In response to the nationwide increase in identity theft – defined by the Federal Trade Commission (FTC) as a “fraud committed or attempted using the identifying information of another person without authority” – Congress passed the Fair and Accurate Credit Transactions Act in December 2003. Nearly six years later, federal banking regulators and the FTC have issued and are enforcing (or preparing to enforce) regulations to implement Sections 114 and 315 of the act.
These new requirements, referred to as the Red Flags Rules, apply to financial institutions as well as creditors. While the term “financial institution” is relatively straightforward, the definition of a creditor is very broad.
It includes, but is not limited to, finance companies, automobile dealers, utility companies, educational facilities and healthcare providers. Financial institutions that are supervised by federal banking agencies were required to comply with the red flags requirements as of November 1, 2008. For all other financial institutions and creditors subject to the Red Flags Rules, the FTC has extended its compliance deadline to June 1, 2010.
Challenges and Opportunities
The Red Flags Rules impose several new compliance requirements, including:
- A written identity theft program must be developed that is appropriate to the size and complexity of each institution.
- Relevant, customized red flags – defined as a pattern, practice or specific activity that indicates the possible existence of identity theft – must be identified.
- Processes to detect red flags need to be developed.
- Appropriate responses to red flags must be devised.
- Periodic updates need to be made to reflect evolving identity theft risks applicable to the organization.
- Card issuers must assess the validity of address changes before issuing new or replacement debit and credit cards.
In light of the strict requirements established under the Red Flags Rules, as well as the continued media focus on identity theft incidents and the harm that can result to the reputations of firms affected by these incidents, an effective identity theft prevention program is a top priority for most financial institutions and creditors. However, many are struggling to develop one due to a variety of factors, including:
- Confusion over the definition of “creditor,” including pending discussions that may provide exemptions, leading to many firms waiting too long to begin the process of complying with the requirements
- Lack of effective processes to conduct and document the required enterprisewide risk assessment
- Challenges in designing and implementing IT controls to identify and investigate potential red flags automatically
- Difficulty in integrating new red flags processes and controls with existing fraud detection, anti-money laundering (AML) and related processes
A firm that addresses these challenges effectively will achieve numerous strategic advantages, including:
- Striking an effective balance between detecting actual red flags and preventing identity theft, while not preventing or delaying legitimate transactions
- Minimizing the time and cost required to investigate and resolve red flags alerts
- Developing or preserving its reputation for taking the privacy and security of customers seriously
Our Point of View
We believe the keys to an effective and efficient red flags program are:
- Developing a robust and well-documented risk assessment process that results in the identification of identity theft risks applicable to each institution’s unique products and services
- Establishing risk-based red flags monitoring that balances the efforts of and reduces duplication among business units, compliance, fraud and internal audit
- Automating the detection and investigation of red flags, where appropriate
- Continually validating the effectiveness of technologies used to support the program
- Regularly monitoring and evaluating red flags investigation results to identify opportunities to minimize false positives while maintaining the effectiveness of the program
- Establishing a comprehensive training program to ensure that affected personnel are aware of identity theft prevention procedures
How We Help Companies Succeed
Our professionals can assist your institution in complying with the Red Flags Rules through a variety of services.
Compliance Readiness Assessment – We can review your program prior to or shortly following mandatory compliance deadlines to evaluate criteria such as:
- The quality and comprehensiveness of the risk assessment process and documentation
- Whether an effective written program has been established
- The design and effectiveness of automated controls (including documentation supporting user acceptance testing)
- The process for managing alerts, including whether appropriate levels of staffing are in place to handle expected volumes in a timely manner
Identity Theft Prevention Program Development – Our experience in helping our clients design a compliance program includes work in the following areas:
- Risk assessment, including identifying covered accounts, affected business units, applicable red flags and current red flags processes
- Development of a red flags compliance program while leveraging existing fraud, AML and other control processes
- Development and delivery of training materials
Internal Audit Services – We can provide your institution outsourced or co-sourced internal audit support with experienced professionals to perform red flags compliance audits. These typically include elements of a compliance readiness assessment, with a focus on providing recommendations to enhance your program. We can also perform detailed tests of design and operating effectiveness of red flags control activities to assess the maturity of your program.
A telecommunications company faced challenges in developing an identity theft red flags program because of staffing limitations and differing views regarding ownership of the new program. We were engaged to assist the company in designing its red flags program.
We began by documenting existing policies and procedures. We then conducted a risk assessment to serve as a baseline for the design of the program. We also worked with the company to identify the appropriate owner of the program and to delineate the roles and responsibilities of other key stakeholders. Next, we worked with our client to create a well-defined red flags program to address the unique risks applicable to the company. Lastly, we tailored and delivered materials to meet the training requirements of our client’s personnel. Through our efforts, the company was able to demonstrate that it had met the initial compliance requirements of the Red Flags Rules.