For those of you who have been following our series of articles about the Federal Trade Commission’s Red Flags Rule, you may be wondering if you are standing in an echo chamber.
Delayed again, delayed again, delayed again . . .
The new enforcement deadline is now December 31, 2010.
Without repeating too much of what has been discussed in previous issues of the SDA Newsletter, here’s a brief synopsis of the Rule and its relevance to Colorado special districts.
The Red Flags Rule requires “creditors” who have “covered accounts” to address the risk of identity theft by developing and implementing a written program to help identify, detect, and respond to patterns, practices, or specific activities (known as “red flags”) that could indicate identity theft.
The Rule is relevant to special districts because some districts will fall within the definition of “creditor” based on how they operate. Merely accepting credit cards or other forms of payment doesn’t make you a “creditor” under the Red Flags Rule. Rather, a “creditor” includes entities that regularly provide goods or services first and allow customers to pay later. Utilities and health care providers are offered as examples of groups that may fall within the definition. Sending a tax bill out to citizens is not considered extending “credit” for the purposes of the Rule. The FTC’s interpretive materials on the Rule even draw a distinction between billing customers a flat fee and billing customers based on usage; the former is more like a tax and you wouldn’t be a creditor, and the latter is more like a utility transaction and you would be a creditor.
The FTC staff recognizes that the likelihood that an identity thief can defraud your business/district by impersonating someone else may be extremely low for some creditors with consumer or household accounts, or in certain lines of business. Therefore, your identity theft program needn’t be complicated. Groups with a low risk for identity theft may have a more streamlined program, for example, simply having a plan for how they’ll respond if they find out there has been an incident of identity theft involving their business.
The FTC has designed a form to help groups at low risk for identity theft put together a Program. It’s available at http://www.ftc.gov/bcp/edu/microsites/redflagsrule/diy-template.shtm.
The FTC delayed enforcement of the Red Flags Rule at the request, once again, of several members of the U.S. Congress, while Congress considers legislation that would affect the scope of the entities covered by the Rule. “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule, and to fix this problem quickly,” said FTC Chairman Jon Leibowitz. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.” The FTC has indicated that if Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.