Navigating complicated rules on consumer identity-theft protection procedures
By Mary Thorson
When it comes to identity-theft consumer compliance, community banks must see red—red flags, that is. Identity theft is growing, and in 2014 it topped the list of complaints filed with the Federal Trade Commission for the second year in a row, with 13 percent of total complaints.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA or FACT Act) amended the Fair Credit Reporting Act (FCRA) to include seven major titles dedicated to the protection of consumer information and identity-theft prevention. Title I–Identity Theft Prevention and Credit History Restoration of FACTA is primarily directed at preventing identity theft and directs financial institutions and creditors to detect and address identity theft or possible identity theft. Bankers know it as the Red Flags Rule.
Financial institutions that offer or maintain covered accounts must comply with the Red Flags Rule. The rule adopts FCRA’s definition of “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or a person who, directly or indirectly, holds a transaction account belonging to a consumer.
Two categories of accounts are covered:
- A consumer account offered to customers primarily for personal, family or household purposes that involves or permits multiple payments or transactions.
- Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
Red Flags Rule compliance
Banks must implement identity-theft compliance programs, train staff and report compliance activities to their boards of directors or their boards’ designated representatives. All activities of the identity-theft compliance program should be documented. The program must include provisions to comply with the rule in four categories.
1. Identify Red Flags. Find patterns, practices and activities specific to the organization, its products and its activities that signal possible identity theft:
Risk assessment. What is the risk of identity theft across the bank’s deposit and credit accounts, consumer and business accounts, and the activities to open, maintain and close accounts?
Sources of red flags. Consider the bank’s experiences with identity theft, relevant identity-theft methods in the financial industry, and changes in criminal methods.
Categories of red flags. Supplement A to the Red Flags Rule lists specific categories of warning signs to consider, including, but not limited to:
- Alerts, notifications and warnings from credit reporting companies;
- Suspicious documents;
- Personal identifying information inconsistencies or omissions;
- Account activity and patterns; and
- Notifications from other sources, such as law enforcement.
2. Detect Red Flags. Once a bank has identified where red flag activity could arise, it must describe and implement internal controls and procedures to detect that activity in every circumstance where it may occur, in both new and existing accounts.
3. Prevent and Mitigate Identity Theft. When red flags do occur, a bank must be prepared to measure the degree of risk that is posed and make an appropriate response. Depending on the type and frequency of activity, a bank’s response might include one or more of the examples provided in the rule, including:
- Monitor the account for identity theft activity;
- Contact the customer;
- Change passwords, security codes or other ways to access a covered account;
- Close an existing account;
- Reopen an account with a new account number;
- Refuse to open a new account;
- Cease action to collect on an account or sell an account to a debt collector;
- Notify law enforcement; and
- Determine that no response is warranted under the particular circumstances.
4. Maintain and Update the Program. Banks need to remain nimble to respond to changes in internal operations, technology and identity-theft criminal activity. Periodic reviews of identity-theft compliance programs are required. To determine their frequency, consider factors such as any identity-theft incidents that have occurred, trends in criminal activities, new resources for identity-theft detection and mitigation, and internal and external changes to the organization.
Use of third-party services for operational efficiency, cost effectiveness or access to specific skill sets is on the rise. Is a bank responsible for Red Flags identity-theft compliance for its service providers?
Yes. Third-party vendor management should include steps to ensure that any service provider performing an activity in connection with covered accounts either has its own identity-theft compliance program consistent with the rule or follows the portions of the bank's identity-theft compliance program relevant to those covered accounts.
Given the preponderance of electronically available information and the growth of identity theft across all financial products and services, community banks must be vigilant to implement and execute a meaningful identity-theft compliance program. Anything less could have you seeing red.
Mary Thorson, a former Federal Reserve managing examiner and compliance consultant, is a financial writer in Virginia.