Skip to content

Red Flag Regs Alert: It's Time to Start Planning

Red Flag Regs Alert:
It's Time to Start Planning
John S. Burnett, BOL Guru

New rules mandated by the FACT Act* requiring identity theft prevention programs and setting forth guidelines and requirements are about to be published. They implement Section 114 of the law and set forth certain "red flags" that may be indicative of identity theft. This article provides an overview of the final regs.

Effective and Mandatory Compliance Dates
The effective date for the regulations will depend on when they are finally published in the Federal Register. Once they are published, the regulations will be effective on the first day of the calendar quarter that is at least 30 days after publication. So, if they're published on or before November 30, 2007, they'll be effective January 1. If they appear in the Federal Register in December, they won't be effective until April 1, 2008.

Compliance will be mandatory beginning November 1, 2008, but don't let that make you complacent. Each day that your institution doesn't have an effective Identity Theft Prevention Program increases the odds that you'll be damaged by the theft and misuse of a customer's identity.

Program Content
Your Identity Theft Prevention Program must include policies and procedures to:

  1. identify relevant Red Flags for your institution's covered accounts, and incorporate them into the Program. Your institution must start with the Guidelines in Appendix J of the regulation, and the list of Red Flags in its Supplement. You don't have to include all of the Red Flags in the Supplement, but you should have a valid reason for excluding any of them. Add to your list any other Red Flags based on your institution's experience with identity theft, regulatory guidance or from other sources.
  2. detect Red Flag events that have been included in your Program
  3. respond appropriately to detected Red Flag events, to prevent ID theft and mitigate its effects
  4. ensure that the Program is updated periodically, to reflect changes in ID theft risks to customers and your institution

What is a Red Flag?
A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. There is a list of suggested Red Flags included in Supplement A to Appendix J of the regulations.

Who is Covered?
The Red Flag regulations and guidelines affect all financial institutions and creditors with covered accounts. "Creditor" includes anyone who arranges for the extension, renewal, or continuation of credit (following the definition in the Equal Credit Opportunity Act), which includes third-party debt collectors.

Who is Protected?
The group of customers whose identity is protected by the regulations and guidelines includes all customers with covered accounts. While the largest group of protected customers is consumers or individuals, the regulations are risk-based, and coverage is extended based on the type of account involved more than on the >
What Accounts Are Covered?
The regulations cover continuing deposit or credit relationships established by a person with a financial institution or creditor involving a product or service for personal, family, or household purposes, if the product or service is designed to permit multiple payments or transactions. Examples include credit card accounts, mortgage loans, installment credit, margin accounts, cell phone and other utility accounts (extensions of credit), checking and savings accounts. They also cover any other account (including those established for business purposes) where there is a reasonably foreseeable risk to a customer or the financial institution from identity theft. Financial institution risks include financial, operational, compliance, reputation, or litigation risks. The regulation covers both existing accounts and those in the process of being opened.

Part of the preliminary and ongoing responsibilities of a financial institution under the regulations will be to, on a risk basis, determine which types of accounts fall into the "other account" group for which there is foreseeable risk of ID theft.

Board Involvement
Your board of directors or an appropriate board committee must approve your initial Identity Theft Prevention Program. The board, a board committee, or an employee at a senior management level must be involved in the oversight, development, implementation and administration of the Program. The board is responsible for ensuring that your staff has appropriate training to implement the Program, and that the Program includes appropriate oversight of service provider arrangements.

Address Changes (Card Issuers)
The regulations include a requirement that you have policies and procedures to verify address changes for credit card or debit card holders if the address change is followed within 30 days (or a longer period established in your procedures) by a request for an additional card or replacement card for the same account. You can't issue the additional or replacement card until you've checked out the change of address with your cardholder, and provided your cardholder a reasonable means for promptly reporting an incorrect address change.

Your policies and procedures can provide for the verification of all address change requests. If you've already verified such a request before receiving a request for an added or replacement card, you need not verify the address a second time before issuing the card.

It's Time to Get Moving!
With the compliance deadline a short 12 months away, and evidence that examiners have already been asking financial institutions about their Red Flag programs, you should waste no time ramping up your planning for implementation. When planning backward from the November 1, 2008, deadline, make sure you allow time to present your proposed Program to your board of directors and make any needed adjustments before obtaining their final approval. Assemble your team to decide which accounts you will include in your initial plan for coverage, by assessing the risk of ID theft for each type of account you offer. Don't forget business accounts, particularly those of sole proprietorships and other small businesses.

Watch for guidance from regulators on any additional Red Flags that you should consider including in your Program. Also watch industry news reports, including BOL's weekly Tech Talk briefing, for ID theft developments that might suggest added ID theft risk for any of your customers or account types.

Don't forget time to identify steps that you will include in your Program as responses to any detected Red Flag events.

Each of the federal financial institution regulatory agencies (the Agencies) and the Federal Trade Commission will issue its own regulation in a joint announcement once all of the final approvals are received. Although some of the wording in the agency versions regulations will differ, the substantive provisions will be the same.

The agencies introduced proposed regulations on July 18, 2006, and received 128 comments. The regulations and guidelines are mandated by section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA) which requires financial institutions and creditors to develop and maintain a written Identity Theft Prevention Program. The Agencies are also issuing joint regulations under Section 315 of FACTA to provide guidance on action when a consumer reporting agency sends a notice of address discrepancy (see our Address Discrepancy article).

* FACT Act - Fair and Accurate Credit Transactions Act of 2003


Related Links

  • Final Red Flag and Address Discrepancy Regulations - PDF File (right-click and save to download before opening)
  • Proposed Regulations - For research purposes, here are the proposed Red Flag and Address Discrepancy Regulations
  • Comments on proposals - The 56 comments received by the Federal Reserve Board on the proposed regulations. You can review these comment letters for ideas on how the new requirements may affect your institution.
  • Red Flag Examples - HTML - PDF (right click and save before opening) Examples from Supplement A to Appendix J to the Red Flag regulations. You need to consider each of these examples for inclusion in your Program.
  • BankersOnline's Bankers' Threads FCRA/FACT Act Forum - Pose a question, offer an answer, or simply share information on all things related to FCRA.
  • BankersOnlne's FACT Act resource page - Proposed rules, guidance and final rules implementing FACTA provisions. You'll find handy FACT Act and FCRA Tools here, too.



First published on BankersOnline.com 10/19/2007

First published on 10/19/2007

Search Topics