Click here to access the full text of the Red Flags Rule
or check out the summary below to read what you must already be doing even though the FTC has delayed enforcement again until December 31, 2010:
IMMAAG Red Flag Rule Summary
What is a “Red Flag”?
What do you need to do to comply with the new rule?
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) established a requirement for the implementation of an Identity Theft “Red Flags” Rule by January 1, 2008. Subsequently, in order to allow time for businesses to implement the rule, the deadline was extended to November 1, 2008.
The FTC and five other federal agencies: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration issued the final “Red Flag” rules on October 31, 2007. The purpose of the rules is to minimize incidents of Identity Theft and Fraud related to the handling of customers’ non-public information.
The Rules apply to federal banks, state and federal loan associations, mutual savings banks, state or federal credit unions, finance companies, automobile dealers and mortgage companies including brokers.
The new rules are documented in just over 250 pages of regulation. And, while on the surface compliance may appear to be fairly straightforward, just reading the novel-length requirements can send the untrained regulation interpreter into a mind-numbing fog.
“Red Flag” Rule requirements:
The rules require that the program be in writing. There isn’t a “one size fits all” prescribed solution. Each entity has the flexibility to structure its own program based on its interpretation of the applicability of the rules and its business practices. The major requirement is that the written program must detect, prevent and mitigate Identity Theft.
Each Identity Theft prevention program must:
• Identify “Red Flags”. Incorporate into your business a process of identifying relevant patterns, practices, and specific activities that are “red flags” and may signal possible Identity Theft.
• Detect “Red Flags”. Develop a process of detecting “red flags” by obtaining specific identifying information about your clients and then verifying their identity.
• Respond to “Red Flags”. Responding to “Red Flags” requires “appropriate responses” that prevent and mitigate identity theft. Examples include contacting the consumer or notifying law enforcement.
• Be approved by the board of directors or senior management. Not only must the plan be approved, a senior manager must be designated for oversight, development, implementation and administration of the program. The program must specify responsibility for program implementation, staff training, audit compliance, annual reporting and employee supervision.
• Be periodically updated. The implemented program may not just sit on a shelf. The program must be updated periodically to reflect changes in the risks from Identity Theft.
The Federal Trade Commission identified 26 “sample” Red Flags. The list is not meant to be comprehensive, but provides guidance for consideration in implementing the program.
26 “Red Flags”:
1. A fraud alert included with a consumer report.
2. Notice of a credit freeze in response to a request for a consumer report.
3. A consumer-reporting agency providing a notice of address discrepancy.
4. Unusual credit activity, such as an increased number of accounts or inquiries.
5. Documents provided for identification appearing altered or forged.
6. Photograph on ID inconsistent with appearance of customer.
7. Information on ID inconsistent with information provided by person opening account.
8. Information on ID, such as signature, inconsistent with information on file at financial institution.
9. Application appearing forged or altered or destroyed and reassembled.
10. Information on ID not matching any address in the consumer report; Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased.
11. Lack of correlation between Social Security number range and date of birth.
12. Personal identifying information associated with known fraud activity.
13. Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service.
14. Social Security number provided matching that submitted by another person opening an account or other customers.
15. An address or phone number matching that supplied by a large number of applicants.
16. The person opening the account unable to supply identifying information in response to notification that the application is incomplete.
17. Personal information inconsistent with information already on file at financial institution or creditor.
18. Person opening account or customer unable to correctly answer challenge questions.
19. Shortly after change of address, creditor receiving request for additional users of account.
20. Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment.
21. Drastic change in payment patterns, use of available credit or spending patterns.
22. An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.
23. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account.
24. Financial institution or creditor notified that customer is not receiving paper account statements.
25. Financial institution or creditor notified of unauthorized charges or transactions on customer's account.
26. Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft.
Source: Federal Trade Commission
Use the list to guide your development and apply the flags that fit your business.
The “Red Flags” that apply to you depend on a number of factors, including:
> the type of business you are providing,
> your company’s previous experiences with Identity Theft.
The program developed must consider these and other factors, as well as various sources and categories of “Red Flags” identified in the guidelines.
Considerations for the content of the Red Flag Identity Theft Program:
First, incorporate the Theft Program into current Policies and Procedures. Some of the activities and areas that you will want to consider include:
1. Record destruction. Adequately shred, burn, or pulverize papers containing non-public information to prevent reading or reconstruction.
2. Computer Security
a. Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
b. Email security – encrypt personal data being sent over the web or through email.
c. Stored electronic private information and data should be encrypted.
d. Encrypt document storage
e. Consider security and access to physical storage.
f. Use computer system firewalls.
g. Install and maintain antivirus software protection.
h. Consider password protection and lockdown of your computers.
i. How are laptops and other mobile devices secured?
3. Building/office security
4. Background screening of all employees and service providers.
5. Associate training on the Identity Theft Program.
6. Reporting and dealing with identity theft, including the filing and maintaining of Suspicious Activity Reports (SARs).
7. Pre-funding check of borrower information for “red flags” and fraud:
a. What information to obtain from the customer
b. How to evaluate the information provided. Using third party validating sources is a possible option.
c. Appropriate responses when a red flag is detected. Assess whether the red flag evidences a risk of identity theft; your response must be commensurate with the degree of risk posed.
d. How to document the conclusion – The rule requires regular reports on the program’s effectiveness.
8. Implement a Disaster Recovery Plan. All data whether electronic or physical must be secured from loss due to environmental hazards such as floods, as well as from technological hazards such as system failures.
9. Test and periodically update the Identity Theft Program.
10. Board of Directors or Senior Management approval and annual review of the program.
In the final analysis, the Red Flag Program is intended to reflect the documented focus of your company, its Board of Directors and senior management on the detection, prevention and mitigation of identity theft. When properly executed based on consideration of your company’s business and practices, the Program documents the policies and procedures that enable compliance with this new FTC and Agency rule. The ongoing reports and reviews ensure data, employee and customer protection and help the company protect against the potentially disastrous financial consequences of non-compliance.
With all of the changes it's easy to procrastinate on this one!
But if you do and happen to end up with a challenge to your compliance it could be costly!
IMMAAG encourages every registered user, visitor and subscriber to take this issue seriously. With our business partner, idBusiness, we offer a time-efficient, economical solution. But, whether you choose to take advantage of the IMMAAG/idBusiness option or another solution, at least get a compliant program in place and do it NOW – don't put it off just because the FTC has stopped extending enforcement. You are required to comply NOW. The enforcement date of December 31, 2010 provides the chance to protect yourself before the FTC begins enforcing. But why risk an unprotected breach detected by someone else? Go to the IMMAAG/idBusiness solution page by clicking here and put this important task behind you, TODAY!