
What are the FACT Act Red Flags Rules?

Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) were revised in October 2007. The changes require financial institutions and creditors to take specific actions to detect, prevent, and mitigate loss due to identity theft. They are known as “The Red Flags Rules.” You may be surprised to find that you are a creditor.

Red Flags

In October 2007, the Joint Committee of the Office of the Comptroller of Currency (OCC), the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), and the Federal Trade Commission passed final legislation for sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). They are known as Red Flag Regulations and Guidelines.

Purpose: The Red Flag Regulations and Guidelines require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. The final rules also require users of consumer reports to implement policies and procedures for address discrepancy notices from consumer reporting agencies. Furthermore, credit and debit card issuers must have policies and procedures in place to assess the validity of a change of address that is immediately followed by a request for replacement or additional cards.

Compliance Deadline: Effective January 1, 2008. The initial deadline for compliance was November 1, 2008. The current deadline for compliance is May 1, 2009.

Companies that Must Comply: Financial institutions and creditors must comply with Red Flag Regulations and Guidelines.

The term creditor is defined by the Equal Credit Opportunity Act as any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. According to the same Act, the term “credit” means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment thereof.

Examples include:

Defining Covered Accounts. Both new and existing accounts where a continuing relationship exists between the company and the customer must be addressed in the Identity Theft Prevention Program. They are defined by the regulation as “covered accounts.” There are two definitions.

  1. An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, which involves or is designed to permit multiple payments or transactions. Examples include a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.
  2. Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or mitigation risks.

Elements of Red Flags. There are four basic elements to Red Flags Regulations and Guidelines.

Element One: Identify Red Flags

Each financial institution or creditor that is subject to the regulation must identify patterns, practices, or specific activities that indicate the possible risk of identity theft. These items are known as “red flags.” In doing so, the organization must consider which of its accounts are subject to the risk of identity theft; the methods it provides to open its accounts; the methods it provides to access its accounts; its size, location, and customer base; and its previous experiences with identity theft. Examples are provided in section 114, subpart J, Appendix A of FACTA.

Element Two: Detect Red Flags

The regulation states that the Identity Theft Prevention Program should address the detection of Red Flags in connection with the following:

  1. The opening of new covered accounts by obtaining identifying information and verifying the identity of the person opening the account, using the policies and procedures set forth in the CIP rules of section 326 of the USA PATRIOT Act.
  2. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests in existing covered accounts.

Element Three: Responding to Red Flags

The Identity Theft Prevention Program must address the risk of identity theft to the customer and to the financial institution or creditor, commensurate with the degree of risk posed. The regulation provides an illustrative list of appropriate measures, which includes:

Element Four: Updating the Program

The financial institution or creditor should periodically update its Identity Theft Prevention Program considering its own experiences with identity theft, changes in the methods of identity theft, changes in methods to detect, prevent, and mitigate identity theft, changes in accounts that it offers and maintains, and changes in its business arrangements.

Administration of the Identity Theft Prevention Program. The regulation describes the steps that a financial institution or creditor must take to administer the Identity Theft Prevention Program, including obtaining approval of the initial written program; ensuring oversight of its development, implementation, and administration; training staff; and overseeing service provider arrangements.

  1. The Initial Program must be adopted in writing by the Board of Directors, a committee of the board, or a designated member of senior management.
  2. The Board of Directors, a committee of the board, or a designated member of senior management must oversee, develop, implement, and administer the Identity Theft Prevention Program.
  3. The responsible committee or person must report to the Board of Directors, at least annually, on the effectiveness of the program and on significant events and the response to them, and must make recommendations for material changes.
  4. Service providers performing activities in connection with covered accounts must have an Identity Theft Prevention Program.
  5. Financial institutions or creditors must train staff as necessary to effectively implement the program.

This information is not intended to be relied on as a complete and accurate interpretation of the law for any person or entity. Identity Theft Loss Prevention, LLC is not providing legal advice for specific companies or financial institutions. Please consult your legal counsel before taking action on this information.