Fair and Accurate Credit Transactions Act of 2003  Red Flag Provisions Brenda Terreault, Esq. NACM Oregon January 14, 2010
SO WHAT IS THE RED FLAGS RULE?
BACKGROUND Joint Rulemaking Final rules published Nov 9, 2007 Compliance required Nov 1, 2008, but enforcement forbearance for the Red Flag Rules until June 1, 2010, for entities under FTC jurisdiction.
Red Flag Provisions RULES: 72 Fed. Reg. 63718 (November 9, 2007) www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf (FTC Rules p. 63771-63773, Guidelines p. 63773-63774, Supplement p. 63774) FACT Act section 114 FCRA section 615(e) 16 CFR section 681.2 http://www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm
What is a Red Flag? A “Red Flag” is a pattern, practice, or specific activity that could indicate identity theft.
STRUCTURE OF THE RED FLAGS RULE Risk-based Rule Guidelines (Appendix A) Supplement A - 26 examples of red flags located within the link:  www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
PURPOSE OF THE RED FLAGS RULE To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products and services with no intention of paying. Not just another Data Security regulation
WHO’S COVERED BY  THE RED FLAGS RULE?
WHO’S COVERED? Financial Institutions Creditors
WHO’S COVERED? From the FCRA, a “financial institution” is: A state or national bank A state or federal savings and loan association A mutual savings bank A state or federal credit union, Or any other person that directly or indirectly holds a transaction account belonging to a consumer.
DEFINITION OF  “TRANSACTION ACCOUNT” From Federal Reserve Act, Section 19(b) – an Account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others.
FTC Definition of “Creditors” Having "the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies."
FTC Definition of “Creditors” 15 U.S.C. 1681a(r)(5)  Having "the same meaning as in Section 702 of  the Equal Credit Opportunity Act."
FTC Definition of “Creditors” Section 702(e) of the Equal Credit Opportunity Act – 15 U.S.C. 1691a(e) “The term "creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
FTC Definition of “Creditors” Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
RECAP - WHO’S COVERED? Any person who regularly extends, renews or continues credit Any person who regularly arranges for extension, renewal or continuation of credit Any assignee of an original creditor and who participates in the decision to extend, renew or continue credit.
WHO’S NOT COVERED? New stuff Businesses at low risk of ID theft Know all their customers personally Provide services at customers’ homes Previous experience with ID theft Industry where ID theft is common Attorney firms and Accountant firms  Court opinion  Amendment
IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
WHAT DO WE NEED TO DO? Conduct a periodic risk assessment to determine if “covered accounts” exist If covered accounts exist: develop, implement and administer a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft in connection with: The opening of a covered account or Transactions in any existing covered account
WHAT IS AN “ACCOUNT”? An “account” is: A continuing relationship  established by a person with a financial institution or creditor  to obtain a product or service for  personal,  household or  business  purpose.
WHAT IS A “COVERED ACCOUNT”? A “covered account” includes: A consumer account  Designed to permit multiple payments or transactions  Offered or maintained by creditor  Primarily for personal, household or family purposes.   (Regulation subsection 3i – consumer accounts)
WHAT IS A “COVERED ACCOUNT”? A “covered account” includes: Any other accounts that based on a reasonably foreseeable risk of ID theft  creditor has designated as a covered account (Regulation subsection 3ii – catch-all regulation)
Risk Assessment of Covered Accounts Creditor must conduct initial risk assessment and consider, among other things: Methods used to open accounts Methods to access accounts Previous experiences with ID theft All creditors must periodically reassess, even if no initial covered accounts, to consider changes in: Account offerings Regulatory changes and Changes in methods and patterns of ID theft
HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?
A Brief Outline of What’s Expected Incorporating existing policies and procedures Identify relevant red flags Set up procedures to detect red flags Respond appropriately to red flags Update your program periodically Administer your program Consider other legal requirements
DESIGNING AN IDENTITY THEFT PREVENTION PROGRAM  STEP BY STEP
DESIGNING YOUR PROGRAM The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of activities The rules require you to consider the guidelines and incorporate appropriate guidelines into your program.
Things to Remember Must be in writing No one-size-fits-all formula Tailored to creditor’s size and complexity Tailored to nature and scope of business activities Based on results of risk assessments
Things to Remember Minimally contain reasonable policies/procedures to: Identify what “Red Flags” might be for covered accounts Detect “Red Flags” when they occur Respond to mitigate and prevent ID theft Update program periodically.
DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #1 – Identify relevant red flags likely in your business that indicate a crook is using someone else’s information to get your products or services with no intention of paying
Incorporating existing policies and procedures Evaluate your existing anti-fraud programs Evaluate your information security programs Evaluate your credit policy
Identify relevant red flags Identify red flags according to risk posed to creditor’s business Types of covered accounts offered or maintained Methods provided to open those accounts Methods provided to access those accounts Previous experience with ID theft
Identify relevant red flags Five categories of red flags: Alerts, notifications or other warnings received from credit reporting agencies or service providers Suspicious documents Suspicious personal identifying information Unusual use of or other suspicious activity related to a covered account Notice from customers, victims of identity theft or law enforcement authorities
EXAMPLES OF RED FLAGS (SUPP. A) Warning from credit reporting agencies Inconsistent with external information sources Suspicious documents Documents provided for identification appear to be altered Suspicious personal information Fraud or active duty alert included in consumer report
EXAMPLES OF RED FLAGS (SUPP. A) Unusual use of account Account used in a way inconsistent with historical patterns of activity  Notice from customers Customer notifies you about identity theft
DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #2 – Detect red flags – Set up procedures to detect them in your day-to-day operations
Detecting relevant red flags Two specific times for  detecting red flags When Creditor obtains and verifies identifying information on customer who is opening the account, and  When Creditor authenticates and verifies customer identity when customer makes a change on the account and monitors account transactions afterwards. There may be other times when a red flag may be identified – every industry is different
Detecting relevant red flags Verify identity Authenticate customers Monitor transactions Verify validity of address changes
DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #3- Prevent and mitigate identity theft. When you spot a red flag that you’ve identified, respond appropriately to prevent and mitigate harm
Responding to relevant red flags Reasonable policies and procedures Appropriate response Responses must be commensurate with risk posed Aggravating factors, early warning signs Different account types may have different red flags associated with them.
Respond appropriately to red flags Monitor accounts Contact customers Change passwords Close and reopen account Refuse to open account Don’t sell the account or collect on it against the identity theft victim Notify law enforcement In some cases, no response may be warranted
DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #4 – Update your program. The risks of identity theft can change rapidly, so keep your plan current and educate your staff.
Updating for new red flags Sources of Red flags: Episodes of identity theft that have already happened Changes in how crooks are committing identity theft Applicable supervisory guidance
Updating for new red flags Periodically review and evaluate red flags previously incorporated to verify each remains relevant to operation NOTE: Neither regulations, nor guidelines, define the term “periodically” or provide timeframes for conducting  updates. Objective: to be responsive to changing risks
Updating for new red flags Periodic updating required, should consider: Experiences with ID theft Changes in ID theft methods Changes in ID theft detection, prevention and mitigation methods Changes in creditor’s business – growth, mergers, and other business arrangements Changes in types of account creditor offers or maintains
WHAT ABOUT  THE ADDRESS DISCREPANCY RULE?
ADDRESS DISCREPANCY RULE FACT Act Section 315 FCRA Section 605(h) 16 CFR section 681.1
WHO’S COVERED? Users of credit reports  Term to know - “Nationwide Credit Reporting Agency” (NCRA) as defined in FCRA
CONFIRMING ADDRESS Regulatory requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user: Can form a reasonable belief that the report relates to the consumer Establishes a continuing relationship with the consumer Regularly furnishes information to the NCRA
NOTICE OF ADDRESS DISCREPANCY Notice of address discrepancy comes from a nationwide credit reporting agency and notifies the user of a substantial difference between: Address the user provided and Address in the credit reporting company’s files
ENSURING ACCURACY Regulatory requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the credit report relates to the consumer about whom the report was requested
REASONABLE BELIEF Establishing a “reasonable belief” Examples: Compare information in the credit report to information that user: Maintains in its records Gets from third party sources Gets to comply with CIP rules Verify information in the credit report with the consumer
PROGRAM ADMINISTRATION OVERVIEW Red flag rule’s requirements for program administration consist of five elements: Board approval High-level oversight Reporting Staff training Service Provider oversight, if any service provider is hired
PROGRAM ADMINISTRATION ELEMENTS BOARD APPROVAL Initial written program must be approved by Board of Directors or a committee of the Board Once program is established, the Board may designate a senior management employee to oversee: Development, implementation and administration of the program Training of appropriate staff Arrangements with Service Providers
PROGRAM ADMINISTRATION ELEMENTS REPORTING At least once a year, creditor staff must report on effectiveness of program to the Board, Committee or senior management employee. Report should cover material aspects of Program, or at minimum Effectiveness of the program policies and procedures Service Provider arrangements if any Identity theft incidents and responses Recommendations for changes in program
PROGRAM ADMINISTRATION ELEMENTS TRAINING Train  relevant  staff as necessary to  Implement program effectively Identify and respond appropriately NOTE: There is no prescription that ALL staff be trained.  Deciding which staff members need training is up to creditor. Consider whether job duties may allow employee to identify, detect, prevent and mitigate ID theft risk
PROGRAM ADMINISTRATION ELEMENTS SERVICE PROVIDER OVERSIGHT Who is a Service Provider?  Ensuring their activities are conducted in accordance with  Reasonable policies and procedures designed  To detect, prevent and mitigate the risk of ID theft.
PROGRAM ADMINISTRATION ELEMENTS SERVICE PROVIDER OVERSIGHT One method - Require written agreement from service provider that provider will detect and respond to ID theft red flags appropriately Service providers are not required to apply each client’s particular program Creditor retains accountability and cannot reduce or eliminate responsibility by outsourcing tasks
CONSEQUENCES OF NON-COMPLIANCE Customer loses confidence Take business elsewhere No private right of action for 16 CFR 681.2 State Attorneys General Can sue - Usually highly publicized and damaging to business even if creditor wins Federal and state regulators can Assess money damages-$2,500 per violation  Issue cease and desist orders Take other legal actions
ENFORCEMENT OF RULES Administrative enforcement under 15 USC 1681s (Section 621 of the FCRA) State Attorneys General No criminal penalties
Advice Don’t Panic! Start with what policies you already have  Ask yourself “what if” It’s meant to be a risk-based, flexible rule Think in terms of what is reasonable, practical and works for you in your business.
Where to go for templates Remember that templates are just starting points-no one-size-fits-all! http://www.ftc.gov/bcp/edu/microsites/redflagsrule/diy-template.shtm Click on the “get started” at the bottom middle of the page FTC anticipates that every business will have at least one red flag because they wrote it in for us. “Notice from customer, a victim of ID theft, law enforcement agency or someone else that an account has been opened or used fraudulently”
Where to go for templates Remember that templates are just starting points-no one-size-fits-all! Business Credit Magazine, March 2009 Article on page 62 Model plan on page 65 to 68
Questions? [email_address] www.ftc.gov Thank you!

FACTA Red Flags 2010

  • 1. Fair and Accurate Credit Transactions Act of 2003 Red Flag Provisions Brenda Terreault, Esq. NACM Oregon January 14, 2010
  • 2. SO WHAT IS THE RED FLAGS RULE?
  • 3. BACKGROUND Joint Rulemaking Final rules published Nov 9, 2007 Compliance required Nov 1, 2008, but enforcement forbearance for the Red Flag Rules until June 1, 2010, for entities under FTC jurisdiction.
  • 4. Red Flag Provisions RULES: 72 Fed. Reg. 63718 (November 9, 2007) www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf (FTC Rules p.63771-63773, Guidelines p. 63773-63774, Supplement p. 63774) FACT Act section 114 FCRA section 615 (e) 16 CFR section 681.2 http://www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm
  • 5. What is a Red Flag? A “Red Flag” is a pattern, practice, or specific activity that could indicate identity theft.
  • 6. STRUCTURE OF THE RED FLAGS RULE Risk-based Rule Guidelines (Appendix A) Supplement A - 26 examples of red flags located within the link: www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
  • 7. PURPOSE OF THE RED FLAGS RULE To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products and services with no intention of paying. Not just another Data Security regulation
  • 8. WHO’S COVERED BY THE RED FLAGS RULE?
  • 9. WHO’S COVERED? Financial Institutions Creditors
  • 10. WHO’S COVERED? From the FCRA, a “financial institution” is: A state or national bank A state or federal savings and loan association A mutual savings bank A state or federal credit union, Or any other person that directly or indirectly holds a transaction account belonging to a consumer.
  • 11. DEFINITION OF “TRANSACTION ACCOUNT” From Federal Reserve Act, Section 19(b) – an Account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others.
  • 12. FTC Definition of “Creditors” H aving "the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies."  
  • 13. FTC Definition of “Creditors” 15 U.S.C. 1681a(r)(5) Having "the same meaning as in Section 702 of  the Equal Credit Opportunity Act."
  • 14. FTC Definition of “Creditors” Section 702(e) of  the Equal Credit Opportunity Act – 15 U.S.C. 1691a(e) “ The term "creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
  • 15. FTC Definition of “Creditors” Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
  • 16. RECAP - WHO’S COVERED? Any person who regularly extends, renews or continues credit Any person who regularly arranges for extension, renewal or continuation of credit Any assignee of an original creditor and who participates in the decision to extend, renew or continue credit.
  • 17. WHO’S NOT COVERED? New stuff Businesses at low risk of ID theft Know all their customers personally Provide services at customers’ homes Previous experience with ID theft Industry where ID theft is common Attorney firms and Accountant firms Court opinion Amendment
  • 18. IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
  • 19. WHAT DO WE NEED TO DO? Conduct a periodic risk assessment to determine if “covered accounts” exist If covered accounts exist: develop, implement and administer a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft in connections with: The opening of a covered account or Transactions in any existing covered account
  • 20. WHAT IS AN “ACCOUNT”? An “account” is: A continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, household or business purpose.
  • 21. WHAT IS A “COVERED ACCOUNT”? A “covered account” includes: A consumer account Designed to permit multiple payments or transactions Offered or maintained by creditor Primarily for personal, household or family purposes. (Regulation subsection 3i – consumer accounts)
  • 22. WHAT IS A “COVERED ACCOUNT”? A “covered account” includes: Any other accounts that based on a reasonably foreseeable risk of ID theft creditor has designated as a covered account (Regulation subsection 3ii – catch-all regulation)
  • 23. Risk Assessment of Covered Accounts Creditor must conduct initial risk assessment and consider, among other things : Methods used to open accounts Methods to access accounts Previous experiences with ID theft All creditors must periodically reassess, even if no initial covered accounts, to consider changes in: Account offerings Regulatory changes and Changes in methods and patterns of ID theft
  • 24. HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?
  • 25. A Brief Outline of What’s Expected Incorporating existing policies and procedures Identify relevant red flags Set up procedures to detect red flags Respond appropriately to red flags Update your program periodically Administer your program Consider other legal requirements
  • 26. DESIGNING AN IDENTITY THEFT PREVENTION PROGRAM STEP BY STEP
  • 27. DESIGNING YOUR PROGRAM The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of activities The rules require you to consider the guidelines and incorporate appropriate guidelines into your program.
  • 28. Things to Remember Must be in writing No one-size-fits-all formula Tailored to creditor’s size and complexity Tailored to nature and scope of business activities Based on results of risk assessments
  • 29. Things to Remember Minimally contain reasonable policies/procedures to: Identify what “Red Flags” might be for covered accounts Detect “Red Flags” when they occur Respond to mitigate and prevent ID theft Update program periodically .
  • 30. DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #1 – Identify relevant red flags likely in your business that indicates a crook is using someone else’s information to get your products or services with no intention of paying
  • 31. Incorporating existing policies and procedures Evaluate your existing anti-fraud programs Evaluate your information security programs Evaluate your credit policy
  • 32. Identify relevant red flags Identify red flags according to risk posed to creditor’s business Types of covered accounts offered or maintained Methods provided to open those accounts Methods provided to access those accounts Previous experience with ID theft
  • 33. Identify relevant red flags Five categories of red flags: Alerts, notifications or other warnings received from credit reporting agencies or service providers Suspicious documents Suspicious personal identifying information Unusual use of or other suspicious activity related to a covered account Notice from customers, victims of identity theft or law enforcement authorities
  • 34. EXAMPLES OF RED FLAGS (SUPP. A) Warning from credit reporting agencies Inconsistent with external information sources Suspicious documents Documents provided for identification appear to be altered Suspicious personal information Fraud or active duty alert included in consumer report
  • 35. EXAMPLES OF RED FLAGS (SUPP. A) Unusual use of account Account used in a way inconsistent with historical patterns of activity Notice from customers Customer notifies you about identity theft
  • 36. DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #2 – Detect red flags – Set up procedures to detect them in your day-to-day operations
  • 37. Detecting relevant red flags Two specific times for detecting red flags When Creditor obtains and verifies identifying information on customer who is opening the account, and When Creditor authenticates and verifies customer identity when customer makes a change on the account and monitors account transactions afterwards. There may be other times when a red flag may be identified – every industry is different
  • 38. Detecting relevant red flags Verify identity Authenticate customers Monitor transactions Verify validity of address changes
  • 39. DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #3 – Prevent and mitigate identity theft. When you spot a red flag that you’ve identified, respond appropriately to prevent and mitigate harm
  • 40. Responding to relevant red flags Reasonable policies and procedures Appropriate response Responses must be commensurate with risk posed Aggravating factors, early warning signs Different account types may have different red flags associated with them.
  • 41. Respond appropriately to red flags Monitor accounts Contact customers Change passwords Close and reopen account Refuse to open account Don’t sell the account or collect on it against the identity theft victim Notify law enforcement In some cases, no response may be warranted
  • 42. DESIGNING YOUR PROGRAM Develop reasonable processes and procedures: Step #4 – Update your program. The risks of identity theft can change rapidly, so keep your plan current and educate your staff.
  • 43. Updating for new red flags Sources of Red flags: Episodes of identity theft that have already happened Changes in how crooks are committing identity theft Applicable supervisory guidance
  • 44. Updating for new red flags Periodically review and evaluate red flags previously incorporated to verify each remains relevant to operation NOTE: Neither regulations, nor guidelines, define the term “periodically” or provide timeframes for conducting updates. Objective: to be responsive to changing risks
  • 45. Updating for new red flags Periodic updating required, should consider: Experiences with ID theft Changes in ID theft methods Changes in ID theft detection, prevention and mitigation methods Changes in creditor’s business – growth, mergers, and other business arrangements Changes in types of account creditor offers or maintains
  • 46. WHAT ABOUT THE ADDRESS DISCREPANCY RULE?
  • 47. ADDRESS DISCREPANCY RULE FACT Act Section 315 FCRA Section 605(h) 16 CFR section 681.1
  • 48. WHO’S COVERED? Users of credit reports Term to know - “Nationwide Credit Reporting Agency” (NCRA) as defined in FCRA
  • 49. CONFIRMING ADDRESS Regulatory requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user: Can form a reasonable belief that the report relates to the consumer Establishes a continuing relationship with the consumer Regularly furnishes information to the NCRA
  • 50. NOTICE OF ADDRESS DISCREPANCY Notice of address discrepancy comes from a nationwide credit reporting agency and notifies the user of a substantial difference between: Address the user provided and Address in the credit reporting company’s files
  • 51. ENSURING ACCURACY Regulatory requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the credit report relates to the consumer about whom the report was requested
  • 52. REASONABLE BELIEF Establishing a “reasonable belief” Examples: Compare information in the credit report to information that user: Maintains in its records Gets from third party sources Gets to comply with CIP rules Verify information in the credit report with the consumer
  • 53. PROGRAM ADMINISTRATION OVERVIEW Red flag rule’s requirements for program administration consist of five elements: Board approval High-level oversight Reporting Staff training Service Provider oversight, if any service provider is hired
  • 54. PROGRAM ADMINISTRATION ELEMENTS BOARD APPROVAL Initial written program must be approved by Board of Directors or a committee of the Board Once program is established, the Board may designate a senior management employee to oversee: Development, implementation and administration of the program Training of appropriate staff Arrangements with Service Providers
  • 55. PROGRAM ADMINISTRATION ELEMENTS REPORTING At least once a year, creditor staff must report on effectiveness of program to the Board, Committee or senior management employee. Report should cover material aspects of Program, or at minimum Effectiveness of the program policies and procedures Service Provider arrangements if any Identity theft incidents and responses Recommendations for changes in program
  • 56. PROGRAM ADMINISTRATION ELEMENTS TRAINING Train relevant staff as necessary to Implement program effectively Identify and respond appropriately NOTE: There is no prescription that ALL staff be trained. Deciding which staff members need training is up to creditor. Consider whether job duties may allow employee to identify, detect, prevent and mitigate ID theft risk
  • 57. PROGRAM ADMINISTRATION ELEMENTS SERVICE PROVIDER OVERSIGHT Who is a Service Provider? Ensuring their activities are conducted in accordance with Reasonable policies and procedures designed To detect, prevent and mitigate the risk of ID theft.
  • 58. PROGRAM ADMINISTRATION ELEMENTS SERVICE PROVIDER OVERSIGHT One method - Require written agreement from service provider that provider will detect and respond to ID theft red flags appropriately Service providers are not required to apply each client’s particular program Creditor retains accountability and cannot reduce or eliminate responsibility by outsourcing tasks
  • 59. CONSEQUENCES OF NON-COMPLIANCE Customer loses confidence Take business elsewhere No private right of action for 16 CFR 681.2 State Attorneys General Can sue - Usually highly publicized and damaging to business even if creditor wins Federal and state regulators can Assess money damages-$2,500 per violation Issue cease and desist orders Take other legal actions
  • 60. ENFORCEMENT OF RULES Administrative enforcement under 15 USC 1681s (Section 621 of the FCRA) State Attorneys General No criminal penalties
  • 61. Advice Don’t Panic! Start with what policies you already have Ask yourself “what if” It’s meant to be a risk-based, flexible rule Think in terms of what is reasonable, practical and works for you in your business.
  • 62. Where to go for templates Remember that templates are just starting points-no one-size-fits-all! http://www.ftc.gov/bcp/edu/microsites/redflagsrule/diy-template.shtm Click on the “get started” at the bottom middle of the page FTC anticipates that every business will have at least one red flag because they wrote it in for us. “Notice from customer, a victim of ID theft, law enforcement agency or someone else that an account has been opened or used fraudulently”
  • 63. Where to go for templates Remember that templates are just starting points-no one-size-fits-all! Business Credit Magazine, March 2009 Article on page 62 Model plan on page 65 to 68