What's New
Federal Trade Commission (FTC) – Red Flag Rules
Identity thieves use people’s personally identifying information to open new accounts and misuse existing accounts, creating havoc for consumers and businesses. The FTC, the federal bank regulatory agencies and the National Credit Union Administration (NCUA) have issued regulations, known as the Red Flag Rules, requiring financial institutions and creditors to develop and implement written identity theft prevention programs as part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. The programs must be in place by May 1, 2009 and must provide for the identification, detection and response to patterns, practices or specific activities (“red flags”) that could indicate identity theft.
FACTA Section 114 – The provision recommends that both financial institutions and creditors in the United States assess the likelihood that their customers and their customers’ accounts are prone to identity theft.
- “Red Flags” are relevant indicators of a possible risk of identity theft.
- Identity theft is the fraudulent use of genuine or slightly altered personal information that has been stolen, compromised or borrowed from another individual or business.
- Creditors include utility or telecommunication companies, automobile dealers, non-bank lenders, mortgage brokers and medical providers.
- All existing or new accounts are included.
Specific relevant area of risks:
- Types of accounts a financial institution or creditor offers or maintains
- Methods a financial institution or creditor provides to open the account
- Methods a financial institution or creditor offers to access the account
Indicators of possible fraudulent use of personal information:
- Alerts or notification from consumer reporting agency – A consumer report indicates a pattern of activity that is inconsistent with the history of activity of an applicant.
- Notices from customers, victims of identity theft or law enforcement agencies
- Suspicious documents – Information on the identification is not consistent with the information provided by the person opening a new account or customer presenting the identification.
- Suspicious personally identifying information – Identification is not consistent with external information sources, such as a Social Security number being listed on the Social Security Administration death master file
- Unusual use or suspicious activities of the covered account – A cover account used in a manner that is not consistent with established patterns of activities
Institutional Responsibilities:
- Establishing policies and procedures that address identity theft
- Monitoring a covered account for evidence of identity theft
- Incident handling
- Changing any passwords or security codes that permit access to a covered account
- Re-opening a covered account with a new account
- Closing a covered account
- Notifying law enforcement agencies
- Operational Requirements:
- Verifying identities
- Authenticating customers
- Monitoring transactions