Alert: FTC Issues Red Flags Rule: How-To Guide for Businesses
The Federal Trade Commission (FTC) has issued a practical “how-to” guide (the Guide) for assisting businesses in complying with the identity theft prevention provisions of the Fair Credit Reporting Act, 15 U.S.C. § 1681m(e) (the Red Flags Rule). “Red flags” are suspicious patterns, practices or specific activities that indicate the possibility of identity theft. The Guide is directed to non-bank creditors, like sales finance companies, and provides guidance on how to create, implement and update an identity theft prevention program that must include four basic elements:
- Reasonable policies and procedures to identify red flags specific to your business;
- Reasonable policies and procedures to detect the red flags you identified for your business;
- Appropriate action you will take when you detect red flags; and
- How you will keep your identity theft prevention program current to reflect new threats.
The following summary highlights specific provisions of the Guide that may impact sales finance companies.
1. Identify Red Flags
To determine what red flags are related to your business, the Guide instructs businesses to consider:
- Risk Factors: Think about the types of products you offer or maintain, the ways you open those accounts, how you provide access to those accounts and what you know about identity theft in your business.
- Sources of Red Flags: This includes industry experience and changes in technology. We recommend that you consider how your business’s use of online lead generation websites and electronic contracting may raise red flags that are not present with in-person transactions.
Categories of Common Red Flags
A. Alerts, Notifications and Warnings from Credit Reporting Agencies
- fraud or active duty alerts on a credit report
- notice of a credit freeze in response to a request for a credit report
- notice of address discrepancy provided by a credit reporting agency
- credit report indicating a pattern inconsistent with the person’s history
B. Suspicious Documents
- identification document (driver’s license, state ID or passport) looks altered or forged
- the person presenting identification does not look like the photo or match the physical description
- information on the identification document differs from what the person with identification tells you
- application looks like it has been altered, forged or torn up and reassembled
C. Personal Identifying Information
- inconsistencies with what you know – for example, an address that does not match the credit report or the use of a Social Security number that is listed on the Social Security Administration Death Master File
- inconsistencies in the information a customer has submitted to you
- an address, phone number, or other personal information already used on an account you know to be fraudulent
- a bogus address, an address for a mail drop or prison, a phone number that is invalid, or one that is associated with a pager or answering service
- a Social Security number used by someone else opening an account
- the same address or telephone number used by several people opening accounts
- a person who omits required information on an application and does not respond to notices that the application is incomplete
- a person who cannot provide authenticating information beyond what is generally available from a wallet or credit report – for example, someone who cannot answer a challenge question
D. Account Activity
- a new account used in ways associated with fraud – for example, the customer does not make the first payment or makes only an initial payment
- an account used outside of established patterns – for example, nonpayment when there is no history of missed payments
- information that the customer is not receiving an account statement by mail or email
E. Notice From Other Sources
- including a customer, victim of identity theft, law enforcement or someone else telling you that an account has been opened or used fraudulently
2. Detect Red Flags
Consider options like identity verification and authentication and tailor procedures to match methods used.
- New Accounts – Reasonable procedures to verify identity may include comparing information obtained from the applicant to information available through other sources.
- Existing Accounts – Reasonable procedures may include confirming the identity of the person you are dealing with, monitoring transactions, verifying the validity of change of address requests and considering the FFIEC’s guidance on online authentication (http://www.ffiec.gov/pdf/authentication_guidance.pdf). Social Security number, date of birth, mother’s maiden name and mailing address are not reliable authenticators because they are so easily accessible.
3. Respond to a Detected Red Flag
Response to a red flag depends on the degree of risk posed and may be impacted by aggravating factors. The Red Flags Rule Guidelines offer the following examples of potential responses:
- monitoring a covered account for evidence of identity theft
- contacting the customer
- changing passwords, security codes, or other ways to access a covered account
- not trying to collect on an account or not selling an account to a debt collector
- notifying law enforcement
- determining that no response is warranted under the particular circumstances
4. Update the Program
Periodic updates should consider your experience with identity theft, changes in how identity thieves operate, new methods to detect, prevent and mitigate identity theft, changes in the products you offer and changes in your business.
The Guide also reiterates that your Board of Directors or appropriate Board committee must approve your initial plan and must designate a person who will be responsible for implementing your identity theft prevention program, reviewing staff reports about compliance with the Red Flags Rule, approving important changes to your program, training relevant staff as necessary and reporting annually to the Board.
Your service providers that conduct activities covered by the Red Flags Rule – like opening or managing accounts, billing customers, providing customer service or collecting debts – must apply the same standards you would if you were performing those tasks yourself. Your contracts with these service providers should include a representation and warranty that the service provider has procedures in place to detect red flags and either report them to you or respond appropriately to prevent or mitigate identity theft. You should also give these service providers a copy of your identity theft prevention program, review their program and/or require periodic reports about red flags they have detected and their response. You should review your vendor management policies and procedures to ensure that they include compliance with the Red Flags Rule and these expectations.
The Guide reiterates four current themes: (1) compliance with these rules requires more than a generic written policy; (2) reviewing and updating your identity theft prevention program to take into account your own experience and changes in technology and your own business are critical; (3) you are responsible for the acts of your service providers – do not assume that they are compliant; and (4) expect more enforcement actions.