F.A.C.T.A. RED FLAG RULE
Identity Theft Red Flags Rule
Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate
Credit Transactions Act of 2003

   (aka Identity Theft Red Flags Rule)




Background:

The final rule on Identity Theft Red Flags and Address Discrepancies under the Fair and
Accurate Credit Transactions Act of 2003 implements sections 114 and 315 of that Act, an
amendment to the Fair Credit Reporting Act. The purpose of the Rule is to attempt to minimize
incidents of identity theft and fraud in the opening and maintenance of covered accounts by
financial institutions and creditors, as well as to address issues of address discrepancies by
users of consumer reports (credit reports and specialty consumer reports) and debit or credit
card issuers.

Summary of Key Requirements:

The final rules require each financial institution and creditor that holds any consumer account,
or other account for which there is a reasonably foreseeable risk of identity theft, to develop
and implement a written Identity Theft Prevention Program for combating identity theft in
connection with the opening of new accounts and the maintenance of existing accounts. The
Program must include reasonable policies and procedures for detecting, preventing, and
mitigating identity theft of its customers and enable a financial institution or creditor to
specifically:

  1. Identify relevant patterns, practices, and specific forms of activity that are "red flags"
  signaling possible identity theft and incorporate those red flags into the Program;
  2. Detect red flags that have been incorporated into the Program;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity
  theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The agencies also issued guidelines to assist financial institutions and creditors in developing
and implementing a Program, including a supplement that provides examples of red flags.
The final rules also require credit and debit card issuers to develop policies and procedures to
assess the validity of a request for a change of address that is followed closely by a request for
an additional or replacement card. In addition, the final rules require users of consumer reports
to develop reasonable policies and procedures to apply when they receive a notice of address
discrepancy from a consumer reporting agency.

It is important to note that, as with the Disposal Rule, the Red Flags Rule does NOT
automatically apply to every business. Under the final rule, only those financial institutions and
creditors that offer or maintain "covered accounts" must develop and implement a written
Program. For example, a restaurant that accepts credit cards as a means of one-time payment
in full by a customer who purchases a meal is not impacted; whereas, a utility company that
opens and maintains accounts for its customers is impacted.

Administration and Oversight of the Program:

Each financial institution or creditor that is required to implement a Program must provide for
the continued administration and oversight of the Program and must:

1. Obtain approval of the initial written Program from either its board of directors or an
appropriate committee of the board of directors; and

2. Involve the board of directors, an appropriate committee thereof, or a designated employee
at the level of senior management in the oversight, development, implementation and
administration of the Program; and

3. Train staff, as necessary, to effectively implement the Program; and

4. Exercise appropriate and effective oversight of service provider arrangements.

Oversight by the board of directors, an appropriate committee of the board, or a designated
employee at the level of senior management should include:

1. Assigning specific responsibility for the Program's implementation;

2. Reviewing reports prepared by staff regarding compliance by the financial institution or
creditor; and

3. Approving material changes to the Program as necessary to address changing identity theft
risks.

Staff of the financial institution or creditor responsible for development, implementation, and
administration of its Program should report to the board of directors, an appropriate committee
of the board, or a designated employee at the level of senior management, at least annually, on
compliance by the financial institution or creditor. The report should address material matters
related to the Program and evaluate issues such as: the effectiveness of the policies and
procedures of the financial institution or creditor in addressing the risk of identity theft in
connection with the opening of covered accounts and with respect to existing covered
accounts; service provider arrangements; significant incidents involving identity theft and
management's response; and recommendations for material changes to the Program.
  
Flexibility for Small Entities:

The final requirements of the Red Flags Rule were drafted in a flexible manner intended to limit
the burden on a substantial majority of low-risk entities, allowing these entities to conduct
periodic risk assessments for covered accounts and allowing the remaining minority of low-risk
entities to develop and implement different types of programs based upon their size,
complexity, and the nature and scope of their activities.

  Final Rule Effective Date: 1 January, 2008

Regulatory Agencies: (Applicable regulatory agency determined by the business' industry
or nature of business / statutory regulator)

• Office of the Comptroller of the Currency
• Federal Reserve
• Federal Deposit Insurance Corporation
• Office of Thrift Supervision
• National Credit Union Administration
• Federal Trade Commission

Question:

"To what businesses does the Red Flags Rule apply?"

Answer:

The provisions of the Red Flags Rule predominantly apply to financial institutions and
creditors that offer or maintain covered accounts, and also to users of consumer reports
and to debit or credit card issuers. As noted below, "creditor" is somewhat broadly defined,
though the key determination of a mandatory compliance requirement is triggered by the
offering or maintenance of "covered accounts" (or if the business is a user of consumer
reports or issues debit or credit cards).

Some key definitions under the Red Flags Rule include:

"Account" - Under the Red Flags Rule, "account" means: "a continuing relationship
established by a person with a financial institution or creditor to obtain a product or service for
personal, family, household or business purposes." Account specifically includes: "(i) An
extension of credit, such as the purchase of property or services involving a deferred payment;
and (ii) A deposit account."

Because a person may establish a relationship with a creditor, such as an automobile dealer or
a telecommunications provider, primarily to obtain a product or service that is not financial in
nature, "account" includes relationships with creditors that are not financial institutions, and the
definition is no longer tied to the provision of "financial" products and services.

"Covered Account" - Under the Red Flags Rule, a "covered account" means: "(i) An account
that a financial institution or creditor offers or maintains, primarily for personal, family, or
household purposes, that involves or is designed to permit multiple payments or transactions,
such as a credit card account, mortgage loan, automobile loan, margin account, cell phone
account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there
is a reasonably foreseeable risk to customers or to the safety and soundness of the financial
institution or creditor from identity theft, including financial, operational, compliance, reputation,
or litigation risks."

"Creditor" - Under the Red Flags Rule, "creditor" has the same meaning as in Section 702 of the
Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines "creditor" to include
a person who arranges for the extension, renewal, or continuation of credit, which in some
cases could also include third-party debt collectors. As outlined in the final rule, "creditor"
specifically includes, but is not limited to, lenders such as banks, finance companies,
automobile dealers, and mortgage brokers, and creditors such as utility companies,
telecommunications, and cellular/wireless companies.

"Customer" - Under the Red Flags Rule, "customer" (and "account holder") means a person
that has a covered account with a financial institution or creditor.

"Red Flag" - Under the Red Flags Rule, "red flag" means: "a pattern, practice, or specific
activity that indicates the possible existence of identity theft."

Identifying Relevant Red Flags:

(A) Risk Factors: A financial institution or creditor should consider the following factors in
identifying relevant Red Flags for covered accounts, as appropriate:

1. The types of covered accounts it offers or maintains;
2. The methods it provides to open its covered accounts;
3. The methods it provides to access its covered accounts; and
4. Its previous experiences with identity theft.

(B) Sources of Red Flags:

Financial institutions and creditors should incorporate relevant Red Flags from sources such
as:

1. Incidents of identity theft that the financial institution or creditor has experienced;
2. Methods of identity theft that the financial institution or creditor has identified that reflect
changes in identity theft risks; and
3. Applicable supervisory guidance.

(C) Categories of Red Flags:

The Program should include relevant Red Flags from the following categories, as appropriate.
Examples include, but are not limited to:

1. Alerts, notifications, or other warnings received from consumer reporting agencies or service
providers, such as fraud detection services;

2. The presentation of suspicious documents;

3. The presentation of suspicious personal identifying information, such as a suspicious
address change;

4. The unusual use of, or other suspicious activity related to, a covered account; and

5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons
regarding possible identity theft in connection with covered accounts held by the financial
institution or creditor.

Click the Link Below to View the Complete Text of
Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate
Credit Transactions Act of 2003 (256 page pdf document):

                  www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf

For More Information on these and other identity theft laws go to www.KJ3rd.com or call our office at
404-474-2273.

Made available by:

K.J. Anderson III
Certified Identity Theft Risk Management Specialist (www.tifrm.net)
President
Anderson & Associates