Recall that the Federal Trade Commission became very concerned about identity theft in the early 2000s. The Furnisher Rule, which I discussed last week, was one of the byproducts of this concern. Another byproduct was the adoption by the FTC of the Red Flags Rule, based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The CFPB inherited enforcement of this Rule under the Dodd-Frank Act.
The Red Flags Rule, also known as Regulation V and now enforced by the Bureau, requires that we implement a written identity theft (“ID theft”) prevention program designed to detect the red flags of ID theft in the day-to-day operation of the business. Such a program should have four basic components:
- identify likely business-specific ID theft red flags;
- create a procedure to detect red flags in the day-to-day operation of your business;
- act to prevent and mitigate potential harm when red flags are detected;
- maintain and update a red flags ID theft program that includes educating your CSRs.
The term “red flags” includes (i) alerts, notifications or warnings from a consumer reporting agency, law enforcement or directly from the consumer, (ii) suspicious documents or addresses, (iii) suspicious personal identifying information, and (iv) suspicious activity relating to a customer's account. In summary, a red flag is any potential pattern, practice or activity indicating the possibility of ID theft.
So, the Rule requires that creditors develop, implement and administer an ID theft program. The first step in compliance is to identify the potential sources of ID theft related to your business model. Step two is to prevent or mitigate the potential for harm from such theft. And the third step is to continuously update and administer an ID theft program. Importantly, the Rule requires that each company adopt and maintain a Red Flags Program commensurate with the size and complexity of the business. So, not all consumer finance red flags programs will look alike.
The reason that I write today about the Red Flags Rule in this Back-to-Basics Series is really the fourth bullet point above. In the words of the FTC:
“The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics, and requires periodic updates to your program. Factor in your own experience with identity theft; changes in how identity thieves operate; new methods to detect, prevent, and mitigate identity theft; changes in the accounts you offer; and changes in your business, like mergers, acquisitions, alliances, joint ventures, and arrangements with service providers.”
Practice Pointer: If you haven't reviewed your Red Flags Policy in recent years, it is time to dust it off and take a look at it. Determine if it is still effective in addressing the risk of ID theft, including whether you are monitoring the practices of those in your company who are responsible for Red Flags compliance.