• This is required for credit and debit card
issuers who must look back 30 days and
verify the address change before sending
the card (FRB Reg. V, §222.91); and
• The requirement can be met by enhanced
customer verification at the time of the
request, verification of all address changes,
sending a notification letter to the former
address, or communicating by other (clear
and conspicuous) written or electronic
means as previously agreed to with the customer (prior to sending the card).
20. A new revolving credit account is used in a
manner commonly associated with known patterns of fraud.
For example:
• The majority of available credit is used for
cash advances or merchandise that is easily
convertible to cash (e.g., electronics equipment or jewelry); or
• The customer fails to make the first payment
or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is
not consistent with established patterns of activity
on the account.
There is, for example:
• Nonpayment when there is no history of late
or missed payments;
• A material increase in the use of available
credit;
• A material change in purchasing or spending
patterns;
• A material change in electronic fund transfer
patterns in connection with a deposit account; or
• A material change in telephone call patterns
in connection with a cellular phone account.
22. A covered account that has been inactive
for a reasonably lengthy period of time is used
(taking into consideration the type of account,
the expected pattern of usage, and other relevant
factors).
23. Mail sent to the customer is repeatedly returned as undeliverable, although transactions
continue to be conducted in connection with the
customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in
connection with a customer’s covered account.
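Red flags 20 through 23 above are behavioural heuristics rather than notifications, so they can be scored automatically against account data. The following is an added example, not code from the guidance or from any institution's program: it encodes those four red flags as rules over constructed account records. Every threshold in it (the 90-day "new account" window, half of the credit limit spent on cash-like categories, a 3x spend spike, 365 days of dormancy, two returned mailings) and the set of cash-convertible merchant categories are assumptions an institution would replace with figures from its own risk assessment. Red flags 24 and 25 are notification-driven and are deliberately not modelled.

```python
"""Rule-based scoring of Red Flags 20-23 over constructed account data.

All thresholds and category names are assumptions for illustration; they are
not figures from the Red Flags Rule or its guidelines.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: merchant categories treated as "easily convertible to cash".
CASH_LIKE = {"cash_advance", "electronics", "jewelry"}


@dataclass
class Txn:
    day: date
    amount: float
    category: str


@dataclass
class Account:
    kind: str                      # "revolving" or "deposit"
    opened: date
    credit_limit: float            # 0 for deposit accounts
    txns: list                     # list of Txn, any order
    cycles_billed: int             # billing cycles that have come due
    payments_made: int             # payments received across those cycles
    prior_late_payments: int       # late/missed payments before the current cycle
    mail_returned: int             # consecutive mailings returned undeliverable
    baseline_monthly_spend: float  # established spend from the account's history


def _recent(acct, today, days):
    """Transactions dated within the last `days` days (inclusive of today)."""
    return [t for t in acct.txns if 0 <= (today - t.day).days < days]


def flag_20(acct, today, new_days=90, cash_share=0.5):
    """Red flag 20: new revolving account used in a known fraud pattern
    (cash-like spend against most of the limit, or no/only-first payment)."""
    if acct.kind != "revolving" or (today - acct.opened).days > new_days:
        return False
    cash_like = sum(t.amount for t in acct.txns if t.category in CASH_LIKE)
    heavy_cash = acct.credit_limit > 0 and cash_like >= cash_share * acct.credit_limit
    no_first_payment = acct.cycles_billed >= 1 and acct.payments_made == 0
    first_payment_only = acct.cycles_billed >= 3 and acct.payments_made == 1
    return heavy_cash or no_first_payment or first_payment_only


def flag_21(acct, today, window=30, spike=3.0, established_days=365):
    """Red flag 21: activity inconsistent with the established pattern:
    a missed payment with no late history, or a material spend jump."""
    if (today - acct.opened).days < established_days:
        return False  # no established pattern yet; flag 20 covers new accounts
    missed_now = (acct.payments_made < acct.cycles_billed
                  and acct.prior_late_payments == 0)
    recent_spend = sum(t.amount for t in _recent(acct, today, window))
    spend_spike = (acct.baseline_monthly_spend > 0
                   and recent_spend >= spike * acct.baseline_monthly_spend)
    return missed_now or spend_spike


def flag_22(acct, today, dormant_days=365, window=30):
    """Red flag 22: long-inactive account suddenly used. The gap between the
    latest transaction and the one before it must exceed the dormancy threshold."""
    txns = sorted(acct.txns, key=lambda t: t.day)
    if len(txns) < 2 or (today - txns[-1].day).days >= window:
        return False
    return (txns[-1].day - txns[-2].day).days >= dormant_days


def flag_23(acct, today, returns=2, window=30):
    """Red flag 23: mail repeatedly undeliverable while transactions continue."""
    return acct.mail_returned >= returns and bool(_recent(acct, today, window))


def evaluate(acct, today):
    """Return the numbers of the red flags (20-23) this account trips."""
    checks = {20: flag_20, 21: flag_21, 22: flag_22, 23: flag_23}
    return [n for n, f in checks.items() if f(acct, today)]


# Constructed sample accounts (not real data).
TODAY = date(2024, 6, 1)

BUST_OUT = Account(  # new card, limit drained on cash-like purchases
    kind="revolving", opened=TODAY - timedelta(days=20), credit_limit=5000,
    txns=[Txn(TODAY - timedelta(days=15), 2000, "cash_advance"),
          Txn(TODAY - timedelta(days=10), 1200, "electronics")],
    cycles_billed=0, payments_made=0, prior_late_payments=0,
    mail_returned=0, baseline_monthly_spend=0)

DORMANT_TAKEOVER = Account(  # dormant deposit account, mail bouncing, big EFT
    kind="deposit", opened=date(2015, 3, 1), credit_limit=0,
    txns=[Txn(date(2021, 4, 2), 60, "grocery"),
          Txn(TODAY - timedelta(days=3), 900, "electronics")],
    cycles_billed=0, payments_made=0, prior_late_payments=0,
    mail_returned=3, baseline_monthly_spend=50)

CLEAN = Account(  # established, paid on time, spending within baseline
    kind="revolving", opened=date(2018, 1, 1), credit_limit=5000,
    txns=[Txn(TODAY - timedelta(days=d), 80, "grocery") for d in (5, 12, 20)],
    cycles_billed=70, payments_made=70, prior_late_payments=0,
    mail_returned=0, baseline_monthly_spend=250)

if __name__ == "__main__":
    for name, acct in (("bust-out", BUST_OUT),
                       ("dormant takeover", DORMANT_TAKEOVER),
                       ("clean", CLEAN)):
        print(name, evaluate(acct, TODAY))
```

Note that the dormant account trips red flag 21 as well as 22 and 23: a 900 transfer against a 50 baseline is a material change in electronic fund transfer patterns on a deposit account, which is exactly the overlap between flags the risk assessment should document rather than suppress.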
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a
law enforcement authority, or any person that
it has opened a fraudulent account for a person
engaged in identity theft.
This is essentially required given other regulatory requirements such as:
■ Subpoena and USA PATRIOT Act requirements; and
■ FACTA Title I, Subtitle B—Protection and Restoration of Identity Theft Victim Credit History, which
• Includes FCRA Section 605B: Block of Information Resulting from Identity Theft;
• Includes FCRA Section 623(a)(6): Duties of Furnishers Upon Notice of Identity Theft-Related Information; and
• Includes several requirements related to identity theft victims' rights, cooperation with law enforcement, prevention of credit report repollution, and limits on debt collection.
Especially when assessing this red flag, ensure that controls are in place for these related requirements.
Other Red Flags Based on the Financial Institution's Fraud Experience
Keep going in your pursuit of red flags! The 26
red flags from the guidance are merely examples and identification of additional red flags is
required. These should be based on your financial institution’s experiences with identity theft,
industry threats, current technologies, and any
future supervisory guidance. Be sure to review
your bank’s controls and compare with known
identity theft incidents to see if these are appropriately aligned. Like many laws, this rule is
quickly becoming outdated from a technology
perspective, but the principles still hold true.
The Risk Assessment
The Red Flags Rule requires institutions to conduct a periodic risk assessment to determine if
they have covered accounts and to assess each
of the red flags in the guidelines. For red flags
that are deemed not applicable or proven to be
ineffective, the risk assessment should provide a
reasonable justification including any supporting
analysis. For example, red flags 1 through 4 only
apply to users of consumer reports, red flag 19 is
only required for card issuers, and red flag 20 is
for revolving credit accounts. The risk assessment
must also encapsulate relevant service providers.
Specific requirements are discussed further on.
Step 1: Identify your covered accounts
■ Consumer accounts designed to permit multiple payments or transactions (e.g., credit card, cell phone, utility, checking, and savings); and
■ Accounts where there is a reasonably foreseeable risk to customers (including business accounts) or to the safety and soundness of the financial institution or creditor.
When rationalizing whether or not there is a
reasonably foreseeable risk of identity theft, the
rule requires an assessment of all accounts, considering their financial, operational, compliance,
reputational, and litigation risks.
Step 2: Using the 26 red flag examples, identify relevant red flags considering:
■ The types of accounts offered;
■ The methods to open an account;
■ The methods to access an account;
■ Previous experience with identity theft;
■ Service provider arrangements; and
■ Data breaches.
Checkpoints
■ Contemplate and cross-reference all points of vulnerability (in person, ATM, mobile, online, mail, phone, wires, etc.) and service providers (third-party providers);
■ Prepare and assess control documentation for each red flag and be prepared to explain to