Identity Theft: Business Information

New 'Red Flags' Requirement for Financial Institutions and Creditors Will Help Fight Identity Theft

The Federal Trade Commission (FTC) has once again delayed full enforcement of the new identity theft prevention measure known as the "Red Flags Rule." Many of the businesses compelled by the FTC to comply with these changes now have a little breathing room with a new deadline of June 1, 2010 to meet.

This is the fourth extension since the rules first came into existence. Initially, the enforcement of the Red Flags Rule was expected to occur by November 1, 2008, then extended through May, 2009. Then once again, compliance dates were extended through this November 2009. Now the FTC has again, at the request of Congress, delayed the full compliance date through June 2010. This latest extension of time doesn't apply to banks, credit card issuers, credit unions, and other businesses regulated by the National Credit Union Administration and federal bank regulatory agencies who were previously mandated to meet full compliance with the "Red Flags Rule."

Part of the Fair and Accurate Credit Transactions Act of 2003, the Red Flags Rule are designed to shore up identity protection in an effort to reduce the incidence of identity theft, which has reached phenomenal numbers and percentages. Finally, a viable effort to prevent easy access to an individual's financial resources is being made as directed by Congress to the FTC.

This federal mandate increases the requirements for customer identification procedures for several types of companies and financial institutions. The companies that are forced to comply with these changes are not determined by their line of business, but rather, by whether or not their business practices fall within certain parameters.

The Red Flags Rule will have repercussions for both customers and financial institutions. For companies, it is going to entail a great deal more work. For customers, it is going to involve the presentation of more forms of identification proof. That's not a bad thing. Consumers are going to be required to show this proof to financial companies more frequently -something that is a commonsense measure that should have been required long ago.

True, the financial companies might need to spend a bit more to incorporate these measures. Plus, the customers might need to be a bit more patient when accessing their accounts as they are asked to present additional forms of identification. However, this practice is a lot more secure than simply hoping that no one steals your identity and runs off with your money. Those businesses that store our information will now be required to better protect it and have a written plan in place for all employees that handle our sensitive date.

The measures themselves are referred to as the Red Flags Rule simply because they include a list of 26 red flags that "creditors" should be watching for when dealing with customers. These red flags were compiled through the joint efforts of the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Treasury Department's Office of Thrift Supervision, the Federal Deposit Insurance Corp., and the Federal Reserve System.

Each red flag rule is designed to help prevent identity theft by identifying or detecting specific activities or patterns that are indicative of identity theft and creating a response to prevent these practices from developing into full fledged theft of an individual's identity.

The 26 Red Flags as provided by the Federal Trade Commission are:

 1. A consumer report that includes a fraud alert.
 2. Notice of a credit freeze prompted by a request for a consumer report.
 3. A notice of address discrepancy provided by a consumer reporting agency.
 4. Unusual credit activity including new acquisitions or inquiries.
 5. The documentation provided for identification purposes appears to be questionable.
 6. The photograph presented for photo identification does not resemble the individual in person.
 7. The individual opening an account provides inconsistent information from that included on the papers presented for identification.
 8. The records held at the financial institution and those presented by an individual are not consistent.
 9. The application appears to be altered in some way.
10. The Social Security Number is questionable due to address, appearance on Death Master File, or associated filing.
11. A lack of correlation appears between the Social Security Number sequence and the individual's date of birth.
12. Presented identification information is related to existing fraud case or activity.
13. Phone numbers associated with answering service or pager or suspicious addresses provided such as a mail drop box.
14. The Social Security Number has already been presented by another customer.
15. A frequently used address or phone number.
16. Additional information cannot be provided when requested.
17. Personal information that is presented is not consistent with the information that is on file.
18. Challenge questions cannot be answered.
19. Request for additional users on an account immediately after a change of address on the account.
20. New credit is used for certain types of purposes including cash advances or high-end electronics.
21. Payment patterns change drastically.
22. Inactive accounts are suddenly awakened to frequent use.
23. Returned mail for current accounts.
24. Customer complaint about statements not arriving in the mail.
25. Customer complaint about unauthorized charges to an account.
26. The financial institution receives notification that the account was fraudulently opened by an individual known for committing identity theft.

Each financial institution that is compelled by law to enforce the Red Flags Rule is required to create a formal written policy of response to each individual red flag. This formal policy must be carried out every single time potential red flags appear. In fact, the companies involved are required to document the steps that are taken along with the results in order to provide proof that they have ensured that the particular red flag in evidence isn't related to identity theft.

The premise behind the incorporation of such rules is that identity theft will become more difficult to achieve and consumers will be protected in a manner that actually does protect their data and finances. As with any change, the growing pains are bound to put some people off, but the end result truly is worth it in this case.

Identity theft can ruin lives. It can create years of frustration. It is certainly about time to incorporate safeguards that actually protect consumers should someone gain access to their stored personal information. While these measures are not going to do away with identity theft, they will help to reduce the risk and impact on some level.

The below information comes from the Federal Trade Commission;

The Red Flags Rules apply to "financial institutions" and "creditors" with "covered accounts."

Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC's jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft-for example, small business or sole proprietorship accounts.

Complying with the Red Flags Rules

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs-or "red flags"-of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

How flexible are the Red Flags Rules?

The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations. Guidelines issued by the FTC, the federal banking agencies, and the NCUA (ftc.gov) should be helpful in assisting covered entities in designing their programs. A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:

• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information, such as a suspicious address;
• unusual use of-or suspicious activity relating to-a covered account; and
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts. More detailed compliance guidance on the Red Flags Rules will be forthcoming. For questions about compliance with the Rules, you may contact RedFlags@ftc.gov.

Some key definitions under the Red Flags Rule include:
"Account"-Under the Red Flags Rule, "account" means: "a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes." Account specifically includes: "(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and (ii) A deposit account."

Because a person may establish a relationship with a creditor, such as an automobile dealer or a telecommunications provider, primarily to obtain a product or service that is not financial in nature, "account" includes relationships with creditors that are not financial institutions, and the definition is no longer tied to the provision of "financial" products and services.

"Creditor"-Under the Red Flags Rule, "creditor" has the same meaning as Section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines "creditor" to include a person who arranges for the extension, renewal, or continuation of credit, which in some cases could also include third-party debt collectors. As outlined in the final rule, "creditor" specifically includes, but is not limited to, lenders such as banks, finance companies, automobile dealers, and mortgage brokers, and creditors such as utility companies, telecommunications, and cellular /wireless companies.

"Customer"-Under the Red Flags Rule, "customer" (and "account holder") means a person that has a covered account with a financial institution or creditor.

"Red Flag"-Under the Red Flags Rule, "red flag" means: "a pattern, practice, or specific activity that indicates the possible existence of identity theft."

"Covered Account"-Under the Red Flags Rule, a "covered account' means:

• An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
• Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks."

Summary of Key Requirements:

The final rules requires each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts.

The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft of its customers and enable a financial institution or creditor to specifically:

• Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program; 
• Detect red flags that have been incorporated into the Program;
• Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
• Ensure the Program is updated periodically to reflect changes in risks from identity theft.