1 Tiffany George, Attorney, Division of Privacy & Identity Protection, Federal Trade Commission. COMPLYING WITH THE RED FLAGS RULE & ADDRESS DISCREPANCY RULE

2 WHAT’S ON YOUR MIND
 So what is the Red Flags Rule?
 Who’s covered by the Red Flags Rule?
 If we’re covered by the Red Flags Rule, what do we need to do?
 How do we design an Identity Theft Prevention Program?
 What are the Red Flag Guidelines?
 What about the Address Discrepancy Rule?

3 THE FACT ACT
Fair and Accurate Credit Transactions Act of 2003, amending the Fair Credit Reporting Act (FCRA).
RULES: 72 Fed. Reg. 63718 (November 9, 2007), www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf (FTC Rules pp. 63771-63773, Guidelines pp. 63773-63774, Supplement p. 63774)

4 BACKGROUND
 Joint rulemaking
 Final rules published November 9, 2007
 Compliance required by November 1, 2008, but enforcement forbearance for the Red Flags Rule until May 1, 2009, for entities under FTC jurisdiction

5 SO WHAT IS THE RED FLAGS RULE? Red Flags Rule

6 RED FLAGS RULE
 FACT Act Section 114
 FCRA Section 615(e)
 16 C.F.R. § 681.2
 A “red flag” is a pattern, practice, or specific activity that could indicate identity theft

7 STRUCTURE OF THE RED FLAGS RULE
 Risk-based rule
 Guidelines (Appendix A)
 Supplement A – 26 examples of red flags

8 PURPOSE OF THE RED FLAGS RULE
 To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products or services with no intention of paying.
 It’s not just another data security regulation.

9 WHO’S COVERED BY THE RED FLAGS RULE? Red Flags Rule

10 WHO’S COVERED BY THE RED FLAGS RULE?
 Financial institutions
 Creditors

11 WHO’S COVERED BY THE RED FLAGS RULE?
From the FCRA, a “financial institution” is:
 A state or national bank
 A state or federal savings and loan association
 A mutual savings bank
 A state or federal credit union, or
 Any other person that directly or indirectly holds a transaction account* belonging to a consumer
* From the Federal Reserve Act, Section 19(b): an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others

12 WHO’S COVERED BY THE RED FLAGS RULE?
From the ECOA, a “creditor” is:
 Any person who regularly extends, renews, or continues credit
 Any person who regularly arranges for the extension, renewal, or continuation of credit, or
 Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit

13 Red Flags Rule IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

14 IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
 Financial institutions and creditors must conduct a periodic risk assessment to determine if they have “covered accounts.”
 If they do, they must develop, implement, and administer a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
the opening of a covered account, or
any existing covered account.

15 IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
An “account” is:
 A continuing relationship established by a person with an FI or creditor to obtain a product or service for personal, household, or business purposes.

16 IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
A “covered account” is:
 A consumer account designed to permit multiple payments or transactions, and
 Any other account for which there is a reasonably foreseeable risk from identity theft*
* Risk factors:
1. Methods provided to open the account
2. Methods provided to access the account
3. Previous experiences with identity theft

17 Red Flags Rule HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?

18 DESIGNING YOUR PROGRAM
Develop reasonable processes and procedures for:
 STEP #1 – Identify relevant red flags. Identify the red flags you’re likely to come across in your business that indicate a crook is using someone else’s information to get your products or services with no intention of paying.
 STEP #2 – Detect red flags. Set up procedures to detect them in your day-to-day operations.
 STEP #3 – Prevent and mitigate identity theft. When you spot the red flags you’ve identified, respond appropriately to prevent and mitigate harm.
 STEP #4 – Update your Program. The risks of identity theft can change rapidly, so keep your Program current and educate your staff.

19 DESIGNING YOUR PROGRAM
The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

20 USING THE GUIDELINES
The Rules require you to:
 Consider the Guidelines
 Incorporate appropriate Guidelines into your Program

21 ADMINISTERING YOUR PROGRAM
 Get approval of the initial Program from your Board of Directors or from a committee of the Board
 After that, the Board may designate a senior management employee to oversee:
 Development, implementation, and administration of the Program
 Training of appropriate staff
 Arrangements with service providers

22 WHAT ARE THE IDENTITY THEFT RED FLAGS GUIDELINES? Red Flags Rule

23 RED FLAGS GUIDELINES
1. Incorporate existing policies and procedures.
2. Identify relevant red flags.
3. Set up procedures to detect red flags.
4. Respond appropriately to red flags.
5. Update your Program periodically.
6. Administer your Program.
7. Consider other legal requirements.

24 Incorporate existing policies and procedures
 Evaluate your existing anti-fraud programs
 Evaluate your information security programs

25 Identify relevant red flags
 Risk factors:
Types of covered accounts you offer or maintain
Methods for opening or accessing covered accounts
Previous experience with identity theft
 Sources of red flags:
Episodes of identity theft that have already happened
Changes in how crooks are committing identity theft
Applicable supervisory guidance

26 Identify relevant red flags
 Five categories of red flags*:
Alerts, notifications, or other warnings received from credit reporting agencies or service providers
Suspicious documents
Suspicious personal identifying information
Unusual use of or other suspicious activity related to a covered account
Notice from customers, victims of identity theft, or law enforcement authorities
* 26 examples are found in Supplement A

27 Set up procedures to detect red flags
 Verify identity
 Authenticate customers
 Monitor transactions
 Verify validity of address changes

28 Respond appropriately to red flags
 Monitor accounts
 Contact customer
 Change passwords
 Close and reopen account
 Refuse to open account
 Don’t sell the account or collect on it against the identity theft victim
 Notify law enforcement
 In some cases, no response may be warranted

29 Update your Program periodically in light of:
 Experience with identity theft
 Changes in methods of identity theft
 Changes in methods to detect, prevent, and mitigate identity theft
 Changes in types of accounts offered
 Changes in business arrangements

30 Administer your Program
 Oversight of the Program by your Board or a senior manager involves:
Assigning specific responsibility for implementation
Reviewing reports
Approving material changes to your Program

31 Administer your Program
 At least once a year, the Board or the senior manager should get a report addressing material matters like:
Service provider arrangements
Whether your policies and procedures have been effective in addressing the risk of identity theft in connection with covered accounts
Significant incidents involving identity theft and management’s response
Recommendations for changes to the Program

32 Administer your Program
 Oversight of your service providers involves ensuring their activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

33 Other legal requirements
 Other FCRA provisions – for example, information furnisher duties to update or correct inaccurate information, and not to report inaccurate information (15 U.S.C. 1681s-2)

34 WHAT ABOUT THE ADDRESS DISCREPANCY RULE? Address Discrepancies

35 ADDRESS DISCREPANCY RULE
 FACT Act Section 315
 FCRA Section 605(h)
 16 C.F.R. § 681.1

36 WHO’S COVERED?
 Users of credit reports

37 NOTICE OF ADDRESS DISCREPANCY
A “notice of address discrepancy” comes from a nationwide credit reporting agency and notifies the user of a substantial difference between:
 Address the user provided, and
 Address in the credit reporting company’s files
 “Nationwide credit reporting agency” (NCRA) – as defined in the FCRA

38 ENSURING ACCURACY
Regulatory requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the credit report relates to the consumer about whom the report was requested.

39 REASONABLE BELIEF
Establishing a “reasonable belief” ― examples:
 Compare information in the credit report to information the user:
Maintains in its records
Gets from third-party sources
Gets to comply with CIP rules
 Verify information in the credit report with the consumer

40 CONFIRMING ADDRESS
Regulatory requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user:
 Can form a reasonable belief that the report relates to the consumer
 Establishes a continuing relationship with the consumer
 Regularly furnishes information to the NCRA

41 ENFORCEMENT OF RULES
 Administrative enforcement under 15 U.S.C. 1681s (Section 621 of the FCRA)
 No private right of action for 16 C.F.R. 681.2
 State Attorneys General
 No criminal penalties

42 QUESTIONS? RedFlags@ftc.gov www.ftc.gov
