Red Flag compliance deadline

Dawn Crawford
SPHR, Compliance Analyst
September 2008

The “Red Flag” compliance deadline is November 1, 2008.  Is your company ready? 

The Fair and Accurate Credit Transactions Act (FACT), which contains the Red Flag Rules, was passed in 2003, but did not become effective until January of this year.  Compliance must be met by November 1, 2008.

The FACT Act is a significant piece of legislation that amended the Fair Credit Reporting Act (FCRA) and required a number of regulations to implement the law.  Some of the regulations were required to be jointly issued by the various regulatory agencies as opposed to one agency such as the Federal Trade Commission (FTC).  The Identity Theft Red Flags Regulation is one that required a joint rule.  

According to the FTC, each year over 8 million consumers fall victim to identity theft, and over $15 billion in losses are caused by fraudsters.  Identity theft is a growing crime that negatively affects not only consumers but also businesses.  Per the U.S. Secret Service, the agency that investigates identity theft, 50 percent of the time it is a business’s poor internal controls and procedures that provide thieves the opportunity to steal consumer information and commit identity theft.  Something had to be done to deter identity theft.  Congress added a provision to the FCRA to put the onus on businesses to take affirmative steps to prevent identity theft, which resulted in the Red Flag Rules.

Establishment of an Identity Theft Program for financial institutions and creditors will be mandatory as of November 1, 2008.  Compliance is important not only because it helps guard against regulatory penalties but can also help strengthen lender confidence in the company’s business practices.

The Rule applies to a financial institution or a creditor.  So it applies not only to every single bank, thrift and credit union, but also to thousands of other entities that are considered creditors.  The Rule uses the definition of a creditor under the ECOA, so the coverage is very broad.  It is anyone that makes a credit decision or is involved in a credit decision.  So it affects a very large population of entities and businesses, including mortgage brokers, mortgage lenders, consumer finance companies, small business lenders, motor vehicle dealers, utility companies, municipalities and phone companies, among many others.  Approximately 2 million entities and businesses are affected and must comply before the deadline date.

Complying with the Rule is not an easy or quick task.  Non-compliance risks are huge.  Failing to comply risks civil fines, regulatory enforcement action, plaintiff lawsuits and harm to one’s reputation.  The Rule creates an affirmative obligation to prevent, detect and mitigate identity theft.  That is why the Rule explicitly mandates the development and implementation of a written Identity Theft Prevention Program.  Affected entities and businesses must proactively look for red flags and take appropriate steps to prevent identity theft.  Companies must take this issue seriously and ensure full compliance.

The Identity Theft Red Flags Rule requires that an affected entity or business perform a risk assessment to identify covered accounts.  Then, for each covered account, it must consider the list of 26 red flags that the Rule provides as a guide to what may indicate possible identity theft when opening or servicing the covered account.  For each red flag, an appropriate detection and response procedure must be mapped.  All of this must then be incorporated into a written Identity Theft Prevention Program.  The program must be approved by the board of directors.  At least annually a report must be made to assess the effectiveness of the program.
