In October 2007, the Federal Banking Agencies - Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve Board (the Board), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and National Credit Union Administration (NCUA) along with the Federal Trade Commission (FTC), jointly issued final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
According to a report of the President’s Identity Theft Task Force, identity theft (a fraud attempted or committed using identifying information of another person without authority), results in billions of dollars in losses each year to individuals and businesses.
The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:
- Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
- Detect red flags that have been incorporated into the Program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program is updated periodically to reflect changes in risks from identity theft.
The final rules also require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.
A Red Flag refers to a pattern, practice, or specific activity that indicates the possible existence of identity theft. Supplement A to the final rules and guidelines provides 26 examples of Red Flags for consideration when implementing the Program. (See Sidebar – 26 Red Flags)
Red Flags fall into five categories:
- Alerts, notifications, or warnings from a consumer reporting agency;
- Presentation of suspicious documents;
- Suspicious personally identifying information, such as a suspicious address;
- Unusual use of – or suspicious activity relating to – a covered account; and
- Notifications or Reports from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
Who complies with the Red Flags Rules
The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.” Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer.
A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies (credit cards), automobile dealers (auto loans), mortgage brokers (mortgages), utility companies (accounts for gas, electric, oil, etc.), and telecommunications companies (cell phone accounts). Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors (higher education – student loans; medical providers – payment accounts).
A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.
Complying with the Red Flags Rules
Under the Red Flags Rules, financial institutions and creditors must develop and implement a written Identity Theft Prevention Program. The Program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the Program. The Program must include appropriate staff training. The organization must also report at least annually to the Board of Directors or senior management on compliance with the regulations.
The Program’s written policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are in proportion to the degree of risk posed.
Appropriate response to the identification and detection of red flags may include the following actions:
- Monitoring a covered account for evidence of identity theft
- Contacting the customer
- Changing any passwords, security codes or other security devices that permit access to covered accounts
- Reopening a covered account with a new account number
- Declining to open a new covered account
- Closing an existing covered account
- Notifying law enforcement and filing a Suspicious Activity Report (SAR), if applicable
- Suspending or eliminating a method of accessing funds of certain accounts (e.g., fax transfers) where security procedures may have been compromised
- Declining to issue a new credit card when the request is preceded by a change of address or other account information change, unless such change is independently verified
How flexible are the Red Flags Rules?
The Red Flags Rules require a risk-based approach. Each financial institution or creditor must conduct a risk assessment in order to develop and implement a Program that is appropriate to the size and complexity of the organization and the nature and scope of its activities. In addition, the Program must allow the organization to address changing identity theft risks. The risk assessment should document a complete analysis of the identity theft risks in a succinct manner so that it can be easily shared and communicated across the organization, including to the board of directors, management and appropriate staff. Examples of risk factors that should be used to identify red flags include the:
- Types of covered accounts the organization offers or maintains
- Methods the organization offers to open covered accounts
- Methods the organization provides to access covered accounts and
- Previous experiences with identity theft
The Program must incorporate oversight of third-party service providers to ensure regulatory compliance on their part as well. The Guidelines issued by the FTC and the Federal Banking Agencies should be helpful in assisting covered entities in designing their programs.
How CPAs can assist their clients or organizations
CPAs can assist financial institutions or creditors with the Red Flag Rules by:
- Developing a risk assessment methodology and conducting a comprehensive risk assessment of the organization
- Defining and developing a written Identity Theft Red Flag Program
- Conducting independent Red Flag Program reviews to assess effectiveness of the program
- Offering training assistance
To adequately provide the services mentioned above, a CPA should reference the following resources to obtain a comprehensive awareness of the frameworks available in the marketplace:
When the Red Flag Rules go into effect
Covered financial institutions and creditors were initially set to comply with the rules on November 1, 2008. This date has been postponed several times. At the request of several Members of Congress, the Federal Trade Commission (“FTC”) announced, on May 28th, 2010, that it is further delaying enforcement of the “Red Flags” Rule (“Rule”) through December 31, 2010. This action does not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance. The reasoning for the delay, according to the FTC’s press release, is to give time for Congress to consider legislation that would affect the scope of entities covered by the Rule.
26 Red Flags identified by the FTC
- A fraud alert included with a consumer report.
- Notice of a credit freeze in response to a request for a consumer report.
- A consumer reporting agency providing a notice of address discrepancy.
- Unusual credit activity, such as an increased number of accounts or inquiries.
- Documents provided for identification appearing altered or forged.
- Photograph on ID inconsistent with appearance of customer.
- Information on ID inconsistent with information provided by person opening account.
- Information on ID, such as signature, inconsistent with information on file at financial institution.
- Application appearing forged or altered or destroyed and reassembled.
- Information on ID not matching any address in the consumer report; Social Security number that has not been issued or that appears on the Social Security Administration’s Death Master File, a file of information associated with Social Security numbers of those who are deceased.
- Lack of correlation between Social Security number range and date of birth.
- Personal identifying information associated with known fraud activity.
- Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service.
- Social Security number provided matching that submitted by another person opening an account or other customers.
- An address or phone number matching that supplied by a large number of applicants.
- The person opening the account unable to supply identifying information in response to notification that the application is incomplete.
- Personal information inconsistent with information already on file at financial institution or creditor.
- Person opening account or customer unable to correctly answer challenge questions.
- Shortly after change of address, creditor receiving request for additional users of account.
- Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment.
- Drastic change in payment patterns, use of available credit or spending patterns.
- An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.
- Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account.
- Financial institution or creditor notified that customer is not receiving paper account statements.
- Financial institution or creditor notified of unauthorized charges or transactions on customer’s account.
- Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft.
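As an added illustration, not code from the AICPA article, the following Python sketch turns four of the red flags above into detection checks run over constructed sample data: a card request shortly after a change of address (the pattern the rules single out for card issuers), mail returned undeliverable while an account stays active, and a Social Security number or phone number shared across applicants. The event kinds, field names, thresholds and the 30-day window are assumptions chosen for the example.

```python
from collections import Counter
from datetime import date, timedelta
# Constructed sample data, not from the article: account events and new-account applications.
EVENTS = [
    {"acct": "A1", "kind": "address_change", "date": date(2010, 3, 1)},
    {"acct": "A1", "kind": "card_request", "date": date(2010, 3, 10)},  # 9 days later
    {"acct": "A2", "kind": "address_change", "date": date(2010, 1, 5)},
    {"acct": "A2", "kind": "card_request", "date": date(2010, 4, 20)},  # 105 days later
    {"acct": "A3", "kind": "returned_mail", "date": date(2010, 5, 2)},
    {"acct": "A3", "kind": "transaction", "date": date(2010, 5, 9)},
    {"acct": "A4", "kind": "returned_mail", "date": date(2010, 5, 2)},  # no activity after
]
APPLICATIONS = [
    {"id": "P1", "ssn": "123-45-6789", "phone": "555-0100"},
    {"id": "P2", "ssn": "123-45-6789", "phone": "555-0101"},
    {"id": "P3", "ssn": "987-65-4321", "phone": "555-0199"},
    {"id": "P4", "ssn": "111-22-3333", "phone": "555-0199"},
    {"id": "P5", "ssn": "222-33-4444", "phone": "555-0199"},
]

def address_change_then_card(events, window_days=30):
    """Accounts where a card request follows an address change within the window."""
    last_change, flagged = {}, set()
    for ev in sorted(events, key=lambda e: e["date"]):
        if ev["kind"] == "address_change":
            last_change[ev["acct"]] = ev["date"]
        elif ev["kind"] == "card_request":
            changed = last_change.get(ev["acct"])
            if changed and ev["date"] - changed <= timedelta(days=window_days):
                flagged.add(ev["acct"])
    return flagged

def returned_mail_with_activity(events, window_days=30):
    """Accounts whose mail comes back undeliverable while transactions continue."""
    returned = [(e["acct"], e["date"]) for e in events if e["kind"] == "returned_mail"]
    txns = [(e["acct"], e["date"]) for e in events if e["kind"] == "transaction"]
    return {a for a, r in returned for b, t in txns
            if a == b and 0 <= (t - r).days <= window_days}

def shared_identifier(apps, field, threshold):
    """Values of `field` (ssn, phone, address) reused by at least `threshold` applicants."""
    counts = Counter(a[field] for a in apps)
    return {value for value, n in counts.items() if n >= threshold}

def run_red_flags():
    """Findings a reviewer would escalate under the Program's written response policy."""
    return {"address_change_then_card": address_change_then_card(EVENTS),
            "returned_mail_with_activity": returned_mail_with_activity(EVENTS),
            "shared_ssn": shared_identifier(APPLICATIONS, "ssn", 2),
            "shared_phone": shared_identifier(APPLICATIONS, "phone", 3)}
```

Each finding maps to one of the responses listed earlier (independent verification of the address change, contacting the customer, or declining the new account), which is the step the Program's written procedures must spell out.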
©AICPA. Views expressed by AICPA employees are expressed for purposes of deliberation, providing member services and other purposes exclusive of practicing public accounting. Views expressed by AICPA staff do not necessarily represent the official views of the AICPA unless otherwise noted. Official AICPA positions are determined through certain specific committee procedures, due process and deliberation.