Are You Ready for the Red Flag Rules?

January 7, 2009

The Red Flag Rules will be effective 5-1-09 (previously 11-1-08), because the Federal Trade Commission allowed an extension for lenders to implement identity theft prevention programs.  The Red Flag Rules require each financial institution and creditor that holds any consumer account, or other account with a reasonably foreseeable risk of identity theft, to set policies and procedures for detecting, preventing, and mitigating identity theft.  The Prevention Program will enable a financial institution or creditor to:

  1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program,
  2. Detect red flags that have been incorporated into the Program,
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft, and
  4. Ensure the Program is updated periodically to reflect changes in risks from identity theft. 

Creditors as defined by the Act include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.  You may go to the Federal Trade Commission’s website, www.ftc.gov, for guidelines to assist in developing and implementing a Program.  A supplement to the Guidelines identifies 26 possible red flags.  These red flags are not a checklist, but rather are examples that financial institutions and creditors may want to use as a starting point.  They fall into five categories:

  • alerts, notifications, or warnings from a consumer reporting agency;
  • suspicious documents;
  • suspicious personally identifying information, such as a suspicious address;
  • unusual use of – or suspicious activity relating to – a covered account; and
  • notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

A brief outline of the law’s requirements includes:

  • You must have a written information security policy
  • You have to have an acceptable use plan (how will you use the above)
  • You need an incident response plan (how you will respond to a breach of information by you or a third-party vendor)
  • The program must be administered by senior management and updated on a regular basis
  • A compliance report must be generated on at least an annual basis
  • You must assure that your relevant vendors are also in compliance
  • Senior management will be held responsible, and
  • The law does allow for the use of a third-party provider who has the ability to facilitate this mandatory compliance issue on your behalf.

This legislation is holding businesses and business owners to a higher standard, as they are entrusted with safeguarding customers’ information.  If they are negligent in that regard, they will face serious consequences under this legislation.

Mortgage Trainers of North America is offering a service to help you develop your Prevention Program.  Email linda@mtgtna.com if you would like further information or assistance.

To test your knowledge of ID theft, try this website: http://www.onguardonline.gov/games/id-theft-faceoff.aspx. This FTC website has lots of useful information, with ways to train your staff and ensure you understand identity theft issues.