Red Flags Rule is Finally in Effect — What Telcos Need to Know

For companies that regularly extend credit, the need to establish an identity theft protection program is finally here. After almost two years of delay, the Red Flags Rule is now in force. For readers of the Experian Decision Analytics blog, the Rule has been a familiar topic since passage. If you want to skip ahead to find out what you need to know, we’ve made it easy by boiling it down to three main things. (You’ll find the “3 Things Telcos Should Know About the Rule” towards the end.)

However, some background might be helpful to better understand the issues behind the delay. Discussion about Red Flags requirements first began when Congress passed the Fair and Accurate Credit Transactions Act in 2003, requiring the Federal Trade Commission to write and enforce the Rule as the nation’s consumer protection agency. The Red Flags Rule was actually enacted on Jan 1, 2008, but enforcement was delayed until December 31, 2010 to better clarify the terms of compliance and who had to follow them.

Why the Red Flags Rule matters

A “red flag” is something that signals possible identity theft, including any suspicious activity suggesting crooks might be using stolen information to establish service. The regulation now requires companies to develop a written “red flags program” to detect, prevent and minimize damage that could result from a security breach.

Establishing a Red Flags program

Companies that regularly extend credit or use consumer reports in connection with a credit transaction need to have a risk-based security program in place. The program must detail the process for detecting red flags, describe how to respond to prevent and mitigate identity theft, and spell out how to keep the program current.

Decision to delay: the definition of “creditor”

At the center of the FTC’s decision to delay enforcement was the broad definition Congress gave to the term “creditor.” The Rule broadly captured a number of non-financial companies (many of them small businesses) that didn’t know whether it applied to them and, if it did, didn’t have the time or expertise to establish proper procedures to comply. And failure to comply could lead to costly fines or civil actions.

New Red Flags exemptions

To resolve the issue, Congress approved legislation providing exemptions for businesses that provide goods or services and then accept payment later. The bill redefines the term “creditor” to apply only to businesses that advance funds to, or on behalf of, a customer, based upon an obligation to repay.

3 things telcos should know about the Red Flags Rule:

1. Telcos are covered by the Rule

For companies, like telcos, that obtain consumer reports, directly or indirectly, in connection with a credit transaction, the requirement to comply hasn’t changed. In fact, under regulatory guidance, the FTC specifically lists telecommunications companies among those who need to comply.

2. Your company needs a written Red Flags program

The FTC Rule requires that organizations identify and address the “red flags” that could indicate identity theft and update the program periodically. The program must address certain “covered accounts,” which include consumer accounts with frequent transactions or those that have a risk of identity theft. An annual report must also be created for senior management or the board of directors.

3. How to comply is up to you

The good news is that the Rule doesn't require any specific practice or procedures. Companies have the flexibility to tailor compliance programs to the nature of their business and the risks they face. The FTC will assess compliance based upon whether a company has “reasonable policies and procedures” in place to prevent identity theft.

Published: Feb 07, 2011 by

KBA best practice: get your “good” consumers through quickly

Let’s face it – not all knowledge-based authentication (KBA) is created equal. I, too, have read horror stories of consumers forced to answer questions about a deceased relative or ex-spouse, or KBA sessions that went on far too long for anyone’s benefit. I have to attribute this to vendor inexperience and a lack of consulting with clients.

An experienced vendor will use a fraud best practice such as a fraud analytics model to determine that some consumers do not even need questions, and then a “Progressive Question” feature, which uses consumer performance on an initial question set to determine if it is necessary for the consumer to answer additional questions. This way, the true consumer completes the process quickly, improving the customer experience.

The product of choice should also use a question mix that balances three factors:

· how easily the true consumer can answer the question;
· the fraud separation of the question (effectively the measured delta over time between how well true consumers answer the question vs. how well fraudsters do);
· for how many consumers overall the question can be generated.

A list of hundreds of possible questions doesn’t mean much if the questions can only be generated for one quarter of one percent of the population, as is the case for something like airplane ownership or a pilot’s license. Ultimately, out-of-wallet questions should be generated for a large part of the population, easily answered by the true consumer but difficult for a fraudster, and not offensive or what a consumer would consider “creepy” (such as their child’s birthday or name). Well-designed questions will be personal but not intrusive, and mindful of personal relationships that may have changed.

The purpose of a knowledge-based authentication session is risk management and/or consumer authentication for fraud prevention and compliance purposes – not to cause the loss of business because the fraud tool crossed the line in the mind of your customer.

Published: Feb 07, 2011 by Guest Contributor

Turn No-Hit and Thin-File Prospects Into Loyal, Profitable Customers

Like all companies seeking to generate new revenue, wireless providers continually strive to expand their creditworthy universe of applicants and prospects, while shrinking or eliminating risk. Compared with other industries, however, telecom tends to have a disproportionate number of no-hit and unscorable thin files—primarily young adults and immigrants, emerging consumers, and alternative-finance transactors. The main reason is that these individuals typically acquire cell phones well before credit cards, mortgages or other loan products, and thus fly under the radar of traditional credit scoring.

Micro-segmentation—a paradox with a payoff

Experian has found that, despite the lack of documented credit history, these often-ignored segments contain many potentially profitable accounts. Narrowing your focus (through targeted attributes and micro-segmentation) can actually expand your universe of prospects, creating a whole new world of opportunity that enables you to:

· Grow your portfolio without increasing your risk
· Match new customers with the appropriate deposit and payment structure
· Build trust, loyalty and long-term value

Many companies also integrate market data, dealer data or other internal records to refine micro-segmentation efforts. Others enlist credit-reporting agencies to help combine traditional and alternative data sets to predict future performance. One or both methods can yield highly favorable results.

Using high-quality information from proven, reliable sources enables wireless companies to segment information in innovative and profitable ways. In fact, when providers successfully expand their creditworthy customer universe, high-quality data is usually the bright and shining star. To learn more, read a related post about the role of data quality in effective customer acquisitions.

Published: Feb 03, 2011 by
