I was recently asked in a comment, "What do we have to do to become compliant?"
Great question. There is no single path to Red Flags compliance. In effect, any financial institution or creditor that holds covered accounts under the Rule must implement an Identity Theft Prevention Program that is both written down and actually operating.
The Red Flags Rule requires financial institutions and creditors to establish and maintain a written Program designed to detect, prevent and mitigate identity theft in connection with their covered accounts. The Program is a self-prescribed system of checks and balances that each financial institution and creditor implements to reach compliance with the Red Flags Rule.

The goal of the provisions is to drive organizations to put in place a system that identifies patterns, practices and specific forms of activity that indicate the possible existence of identity theft. The provisions are not designed to steer the market toward a "one size fits all" compliance platform. In essence, how a business chooses to meet the requirements will depend on its size, operational complexity, customer transaction processes and the risks associated with each of these characteristics.
A compliant Program must contain reasonable policies and procedures to address four mandatory elements:
- Identifying Red Flags applicable to covered accounts and incorporating them into the Program
- Detecting and evaluating the Red Flags included in the Program
- Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose and
- Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft
The Red Flags Rule includes 26 illustrative examples of possible Red Flags that financial institutions and creditors should consider when implementing a written Program. Implementing any predetermined number of the 26 examples is not mandatory; financial institutions and creditors should instead consider those that are applicable to their business processes, consumer relationships and levels of risk.
The Red Flags Rule requires financial institutions and creditors to focus on identifying Red Flags applicable to their account opening activities, existing account maintenance, and new activity on an account that has been inactive for two years or more. Some mandatory requirements include:
- Keeping a current, written Identity Theft Prevention Program that contains reasonable policies and procedures to identify, detect and respond to Red Flags, and keeping the Program updated
- Confirming that consumer reports requested from consumer reporting agencies relate to the consumer with whom the financial institution or creditor is doing business
- Reviewing notices of address discrepancy received from consumer reporting agencies