FTC Red Flag Regulation for Creditors and Financial Institutions

As part of the Fair and Accurate Credit Transactions (FACT) Act of 2003 the Federal Trade Commission (FTC), the National Credit Union Administration (NCUA) and the federal bank regulatory agencies together have initiated the ‘Red Flags Rules’ (regulations) that now requires financial institutions and creditors to implement written identity theft prevention programs.

This program is to help prevent identity fraud by detecting and mitigating any instances of it. These instances, responses, patterns or specific activities that could lead to identity theft are termed ‘Red Flags”. It is an attempt on part of the regulators to make organizations handling vulnerable consumer accounts, keep an eye out for red flags that signal identity theft.

The Red Flags Rules apply to financial institutions and creditors with covered accounts. Under the rules a covered account is an account that involves multiple payments or transaction. Examples of a covered account would be credit card accounts, automobile loans, mortgage loans, margin accounts, telephone bills, utility accounts, checking accounts, and savings accounts. These accounts are typically consumer accounts for personal, family or household purposes. A covered account may also include accounts of small businesses or sole prop accounts as they can also attract the risk of identity theft.

From a creditor’s standpoint it is interesting to note that by merely accepting credit cards as a form of payment does not in and of itself make an entity a creditor. For the purpose of this regulation a creditor is any entity that regularly:
• extends, renews, or continues credit;
• arranges for the extension, renewal, or continuation of credit;
The creditor can also be any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

May 01, 2009 onwards the FTC will start enforcing these regulations. Every creditor and financial institution with ‘covered accounts’ must have in place a written policy to detect, prevent and mitigate the possibility of identity theft in connection with opening, maintaining and operating a covered account.

The current challenge for organizations affected lies in a) identifying their account-specific (covered-account(s)) Red Flags and b) writing a customized ‘Red Flag Program’.
As an example the written program may include things like, unusual account activity, fraud alerts on a consumer report or attempted use of suspicious account application documents. In writing such a program it should simultaneously describe appropriate measures the organization would take to prevent and mitigate anticipated or occurred crime and have provisions to update the program.

The Red Flag Program must be managed by the Board of Directors or senior employees of the financial institution or creditor. It should be inclusive of staff training for Red Flag Program and provide for oversight of any service providers.

This highlights the importance of the credit function in assessing the risk associated with covered accounts and gettting actively involved in developing and implementation of a written identity theft prevention program under the new "Red Flags Rules."

Article contributed by:
Puru Grover MD CreditGuru.com