Technically in place since January, the FTC's red flag rules designed to prevent identity theft become fully effective November 1. The regulations require businesses extending credit to customers to have comprehensive programs in place for verifying an applicant's identity, and for taking specific actions if a potential fraud is detected.
The FTC outlines a four-step process:
1. Identifying "red flags." This involves adopting a company-specific written policy.
2. Detecting red flags, meaning applying the new written policy.
3. Responding to red flags.
4. Updating policies.
What Do You Have to Do by 11/1?
Businesses listed among those required to comply predictably include banks, credit unions and mortgage brokers, but also utility companies, telecommunications companies, healthcare providers, debt collectors and auto dealers, all businesses that offer accounts "for which there is a reasonably foreseeable risk to customers or the safety and soundness of ... the creditor from identity theft." And while identity theft primarily has been directed at consumers, the FTC made it clear that small businesses have also been targets of identity theft.
Each business's program can be tailored to its size, complexity and the nature of its use of credit. A large bank, for example, needs to have much more extensive policies than a lumberyard or plumbing supplier.
That's good because, while most financial institutions have been working on red flag programs for some time, many businesses in the "small auto dealer" or "building supplier" category are just learning the extent to which they are impacted, and racing to come to terms with what exactly that means.
The first step, defining a process for identifying red flags, involves the time-consuming effort of going through the guidelines to assess the degree to which a business is required to comply. Once in place, the company's written policy must be followed during every transaction that involves pulling credit or the use of other Fair Credit Reporting Act (FCRA) data.
What Constitutes a Red Flag?
A "red flag" is a pattern, practice or specific activity that indicates the possible risk of identity theft. In its guidelines, the FTC specifies 26 red flag examples but says that, depending on the type of business, the actual number may vary.
As the guidelines evolved and the deadline approached, the agencies writing the rules recognized that the final rules and guidelines cover a wide variety of financial institutions and creditors offering many different products and services, and that those businesses need the flexibility to adapt to rapidly changing identity theft risks. This flexibility is good from an implementation standpoint, but the liability should a business miss something based on its own interpretation of the rules is unclear.
The guidelines do identify five categories of potential red flags:
1. Suspicious documents, including:
* Driver's license that appears to have been altered or forged
* Photographs and physical description on a driver's license that don't match the applicant
* Credit application that appears to be altered or forged
2. Suspicious activity, such as:
* Delinquent accounts where there is no history of late or missed payments
* Notice from a customer that the customer is not receiving paper account statements
* Notice of unauthorized charges or transactions
3. Inconsistencies between credit reports and application data: name, SSN, DOB, address, phone, driver's license information
4. Inconsistencies between personal ID data such as SSNs and data from external information sources
5. Notices of fraud on an account
The first two red flag categories, suspicious documents and activities, require physical inspection of ID documents and a review of existing accounts. Companies should formulate an internal checklist to review before proceeding with a transaction.
Common document-related indicators include an applicant who fails to provide all required personal identifying information on an application, or in response to notification that the application is incomplete. Activity-related red flags include an account that has been inactive for a long period and is suddenly used, or mail sent to a customer that is repeatedly returned as undeliverable while transactions continue to be conducted on the customer's covered account. Other good indicators include requests for replacement customer charge cards or account passwords right after an address change is recorded; breaks in payment patterns, such as sudden nonpayment when there is no history of late or missed payments; or changes to electronic fund transfers.
To deal with the next two categories involving inconsistencies, businesses need to develop a template that weighs the importance of particular inconsistencies. Basically what's needed is a "pass/fail" or "if/then" decisioning matrix of what steps to take throughout the screening process.
The last category, instances where a business is actually notified by a customer, an identity theft victim or law enforcement authorities that an identity may have been stolen, is pretty clear-cut.
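The "pass/fail" decisioning matrix for the inconsistency categories, with the incomplete-application and fraud-notice categories folded in, can be sketched in a few dozen lines of code. The following is an added example written for this page; it is not code from the article or from Microbilt. The field names, weights, thresholds and sample records are all constructed assumptions, since the FTC guidelines name the categories but do not prescribe weights or scores.

```python
"""Red-flag screening with an if/then decisioning matrix.

Added example, not code from the original article or from Microbilt.
Field names, weights, thresholds and the sample records below are
constructed assumptions for illustration; the FTC guidelines do not
prescribe specific weights.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # "document", "inconsistency" or "notice"
    detail: str
    weight: int


# Assumed weights for application-vs-credit-report mismatches (category 3).
# An SSN mismatch alone should stop the transaction; an address or phone
# mismatch is common (recent move) and only warrants a closer look.
WEIGHTS = {"ssn": 5, "dob": 3, "name": 2, "address": 1, "phone": 1}

# Fields an application must carry before it is screened (category 1).
REQUIRED = ("name", "ssn", "dob", "address")

REVIEW_THRESHOLD = 2   # assumed: score at or above this -> manual review
FAIL_THRESHOLD = 5     # assumed: score at or above this -> do not open


def normalize(value):
    """Compare on letters and digits only so '123-45-6789' == '123456789'."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def compare_fields(application, credit_report):
    """Category 3: one finding per mismatch between application and report."""
    findings = []
    for name, weight in WEIGHTS.items():
        a, c = application.get(name), credit_report.get(name)
        if a and c and normalize(a) != normalize(c):
            findings.append(Finding("inconsistency",
                                    f"{name}: application {a!r} vs report {c!r}",
                                    weight))
    return findings


def screen(application, credit_report, notices=()):
    """Return (decision, score, findings) for one transaction.

    decision is "pass", "review" or "fail"; the caller acts on it with the
    responses the guidelines list (contact the customer, do not open, ...).
    """
    findings = []
    missing = [f for f in REQUIRED if not application.get(f)]
    if missing:
        findings.append(Finding("document",
                                "incomplete application: " + ", ".join(missing), 2))
    findings.extend(compare_fields(application, credit_report))
    # Category 5: a fraud notice from the customer, a victim or law
    # enforcement is a hard stop regardless of anything else.
    if notices or "fraud_alert" in credit_report.get("alerts", ()):
        findings.append(Finding("notice", "fraud notice on file", FAIL_THRESHOLD))
    score = sum(f.weight for f in findings)
    if score >= FAIL_THRESHOLD:
        decision = "fail"
    elif score >= REVIEW_THRESHOLD:
        decision = "review"
    else:
        decision = "pass"
    return decision, score, findings


# Constructed sample records (fictitious applicant, test-pattern SSN).
REPORT = {"name": "Jane Q. Doe", "ssn": "123456789", "dob": "1970-01-01",
          "address": "12 Main St", "phone": "(609) 555-0100", "alerts": []}
CLEAN_APP = {"name": "Jane Q Doe", "ssn": "123-45-6789", "dob": "1970-01-01",
             "address": "12 Main St", "phone": "609-555-0100"}
MOVED_APP = dict(CLEAN_APP, address="99 Oak Ave", phone="215-555-0199")
SSN_APP = dict(CLEAN_APP, ssn="987-65-4321")

if __name__ == "__main__":
    for label, app in (("clean", CLEAN_APP), ("moved", MOVED_APP), ("ssn", SSN_APP)):
        decision, score, findings = screen(app, REPORT)
        print(f"{label}: {decision} (score {score})")
        for f in findings:
            print(f"  [{f.category}] {f.detail}")
    decision, _, _ = screen(CLEAN_APP, dict(REPORT, alerts=["fraud_alert"]))
    print(f"fraud alert on clean application: {decision}")
```

The point of the matrix is that not every inconsistency carries the same weight: a changed address and phone number together only push the applicant into review, where "contacting the customer" is the natural response, while an SSN mismatch or a fraud alert on the report fails the transaction outright. The returned findings list is what the written policy requires you to record, so the decision can be shown to follow the policy rather than an individual clerk's judgment.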
What Do You Do If You Get a "Hit"?
Perhaps the grayest red flag area is the whole question of what to do if your identity verification process turns up a "hit" that indicates identity theft may be taking place. Here, the FTC lists potentially appropriate responses, but doesn't go the extra step of specifying which actions apply to which red flags. The guidelines also say that "an appropriate response may be no response, especially, for example, when a financial institution or creditor has a reasonable basis for concluding that the red flags detected do not evidence a risk of identity theft."
* Monitoring an account for evidence of identity theft
* Contacting the customer
* Changing passwords and security codes
* Reopening an account with a new account number
* Not opening a new account
* Closing an existing account
* Notifying law enforcement
* And, if applicable, filing a suspicious activity report
Cutting Through the Red Tape: Where to Go for Help
The most useful sites and documents for quickly coming to terms with red flags are:
* FTC: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
* CDIA: http://cdiaonline.org/
* The Federal Reserve: http://www.federalreserve.gov
Small businesses that don't want to focus legal and financial resources on constructing red flag policies can also get help from credit and identity verification service providers. Still, it's a good idea to run your policies by legal counsel to make sure you haven't misinterpreted the steps your business is accountable for taking.
The good news, despite the fact there's a lot of work involved, is that these red flags mark an important trend in combating ID theft, a crime we all know can take years to rectify. By compelling businesses that handle consumers' most valuable personal data to be proactive and conscientious about its use, the government is driving a major shift from damage control and repair to actually preventing and catching perpetrators in the act.
In the end, the red flag regulations stand to save businesses and consumers tons of time, money and aggravation, not to mention how lethal bad press associated with letting customer information leak out can be.
There's not much time left, but charging through this issue is well worth the effort.
Brian Bradley is EVP, Strategy and Emerging Markets, for Microbilt. He may be reached at email@example.com or 609-580-0027. Microbilt is a resource for coming to terms with red flags. Please visit http://www.microbilt.com/see_resources.asp.