Does the Red Flags Rule (Still) Apply to Local Government Utilities?

As the clock struck midnight on January 1, 2011, enforcement of the federal Red Flags Rule began—a mere three years after its enactment. (The Red Flags Rule comprises federal regulations aimed at preventing or mitigating identity theft associated with certain financial transactions. The Rule requires certain creditors that offer or maintain one or more covered accounts to develop and provide for the continued administration of a written program to detect, prevent, and mitigate identity theft in connection with the opening or maintenance of the accounts. See 16 C.F.R. Part 681 (2007).) The Federal Trade Commission (FTC) delayed enforcement of the Red Flags Rule five times since the FTC (and other federal agencies) promulgated the Rule. The enforcement delay was due in large part to controversy over the scope of coverage of the Rule. In fact, when it issued its last extension notice in May 2010, the Federal Trade Commission indicated that it was doing so at the behest of several Members of Congress to afford Congress time to consider “legislation that would affect the scope of entities covered by the Rule.” As Jill Moore reported in a recent post, Congress subsequently enacted the Red Flag Program Clarification Act of 2010, Pub. L. No. 111-319 (to be codified as 15 U.S.C. 1681m(e)(4)) (Clarification Act), which amended the Fair Credit Reporting Act (15 U.S.C. 1681m(e)) (FCRA), to limit the scope of the Red Flags Rule. As Jill pointed out, the Clarification Act is less than completely clear as to which entities are subject (and which are not subject) to the Rule. Her post analyzed the likely impact on public health providers. This post looks at the effect on local government utilities.

Previous Definition of “Creditor”

Before enactment of the Clarification Act, the Red Flags Rule purportedly applied to any creditor that maintained one or more covered accounts. A creditor was defined, in relevant part, as any entity that “regularly extends, renews, or continues credit,” or as any entity that “regularly arranges for the extension, renewal, or continuation of credit.” To extend credit meant to allow for deferred payment of a debt or deferred payment for the purchase of property or services. The FTC interpreted the definition of creditor expansively to include not only lenders, such as banks and finance companies, but also (among other entities) “automobile dealers, mortgage brokers, utility companies, and telecommunication companies.” See 16 C.F.R. Part 681 (2007); see also 15 U.S.C. 1681a & 1691a. Thus, a local government or public authority likely qualified as a creditor if it loaned money to individuals or entities or if it provided property or services to individuals or entities in advance of receiving payment. Most local government utilities satisfied this definition of creditor because they bill for utility services after the services are provided.

New Definition of “Creditor”

The Clarification Act amends the FCRA to modify the definition of creditor for purposes of the Red Flags Rule. The new definition is best considered in four parts. Part 1 starts with the same definition of creditor as before—namely “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” Part 2 modifies the definition by requiring that the person also “regularly and in the ordinary course of business”

1. Obtain or use consumer reports directly or indirectly in connection with a  credit transaction, or
2. Furnish information to consumer reporting agencies in connection with a credit transaction, or
3. Advance funds to or on behalf of a person based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

Part 3 specifically exempts any person that otherwise qualifies as a creditor under Part 2, subsection (3), but that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” Based on the legislative history of the Clarification Act, it appears that Congress intended to exempt from the definition of “creditor” entities that merely allow for payment of services after the services have been provided. Part 4 specifies, however, that any person who satisfies the definition of creditor in Part 1 may be made subject to the Red Flags Rule by the FTC, or other federal agency responsible for oversight over the creditor, if the agency determines that the “creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.” To date, the FTC or other relevant federal agencies have not provided any interpretative guidance as to what other types of entities might be made subject to the Rule based on this criterion.

Application of New Definition of “Creditor” to Local Government Utilities

So, do local government utilities fall under the new definition of creditor? Unfortunately the answer is unclear and depends, at least in part, on how the FTC interprets the Clarification Act (which we do not yet know). Arguably, at least most local government utilities fall under the exception in Part 3 and would not be deemed to be "creditors" for purposes of compliance with the Red Flags Rule because they only incidentally extend credit to customers in relation to the provision of  utility services. The analysis is not quite that simple, though. First, many local government utilities utilize consumer reports either when establishing customer accounts (to determine credit-worthiness of potential customers and/or set deposit fee amounts) or to aid in collecting delinquent accounts. And some utilities contract with debt collection agencies that utilize the consumer reports in connection with collecting delinquent utility accounts. Presumably, these utilities fall under the definition of creditor for purposes of the Rule. Note that a utility that regularly and in the ordinary course of business (directly or indirectly) uses consumer reports or furnishes information to consumer reporting agencies in connection with a credit transaction is not exempt under Part 3 of the definition of “creditor” even if the utility only incidentally extends credit in relation to the provision of a service. Second, some local government utilities—particularly water utilities—may not fall under the exception in Part 3 of the definition of “creditor.” Note that only creditors that “advance[] funds on behalf of a person for expenses incidental to a service provided by the creditor to that person” are exempt. But the definition of extending credit does not just apply to services. Credit is defined as the “right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.”  15 U.S.C. 1681m,1681a &1691a. Thus, if a local utility allows for deferred payment of a property purchase then it may very well be subject to the Rule. Although most individuals view the provision of utilities as a service, in North Carolina the provision of water actually constitutes a sale of goods under the Uniform Commercial Code. See Jones v. Town of Angier, 181 N.C. App. 121, 638 S.E.2d 607 (2007). It is unclear whether the sale of water would be deemed a service for purposes of the federal statute at issue. It is at least possible that water utilities are not exempt under Part 3 of the definition of “creditor” because they provide a good, not a service. Finally, and perhaps most importantly, Part 4 of the new definition of “creditor” allows the FTC to make local government utilities subject to the Red Flags Rule, regardless of the exemption in Part 3, if the FTC determines that the “creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.” Utility accounts often are cited as a common source of identity theft. See, e.g., Consumer Sentinel Network Data Book for January-December 2009 (Federal Trade Commission Feb. 2010). The FTC may very well find that the risk of identity theft associated with utility accounts is great enough to subject local government utility providers (that maintain one or more covered accounts) to the Red Flags Rule’s requirements. Given the uncertainty that remains about the application of the new definition of “creditor,” local government utilities likely should continue to implement their Identity Theft Prevention programs pending further guidance from the FTC.