Published on November 2, 2008
The FACTA Red Flag Rule: Understanding the Rule and Recommendations for Compliance
Introduction

At the end of 2007, the Federal Trade Commission (FTC) and five federal bank regulatory agencies (FDIC, OCC, Federal Reserve, OTS and NCUA) jointly issued the final rules and guidelines implementing sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act). Under these regulations the “Red Flag Rule” was adopted, which requires covered companies that hold customer accounts to develop, implement, and maintain an Identity Theft Prevention Program.¹ These requirements became effective January 1, 2008, with a mandatory compliance date of November 1, 2008. In this research note we discuss the regulation, its implications, and our recommendations for compliance.

General Scope of the Red Flag Rule

The Red Flag Rule requires all financial institutions and creditors to implement an Identity Theft Prevention Program to detect, prevent and mitigate identity theft for covered accounts.¹ The Program must be documented and updated periodically, and the updates must reflect changes in the risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft. The Program must be approved by the Board of Directors (or a designated senior management employee), and the Board is also responsible for overseeing its implementation, the training of staff, and the oversight of service providers.

The Program must contain “reasonable policies and procedures” for four general elements:

• Identify and incorporate Red Flags for covered accounts
• Detect the Red Flags that are included in the Program
• Respond appropriately to those Red Flags
• Update the Program periodically to reflect changes in the risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft

Identifying Red Flags

Each financial institution or creditor is responsible for creating its own list of Red Flags.
There is no mandate that particular Red Flags be included in the list. The regulation offers general guidelines and categories for identifying Red Flags, but in essence each financial institution or creditor must itself determine and enumerate the situations, for its own accounts and customers, in which a Red Flag might occur.

¹ A covered account is defined as (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft.

© 2008 Frost & Sullivan
The regulation groups Red Flags into five broad categories, listed below with an example of each.

1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers
   Example: a credit freeze or fraud alert reported by a consumer reporting agency
2. Presentation of suspicious documents
   Example: documents that appear to be forged or altered
3. Presentation of suspicious personal identifying information
   Example: photo identification information that is inconsistent with the information on file with the financial institution or creditor (e.g., a different SSN or date of birth)
4. Unusual use of, or suspicious activity related to, a covered account
   Example: an inordinate number of withdrawals, or withdrawals of suspicious amounts, from the covered account
5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor
   Example: a call from a customer reporting an unusual pattern of activity in his account that is dissimilar from recent history

Detecting Red Flags

After creating the list of possible Red Flags, the more challenging task is defining the processes and procedures for detecting them. Financial institutions and creditors subject to new and changing regulations should view Red Flag detection as a means to the larger end of improved information security and IT security governance. A holistic view of information security and Red Flag detection helps align IT investment with business objectives: securing customer data, transactions, and identities, and thereby improving customer confidence.

There are several broad requirements for detecting Red Flags. The Red Flag requirements do not prescribe the degree to which technology should be used, but it is Frost & Sullivan’s recommendation that technology be leveraged to optimize detection.
• Obtaining and verifying the information of a person opening a covered account. The policies and procedures of the Customer Identification Program (CIP) under the USA PATRIOT Act can serve as general guidelines. Verifying a customer’s information before the account is opened is key, but can prove difficult for financial institutions and creditors. A verification system that works in real time and is not cumbersome for the prospective customer can greatly reduce operating costs and improve the customer experience. Software that generates verification questions from public databases and records gives financial institutions and creditors an unbiased approach to authentication, and one that complies with the Red Flag guidance not to rely on information “which generally would be available from a wallet or consumer report.”

• Authenticating customers of existing covered accounts. Authenticating a person by comparing a photo ID to the person presenting it is no longer sufficient on its own; more advanced verification is needed. Software that not only verifies a user ID and password but also authenticates individuals according to their assessed risk level gives both the financial institution or creditor and the customer a better authentication solution.
• Monitoring transactions on existing covered accounts. The monitoring method must do more than simply raise an alert. It must correlate the severity of a possible alert with other changes in the customer’s portfolio to deduce the actual risk the alert represents to the customer. A system that is transparent to the customer, dynamic, and self-learning can greatly reduce the number of false alerts while quickly stopping real identity-theft attempts and related patterns.

• Verifying the validity of change-of-address requests for existing covered accounts. A change of address is frequently one of the first things that occurs before fraudulent activity begins on an account. The Red Flag Rule specifically addresses changes of address on debit and credit card accounts: a card issuer that receives notification of a change of address and then, within a short period afterwards (at least the first 30 days), receives a request for an additional or replacement card for the same account must have reasonable policies and procedures to assess the validity of the address change. The issuer may not issue the card until it has satisfied at least one of the following: (1) notifying the cardholder at the former address, or by another means previously agreed upon, and providing a reasonable means for the cardholder to promptly report an incorrect address change; or (2) otherwise assessing the validity of the change of address in accordance with the issuer’s Program. Software that can validate the customer’s identity by another means, such as adaptive questioning, can reduce the delay in issuing a new card.

• Conducting regular information risk assessments throughout the infrastructure. Risk assessment services, together with discovery and classification services, ensure that threats, vulnerabilities and risks are properly identified and classified across a financial institution or creditor’s infrastructure. Likewise, security policy review services ensure that the policies and procedures implemented to detect Red Flags are adequate to support compliance objectives.
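The change-of-address requirement above is concrete enough to implement as a detection rule over an account event log: an address change followed by a card request inside the look-back window puts the request on hold until a validation event has been recorded after that change. The following is an added example written for this note, not code from Frost & Sullivan or from the regulation; the event kinds, the account identifiers and the sample log are constructed for illustration, and the 30-day window is an assumption (the rule requires at least 30 days, so an issuer may choose a longer one).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Assumption for this example: a 30-day look-back. The rule requires the check
# "during at least the first 30 days" after the address change, so an issuer
# may choose a longer window.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)

# Event kinds (names assumed for this example, not taken from the regulation).
ADDRESS_CHANGE = "address_change"
CARD_REQUEST = "card_request"                  # additional or replacement card
CONFIRMED_BY_NOTICE = "confirmed_by_notice"    # cardholder answered the notice sent to the former address
VERIFIED_OTHER_MEANS = "verified_other_means"  # validated under the Program, e.g. adaptive questioning


@dataclass(frozen=True)
class Event:
    account: str
    kind: str
    at: datetime
    note: str = ""


def evaluate_card_request(history: Iterable[Event], request: Event,
                          window: timedelta = ADDRESS_CHANGE_WINDOW) -> Tuple[str, str]:
    """Decide whether a card request may be fulfilled now.

    Returns ("issue", reason) or ("hold", reason). Only events for the same
    account at or before the request are considered.
    """
    prior = [e for e in history if e.account == request.account and e.at <= request.at]
    recent_changes = [e for e in prior
                      if e.kind == ADDRESS_CHANGE and request.at - e.at <= window]
    if not recent_changes:
        return "issue", "no address change within the look-back window"

    last_change = max(recent_changes, key=lambda e: e.at)
    # A validation only counts if it happened after the address change it is meant to validate.
    validations = [e for e in prior
                   if e.kind in (CONFIRMED_BY_NOTICE, VERIFIED_OTHER_MEANS) and e.at >= last_change.at]
    if validations:
        return "issue", (f"address change of {last_change.at:%Y-%m-%d} "
                         f"validated via {validations[-1].kind}")

    days = (request.at - last_change.at).days
    return "hold", (f"address changed {days} day(s) before this card request; "
                    "notify the cardholder at the former address (or by a previously agreed "
                    "means) with a way to report an incorrect change, or validate the change "
                    "by other means, before issuing")


def run_red_flag_check(events: List[Event]) -> List[Tuple[Event, str, str]]:
    """Replay an event log in time order and record a decision for every card request."""
    decisions: List[Tuple[Event, str, str]] = []
    seen: List[Event] = []
    for e in sorted(events, key=lambda e: e.at):
        if e.kind == CARD_REQUEST:
            decision, reason = evaluate_card_request(seen, e)
            decisions.append((e, decision, reason))
        seen.append(e)
    return decisions


# Constructed sample log for the example; not real account data.
SAMPLE_EVENTS = [
    Event("acct-1001", ADDRESS_CHANGE, datetime(2008, 9, 1, 10, 0), "web self-service"),
    Event("acct-1001", CARD_REQUEST, datetime(2008, 9, 15, 11, 0), "replacement, card reported lost"),
    Event("acct-1001", CONFIRMED_BY_NOTICE, datetime(2008, 9, 20, 14, 0), "reply to letter sent to old address"),
    Event("acct-1001", CARD_REQUEST, datetime(2008, 9, 22, 11, 0), "replacement, re-requested"),
    Event("acct-2002", ADDRESS_CHANGE, datetime(2008, 6, 1, 8, 0), "in branch"),
    Event("acct-2002", CARD_REQUEST, datetime(2008, 9, 10, 16, 45), "additional card"),
    Event("acct-3003", CARD_REQUEST, datetime(2008, 9, 12, 12, 0), "replacement"),
    Event("acct-4004", VERIFIED_OTHER_MEANS, datetime(2008, 8, 1, 9, 0), "earlier verification"),
    Event("acct-4004", ADDRESS_CHANGE, datetime(2008, 9, 5, 9, 0), "phone"),
    Event("acct-4004", CARD_REQUEST, datetime(2008, 9, 11, 12, 0), "replacement"),
]

if __name__ == "__main__":
    for ev, decision, reason in run_red_flag_check(SAMPLE_EVENTS):
        print(f"{ev.at:%Y-%m-%d} {ev.account} {decision.upper():5} {reason}")
```

Two points in the sample log are worth noting. The acct-4004 request is held even though a verification event exists, because that verification predates the address change it would have to validate; a check that only asks "has this customer ever been verified" would wave the request through. The acct-2002 request is issued because its address change is outside the window, which is exactly why an issuer should consider a window longer than the 30-day minimum.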
Ultimately, financial institutions and creditors should align their information risk management strategies with industry best practices and technology solutions to implement effective identity theft and security governance frameworks.

Preventing and Mitigating Identity Theft

The regulation states that the responses in the Program must be commensurate with the degree of risk posed, and that the financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft. The example given in the regulation is a financial institution or creditor becoming aware that a customer inadvertently provided account information to someone fraudulently claiming to represent that institution, for instance through a fraudulent website. The regulation lists the following as appropriate responses to detected Red Flags:

a. Monitoring a covered account for evidence of identity theft;
b. Contacting the customer;
c. Changing any passwords, security codes, or other security devices that permit access to a covered account;
d. Reopening a covered account with a new account number;
e. Not opening a new covered account;
f. Closing an existing covered account;
g. Not attempting to collect on a covered account, or not selling a covered account to a debt collector;
h. Notifying law enforcement; or
i. Determining that no response is warranted under the particular circumstances.

Conclusion

While many financial institutions and creditors have put processes in place to deal with identity theft, the overwhelming majority have not. The Red Flag Rule now mandates that such processes be formalized into an Identity Theft Prevention Program to detect, prevent and mitigate identity theft for covered accounts.
A holistic approach to information security can integrate compliance efforts with business objectives, focusing resources efficiently on IT governance and threat management. To achieve this, financial institutions and creditors should avoid creating internal silos to comply with new regulations one at a time, and instead protect information throughout its lifecycle so that a single set of controls satisfies multiple common regulatory requirements. Ultimately, this focuses effort on establishing effective governance procedures that can be centrally managed and remain responsive to a changing regulatory environment. It is Frost & Sullivan’s recommendation that a combination of adaptive, real-time, self-learning technology solutions be leveraged to optimize the detection of, and response to, identity theft through identity verification, authentication, monitoring, and anti-fraud capabilities.

About Frost & Sullivan

Frost & Sullivan, the Growth Consulting Company, partners with clients to accelerate their growth. The company's Growth Partnership Services, Growth Consulting and Career Best Practices empower clients to create a growth-focused culture that generates, evaluates and implements effective growth strategies. Frost & Sullivan draws on over 45 years of experience in partnering with Global 1000 companies, emerging businesses and the investment community from more than 30 offices on six continents. For more information about Frost & Sullivan’s Growth Partnerships, visit http://www.frost.com.

Contact us: 877.GoFrost (877.463.7678) • www.frost.com