Tiffany George Attorney, Division of Privacy & Identity Protection Federal Trade Commission COMPLYING WITH THE RED FLAGS RULE & ADDRESS DISCREPANCY RULE



Page 1

Tiffany George
Attorney, Division of Privacy & Identity Protection
Federal Trade Commission

COMPLYING WITH THE RED FLAGS RULE & ADDRESS DISCREPANCY RULE

Page 2

WHAT’S ON YOUR MIND

So what is the Red Flags Rule?
Who’s covered by the Red Flags Rule?
If we’re covered by the Red Flags Rule, what do we need to do?
How do we design an Identity Theft Prevention Program?
What are the Red Flag Guidelines?
What about the Address Discrepancy Rule?

Page 3

THE FACT ACT

Fair and Accurate Credit Transactions Act of 2003, amending the Fair Credit Reporting Act (FCRA)

RULES: 72 Fed. Reg. 63718 (November 9, 2007)
www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
(FTC Rules p. 63771-63773, Guidelines p. 63773-63774, Supplement p. 63774)

Page 4

BACKGROUND

Joint rulemaking
Final rules published November 9, 2007
Compliance required by November 1, 2008, but enforcement forbearance for the Red Flags Rule until May 1, 2009, for entities under FTC jurisdiction

Page 5

SO WHAT IS THE RED FLAGS RULE?

Page 6

RED FLAGS RULE

FACT Act Section 114
FCRA Section 615(e)
16 C.F.R. § 681.2

A “red flag” is a pattern, practice, or specific activity that could indicate identity theft

Page 7

STRUCTURE OF THE RED FLAGS RULE

Risk-based rule
Guidelines (Appendix A)
Supplement A – 26 examples of red flags

Page 8

PURPOSE OF THE RED FLAGS RULE

To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products or services with no intention of paying.

It’s not just another data security regulation.

Page 9

WHO’S COVERED BY THE RED FLAGS RULE?

Page 10

WHO’S COVERED BY THE RED FLAGS RULE?

Financial institutions
Creditors

Page 11

WHO’S COVERED BY THE RED FLAGS RULE?

From the FCRA, a “financial institution” is:
A state or national bank
A state or federal savings and loan association
A mutual savings bank
A state or federal credit union, or
Any other person that directly or indirectly holds a transaction account* belonging to a consumer

* From the Federal Reserve Act, Section 19(b) – an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others

Page 12

WHO’S COVERED BY THE RED FLAGS RULE?

From the ECOA, a “creditor” is:
Any person who regularly extends, renews, or continues credit
Any person who regularly arranges for the extension, renewal, or continuation of credit, or
Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit

Page 13

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

Page 14

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

Financial institutions and creditors must conduct a periodic risk assessment to determine if they have “covered accounts.”

If they do, they must develop, implement, and administer a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
• the opening of a covered account, or
• any existing covered account.

Page 15

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

An “account” is:
A continuing relationship established by a person with an FI or creditor to obtain a product or service for personal, household, or business purposes.

Page 16

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE HAVE TO DO?

A “covered account” is:
A consumer account designed to permit multiple payments or transactions, and
Any other account for which there is a reasonably foreseeable risk from identity theft*

* Risk factors
1. Methods provided to open the account
2. Methods provided to access the account
3. Previous experiences with identity theft

Page 17

HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?

Page 18

DESIGNING YOUR PROGRAM

Develop reasonable processes and procedures for:

STEP #1 – Identify relevant red flags. Identify the red flags you’re likely to come across in your business that indicate a crook is using someone else’s information to get your products or services with no intention of paying.

STEP #2 – Detect red flags. Set up procedures to detect them in your day-to-day operations.

STEP #3 – Prevent and mitigate identity theft. When you spot the red flags you’ve identified, respond appropriately to prevent and mitigate harm.

STEP #4 – Update your Program. The risks of identity theft can change rapidly, so keep your Program current and educate your staff.

Page 19

DESIGNING YOUR PROGRAM

The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

Page 20

USING THE GUIDELINES

The Rules require you to:
Consider the Guidelines
Incorporate appropriate Guidelines into your Program

Page 21

ADMINISTERING YOUR PROGRAM

Get approval of the initial Program from your Board of Directors or from a committee of the Board

After that, the Board may designate a senior management employee to oversee:
Development, implementation, and administration of the Program
Training of appropriate staff
Arrangements with service providers

Page 22

WHAT ARE THE IDENTITY THEFT RED FLAGS GUIDELINES?

Page 23

RED FLAGS GUIDELINES

1. Incorporate existing policies and procedures.
2. Identify relevant red flags.
3. Set up procedures to detect red flags.
4. Respond appropriately to red flags.
5. Update your Program periodically.
6. Administer your Program.
7. Consider other legal requirements.

Page 24

Incorporate existing policies and procedures

Evaluate your existing anti-fraud programs
Evaluate your information security programs

Page 25

Identify relevant red flags

Risk factors:
• Types of covered accounts you offer or maintain
• Methods for opening or accessing covered accounts
• Previous experience with identity theft

Sources of red flags:
• Episodes of identity theft that have already happened
• Changes in how crooks are committing identity theft
• Applicable supervisory guidance

Page 26

Identify relevant red flags

Five categories of red flags*:
• Alerts, notifications, or other warnings received from credit reporting agencies or service providers
• Suspicious documents
• Suspicious personal identifying information
• Unusual use of or other suspicious activity related to a covered account
• Notice from customers, victims of identity theft, or law enforcement authorities

* 26 examples are found in Supplement A

Page 27

Set up procedures to detect red flags

Verify identity
Authenticate customers
Monitor transactions
Verify validity of address changes

Page 28

Respond appropriately to red flags

Monitor accounts
Contact customer
Change passwords
Close and reopen account
Refuse to open account
Don’t sell the account or collect on it against the identity theft victim
Notify law enforcement
In some cases, no response may be warranted

Page 29

Update your Program periodically in light of:

Experience with identity theft
Changes in methods of identity theft
Changes in methods to detect, prevent, and mitigate identity theft
Changes in types of accounts offered
Changes in business arrangements

Page 30

Administer your Program

Oversight of the Program by your Board or a senior manager involves:
• Assigning specific responsibility for implementation
• Reviewing reports
• Approving material changes to your Program.

Page 31

Administer your Program

At least once a year, the Board or the senior manager should get a report addressing material matters like:
• Service provider arrangements
• Whether your policies and procedures have been effective in addressing the risk of identity theft in connection with covered accounts
• Significant incidents involving identity theft and management’s response
• Recommendations for changes to the Program

Page 32

Administer your Program

Oversight of your service providers involves ensuring their activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

Page 33

Other legal requirements

Other FCRA provisions – for example, information furnisher duties to update or correct inaccurate information, and not report inaccurate information (15 U.S.C. 1681s-2)

Page 34

WHAT ABOUT THE ADDRESS DISCREPANCY RULE?

Page 35

ADDRESS DISCREPANCY RULE

FACT Act Section 315
FCRA Section 605(h)
16 CFR § 681.1

Page 36

WHO’S COVERED?

Users of credit reports

Page 37

NOTICE OF ADDRESS DISCREPANCY

“Nationwide credit reporting agency” (NCRA) – as defined in FCRA

“Notice of address discrepancy” comes from a nationwide credit reporting agency and notifies the user of a substantial difference between:
Address the user provided, and
Address in the credit reporting company’s files

Page 38

ENSURING ACCURACY

Regulatory Requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the credit report relates to the consumer about whom the report was requested

Page 39

REASONABLE BELIEF

Establishing a “reasonable belief” ― examples

Compare information in the credit report to information the user:
• Maintains in its records
• Gets from third-party sources
• Gets to comply with CIP rules

Verify information in the credit report with the consumer
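One way to implement the record comparison this slide describes, as an added example that is not part of the FTC presentation: the address is normalized so that formatting differences (case, "Street" versus "St", "#4B" versus "Apt. 4B", ZIP+4 versus five-digit ZIP) do not register as a discrepancy, and the credit report's address is then checked against each source the user holds. The abbreviation table, the sample records, and the criterion that a difference surviving normalization is "substantial" are assumptions of this example; the Rule itself does not define that threshold.

```python
import re
from typing import Dict, List, Optional

# Constructed abbreviation table (assumption); a real deployment would use the
# full USPS suffix list. Keys are lower-cased tokens as found in raw addresses.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "boulevard": "blvd", "apartment": "apt", "unit": "apt", "suite": "ste",
    "north": "n", "south": "s", "east": "e", "west": "w",
}
ZIP_PLUS_FOUR = re.compile(r"^(\d{5})-\d{4}$")


def normalize_address(addr: str) -> str:
    """Reduce formatting variation so the same address written two ways
    compares equal: case, punctuation, common suffix abbreviations,
    '#4B' versus 'Apt. 4B', and ZIP+4 versus five-digit ZIP."""
    out: List[str] = []
    for tok in re.split(r"[\s,]+", addr.strip().lower()):
        if not tok:
            continue
        if tok.startswith("#") and len(tok) > 1:   # "#4b" -> "apt 4b"
            out.extend(["apt", tok[1:]])
            continue
        tok = tok.rstrip(".")                       # "apt." -> "apt"
        m = ZIP_PLUS_FOUR.match(tok)
        if m:
            tok = m.group(1)                        # keep five-digit ZIP only
        out.append(ABBREVIATIONS.get(tok, tok))
    return " ".join(out)


def is_substantial_difference(provided: str, on_file: str) -> bool:
    """Assumption of this example: a difference that survives normalization is
    'substantial'; one that does not is formatting only. Tune this to your own
    risk assessment, since the Rule does not define the threshold."""
    return normalize_address(provided) != normalize_address(on_file)


def establish_reasonable_belief(report_address: str,
                                sources: Dict[str, List[str]]) -> Optional[str]:
    """Compare the address on the credit report with the addresses the user
    holds from each source (own records, third parties, CIP data). Returns the
    first source that corroborates the report address, or None when no record
    matches and the user must fall back to verifying with the consumer."""
    target = normalize_address(report_address)
    for source, addresses in sources.items():
        if any(normalize_address(a) == target for a in addresses):
            return source
    return None


# Constructed sample records (hypothetical, not real consumers).
SAMPLE_SOURCES: Dict[str, List[str]] = {
    "own_records": ["123 Main Street, Apt. 4B, Springfield, IL 62704-1234"],
    "third_party": ["789 Elm Rd, Springfield, IL 62704"],
    "cip": [],
}

if __name__ == "__main__":
    report_addr = "123 MAIN ST #4B SPRINGFIELD IL 62704"
    print(is_substantial_difference(report_addr, SAMPLE_SOURCES["own_records"][0]))
    print(establish_reasonable_belief(report_addr, SAMPLE_SOURCES))
    print(establish_reasonable_belief("456 Oak Ave, Springfield, IL 62704", SAMPLE_SOURCES))
```

When `establish_reasonable_belief` returns `None`, none of the user's own sources corroborate the report's address, which is the case where the slide's last point applies: verify the information with the consumer before relying on the report.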

Page 40

CONFIRMING ADDRESS

Regulatory requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user:
Can form a reasonable belief that the report relates to the consumer
Establishes a continuing relationship with the consumer
Regularly furnishes information to the NCRA

Page 41

ENFORCEMENT OF RULES

Administrative enforcement under 15 U.S.C. 1681s (Section 621 of the FCRA).
No private right of action for 16 C.F.R. 681.2
State Attorneys General
No criminal penalties

Page 42

QUESTIONS?

[email protected]