Utility companies might be dangerously unaware that they have a looming deadline for compliance with complex new federal regulations. These "Red Flag" rules require utility companies to adopt and implement a broad identity theft prevention system by November 1, 2008.

Why Utilities?

The Red Flag rules were easy for utilities to overlook because they were adopted under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), a statute intended generally to extend and update the Fair Credit Reporting Act. Additionally, the Red Flag rules were issued jointly by various federal agencies that regulate the financial industry, including the Office of the Comptroller of the Currency, Federal Reserve System, and the Federal Trade Commission (FTC), and thus appear to be directed at banks, mortgage lenders, and other financial institutions. But they are not so limited. Any "creditor" with "covered accounts," including utility companies, must comply.

A creditor is "any person or business who arranges for the extension, renewal, or continuation of credit" with a covered account, and specifically includes utility companies. An account means a continuing relationship with a creditor to obtain a product or service and includes deferred payments for services or property. A covered account is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, and (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the utility from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Utilities satisfy these definitions in various ways. Most utilities charge customers after providing services, not before. That means each month the utility is extending a form of credit to the customer and intends to do so on a recurring monthly basis. Utilities also often provide flat monthly payment plans that result in high credit balances for part of each service year. And sometimes customers just can't pay, so the utility enters into a workout agreement or even a formal loan contract that is an extension of credit.

What Are the Red Flag Requirements?

The Red Flag rules require a utility to develop and implement a written program that has reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The program must enable a utility to:

  • Periodically determine whether it offers or maintains a covered account

  • Identify relevant patterns, practices, and specific forms of activity that are Red Flags signaling possible identity theft

  • Detect when such Red Flags are occurring in the utility's business activities

  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft

  • Ensure the program is updated periodically to reflect changes in risks from identity theft

Identity theft means "a fraud committed or attempted using the identifying information of another person without authority." See 16 CFR 603.2(a). Identifying information means any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: Social Security Number; date of birth; official state- or government-issued driver's license or identification number; passport number; alien registration number; unique biometric data; unique electronic identification number, address, or routing code; or telecommunication identifying information or address device, etc. Thus under the Red Flag regulations, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of identity theft.

Utilities implementing Automated Metering Infrastructure (AMI) need to take into account the information that will be collected through these systems. Depending on the sophistication of in-home devices, AMI network design, and communications infrastructure, both the amount of personal information and the potential vulnerabilities are increased substantially.

Indicators of possible risk of identity theft include precursors to identity theft such as phishing or vishing and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. In order to properly define and implement its Red Flags program, a utility must learn lessons from others, keeping abreast of the identity theft environment, tapping sources such as literature and information from credit bureaus, financial institutions, other creditors, designers of fraud detection software, and the utility's own experience.

A utility's board of directors also must become involved in its Red Flags program. Each utility that is required to implement a program must (1) obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors, and (2) involve the board of directors, an appropriate committee, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the utility's program.

There is much more in the regulations that must be done in time to meet the November 1, 2008 deadline. Utilities may not like these new rules, but they do serve business needs as well as compliance needs, and the potential sanctions for failure to comply make compliance the clear choice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.