ANTI-MONEY LAUNDERING REGULATION COMPLIANCE
Table of Contents
I. In a Nutshell: FACTA’s Red Flag Rules
II. Why do FACTA's Red Flag Rules?
III. The Details: FACTA's Red Flag Rules Requirements & Compliance
IV. How do FACTA's Red Flag Rules affect your business?
V. FACTA's Red Flag Rules Information Resources
The Fair and Accurate Credit Transactions Act of 2003, or FACTA, is an amendment to the Fair Credit Reporting Act (FCRA) and became a federal law when passed by Congress on November 22, 2003. The Identity Theft Red Flags and Address Discrepancies Rules, or ‘Red Flags Rules’, were published on November 9, 2007 by the National Credit Union Administration and the Federal Trade Commission and went into effect on January 1, 2008. Although compliance was initially required by November 1, 2008, confusion over certain aspects of the rules led to the publication of the ‘Red Flag Program Clarification Act of 2010’ and pushed the compliance deadline to December 31, 2010.
FCRA regulates the collection, use, and release of consumer credit information in credit reports by consumer reporting agencies.
FACTA provides consumers with identity theft protection via the regulation of consumer information privacy and accuracy.
The Identity Theft Red Flags and Address Discrepancies Rules allowed for the effective implementation of Section 114 of FACTA by clarifying rules and guidelines. These ‘Red Flags Rules’ stipulate that financial institutions, such as banks, and creditors, such as car dealerships, are required to implement an “Identity Theft Prevention Program” that has reasonable policies and procedures for detecting, preventing, and mitigating identity theft. In addition, these rules provide the regulations for processing a customer’s change of address.
Although it may seem like a much more recent phenomenon, identity theft is a rapidly growing epidemic that legislation has been trying to cure for nearly two decades.
A core problem with identity theft is its attractiveness to criminals: gaining access to a victim’s identity information can open many avenues with which to easily defraud businesses and other entities out of thousands of dollars.
Using personal identity information that only the victim should know, criminals can convincingly pose as the victim in order to:
Unnervingly, identity theft and attempts to use false/stolen identities to conduct fraudulent transactions are poised to escalate thanks to the exponential rise in the number of data breaches – the collection of identity information by those unauthorized to do so.
As mentioned above, the ability to apply identity information to conduct a variety of different fraudulent activities renders identity information as valuable currency for criminals. Conducting a data breach and amassing hundreds, thousands, and possibly millions, of people’s identity information, can be quite the lucrative payday for enterprising criminals.
And unfortunately, cybersecurity - although able to react quickly to the ever-changing environment - struggles to keep pace with the innovation of the global data hacking industry. As soon as a vulnerability that can cause a data breach is fixed, criminals either find or make a new one.
Instead of waiting for cybersecurity technology to address the main issue of data breaches – identity information taken and used by criminals – legislators implemented the ‘Red Flags Rules’ within FACTA.
The theory is that by requiring financial institutions, such as banks, and creditor entities, such as car dealerships, to have an identity theft prevention program in place to make sure customers are who they say they are while conducting certain types of transactions, identity theft and its financial consequences can be prevented.
In essence, these Red Flag Rules are designed to protect financial institutions and creditor entities as well as consumers by having a two-fold purpose:
Of course, it is in financial institutions’ and creditors’ best interests to have some type of identity theft prevention program in place, even in the absence of legislation, as protection from being defrauded by criminals. After all, why wouldn’t your business have an interest in being on the lookout for signs that a criminal is attempting to use someone else’s information to anonymously get products and services from your business without paying for them?
To be clear, the purpose of FACTA’s Red Flag Rules is to provide directions for developing, implementing, and administering a written identity theft prevention program.
There are 4 main requirements that need to be met in order to have an identity theft prevention program that is in compliance with FACTA’s Red Flag Rules:
The elements that comprise the 4 requirements listed above are expanded upon below.
A ‘red flag’ describes any activity or repeated activities/patterns that are suspicious and indicate the possibility of identity theft. To be clear, because each business has distinct operations and activities, a ‘red flag’ action taken by a customer at one business may not be considered a ‘red flag’ activity by another business.
To determine what constitutes a ‘red flag’ for your business, you should consider:
The following is a list of examples of red flags; for a more comprehensive list of examples, please consult Supplement A:
Developing and implementing an effective detection system for ‘red flags’ is the key to running a successful identity theft prevention program. For example, if you regularly check I.D.s for certain transactions, an I.D. that looks fake would be considered a ‘red flag’ for your business, and so, having the procedures in place to detect any potential fake, forged, or altered forms of identification is absolutely fundamental.
Thankfully, the Red Flags Rules give businesses the flexibility to define and address red flags in a way that is appropriate for their particular business dealings and level of exposure to risk. Because the rules set out only broad requirements, businesses have a lot of leeway in setting up a program that is customized for their particular needs. Since there is no list of specific instructions, how do businesses know how to detect these red flags?
For each red flag identified, a business then needs to have a system put in place to actually detect these red flags when they occur. The following lists the very broad requirements for detecting red flags:
Once a potential red flag is detected, human intervention is needed to gauge what the appropriate response should be in order to prevent identity theft from occurring. The appropriate response should be based on:
If a potential red flag is subsequently identified as an occurrence of fraud, the next step for a financial institution or creditor would be to mitigate the potential consequences of that red flag. Appropriate responses include:
In a handful of cases, a ‘false positive’ of a red flag may occur, which means that not responding to the red flag would be considered the most appropriate course of action. A false positive would be the presence of a red flag activity that does not have the risk of identity theft. For example, a data entry error that raises a red flag does not carry the risk of identity theft. In situations such as these, no response would likely be the most appropriate method of compliance.
If a red flag is detected yet it is unclear whether or not ‘no response’ is the most appropriate course of action, the customer must be notified.
A requirement of the Red Flag Rules is to periodically review and update your program to make sure that there aren’t any changes to what would be considered a ‘red flag’ due to changes in/with:
Once you have developed an identity theft prevention program, you need to take the following steps in order to comply with how the program needs to be administered under Red Flag Rules:
A final requirement of the Red Flag Rules is to make sure that all necessary staff/employees are trained such that they are able to effectively address red flag issues.
There are two types of businesses that need to comply with FACTA’s Red Flag Rules requirements:
You are probably well aware of whether or not your business is a financial institution, but how do you know if your business is a creditor? If your business regularly grants credit or defers payments and gives/gets information from credit reporting companies or advances funding that needs to be paid back, your business is probably considered a creditor.
To be clear, a creditor is not defined as a business that simply does not receive payment in full at the time a service is provided. For example, a repairman who sends a bill to customers at the end of the month as opposed to the time of service is not considered a creditor and so does not have to comply with the Red Flag Rules.
If you have determined that your business is either a financial institution or a creditor, you then need to determine whether or not your business has any ‘covered accounts’. If your business does not have any ‘covered accounts’, you do not need to comply with the Red Flag Rules. However, because business models and product/service offerings can change, all financial institutions and creditors need to conduct a periodic risk assessment on whether or not any new and existing accounts are considered ‘covered’ – if covered accounts exist, then the business needs to comply with the Red Flag Rules.
A covered account is an account that meets either of the following definitions:
*If your business is neither a financial institution nor a creditor, then you are exempt from FACTA’s Red Flag Rules as they do not apply to you. Additionally, financial institutions and creditors that do not have covered accounts are exempt from FACTA’s Red Flag Rules.*
Although most of the details surrounding FACTA’s Red Flag Rules have been covered above, there are some nuances that have not been covered. To learn more about FACTA’s Red Flag Rules in detail, please use the following resources:
1 A ‘transaction account’ is defined as a deposit or account that its owner(s) use to make withdrawals, payments and/or transfers to third parties and others. Examples of transaction accounts include:
FraudFighter by UVeritech. Copyright 2023.
All Rights Reserved