vulnerable to identity theft. 1 Identity theft
broadly includes third-party fraud where a
victim’s identity is used to open an account,
situations where an account is taken over by a
fraudster, and fraudulent transactions on a customer’s account by an unauthorized third party.
This includes scenarios such as fraudulent
paper or electronic applications, compromised
online or mobile banking accounts, forged
checks, and stolen debit or credit cards.
In 2010, the FTC narrowed the definition of
“creditor” to include only entities engaged in the
following activities:
■ Users of consumer reports in connection
with a credit transaction;
■ Furnishers of information to consumer reports in connection with a credit transaction;
and
■ Advance of funds to a person, other than for
incidental services.
This was intended to resolve a dispute with
certain nonbank entities and exclude doctors,
lawyers, and others who do not receive immediate payment for their services. This change had
no impact on coverage for financial institutions, but resulted in a series of delays with FTC
enforcement from 2008 to 2010 and the rule
has yet to see its first enforcement action. Be
prepared. Enforcement is now fully in effect and
compliance back to the 2008 effective date of
the rule may be expected.
In 2013, the Securities and Exchange Commission (SEC) and the Commodity Futures
Trading Commission (CFTC) published their
own version of the rule for investment firms,
which reinforced applicability to investment
services such as brokerage, mutual fund, and
advisory accounts. Regulation S-ID was adopted
as a direct result of Section 1088 of the
Dodd–Frank Wall Street Reform and Consumer
Protection Act. That section directed the SEC
and the CFTC to adopt joint rules requiring
entities that are subject to the commissions’
respective enforcement authorities to address
identity theft. 2 Regulation S-ID has very subtle
differences from the FTC’s original rule and the
FRB’s Regulation V. While the context is identical, the account and product type references in
Regulation S-ID are consistent with investment
offerings. The red flags discussed in this article
are based on the original text of the rule.
The 26 red flag examples in the associated
guidelines fall into the first five categories below:
1. Alerts, notifications, or warnings from a consumer reporting agency;
2. Suspicious documents;
3. Suspicious personal identifying information;
4. Unusual use of, or suspicious activity related
to, the covered account;
5. Notice of possible identity theft from customers, victims of identity theft, law enforcement authorities, or other persons regarding
possible identity theft in connection with
covered accounts held by the financial institution; and
6. Other red flags based on the financial institution’s fraud experience.
Examples are provided in the guidelines for
all but the sixth category. It is up to the bank to
identify and expand upon that category based
on the types of products it offers, its various
points of vulnerability, identity theft experiences, and anticipated fraud schemes.
Many of the red flags may already be requirements for your institution under other FCRA
provisions, and may already be in place through compliance with the
Customer Information Program (CIP) requirements of the USA PATRIOT Act. However, these
should also be referenced in your ITPP.
Here’s a breakdown of the 26 red flag examples,
with more focused discussion on the mandatory
and essential red flags:
Alerts, Notifications or Warnings
from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a
consumer report.
• FACTA §112 mandates detection of these
alerts for users of consumer reports in connection with:
  ■ Opening a new credit plan;
  ■ Extending a credit line increase; and
  ■ Complying with a customer’s request
  and sending an additional card on a
  credit account.
• There are three types of alerts:
  ■ Active duty alert (stays on file for 12
  months);
  ■ Initial alert (stays on file for 90 days); and
  ■ Extended alert (stays on file for seven years).
• Active duty and initial alerts can be cleared
by either contacting the consumer as instructed by the alert, or by taking reasonable steps to verify the consumer’s identity
and ensure that the request was not the
result of identity theft.
• Extended alerts must be cleared only by
contacting the consumer as instructed by
the alert or by contacting the consumer in
person. This will ensure that the request was
not the result of identity theft. Alternatively,
a consumer can contact the consumer reporting agency to remove the alert;
• “User of a consumer report” includes the
use of credit scores generated from information in a consumer report; and
• Financial institutions would also be wise
to build this red flag into their programs
for other/all situations—especially when a
consumer report is being accessed. Fraud
alerts are a sure sign of trouble for consumers at risk for identity theft or those who
are already compromised.
2. A consumer reporting agency provides a notice
of credit freeze in response to a request for a consumer report.
• This is unavoidably required for users of
consumer reports. Consumers need to
contact the consumer reporting agency to
remove the alert in order to proceed with a
credit application or other request.
3. A consumer reporting agency provides a notice
of address discrepancy.
• This is also required for users of consumer
reports by FACTA §315. When the rule was
drafted, change of address was a common
characteristic of fraud schemes, leading to
extra focus on this provision.
[Figure: Regulatory Timeline (2003, 2008, 2010, 2013)]