The Fair and Accurate Credit Transactions Act of 2003, or FACTA, is an amendment to the Fair Credit Reporting Act (FCRA) and became a federal law when passed by Congress on November 22, 2003. The Identity Theft Red Flags and Address Discrepancies Rules, or ‘Red Flags Rules’, were published on November 9, 2007 by the National Credit Union Administration and the Federal Trade Commission and went into effect on January 1, 2008. Although compliance was initially required by November 1, 2008, confusion over certain aspects of the rules led to the publication of the ‘Red Flag Program Clarification Act of 2010’ and pushed the compliance deadline to December 31, 2010.
FCRA regulates the collection, use, and release of consumer credit information in credit reports by consumer reporting agencies.
FACTA provides consumers with identity theft protection by regulating the privacy and accuracy of consumer information.
The Identity Theft Red Flags and Address Discrepancies Rules allowed for the effective implementation of Section 114 of FACTA by clarifying its rules and guidelines. These ‘Red Flags Rules’ stipulate that financial institutions, such as banks, and creditors, such as car dealerships, are required to implement an “Identity Theft Prevention Program” with reasonable policies and procedures for detecting, preventing, and mitigating identity theft. In addition, these rules set out the regulations for processing a customer’s change of address.
Why do FACTA’s Red Flag Rules exist?
Although it may seem like a much more recent phenomenon, identity theft is a rapidly growing epidemic that legislation has been trying to cure for nearly two decades.
A core problem with identity theft is its attractiveness to criminals: gaining access to a victim’s identity information can open many avenues with which to easily defraud businesses and other entities out of thousands of dollars.
Using personal identity information that only the victim should know, criminals can convincingly pose as the victim in order to:
drain the victim’s bank account(s)
open new credit card accounts under the victim’s name
obtain services under the victim’s name and leave the bills unpaid
Unnervingly, identity theft and attempts to use false/stolen identities to conduct fraudulent transactions are poised to escalate thanks to the exponential rise in the number of data breaches – the collection of identity information by those unauthorized to do so.
As mentioned above, the ability to use identity information for a variety of fraudulent activities makes identity information a valuable currency for criminals. Conducting a data breach and amassing the identity information of hundreds, thousands, or possibly millions of people can be quite a lucrative payday for enterprising criminals.
And unfortunately, cybersecurity, although able to react quickly to an ever-changing environment, struggles to keep pace with the innovation of the global data hacking industry. As soon as a vulnerability that can cause a data breach is fixed, criminals either find or make a new one.
Instead of waiting for cybersecurity technology to address the main issue of data breaches – identity information taken and used by criminals – legislators implemented the ‘Red Flags Rules’ within FACTA.
The theory is that by requiring financial institutions, such as banks, and creditor entities, such as car dealerships, to have an identity theft prevention program in place to make sure customers are who they say they are while conducting certain types of transactions, identity theft and its financial consequences can be prevented.
In essence, these Red Flag Rules are designed to protect financial institutions and creditor entities as well as consumers by having a two-fold purpose:
Establishing regulations on securely collecting identity data on consumers
Establishing regulations on securely maintaining identity data collected on consumers
Of course, it is in financial institutions’ and creditors’ best interests to have some type of identity theft prevention program in place, even in the absence of legislation, as protection from being defrauded by criminals. After all, why wouldn’t your business have an interest in being on the lookout for signs that a criminal is attempting to use someone else’s information to anonymously get products and services from your business without paying for them?
The Details: FACTA’s Red Flag Rules Requirements & Compliance
To be clear, the purpose of FACTA’s Red Flag Rules is to provide directions for developing, implementing, and administering a written identity theft prevention program.
There are 4 main requirements that need to be met in order to have an identity theft prevention program that is in compliance with FACTA’s Red Flag Rules:
Identify Red Flags Relevant to your Business: Determine reasonable program policies and procedures that are able to identify ‘red flag’ activities that occur in day-to-day operations of the business
Detect Red Flags: Procedures need to be able to detect those ‘red flags’
Prevent & Mitigate Identity Theft: Procedures need to provide the steps for preventing identity theft and mitigating its effects once a ‘red flag’ is detected
Update the Program: Determine how the program can be updated to address any new identity theft/’red flag’ threats
The elements that comprise the 4 requirements listed above are expanded upon below.
What is a “Red Flag?”
A ‘red flag’ describes any activity, or repeated activities/patterns, that is suspicious and indicates the possibility of identity theft. To be clear, because each business has distinct operations and activities, a ‘red flag’ action taken by a customer at one business may not be considered a ‘red flag’ activity at another business.
To determine what constitutes a ‘red flag’ for your business, you should consider:
Risk factors: different types of accounts pose different types and levels of risk. For example, opening a checking account typically poses fewer hurdles than opening a mortgage loan account.
Risk sources: to continue committing fraud, criminals are constantly updating their methods, mostly through technology. You should keep up to date on emerging sources of fraud that criminals may begin to use, especially technological ones.
Common risks: the Code of Federal Regulations that defines the Red Flag Rules provides “Supplement A to Appendix J”, which lists common examples of red flags for businesses to consider when determining their own red flags. Supplement A has been copied verbatim from the official Code of Federal Regulations for your convenience.
The following is a list of examples of red flags; for a more comprehensive list of examples, please consult Supplement A:
a fraud alert placed by a credit reporting company
address discrepancy between information provided by the consumer and the information provided on a credit report
providing a form of identification, such as a driver’s license, that does not look authentic
being unable to answer a predetermined challenge question
an inactive existing account suddenly being used again
a customer noticing suspicious activity on their account(s)
using a phone number that’s already linked to another customer’s existing account
Developing and implementing an effective detection system for ‘red flags’ is the key to running a successful identity theft prevention program. For example, if you regularly check I.D.s for certain transactions, an I.D. that looks fake would be considered a ‘red flag’ for your business, and so, having the procedures in place to detect any potential fake, forged, or altered forms of identification is absolutely fundamental.
Thankfully, the Red Flags Rules give businesses the flexibility to define and address red flags in a way that is appropriate for their particular business dealings and level of exposure to risk. Because the rules set out only broad requirements, businesses have a lot of leeway in setting up a program that is customized to their particular needs. Since there is no list of specific instructions, how do businesses know how to detect these red flags?
Guideline on How to Detect your Red Flags
For each red flag identified, a business then needs to have a system put in place to actually detect these red flags when they occur. The following lists the very broad requirements for detecting red flags:
Obtaining & Verifying Identity Information for New Customers: When a red flag involves new customers’ identity information, you need to have a system that allows your business not only to securely obtain customer information, but also to verify the given information. If your business is a financial institution, there is a good chance that your Customer Identification Program (CIP), which should already be in place, is sufficient to detect red flags at this juncture, but to be safe, you should review your CIP to make sure that there are no security gaps.
Authenticating Accounts/Transactions of Existing Customers: When a red flag involves authenticating existing customers’ accounts and/or transactions, you need to have a system that allows your business to make sure that the customer accessing the account(s) or conducting the transaction(s) is the true owner of the account/transaction. Traditionally, simply checking I.D.s was enough to ensure the true identity of a customer; however, due to the sheer amount of identity data that has been stolen over the past several years, this method may not be enough. The Red Flag Rules do not specify exactly how, or to what degree, you need to authenticate the identities of existing customers; compliance simply requires that the method(s) used be ‘effective’, with that effectiveness reported to your board of directors annually. The following additional measures of identification will undoubtedly meet compliance requirements:
biometrics
tokens
security ID cards
fingerprint readers
GPS technology using cell phones, for mobile app transactions
user ID + password, for online transactions
Monitoring Customers’ Transactions: Monitoring transactions for fraud is arguably the most difficult aspect of Red Flag Rules compliance. In order to make sure transactions are not fraudulent, businesses not only need to track transaction activities, but also analyze these activities in relation to other transactions, their timing, and deviations from what is considered ‘normal’ for your business. There are technologies that monitor transactions for these red flags, but regardless of whether or not your business decides to use technological aids, it is your business’s responsibility to monitor transactions.
Change of Address & Address Discrepancies Verification: You may have missed it in the very first section on this page, but the technical name for the Red Flag Rules is ‘Identity Theft Red Flags and Address Discrepancies Rules’. Although the guidelines above are relatively general in nature, the Red Flag Rules are specific about what to do when a customer has a change of address and/or an address discrepancy, and how to verify that the change of address is valid or that the address discrepancy is not an occurrence of fraud. This is because a great deal of identity theft in these situations involves the manipulation of an existing customer’s account information, namely the address. For new accounts, giving a different address than the one credit reporting bureaus have on file for a person is typically a red flag activity: by giving a different address, criminals attempt to hide their fraudulent activity for as long as possible by ensuring that the victim does not receive any communication that a new account was opened in their name. Although the different address may be completely innocuous, since the customer may simply have moved recently, address discrepancies need to be taken seriously. Address discrepancies can be resolved by:
verifying the address with the customer
reviewing any records that can be used to verify the address
verifying the address through a third party
verifying the address through any other ‘reasonable’ means
If the financial institution or creditor regularly furnishes information to the credit reporting bureau that reported the address discrepancy, the financial institution/creditor needs to relay the correct address to that credit reporting bureau. For debit/credit card accounts, by changing the address, identity thieves can more or less ensure that their fraudulent activity will go undetected for as long as possible, especially by the victimized customer.
Whenever a customer has a change of address and a replacement card is requested for the new address within 30 days of the change, you must comply with one of the following requirements:
Notify the customer via postal mail at their original address, or by another previously agreed upon method of contact such as email, asking the cardholder to promptly respond if the change of address is incorrect, or
Assess the validity of the change of address through some other means, such as an address validation software system
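As an added illustration (not part of the original article), the following Python sketch encodes three of the red flags described above as checks over constructed account events: the 30-day change-of-address/replacement-card rule, an address discrepancy between a new-account application and the credit report, and a phone number already linked to another customer. The event fields, the crude address normalisation and the sample data are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Event:
    """One account event; field names are assumptions for this example."""
    customer: str
    kind: str   # "address_change", "card_replacement" or "account_open"
    when: date
    data: dict = field(default_factory=dict)

def normalize(addr):
    # Crude normalisation so "9 Elm St." and "9 elm st" compare equal.
    return " ".join(addr.lower().replace(".", "").replace(",", "").split())

def flag_address_change_then_card(events, window_days=30):
    """Replacement card requested for the NEW address within window_days of an
    address change; the rules require confirming it with the customer at the
    old address or validating the change by other means."""
    flags = []
    changes = [e for e in events if e.kind == "address_change"]
    for card in (e for e in events if e.kind == "card_replacement"):
        for chg in changes:
            if chg.customer != card.customer:
                continue
            delta = (card.when - chg.when).days
            to_new = normalize(card.data["ship_to"]) == normalize(chg.data["new"])
            if 0 <= delta <= window_days and to_new:
                flags.append(("address_change_then_card", card.customer, delta))
    return flags

def flag_address_discrepancy(events):
    """Address on a new-account application differs from the credit report."""
    return [("address_discrepancy", e.customer) for e in events
            if e.kind == "account_open"
            and normalize(e.data["applicant_addr"]) != normalize(e.data["report_addr"])]

def flag_shared_phone(events):
    """Phone number on a new account already belongs to another customer."""
    owners = defaultdict(set)
    for e in events:
        if e.kind == "account_open":
            owners[e.data["phone"]].add(e.customer)
    return [("shared_phone", p, sorted(c)) for p, c in owners.items() if len(c) > 1]

# Constructed sample events (not real data).
SAMPLE = [
    Event("C1", "address_change", date(2023, 3, 1), {"new": "9 Elm St."}),
    Event("C1", "card_replacement", date(2023, 3, 12), {"ship_to": "9 elm st"}),  # 11 days
    Event("C2", "address_change", date(2023, 1, 1), {"new": "5 Pine Rd"}),
    Event("C2", "card_replacement", date(2023, 3, 1), {"ship_to": "5 Pine Rd"}),  # 59 days
    Event("C3", "account_open", date(2023, 4, 2), {"applicant_addr": "7 Birch Ln",
          "report_addr": "3 Maple Ct", "phone": "555-0100"}),
    Event("C4", "account_open", date(2023, 4, 3), {"applicant_addr": "4 Ash St",
          "report_addr": "4 Ash St.", "phone": "555-0100"}),
]

def all_flags(events):
    return flag_address_change_then_card(events) + flag_address_discrepancy(events) + flag_shared_phone(events)
```

Each flag is only a trigger for the human review the next section describes; C2's request falls outside the 30-day window and C4's punctuation-only address difference is normalised away, so neither is reported.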
How to Prevent Identity Theft and Mitigate Red Flags
Once a potential red flag is detected, human intervention is needed to gauge what the appropriate response should be in order to prevent identity theft from occurring. The appropriate response should be based on:
the type of red flag that has been detected
the level of risk of identity theft that this red flag presents
the timing between this red flag and another activity, e.g. a change of address followed by a request for a replacement credit card within 30 days
other situations, such as a data breach at the financial institution, that warrant closer scrutiny
customer notification that they have noticed fraudulent activity on their account(s)
If a potential red flag is subsequently identified as an occurrence of fraud, the next step for a financial institution or creditor would be to mitigate the potential consequences of that red flag. Appropriate responses include:
cancelling the transaction
contacting the customer
continual monitoring of the account
changing passwords, security codes, and devices associated with the account
reopening the account using a new customer number
closing the account
notifying law enforcement
In a handful of cases, a ‘false positive’ of a red flag may occur, which means that not responding to the red flag would be considered the most appropriate course of action. A false positive would be the presence of a red flag activity that does not have the risk of identity theft. For example, a data entry error that raises a red flag does not carry the risk of identity theft. In situations such as these, no response would likely be the most appropriate method of compliance.
If a red flag is detected yet it is unclear whether or not ‘no response’ is the most appropriate course of action, the customer must be notified.
How to Keep your Program Up-to-Date
A requirement of the Red Flag Rules is to periodically review and update your program to make sure that there aren’t any changes to what would be considered a ‘red flag’ due to changes in/with:
business dealings and arrangements
identity theft risk levels
methods of red flag detection
methods used by identity thieves
Program Administration Directions
Once you have developed an identity theft prevention program, you need to take the following steps in order to comply with how the program needs to be administered under Red Flag Rules:
Initial Plan Adoption: Each financial institution and creditor needs to obtain initial approval of the plan by either:
the board of directors or a committee of the board, or, if no board exists,
a designated Senior Manager
Specific Responsibility Assignment: The oversight, development, implementation, and administration of the program should be the responsibility of:
the board of directors or a committee of the board, or, if no board exists,
a designated Senior Manager
Report of the Program: At least once a year, a report on the program needs to be provided to the board or the person given responsibility for the program. The report needs to cover:
the effectiveness of the program for covered accounts
how significant red flags were discovered and what the response to those red flags was
recommendations on how to improve or update the program
A final requirement of the Red Flag Rules is to make sure that all necessary staff/employees are trained such that they are able to effectively address red flag issues.
The Details: FACTA’s Red Flag Rules Requirements & Compliance
There are two types of businesses that need to comply with FACTA’s Red Flag Rules requirements:
Financial Institutions, such as banks
Creditors that have ‘covered accounts’ (the definition of ‘covered accounts’ is discussed below)
Examples of Financial Institutions
State or national banks
State or federal savings and loan associations
Mutual savings banks
State or federal credit unions
A person who, directly or indirectly, holds a transaction account¹ that belongs to a consumer
You are probably well aware of whether or not your business is a financial institution, but how do you know if your business is a creditor? If your business regularly grants credit or defers payments and gives information to or gets information from credit reporting companies, or advances funding that needs to be paid back, your business is probably considered a creditor.
Consult the following chart to see whether or not your business is a creditor:
Examples of Creditors
Any retailer who finances the sale of goods or services
To be clear, a creditor is not defined as a business that simply does not receive payment in full at the time a service is provided. For example, a repairman who sends a bill to customers at the end of the month as opposed to the time of service is not considered a creditor and so does not have to comply with the Red Flag Rules.
If you have determined that your business is either a financial institution or a creditor, you then need to determine whether or not your business has any ‘covered accounts’. If your business does not have any ‘covered accounts’, you do not need to comply with the Red Flag Rules. However, because business models and product/service offerings can change, all financial institutions and creditors need to conduct a periodic risk assessment of whether any new or existing accounts are considered ‘covered’; if covered accounts exist, then the business needs to comply with the Red Flag Rules.
What is a Covered Account?
A covered account is an account that meets either of the following definitions:
An account held by a consumer for personal, family, or household purposes that allows for multiple payments and/or transactions. Examples include:
checking/savings accounts
credit card accounts
mortgage loan accounts
automobile loan accounts
cell phone accounts
margin accounts
utility accounts
An account that poses a reasonably foreseeable financial, operational, compliance, reputation, and/or litigation risk to customers and/or the financial institution/creditor due to identity theft. Unlike the definition given above, these types of accounts are only considered ‘covered’ if the risk of identity theft is reasonably foreseeable. Examples of these accounts include:
small business accounts
sole proprietorship accounts
single transaction consumer accounts
*If your business is neither a financial institution nor a creditor, then you are exempt from FACTA’s Red Flag Rules as they do not apply to you. Additionally, financial institutions and creditors that do not have covered accounts are exempt from FACTA’S Red Flag Rules.*
FACTA’s Red Flag Rules Information Resources
Although most of the details surrounding FACTA’s Red Flag Rules have been covered above, there are some nuances that have not been covered. To learn more about FACTA’s Red Flag Rules in detail, please use the following resources:
¹ A ‘transaction account’ is defined as a deposit or account that its owner(s) use to make withdrawals, payments and/or transfers to third parties and others. Examples of transaction accounts include:
Negotiable orders of withdrawal accounts
Savings deposits that are subject to automatic transfers