Skip to content

Getting Compliant: The 7 Step Red Flag Checklist

The clock is ticking; on November 1 leading financial institutions are required by the Federal Reserve to meet key Red Flag ruling requirements or face potential sanctions and monetary penalties. Banks are now scrambling for solutions only to find that most of the available tools only address a subset of the Fed?s regulation. Many financial institution need to step back and make a careful evaluation of the regulation?s implications. There?s still time to create a plan.

The reason for the new regulation is simple: identity crime is spiraling out of control. FBI statistics show United States companies spend $67 billion annually combating cyber crime and consumers lose $50 billion to identity theft and recovery expenses every year, according to the Federal Trade Commission. Regulators know that banks can play a pivotal role in the fight against identity fraud by implementing the new regulatory requirements.

The Red Flag regulations require all financial institutions to implement identity theft protection programs to include ?reasonable policies and procedures? for preventing identity theft and the ability to track ?red flag? activities and notify victims. Compliance with the comprehensive regulation can be addressed by implementing the seven measures detailed in the Red Flag Checklist.

Red Flag Requirements Initial Risk Assessment Policies and Procedures Manual Train Staff on Program Implementation New Account Authentication
(All consumer accounts) Validate Change of Address Requests
(All consumer accounts) Anti-Phishing Program Identity Theft Protection
(All consumer accounts)
Initial Risk Assessment
The risk assessment required per 12 CFR Part 41 Subpart J (c) determines if an institution has covered accounts and a formal ID Theft Prevention Program. The risk assessment must be updated periodically based on changes used to open accounts, methods available to access accounts, and the institution?s experience with identity theft.

Policies and Procedures Manual
All policies and procedures are required to be in writing and have the respective financial institution?s board approval. The proper manual not only meets this requirement, but includes a board resolution template as well. The manual includes updates, as required to identify changing risks and changes in methods of identity theft and strategies to detect, prevent and mitigate identity theft.

Train Staff on Program Implementation
A requirement of the ruling is to increase operational efficiencies while decreasing fraud risk. To ensure this regulation is met, ideally a program should provide onsite and web-based training to employees.

New Account Authentication
Financial institutions will also be required to implement tools to validate change of address on all accounts. Institutions must be able to identify the level of risk associated with address changes and react accordingly. New technologies now enable institutions to search through a database with more 700 million records receiving over 4 million updates per month: the result is the most accurate information the industry. This technology also flags individuals who are ?highest probability? matches, and reduces the false positive rate by over 20 percent by utilizing authentication practices.

Validate Change of Address Requests
An effective Change of Address Verification tool identifies the level of risk associated with address changes. An exhaustive search will be conducted through a database with more 700 million records receiving over four million updates per month to reflect literally the entire mortgage and deed-record base, along with the monthly changes taking place: the result can be the most accurate information the industry. The Change of Address Verification tool should also flag individuals who are ?highest probability? matches. When implemented correctly, best-in->
Anti-Phishing Program
Phishing attacks have risen dramatically in the last year and have significantly undermined trust in online commerce. Under the new regulation financial institutions must have an anti-phishing program in place. Companies such as ING and the IRS are currently using the best anti-phishing detection and takedown service available in the market. Institutions can now access these world->
Identity Theft Protection
Lastly financial institutions must provide all consumer accounts with some level of identity theft protection. According to Unisys Corporation?s Annual ID Theft Survey, up to 50 percent of consumers said they would switch their financial institution for one that offered better protection against identity theft. This is an area where institutions can not only increase their customer base but also generate substantial non-interest income by providing a higher-level of protection through proven strategies.

The Deadline is Approaching
Before the November deadline banks must implement a sound identity theft program addressing the seven areas outlined in the regulatory requirements. Ensuring theses safeguards are in place will prevent costly compliance issues and will protect bank?s customers from identity fraud.

Secure Identity Systems is the only company in the U.S. that offers the end-to-end solution for Red Flag compliance including: Initial Risk Assessment, Policies and Procedures Manual, New Account Authentication, Change of Address Verification, Identity Theft Protection with fully managed recovery, On-site Staff Training, and an Anti-Phishing Program. For additional information, please call (615) 377-7661, or e-mail:

First published on 8/04/08

First published on 08/04/2008

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics