“Red Flag Rules”
• What are the Red Flag Rules?
• Who do they apply to?
• When are they effective?
• How do you comply?
Regulations requiring “financial institutions” and
“creditors” with “covered accounts” to develop and
implement written identity theft prevention programs, as
part of the Fair and Accurate Credit Transactions (FACT)
Act of 2003.
i.e. An identity theft prevention program to fight fraud.
“Financial Institution” – A state or national bank, a state or federal
savings and loan association, a mutual savings bank, a state or federal
credit union, or any other person that, directly or indirectly, holds a
transaction account that belongs to a consumer.
“Creditor” – Businesses or organizations that regularly defer payment
for goods or services or provide goods and services and bill consumers
later. ALSO includes one who “regularly” grants loans, arranges for
loans or the extension of credit, or makes credit decisions.
BOTTOM LINE: Mortgage Brokers are considered creditors!
If you are a creditor or financial institution, do you
have “covered loans”?
Two categories:
• Consumer account that is primarily for personal, family, or
household purposes that involves or is designated to
permit multiple payments or transactions.
• Any other account for which there is a reasonably
foreseeable risk of identity theft, including financial,
operational, compliance, reputation, or litigation risks.
BOTTOM LINE: Mortgage Loans are “covered loans”
Effective January 1, 2008
But...
For entities regulated by the FTC,
enforcement has been postponed until
November 1, 2009.
Step 1: Identify the red flags
Identify the red flags of identity theft you’re likely to come across
in your business.
Step 2: Detect red flags
Set up procedures to detect those red flags in your day-to-day
operations.
Step 3: Prevent and mitigate identity theft
If you spot red flags – respond appropriately to mitigate
damages
Step 4: Update your program
Risks and your business change – so should your program!
26 RED FLAGS
Alerts, notifications, or warnings from a consumer reporting agency
• A fraud alert included with a consumer report
• A notice of a credit freeze in response to a consumer report
• A consumer reporting agency providing a notice of address discrepancy
• Unusual credit activity – increased number of accounts, inquiries, or accounts closed for cause
Suspicious documents
• Documents provided for identification appear to be forged
• An inconsistent photograph or physical description on the document provided for identification
• Information on account is inconsistent with other information provided by person opening the account
• Signature on identification does not match signature on file
• The application appears to be altered or forged
Suspicious personal identifying information
• The information on the identification does not match other external sources of information – consumer report, social security records
• Lack of correlation between the social security number range and date of birth
• Personal identification information associated with fraudulent activity on file (address, phone number, etc.)
• Suspicious personal information – an address associated with a drop box or a prison
• The social security number matches that of another client
• An address or phone number that matches a large number of other applicants
• The customer fails to provide all requested information on the application or is unable to complete an incomplete application
• Personal identification information is not consistent with information already on hand
• A customer is unable to answer challenge questions
Unusual use of, or suspicious activity related to the account
• A request for a new account is made shortly after a change of address
• Most available credit is used for the purchase of jewelry, electronics, or cash advances
• Drastic change in payment patterns or use of available credit
• An inactive account shows an unusual amount of activity
• Despite an active account, mail sent to the customer’s address is repeatedly returned undeliverable
• A creditor is notified that the customer is not receiving their paper statements
• A creditor is notified of unauthorized changes on an account
Notice from consumer or law enforcement regarding possible identity theft
• A creditor is notified that it has opened a fraudulent account for a person engaged in identity theft
Step 2: Detect the red flags
NEW ACCOUNTS:
• Get name, address, and social security numbers
• Check multiple government issued IDs
• Verify information against credit report
• Check SSN Death Master File
• Ask challenge questions
EXISTING ACCOUNTS:
• Develop reasonable procedures to authenticate customer information – challenge questions or third party software providers
Step 3: Prevent and mitigate identity theft
Examples of appropriate responses:
• Monitoring the account for fraudulent activity
• Contacting the customer
• Changing passwords, security codes, or other ways to access accounts
• Closing an existing account
• Reopening an existing account with a different number
• Not opening an account
• Not trying to collect on an account or sell an account to a debt collector
• Notifying law enforcement
• Do nothing! Determine that no response is warranted
Step 4: Update the program
• Keep up with new technologies and new fraudulent schemes
• Changes to your business may necessitate changes to your program
• Take into account your personal experiences with identity theft
Administering your program
• Board of Directors, appropriate committee of the Board, or senior management must approve the initial written program
• Appoint a responsible party to oversee, develop, and implement the program
• Verify the responsible party has had appropriate training
Quick FAQs
Where can I find the red flag rules?
The Red Flags Rule is on the FTC’s website: www.ftc.gov/redflagsrule or
www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. The text of
the Rule is on page 63772, but you may want to read several other parts.
The Preamble – beginning on page 63718 – explains the rationale behind
the Rule and what it covers. The Guidelines – beginning on page 63773 –
list issues to think about in developing your Identity Theft Prevention
Program. The Supplement to the Guidelines – page 63774 – gives 26
possible red flags to consider.
Do the rules require that I have specific practices and procedures in my
program – like identifying a particular red flag?
The Rule doesn’t require any specific practice or procedures. It gives you
the flexibility to tailor your Program to the nature of your business and the
risks it faces. Compliance is based on the reasonableness of a company’s
policies and procedures.
Is there a red flag certification or accreditation program to ensure a
program is in compliance with the law?
No. Some companies and organizations offer Red Flags compliance
services, but the FTC and TDSML haven’t certified or approved any
particular program.
What are the penalties for noncompliance?
The FTC can seek both monetary civil penalties and injunctive relief
for violations of the Red Flags Rule. Where the complaint seeks civil
penalties, the U.S. Department of Justice typically files the lawsuit in
federal court, on behalf of the FTC. Currently, the law sets $3,500 as
the maximum civil penalty per violation.
A good starting point for your written
program!
The FTC has promulgated forms for organizations with a low risk of
identity theft
Some factors of an organization with low risk of identity theft
• Personal knowledge of your clients
• Do you provide services at your clients’ homes?
• Have you experienced identity theft?
www.kflawpllc.com
www.dfwamb.org
http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml
http://www.sml.state.tx.us/tdsml_red_flag_rules.html