Last October, six federal agencies issued final rules imposing anti-identity-theft requirements on financial institutions, creditors, credit and debit card issuers, and users of consumer credit reports. The new "red flags" regulation implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and calls for every financial institution or creditor to develop and implement a written "identity theft prevention program." (See "Basics of the new rules," p. 54.) The final rules became effective on Jan. 1, 2008, and full compliance is required by Nov. 1, 2008.
The identity theft prevention program is at the heart of the new rules. Each financial institution or creditor must establish a program that sets policies and procedures to identify which key indicators of possible identity theft are relevant; detects them when they occur; and responds appropriately when they are detected. As the environment changes, either through internal changes in the organization or the development of new techniques on the part of identity thieves, the program must be updated.
Though complying with these rules may be challenging to some affected organizations, like car dealers or retailers, the policies and procedures required won't be new to most banks and savings institutions.
Obtaining and verifying identifying information about a person opening an account should be second nature to them, given such factors as the customer identification program requirements they must already fulfill in the Bank Secrecy Act/anti-money-laundering area. Authenticating customers, monitoring transactions, and verifying the validity of change-of-address requests for existing accounts should be business as usual.
What's new in these rules is their specificity. The regulations include guidelines listing 26 patterns, practices, and specific forms of activity that should raise a "red flag" signaling a possible risk of identity theft.
But the list is not intended to be comprehensive. Rather, in the words of the regulators, "when identifying red flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject."
Each organization might do well to consider this guidance when developing internal controls, structuring a program that is specific to its business lines and complies with the regulations, while maintaining a high level of vigilance (to see changes in the environment) and flexibility (to evaluate and adjust procedures in response to those changes).
Identifying relevant red flags
The indicators listed in the guidelines are classified into five categories:
1. Alerts, notifications or warnings from a consumer reporting agency. If a fraud or active duty alert is included with a consumer's credit report, or a credit reporting agency provides a notice of credit freeze in response to a request for a consumer report, this is the most obvious type of red flag.
2. Suspicious documents. Do the documents provided for identification appear to have been altered or forged? Is information on the identification inconsistent with information provided by the person presenting it, whether an existing client or a new customer?
3. Suspicious personal identifying information. When compared against external information sources, is personal identifying information inconsistent? Some examples include cases where the address does not match any address in the credit report, the Social Security Number has not been issued, or the Social Security Number is listed on the Social Security Administration's Death Master File. Another example would be failure to provide all the information required on an application, even when asked twice. If the phone number provided by an applicant is invalid, or is an answering service or a pager, this could raise suspicion. …