What are Red Flag Rules?

The Red Flag Rules, under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), require businesses and organizations to create and implement an Identity Theft Prevention Program (ITPP). The ITPP is designed to detect, prevent, and mitigate the red flags of identity theft. Organizations must ensure their written program is published and maintained in compliance with relevant federal guidelines, including those found in the Federal Register and the Code of Federal Regulations.

Identity theft is the unauthorized use of another person's identifying information. Identity thieves and scam artists exploit stolen identities at a staggering cost to individuals and institutions alike. Identifying information can mean any name or number that may be used to identify a specific person, like:

  • Name, Social Security Number (SSN), date of birth, driver's license number, alien registration number, government passport number, company identification number, and taxpayer identification number.
  • Unique biometric data like fingerprints, voice prints, retina or iris images, and other physical representations.
  • Distinctive electronic identification number, address, or routing code.
  • Telecommunication identifying information or access device, including telephone numbers and pager information.

What are the four Elements Of The Red Flags Rule?

The four elements of the Red Flags Rule are the key elements of an identity theft prevention program. The identity theft prevention program's development, implementation, and continued administration are stated under the Red Flags Rule. The Red Flag Rule's four basic elements for an identity theft framework are:

A program that includes rational policies and procedures to identify the relevant red flags of identity theft. The red flags of identity theft happen in the day-to-day operations of businesses or organizations, and the program must reflect patterns, practices, and specific activity associated with fraudulent activity.

A program should be able to detect red flags that are identified by the businesses or organizations. Businesses or organizations, for example, must have procedures to identify forged or altered documents, fraudulent use of identification cards, and fake IDs if they are set as red flags.

A program must dictate the appropriate steps to respond once red flags are detected, including steps to prevent identity theft, monitor accounts, and report information to relevant authorities or law enforcement.

A program should describe in detail the procedures for updating it in response to new and evolving threats, including changes arising from mergers, acquisitions, joint ventures, and arrangements with service providers.

How do Red Flags Rules Work?

The Red Flags Rule requires financial institutions and creditors to focus on identifying relevant red flags. Red flags are found in account opening activities, existing account maintenance, and new activity on an account that has been dormant for two years or more. The program must also consider risk factors such as the complexity of accounts, the nature of service connections, and the reasonably foreseeable risks posed to customers and the organization. The mandatory requirements are:

To keep a current, written Identity Theft Prevention Program (ITPP), which includes rational policies and procedures to recognize, detect, and respond to red flags, and to keep the program updated. The board of directors or an appropriate committee of senior management must be involved in approving and overseeing the program.

To confirm that the consumer reports from the consumer reporting agencies are related to the consumer whom the financial institution or creditor is doing business with, including verifying address discrepancies and reviewing credit information.

To review address discrepancies, including situations where a mail drop or mail sent to an address does not match the address on file.

To train staff and employees to carry out the program, assigning specific responsibility for implementation and ensuring employees understand their role in detecting and responding to red flags.

To incorporate methods for monitoring a covered account for unusual use, unauthorized charges, unauthorized access, and suspicious activity, including cash advances and changes in spending patterns.

Why were Red Flag Rules created?

The Red Flags Rule was created as a response to the increasing threats to the integrity and privacy of personal information. These threats result from the growth and development of information technology and electronic communication, which allow the collection, maintenance, and transfer of personal data with ease. Identity thieves and scam artists have taken advantage of these developments to commit and attempt fraud, often draining accounts and damaging credit at a staggering cost to victims. These technological advancements and the threats attributed to them are the building blocks of the Red Flags Rule.

The Red Flags Rule was formed under the Fair Credit Reporting Act of 1970 (FCRA). The FCRA was amended in 2003 and required federal agencies to issue joint rules and guidelines for the detection, prevention, and mitigation of identity theft. These federal agencies include:

  • Office of the Comptroller of the Currency (OCC)
  • Board of Governors of the Federal Reserve System
  • Federal Deposit Insurance Corporation (FDIC)
  • Office of Thrift Supervision (OTS)
  • National Credit Union Administration (NCUA)
  • Federal Trade Commission (FTC)

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) amended the FCRA. The FCRA added the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) to the list of federal agencies that must jointly adopt and individually enforce the Red Flags Rule. The Red Flags rules and guidelines were made public in February 2012 by the joint commission of CFTC and SEC, and can be found in the relevant notices published in the Federal Register under 1681m and Appendix A of the applicable regulations.

What is a Red Flag checklist?

The Red Flags checklist is a set of five categories that the Federal Trade Commission (FTC) recommends to financial institutions and creditors as a guide. Financial institutions and creditors can use them as a launch point, supplementing the list with additional relevant red flags specific to their operations. The five categories of Red Flags are:

Warnings, notification alerts, alarms, or notifications from a consumer reporting agency, including active duty alerts, fraud alerts, or a credit freeze placed by a consumer.

Suspicious documents, including government-issued identification cards, driver's licenses, or other official state documents that appear forged, altered, or inconsistent with the photograph or description on file.

Unusual use of, or suspicious activity related to, a covered account, such as a pattern of unusual number of transactions, first payment defaults, or no history of activity followed by sudden high-value activity.

Suspicious personal identifying information, such as a suspicious inconsistency with a surname, address, telephone number, taxpayer identification number, or Social Security numbers belonging to deceased persons or minors, as identified through the Social Security Administration's Death Master File.

Notifications from customers, law enforcement authorities, or other businesses and victims of identity theft about possible identity thefts on specified accounts, including notices received by mail, email, or telephone.

Who Does The Red Flags Rule Apply To?

The Red Flags Rule applies to financial institutions and creditors. Financial institutions are defined as:

All banks, savings associations, savings and loan associations, mutual savings banks, federal savings banks, federal credit unions, and credit unions. Any other person that has a direct or indirect consumer transaction account, including those offering margin accounts or other financial products that permit multiple transactions. Identity relational and behavioral anomalies. SSNs belonging to deceased persons or minors. Consumer statements on credit files. Identity verification issues. Social security number issuance and misuse. Address misuse. Phone number misuse. Synthetic fraud.

Creditors can be determined according to the Red Flags Rule by answering "YES" to any of the following questions:

  • Does the business or institution regularly defer payment for goods and services?
  • Does the business or institution grant or arrange credit?
  • Does the business or institution participate in the decision to renew, extend, or set credit terms?

If the answer to all of the questions above is "NO," these are the follow-up questions:

  • Does the business or institution regularly request, acquire, and use consumer reports about a credit transaction?
  • Does the business or institution regularly turn in information to credit reporting agencies regarding a credit transaction?
  • Does the business or institution provide funding to someone who must repay them, whether with funds or pledged property as collateral?

The Red Flags Rule also applies to functionally regulated subsidiaries of insured depository institutions, including third-party service providers engaged in relevant activities. Functionally regulated subsidiaries are companies that are not bank holding companies or depository institutions, and those are:

  • Brokers or dealers that are registered under the Securities Exchange Act.
  • Registered investment advisors that are registered with the SEC.
  • Investment firms that are registered under the Investment Company Act of 1940.
  • Insurance companies that are subject to state insurance regulator supervision.
  • Entities that are regulated by the CFTC.

What are the Red Flags Rule requirements for Banks?

The Red Flags Rule requires financial institutions and creditors to establish an ITPP. An ITPP has the ability to detect, prevent, and mitigate identity theft. Senior management and the board of directors must approve, oversee, and continue to evaluate the program, assigning specific responsibility to employees and staff to carry out its provisions. The identity theft prevention program guidelines are:

Definitions of financial institutions and creditors, including national banks, federal savings institutions, and federal credit unions, that must develop and implement a written ITPP. Objectives of the ITPP. Elements that the ITPP must contain, including four core components set forth under the Red Flags Rule framework. Steps that financial institutions and creditors need to take to administer the ITPP, including how to train staff, work with service providers, and supplement the program as new threats emerge.

Financial institutions and creditors are required to conduct a periodic risk assessment. A periodic risk assessment identifies if the financial institutions and creditors have covered accounts. Covered accounts are accounts that are maintained by financial institutions and creditors to protect against identity theft, such as:

  • Consumer accounts that permit multiple payments or transactions for personal, family, or household purposes, including:
        1. Credit card accounts
        2. Mortgage loans
        3. Automobile loans
        4. Checking accounts
        5. Savings accounts
  • Other accounts that have reasonably foreseeable identity theft risks — including financial, operational, compliance, reputation, or litigation risks — to customers, financial institutions, or creditors, such as:
        1. Small business accounts
        2. Sole proprietorship accounts
        3. Single transaction consumer accounts