in 20 03, Congress passed the Fair and Accurate Credit Transaction Act (FACTA) as an amendment to the Fair Credit Reporting Act
(FCRA). FACTA (Section 114) mandated the federal banking agencies and
commissions to establish what is commonly referred to as the Red Flags
Rule, which was implemented in 2008. The Federal Reserve Bank (FRB) has
since promulgated it as part of Regulation V. The rule is both a consumer
protection and a safety and soundness regulation based on the concept of
using red flags to detect and prevent identity theft. Along with continual
identification and integration of the institution’s experiences with identity
theft, banks are expected to develop and implement a written Identity
Theft Prevention Program (ITPP) utilizing the 26 red flag examples listed
in the Interagency Guidelines on Identity Theft Detection, Prevention, and
Mitigation (Appendix J of Regulation V).
With identity theft as a growing area of regulatory focus, it’s important to
take a closer look at your program. Is it sitting on a shelf collecting dust, or is
it hard at work protecting both consumers and your institution’s safety and
soundness? To have a fully compliant and robust program, you must be continually aware of current developments with identity theft and have a full understanding of the rule. Your bank’s program should adapt to experiences with
identity theft and perpetually re-evaluate alignment with the rule to enhance
the program and minimize this threat to both consumers and your institution.
With identity theft as a growing area
of regulatory focus, it’s important to
take a closer look at your program.
Red Flag Basics
The Red Flags Rule covers any financial institution or creditor, including banks, investment
firms, loan companies, auto dealers, telecommunication providers, utilities, or other entities
with “covered accounts.” An account is considered covered when it is designed to permit multiple payments or transactions or where there
is a foreseeable risk of identity theft. This may
include credit cards, deposits, trading accounts,
margin accounts, automobile loans, mortgages,
mobile phone accounts, utilities, and, in some
cases, business accounts. Business accounts are
“accounts” if they establish a continuing relationship between a person and a financial institution or creditor to obtain a product or service
for business purposes. The FCRA definition of
a person, found at 15 U.S.C. §1681a(b), is not
limited to individuals. Each financial institution
or creditor must determine if any of its business
accounts present a reasonably foreseeable risk
of identity theft under the definition of a “
covered account.” According to the Federal Trade
Commission, the accounts of small businesses
or sole proprietorships may be particularly
Complying
With the Red
Flags Rule
