Identity Theft: Business Information
New 'Red Flags' Requirement for Financial Institutions and Creditors Will Help Fight Identity Theft
The Federal Trade Commission (FTC) has delayed full enforcement of the new identity theft prevention measure known as the "Red Flags Rule" a number of times. However, after several years of delay, the Red Flags Rule finally became law in December 2010.
What is the Red Flags Rule? It requires businesses to create a written identity theft prevention program. First introduced in Congress in 2007, it finally became federal law without much fanfare on Dec. 31, 2010.
Although the law was designed to protect consumers, CFO Magazine points out that identity theft costs businesses big bucks too. TJ Maxx's 2007 credit card breach cost the retailer $256 million!
Under the Red Flags Rule, a business defined as a "creditor" must have written policies in place to spot the "red flags" of identity theft. An acceptable identity theft prevention plan must have procedures in place to detect, prevent and mitigate identity theft. The plan must include training for employees and subcontractors and periodic reevaluation for new security risks. To mitigate identity theft, a strong plan should also include a proactive protection solution to cover the affected individuals. Credit monitoring is not enough!
The types of crimes consumers face today are not as simple to clean up as closing a credit card. Whether our personal information is used to commit other crimes, clean out our bank accounts, file false tax returns, steal our home equity, or obtain utilities, employment, or government and medical benefits, the crime can follow us for years to come.
Though the creation of the Red Flags Rule would seem amenable to all, it wasn't quite that easy.
The Red Flags Rule, as originally drafted, required any business to comply if it extended credit. Insurance and medical industries, among other professionals, argued that the Rule as defined would be overly burdensome to small businesses.
The Red Flags Rule as finally implemented has a much narrower definition. According to the FTC, creditors must meet one of three criteria. They must:
• obtain or use consumer reports in connection with a credit transaction;
• furnish information to consumer reporting agencies in connection with a credit transaction; or
• advance funds to -- or on behalf of -- someone, except for funds for expenses incidental to a service provided by the creditor to that person.
In other words, a dentist who bills you after a root canal, or a wireless phone carrier that sends you a monthly statement, is not a "creditor" for the purposes of this law, but a car dealer's finance office would be.
What I don't understand is why any business, small or large, would put on blinders about the impact that data theft crimes could have on them. We hear daily about losses brought by massive cyber-attacks and data breaches at multi-national companies like Sony or Citibank, and the millions of consumers affected.
We may not always hear about what happens when a school or small business discovers a corrupt employee is selling other people's Social Security numbers out the back door. Or what happens when a hospital employee sells patients' medical or financial records to members of an organized identity theft ring? Would a business owner prefer to spend time developing a plan to detect identity theft risks on the front end, or spend time and money dealing with police, potential lawsuits, negative publicity and angry victims after a breach occurs?
When just one data breach can bring about such misery, why wouldn't every business want to implement the Red Flags Rule, whether or not required to? When it comes to reading about the costly effects of a data breach, there is but one certainty: no business, small or large, wants to see its name in the headlines!
The Red Flags Rule will have repercussions for both customers and financial institutions. For companies, it is going to entail a great deal more work. For customers, it is going to involve presenting more forms of identification proof. That's not a bad thing. Consumers are going to be required to show this proof to financial companies more frequently, a commonsense measure that should have been required long ago.
True, the financial companies might need to spend a bit more to incorporate these measures. Plus, customers might need to be a bit more patient when accessing their accounts as they are asked to present additional forms of identification. However, this practice is a lot more secure than simply hoping that no one steals your identity and runs off with your money. Those businesses that store our information will now be required to better protect it and have a written plan in place for all employees that handle our sensitive data.
The measures themselves are referred to as the Red Flags Rule simply because they include a list of 26 red flags that "creditors" should be watching for when dealing with customers. These red flags were compiled through the joint efforts of the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Treasury Department's Office of Thrift Supervision, the Federal Deposit Insurance Corp., and the Federal Reserve System.
Each red flag is designed to help prevent identity theft by identifying or detecting specific activities or patterns that are indicative of identity theft, and by prompting a response that stops these practices from developing into full-fledged theft of an individual's identity.
The 26 Red Flags as provided by the Federal Trade Commission are:
1. A consumer report that includes a fraud alert.
2. Notice of a credit freeze prompted by a request for a consumer report.
3. A notice of address discrepancy provided by a consumer reporting agency.
4. Unusual credit activity including new acquisitions or inquiries.
5. The documentation provided for identification purposes appears to be questionable.
6. The photograph presented for photo identification does not resemble the individual in person.
7. The individual opening an account provides inconsistent information from that included on the papers presented for identification.
8. The records held at the financial institution and those presented by an individual are not consistent.
9. The application appears to be altered in some way.
10. The Social Security Number is questionable due to address, appearance on Death Master File, or associated filing.
11. A lack of correlation appears between the Social Security Number sequence and the individual's date of birth.
12. Presented identification information is related to existing fraud case or activity.
13. Phone numbers associated with an answering service or pager, or suspicious addresses such as a mail drop box.
14. The Social Security Number has already been presented by another customer.
15. A frequently used address or phone number.
16. Additional information cannot be provided when requested.
17. Personal information that is presented is not consistent with the information that is on file.
18. Challenge questions cannot be answered.
19. Request for additional users on an account immediately after a change of address on the account.
20. New credit is used for certain types of purposes including cash advances or high-end electronics.
21. Payment patterns change drastically.
22. Inactive accounts are suddenly awakened to frequent use.
23. Returned mail for current accounts.
24. Customer complaint about statements not arriving in the mail.
25. Customer complaint about unauthorized charges to an account.
26. The financial institution receives notification that the account was fraudulently opened by an individual known for committing identity theft.
Each financial institution that is compelled by law to enforce the Red Flags Rule is required to create a formal written policy of response to each individual red flag. This formal policy must be carried out every single time potential red flags appear. In fact, the companies involved are required to document the steps that are taken along with the results in order to provide proof that they have ensured that the particular red flag in evidence isn't related to identity theft.
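As an added illustration (not code from the page or from the FTC), the Python below checks a few of the listed flags (14, 15, 19 and 23) against constructed application and account-event records and returns one finding per triggered flag, the kind of record that the documentation requirement above asks a program to keep. The address-reuse threshold and the 30-day window are assumed tunables, not values from the Rule.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the page): new-account applications and later events.
APPLICATIONS = [
    {"acct": "A1", "ssn": "123-45-6789", "address": "10 Main St"},
    {"acct": "A2", "ssn": "123-45-6789", "address": "77 Elm Ave"},
    {"acct": "A3", "ssn": "987-65-4321", "address": "10 Main St"},
    {"acct": "A4", "ssn": "555-12-3456", "address": "10 Main St"},
    {"acct": "A5", "ssn": "111-22-3333", "address": "10 Main St"},
]
EVENTS = [  # (account, date, event type), in chronological order
    ("A2", date(2010, 7, 1), "address_change"),
    ("A2", date(2010, 7, 3), "add_authorized_user"),
    ("A3", date(2010, 7, 4), "returned_mail"),
    ("A1", date(2010, 8, 1), "address_change"),
    ("A1", date(2010, 10, 15), "add_authorized_user"),  # outside the window: no flag
]


def detect_red_flags(applications, events, addr_threshold=3, window_days=30):
    """Return one finding per triggered flag so the response can be documented."""
    findings = []
    by_ssn, by_addr = defaultdict(list), defaultdict(list)
    for app in applications:
        by_ssn[app["ssn"]].append(app["acct"])
        by_addr[app["address"]].append(app["acct"])
    # Flag 14: the same SSN presented by more than one customer.
    for ssn, accts in by_ssn.items():
        if len(accts) > 1:
            findings.append({"flag": 14, "accts": accts, "evidence": f"SSN shared by {len(accts)} accounts"})
    # Flag 15: an address reused across many accounts (threshold is an assumed tunable).
    for addr, accts in by_addr.items():
        if len(accts) >= addr_threshold:
            findings.append({"flag": 15, "accts": accts, "evidence": f"address {addr!r} on {len(accts)} accounts"})
    # Flag 19: additional user requested shortly after an address change on the same account.
    last_addr_change = {}
    for acct, when, kind in events:
        if kind == "address_change":
            last_addr_change[acct] = when
        elif kind == "add_authorized_user" and acct in last_addr_change:
            gap = when - last_addr_change[acct]
            if gap <= timedelta(days=window_days):
                findings.append({"flag": 19, "accts": [acct], "evidence": f"new user {gap.days} days after address change"})
        # Flag 23: returned mail on a current account.
        elif kind == "returned_mail":
            findings.append({"flag": 23, "accts": [acct], "evidence": "mail returned"})
    return findings
```

Each finding carries the flag number and the evidence that triggered it, which is what a reviewer needs when recording the steps taken and their result.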
The premise behind the incorporation of such rules is that identity theft will become more difficult to achieve and consumers will be protected in a manner that actually does protect their data and finances. As with any change, the growing pains are bound to put some people off, but the end result truly is worth it in this case.
Identity theft can ruin lives. It can create years of frustration. It is certainly about time to incorporate safeguards that actually protect consumers should someone gain access to their stored personal information. While these measures are not going to do away with identity theft, they will help to reduce the risk and impact on some level.
The information below comes from the Federal Trade Commission:
The Red Flags Rules apply to "financial institutions" and "creditors" with "covered accounts."
Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC's jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.
A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft, for example, small business or sole proprietorship accounts.
Complying with the Red Flags Rules
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs, or "red flags," of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
How flexible are the Red Flags Rules?
The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations. Guidelines issued by the FTC, the federal banking agencies, and the NCUA (ftc.gov) should be helpful in assisting covered entities in designing their programs. A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:
- alerts, notifications, or warnings from a consumer reporting agency;
- suspicious documents;
- suspicious personally identifying information, such as a suspicious address;
- unusual use of, or suspicious activity relating to, a covered account; and
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
More detailed compliance guidance on the Red Flags Rules will be forthcoming. For questions about compliance with the Rules, you may contact RedFlags@ftc.gov.
Some key definitions under the Red Flags Rule include:
"Account": Under the Red Flags Rule, "account" means "a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes." Account specifically includes: "(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and (ii) A deposit account."
Because a person may establish a relationship with a creditor, such as an automobile dealer or a telecommunications provider, primarily to obtain a product or service that is not financial in nature, "account" includes relationships with creditors that are not financial institutions, and the definition is no longer tied to the provision of "financial" products and services.
"Creditor": Under the Red Flags Rule, "creditor" has the same meaning as in Section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines "creditor" to include a person who arranges for the extension, renewal, or continuation of credit, which in some cases could also include third-party debt collectors. As outlined in the final rule, "creditor" specifically includes, but is not limited to, lenders such as banks, finance companies, automobile dealers, and mortgage brokers, and creditors such as utility companies, telecommunications companies, and cellular/wireless companies.
"Customer": Under the Red Flags Rule, "customer" (and "account holder") means a person that has a covered account with a financial institution or creditor.
"Red Flag": Under the Red Flags Rule, "red flag" means "a pattern, practice, or specific activity that indicates the possible existence of identity theft."
"Covered Account": Under the Red Flags Rule, a "covered account" means:
- "An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
- Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks."
Summary of Key Requirements:
The final rule requires each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts.
The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft of its customers and enable a financial institution or creditor to specifically:
- Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;
- Detect red flags that have been incorporated into the Program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks from identity theft.