Regardless of the specific checks and overall processes incorporated into your Red Flags Identity Theft Prevention Program, an automated decisioning strategy (or several) will allow you to:
Deliver consistent responses based on objective authentication results, eliminating the subjectivity often found in manual review processes.
Save the time and money associated with the manual review process currently attributed to Red Flag Rule referrals.
Provide examiners a detailed process flow, including decision elements.
Create champion/challenger flows to test, compare and alter new strategies over time.
Revise, over time, the specific elements used in your decisioning, weighting each appropriately from a fraud detection and/or compliance perspective.
Experian's consumer authentication products provide hosted decisioning strategies that relieve our clients of the maintenance and development burden of those processes. Whether you run your own strategies or use a service provider's hosted strategies, make sure you are maximizing their ability to balance pass rates, fraud detection and compliance requirements.
If the business is a creditor or a “financial institution” (defined as a depository institution) that offers covered accounts, you must develop a Program to detect possible identity theft in those accounts and respond appropriately. The federal banking agencies, the NCUA and the FTC have issued Guidelines to help covered entities identify, detect and respond to indicators of possible identity theft, and to administer the Program. A copy of the Red Flag Guidelines can be found at:
Federal Reserve Board – 12 C.F.R. pt 222, App. J
Federal Deposit Insurance Corporation – 12 C.F.R. pt 334, App. J
FTC – 16 C.F.R. pt 681, App. A
NCUA – 12 C.F.R. pt 717, App. J
Office of the Comptroller of the Currency – 12 C.F.R. pt 41, App. J
Office of Thrift Supervision – 12 C.F.R. pt 571, App. J
The credit reporting agencies will not identify Red Flags, as such, on a credit report. However, there may be certain information on a credit report that you have determined to be an indicator of possible identity theft and have incorporated into your Program, such as a consumer fraud alert or a notice of address discrepancy. In addition, the Red Flag Guidelines specify that a credit report indicating a pattern of inconsistent or unusual recent activity might be a Red Flag.
For all you folks who, like me, waited until the last minute to knock out a term paper or class project in school, here is a friendly reminder. Yes, the Federal Trade Commission (FTC) pushed the enforcement deadline of the Red Flags Rule out to May 1, 2009. Yes, a sigh of relief was heard from compliance officers and operations managers nationwide. However, you should still keep a few things in mind as we approach May 1. First, per the FTC, "many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008." Those of you who have not been subject to FTC enforcement in the past are quite possibly still subject to the Red Flags Rule if your institution maintains 'covered accounts' as defined in the Red Flags Rule itself. Double check if you think otherwise. Second, the FTC was clear in stating that "this delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3)." So, while May 1 is still a few weeks away, if you are accessing consumer credit reports, for example, you should already have a formal, written and operational process to detect and respond to address discrepancies on those credit reports.
I've heard more than one institution claim that they may limit, and even reduce, the identity elements (perhaps down to just name and address) captured during consumer applications or other transactions. Their rationale is that the fewer identity elements they request or require during these processes, the less information they will need to authenticate as part of their Red Flags Identity Theft Prevention Program. While this argument seems logical on the surface, I would suggest that, if securely gathered and stored and appropriate to the nature of your business, additional data elements such as Social Security Number (SSN), date of birth and phone number can actually accomplish a few things to your benefit.
1. Analysis of our consumer authentication products shows that contributing SSN, date of birth and phone (in addition to name and address) to an authentication process will actually improve your ability to positively authenticate a consumer via an overall risk-based strategy.
2. Additional data elements, such as the phone number, can unlock additional data sources for verifying not only that phone number, but the inquiry name and address as well.
3. Just because you don't capture certain identity elements doesn't mean the risk goes away. In providing additional identity elements for authentication, you gain a more holistic view of a consumer, be that good, bad or ugly. It’s better to figure this out up front than down the road, when bills go unpaid and the bad guys scatter.
Here are a few more frequently asked questions.
1. Am I a “creditor” under the rule?
The term “creditor” has the same meaning as under the Equal Credit Opportunity Act (ECOA) and is defined as a person who regularly participates in credit decisions, including, for example, a mortgage broker, a person who arranges credit, or a servicer of loans who participates in “workout” decisions. The term “credit” is defined, as in the ECOA, as the right granted by a creditor to defer payment for goods or services. It is important to note that commercial, as well as consumer, credit accounts may be covered by the Rule.
2. We are an insurance company that uses credit reports to underwrite insurance. Does the Red Flags Rule apply to us?
The Red Flag Rule applies to creditors and depository institutions and should not apply to an insurer when engaged in activities related to insurance underwriting. To the extent that you extend credit, however, you may be covered. For example, you may wish to examine whether you permit consumers to finance their premiums; whether you extend credit to vendors, independent agents or other business partners; or whether you extend credit in connection with your investment activities, including real-estate investments.
3. I am an auto dealer. Does the rule apply to me?
If the business extends auto credit to consumers or arranges auto credit for consumers, the Red Flag guidelines may apply.
Here we are in March 2009, four months after the Red Flags Rule deadline OR two months until the Red Flags deadline, depending on your glass-half-full / glass-half-empty view of the world. I can say with confidence that at this point the Identity Theft Red Flags 'discussion' with our clients and the market at large continues in earnest. That said, the nature of our discussions has changed substantially. A few months ago, the needs expressed by the market centered on education around the Red Flags Rule, Red Flag compliance and its applicability to various markets and account types. I find that the majority of my daily conversations on the subject now concern efficiencies in process and cost, combined with effectiveness and customer experience. Most of our clients 'get' what they need to be doing: identifying, detecting and responding to Red Flag conditions. Where we are still working closely with our clients is in how they can optimize their policies and procedures so that the majority of Red Flag conditions are detected and reconciled in single automated steps. As I've said in previous blogs, detecting these conditions is the easy part. It's how you reconcile (a.k.a. respond to) those conditions that makes the difference to your bottom line. As May 1 approaches, now is a great time to be monitoring each step in your process to identify the areas that may still have room for efficiency gains and improved customer experience.
Address discrepancies aren't the end of the road, but they sure can be a bump in it. One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315. Section 315 provides guidance regarding the reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. A couple of common questions and answers to get us started:
1. How do the credit reporting agencies display an address discrepancy?
Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied on the inquiry.
2. How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?
Following the procedures you have implemented as part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You may also compare the credit report with information in your own records or from a third-party source, or verify information in the credit report with the consumer directly.
In my last posting, I discussed the value of a risk-based approach to Red Flag compliance. Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions, including address discrepancies on a consumer credit report. Arguably, the biggest Red Flag problem we solve for our clients these days is responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program. There are many tools available that can detect Red Flag conditions.
The best-in-class solutions, however, are those that not only detect these conditions but also allow for cost-effective and accurate reconciliation of high-risk conditions. Remember, a Red Flag compliant program is one that identifies and detects high-risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change. A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority could be positively reconciled (a.k.a. authenticated) through alternate data sources and scores. Layer consumer-facing knowledge-based authentication questions on top of a solid decisioning strategy built on these elements, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center. Now that address discrepancies can no longer be ignored, this approach can save your operations team from adding headcount to respond to this initially detected condition.
At which stage of the application process does the Red Flags Rule apply?
The Red Flag Rule applies whenever you detect a Red Flag in connection with an application. This could occur as soon as you receive an application, for example: if the application appears to have been altered or forged, or the consumer’s identification appears to be forged or is inconsistent with the information on the application.
Is the Social Security number (SSN) check a requirement?
No, but an invalid SSN may be a Red Flag (an indicator of possible identity theft), and obtaining and verifying an SSN may be a reasonable means of application risk management to detect this Red Flag when opening accounts. You may be able to utilize your existing procedures under your Customer Identification Program under the USA PATRIOT Act.
What to do when you see a Red Flag. Your Identity Theft Prevention Program should include appropriate responses when you detect a Red Flag. You must assess whether the Red Flag evidences a risk of identity theft. If so, your response must be commensurate with the degree of risk posed. Depending on the level of risk, an appropriate response may include contacting your applicant, not opening a new account or even determining that no response is necessary.
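The tiered response described here, together with the automated reconciliation of address discrepancies discussed above (alternate data sources and scores first, consumer-facing knowledge-based authentication next, manual referral only as a last resort), can be written down as a small decision engine. The Python below is an added illustration and is not Experian's product logic or the text of any regulator's guidance; the field names, weights, thresholds and sample applicant records are assumptions constructed for the example. The SSN check is structural only (SSA issuance rules: area 000, 666 or 900-999, group 00 and serial 0000 are never issued) and says nothing about whether the number belongs to the applicant.

```python
"""Risk-based decisioning for Red Flag conditions (added illustration).

Field names, weights and thresholds are assumptions for the example, not
Experian logic or regulatory text. The sample applicants are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_structurally_valid(ssn: str) -> bool:
    """Structural check against SSA issuance rules only; it does not verify
    that the number belongs to the applicant. Area 000, 666 or 900-999,
    group 00 and serial 0000 are never issued."""
    m = _SSN_RE.match(ssn.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


@dataclass
class AuthResult:
    """Objective outputs of the automated checks (assumed field names)."""
    address_match: bool               # inquiry address matches a displayable address on the report
    ssn: str
    fraud_alert: bool                 # consumer fraud alert present on the report
    alt_source_address_match: bool    # alternate data source ties the address to the consumer
    phone_verified: bool              # phone number ties to the inquiry name and address
    kba_passed: Optional[bool] = None  # None: KBA questions not yet presented


@dataclass
class Decision:
    flags: List[str]
    reconciled: List[str] = field(default_factory=list)
    risk: int = 0
    action: str = "pass"  # pass | kba | contact_applicant | manual_review


# Assumed weights; revise over time as fraud and compliance experience dictates.
WEIGHTS = {"address_discrepancy": 30, "invalid_ssn": 60, "fraud_alert": 40}
MANUAL_REVIEW_THRESHOLD = 60


def detect_red_flags(r: AuthResult) -> List[str]:
    """Detection is the easy part: map raw check results to named Red Flags."""
    flags = []
    if not r.address_match:
        flags.append("address_discrepancy")
    if not ssn_structurally_valid(r.ssn):
        flags.append("invalid_ssn")
    if r.fraud_alert:
        flags.append("fraud_alert")
    return flags


def decide(r: AuthResult) -> Decision:
    """Respond commensurately with the residual risk left after reconciliation."""
    d = Decision(flags=detect_red_flags(r))
    d.risk = sum(WEIGHTS[f] for f in d.flags)
    # Step 1: reconcile an address discrepancy with alternate data sources
    # before a person or the consumer is involved at all.
    if "address_discrepancy" in d.flags and (r.alt_source_address_match or r.phone_verified):
        d.risk -= WEIGHTS["address_discrepancy"]
        d.reconciled.append("address_discrepancy")
    # Step 2: pick the response tier for the residual risk.
    if "fraud_alert" in d.flags:
        d.action = "contact_applicant"   # the alert calls for contacting the consumer
    elif d.risk >= MANUAL_REVIEW_THRESHOLD:
        d.action = "manual_review"       # too risky to clear automatically
    elif d.risk > 0:
        # Step 3: residual low risk goes to consumer-facing KBA, not to a queue.
        if r.kba_passed is None:
            d.action = "kba"
        else:
            d.action = "pass" if r.kba_passed else "manual_review"
    else:
        d.action = "pass"                # no flag, or flag reconciled: no response necessary
    return d


def manual_referral_rate(results: List[AuthResult]) -> float:
    """Share of applicants landing in the manual queue, the number operations cares about."""
    decisions = [decide(r) for r in results]
    return sum(d.action == "manual_review" for d in decisions) / len(decisions)


# Constructed sample applicants for a stand-alone run.
SAMPLE = [
    AuthResult(True, "123-45-6789", False, True, True),           # clean
    AuthResult(False, "123-45-6789", False, True, False),         # discrepancy, alt source confirms
    AuthResult(False, "123-45-6789", False, False, False),        # discrepancy, unconfirmed: KBA
    AuthResult(False, "123-45-6789", False, False, False, True),  # same, after KBA passed
    AuthResult(True, "666-12-3456", False, True, True),           # never-issued SSN
    AuthResult(True, "123-45-6789", True, True, True),            # fraud alert on file
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(decide(r))
    print(f"manual referral rate: {manual_referral_rate(SAMPLE):.0%}")
```

Only one of the six constructed applicants reaches the manual queue; the address discrepancies are cleared by alternate data or KBA without a referral, which is the point of the preceding paragraphs. The weights are deliberately data, not code, so they can be revised as the champion/challenger results come in.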
We have been hearing quite a bit about the Ponzi scheme that was created and managed by Bernie Madoff. Almost $50 billion was taken from people considered to be sophisticated and definitely not the typical type to be scammed. So, what created the environment that allowed such large sums of money to be lost in such a basic con game as a Ponzi scheme? I believe a few basic factors prompted these seemingly sophisticated people to invest in this ill-fated “investment”:
A strong desire to generate investment returns when the typical channels were not delivering.
The reputation(s) of the existing client list. If they invested, why shouldn’t I?
The thought that if it paid off with smaller dollar investments, just think what could be made with larger dollars!
Hmmm! Sounds like how we got ourselves into today’s credit situation. Basically, we were distracted by the items noted above and ignored the warning signs. Put into credit industry terms, it can be summed up as follows:
We have to continue to grow and we are pressured to find more opportunities.
If we go lower in the credit quality spectrum, it can generate immediate volume from the existing application volume.
Other financial institutions have gone into this type of lending and they aren’t showing any signs of significant distress in their portfolios. We need to do the same. (Everyone in the herd in favor of this action please respond by saying “Moo.”)
Our test portfolio has performed acceptably, so let’s increase the volume.
Let’s continue the correlation between these two “problems.” In the Madoff Ponzi scheme, there were warning signs that cropped up, some earlier than others. These included:
In 2000, the Securities and Exchange Commission received a letter from an outside money manager which warned of a possible scheme.
In 2005, the Bostonian submitted an 18-page document to the SEC citing 29 red flags and indicating some level of corruption within Madoff’s investment company.
The SEC’s own earlier investigation, conducted in 1999, included an acknowledgement that they had received “credible allegations,” but these allegations were ignored.
So, what were the signs that were in front of us but we simply chose to ignore? Were the portfolios turning over so fast that we could not actually gather statistically valid data to support performance? Since we were selling off the loans, either individually or in bulk, did we ignore the actual risk that was taken by the industry? Were we appropriately monitoring portfolio growth and performance, utilizing risk reduction and risk avoidance techniques, doing regular rescores and tracking potential behavioral issues? Whether the signs were visible to us or not, the fact remains that they existed in the past and they will likely exist in the future. As we continue to clean up the mess of our past, we need to consider a few items:
What we did in the past will no longer be acceptable going forward. We must change. We must improve.
Regulatory pressures will increase and changes will continue to be made. We will not have the luxury of time to respond to these pressures and/or changes. We must act now.
What is a financial institution to do? Well, the worst thing we can do is wait for the regulators to tell us what to do, because by then it is simply too late. We need to act, and act now:
Assess the risk management methods that were employed in the past and determine deficiencies.
Note the gaps between the historical tools and data sources and the updated credit decisioning tools and sources available in the industry.
Develop a plan for implementing the new risk reduction methods and tools.
Determine the estimated lift and manage/monitor your performance against your estimates.
Don’t forget about the new additions to the portfolio. Once you have identified the existing risk, make the appropriate adjustments to the product risk parameters and terms and conditions to improve the overall quality of the new portfolio.
Overall, the worst thing that we can do is nothing. Remember, “Those who do not remember the past are condemned to repeat it.” (George Santayana, philosopher, essayist, poet and novelist)
How do I know which Red Flags apply to me?
The Red Flag guidelines that apply to you depend on a number of factors, including:
The types of covered accounts you offer and how those accounts may be opened and accessed
Your previous experiences with identity theft
In order to determine the applicable Red Flags, you must consider these factors as well as the various sources and categories of Red Flags identified in the Guidelines. There are many resources available to help you gain the upper hand on Identity Theft Red Flags. I encourage you to visit this site for more information, including a white paper, webinar, data sheet and more.
It seems to me that there remains quite a bit of dispute and confusion around the inclusion of healthcare providers under the umbrella of "creditors." This would, in turn, imply that a physician's office would need to have a Red Flags Identity Theft Prevention Program in place. Yikes! My guess is that this will not be fully resolved by May 1, 2009. I see too many disparate opinions out there to think otherwise. I certainly see both sides. On the one hand, a definition of "creditor" that includes "deferred payment of debts" does make the case for most physicians’ offices to be covered under the rule. On the other hand, to what extent will each and every physician's office be able to have a verification process in place by May 1, 2009? Certainly, those offices integrated with third-party processing will have an easier go of it, but the stand-alone practices are facing a tough challenge. There is no doubt that the healthcare space is, and should be, covered under the Red Flags rule; I just have to wonder how comprehensive and enforceable compliance will be. Let me know your thoughts!
During a recent real-time survey of 850 representatives of the financial services industry:
Only 36 percent said that they completely understood the new Identity Theft Red Flags Rule guidelines and were prepared to meet the deadline.
60 percent said that they had just started to determine their approach to Red Flag compliance.
I’m speculating a bit here, but I have a feeling that as the first wave of Red Flag rule examinations occurs, one of the potential perceived weak points in your program(s) may be your vendor relationships. Of particular note are collections agencies. Per the guidelines, “Section 114 applies to financial institutions and creditors.” Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines “creditor” to include a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors. Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules, and “a financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider.” A general rule of thumb in any examination process is to look closely at the activities that are the most difficult for the examinee to control. Third-party relationship management certainly falls into this category. So, make sure your written and operational programs have procedures in place to ensure, and regularly monitor, appropriate Red Flag compliance, even when customer (or potential customer) activities occur outside your walls. Good luck!