The information provided about FACTA and Red Flag rules is not legal advice. If legal advice is required, the services of a legal professional should be sought.
November 1 is the deadline for complying with Section 114 of FACTA (Fair and Accurate Credit Transactions Act of 2003), also known as the “Red Flag” rules. If that fact has you ready to wave the white flag, Harland Clarke can help. Delivering Value recently asked Buddy Allen, senior product specialist in marketing with Harland Clarke, some questions about the Red Flag rules. (Buddy is not a lawyer and his comments below are not legal advice.)
In early May, Harland Clarke conducted an online survey of compliance officers regarding their preparation process for the November 1, 2008 FACTA Red Flag compliance deadline. The results may surprise you.
DV: What are the Red Flag rules? What are the requirements?
BA: In October 2007, federal financial institution regulatory agencies and the Federal Trade Commission issued rules that require financial institutions and creditors to develop and implement an identity theft prevention program. According to regulators, “the program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft and enable a financial institution or creditor to: identify relevant patterns, practices and specific forms of activity that are ‘red flags’ signaling possible identity theft and incorporate those red flags into the program; detect red flags that have been incorporated into the program; respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and, ensure the program is updated periodically to reflect changes in risks from identity theft.”1
DV: Who must comply?
BA: The rules state that “financial institutions and creditors that offer or maintain ‘covered accounts’ must develop and implement a written program. A covered account is (1) an account primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonable foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.”2
DV: What are some of the red flags that need to be monitored?
BA: The guidelines provide 26 examples of red flags. Some of them include: “alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; the presentation of suspicious documents; the presentation of suspicious personal identifying information, such as a suspicious address change; the unusual use of, or other suspicious activity related to, a covered account; and notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.”2
DV: What should financial institutions do to prepare for the November 1 deadline?
BA: Financial institutions should have a cohesive written policy, approved by its board or senior management, that describes the various red flags they will detect as well as the resulting processes that must be followed once one of those red flags has been detected.
DV: What are some of the compliance challenges facing financial institutions?
BA: Financial institutions must educate all their employees to look for red flags across consumer and small business accounts including IRAs, investments, mortgages, loans, etc. A second challenge is updating the plan periodically in order to keep up with the changing risks to consumers. One way to do this is by monitoring trends, such as collecting and analyzing red flag data. Financial institutions may not currently have a tool in place that allows them to easily collect and analyze this data.
DV: What is the first step for financial institutions in developing an identity theft prevention program?
BA: The first step is to form a Red Flag compliance team made up of executive and senior-level management. The rules specifically call for “oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management.”2
DV: How time-consuming will it be for most financial institutions to comply with the new regulations?
BA: It will depend upon the size of the institution, the documentation already in place for identity validation processes, and the knowledge level of the current staff. The creation of the written plan will require input from all departments that service ‘covered accounts.’
DV: What is the biggest mistake a financial institution can make in the compliance process?
BA: Not working as one cohesive group to come up with a plan. It’s important to take an overall organizational perspective on this. That is why it must be approached from a corporate view, allowing for everyone’s input, building a plan and a process that is efficient and effective across the entire organization.
1 FDIC joint press release: “Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy” 31 Oct. 2007
2 http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. The Guidelines provide 26 examples of red flags.