How to Comply with Red Flag Rules

Simple, Easy Steps to Comply

Instantly Detect, Deter and Prevent Fraud

If you’re a creditor or financial institution with covered accounts, you must develop and implement a written Identity Theft Prevention Program. The Program must be designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones. Your Program must be appropriate to the size and complexity of your business or organization and the nature and scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Program.

Many companies already have plans in place to combat identity theft and related fraud. If that’s the case for your business, you may be able to incorporate procedures that already have proven effective in the current environment.

Here’s more on how you can tailor an Identity Theft Prevention Program that suits the nature of your business and assets as well as addresses the risks you’re likely to face.

How do I develop a compliant Identity Theft Prevention Program?

It’s a four-step process.

Step One – Identify relevant red flags. Identify the scope of operations and red flags of identity theft you’re likely to come across in your business.

Step Two – Detect red flags. Set up procedures to detect those red flags in your day-to-day operations when they occur.

Step Three – Prevent and mitigate identity theft. If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm caused by fraud.

Step Four – Update your Program. The risks of identity theft can change rapidly, so it’s important to realize that keeping your program current and your staff educated is an ongoing process.

Who must comply with the Red Flags Rules?

If you’re a creditor or financial institution with covered accounts, you must develop and implement a written Identity Theft Prevention Program. The Program must be designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones. Your Program must be appropriate to the size and complexity of your business or organization and the nature and scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Program.

Many companies already have plans in place to combat identity theft and related fraud. If that’s the case for your business, you may be able to augment your program by incorporating procedures that already have proven effective.

Step One – Identify relevant red flags.

What are “red flags”? They’re the potential patterns, practices, or specific activities indicating the possibility of identity theft. Although there is no single approach that can fit every organization’s needs, consider: 1) relevant risk factors; 2) the sources of possible red flags; and 3) the categories of common red flags.

Risk Factors: Different types of accounts pose different kinds of risk. For example, red flags for deposit accounts may differ from red flags for credit accounts. Similarly, the red flags for consumer accounts may not be the same as those for business accounts. And red flags for accounts opened or accessed online or by phone may differ from those involving face-to-face contact. Therefore, in identifying the relevant red flags, consider the types of accounts you offer or maintain; the methods used to open covered accounts; how you provide access to those accounts; and what you have learned about identity theft in your business.

Sources of Red Flags: Consider other sources of information, including how identity theft may have undermined your business and the experience of other members of your industry. Because technology and criminal techniques change constantly, keep up-to-date on emerging threats.

Categories of Common Red Flags: Supplement A to the Red Flags Rule lists five specific categories of warning signs to consider including in your Program. Some examples may be relevant to your business or organization. Some may be relevant only when combined or considered with other indicators of identity theft. The examples aren’t an exhaustive compilation or a mandatory checklist, but rather a way to help think about relevant red flags in the context of your business.

1. Alerts, Notifications, and Warnings from a Credit Reporting Company. Here are some examples of changes in a credit report or a consumer’s credit activity that may signal identity theft:

  • a fraud or active duty alert on a credit report
  • a notice of credit freeze in response to a request for a credit report
  • a notice of address discrepancy provided by a credit reporting agency
  • a credit report indicating a pattern of activity inconsistent with the person’s history – for example, a big increase in the volume of inquiries or the use of credit, especially on new accounts; an unusual number of recently established credit relationships; or an account that was closed because of an abuse of account privileges

3. Suspicious Personal Identifying Information. Identity thieves may use personally identifying information that doesn’t ring true. Here are some red flags involving identifying information:

  • inconsistencies with what else you know – for example, an address that doesn’t match the credit report, the use of a Social Security number that’s listed on the Social Security Administration Death Master File, or a number that hasn’t been issued, according to the monthly issuance tables available from the Social Security Administration
  • inconsistencies in the information the customer has given you – say, a date of birth that doesn’t correlate to the number range on the Social Security Administration’s issuance tables
  • an address, phone number, or other personal information that’s been used on an account you know to be fraudulent
  • a bogus address, an address for a mail drop or prison, a phone number that’s invalid, or one that’s associated with a pager or answering service
  • a Social Security number that’s been used by someone else opening an account
  • an address or telephone number that’s been used by many other people opening accounts
  • a person who omits required information on an application and doesn’t respond to notices that the application is incomplete
  • a person who can’t provide authenticating information beyond what’s generally available from a wallet or credit report – for example, a person who can’t answer a challenge question

4. Suspicious Account Activity. Sometimes the tip-off is how the account is being used. Here are some red flags related to account activity:

  • soon after you’re notified of a change of address, you’re asked for new or additional credit cards, cell phones, etc., or to add users to the account
  • a new account that’s used in ways associated with fraud – for example, the customer doesn’t make the first payment, or makes only an initial payment, or most of the available credit is used for cash advances or for jewelry, electronics, or other merchandise easily convertible to cash
  • an account that’s used in a way inconsistent with established patterns – for example, nonpayment when there’s no history of missed payments, a big increase in the use of available credit, a major change in buying or spending patterns or electronic fund transfers, or a noticeable change in calling patterns for a cell phone account
  • an account that’s been inactive for a long time is suddenly used again
  • mail sent to the customer that’s returned repeatedly as undeliverable although transactions continue to be conducted on the account
  • information that the customer isn’t receiving their account statements in the mail
  • information about unauthorized charges on the account.

5. Notice from Other Sources.
Sometimes a red flag that an account has been opened or used fraudulently can come from a customer, a victim of identity theft, a law enforcement authority, or someone else.

Step Two – Detect Red Flags

Once you’ve identified the red flags of identity theft for your business, it’s time to lay out procedures for detecting them in your day-to-day operations. Sometimes using identity verification and authentication methods can help you turn up red flags. Consider how your procedures may differ depending on whether an identity verification or authentication is taking place in person or at a distance – say, by telephone, mail, Internet, or wireless system.

New accounts. When verifying the identity of the person who is opening a new account, reasonable procedures may include getting a name, address, and identification number and, for in-person verification, checking a current government-issued identification card, like a driver’s license or passport. Depending on the circumstances, you may want to compare that information with the information you can find out from other sources, like a credit reporting company or data broker, the Social Security Number Death Master File, or publicly available information. Asking challenge questions based on information from other sources can be another way of verifying someone’s identity.

Existing accounts. To detect red flags for existing accounts, your Program may include reasonable procedures to authenticate customers (confirming that the person you’re dealing with really is your customer), monitor transactions, and verify the validity of change-of-address requests. For online authentication, consider the Federal Financial Institutions Examination Council’s guidance on authentication as a starting point. It explores the application of multi-factor authentication techniques in high-risk environments, including using passwords, PIN numbers, smart cards, tokens, and biometric identification. Certain types of personal information – like a Social Security number, date of birth, mother’s maiden name, or mailing address – are not good authenticators because they’re so easily accessible.

You may already be using programs to monitor transactions, identify behavior that indicates the possibility of fraud and identity theft, or validate changes of address. If that’s the case, incorporate these tools into your Program.

Step Three – Prevent and Mitigate Identity Theft

When you spot a red flag, be prepared to respond appropriately. Your response will depend upon the degree of risk posed. It may need to accommodate other legal obligations – for example, laws for medical providers or utility companies regarding the provision and termination of service.

The Guidelines in the Red Flags Rule offer examples of some appropriate responses, including:

  • monitoring a covered account for evidence of identity theft
  • contacting the customer
  • changing passwords, security codes, or other ways to access a covered account
  • closing an existing account
  • reopening an account with a new account number
  • not opening a new account
  • not trying to collect on an account or not selling an account to a debt collector
  • notifying law enforcement
  • determining that no response is warranted under the particular circumstance

The facts of a particular case may warrant using one or several of these options, or another response altogether. In determining your response, consider whether any aggravating factors heighten the risk of identity theft. For example, a recent breach that resulted in unauthorized access to a customer’s account records or a customer who gave personal information to an imposter would certainly call for a stepped-up response because the risk of identity theft would go up.

Step Four – Update the Program

The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics. Therefore, it requires periodic updates to your Program to ensure that it keeps current with identity theft risks. Factor in your own experience with identity theft; changes in how identity thieves operate; new methods to detect, prevent, and mitigate identity theft; changes in the accounts you offer; and changes in your business, such as mergers, acquisitions, alliances, joint ventures, and arrangements with service providers.

Source: FTC Facts for Business:
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.shtm

