News for the ‘card holder agreements NEVER supercede the red flag rules’ Category

accounting lobby sues the FTC to block red flag rules implementation

AICPA Sues FTC over Identity Theft Rule

Washington, D.C.
(November 11, 2009)
By WebCPA Staff

The American Institute of CPAs has filed a lawsuit against the Federal Trade Commission challenging the applicability of the so-called “Red Flags Rule” to CPAs.

The lawsuit follows on the heels of the FTC’s recent decision to delay enforcement of the rule for the fourth time (see FTC Extends Deadline for ‘Red Flags’ ID Theft Rule). The rule, promulgated by the FTC in November 2007 to comply with the Fair and Accurate Credit Transactions Act of 2003, requires financial institutions and creditors to develop and implement written identity theft programs to help identify, detect and respond to patterns, practices or specific activities — known as “red flags” — that could indicate identity theft. It was originally set to take effect on Nov. 1, 2008, but after the latest extension, it is now set to become effective June 1, 2010.

The AICPA filed suit in the U.S. District Court for the District of Columbia seeking an injunction barring the FTC from applying the Red Flags Rule to CPAs, claiming the rule would impose onerous and unnecessary requirements on AICPA members. Its application to lawyers and law firms has already been blocked after a similar lawsuit was filed by the American Bar Association.

 

“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA president and CEO Barry Melancon in a statement. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”

The Red Flags Rule was mainly intended to apply to financial institutions and credit card companies, requiring them to develop and implement programs to detect and respond to activity that may signal identity theft. Under the FTC’s interpretation, the rule would apply to public accountants only because CPA firms typically bill clients for services rendered, thus technically qualifying them as a “creditor.”  However, the AICPA contends that public accountants do not provide financial services that would typically create identity theft risks for clients.

The AICPA’s complaint, filed by the law firm Fried, Frank, Harris, Shriver & Jacobson LLP, alleges that the FTC is exceeding its congressionally granted powers under the 2003 law by interpreting its Red Flags Rule to apply to accountants. The complaint alleges that the FTC has acted arbitrarily, capriciously, and contrary to law by failing to articulate a rational connection between the profession of public accounting and identity theft. The FTC failed to explain how the manner in which public accountants bill their clients in the normal course of business constitutes an extension of credit, according to the AICPA, adding that the FTC further failed to identify any legally supportable basis for applying the rule to accountants.

The AICPA’s lawsuit follows an Oct. 30 order by U.S. District Court Judge Reggie B. Walton in response to the American Bar Association’s lawsuit seeking to enjoin the FTC from applying its Red Flags Rule to practicing attorneys. Judge Walton granted the ABA’s motion in a partial summary judgment, holding that the FTC had exceeded its authority by interpreting the term “creditor” to include attorneys engaged in the practice of law. That same day, the FTC issued a press release announcing that it was delaying enforcement of the rule until June 1, 2010, a decision welcomed by the AICPA.

“The FTC made the right move in delaying implementation of the Red Flags Rule and we certainly still appreciate the commission’s continuing consideration of our request for a CPA exemption,” Melancon said.

A copy of the complaint filed by Fried Frank is available at http://www.aicpa.org/download/news/2009/AICPA-Complaint.pdf.

car dealer education for red flag rules

rex our automated man for red flag compliance reveals what to do if you have a red flag in your dealership

* The Program should explain how to respond to red flags.

If dealership employees have concerns because of one or more indicators of potential identity theft, what should their response be? Quite clearly, common sense should take over and employees should do more to ensure that they’re not dealing with an identity thief.

The first step is to engage the customer to get more information that explains any discrepancy, such as a utility bill to explain a difference in address. If dealership personnel are still concerned that they might be dealing with an identity thief, then the obvious response is to slow down the deal and get sufficient information to make a reasoned decision whether to do the deal at all.

If the deal is done and the dealership later learns that it dealt with an identity thief, then it must ask itself whether it should contact the correct person. And should it notify law enforcement? And should it contact the assignee of the finance contract to stop collection efforts? The program must detail methods to prevent and mitigate identity theft.

rex our automated man for red flag compliance reveals FTC list of identity theft protection laws

rex our automated man for red flag compliance reveals the FTC rules for how to handle a data breach

FTC Red Flag Rules

Dealing with a Data Breach

Information Compromise and the Risk of Identity Theft: Guidance for Your Business

These days, it is almost impossible to be in business and not collect or hold personally identifying information — names and addresses, Social Security numbers, credit card numbers, or other account numbers — about your customers, employees, business partners, students, or patients. If this information falls into the wrong hands, it could put these individuals at risk for identity theft.

Still, not all personal information compromises result in identity theft, and the type of personal information compromised can significantly affect the degree of potential damage. What steps should you take and whom should you contact if personal information is compromised? Although the answers vary from case to case, the following guidance from the Federal Trade Commission (FTC), the nation’s consumer protection agency, can help you make smart, sound decisions. Check federal and state laws or regulations for any specific requirements for your business.

Notifying Law Enforcement

When the compromise could result in harm to a person or business, call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police are not familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service. Check the blue pages of your telephone directory or an online search engine for the number of the nearest field office.

Notifying Affected Businesses

Information compromises can have an impact on businesses other than yours, such as banks or credit issuers. If account access information — say, credit card or bank account numbers — has been stolen from you, but you do not maintain the accounts, notify the institution that does so that it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of any information compromise, as well.

If names and Social Security numbers have been stolen, you can contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts for their files. Your notice to the credit bureaus can facilitate customer assistance.

Equifax
U.S. Consumer Services
Equifax Information Services, LLC.
Phone: 678-795-7971
Email: businessrecordsecurity@equifax.com

Experian
Experian Security Assistance
P.O. Box 72
Allen, TX 75013
Email: BusinessRecordsVictimAssistance@experian.com

TransUnion
Phone: 1-800-372-8391

If the information compromise resulted from the improper posting of personal information on your Web site, immediately remove the information from your site. Be aware that Internet search engines store, or “cache,” information for a period of time. You can contact the search engines to ensure that they do not archive personal information that was posted in error.

Notifying Individuals

Generally, early notification to individuals whose personal information has been compromised allows them to take steps to mitigate the misuse of their information. In deciding if notification is warranted, consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from misuse. For example, thieves who have stolen names and Social Security numbers can use this information to cause significant damage to a victim’s credit record. Individuals who are notified early can take some steps to prevent or limit any harm.

When notifying individuals, the FTC recommends that you:

  • consult with your law enforcement contact about the timing of the notification so it does not impede the investigation.
  • designate a contact person within your organization for releasing information. Give the contact person the latest information about the breach, your response, and how individuals should respond. Consider using letters (see sample below), Web sites, and toll-free numbers as methods of communication with those whose information may have been compromised.

It is important that your notice:

  • describes clearly what you know about the compromise. Include how it happened; what information was taken, and, if you know, how the thieves have used the information; and what actions you have taken already to remedy the situation. Explain how to reach the contact person in your organization. Consult with your law enforcement contact on exactly what information to include so your notice does not hamper the investigation.
  • explains what responses may be appropriate for the type of information taken. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts be placed on their credit reports. See www.ftc.gov/idtheft for more complete information on appropriate follow-up after a compromise.
  • includes current information about identity theft. The FTC’s Web site at www.ftc.gov/idtheft has information to help individuals guard against and deal with identity theft.
  • provides contact information for the law enforcement officer working on the case (as well as your case report number, if applicable) for victims to use. Be sure to alert the law enforcement officer working your case that you are sharing this contact information. Identity theft victims often can provide important information to law enforcement. Victims should request a copy of the police report and make copies for creditors who have accepted unauthorized charges. The police report is important evidence that can help absolve a victim of fraudulent debts.
  • encourages those who discover that their information has been misused to file a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Information entered into the Identity Theft Data Clearinghouse, the FTC’s database, is made available to law enforcement.

Model Letter

This model letter is provided as an example of how businesses might notify people whose names and Social Security numbers have been stolen. In cases of stolen Social Security numbers, it is important that people place a fraud alert on their credit reports. A fraud alert may hinder identity thieves from getting credit with stolen information because it is a signal to creditors to contact the consumer before opening new accounts or changing existing accounts. Potential victims of a theft also should review their credit reports periodically to keep track of whether their information is being misused. For some victims, weeks or months may pass between the time the information is stolen and the time it is misused.

For More Information

This publication provides general guidance for an organization that has experienced an information compromise. If you would like more individualized guidance, you may contact the FTC at idt-brt@ftc.gov. Please provide information regarding what has occurred, including the type of information taken, the number of people potentially affected, your contact information, and contact information for the law enforcement agent with whom you are working. The FTC can prepare its Consumer Response Center for calls from the people affected, help law enforcement with information from its national victim complaint database, and provide you with additional guidance as necessary. Because the FTC has a law enforcement role with respect to information privacy, if you prefer to seek guidance anonymously, you may do so.

The FTC works for the consumer to provide information on identity theft. To file a complaint or to get free information on ID theft issues, visit www.ftc.gov/idtheft or call toll-free 1-877-IDTHEFT (877-438-4338). The FTC enters identity theft complaints into the Identity Theft Data Clearinghouse, a secure online database available to law enforcement agencies.

Your Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.


rex our automated man for red flag compliance reveals just what is FACTA ???

Fair and Accurate Credit Transactions Act

From Wikipedia, the free encyclopedia

For the official website authorized by this legislation, see AnnualCreditReport.com.

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA, Pub.L. 108-159) is a United States federal law, passed by the United States Congress on November 22, 2003,[1] and signed by President George W. Bush on December 4, 2003,[2] as an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, annualcreditreport.com, to provide free access to annual credit reports.[3]

The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.

Provisions

The FACT Act contains seven major titles: Identity Theft Prevention and Credit History Restoration, Improvements in Use of and Consumer Access to Credit Information, Enhancing the Accuracy of Consumer Report Information, Limiting the Use and Sharing of Medical Information in the Financial System, Financial Literacy and Education Improvement, Protecting Employee Misconduct Investigations, and Relation to State Laws.[4]

Identity Theft Prevention and Credit History Restoration

This title of the act contains provisions that deal mainly with the prevention of identity theft. In particular, it establishes new regulations concerning ‘fraud alerts’ and ‘active duty alerts’, establishes new limitations on the printing of customers’ credit card numbers on receipts, and prescribes that new regulations be established by certain government agencies regarding the detection of identity theft by financial institutions and creditors.

Fraud Alerts

The title requires that consumer reporting agencies, upon the request of a consumer who believes he is, or is about to be, a victim of fraud or any other related crime, must place a fraud alert on that consumer’s file for at least 90 days, and notify all other consumer reporting agencies of the fraud alert. Furthermore, such a consumer may request an extended fraud alert, which requires the reporting agency to disclose this fraud alert in any credit score that it issues for the consumer during a seven-year period. An extended alert also requires the reporting agency to exclude the consumer from any list distributed to third parties for the purpose of extending credit or offering insurance to that consumer. The title also provides for any active duty member to request an active duty alert, which requires the reporting agency to disclose such alert with any credit report issued within 12 months of the request and to exclude the active duty member from any list distributed to third parties for the purpose of extending credit or offering insurance for two years from the request.[5]

Truncation of Credit and Debit Card Numbers

The act also prohibits businesses from printing more than 5 digits of any customer’s card number or card expiration date on any receipt provided to the cardholder at the point of sale or transaction. The provision excludes receipts that are handwritten or imprinted, where the only method of recording the credit card number is by such means. The act did not become effective for three years after its enactment for any cash register manufactured before January 1, 2005 and did not become effective for one year after its enactment for any cash register manufactured after January 1, 2005.[6]

Identification of Possible Instances of Identity Theft (Red Flag Rules)

The act established the so-called Red Flag Rules, which required the Federal banking agencies, the National Credit Union Administration, and the Federal Trade Commission to jointly create regulations regarding identity theft prevention applicable to financial institutions and creditors. The Red Flag Rules also address how card issuers must respond to changes of address.[7] Regulations that were established as a result include:

  • One that requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft;
  • Another that requires users of consumer reports to respond to Notices of Address Discrepancies that they receive; and
  • A third that places special requirements on issuers of debit or credit cards to assess the validity of a change of address if they receive notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterward, they receive a request for an additional or replacement card for the same account.

Another key item was the requirement that mortgage lenders provide consumers with a Credit Disclosure Notice that included their credit scores, range of scores, credit bureaus, scoring models, and factors affecting their scores. This form is typically available from credit reporting agencies, and many will send this directly to the consumer on the lenders’ behalf.

Confusion with the Scope of the Red Flag Rules

Financial institutions faced a mandatory deadline of November 1, 2008, to comply with the Red Flag Rules,[8] sections 114 and 315 of the Fair and Accurate Credit Transactions (FACT) Act. However, due to widespread confusion over coverage under the act, specifically whether the term “creditor” applies to particular businesses, the FTC postponed the deadline for compliance with Section 315 to May 1, 2009.

According to a Business Alert issued by the Federal Trade Commission in June 2008,[9] the Red Flag Rules apply to a very broad list of businesses including “financial institutions” and “creditors” with “covered accounts”. A “creditor” is defined to include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies”. However, this is not an all-inclusive list.

The regulations apply to all businesses that have “covered accounts”. A “covered account” includes any account for which there is a foreseeable risk of identity theft, for example credit cards, monthly billed accounts like utility bills or cell phone bills, social security numbers, driver’s license numbers, medical insurance accounts, and many others. This significantly expands the definition to include all companies, regardless of size, that maintain, or otherwise possess, consumer information for a business purpose. Because of the broad definitions in these regulations, few businesses will be able to escape these requirements.

Protection and Restoration of Identity Theft Victim Credit History

Summary of Rights of Identity Theft Victims

Provisions in this title require that the Federal Trade Commission, in consultation with the Federal banking agencies and the National Credit Union Agency, “prepare a model summary of the rights of consumers … with respect to the procedures for remedying the effects of fraud or identity theft…”. Beginning sixty days after the summary of these rights was established, all reporting agencies are required to provide a copy of this summary to any consumer who contacts an agency and states that he believes he has been a victim of fraud or identity theft.[10]

Blocking of Information Resulting from Identity Theft

The Act also requires any reporting agency to block the reporting of any information in a consumer’s file that the consumer identifies as information that originated from an alleged identity theft. Such agency must block the information within four days of receiving proof, a copy of an identity theft report, the identification of the information by the consumer, and a statement from the consumer that the information is not a result of any transaction he participated in.

Agencies are not required to block any information (and may rescind any existing blocks) in the case that the block was found to be made in error or based on erroneous information as provided by the consumer, or that the consumer “obtained possession of goods, services, or money as a result of the blocked transaction or transactions.”[11]

Coordination of Identity Theft Complaint Investigations

This section requires that all consumer reporting agencies develop a means of communicating to each other consumer complaints regarding fraud or identity theft, or requests for fraud alerts or blocks. Furthermore, the section requires that each consumer reporting agency release a report each year to the Federal Trade Commission of fraud alert requests and complaints involving fraud or identity theft received by the reporting agency. Finally, the section requires the Federal Trade Commission to set up a means by which consumers can contact the reporting agencies and creditors with a complaint involving identity theft or fraud.[12]

Criticism

After its enactment, some consumer advocacy groups criticised the FACT Act, claiming that it preempts some stricter and already-existing state regulations, and provides exceptions that are ‘far too generous’ to new regulations regarding disclosure of personal information by banks as found in the act.[13] Furthermore, an article in the Washington Post criticised the difficulty in retrieving the credit reports in some of the states that were first eligible under the act.[14]

Preemption of State Laws

According to U.S. PIRG, a U.S. public advocacy group, Vermont, Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and California had all established laws by 1994 requiring credit bureaus to provide a free credit report on demand. However, according to U.S. PIRG, “[w]ith the FACT Act, the financial industry won its primary goal: permanent preemption of stronger state credit and privacy laws.”[15]

Difficulty in Obtaining Credit Reports

An article dated March 13, 2005 and published in the Washington Post stated that while “[r]esidents of six East Coast states — Maryland, Georgia, Maine, Massachusetts, New Jersey and Vermont — are already eligible for free reports from all three agencies as a result of state laws”, the phone numbers provided to request these reports connected to automated systems that the article described as “maddening in their complexity and unforgiving if your circumstances vary from the system’s programming.” Furthermore, the article criticised the fact that the automated systems forced consumers to “navigate a thicket of recorded information — including sales pitches for their products, such as a credit ‘score’ (an evaluation of your creditworthiness) or a ‘monitoring’ service to help guard against identity theft”.[14]

References

  1. Library of Congress THOMAS, searched for H.R. 2622 (108th Congress) Major Congressional Actions on September 7, 2008
  2. White House fact sheet, December 4, 2003
  3. Facts for Consumers, Federal Trade Commission, March 2008
  4. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public Law 108-159, 108th Congress, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108, retrieved 2009-02-02
  5. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public Law 108-159, 108th Congress, pp. 117 STAT. 1955 – 117 STAT. 1959, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108, retrieved 2009-02-02
  6. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public Law 108-159, 108th Congress, pp. 117 STAT. 1959 – 117 STAT. 1960, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108, retrieved 2009-02-02
  7. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public Law 108-159, 108th Congress, pp. 117 STAT. 1960 – 117 STAT. 1961, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108, retrieved 2009-02-02
  8. Red Flags Resource Center
  9. FTC Business Alert, Federal Trade Commission, June 2008
  10. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public Law 108-159, 108th Congress, p. 117 STAT. 1961, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108, retrieved 2009-02-02
  11. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public Law 108-159, 108th Congress, pp. 117 STAT. 1964-1965, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108, retrieved 2009-02-02
  12. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, Public Law 108-159, 108th Congress, p. 117 STAT. 1966, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108, retrieved 2009-02-02
  13. Singletary, Michelle. “Somewhat More Fair And Increasingly Accurate”. The Washington Post. p. Financial; E03.
  14. “It’s Free, But Not So Easy; Another Try at Helping You Get That Credit Report”. The Washington Post. p. Outlook; B04.
  15. “Mistakes Do Happen: A Look at Errors in Consumer Credit Reports”. June 2004. http://uspirg.org/uspirg.asp?id2=13649.

rex our automated man announces T minus 26 days and counting for the red flag compliance deadline

rex our automated man for red flag compliance reveals ftc publications available for free download regarding the ftc red flag rules

Posted: October 4th, 2009
Categories: american express / visa red flag rules violation, attorney lobby unhappy with the red flag rules, automated red flag rex makes it simple for you, bank of america / fia card services red flag violation, card holder agreements NEVER supercede the red flag rules, cpa lobby unhappy with the red flag rules, do you feel lucky ???, federal trade commission red flag rules faq's, identity theft account takeover and the red flag rules, obamaspeak, private automated dealer education, red flag rules are not rocket science, red flag rules deadline countdown, retainer agreements NEVER supercede the red flag rules, rex runs the automated red flag news wire, rex the automated man gives amazing red flag service, rex the automated man makes red flag rules razor sharp, visa / american express red flag rules violation

rex our automated man for red flag compliance advises red flag templates are available for free from the FTC

rex our automated man for red flag compliance asks the question: does ken lewis hold personal liability for red flag rules violations by fia card services / bank of america even after he steps down in december ???

Bank of America CEO Lewis leaving by year’s end

NEW YORK

Ken Lewis, the embattled CEO of Bank of America Corp., is leaving the company, succumbing to nearly a year of strife that followed his company’s acquisition of Merrill Lynch & Co.

The bank said in a statement late Wednesday that Lewis, 62, would retire as CEO and also leave the company’s board by the end of the year. The company said his successor will be selected by the time he steps down Dec. 31.

The news, coming after shareholders had stripped Lewis of his chairman’s title earlier this year, wasn’t surprising because of the heavy pressure he came under after the Merrill deal. Lewis had said he would stay on as CEO until after the company’s financial problems were resolved, a process expected to take several years.

However, with the bank also under heavy criticism from government officials, Lewis was increasingly seen as vulnerable.

Since the Merrill deal closed Jan. 1, it was learned that the investment bank, with the knowledge of Bank of America executives, gave billions of dollars in bonuses to employees even as it asked for more bailout money from the government. The deal was forged a year ago at the height of the financial crisis.

rex our automated man for red flag compliance reveals MoFo's red flag rules faq page

Identity Theft Red Flags Rule and Address Discrepancy Rule–Frequently Asked Questions

by Andrew M. Smith, Nathan D. Taylor

Identity Theft Red Flags Rule

The federal banking agencies, the National Credit Union Administration (NCUA) and the Federal Trade Commission (FTC) recently have issued a new requirement — called the “Red Flags Rule” — for “creditors” and “financial institutions” to assess whether they offer or maintain “covered accounts,” and if they do, to develop and implement an “Identity Theft Prevention Program” (Program) to detect, prevent and mitigate identity theft with respect to those accounts.

When does the Rule take effect?

The Rule took effect on Jan. 1, 2008. Compliance with the Rule, however, is not required until Nov. 1, 2008.

new red flag rules deadline
november 1, 2009

What is a “creditor” under the Rule?

The term “creditor” has the same meaning as under the Equal Credit Opportunity Act (ECOA) and includes a person who regularly participates in credit decisions, including, for example, a mortgage broker, a person who arranges credit or a servicer of loans who participates in “workout” decisions. The term “credit” is defined, as in the ECOA, as the right granted by a creditor to defer payment for goods or services. It is important to note that commercial, as well as consumer, credit accounts may be covered by the Rule. (See “what is a covered account” below.)

What is a “financial institution” under the Rule?

The term “financial institution” is defined as a person that holds a “transaction account” belonging to a consumer. A “transaction account” is an account on which the account holder is permitted to make withdrawals by a negotiable instrument, such as a check. Thus, the term “financial institution” includes a bank, savings association or other depository institution.

We are a “financial institution” for the purposes of the Gramm-Leach-Bliley Act (GLBA). Are we also a “financial institution” under the Red Flags Rule?

Not necessarily. GLBA defines “financial institution” much more broadly than does the Red Flags Rule.

Under GLBA, a “financial institution” is “any institution the business of which is engaging in financial activities as described in [the Bank Holding Company Act],” including banks, securities firms, money transmitters and insurers. To be classified as a “financial institution” under the Red Flags Rule, however, you must maintain transaction accounts belonging to consumers.

We are an insurance company that uses credit reports to underwrite insurance. Does the Red Flags Rule apply to us?

The Red Flags Rule should not apply to an insurer when engaged in activities related to insurance underwriting. To the extent that you extend credit, however, you may be covered. For example, you may wish to examine whether you permit consumers to finance their premiums; whether you extend credit to vendors, independent agents or other business partners; or whether you extend credit in connection with your investment activities, including real-estate investments.

I am an auto dealer. Does the Rule apply to me?

If you extend auto credit to consumers or arrange auto credit for consumers, the Rule may apply.

Does the Rule apply to us even if we do not obtain credit reports?

Yes, if you are a “creditor” or “financial institution,” as defined above. The Rule applies to creditors and financial institutions without regard to whether they obtain or use credit reports.

Step 1 — Assessing Whether You Offer Covered Accounts

What is a “covered account”?

A “covered account” is a consumer account offered or maintained by a creditor or financial institution that involves multiple payments or transactions, such as a credit card account, mortgage loan, or checking account. Commercial accounts also can be “covered accounts” where there is a “reasonably foreseeable risk” from identity theft to customers or to safety and soundness.

How do I determine if there is a “reasonably foreseeable risk” from identity theft in a business or commercial account?

Risk is defined to include financial, operational, compliance, reputation or litigation risk. In making your risk determination, you should consider the risk of identity theft presented by the methods that you provide to open business accounts and the methods that you provide to access business accounts, as well as your previous experiences with identity theft, if any, with such business accounts.

Is a commercial real-estate loan a covered account?

Commercial credit accounts can be “covered accounts” if there is a “reasonably foreseeable risk” from identity theft to customers or to safety and soundness.

I service residential mortgage loans. Do I offer or maintain covered accounts?

Residential mortgage loans are covered accounts, and as a servicer you may be considered to be “maintaining” such accounts. Unless, however, you are considered to be a creditor, such as by regularly participating in credit decisions, you are not subject to the Rule. However, you may have contractual duties imposed upon you by the lenders for which you provide services that are related to their Programs.

I am an indirect lender — I do not open accounts directly with a consumer but purchase loans in the secondary market. Am I required to have a Program?

If the loans that you purchase would be considered “covered accounts,” you may be required to have a Program. As a secondary market purchaser of loans, however, you may not be considered to “regularly participate” in credit decisions and therefore may not be a “creditor” under the ECOA. In addition, the Rule requires you to address the risks of identity theft in connection with account opening and access. Because you do not originate or “open” accounts but rather purchase them on the secondary market, even if the loans you purchase are “covered” accounts, you should only be required to address the risk of identity theft in connection with account access.

Step 2 — Developing and Implementing a Program

If you are a creditor or a financial institution that offers covered accounts, you must develop a Program to detect possible identity theft in those covered accounts and respond appropriately. The federal banking agencies, the NCUA and the FTC have issued guidelines to help covered entities identify, detect and respond to indicators of possible identity theft, as well as to administer the Program.

Where can I find a copy of the guidelines?

* Federal Reserve Board — 12 C.F.R. pt. 222, App. J
* Federal Deposit Insurance Corporation — 12 C.F.R. pt. 334, App. J
* FTC — 16 C.F.R. pt. 681, App. A
* NCUA — 12 C.F.R. pt. 717, App. J
* Office of the Comptroller of the Currency — 12 C.F.R. pt. 41, App. J
* Office of Thrift Supervision — 12 C.F.R. pt. 571, App. J

Identifying “Red Flags”

What is a “Red Flag”?

A Red Flag is an indicator of the possible existence of identity theft. For example, a Red Flag might be an incorrect or invalid Social Security number (SSN) provided by a consumer applying for a loan. Or, in the case of an existing account, a Red Flag may be an unusual pattern of account usage, such as a credit card being used to purchase an unusually large amount of jewelry, electronics and other easily resold goods.

Does the Rule list the Red Flags?

The Red Flags Rule provides several examples of Red Flags in four separate categories: (1) alerts and notifications received from credit reporting agencies and third-party service providers, (2) the presentation of suspicious documents or suspicious identifying information, (3) unusual or suspicious account usage patterns and (4) notice from a customer, identity theft victim or law enforcement.

How do I know which Red Flags apply to me?

The Red Flags that apply to you depend on a number of factors, including: (1) the types of covered accounts you offer, (2) how those accounts may be opened and accessed and (3) your previous experiences with identity theft. You must consider these factors, as well as various sources and categories of Red Flags identified in the guidelines.

Detecting Red Flags

At which stage of the application process does the Rule apply?

The Rule would apply whenever you detect a Red Flag in connection with an application. This could occur as soon as you receive an application, for example, if the application appears to have been altered or forged or the consumer’s identification appears to be forged or is inconsistent with the information on the application.

Is an SSN check a requirement?

No, but an invalid SSN may be a Red Flag — i.e., an indicator of possible identity theft — and obtaining and verifying an SSN may be a reasonable means of addressing this Red Flag when opening an account. You also may be able to utilize your existing procedures under your Customer Identification Program (CIP) under the USA PATRIOT Act.

How are the Red Flags presented on the actual credit report?

The credit reporting agencies will not identify Red Flags as such on a credit report. However, there may be certain information on a credit report that you determine to be an indicator of possible identity theft and you incorporate into your Program, such as a consumer fraud alert or a notice of address discrepancy. In addition, the Guidelines specify that a credit report indicating a pattern of inconsistent or unusual recent activity might be a Red Flag.

We have stopped taking phone applications and are using the out-of-wallet questions for Internet credit applications. Are we going overboard?

The Rule does not preclude phone applications or otherwise limit the manner in which you may accept applications for covered accounts. However, different methods to open covered accounts present different identity theft risks, and you should consider those differing risks in identifying the relevant Red Flags for each type of covered account that you provide.

Responding To Red Flags

What am I supposed to do when I see a Red Flag?

Your Program should include appropriate responses when you detect a Red Flag. You must assess whether the Red Flag evidences a risk of identity theft, and your response must be commensurate with the degree of risk posed. Depending on the level of risk, an appropriate response may include, for example, contacting your applicant or not opening a new account. You also may determine that no response is necessary.

I have detected a Red Flag in connection with a credit application. Am I prohibited from opening the account?

You must assess whether the Red Flag evidences a risk of identity theft, and your response must be commensurate with the degree of risk posed. You are not prohibited from opening the account, unless the only appropriate response in light of the degree of risk posed by the Red Flag would be not to open the account. In some instances, for example, you may be able to contact the applicant to verify that the application is legitimate.

Would the regulators expect to see a log of detected activity and resulting mitigation?

The Rule does not require you to maintain a log, nor do the Guidelines suggest that a log should be maintained. You are, however, required to prepare regular reports on the effectiveness of your Program, and you also are required to incorporate your own experiences with identity theft when you review and update your Program.

Administering and Updating the Program

A Program must be written, must be approved and implemented by the board of directors, a board committee or senior management, and must include staff training and oversight of service providers. The board of directors or senior management should assign specific responsibility for implementation of the Program, should review reports by staff, and should approve material changes to the Program. Staff should report to the board of directors or senior management at least annually on (1) the effectiveness of the Program’s policies, (2) service provider arrangements, (3) significant security incidents and (4) any recommendations for material changes.

Does the Program have to be approved by the board annually?

No, but the board (or a committee of the board) or senior management must annually review reports prepared by staff regarding your Program and must approve any material changes to that Program.

Can I tie this in with the bank’s Customer Identification Program (CIP) so as not to overburden our staff with more rules to follow?

You may incorporate your CIP procedures into your Program to the extent that it is appropriate. For example, your CIP procedures likely would assist you in detecting relevant Red Flags in connection with new covered accounts but not with respect to existing accounts.

Address Discrepancy Rule

The nationwide credit reporting agencies — Experian, TransUnion and Equifax — are required to notify you when an address in their credit file for a consumer “substantially differs” from the address that you provide for the consumer when you request the credit report. New rules from the federal bank agencies and the FTC require you to confirm the identity of the consumer when you receive an address discrepancy notice from a credit reporting agency. These rules also may require you to reconcile the address provided by the consumer with the address in the credit reporting agency’s file, but only if you regularly furnish information to that credit reporting agency. Fair Credit Reporting Act § 605(h) — 15 U.S.C. § 1681c(h); Federal Reserve Board — 12 C.F.R. § 222.82; Federal Deposit Insurance Corporation — 12 C.F.R. § 334.82; FTC — 16 C.F.R. § 681.1; NCUA — 12 C.F.R. § 717.82; Office of the Comptroller of the Currency — 12 C.F.R. § 41.82; Office of Thrift Supervision — 12 C.F.R. § 571.82.

How do the credit reporting agencies display an address discrepancy?

Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator.

How do we “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?

Following procedures that you have implemented as a part of your Customer Identification Program under the USA PATRIOT Act would satisfy this requirement. You also can compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

If a credit report is pulled on a loan applicant who is not our customer, and there is an address discrepancy on the credit report, are we obligated to resolve the discrepancy if the loan is denied?

You are only required to reconcile the address with the credit reporting agency if you “establish a continuing relationship with” the consumer.

We do not regularly furnish data to any credit reporting agency. Are we required to furnish the consumer’s correct address?

If you do not regularly furnish data to a credit reporting agency in the ordinary course of your business, there is no obligation to report correct addresses.

When do we communicate the corrected address to the credit reporting agency?

You must furnish the verified address to the credit reporting agency with the other account data that you furnish to that credit reporting agency for the reporting period in which you establish the relationship with the consumer.