The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”
The Red Flags Rule, which is part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), requires “creditors” to implement an identity theft prevention program for “covered accounts”. A “covered account” is any account that allows for multiple payments or transactions, or any other account with a reasonably foreseeable risk of identity theft. The rule does not distinguish among accounts paid by credit card, cash or check; it concerns the prevention of identity theft in general. You will need to review your current accounts to see whether they fall under the definition of a “covered account”. If they do, you will need to set up an identity theft prevention program.
Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
Covered entities include banks, thrifts, mortgage lenders, credit unions, US branches and agencies of foreign banks, US commercial lending companies of foreign banks, and certain “creditors”, a term defined as “any person or business who arranges for the extension, renewal, or continuation of credit”. This specifically includes utility companies, car dealers, telecommunications companies, health care companies, and debt collectors. Many other types of organizations could also fall within this definition.
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
Part 1: LIST YOUR RED FLAGS
Each organization that is subject to the regulation must IDENTIFY relevant patterns, practices and specific forms of activity that are “red flags” signaling possible identity theft, and incorporate those red flags into its program.
Each organization is responsible for coming up with its own list of Red Flags, and the list should be as exhaustive as possible. Unfortunately there is no qualification in the regulation such as the “Top Ten Red Flags” or the “Red Flags Most Commonly Found”, so you need to include every situation that you can. You should use the following resources when creating your list:
- Examples provided in Section 114, subpart J, Appendix A of FACTA. (These are also listed on our website, www.redflagrules.net, for your convenience.)
- The financial institution’s or the creditor’s own experience, and
- Relevant identity theft methods and changes in identity theft risks. [In other words, you must keep pace with the new and evolving methods that criminals are using to obtain and use the personal information of others.]
Part 2: DETECT RED FLAGS
Now that you have a complete list of the Red Flags that signal identity theft as it pertains to your organization, you must describe how you will detect each Red Flag in every circumstance where it may occur. There are several very broad requirements for this objective. A closer look at these may reveal deficiencies or gaps in your current programs and processes that will need to be addressed:
1. Obtaining Identifying Information and Verifying Identity
This specifically pertains to the process of verifying the identity of a person who has approached you regarding the opening of a new account. You may already have a solution in place based on the requirements of the USA Patriot Act, but this may be a good time to assess whether or not your current practice is strong enough. Make sure that your process will detect the Red Flag BEFORE the account is opened, which is a variation on CIP Rules. New advances in national database scanning provide additional security for Customer Information Programs (CIPs).
2. Authenticating Transactions for Existing Customers
The term “authentication” typically means a stringent means of assuring that the person who is making a transaction is the true owner of the “personal information set” that we call an identity. The traditional method of validating an identity has been to obtain a driver’s license or government ID and compare the picture on the ID to the person in front of you. With the onset of identity theft, this method can no longer be completely trusted. An authentication process must be put in place that includes additional validation of the person’s identity before a transaction is allowed. Some of the newest forms of authentication include biometrics, tokens, security ID cards, fingerprint readers and GPS technology using cell phones as a point of reference. For online transactions these are used in conjunction with user IDs and passwords to create stronger two-factor authentication processes. Another method is to ask the consumer several “out of wallet” questions, which are questions that have answers only the customer would know and cannot be answered from information typically found in a purse or wallet (which may have been compromised). The Red Flag regulation does not specify the degree to which you must deploy technology to detect Red Flags. It only stresses the need to be “effective” and to prove the effectiveness of your program to your board of directors on at least an annual basis.
3. Monitoring Transactions (Activity) Of Customers
Monitoring activity of your current customers can be an even bigger challenge. An example used in the regulation is a change of address request that closely follows a request for a new credit or debit card. Another is a material change in a customer’s use of credit, especially with respect to recently established relationships. This means that not only do you need to track specific types of activities, but you must track those activities in relation to the timing of certain other events or transactions and in some cases compare them to a “norm” that may be different for each customer. There are rules-based database scanning technologies that can look for patterns of behavior and anomalies in your existing customer transaction data and provide an alert. But whether you employ a technology solution or not, it is the responsibility of the financial institution to make sure that all of the rules are established, maintained and followed accurately.
4. Verifying the Validity of Change of Address
There is a great deal of emphasis that is placed on the monitoring of change of address for covered accounts – for good reason! It is a proven fact that in most cases an identity thief will attempt to manipulate an account before he begins his spending spree so that fraudulent activity will not be discovered quickly. One way to do this is to change the address on an existing account to divert the statements and notifications so the real owner of the identity remains unaware. The longer a thief can go undetected the more damage they can do. And don’t overlook change of e-mail address as well. With many customers now using e-statements this is another way for the thief to hide his tracks. A change of address request should be treated in the same cautious manner as a request for a withdrawal, using the level of authentication required for other types of transactions.
Change of address requests for debit and credit cards are called out in a separate section of the rulemaking, with specific requirements for assuring the integrity of this type of transaction under certain circumstances.
The regulation requires that issuers of debit or credit cards establish and implement reasonable policies and procedures to validate a change of address request IF a request for a replacement card follows the change of address within 30 days.
The card issuer may NOT ISSUE the card until it has satisfied at least one of the following provisions:
(1) Notifying the cardholder by postal mail at the former address, or other means previously agreed with the cardholder, and providing a means for the cardholder to PROMPTLY respond if the address change is incorrect.
(2) Using another means of assessing the validity of the request for address change — which is probably referring to address validation software systems.
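As an added illustration (not part of the original article or the regulation’s text), the following Python check models the 30-day rule above: a replacement-card request is held while an unvalidated address change sits inside the window, and released once the cardholder has confirmed the change. The event kinds, the SAMPLE_HISTORY records and the decision to screen e-mail address changes alongside postal ones are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Window stated in the rule: a replacement-card request within 30 days of an
# address change may not be fulfilled until the change has been validated.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)
# Assumption: e-mail address changes are screened like postal ones, as the
# article suggests; the rule itself speaks only of the mailing address.
ADDRESS_KINDS = ("address_change", "email_change")

@dataclass
class Event:
    account: str
    kind: str   # address_change | email_change | address_validated | card_request
    when: date

def recent_address_changes(history, request):
    """Address changes on the request's account in the 30 days before it."""
    return [e for e in history
            if e.account == request.account and e.kind in ADDRESS_KINDS
            and timedelta(0) <= request.when - e.when <= ADDRESS_CHANGE_WINDOW]

def was_validated(history, change, request):
    """True if the cardholder confirmed the change (notice to the former address
    or another agreed channel) between the change and the card request."""
    return any(e.account == change.account and e.kind == "address_validated"
               and change.when <= e.when <= request.when for e in history)

def evaluate_card_request(history, request):
    """Return ("issue", []) or ("hold", reasons): hold while any in-window
    address change on the account is still unvalidated."""
    if request.kind != "card_request":
        raise ValueError("expected a card_request event")
    reasons = []
    for change in recent_address_changes(history, request):
        if not was_validated(history, change, request):
            days = (request.when - change.when).days
            reasons.append(f"{change.kind} {days} day(s) before request, not validated")
    return ("hold" if reasons else "issue", reasons)

def decisions_for(history):
    """Run every card request in a history through the check: account -> action."""
    return {e.account: evaluate_card_request(history, e)[0]
            for e in history if e.kind == "card_request"}

# Constructed sample history, not real account data.
SAMPLE_HISTORY = [
    Event("ACCT-1", "address_change", date(2024, 3, 1)),
    Event("ACCT-1", "card_request", date(2024, 3, 10)),    # 9 days later: hold
    Event("ACCT-2", "address_change", date(2024, 1, 5)),
    Event("ACCT-2", "card_request", date(2024, 3, 10)),    # 65 days later: issue
    Event("ACCT-3", "email_change", date(2024, 3, 2)),
    Event("ACCT-3", "address_validated", date(2024, 3, 4)),
    Event("ACCT-3", "card_request", date(2024, 3, 8)),     # validated first: issue
]
```

The hold reasons are what an analyst would record as the Red Flag detected and the response taken, which feeds the tracking and reporting requirements discussed later in the article.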
Part 3: PREVENT AND MITIGATE IDENTITY THEFT WITH AN APPROPRIATE RESPONSE
The regulation states that a Red Flag Program should provide for appropriate responses to the Red Flags detected that are commensurate with the degree of risk posed. In the original draft of the legislation, this section references an assessment of risk to both the customer and to the financial institution or creditor. This is a human assessment that must take place each time a Red Flag is detected in order to gauge a response. You must not only consider the type of Red Flag, but its timing with other “aggravating factors” that may increase the risk of identity theft. The regulation provides two examples of aggravating factors: (1) the institution has experienced a breach of security that resulted in the unauthorized access to or loss of personal data of customers, or (2) you become aware that a customer has provided information related to a covered account to someone who is fraudulently claiming to represent the financial institution or creditor, or to a cloned website. There are surely other aggravating factors, such as the customer reporting to you that they have seen other evidence of fraud or abuse of their identifying information.
The regulation states that appropriate responses may include the following:
- Monitoring a covered account for evidence of identity theft;
- Contacting the customer;
- Changing any passwords, security codes, or other security devices that permit access to a covered account;
- Reopening a covered account with a new number;
- Not opening a new covered account;
- Closing an existing covered account;
- Not attempting to collect on a covered account or not selling a covered account to a debt collector;
- Notifying law enforcement; or
- Determining that no response is warranted under the particular circumstances.
It is worthwhile to note that the last criterion was added to the final rulemaking to acknowledge that there may be times when a Red Flag produces a false positive alert, meaning that the circumstances indicate a Red Flag is present but it can be determined that no risk of identity theft exists. It was emphasized that it is “implicit” that, in order to “respond appropriately” to a Red Flag, the financial institution or creditor must not only assess the degree of risk; it must also have a “reasonable basis” for concluding that the Red Flag does not evidence a risk of identity theft.
In practical application, when you find a Red Flag and cannot establish a reasonable basis for no response, you must notify the customer. All other responses depend on this. When you notify the customer that he or she may be a victim of identity theft you will most likely get the following question: “What do I do now?” The answer is critical, not only to your customer, but ultimately to your brand image and quite possibly your market share.
Many financial institutions already offer no-cost professional identity theft recovery services to deliver the difficult and specialized work that is necessary to unravel the problem of identity theft for their customers. You can spot a reputable service if it offers to do the legwork for the customer by using a limited power of attorney authorization to dispute the fraudulent activity and obtain documented clearance of all issues. The identity theft services industry is as yet unregulated, and there are many companies that provide only generic advice but call it “recovery assistance” when in fact it is nothing more than a do-it-yourself kit. Still others thrive on big-dollar media hype and half-truths about preventing identity theft using fraud alerts with million-dollar guarantees. Do your homework! Your reputation depends on it.
If you feel you already have remediation for identity theft events covered by your Fraud Unit, consider this. By outsourcing some or all of the mitigation for identity theft issues found by Red Flags you will not only be providing a higher quality of service to your customers and reallocating valuable employee time, but you will also have a system for tracking the identity theft activity and how it is resolved. This is a requirement of the Red Flag regulation that is coming up in the next section.
Part 4: UPDATING THE PROGRAM
The final rules include a fourth element to make sure that the Program keeps pace as criminals get more creative. The regulation requires that a financial institution or creditor have in place “policies and procedures to ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.”
In this requirement are several key words that elaborate on its intent. First, the terms “policies” and “procedures” mean that you need to have a documented method for monitoring, assessing, and adopting additional measures to detect, prevent and mitigate new ways of committing identity theft as they are discovered.
Second, the term “ensure” emphasizes the importance of making sure that this requirement is not treated lightly. Key criteria your program should address include (1) where you will obtain your identity theft trend data, (2) who will be designated to track and record this information, and (3) what process you will follow to assess and adopt new measures into your program.
Third, the term “periodically” may be interpreted as more than once a year. Otherwise, the Committee would have used the word annually.
How Must the Plan Be Administered?
Each financial institution or creditor must provide for the proper administration of their Program and must meet the following requirements:
1. Adoption of the Initial Plan by the Board. Each financial institution or creditor must obtain initial approval of the Identity Theft Prevention Plan by its board of directors or committee of the board, or if there is no board, then by a designated Senior Manager.
2. Assign Specific Responsibility for the Program. The regulation specifically states that you should involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the program.
3. Reporting to the Board or Senior Manager. At least annually, the person or committee responsible for the Program must provide a report to the board of directors or senior manager that does the following:
- Shows the effectiveness of the Program for covered accounts
- Explains “significant events” involving identity theft and management’s response to the incidents
- Provides recommendations for material changes to the Program due to evolving risks and methods of identity theft
Am I Responsible for My Service Providers?
In a word, “yes”. Whenever a service provider is performing an activity in connection with a covered account it is your responsibility to make sure that the provider (a) has an Identity Theft Prevention Plan, and (b) is following the Identity Theft Prevention Plan. The same requirement to detect, prevent and mitigate identity theft as it pertains to covered accounts is extended to any service provider who is engaged to perform an activity in connection with the covered accounts. In order to comply with this provision there are two options:
- The financial institution or creditor could require the service provider to have a Red Flag Program of its own and report to the financial institution or creditor on the effectiveness of the program, etc.
- The financial institution or creditor could require the service provider to respond to its Red Flags appropriately to prevent and mitigate the risk of identity theft.
What about Training of Staff?
The proposed rules required each financial institution or creditor to train staff to implement its program. Consumer groups wanted the final rules to be more detailed, calling for specific oversight and audit of the covered entity’s training efforts. On the other side, financial institutions felt that they had already met the burden of training through their fraud prevention efforts.
The final rules provide that a covered entity must train staff, as necessary, to effectively implement the program. While there is no corresponding section, the Agencies stressed the importance of this requirement by stating that they continue to believe that proper training will enable the staff to address the risk of identity theft.