Utility Companies Must Comply With FTC’s Red Flags Rules
As of August 1, 2009 utility companies and other institutions must be in compliance with the Red Flags provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
Utility Products | By Deb Geister
The Red Flags rules went into effect on January 1, 2008 with little comment or debate. The initial compliance deadline was November 1, 2008; however, the Federal Trade Commission (FTC) announced that the deadline would be extended for entities under its jurisdiction, which many of those entities regarded as good fortune. (Institutions regulated by the federal banking agencies remained subject to the original date.)
It is commonly believed that the Red Flags provisions apply only to financial institutions; many might be surprised to learn that the rules extend well beyond that industry. They also apply to utility companies and to any other “creditor,” meaning any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. After determining that you are indeed a creditor, the next step is to see whether you have “covered accounts.” A covered account is one used mostly for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, along with any other account for which there is a reasonably foreseeable risk of identity theft. Utility accounts are specifically listed as examples under both definitions, so utility companies must comply.
While the FTC’s extension gives organizations an additional six months to comply with the Red Flags provisions, it is not a get-out-of-jail-free card. The FTC has not changed the underlying legal obligation; it has only said that it will not bring enforcement actions for non-compliance during those six months. Organizations that are not yet in compliance therefore remain exposed to potential lawsuits from plaintiff attorneys. Anecdotal evidence suggests that many organizations are not even aware that they must comply with the Red Flags rules, let alone compliant.
Utility companies can comply by developing a written identity theft prevention program that satisfies the four principal components of the Red Flags provisions:
- Identification of patterns, practices, and activities that may signal possible identity theft (the red flags);
- Ongoing detection of the red flags that have been identified;
- Ability to respond effectively to detected red flags to prevent and mitigate identity theft; and
- Periodic review and updating of the red flags and procedures to keep pace with emerging threats.
The first step requires the organization to conduct a thorough risk assessment with clear and comprehensive criteria for how each area of the business is evaluated, including the types of accounts the organization offers, the methods by which those accounts are opened and accessed, and the organization’s prior experience with identity theft. There is no one-size-fits-all approach to compliance; a successful identity theft prevention program takes into account the size and complexity of the institution and the nature of its operations.
In step two, the utility company develops the identity theft policies it needs, based on the findings of the risk assessment, to protect itself and its customers. The written policy should contain a list of relevant red flags (including, but not limited to, those outlined in the government’s guidelines); procedures detailing how the company intends to monitor for those red flags; and procedures for how the company will respond when red flags are detected.
The last stage is implementing the developed policies, which should happen immediately. Once the policies are in place, the business should monitor for red flags consistently and periodically review its procedures for evolving risks. Utility companies are expected to report on the effectiveness of their program, including whether outside service providers are implementing adequate safeguards, any significant security incidents, and recommendations for material changes to the program. Forms of identity theft are constantly evolving, and organizations are expected to keep updating their programs in order to keep pace with them.
Identity theft is a costly and destructive issue; business and consumer losses totaled $56.6 billion in 2005 alone. As damaging as identity theft can be to a business, failing to comply with the Red Flags rules, which are designed to mitigate its effects, can be even more disruptive and costly. To avoid losses, regulatory fines, costly investigations, and potential lawsuits, every affected institution should move quickly to deploy an effective, compliant identity theft prevention program.
About the Author:
Deb Geister is Director, Fraud Prevention & Compliance Solutions at LexisNexis Risk & Information Analytics Group.