Red Flags: Unusual Account Activity


Visit the FTC guide to Red Flags for low-risk businesses.
Fighting Fraud with the Red Flags Rule: A How-to Guide for Business

October 30, 2009:
FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule to June 1st, 2010

 

Identity Theft Red Flags Rule Training

Contact us for complimentary access to the Identity Theft Red Flags Rule course for employees. To see a short demo, click here.

What is Identity Theft Red Flags?

The Red Flag Rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Full text of the rule is available from the Federal Trade Commission web site.

Who must comply with Identity Theft Red Flags?

The Identity Theft Red Flag Rules apply broadly to (1) financial institutions and (2) creditors which handle covered accounts.

The first step is to determine whether your business or organization falls under the category of financial institution or creditor.

  1. Financial institutions include banks, savings and loans, credit unions or any other entity that holds a transaction account belonging to a consumer.  A transaction account is an account that allows the owner to make payments or transfers--examples include checking accounts, savings accounts that permit automatic transfers, share draft accounts, and brokerage accounts.
  2. Creditor means an entity that defers payment of debts or accepts deferred payments for the purchase of property or services. According to the FTC, examples of creditors include finance companies, automobile dealers, mortgage brokers, utilities, and telecommunications companies. Additionally, the FTC considers creditors to include health care providers, such as doctors' offices and hospitals, if the health care provider bills consumers after their services are completed. Also, health care providers that accept insurance are considered creditors under FTC guidance, if the consumer ultimately is responsible for the medical fees.

Step 2: If your business or organization falls under the category of financial institution or creditor, the next step is to determine whether you handle "covered accounts". Two types of covered accounts are defined under the rules:

  1. An account used mostly for personal, family, or household purposes that involves multiple payments or transactions, such as credit card accounts, mortgage loans, car loans, margin accounts, cell phone accounts, utility accounts and checking or savings accounts. According to the FTC, this includes continuing relationships with consumers for the provision of medical services.
  2. An account for which there is a foreseeable risk of identity theft, such as small business accounts. In determining whether you have such an account, the FTC advises considering the risks associated with how the accounts may be opened or accessed (i.e., what type of interaction and documentation is required) as well as your experience with identity theft.

Under Step 2, if you determine you handle covered accounts, you must comply with the Identity Theft Red Flag Rules.

When must Red Flag compliance be in place?

The Federal Trade Commission issued an Enforcement Policy statement that delayed enforcement of the Red Flag Rules for non-financial institutions until December 30, 2010.

Why is the government requiring Red Flag compliance?

Businesses that offer credit can be the first to spot or stop identity theft, but only if a program is implemented to systematically identify and report suspicious activity. FACTA Red Flags requires the implementation of a Red Flag program by any credit or lending institution, and appropriate periodic training of all employees is a key component of any Red Flag program.

Enforcement and Penalties

The Red Flags Rule empowers the FTC to impose civil penalties against companies without adequate identity theft programs in amounts up to $3,500 per knowing violation. While we do not know how the FTC will calculate penalties, it is possible that the fine amount chosen could be assessed against a noncompliant company for each covered account it maintains.

What does your institution need to do to comply?

The rules require every institution that handles covered accounts to implement a documented identity theft prevention program. Relevant employee training must be provided as part of the program.

Where can I get Identity Theft Red Flag training for employees?

eLearning Corner has developed Red Flags courses for healthcare and utility providers. We also build custom Red Flag training for clients on request. We work with you to identify roles within your organization that require periodic Red Flag training (e.g., Tellers, Customer Services, New Accounts, and Executives). We build effective, engaging courses with material specific to each role in either separate role-based courses, or in a single course with role-dependent learning paths.

Sources of Red Flags

  • Incidents of ID theft that the financial institution has experienced.
  • Methods of ID theft that the financial institution has identified that reflect changes in ID theft risks.

Types of Red Flags

  1. Alerts, notifications, or warnings from a consumer reporting agency
    • e.g., recent or significant increase in volume of inquiries
  2. Suspicious documents
    • ID documents appear altered or forged
  3. Suspicious PII
    • Address doesn't match any address in consumer report.
  4. Unusual account use or activity
    • Shortly following notice of change of address, requests for new or additional cards or authorized users.
  5. Notice from customers, law enforcement, ID theft victims, or others regarding possible ID theft.
 
eLearning Corner, LLC • Gaithersburg, MD, USA • +1.240.477.8758