What are your thoughts on the third extension to the Identity Theft Red Flags Rule deadline? Was your institution ready to meet Red Flag guidelines?
Does the rule list the Red Flags? The Identity Theft Red Flags Rule provides several examples of Red Flags in four separate categories: 1. alerts and notifications received from credit reporting agencies and third-party service providers; 2. the presentation of suspicious documents or suspicious identifying information; 3. unusual or suspicious account usage patterns; and 4. notices from a customer, identity theft victim or law enforcement.
Optimization is a very broad and commonly used term today and the exact interpretation is typically driven by one's industry experience and exposure to modern analytical tools. Webster defines optimize as: "to make as perfect, effective or functional as possible". In the risk/collections world, when we want to optimize our strategies as perfect as technology will allow us, we need to turn to advanced mathematical engineering. More than just scoring and behavioral trending, the most powerful optimization tools leverage all available data and consider business constraints in addition to behavioral propensities for collections efficiency and collections management. A good example of how this can be leveraged in collections is with letter strategies. The cost of mailing letters is often a significant portion of the collections operational budget. After the initial letter required by the Fair Debt Collection Practices Act (FDCPA) has been sent, the question immediately becomes: “What is the best use of lettering dollars to maximize return?” With optimization technology we can leverage historical response data while also considering factors such as the cost of each letter, performance of each letter variation and departmental budget constraints, while weighing the alternatives to determine the best possible action to take for each individual customer. In short, cutting-edge mathematical optimization technology answers the question: "Where is the point of diminishing return between collections treatment effectiveness and efficiency / cost?"
I was recently asked in a comment, "What do we have to do to become compliant?" Great question. There is not a single path to compliance when it comes to Red Flags compliance. Effectively, an institution that has covered accounts under the Rule must implement both a written and operational Identity Theft Prevention Program. The Red Flags Rule requires financial institutions and creditors to establish and maintain a written Program designed to detect, prevent and mitigate identity theft in connection with their covered accounts. The Program is a self-prescribed system of checks and balances that each financial institution and creditor implements to reach compliance with the Red Flags Rule. The goal of the provisions is to drive organizations to put into place a system that identifies patterns, practices and forms of activities that indicate the possible existence of identity theft. The provisions are not designed to steer the market to a “one size fits all” compliance platform. In essence, how businesses choose to meet the requirements will depend on the business size, operational complexity, customer transaction processes and risks associated with each of these characteristics. A compliant Program must contain reasonable policies and procedures to address four mandatory elements: 1. identifying Red Flags applicable to covered accounts and incorporating them into the Program; 2. detecting and evaluating the Red Flags included in the Program; 3. responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and 4. updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft. The Red Flags Rule includes 26 illustrative examples of possible Red Flags financial institutions and creditors should consider when implementing a written Program.
While implementation of any predetermined number of the 26 Red Flag examples is not mandatory, financial institutions and creditors should consider those that are applicable to their business processes, consumer relationships and levels of risk. The Red Flags Rule requires financial institutions and creditors to focus on identifying Red Flags applicable to their account opening activities, existing account maintenance, and new activity on an account that has been inactive for two years or more. Some mandatory requirements include: 1. keeping a current, written Identity Theft Prevention Program that contains reasonable policies and procedures to identify, detect and respond to Red Flags, and keeping the Program updated; 2. confirming that the consumer reports requested from consumer reporting agencies are related to the consumer with whom the financial institution or creditor is doing business; and 3. reviewing address discrepancies.
As we approach the FTC's May 1, 2009 Red Flags Rule enforcement deadline, we are still working with many of our existing and prospective clients to support their Red Flags Identity Theft Prevention Program. In my opinion, the May 1, 2009 extension did much good on two fronts: 1. It brought to light the need for all institutions, particularly in markets outside of traditional financial services arenas, to re-evaluate the expectation of their being 'covered' under the Red Flag guidelines. 2. It allowed 'covered' institutions the opportunity to take additional steps to not only create and operationalize their programs, but to spend time making those programs efficient and in line with business and regulatory objectives. In the spirit of information gathering and sharing, we at Experian are conducting a quick survey to gauge how 'helpful' the May 1, 2009 extension was to your organization. We're also trying to informally keep our finger on the pulse of market readiness, as the enforcement deadline is upon us. Via the link below, please take about 60 seconds to answer a few questions that will help us better understand the current state of the market's Red Flags Rule readiness. Experian Red Flags Survey. We certainly appreciate your time.
I encourage all of you to have a look at this newly launched Federal Trade Commission Web site dedicated to the Red Flags Rule guidelines. It is a good resource that organizes the requirements of the Rule in a user-friendly manner. It also looks to be an ongoing resource for the posting of updates and related commentary. I suggest you make this site one of your bookmarks today: The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.” Of particular interest is the "Read the Guide" tab, where you can view and download the new FTC guide to Red Flag Rules. For those in the telecommunications and utilities spaces, check out the "Publish the Articles" tab where you will find two bulletins on Red Flags in these arenas. Enjoy.
Regardless of the specific checks and overall processes incorporated into your Red Flags Identity Theft Prevention Program, the use of an automated decisioning strategy or strategies will allow you to: Deliver consistent responses based on objective authentication results, while eliminating subjectivity often found in more manual review processes. Save time and money associated with a manual review process currently attributed to Red Flag Rule referrals. Provide examiners a detailed process flow including decision elements. Create champion / challenger flows to test, compare and alter new strategies over time. Revise, over time, the specific elements used in your decisioning to appropriately weight each from a fraud detection and/or compliance perspective. Experian's consumer authentication products provide hosted decisioning strategies that alleviate the burden on our clients associated with maintenance and development of those processes. Whether you facilitate your own strategies or use a service provider's hosted strategies, it is important to ensure you are maximizing their ability to balance pass rates, fraud detection and compliance requirements.
If the business is a creditor or a “financial institution” (defined as a depository institution) that offers covered accounts, you must develop a Program to detect possible identity theft in the accounts and respond appropriately. The federal banking agencies, the NCUA and the FTC have issued Guidelines to help covered entities identify, detect and respond to indicators of possible identity theft, as well as to administer the Program. A copy of the Red Flag Guidelines can be found at: Federal Reserve Board – 12 C.F.R. pt 222, App. J; Federal Deposit Insurance Corporation – 12 C.F.R. pt 334, App. J; FTC – 16 C.F.R. pt 681, App. A; NCUA – 12 C.F.R. pt 717, App. J; Office of the Comptroller of the Currency – 12 C.F.R. pt 41, App. J; Office of Thrift Supervision – 12 C.F.R. pt 571, App. J.
The credit reporting agencies will not identify Red Flags, as such, on a credit report. However, there may be certain information on a credit report that you have determined to be an indicator of possible identity theft and have incorporated into your Program, such as a consumer fraud alert or a notice of address discrepancy. In addition, the Red Flag Guidelines specify that a credit report indicating a pattern of inconsistent or unusual recent activity might be a Red Flag.
For all you folks who, like me, waited until the last minute to knock out a term paper or class project in school, here is a friendly reminder… Yes, the Federal Trade Commission (FTC) pushed out the enforcement deadline of the Red Flags Rule to May 1, 2009. Yes, a sigh of relief was heard across compliance officers and operations managers nationwide. However, you should still keep a few things in mind as we approach May 1. First, per the FTC, "many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008." Those of you who have not been subject to FTC enforcement in the past are quite possibly still subject to the Red Flags Rule based on your institution maintaining 'covered accounts' per the definition in the Red Flags Rule itself. Double check if you think otherwise. Second, the FTC was clear in stating that "this delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3)." So, while May 1 is still a few weeks away, if you are accessing consumer credit reports, for example, you should already have a formal written and operational process to detect and respond to address discrepancies on those credit reports.
I've heard more than one institution claim that they may limit and even reduce the identity elements (perhaps down to just name and address) that are captured during consumer applications or other transactions. Their rationale is that the fewer identity elements they request or require during these processes, the less information they will need to authenticate as part of their Red Flags Identity Theft Prevention Program. While this argument seems logical on the surface, I would suggest that if securely gathered/stored and appropriate to the nature of your business, additional data elements such as Social Security Number (SSN), date of birth and phone number can actually allow you to accomplish a few things to your benefit. 1. Analysis of our consumer authentication products shows that contributing SSN, date of birth, and phone (in addition to name and address) to an authentication process will actually improve your ability to positively authenticate a consumer via an overall risk-based strategy. 2. The use of additional data elements, such as the phone number, can unlock additional data sources for use in verifying not only that phone number, but the inquiry name and address as well. 3. Just because you don't capture certain identity elements doesn't mean the risk goes away. In providing additional identity elements for authentication, you can gain a more holistic view of a consumer - be that good, bad or ugly. It’s better to figure this out up front versus down the road when bills go unpaid and the bad guys scatter.
Here are a few more frequently asked questions. 1. Am I a “creditor” under the rule? The term “creditor” has the same meaning as under the Equal Credit Opportunity Act (ECOA) and is defined as a person who regularly participates in credit decisions, including, for example, a mortgage broker, a person who arranges credit or a servicer of loans who participates in “workout” decisions. The term “credit” is defined, as in the ECOA, as the right granted by a creditor to defer payment for goods or services. It is important to note that commercial, as well as consumer, credit accounts may be covered by the Rule. 2. We are an insurance company that uses credit reports to underwrite insurance. Does the Red Flags Rule apply to us? The Red Flag Rule applies to creditors and depository institutions and should not apply to an insurer when engaged in activities related to insurance underwriting. To the extent that you extend credit, however, you may be covered. For example, you may wish to examine whether you permit consumers to finance their premiums; whether you extend credit to vendors, independent agents or other business partners; or whether you extend credit in connection with your investment activities, including real-estate investments. 3. I am an auto dealer. Does the rule apply to me? If the business extends auto credit to consumers or arranges auto credit for consumers, the Red Flag guidelines may apply.
Here we are in March, 2009, four months after the Red Flags Rules deadline OR two months until the Red Flags deadline…depending on your glass-half-full / glass-half-empty view of the world. I can say with confidence that at this point in time, the Identity Theft Red Flags 'discussion' with our clients and the market at large continues in full earnest. That said, however, the nature of our discussions has changed substantially. A few months ago, the needs expressed by the market centered on education around the Red Flags Rule, Red Flag compliance and its applicability to various markets and account types. I find that the majority of my daily conversations on the subject now regard efficiencies in process and cost combined with effectiveness and customer experience. Most of our clients 'get' what they need to be doing such as identifying, detecting and responding to Red Flag conditions. Where we are still working closely with our clients is in how they can optimize their policies and procedures to ensure that the majority of Red Flag conditions are detected and reconciled in singular automated steps. As I've said in previous blogs, detecting these conditions is the easy part. It's how you reconcile (a.k.a. respond to) those conditions that makes the difference in your bottom line. As May 1 approaches, now is a great time to be monitoring each step in your process in an effort to identify those areas that may still have room for efficiency gains and improved customer experience.
Address discrepancies aren't the end of the road, but they sure can be a bump in it. One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315. Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. A couple of common questions and answers to get us started: 1. How do the credit reporting agencies display an address discrepancy? Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry. 2. How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested? Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly. In my last posting, I discussed the value of a risk-based approach to Red Flag compliance. Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report. Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program. There are many tools available that can detect Red Flag conditions. 
The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions. Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change. A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores. Layer on top of a solid decisioning strategy using these elements, the use of consumer-facing knowledge-based authentication questions, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center. Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.
At which stage of the application process does the Red Flags Rule apply? The Red Flag Rule would apply whenever you detect a Red Flag in connection with an application. This could occur as soon as you receive an application, for example: if the application appears to have been altered or forged; or the consumer’s identification appears to be forged or is inconsistent with the information on the application. Is the social security number (SSN) check a requirement? No, but an invalid SSN may be a Red Flag – i.e., an indicator of possible identity theft – and obtaining and verifying a SSN may be a reasonable means of application risk management to detect this Red Flag when opening accounts. You may be able to utilize your existing procedures under your Customer Identification Program under the USA PATRIOT Act.