Federal law requires banks, investment brokers, mutual funds and other financial institutions and creditors that maintain covered accounts to adopt identity theft prevention programs. This is the Red Flags Rule, so named because its central feature requires financial institutions and creditors to identify patterns, practices and specific activities that are indicators, or ‘red flags’, of identity theft. The rule was issued under FACTA (the Fair and Accurate Credit Transactions Act of 2003), which amended the Fair Credit Reporting Act, whose implementing regulation is Regulation V. Although the rule is aimed at financial institutions and creditors, any business that opens or maintains customer accounts may find it beneficial to implement.
According to the regulation, an institution’s red flag program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft, and enable a financial institution or creditor to:
- Identify specific forms of activity that are ‘red flags’;
- Detect red flags;
- Respond appropriately; and,
- Ensure periodic updates occur.
Overall, the program should be designed to detect the red flags of identity theft in day-to-day operations, take steps to prevent the crime and mitigate its damage. The bottom line is that a program can help institutions spot suspicious patterns and prevent the costly consequences of identity theft for the customer.
How to Comply
In our introduction above, we talk about how a red flags program must include four basic elements that create a framework to deal with the threat of identity theft. The following points expand on how an institution can comply with requirements of the Red Flags Rule:
- A program must include reasonable policies and procedures to identify the red flags of identity theft that may occur in your day-to-day operations. Red flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that doesn’t look genuine is a red flag for your business.
- A program must be designed to detect the red flags you’ve identified. If you have identified fake IDs as a red flag, for example, you must have procedures to detect possible fake, forged or altered identification.
- A program must spell out appropriate actions you’ll take when you detect red flags.
- A program must detail how you’ll keep it current to reflect new threats.
Simply completing a red flags risk assessment or creating a policy is not enough to achieve the objectives of the regulation. The program must be incorporated into daily business operations and procedures.
Having a strong red flags program helps financial institutions ensure customers are protected against identity theft and fraud. The program should have specific features: appropriate policies and procedures, elements tied to the risks identified, detailed actions to take for incidents that are discovered, and a process for keeping the program current against new threats. By being vigilant and following the procedures that are integrated into our daily operations, we can all help protect against these crimes, improve the overall customer experience, and provide the protection our customers deserve.
Sources
Office of the Comptroller of the Currency: https://www.occ.treas.gov/topics/bank-operations/financial-crime/identit...
Federal Trade Commission:
- https://www.ftc.gov/news-events/press-releases/2007/10/agencies-issue-fi...
- https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identi...
Bankers Online: https://www.bankersonline.com/regulations/12-222-suppa