As previously posted on this blog, the Federal Trade Commission (FTC) delayed enforcement of the Red Flag Rules until December 31, 2010, in large part due to extensive litigation and controversy regarding the scope of the Rules. According to the FTC’s press release, during the delay period, Congress was scheduled to consider legislation that would alter the scope of entities covered by the Rule, and more specifically the definition of a “creditor.”
At the end of December 2010, Congress passed the Red Flag Program Clarification Act of 2010, which, as expected, changed the definition of “creditor.” Though Congress redefined the term creditor, it did not clearly include or exclude specific types of entities, such as utilities, from the purview of the Red Flags Rule. In short, it is not clear whether municipal utilities are still required to comply with the Red Flags Rule. However, until the FTC revises its guidance, it is best to begin enforcing the Identity Theft Prevention Program that your municipal utility adopted in anticipation of the December 31st deadline.
Before the Clarification Act was enacted, only “creditors” and “financial institutions” with one or more “covered accounts” were required to develop and implement a written Identity Theft Prevention Program. A “creditor” was defined as an entity that regularly extended, renewed, or continued credit. A “creditor” included businesses or organizations that regularly deferred payment for goods or services or provided goods or services and billed customers later. Municipal utilities were considered “creditors” under this Rule both because utilities defer payment for services and because the FTC’s regulations specifically referenced utilities as an example of a “creditor.”
The Clarification Act, however, changed the definition of a “creditor.” Now, a “creditor” is defined as any person who regularly extends, renews, or continues credit, and who regularly and in the ordinary course of business:
(1) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction; or
(2) furnishes information to consumer reporting agencies in connection with a credit transaction; or
(3) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.
Finally, Congress stated that the term “creditor” includes any other type of creditor, as the term was previously defined prior to the Clarification Act, if the Federal banking agencies, the National Credit Union Administration, or the Federal Trade Commission deem that the entity continues to be a “creditor” by regulation. In order to enact such a regulation, the Federal banking agencies, the National Credit Union Administration, and the Federal Trade Commission must make a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.
Based upon the Congressional Record in both the House and Senate, it appears that Congress wanted to limit the scope of the Red Flags Rule to those creditors that use consumer reports, furnish information to consumer reporting agencies, and to those creditors that loan money. However, the Act specifically gives some discretion to the FTC and other regulatory agencies to include creditors which offer or maintain accounts that are subject to a reasonably foreseeable risk of identity theft. To date, the FTC has not updated its regulations to include any other “creditors” within the scope of the Act.
From this new definition of “creditor,” a few basic principles can be distilled:
(1) Municipal utilities met the “old” definition of a creditor, so if your utility regularly obtains or uses consumer reports or if it provides information to consumer reporting agencies, your utility is still subject to the Rules. Because the definition of a “creditor” includes the indirect use of consumer reports, your utility is probably still subject to the Rules, for example, if it contracts with collection agencies that obtain or use consumer reports or that report delinquencies to a consumer reporting agency.
(2) If your utility (and any collection agencies you contract with) does not obtain or use consumer reports or furnish information to consumer reporting agencies, your utility is no longer covered by the Red Flag Rules, except in the rare circumstance that you loan funds to customers. Some utilities may provide conservation loans, septic loans, or other utility-related loans to customers, in which case, your utility would be a “creditor” under subparagraph (3).
(3) Even if your utility does not obtain or use consumer reports, furnish information to consumer reporting agencies, or provide loans to customers, the FTC or another federal regulatory agency may enact regulations to include utilities within the scope of the Red Flag Rules in the near future. The FTC cited utility accounts as sources of identity theft in its previous regulations, and therefore, it seems likely that the FTC will include utilities within the scope of the Red Flag Rules in its revised regulations. Because of this likelihood, it may be wise to continue to implement your Identity Theft Prevention Program in the interim.
(4) Remember that the Clarification Act has not changed the definition of a “covered account.” Even if your utility continues to be a “creditor” under the new definition, only those creditors which maintain “covered accounts” must develop and implement a written Identity Theft Prevention Program. “Covered accounts” are those which are offered or maintained by a creditor “primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions” or “for which there is a reasonably foreseeable risk to customers” of identity theft.
A link to the text of the Red Flag Program Clarification Act is provided here.
A link to the FTC’s webpage regarding Red Flag Rules is provided here.
If you have further questions regarding the Clarification Act or need assistance in drafting your Identity Theft Prevention Program, please contact Kristin Eick at firstname.lastname@example.org or 206-447-7000.