If your organization is involved in the financial services industry, or in any way has a regular practice of "extending, renewing or continuing credit" to your customers, then June 1st, 2010 is an important deadline for you. This is when the Red Flag Rules finally kick in for any organization that handles certain transaction types.
The Red Flag Rule requires that organizations handling "covered" transactions must develop and implement a written "Identity Theft Prevention Program" to DETECT, PREVENT and MITIGATE identity theft.
Enforcement for organizations subject to oversight by the Federal Trade Commission has been extended four times and is now set for June 1st, 2010.
Part III. Prevent identity theft and mitigate its effect by responding appropriately
The Red Flag Program regulations require organizations to prepare appropriate responses to the Red Flags they detect which are "commensurate with the degree of risk posed". An analysis of the legislative text in this section of the regulations suggests that this should involve an assessment of exposure to both the customer and the financial institution. A financial institution should evaluate the nature of the Red Flag along with any other aggravating factors that may increase the risk of identity theft. The regulation provides two examples of aggravating factors: (1) the institution has experienced a breach of security that resulted in the loss of customers' personal data, or (2) a customer has provided information related to a covered account to someone fraudulently claiming to represent the financial institution or creditor, or to a cloned website.
The regulation states that appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the customer;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.
There may be times when a Red Flag detection program produces a false positive alert, meaning that the circumstances indicate a Red Flag is present but it can be determined that no risk of identity theft exists. The text clearly states that it is "implicit" in an appropriate response to a Red Flag that the financial institution not only assess the degree of risk but also have a "reasonable basis" for concluding that the Red Flag does not evidence a risk of identity theft.
In our fourth, and final, article in this series, we will discuss Maintaining and Updating the Red Flags Program.