On May 1, 2009, the Federal Trade Commission (FTC) will begin enforcing its “Red Flag Rules” with regard to non-bank entities, including electric cooperatives. Electric cooperatives are subject to the Red Flag Rules as “Creditors” because they generally bill their customers after providing services.
The consequences of failing to comply with the Red Flag Rules include civil penalties of up to $2,500 per violation, regulatory enforcement actions, plaintiffs’ lawsuits, and harm to the cooperative’s business reputation.
This legal alert discusses the compliance requirements for Electric Membership Corporations (EMCs), the policies and procedures that should be included in an EMC’s written Red Flag Program, and the requirements of administering a Red Flag Program.
Implementation of a Written Identity Theft Prevention Program
The FTC has specifically identified utilities as creditors subject to the Red Flag Rules. All EMCs, therefore, should implement a written Identity Theft Prevention Program. The Program must be designed to detect, prevent and mitigate identity theft in connection with the opening of a new account for electric service and the maintenance of any existing account (both are “Covered Accounts” under the FTC regulations). Additionally, the Program must be appropriate to the size and complexity of the EMC’s business and to the nature and scope of its activities, and must be flexible enough to address changing identity theft risks as they arise.
Further, the written Program must be approved by the EMC’s board of directors or an appropriate board committee. The board, a board committee, or an employee at a senior management level must be involved in the oversight, development, implementation and administration of the Program. Additionally, the board is responsible for ensuring that the EMC’s staff receives appropriate training to implement the Program and that the Program includes appropriate oversight of third-party service providers.
The four basic elements that must be included in any written Program are:
- Identifying relevant Red Flags
- Detecting Red Flags
- Responding appropriately to Red Flags
- Ensuring that the Program is updated periodically
Identifying Relevant Red Flags
A Red Flag is a pattern, practice or specific activity that indicates the possible existence of identity theft. Examples of Red Flags that EMCs may encounter include:
- a fraud alert or “credit freeze” notice on a consumer’s credit report;
- bills sent to the consumer being returned as undeliverable while transactions continue to be conducted on the account;
- alerts, notifications or other warnings received from consumer reporting agencies;
- the presentation of suspicious documents when an account is opened;
- the presentation of suspicious personal identifying information, such as a suspicious address change;
- unusual use of, or other suspicious activity related to, an account; and
- notices from customers, victims of identity theft, law enforcement authorities or other persons.
Detection of Red Flags
An EMC’s written Program must contain policies and procedures to detect the Red Flags that it has determined are relevant and has incorporated into its Program. These policies and procedures should address the detection of Red Flags both when accounts are opened and while they are maintained. Detection may be accomplished by obtaining identifying information about, and verifying the identity of, a person or entity opening an account; by authenticating customers, monitoring transactions, and verifying the validity of address change requests for existing accounts; and by implementing appropriate procedures to verify any information obtained in connection with the opening or maintenance of an account.
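As an added illustration (not part of the original alert and not an FTC-provided tool), the following Python script applies four of the Red Flags described above to a constructed stream of customer-account events. The event kinds, field names, sample records and the 30-day correlation window are assumptions chosen for the example; an EMC would substitute the event types its own billing and customer-service systems actually record.

```python
"""Illustrative Red Flag detector over account events (added example, not FTC code).

Assumed event kinds (hypothetical, chosen for this example):
  mail_returned, transaction, address_change, new_service_request,
  contact_change, account_opened, credit_alert, victim_notice,
  law_enforcement_notice
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    when: datetime
    kind: str
    detail: str = ""


@dataclass(frozen=True)
class RedFlag:
    account: str
    rule: str
    evidence: str


# Constructed sample data; these are not real customer records.
SAMPLE_EVENTS = [
    Event("A1001", datetime(2009, 3, 2), "mail_returned", "bill returned: no such address"),
    Event("A1001", datetime(2009, 3, 5), "transaction", "online payment $120.00"),
    Event("A1001", datetime(2009, 3, 20), "transaction", "service call requested"),
    Event("A1002", datetime(2009, 3, 1), "address_change", "mailing address changed"),
    Event("A1002", datetime(2009, 3, 10), "new_service_request", "second meter requested"),
    Event("A1003", datetime(2009, 2, 1), "mail_returned", "bill returned"),  # no follow-on activity
    Event("A1004", datetime(2009, 4, 1), "account_opened", "new residential service"),
    Event("A1004", datetime(2009, 4, 1), "credit_alert", "fraud alert on consumer report"),
    Event("A1005", datetime(2009, 4, 3), "victim_notice", "customer reports impersonation"),
]


def detect_red_flags(events, window_days=30):
    """Return RedFlag records for events matching the illustrative rules.

    Correlation rules look forward `window_days` (assumed value) from the
    triggering event; single-event rules fire on the event itself.
    """
    window = timedelta(days=window_days)
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    flags = []
    for account, evs in sorted(by_account.items()):
        evs.sort(key=lambda e: e.when)
        for i, e in enumerate(evs):
            # Events on the same account within the window after `e`.
            later = [x for x in evs[i + 1:] if x.when - e.when <= window]

            if e.kind == "mail_returned":
                # Undeliverable bill while the account stays active.
                tx = [x for x in later if x.kind == "transaction"]
                if tx:
                    flags.append(RedFlag(account, "returned_mail_active_account",
                                         f"{e.detail}; {len(tx)} transaction(s) followed"))
            elif e.kind == "address_change":
                # Suspicious address change: followed by a new request or contact change.
                follow = [x for x in later
                          if x.kind in ("new_service_request", "contact_change")]
                if follow:
                    flags.append(RedFlag(account, "address_change_then_request",
                                         f"{e.detail}; then {follow[0].kind}"))
            elif e.kind == "credit_alert":
                # Fraud alert / credit freeze reported by a consumer reporting agency.
                flags.append(RedFlag(account, "consumer_report_alert", e.detail))
            elif e.kind in ("victim_notice", "law_enforcement_notice"):
                # Notice from a customer, victim or law enforcement.
                flags.append(RedFlag(account, "third_party_notice", e.detail))
    return flags


if __name__ == "__main__":
    for f in detect_red_flags(SAMPLE_EVENTS):
        print(f"{f.account}: {f.rule} ({f.evidence})")
```

The detector only queues accounts for review; deciding what to do about a flagged account belongs to the response procedures, not to the detection step. Account A1003 shows the caveat the Red Flag itself carries: returned mail alone is not suspicious, only returned mail combined with continuing activity on the account.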
Responding to Red Flags
Any written Program must also include reasonable policies and procedures designed to respond appropriately to any Red Flags detected, in order to prevent and mitigate identity theft. The response called for by the written Program should be commensurate with the degree of risk that the specific instance of identity theft poses. In assessing that risk, the EMC should consider aggravating factors that heighten the risk of identity theft, such as a data security breach that results in unauthorized access to a customer’s account held by the EMC. Appropriate responses to the detection of Red Flags may include monitoring an account for additional evidence of identity theft; contacting the customer; changing any passwords, security codes, or other security devices that permit access to an account; closing an account and reopening it with a new account number; and notifying law enforcement if the situation warrants.
Updating the Program
EMCs should periodically reassess the policies and procedures currently in place to reflect changes in the risk environment. Events to consider in reassessing an EMC’s written Program include the EMC’s own experiences with identity theft; changes in identity theft methods; changes in the methods available to detect, prevent and mitigate identity theft; changes in the types of accounts the EMC offers or maintains; and changes in the EMC’s business arrangements through mergers, acquisitions, or changes in vendors or service providers.
In summary, every EMC must take appropriate steps to comply with the Red Flag Rules by implementing a written Program that: identifies relevant Red Flags for new and existing covered accounts and incorporates them into the Program; detects the Red Flags that have been incorporated into the Program; responds appropriately to any Red Flags that are detected, in order to prevent and mitigate identity theft; and is updated periodically to reflect changes in the risks to customers and to the safety and soundness of the EMC in its role as creditor.