Red Flag Rule
What’s the Red Flag Rule? The Red Flag Rule is short for “Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003.” The rule was issued by the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission. Water utilities come in under the FTC rule (16 CFR Part 681). The rule requires any entity where there is a risk of identity theft to develop and implement an identity theft program. The program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft.
The creation of the program involves selecting methods that will enable utilities to detect red flags when accounts are fraudulent, and the establishment of procedures that will:
Does this apply to us? The answer is YES. Even if only nominal information such as name, phone number, and address is collected when establishing water or wastewater service for a customer, every utility must comply with the rule. Utilities are not required to take measures to stop what most people think of as the most serious kinds of identity theft. The regulation does not address or require utilities to adopt measures that will protect consumer information or prevent unauthorized access to that information.
What kind of identity theft are we trying to prevent? The primary purpose of the rule is to protect against the establishment of false accounts and the fraudulent manipulation of existing accounts. That’s it. The following is an excerpt from NRWA’s Identity Theft Prevention Compliance Model:
Steps required to develop a utility’s individual Identity Theft Prevention Program:
* Because most utilities were not in a position to meet the compliance deadline, the compliance date was pushed back 6 months to May 1, 2009.
Most utilities already have good business and management practices in place, so from an everyday, practical standpoint, it is unlikely that the implementation of this plan will cause your day-to-day operations to change much, if at all.
NRWA Senior Environmental Engineer Ed Thomas has created a compliance model for the implementation of the Red Flag Rule, and we have added a link from which you can download it. The model is broken down into five main components: Risk Assessment, Detection (Red Flags), Response, Personal Information Security Procedures, and Identity Theft Prevention Program Review and Approval. Appendix A contains a list of over 50 security procedures a utility should consider in its efforts to protect customer information and prevent unauthorized access, which is outside the scope of the Red Flag Rule.
For questions about or assistance with implementation of the rule, please contact Andy Crocker or Bob Gay, VRWA Training Specialists.
Last Updated on Wednesday, 27 May 2009 13:42





