UPDATE August 2013: For more recent information on this topic click here.
Jill Moore recently blogged about the applicability of the federal Red Flag Rules to local health departments and the appropriate responses by those departments to prevent or mitigate identity theft. As Jill mentioned in her post, the reach of the Red Flag Rules (at least potentially) extends beyond local health departments, though. To what other local programs or activities might the Rules apply? This post provides guidance to local officials in determining if, and under what circumstances, the Red Flag Rules apply to their unit or authority.
What are the Red Flag Rules?
The Red Flag Rules are federal regulations aimed at preventing or mitigating identity theft associated with certain financial transactions, including the opening or maintaining of “customer” accounts that provide for the repayment of loans or the deferred payment for products or services. (The regulations became effective January 1, 2008, although the FTC has thrice delayed enforcement of the Red Flag Rules. Currently, full compliance with the Rules is required by November 1, 2009.)
Who Must Comply with the Red Flag Rules?
The Rules require certain creditors that offer or maintain one or more covered accounts to develop and provide for the continued administration of a written program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
Creditor. There has been some confusion about whether, and under what circumstances, a local government or public authority may be deemed to be a creditor under the Rules. A creditor is defined, in relevant part, as any entity that regularly extends, renews, or continues credit, or as any entity that regularly arranges for the extension, renewal, or continuation of credit. To extend credit means to give a “customer” the right to defer payment of a debt or to defer payment for property or services. A local government or public authority is a creditor if it loans money to individuals or entities or provides services to individuals or entities in advance of receiving payment. (Note that a local government or public authority is not a creditor if it receives payment in advance or at the same time that services are rendered.)
However, the Federal Trade Commission (the agency responsible for enforcing the Rules) has indicated that the Rules apply only to entities that extend credit for the direct provision of products or services that are obtained by customers on a voluntary basis. The term credit does not apply to involuntary payments of taxes or fees. Thus, a local government or public authority is not a creditor (and the Rules do not apply) when it collects property taxes, business license taxes, parking tickets, special assessments, availability fees (for water, sewer, or solid waste), stormwater fees, and other taxes or fees that are not incurred by a “customer” on a voluntary basis, even if the unit establishes a deferred payment plan for these taxes or fees.
Covered Account. If a local government or public authority is a creditor, it must then determine if it maintains one or more covered accounts. A covered account is either (1) an account used mostly for personal, family, or household purposes that involves multiple payments or transactions, or (2) any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to customers or the safety and soundness of the creditor from identity theft.
Note that the first definition of a covered account must involve a continuing relationship between the “customer” and the creditor. The definition does not include single, non-continuing payments or transactions, even if they are done after the services are rendered. For example, if a local government provides one-time EMS services and bills the recipient after the services are provided, it likely has not established a covered account (and the Rules do not apply) because the account does not involve a continuing relationship between the local government and the “customer.” Alternatively, if a local unit provides one-time EMS services and sets up a payment plan (involving multiple payments over time), it may satisfy the continuing relationship requirement. And, if the same unit provides on-going EMS services (such as regular ambulance pick-up) and bills for those services on a periodic basis (and after the services are provided), the “customer” account likely involves a continuing relationship.
A local government or public authority likely does not have to worry about most accounts or transactions that do not involve a continuing relationship with the “customer.” Note, however, that there is a catch-all second definition of covered account that requires compliance with the Rules for any account in which there is a reasonably foreseeable risk to customers or the creditor from identity theft. A unit, therefore, may want to err on the side of over-inclusiveness in adopting its Red Flags program.
Examples of services commonly offered by a local government or public authority that potentially may involve covered accounts include public enterprise utilities services (water, sewer, solid waste, electric, natural gas, cable television, airports, public transportation), certain public health or hospital services, certain recreation programs and services, certain airport services, CDBG loans, home-ownership or home rehabilitation loans, revolving loans for small businesses, and façade improvement loans. This is not an exhaustive list, though. A local government or public authority must periodically canvass its own programs and services to determine if it maintains one or more types of accounts that qualify as covered accounts.
Short-cut to Determining Applicability of Rules. It is important to remember that an entity is subject to the Rules only if it both qualifies as a creditor and maintains one or more covered accounts. And, the Rules only apply to the opening and maintaining of covered accounts. To determine if a local government or public authority is subject to the Red Flag Rules, a unit’s employees and officials should periodically examine its operations and ask the following four questions.
1. Does the local government or public authority make loans to individuals or entities or allow deferred payment for the voluntary receipt of the unit’s services? (If the answer to Question 1 is yes, the unit is a creditor.)
2. Does the local government or public authority maintain one or more accounts that involve the repayment of a loan or deferred payment for the voluntary receipt of the unit’s services?
3. Are the accounts referenced in Question 2 primarily for personal, family, or household purposes?
4a. If the answer to Question 3 is yes, do the accounts involve a continuing relationship between the unit and the account holder (not just a single transaction)?
4b. If the answer to Question 3 is no, do the accounts otherwise pose a reasonably foreseeable risk to the account holder or the unit of identity theft?
(If the answers to Questions 2, 3, and 4a are yes, the Red Flag Rules likely apply to the referenced accounts. Alternatively, if the answer to Question 3 is no, but the answer to Question 4b is yes, the Red Flag Rules likely apply to the referenced accounts.)