FIGHTING FRAUD WITH THE RED FLAGS RULE & ENSURING ACCURACY WITH THE ADDRESS DISCREPANCY RULE - PowerPoint PPT Presentation


SLIDE 1

FIGHTING FRAUD WITH THE RED FLAGS RULE & ENSURING ACCURACY WITH THE ADDRESS DISCREPANCY RULE

Tiffany George
Attorney, Division of Privacy & Identity Protection
Federal Trade Commission

SLIDE 2

WHAT’S ON YOUR MIND

  • So what is the Red Flags Rule?
  • Who’s covered by the Red Flags Rule?
  • If we’re covered by the Red Flags Rule, what do we need to do?
  • How do we design an Identity Theft Prevention Program?
  • What are the Red Flag Guidelines?
  • What about the Address Discrepancy Rule?

SLIDE 3

THE FACT ACT

Fair and Accurate Credit Transactions Act of 2003, amending the Fair Credit Reporting Act (FCRA)

RULES: 72 Fed. Reg. 63718 (November 9, 2007)
www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
(FTC Rules p. 63771-63773, Guidelines p. 63773-63774, Supplement p. 63774)

SLIDE 4

BACKGROUND

  • Joint rulemaking
  • Final rules published November 9, 2007
  • Compliance required by November 1, 2008, but enforcement forbearance for the Red Flags Rule until May 1, 2009, for entities under FTC jurisdiction

SLIDE 5

SO WHAT IS THE RED FLAGS RULE?

Red Flags Rule

SLIDE 6

RED FLAGS RULE

  • FACT Act Section 114
  • FCRA Section 615(e)
  • 16 C.F.R. § 681.2

SLIDE 7

PURPOSE OF THE RED FLAGS RULE

  • To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products or services with no intention of paying.
  • A “red flag” is a pattern, practice, or specific activity that could indicate identity theft.
  • It’s not just another data security regulation.

SLIDE 8

STRUCTURE OF THE RED FLAGS RULE

  • Risk-based rule
  • Guidelines (Appendix A)
  • Supplement A – 26 examples of red flags

SLIDE 9

WHO’S COVERED BY THE RED FLAGS RULE?

Red Flags Rule

SLIDE 10

WHO’S COVERED BY THE RED FLAGS RULE?

  • Financial institutions
  • Creditors

SLIDE 11

WHO’S COVERED BY THE RED FLAGS RULE?

From the FCRA, a “financial institution” is:

  • A state or national bank
  • A state or federal savings and loan association
  • A mutual savings bank
  • A state or federal credit union, or
  • Any other person that directly or indirectly holds a transaction account* belonging to a consumer

* From the Federal Reserve Act, Section 19(b) – an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others

SLIDE 12

WHO’S COVERED BY THE RED FLAGS RULE?

From the ECOA, a “creditor” is:

  • Any person who regularly extends, renews, or continues credit
  • Any person who regularly arranges for the extension, renewal, or continuation of credit, or
  • Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit

A “person” means “a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association.”

“Credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services.

SLIDE 13

Red Flags Rule

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

SLIDE 14

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

  • Financial institutions and creditors must conduct a periodic risk assessment to determine if they have “covered accounts.”
  • If they do, they must develop, implement, and administer a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
      • the opening of a covered account, or
      • any existing covered account.

SLIDE 15

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

An “account” is:

  • A continuing relationship established by a person with an FI or creditor to obtain a product or service for personal, household, or business purposes.

SLIDE 16

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE HAVE TO DO?

A “covered account” is:

  • A consumer account designed to permit multiple payments or transactions, and
  • Any other account for which there is a reasonably foreseeable risk from identity theft*

* Risk factors

  1. Methods provided to open the account
  2. Methods provided to access the account
  3. Previous experiences with identity theft

SLIDE 17

Red Flags Rule

HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?

SLIDE 18

DESIGNING YOUR PROGRAM

Develop reasonable processes and procedures for:

  • STEP #1 – Identify relevant red flags. Identify the red flags you’re likely to come across in your business that indicate a crook is using someone else’s information to get your products or services with no intention of paying.
  • STEP #2 – Detect red flags. Set up procedures to detect them in your day-to-day operations.
  • STEP #3 – Prevent and mitigate identity theft. When you spot the red flags you’ve identified, respond appropriately to prevent and mitigate harm.
  • STEP #4 – Update your Program. The risks of identity theft can change rapidly, so keep your Program current and educate your staff.

SLIDE 19

DESIGNING YOUR PROGRAM

The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

SLIDE 20

USING THE GUIDELINES

The Rules require you to:

  • Consider the Guidelines
  • Incorporate appropriate Guidelines into your Program

SLIDE 21

ADMINISTERING YOUR PROGRAM

  • Get approval of the initial Program from your Board of Directors or from a committee of the Board
  • After that, the Board may designate a senior management employee to oversee:
      • Development, implementation, and administration of the Program
      • Training of appropriate staff
      • Arrangements with service providers

SLIDE 22

WHAT ARE THE IDENTITY THEFT RED FLAGS GUIDELINES?

Red Flags Rule

SLIDE 23

RED FLAGS GUIDELINES

  1. Incorporate existing policies and procedures.
  2. Identify relevant red flags.
  3. Set up procedures to detect red flags.
  4. Respond appropriately to red flags.
  5. Update your Program periodically.
  6. Administer your Program.
  7. Consider other legal requirements.

SLIDE 24

Incorporate existing policies and procedures

  • Evaluate your existing anti-fraud programs
  • Evaluate your information security programs

SLIDE 25

Identify relevant red flags

  • Risk factors:
      • Types of covered accounts you offer or maintain
      • Methods for opening or accessing covered accounts
      • Previous experience with identity theft
  • Sources of red flags:
      • Episodes of identity theft that have already happened
      • Changes in how crooks are committing identity theft
      • Applicable supervisory guidance

SLIDE 26

Identify relevant red flags

  • Five categories of red flags*:
      • Alerts, notifications, or other warnings received from credit reporting agencies or service providers
      • Suspicious documents
      • Suspicious personal identifying information
      • Unusual use of or other suspicious activity related to a covered account
      • Notice from customers, victims of identity theft, or law enforcement authorities

* 26 examples are found in Supplement A

SLIDE 27

Set up procedures to detect red flags

  • Verify identity
  • Authenticate customers
  • Monitor transactions
  • Verify validity of address changes

SLIDE 28

Respond appropriately to red flags

  • Monitor accounts
  • Contact customer
  • Change passwords
  • Close and reopen account
  • Refuse to open account
  • Don’t sell the account or collect on it against the identity theft victim
  • Notify law enforcement
  • In some cases, no response may be warranted

SLIDE 29

Update your Program periodically in light of:

  • Experience with identity theft
  • Changes in methods of identity theft
  • Changes in methods to detect, prevent, and mitigate identity theft
  • Changes in types of accounts offered
  • Changes in business arrangements

SLIDE 30

Administer your Program

  • Oversight of the Program by your Board or a senior manager involves:
      • Assigning specific responsibility for implementation
      • Reviewing reports
      • Approving material changes to your Program

SLIDE 31

Administer your Program

  • At least once a year, the Board or the senior manager should get a report addressing material matters like:
      • Service provider arrangements
      • Whether your policies and procedures have been effective in addressing the risk of identity theft in connection with covered accounts
      • Significant incidents involving identity theft and management’s response
      • Recommendations for changes to the Program

SLIDE 32

Administer your Program

  • Oversight of your service providers involves ensuring their activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

SLIDE 33

Other legal requirements

  • Other FCRA provisions – for example, information furnisher duties to update or correct inaccurate information, and not report inaccurate information (15 U.S.C. 1681s-2)

SLIDE 34

EXAMPLES OF RED FLAGS (SUPP. A)

  • Warning from credit reporting agencies: Fraud or active duty alert included in consumer report
  • Suspicious documents: Documents provided for identification appear to be altered
  • Suspicious personal information: Inconsistent with external information sources

SLIDE 35

EXAMPLES OF RED FLAGS (SUPP. A)

  • Unusual use of account: Account used in a way inconsistent with historical patterns of activity
  • Notice from customers: Customer notifies you about identity theft

SLIDE 36

WHAT ABOUT THE ADDRESS DISCREPANCY RULE?

Address Discrepancies

SLIDE 37

ADDRESS DISCREPANCY RULE

  • FACT Act Section 315
  • FCRA Section 605(h)
  • 16 CFR § 681.1

SLIDE 38

WHO’S COVERED?

  • Users of credit reports

SLIDE 39

NOTICE OF ADDRESS DISCREPANCY

“Nationwide credit reporting agency” (NCRA) – as defined in FCRA

“Notice of address discrepancy” comes from a nationwide credit reporting agency and notifies the user of a substantial difference between:

  • Address the user provided, and
  • Address in the credit reporting company’s files

SLIDE 40

ENSURING ACCURACY

Regulatory Requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the credit report relates to the consumer about whom the report was requested

SLIDE 41

REASONABLE BELIEF

Establishing a “reasonable belief” ― examples

  • Compare information in the credit report to information the user:
      • Maintains in its records
      • Gets from third-party sources
      • Gets to comply with CIP rules
  • Verify information in the credit report with the consumer
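The comparison steps on this slide can be turned into a small, testable procedure. The code below is an added example, not part of the FTC presentation and not an FTC tool: it takes a constructed notice of address discrepancy, normalizes both addresses so that formatting differences alone do not count as a discrepancy, then works through the slide's order of comparison (the user's own records, third-party sources, information collected for CIP) and finally falls back to verifying with the consumer. The class names, the abbreviation table, the `verify_with_consumer` callback and all sample addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Short USPS-style abbreviation table (assumption for this example); a real
# deployment would use a full address-standardization service instead.
_ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
    "drive": "dr", "lane": "ln", "apartment": "apt", "suite": "ste",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def normalize_address(addr: str) -> str:
    """Canonicalize an address so case, punctuation, 'Street' vs 'St' and
    ZIP+4 vs 5-digit ZIP do not by themselves look like a discrepancy."""
    text = re.sub(r"[.,#]", " ", addr.lower())
    tokens = []
    for tok in text.split():
        tok = re.sub(r"^(\d{5})-\d{4}$", r"\1", tok)  # drop the +4 suffix
        tokens.append(_ABBREV.get(tok, tok))
    return " ".join(tokens)


def addresses_match(a: str, b: str) -> bool:
    return normalize_address(a) == normalize_address(b)


@dataclass
class AddressDiscrepancyNotice:
    consumer_id: str
    address_provided: str   # address the user sent with its report request
    address_on_file: str    # address in the NCRA's files for this consumer


@dataclass
class UserRecords:
    own_records: List[str]  # addresses the user maintains in its own records
    third_party: List[str]  # addresses obtained from third-party sources
    cip: List[str]          # addresses collected to comply with CIP rules


def is_substantial_difference(notice: AddressDiscrepancyNotice) -> bool:
    """A notice is only a real discrepancy if the two addresses still differ
    after normalization."""
    return not addresses_match(notice.address_provided, notice.address_on_file)


def establish_reasonable_belief(
    notice: AddressDiscrepancyNotice,
    records: UserRecords,
    verify_with_consumer: Optional[Callable[[AddressDiscrepancyNotice], bool]] = None,
) -> Tuple[bool, str]:
    """Apply the slide's comparisons in order and return (belief_established, basis)."""
    if not is_substantial_difference(notice):
        return True, "addresses agree after normalization"
    sources = (
        ("own records", records.own_records),
        ("third-party sources", records.third_party),
        ("CIP records", records.cip),
    )
    for name, addrs in sources:
        if any(addresses_match(notice.address_on_file, a) for a in addrs):
            return True, f"credit report address matches {name}"
    # Nothing on hand explains the NCRA's address: verify with the consumer.
    if verify_with_consumer is not None and verify_with_consumer(notice):
        return True, "verified with the consumer"
    return False, "unresolved discrepancy: treat as a red flag and escalate"


# Constructed sample data: the consumer moved, and the user still holds the
# prior address in its own records, which explains the NCRA's file address.
SAMPLE_NOTICE = AddressDiscrepancyNotice(
    consumer_id="C-0001",
    address_provided="100 Main Street, Apt 4, Springfield, IL 62704",
    address_on_file="22 Oak Ave, Springfield, IL 62701",
)
SAMPLE_RECORDS = UserRecords(
    own_records=[
        "100 Main St Apt 4, Springfield, IL 62704-1234",
        "22 Oak Avenue, Springfield, IL 62701",
    ],
    third_party=[],
    cip=[],
)


def demo() -> Tuple[bool, str]:
    return establish_reasonable_belief(SAMPLE_NOTICE, SAMPLE_RECORDS)


if __name__ == "__main__":
    print(demo())
```

The basis string returned with each decision is what you would log for the annual report the Guidelines call for; an unresolved result should feed the Identity Theft Prevention Program's response procedures rather than silently letting the report be used.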

SLIDE 42

CONFIRMING ADDRESS

Regulatory requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user:

  • Can form a reasonable belief that the report relates to the consumer
  • Establishes a continuing relationship with the consumer
  • Regularly furnishes information to the NCRA

SLIDE 43

ENFORCEMENT OF RULES

  • Administrative enforcement under 15 U.S.C. 1681s (Section 621 of the FCRA).
  • No private right of action for 16 C.F.R. 681.2
  • State Attorneys General
  • No criminal penalties

SLIDE 44

QUESTIONS?

RedFlags@ftc.gov
www.ftc.gov