Cities Must Comply With Red Flags Rule By November 1st

The Federal Trade Commission has issued regulations requiring financial institutions and creditors to develop and implement written identity theft prevention programs by November 1, 2009, under the Fair and Accurate Credit Transaction Act of 2003 (FACTA).  Municipal utilities are subject to these requirements, and the City Councils of all cities that operate utilities must adopt programs that meet the requirements of FACTA. 

Below is a presentation explaining Red Flags rule requirements for municipalities.

 These identity theft prevention programs must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Who must comply with FACTA?


Financial institutions and “creditors” that maintain “covered accounts,” as defined in the Act, must comply with FACTA’s Red Flag requirements.  Under FACTA, a “creditor” means an entity that regularly extends, renews, or continues credit.[1]  Non-profit and government entities are included within this definition of “creditor.”[2]  The Code of Federal Regulations establishes that the term “creditor” includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.[3]  “Credit” is defined in the Act as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”[4]  Therefore, essentially any business, whether public or private, that provides services and accepts payment later is considered a creditor if it maintains “covered accounts.”


“Covered accounts” include accounts that financial institutions or creditors offer or maintain primarily for personal, family, or household purposes, that involve or are designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.[5]  The term “covered accounts” also includes any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, or litigation risks.[6]  Because “covered accounts” specifically include utility accounts, municipalities deferring payment for services such as water, electric, or garbage collection must comply with FACTA. 


How do I comply with FACTA?


FACTA requires that municipalities, as creditors, develop a written Identity Theft Protection Program that is appropriate for the size and complexity of the municipality.[7]  The Program must include elements to identify, detect, and respond to Red Flags.  In addition, the Program must provide for a periodic updating process to reflect changes in risks to the creditor’s customers.[8] 


Each creditor is required to obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board, i.e., the City Council.[9]  The board of directors, a committee of the board, or an employee at the level of senior management must be assigned the duties of oversight, development, implementation, and administration of the Program.[10]  Further, staff must be trained appropriately and must oversee service providers providing services relating to the Act.[11]  Staff should prepare a report at least annually for the person specifically responsible for oversight of the program.  This report should include an evaluation of the effectiveness of the Program with respect to opening accounts, existing covered accounts, service provider arrangements, significant incidents involving identity theft and responses, and recommendations for changes to the Program.[12]


What are “Red Flags?”


Red Flags are patterns, practices, or specific activity that indicate the possible existence of identity theft.[13]  There are five general categories of Red Flags.  The Federal Trade Commission has also provided a list of 26 suggested Red Flags in the appendix to the Code of Federal Regulations.  The five categories are:

  • Alerts or notifications from consumer reporting agencies or service providers, such as fraud detection services; 
  • Presentation of suspicious documents, such as identification documents that have been forged or altered; 
  • Presentation of suspicious personal identifying information, such as a suspicious address change or social security number; 
  • Unusual use of or other suspicious activity relating to a covered account, such as identification of use of an account in a manner inconsistent with established patterns of activity on the account; and
  • Notices from customers, victims of identity theft, law enforcement, or other persons regarding identity theft in connection with covered accounts held by the creditor.[14]


Appropriate responses to Red Flags include:

  • Monitoring an account;
  • Contacting the customer;
  • Changing passwords and security codes;
  • Reopening an account with a new number;
  • Not opening a new account;
  • Closing an existing account;
  • Notifying law enforcement; and
  • Determining that no response is warranted under the particular circumstances.[15]


How is FACTA enforced?


FACTA does not allow for private enforcement of the Red Flag regulations.  However, the regulations are enforced by the Federal Trade Commission.[16]  If the creditor fails to develop and implement a Program, the Federal Trade Commission may enforce the failure as an unfair or deceptive act or practice in commerce.[17]  The consequences may include a cease and desist order from the Federal Trade Commission after a hearing and civil penalties not to exceed $2,500 per violation.[18]


What Type of Program Must I Adopt?


Attached you will find a sample program that the City Council may adopt.  It is important to remember, however, that the Red Flag Guidelines were designed to provide flexibility to the individual utility in adopting their Program.  Because the process used to open new accounts and monitor existing accounts will vary by utility, not every Red Flag will be applicable to each utility.  For example, the utility may not use credit reporting, and therefore, will not encounter Red Flags relating to consumer reports.  Thus, the goal is to be aware of the Red Flags, remain vigilant in detecting those Red Flags that are applicable to a particular utility, and notify the Finance Director of the City if a Red Flag is encountered.


As most cities will readily observe, the Red Flags have little relevance to the billing practices of city utilities.  The Federal Trade Commission, responsible for enforcement of FACTA, offers no guidance on how city utilities can implement these policies other than to suggest “common sense.”  There is obviously little common sense in designating City utilities as “creditors” subject to FACTA.  Implementing proactive measures to detect identity theft, such as comparing the names of all persons paying utility bills to the owners of property served, can be highly disruptive and costly to city operations.  The recommended program minimizes costs as much as possible and is comparable to programs adopted throughout the country.  More may be required of cities as court opinions and federal regulations further clarify the responsibilities of city utilities.


[1] 16 C.F.R. § 681.2(b)(5) (2008); 15 U.S.C. § 1681a(r)(5) (2006); 15 U.S.C. 1691a(e) (2006). 

[2] Federal Trade Commission, FTC Business Alert, New “Red Flag” Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft, June 2008, available at

[3] 16 C.F.R. § 681.2(b)(5) (emphasis added).

[4] 16 C.F.R. § 681.2(b)(4); 15 U.S.C. 1681a(r)(5); 15 U.S.C. 1691a(d).

[5] 16 C.F.R. § 681.2(b)(3)(i) (emphasis added).

[6] 16 C.F.R. § 681.2(b)(3)(ii).

[7] 16 C.F.R. § 681.2(d)(1).

[8] 16 C.F.R. § 681.2(d)(2).

[9] 16 C.F.R. § 681.2(e)(1).

[10] 16 C.F.R. § 681.2(e)(2).

[11] 16 C.F.R. § 681.2(e)(3)-(4).

[12] 16 C.F.R. app. § 1681 A(VI)(b)(1).

[13] 16 C.F.R. § 681.2(b)(9).

[14] 16 C.F.R. Supplement A to App. § 1681 A.

[15] 16 C.F.R. app. § 1681 A(IV).

[16] 15 U.S.C. § 1681m(h)(8); see also Perry v. First Nat’l Bank, 459 F.3d 816, 819-20 (7th Cir. 2006).

[17] 15 U.S.C. § 1681m(h)(8)(B); 15 U.S.C. § 1691s(a)(1).

[18] 15 U.S.C. § 45(a)(1); § 45(b); § 1681s(a)(2)(A).

Explore posts in the same categories: Red Flags Rule

%d bloggers like this: