Thursday, October 23, 2008

FTC gives enforcement delay

The Federal Trade Commission has delayed enforcement of the Red Flags Rule until May 1, 2009, to give businesses under its jurisdiction additional time to develop and implement written identity theft prevention programs. This does not affect other agencies’ enforcement of the November 1, 2008 deadline for institutions subject to their oversight to be in compliance. The federal banking agencies (the OCC, OTS, FDIC, Federal Reserve and NCUA) have not issued anything similar.

Institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts such as finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. The FTC believed that many of these entities were not aware that they would be covered by the requirements so they were given an extension.

One effect that this might have on depository institutions is that some of your service providers may fall into the FTC-regulated group, particularly if you purchase loans originated by these other types of entities. Unless and until the federal banking agencies issue additional guidance, however, the existing requirements remain in effect.

Monday, September 22, 2008

Do the red flag regs apply to denied applications?

No. The FACT Act red flag regulations apply only to "covered accounts."

Under the law, an "account" means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.

The term "covered account" means (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, savings account, etc.; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers/members or to the safety and soundness of the financial institution or creditor from identity theft.

Since an application that is denied does not result in a continuing relationship, it is not subject to your ID theft prevention program. However, any time you are handling personal information you must ensure the safety of that information to avoid identity theft issues.

Wednesday, September 10, 2008

ID Theft Risk Assessment Worksheets

The ID Theft Program Risk Assessment Worksheet in the PRINGLE Compliance Program and ID (Red Flags) Theft Toolkit builds on the Customer Identification Program risk assessment in the Bank Secrecy Act, Customer Identification Program (“CIP”), and OFAC Policy. This Worksheet does have a final column for quantifying the risk for various types of accounts based on how the account can be accessed and funds transferred as well as the sorts of limitations placed on access and on funds transfers. Because quantifying these risks with a dollar amount, or even a range of dollar amounts, can be difficult, we have encouraged the use of “high”, “moderate”, and “low” in this column; this is comparable to the risk levels designated for CIP purposes. This also allows the risk assessment to be completed more quickly at this time and readdressed, if necessary, when the ID Theft Program is reviewed and updated annually.

Monday, September 8, 2008

Fraud Alerts Can Help Prevent Further Damage

Your institution may be one of the first places your customer or member contacts if victimized by an identity thief. While you will certainly need to take steps internally and apply your Identity Theft Prevention Program, you may also want to encourage your customer or member to place a fraud alert on their credit reports. Fraud alerts can help prevent an identity thief from opening any more accounts in the name of your customer or member. Our Identity Theft Brochure provides some very useful consumer information on how to place a fraud alert, including the telephone numbers of the three consumer reporting companies, among other things. Once identification is stolen, time is of the essence as identity thieves can cause a significant amount of damage in a very short period of time.

Tuesday, September 2, 2008

What is the Regulation on Card Issuers?

This is a separate regulation that applies to issuers of debit or credit cards.

  • Card issuers need policies and procedures to assess the validity of a change of address if they receive notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (at least the first 30 days after notification), they receive a request for an additional or replacement card for the same account;
  • The institution may not issue an additional or replacement card until it assesses the validity of the change of address; and
  • The regulation specifically allows use of policies and procedures established for compliance with the Red Flag rules.

Although getting a change of address followed closely by a request for an additional or replacement card on the account is one of the 26 illustrative examples in the Red Flags regulation, it is also covered by this regulation. You should make sure that your policy covers both sets of requirements.
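The address-change-then-card-request check described above, written out as a small detection routine over an account event stream. This is an added illustration, not code from the original post or from any toolkit it mentions; the event format, the account numbers and the 30-day window as a configurable value are assumptions, and the events are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample events (not from the original post): (account_id, date, event_type).
SAMPLE_EVENTS = [
    ("A-1001", date(2008, 9, 2), "address_change"),
    ("A-1001", date(2008, 9, 20), "card_request"),    # 18 days after change: hold the card
    ("A-2002", date(2008, 8, 1), "address_change"),
    ("A-2002", date(2008, 9, 15), "card_request"),    # 45 days after change: outside window
    ("A-3003", date(2008, 9, 5), "card_request"),     # no prior address change on file
    ("A-4004", date(2008, 9, 10), "card_request"),
    ("A-4004", date(2008, 9, 11), "address_change"),  # change came after the request
]

# The rule names 30 days as the minimum look-back period; an institution may use a longer one.
WINDOW = timedelta(days=30)


def card_requests_requiring_validation(events, window=WINDOW):
    """Return {account_id: (address_change_date, card_request_date)} for every card
    request that follows a change of address on the same account within `window`.
    Issuance for these accounts must be held until the address change is validated."""
    last_change = {}   # most recent address change seen per account
    flagged = {}
    for account, when, kind in sorted(events, key=lambda e: e[1]):
        if kind == "address_change":
            last_change[account] = when
        elif kind == "card_request":
            changed = last_change.get(account)
            if changed is not None and timedelta(0) <= when - changed <= window:
                flagged[account] = (changed, when)
    return flagged


def may_issue_card(account, events, validated_accounts=frozenset()):
    """Issue only when the account is not flagged, or its address change has been validated
    (e.g. by contacting the customer at the previous address or phone number on file)."""
    flagged = card_requests_requiring_validation(events)
    return account not in flagged or account in validated_accounts
```

The same routine serves as a check for the corresponding Red Flags example, since both rules turn on the same two events occurring close together on one account.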

Wednesday, August 27, 2008

Assigning Responsibility for ID Theft Program

Like the assignment of other areas of compliance responsibility, the designation of the person or persons assigned with the responsibility of implementing your institution’s identity theft program should be carefully considered. Your compliance organization chart should already include several individuals with skill sets and dedication to detail and timely performance. Because there are so many areas to cover, grouping areas of responsibility by related topics and expertise and experience makes sense. Many institutions have determined that grouping this area of responsibility with information security works efficiently and that the person or committee assigned to be the information security officer is well prepared to also be responsible for the implementation of the identity theft program. However, the rule requires that your program “involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, and administration of the program...” Also, remember that the Board of Directors or an appropriate committee of the Board must specifically designate that person or persons. That designation is included in the identity theft program found in the Red Flags for Identity Theft Toolkit and in the PRINGLE Compliance Program.

Tuesday, August 19, 2008

Aggravating factors

You are supposed to respond "appropriately" to detected red flags to prevent and mitigate the risk of identity theft. In order to do that, you need to have determined whether the Red Flags that you detected pose a risk of identity theft. Your Program’s policies and procedures must provide for determining the appropriate responses to the Red Flags that have been detected, and those responses should be in line with the degree of risk posed.

In determining an appropriate response, you need to consider any aggravating factors that may heighten the risk of identity theft. Some examples of aggravating factors mentioned in the regulations are:

  • a data security breach that results in unauthorized access to account records at your financial institution;
  • notice that your customer or member has provided their account information to someone fraudulently claiming to represent your financial institution; or
  • notice that they have provided information to a fraudulent website in a phishing scam.

Obviously, if one of those things has occurred, it suggests that there is an intent to use the information. You should mention aggravating factors in your program when discussing responses.