Five years in the pipeline, 'red-flag' guidelines require financial institutions to watch for fraud. Small businesses with few resources do not welcome the 'burdensome' procedures.
By Bankrate.com
Identity thieves face tough going this year if they think pilfering your personal information will be a stroll through the park. Or at least that's what regulators hope.
This is because new "red-flag" rules aimed at impeding identity thieves are being phased in.
You've never heard of them? Join the crowd.
"There hasn't been a big consumer-education push," says Chris Hoofnagle, a senior fellow with the Berkeley Center for Law & Technology in California. "These rules are not well-known, even among consumer advocates."
Hoofnagle says the information is relatively scarce because the rules stem from a 2003 law that took five years to implement.
"There's been a lot of waiting," he says.
What are red-flag rules?
The rules push financial institutions to make sure people are who they say they are. Authenticating identities will be the name of the game. Red-flag rules stipulate that financial institutions and creditors establish a written program to "detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts," according to a Federal Trade Commission report.
The rules offer more than two dozen examples of suspicious behavior that financial institutions and creditors should consider warnings.
The presentation of altered documents, a suspicious address change, a fraud alert on a credit report and other unusual account activities are among the red flags.
The idea is to prompt banks and creditors to go into "authentication mode" and determine whether fraudsters are trying to apply for credit in someone else's name or hijack someone else's accounts.
The rules stem from the Fair and Accurate Credit Transactions Act of 2003. Relevant financial institutions have until November to come into full compliance or be subject to penalties.
Proponents say the rules will standardize how credit-issuing entities respond to suspicious activities regarding your accounts.
"These rules for the first time provide a uniform road map for protecting customer information and preventing identity theft," says Sai Huda, the CEO of Compliance Coach, a San Diego company that provides red-flag-compliance software. "Before the rule, there was only an implied obligation on business to protect information."
Now financial institutions and creditors must update their programs periodically to handle new threats as they emerge.
To whom do the rules apply?
The Federal Trade Commission says financial institutions and creditors who "offer or maintain covered accounts" must implement a red-flag program.
So what exactly is a covered account?
"Red-flag rules apply to financial institutions and creditors like banks, credit unions, auto dealers, mortgage brokers, utility companies and telecommunications companies," says Pavneet Singh, an FTC spokeswoman.
Compliance Coach's Huda says you don't necessarily have to be an account holder for the rules to apply to you.
Credit reporting agencies are exempt from the red-flag rules, but at least one, Experian, is getting involved at some level. In February, Experian hosted a Web seminar on the rules and attracted more than 700 clients.
"We tried to make sure that all our existing and prospective clients understood what these red-flag rules meant," says Keir Breitenfeld, a senior product manager with Experian's Fraud & Identity Solutions. "We tried to do that educationally."
How will red-flag rules benefit you?
Red-flag advocates say that banks and creditors with sloppy fraud-prevention programs will eventually be exposed by litigation and negative publicity.
"The public disclosure of identity theft will create more of an onus for these companies to be up to par," Huda says. "Consumers will eventually benefit because of the higher standards."
Hoofnagle says the prospect of agencies such as the FTC and the Federal Deposit Insurance Corp. enforcing the rules, combined with possible litigation, "will involve some transparency of procedures."
Another added benefit is that employees may be more vigilant in spotting identity fraud.
Anita Marchion, the assistant vice president of regulatory compliance at Navy Federal Credit Union in Virginia, says the training of new recruits has been beefed up to include more focus on identity theft.
She says that the nation's largest credit union will be in compliance by the November deadline and that "members should have a comfort level knowing that we are taking extra steps to protect them from identity fraud."
Hoofnagle has been pushing for a ratings system for banks like the ones that measure vehicle safety. His 2006 study of ID thefts among financial institutions reveals a wide variance in frequency of customer complaints.
"You can go online and look at the crash test of your car and the rollover rating, and all this is available to consumers now," he says. "It wasn't available 40 years ago, but I think we will have a similar situation with banks."
Hoofnagle says the red-flag process is not foolproof. For example, financial institutions need to keep an eye on sales where affiliate marketing agreements come into play. When consumers apply for a credit card or cell phone contract, often the agreement's privacy policy will provide for the company's right to share your information with third-party affiliates that sell products. Hoofnagle believes some commissioned salespeople may have strong incentives to override the red flags.
He is also concerned that some banks may find ways to simply override authentication procedures.
"There has to be some counterweight to that problem," he says.
Heather Grover, a director of product management with Experian's Fraud & Identity Solutions, says there has to be some balance between the consumer's best interest and an organization's need to keep its defenses opaque to thieves.
"Fraudsters are students of their craft, and they'll really game the system as soon as they find the hole," she says.
Who opposes the rules?
The rules give businesses the flexibility to design programs that work best with their respective business models and available resources.
However, some creditors and financial institutions aren't too happy about what they see as the added financial and bureaucratic burden of being required to comply with the rules.
Some smaller institutions have complained that the rules place an unnecessary financial and operational burden on them that they cannot afford. Many may have to hire a third-party company to ensure compliance.
While financial giants may have legions of in-house staffers dedicated to fraud prevention, your local community bank may opt to use a third-party vendor.
The National Automobile Dealers Association supports the government's goal of trying to protect consumers from identity theft, but it also believes the red-flag rules will hurt smaller dealers with limited financial resources.
"We anticipate most dealers will find it challenging to develop and implement a comprehensive identity theft program as required by the red-flag rules," says Paul Metrey, the director of regulatory affairs for the auto dealers group.
Metrey says the program will demand significant time and attention from managers and service providers. He says many provisions of the rules have already been addressed in prior laws, such as the FTC Safeguards Rule and the FTC Privacy Rule.
Not surprisingly, lobbyists for the banking industry also rejected the rules as heavy-handed.
The Illinois Bankers Association, in a statement to the FDIC, called the rules "excessive and overly burdensome."
There may be some reluctance to accept red-flag rules as a best-practice measure, Grover says, but she adds that many businesses will eventually come around when they see the benefits of protecting their customers, as well as a decrease in fraud losses.
The red-flag triggers
The rules are designed to fill the cracks in the system through which identity thieves could fraudulently pilfer the identities of other people for their personal gain.
Six agencies were involved in drafting the rules: the Treasury Department's Office of Thrift Supervision, the Office of Comptroller of the Currency, the FDIC, the FTC, the National Credit Union Administration and the Federal Reserve System. They came up with the following guidelines as examples of red flags. These were gleaned from the Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003:
- A fraud alert included with a consumer report.
- A notice of a credit freeze in response to a request for a consumer report.
- A consumer reporting agency providing a notice of address discrepancy.
- Unusual credit activity, such as an increased number of accounts or inquiries.
- Documents provided for identification appearing altered or forged.
- A photograph on ID inconsistent with appearance of customer.
- Information on ID inconsistent with information provided by person opening account.
- Information on ID, such as signature, inconsistent with information on file at financial institution.
- An application appearing forged or altered or destroyed and reassembled.
- Information on ID not matching any address in the consumer report.
- A Social Security number that has not been issued or that appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased.
- A lack of correlation between the Social Security number range and the date of birth.
- Personal identifying information associated with known fraud activity.
- Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or an answering service.
- A Social Security number provided matching that submitted by another person opening an account or other customers.
- An address or phone number matching that supplied by a large number of applicants.
- The person opening the account unable to supply identifying information in response to notification that the application is incomplete.
- Personal information inconsistent with information already on file at a financial institution or creditor.
- Person opening account or customer unable to correctly answer challenge questions.
- Shortly after a change of address, creditor receiving request for additional users of account.
- Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment.
- A drastic change in payment patterns, use of available credit or spending patterns.
- An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.
- Mail sent to customer repeatedly returned as undeliverable despite continuing transactions on an active account.
- A financial institution or creditor notified that customer is not receiving paper account statements.
- A financial institution or creditor notified of unauthorized charges or transactions on customer's account.
- A financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft.
This story was reported and written by Steve Santiago for Bankrate.com.