Financial institutions and other creditors soon will be under the close eye of the Federal Trade Commission and banking regulators, which are stepping up their scrutiny of how those businesses detect and respond to identity theft.
According to new “Red Flags” rules that went into effect Jan. 1, any organization that handles consumer financial data must not only design and implement policies and procedures that detect possible identity theft, but also must maintain a written policy for how they prevent or mitigate such theft. Covered companies must comply with the new rules by Nov. 1.
The publication of the final rules comes on the heels of a list recently released by the FTC of the top consumer fraud complaints received by the agency last year. For the seventh year in a row, identity theft ranked number one.
The report, “Consumer Fraud and Identity Theft Complaint Data January-December 2007,” shows that of 813,899 total complaints received last year, 32 percent were related to identity theft. Of those complaints, credit card fraud was the most common at 23 percent, followed by utilities fraud at 18 percent, employment fraud at 14 percent, and bank fraud at 13 percent.
Of course, efforts to deter identity theft are not new. A variety of specific statutes and regulations exist that restrict disclosure of certain consumer information, according to Joel Winston, associate director of the Division of Privacy and Identity Protection at the FTC. “In addition, under some circumstances, entities are required to have procedures in place to ensure the security and integrity of sensitive consumer information,” he said in a statement.
The Red Flag rules, for example, were originally mandated by the Fair and Accurate Credit Transaction Act of 2003, which require creditors and financial institutions to “identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft,” according to the rules.
The Red Flag rules additionally state that financial institutions subject to existing Customer Identification Program rules under the Patriot Act may satisfy customer verification procedures by complying with the CIP. But they still must also evaluate whether their policies under the CIP rules adequately address the risks to consumers of identity theft, “because there’s more to it than simply knowing your customer,” says Christopher Wolf of the law firm Proskauer Rose.
The rules define financial institutions in much the same way the Fair Credit Reporting Act does, as entities engaged in banking, insurance, loan brokering, and similar “financial activities.” Creditors, too, are defined loosely as “a person who arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors.”
Ted Dreyer, senior lawyer at Wolters Kluwer Financial Services, says other covered creditors may include “finance companies, automobile dealers that finance their sales, mortgage brokers, even utility companies or telecommunications companies that are concerned about things like the hijacking of cell phone accounts,” he says.
Red Flags Defined
Because the rules encompass a wide range of businesses, the FTC offers a suggested list of 26 red flags to identify but leaves it up to a business’s discretion on which to adopt. “Technically, the rule doesn’t require the adoption of any of them. Although, you’d be foolish not to adopt the ones that make sense in the context of your business,” says Michael Benoit, a partner with law firm Hudson & Cook.
Companies should “look at which red flags are relevant to their activities,” Dreyer says. They might already have some red flags that aren’t all that relevant, or they might find others they should adopt, he says.
And, Benoit says, “Some red flags are going to be more serious than others.” Examples include a fraud alert, credit freeze, or address discrepancy that’s included with a consumer report or provided by a credit-reporting agency.
Other red flags include possibly forged or altered documents—Benoit gives the example of a driver’s license that “looks like it was put together with construction paper and library paste”—or change-of-address alerts quickly followed by requests for new credit or bank cards. “That’s a major red flag that identity theft might be occurring,” Dreyer says.
The Red Flag rules do not require companies to explain why they exclude a particular red flag from the list. But their identity theft prevention program should be “appropriate to the size, complexity, nature, and scope of the company,” says Wolf.
Dreyer says the agencies “should make a good faith attempt to identify all red flags.”
After a merchant or financial institution has identified which red flags to include in its program, the next step is to put in place reasonable policies and procedures to detect red flags. Those protections must apply to both new and existing accounts, and Dreyer warns: “The ways in which you do that for an existing account are very different than what you might do in a new account relationship.”
New accounts, for example, need to verify customer identities; existing accounts must authenticate identities. Authentication requires “another means of making sure the person is who they say they are,” Dreyer says, such as quizzing someone on their own life, asking questions only the customer would know.
A Red Flag program also needs an appropriate response once a red flag is detected. “It may not require any action; it may be a false alarm,” Dreyer says. Or, a company might need to change a password, close an account, or even alert law enforcement to suspicious activity. “There are a lot of responses that might be appropriate, depending on what happened,” Dreyer says.
The final element of a Red Flag program is keeping current with “the evolution of identity theft,” Benoit says. “All of us work to improve our skills and take advantage of new technology. Identity thieves are no different. Their skills and tools improve over time as well. Companies need to keep current with new methods of combating identity theft and adopt those methods as it makes sense.”
Training staff to stay current with theft schemes can be challenging. “I think the important thing to remember here is that you’re not training people on compliance with the rule, per se,” Benoit says. “You’re training your staff how to comply with your specific policies and procedures that you’ve created because of your obligation to comply with the rule.”
As with any new regulations, especially among smaller companies, there are worries about cost.
“It is going to require some expense and attention,” says Benoit. Even without installing new technology, the personnel resources necessary to create, implement, and oversee an identity theft prevention program will cost money, he says.
Others, however, say the bill might not be as expensive as companies fear. In relation to what the rules require, “most modern businesses have those things for other reasons anyway,” Wolf says. Likewise, Dreyer adds: “The extent to which it’s going to be expensive depends upon the extent to which they have systems in place to do these things.”
Experts also hesitate to put a price on the cost of non-compliance. Because FTC penalties vary greatly, the costs will be specific to each case, Dreyer says.
Yet if history teaches Corporate America anything, it’s that being in compliance is wise. Most notorious is the 2006 enforcement action against data broker ChoicePoint, which was hit with $15 million in fines after a massive identity theft there. That case was soon followed by another FTC action against Guidance Software for similar violations.
In each of these cases, “the vulnerabilities were multiple and systemic, and … inexpensive measures were available to prevent them,” the FTC’s Winston said. “The cases stand for the proposition that companies should maintain reasonable and appropriate measures to protect sensitive consumer information.”
The Red Flag rules do not allow for any private legal action, which spares offending companies from some of the headache of litigation from angry plaintiffs. But, Benoit notes, violation of federal rules can themselves be violation of certain state laws that might allow actions from consumers or state attorneys general. “When you add it all up,” he says, “it can be pretty hefty.”