Is Your CU Ready, or Will You Wave a Red Flag?
Aug. 1 marks the date that financial institutions and other creditors must be in compliance with the Red Flag provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
The Red Flags rules initially went into effect on Jan. 1, 2008, with little comment or debate. The deadline for compliance was Nov. 1, 2008. The Federal Trade Commission (FTC) then announced that the deadline would be extended for entities under its jurisdiction, which was regarded as good fortune. Anecdotal evidence suggests that many financial institutions are not ready, and some estimates indicate that only one-third of U.S. financial institutions would have been compliant by the Nov. 1 deadline.
While the FTC's decision provides an additional six months for those particular organizations to comply with the Red Flags provisions, including state-chartered credit unions, it does not afford them a "Get Out of Jail Free" card. Legally, the FTC cannot push back the previous deadline for any organization; what the FTC is essentially doing is saying they will not prosecute for non-compliance for another six months. As a result, any credit union that has not been in compliance, particularly federal credit unions that were not specified in the deadline extension, is exposed to potential lawsuits from plaintiff attorneys.
In order to be compliant, any "financial institution and creditor that holds any customer account, or other account, for which there is a reasonably foreseeable risk of identity theft" must develop an identity theft prevention program. The rules have four principal components:
- Identification of activity that may signal possible identity theft;
- Ongoing detection of the red flags that have been identified;
- Ability to respond effectively to red flags to prevent and mitigate theft; and
- Periodic review and updating of red flags and procedures to keep pace with emerging threats.
In addition to the four principal components above, the Red Flag provisions state that the identity theft prevention program must be written and managed by the board of directors or senior employees of the credit union. Credit unions must ensure that there is training for all appropriate staff members as well as proper oversight of any service providers. Both of these are considered aspects of a Red Flag rules-compliant identity theft prevention program and can be examined by the FTC when judging whether a credit union's identity theft program meets the regulations.
The first step credit unions should take is conducting a thorough risk assessment with clear and comprehensive criteria for how different areas of the business are assessed. Among the criteria that should be evaluated are the types of accounts offered by the organization, the methods of opening and accessing such accounts, and the organization's prior experience with identity theft.
There is no one-size-fits-all approach to compliance, and the Red Flag rules give credit unions the ability to deploy measures that are tailored to their business. A successful identity theft prevention program will take into account the size and complexity of the institution and the nature of its operations.
The second phase requires the credit union to develop the set of policies and procedures it will need, based on the findings of the risk assessment, to protect itself and its customers. These policies must be written and designed to protect against identity theft in new and existing accounts. The written policy should contain: a list of relevant red flags (including, but not limited to, those outlined by the government); procedures detailing how the credit union intends to monitor for these red flags; and procedures for how the credit union will respond when red flags are detected.
The actual red flags will differ by industry, but CUs should be looking for unusual account activity, fraud alerts on a member's consumer report, or suspicious account documents, including those related to an application to open or update an account.
The last stage is the implementation of the developed policy, which should be immediate. Once the policy is in place, credit unions should monitor for red flags consistently and periodically review their procedures for evolving risks. For credit unions, an important time to look for red flags is account origination, when identifying information is being submitted, often for the first time.
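The three phases above (a written list of red flags with monitoring and response procedures, detection at account origination and on account updates, and periodic updating of the list) can be modelled in a small program. The following is an added illustration, not code from the article or from LexisNexis; every red flag, field name, threshold and response text in it is an assumption chosen for illustration, and the member events are constructed.

```python
# Added example (not from the article): a minimal rule-based red-flag program that
# mirrors the four required components: a catalogue of identified red flags,
# detection of those flags on account events, a mapped response for each flag,
# and a periodic update step. All flags, fields, thresholds and responses below
# are assumptions for illustration; the sample events are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class AccountEvent:
    """One account-opening or account-update event (assumed shape)."""
    event_type: str                 # "account_open" or "account_update"
    member_id: str
    applicant_name: str
    name_on_id_document: str        # name printed on the presented ID
    address_on_application: str
    address_on_consumer_report: str
    consumer_report_fraud_alert: bool
    address_changes_last_30d: int = 0


@dataclass
class RedFlag:
    """An identified red flag: how to detect it and how staff should respond."""
    flag_id: str
    description: str
    detect: Callable[[AccountEvent], bool]
    response: str


def _norm(s: str) -> str:
    """Normalise strings so cosmetic differences (case, spacing) are not flagged."""
    return " ".join(s.split()).casefold()


def build_catalog() -> List[RedFlag]:
    """Component 1: the written list of red flags (assumed examples)."""
    return [
        RedFlag("RF-01", "Fraud alert present on the member's consumer report",
                lambda e: e.consumer_report_fraud_alert,
                "Hold the request until the applicant is verified at the number on the alert."),
        RedFlag("RF-02", "Address on application does not match consumer report",
                lambda e: _norm(e.address_on_application) != _norm(e.address_on_consumer_report),
                "Request a second proof of address before proceeding."),
        RedFlag("RF-03", "Name on presented ID does not match application",
                lambda e: _norm(e.name_on_id_document) != _norm(e.applicant_name),
                "Escalate to a supervisor; hold the application."),
        RedFlag("RF-04", "Unusual activity: three or more address changes in 30 days",
                lambda e: e.event_type == "account_update" and e.address_changes_last_30d >= 3,
                "Freeze address changes and contact the member at a previously verified number."),
    ]


def evaluate(event: AccountEvent, catalog: List[RedFlag]) -> List[Dict[str, str]]:
    """Components 2 and 3: detect every red flag on the event and attach its mapped response."""
    return [{"flag_id": rf.flag_id, "description": rf.description, "response": rf.response}
            for rf in catalog if rf.detect(event)]


def add_red_flag(catalog: List[RedFlag], new_flag: RedFlag) -> List[RedFlag]:
    """Component 4: periodic review adds a flag; ids stay unique so records are unambiguous."""
    if any(rf.flag_id == new_flag.flag_id for rf in catalog):
        raise ValueError(f"duplicate red flag id {new_flag.flag_id}")
    return catalog + [new_flag]


# Constructed sample events (fictional members).
SAMPLE_EVENTS = [
    AccountEvent("account_open", "M-1001", "Jane Doe", "Jane Doe",
                 "12 Elm St, Springfield", "12 Elm St, Springfield", False),
    AccountEvent("account_open", "M-1002", "John Roe", "John Roe",
                 "9 Oak Ave, Shelbyville", "9 Oak Ave, Shelbyville", True),
    AccountEvent("account_open", "M-1003", "Ann Poe", "Ann Poe",
                 "1 Main St, Capital City", "77 Side Rd, Ogdenville", False),
    AccountEvent("account_update", "M-1004", "Sam Loe", "Samuel Low",
                 "5 Pine Ct, North Haverbrook", "5 Pine Ct, North Haverbrook", False,
                 address_changes_last_30d=3),
]


def run_program(events: List[AccountEvent],
                catalog: Optional[List[RedFlag]] = None) -> Dict[str, List[str]]:
    """Run detection over a batch and return member_id -> list of triggered flag ids."""
    catalog = catalog or build_catalog()
    return {e.member_id: [hit["flag_id"] for hit in evaluate(e, catalog)] for e in events}


if __name__ == "__main__":
    for member, flags in run_program(SAMPLE_EVENTS).items():
        print(member, flags or "no red flags")
```

The point of keeping each red flag as a record with its own id, detection test and response text is that the catalogue doubles as the written policy the rules require: the list of flags, the monitoring procedure and the response procedure are one artifact that the board can review and that `add_red_flag` extends during the periodic update.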
Organizations are expected to report on the effectiveness of their policies, including whether service providers are implementing adequate safety procedures, significant security incidents, recommendations for material changes to the program, and so on. Forms of identity theft are constantly evolving, and it is in the best interest of the credit union to keep updating its program in order to keep pace with them.
Identity theft is costly and destructive; business and consumer losses totaled $56.6 billion in 2005 alone. The failure to comply with regulations such as the Red Flags rules, designed to mitigate the negative effects of identity theft, can be even more disruptive and costly.
In order to avoid such losses, coupled with regulatory fines, costly investigations and potential lawsuits, it is imperative that all affected institutions quickly implement the most effective, compliant identity theft prevention program possible.
Deb Geister is Director of Fraud Prevention & Compliance Solutions with LexisNexis Risk & Information Analytics Group.