Identity Theft Red Flag Rule 

RED FLAG RULE

• The Federal Trade Commission’s recent mandate requires organizations to develop sound identity-theft-prevention programs. Assessing key risk factors, adopting test policies and procedures and training employees to ensure that the precautions and procedures are implemented besets financial institutions with challenges for completing their mandated Red Flag Rule program. It places specific requirements on issuers of debit or credit cards to assess the validity of a change of address if they receive notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterward they receive a request for an additional or replacement card for the same account. It also mandates users of consumer reports to respond to Notices of Address Discrepancies that they receive immediately.

The Three Steps to Compliance:

Define, Determine, and Document

Define the cause of the red flag; determine who owns what process and how information management is linked to that process. Ask where the metrics, controls, policies, procedures and standards might overlap.

Then ask what must be added to existing processes and/or procedures in order to address the problem and document all findings.

R E D    F L A G S

• Notice of a credit freeze in response to a request for a consumer report.
• A consumer reporting agency providing a notice of address discrepancy.
• Unusual credit activity, such as an increased number of accounts or inquiries.
• Documents provided for identification appearing altered or forged.
• Photograph on ID inconsistent with appearance of customer.
• Information on ID inconsistent with information provided by person opening account.
• Information on ID, such as signature, inconsistent with information on file at financial institution.
• Application appearing forged or altered or destroyed and reassembled.
• Information on ID not matching any address in the consumer report, Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased.
• Lack of correlation between Social Security number range and date of birth.
• Personal identifying information associated with known fraud activity.
• Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service.
• Social Security number provided matching that submitted by another person opening an account or other customers.
• An address or phone number matching that supplied by a large number of applicants.
• The person opening the account unable to supply identifying information in response to notification that the application is incomplete.
• Personal information inconsistent with information already on file at financial institution or creditor.
• Person opening account or customer unable to correctly answer challenge questions.
• Shortly after change of address, creditor receiving request for additional users of account.
• Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment.
• Drastic change in payment patterns, use of available credit or spending patterns.
• An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.
• Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account.
• Financial institution or creditor notified that customer is not receiving paper account statements.
• Financial institution or creditor notified of unauthorized charges or transactions on customer's account.
• Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft.

Identity Theft Red Flag Rule is the commonly referenced name for a compilation of Title 12 CFR Part 41, Title 12 CFR Part 222, Title 12 CFR Part 334, Title 12 CFR Part 571, Title 12 CFR Part 717, and Title 16 CFR Part 681. This document is also commonly referred to as Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003. This authority document originates from the Department of the Treasury’s Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Department of the Treasury’s Office of Thrift Supervision, the National Credit Union Association, and the Federal Trade Commission. The rule was developed due to increased need of regular procedures and controls to reduce the effects and effectiveness of identity thieves. The mandatory compliance date for this rule is November 1, 2008