The Red Flag Rule meaning

The Red Flag Rules, under the Fair and Accurate Credit Transactions Act of 2003, demands businesses and organizations to create and implement an Identity Theft Prevention Program (ITTP). The Identity Theft Prevention Program (ITPP) can detect, prevent, and mitigate the red flags of identity theft.

Identity theft is the unauthorized usage of another person's identifying information. Identifying information can mean any name or number that may be used to identify a specific person, like:

  • Name, Social Security Number (SSN), date of birth, driver's license number, alien registration number, government passport number, company identification number, and tax identification number.
  • Unique biometric data like fingerprints, voice prints, retina or iris images, and other physical representations.
  • Distinctive electronic identification number, address, or routing code
  • Telecommunication identifying information or access device
Red Flag Rule

The Four Elements Of The Red Flags Rule

The four elements of the Red Flags Rule are the key elements of an identity theft prevention program. The identity theft prevention program’s development, implementation, and administration are stated under the Red Flags Rule. The Red Flag Rule’s four basic elements for an identity theft framework are:

  • A program that includes rational policies and procedures to identify the red flags of identity theft. The red flags of identity theft happen in the day-to-day operations of businesses or organizations.
  • A program should be able to detect the red flags that are identified by the businesses or organizations. Businesses or organizations, for example, must have procedures to identify fake IDs if they are set as red flags.
  • A program must dictate the appropriate steps to follow once red flags are detected.
  • A program should provide in detail the updating procedures in response to new and evolving threats.

The Red Flags Rule Process

The Red Flags Rule does require financial institutions and creditors to focus on identifying Red Flags. Red Flags are found in account opening activities, existing account maintenance, and new activities on a dormant account for two years or more. The mandatory requirements are:

  • To keep a current and written Identity Theft Prevention Program (ITPP), which includes rational policies and procedures to recognize, detect, and respond to Red Flags and keep the program updated.
  • To confirm that the consumer reports from the consumer reporting agencies are related to the consumer whom the financial institution or creditor is doing business with.
  • To review address discrepancies.
View Pricing

The History Of The Red Flag Rules

The history of the Red Flags Rule started when it was created as a response to the increasing threats to the integrity and privacy of personal information. The increasing threats to the integrity and privacy of personal information are results of the growth and development of information technology and electronic communication. The growth and development of information technology and electronic communication allow the collection, maintenance, and transfer of personal data with ease. These technological advancements and the threats attributed to them are the building blocks of the Red Flags Rule.

The Red Flags Rule was formed under the Fair Credit Reporting Act of 1970 (FCRA). The Fair Credit Reporting Act of 1970 was amended in 2003 and required an issue of joint rules and guidelines for the detection, prevention, and mitigation of identity theft coming from federal agencies. These federal agencies are:

  • Office of the Comptroller of the Currency (OCC)
  • Board of Governors of the Federal Reserve System
  • Federal Deposit Insurance Corporation (FDIC)
  • Office of Thrift Supervision (OTS)
  • National Credit Union Administration (NCUA)
  • Federal Trade Commission (FTC)

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) amended the FCRA. The FCRA has added the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) to the list of federal agencies that must adopt together and enforce as individuals the Red Flags Rule. The Red Flags rules and guidelines were made public in February 2012 by the joint commission of CFTC and SEC.

The Red Flags checklist

The Red Flags checklist is a set of five categories that the Federal Trade Commission (FTC) recommends to financial institutions and creditors. Financial institutions and creditors can use them as a launch point. The five categories of Red Flags:

  • Warnings, notification alerts, alarms, or notifications from a consumer reporting agency
  • Suspicions documents
  • Unusual usage of, or suspicious activity related to, a covered account
  • Suspicious personal identifying information like a suspicious inconsistency with a surname or address
  • Notifications from customers, law enforcement authorities, or other businesses and victims of identity theft about possible identity thefts on specified accounts

Who Does The Red Flags Rule Apply To?

The Red Flags Rule applies to financial institutions and creditors. Financial institutions are defined as:

  • All banks, savings associations, and credit unions
  • Any other person that has a direct or indirect consumer transaction account
  • Identity relational and behavioral anomalies
  • SSNs belonging to deceased persons or minors
  • Consumer statements on credit files
  • Identity verification issues
  • Social security number issuance and misuse
  • Address misuse
  • Phone number misuse
  • Synthetic fraud

Creditors can be determined according to the Red Flags Rule by answering “YES” to any of the following questions:

  • Does the business or institution regularly defer payment for goods and services?
  • Does the business or institution grant or arrange credit?
  • Does the business or institution participate in the decision to renew, extend or set credit terms?

If the answer to all of the questions above is “NO," these are the follow-up questions:

  • Does the business or institution regularly request, acquire, and use consumer reports about a credit transaction?
  • Does the business or institution regularly turn in information to credit reporting agencies regarding a credit transaction?
  • Does the business or institution provide funding to someone who must repay them, whether with funds or pledge property as collateral?

The Red Flags Rule also applies to functionally regulated subsidiaries of insured depository institutions. Functionally regulated subsidiaries are companies that are not bank holding companies or depository institutions, and those are:

  • Brokers or dealers that are registered under the Securities Exchange Act
  • Registered investment advisors that are registered with the SEC
  • Investment firms that are registered under the Investment Company Act of 1940
  • Insurance companies that are subject to state insurance regulator supervision
  • Entities that are regulated by the CFTC
View Pricing

The Red Flags Rule Requiremnts for Banks

The Red Flags Rule requires financial institutions and creditors to establish an ITPP. An ITPP has the ability to detect, prevent, and mitigate identity theft. The identity theft prevention program guidelines are:

  • Definitions of financial institutions and creditors that must develop and implement a written ITPP
  • Objectives of the ITPP
  • Elements that the ITPP must contain
  • Steps that financial institutions and creditors need to take to administer the ITPP

Financial institutions and creditors are required to conduct a periodic risk assessment. A periodic risk assessment identifies if the financial institutions and creditors have covered accounts. Covered accounts are accounts that are maintained by financial institutions and creditors from identity theft, such as:

  • Consumer accounts that allow multiple payments or transactions for personal, family, or household purposes.
        1. Credit card accounts
        2. Mortgage loans
        3. Automobile loans
        4. Checking accounts
        5. Savings accounts
  • Other accounts that have foreseeable identity theft risks like financial, operational, compliance, reputation, or litigation to customers, financial institutions, or creditors.
        1. Small business accounts
        2. Sole proprietorship accounts
        3. Single transaction consumer accounts

For more information contact the professionals at iSoftpull today.