All posts by Keir Breitenfeld
At which stage of the application process does the Red Flags Rule apply? The Red Flag Rule would apply whenever you detect a Red Flag in connection with an application. This could occur as soon as you receive an application, for example: if the application appears to have been altered or forged; or the consumer’s identification appears to be forged or is inconsistent with the information on the application. Is the social security number (SSN) check a requirement? No, but an invalid SSN may be a Red Flag – i.e., an indicator of possible identity theft – and obtaining and verifying a SSN may be a reasonable means of application risk management to detect this Red Flag when opening accounts. You may be able to utilize your existing procedures under your Customer Identification Program under the USA PATRIOT Act.
After reviewing more details around the "The President\'s Identity Theft Task Force Report" (September 2008), and some of the activities surrounding it, I find myself again pondering how all of this may be impacting our clients. Does heightened consumer awareness around both identity theft Red Flags rules and government initiatives (like the task force report) put more pressure on various industries to have buttoned up identity theft prevention programs that are not only effective, but also "marketed" to consumers? Are consumers now expecting to see more blatant identity theft prevention measures in place each time they transact with a service provider…any service provider?Lots of questions here, so let me know if you are feeling residual pressures from your consumer base as a result of any of the latest initiatives or reports. I can say that we do have some clients that believe effective identity theft measures matter to their customers and use their protection measures as marketing messages. For example, the use of knowledge-based authentication questions during an application or transaction approval process is not only effective in preventing fraud, but also leaves customers with a sense of security and an understanding that their financial institutions are working to combat identify theft..
What to do when you see a Red Flag. Your Identity Theft Prevention Program should include appropriate responses when you detect a Red Flag. You must assess whether the Red Flag evidences a risk of identity theft. If so, your response must be commensurate with the degree of risk posed. Depending on the level of risk, an appropriate response may include contacting your applicant, not opening a new account or even determining that no response is necessary.
How do I know which Red Flags apply to me? The Red Flag guidelines that will apply to you depend on a number of factors including: The types of covered accounts you offer and how those accounts may be opened and accessed Your previous experiences with identity theft In order to determine the applicable Red Flags, you must consider these factors as well as various sources and categories of Red Flags identified in the Guidelines. There are many resources available to help you gain the upper hand on Identity Theft Red Flags. I encourage you to visit this site for more information including a white paper, webinar, data sheet and more.
There seems to be some ground-laying for follow-on Red Flag compliance guidelines to emerge either pre- or post- May 1, 2009. Whether they arrive in the form of clarifying statements by the Red Flags Rule drafting agencies, or separate guidelines beyond the current Rule, the ambiguity associated with the current set of parameters leads me to believe that:The door is open for many entities, not clearly called out in the Red Flags Rule as \'covered\' to be more formally placed under that umbrella, andA new series of mandates may be on the horizon as the focus on identity theft prevention and, of critical note, consumer protection continues to sharpen.I look at "The President\'s Identity Theft Task Force Report" (September 2008) as a potential catalyst for the publication of more formal directives around consumer identity theft prevention programs. While the report currently sits in the form of recommendations, it is likely that some of these recommendations may evolve into more definitive enactments. Additionally, it\'s clear that even commercial entities that are potentially not covered by the Red Flag Rule today are called out as still in need of stringent and diligent identity theft prevention measures. More to follow next time on this report.
It seems to me that there remains quite a bit of dispute and confusion around the inclusion of healthcare providers under the umbrella of "creditors." This would, in turn, imply that a physician's office would need to have a Red Flags Identity Theft Prevention Program in place. Yikes! My guess is that this will not be fully resolved by May 1, 2009. I see too many disparate opinions out there to think otherwise. I certainly see both sides. On the one hand, the definition of "creditor" to include "deferred payment of debts" does make the case for most physicians’ offices to be covered under the rule. On the other hand, to what extent will each and every physician's office be able to have a verification process in place by May 1, 2009? Certainly, those offices integrated with third party processing will have an easier go of it, but the stand-alone practices are facing a tough challenge. There is no doubt that the healthcare space is, and should be, covered under the Red Flags rule, I just have to wonder how comprehensive and enforceable compliance will be. Let me know your thoughts!
During a recent real-time survey of 850 representatives of the financial services industry: only 36 percent said that they completely understood the new Identity Theft Red Flags Rule guidelines and were prepared to meet the deadline. 60 percent said that they had just started to determine their approach to Red Flag compliance.
I’m speculating a bit here, but I have a feeling that as the first wave of Red Flag rule examinations occurs, one of the potential perceived weak points in your program(s) may be your vendor relationships. Of particular note are collections agencies. Per the guidelines, “Section 114 applies to financial institutions and creditors.” Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.15 ECOA defines “creditor” to include a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors. Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules and “a financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider.” A general rule of thumb in any examination process is to look closely at activities that are the most difficult for the examinee to control. Third-party relationship management certainly falls into this category. So, make sure your written and operational programs have procedures in place to ensure and regularly monitor appropriate Red Flag compliance -- even when customer (or potential customer) activities occur outside your walls. Good luck!
I have heard this question posed and you may be asking yourselves: Why are referral volumes (the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected) such a significant operations concern? These concerns are not without merit. Because of the new Red Flag Rules, financial institutions are likely to be more cautious. As a result, many transactions may be subject to greater customer identification scrutiny than is necessary. Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction. For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction. In fact, using such tools may allow organizations to quicken the origination process for customers. They can then identify and focus resources on transactions that pose the greatest potential for identity theft. A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact. Detection of Red Flag conditions is only half the battle. Responding to those conditions is a substantial problem to solve for most institutions. A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the majority of referrals to real-time approvals without staff intervention or customer hardship.
What is your greatest concern as the May 1, 2009 enforcement date approaches for all guidelines in the Identity Theft Red Flags Rule?
I’ve talked (sorry, blogged) previously about taking a risk-based approach to reconciling initial Red Flag Rule conditions in your applications, transactions, or accounts. In short, that risk-based approach incorporates a more holistic view of a consumer in determining overall risk associated with that identity. This risk can be assessed via an authentication score, alternate data sources and/or verification results. I also want to point out the potential value of knowledge-based authentication (a.k.a. out-of-wallet questions) in providing an extra level of confidence in progressing a consumer transaction or application in light of an initially detected Red Flag condition. In Experian’s Fraud and Identity Solutions business, we have some clients who are effectively embedding the use of knowledge-based authentication into their overall Red Flags Identity Theft Prevention Program. In doing so, they are able to identify the majority of higher risk conditions and transactions and positively authenticate those initiating consumers via a series of interactive questions designed to be more easily answered by a legitimate individual -- and more difficult for a fraudster. Using knowledge-based authentication can provide the following values to your overall process: 1. Consistency: Utilizing a hosted and standard process can reduce potential subjectivity in decisioning. Subjectivity is not a friend to examiners or to your bottom line. 2. Measurability: Question performance and reporting allows for ongoing monitoring and optimization of decisioning strategies. Plus, examiners will appreciate the metrics. 3. Customer Experience: This is a buzzword these days for sure. Better to place a customer through a handful of interactive questions, than to ask them to fax in documentation --or to take part in a face-to-face authentication. 4. Cost: See the three values above…Plus, a typical knowledge-based authentication session may well be more cost effective from an FTE/manual review perspective. Now, keep in mind that the use of knowledge-based authentication is certainly a process that should be approved by your internal compliance and legal teams for use in your Red Flags Identity Theft Prevention Program. That said, with sound decisioning strategies based on authentication question performance in combination with overall authentication results and scores, you can be well-positioned to positively progress the vast majority of consumers into profitable accounts and transactions without incurring undue costs.
Hello Red Flaggers! I’m still getting some questions from our clients these days around the FTC enforcement extension. My concern is that there seems to be a perception that May 1, 2009 is the enforcement date for all of the guidelines in the Red Flags Rule. In reading through the recently released FTC Enforcement Policy (Identity Theft Red Flags Rule, 16 CFR, 681.2), it clearly states the following: This delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3). So, while you may be breathing a sigh of relief as far as the implementation of your overall Identity Theft Prevention Program is concerned, be advised that the May 1, 2009 extension does not cover the need to detect and/or respond to address discrepancies on consumer reports or during address changes on card accounts. As previously mentioned in an earlier blog of mine (see Nov. 13 blog), responding to address discrepancies on consumer reports may be the biggest challenge for many of our clients, as (depending on market served) the percentage of consumer reports with an address discrepancy can number over 20 percent. This can create an operational burden from the perspective of cost, customer experience, and the ability to quickly book legitimate and profitable customers. Have a look at my previous blog on a risk based approach to address discrepancies for a refresher on this subject. Good luck!!
We continue to receive inquiries from our clients, and the market in general, around whether they are required to comply with the Red Flag Rule or not. That final decision can be found with the legal and compliance teams within your organization. I am finding, however, that there generally seems to be too literal and narrow an interpretation of the terms ‘creditor’ or ‘financial institution’ as described in the guidelines. I often hear an organization state that they don’t believe they’re covered because they are not one of those types of entities. Ultimately, as I said, that’s up to your internal team(s) to establish. I would recommend, however, that you ensure that opinion and ultimate determination is well researched. It may sound simple, but reach out to your examining agencies or the Federal Trade Commission (FTC) and discuss any ambiguities you feel exist related to covered accounts. There is some great clarifying language out there beyond the initial Red Flag Rule. For example, the FTC provided a very useful article (www.ftc.gov/bcp/edu/pubs/articles/art11.shtm) that described how even health care providers can be covered under the Red Flag Rule. At first glance, they may not seem to fall under the umbrella of a ‘creditor or financial institution.’ As stated in the article, the extension of credit “means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services.” Maybe it’s just me, but that description is arguably much broader-reaching than one might initially think. Long story short: do your research, and don’t assume you or your accounts are not covered under the guidelines. Better to find out now instead of after your first examination….for obvious reasons.
We get the following question quite a bit: Would the regulators expect to see a log of detected activity and resulting mitigation? Short answer: The Red Flags Rule does not specifically require you to maintain a log, nor do the guidelines suggest that a log should be maintained. However, covered institutions are required to prepare regular reports around the effectiveness of their program. Additionally, there exists the requirement to incorporate an institution’s own experiences with identity theft when reviewing and updating their program. Long answer: Think now about the value of incorporating robust (and, optimally, transaction level) reporting into your program for a few key reasons: 1. Reporting allows you to more easily and comprehensively create and disseminate board-level reports related to program effectiveness. These aren’t a bad thing to show a regulator either. 2. Detailed reporting provides you an opportunity to more accurately monitor your program’s performance with respect to decisioning strategies, false positives, false negatives, fraud detection and prevention rates, resultant losses and legitimate costs. 3. The more historic detail you have compiled, the easier it will be to make educated, analytically based, and quantifiable updates to your program over time. Without this, you may be living and dying with anecdotal decision making….never good. 4. Finally, maintaining program performance data will afford you the ability to work with other service providers in validating their capabilities against known transactional or account level outcomes. We, at Experian, certainly find this useful in working with our clients to deliver optimal strategies. Thanks as always.
The Federal Trade Commission (FTC) suspended enforcement of the new Red Flag Rule until May 1, 2009. According to the FTC’s Enforcement Policy, “…during the course of the Commission’s education and outreach efforts following publication of the rule, the Commission has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA Sections 114 and 315 definitions of ‘creditor’ or ’financial institution’.” So, depending upon which enforcement entity (or entities) will be knocking on your door in the coming months, you may (and I emphasize “may”) have some extra time to get your house in order. While many of you are likely confident that you have a compliant written and operational Identity Theft Prevention Program, this break in the action can be a great time to take care of setting up some ongoing procedures for keeping your program up to date. Here are some ideas to keep in mind along the way: 1. Make sure you have clear responsibilities and accountabilities identified and assigned to appropriate persons. Lack thereof may lead to everyone thinking someone else is keeping tabs. 2. Start setting the stage for a process to update your program based on: a. Your new experiences with identity theft; b. Changes in methods of identity theft; c. Changes in methods to detect, prevent, and mitigate identity theft; d. Changes in the types of accounts you offer or maintain; and e. Changes in your business arrangements, including mergers, acquisitions, alliances, joint ventures and service provider arrangements. 3. Set up a process for program review at the board level. Remember that your program does not have to be approved by your board of directors annually, but the board (or a committee of the board) or senior management must review reports regarding your program each year. They must approve any material changes to your program should they occur. 4. Prepare now for follow up actions associated with your first Red Flag Rule examination(s). There will surely be suggestions or mandates stemming from that exercise, and now is a good time to start securing appropriate resources and time. My key message here is that, while there may be lull in the world of Red Flags activity, this is a great time to keep momentum in your program development and upkeep by planning for the next wave of updates and your impending examinations. Best of luck.
Learn More Image
