FIGHTING FRAUD WITH THE RED FLAGS RULE & ENSURING ACCURACY WITH THE ADDRESS DISCREPANCY RULE
Tiffany George, Attorney, Division of Privacy & Identity Protection, Federal Trade Commission

WHAT’S ON YOUR MIND
• So what is the Red Flags Rule?
• Who’s covered by the Red Flags Rule?
• If we’re covered by the Red Flags Rule, what do we need to do?
• How do we design an Identity Theft Prevention Program?
• What are the Red Flag Guidelines?
• What about the Address Discrepancy Rule?

THE FACT ACT
Fair and Accurate Credit Transactions Act of 2003, amending the Fair Credit Reporting Act (FCRA)
RULES: 72 Fed. Reg. 63718 (November 9, 2007)
www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
(FTC Rules p. 63771-63773, Guidelines p. 63773-63774, Supplement p. 63774)

BACKGROUND
• Joint rulemaking
• Final rules published November 9, 2007
• Compliance required by November 1, 2008, but enforcement forbearance for the Red Flags Rule until May 1, 2009, for entities under FTC jurisdiction

SO WHAT IS THE RED FLAGS RULE?
Red Flags Rule

RED FLAGS RULE
• FACT Act Section 114
• FCRA Section 615(e)
• 16 C.F.R. § 681.2

PURPOSE OF THE RED FLAGS RULE
• To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products or services with no intention of paying.
    • A “red flag” is a pattern, practice, or specific activity that could indicate identity theft
• It’s not just another data security regulation.

STRUCTURE OF THE RED FLAGS RULE
• Risk-based rule
• Guidelines (Appendix A)
• Supplement A – 26 examples of red flags

WHO’S COVERED BY THE RED FLAGS RULE?
Red Flags Rule

WHO’S COVERED BY THE RED FLAGS RULE?
• Financial institutions
• Creditors

WHO’S COVERED BY THE RED FLAGS RULE?
From the FCRA, a “financial institution” is:
• A state or national bank
• A state or federal savings and loan association
• A mutual savings bank
• A state or federal credit union, or
• Any other person that directly or indirectly holds a transaction account* belonging to a consumer
* From the Federal Reserve Act, Section 19(b) – an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others

WHO’S COVERED BY THE RED FLAGS RULE?
From the ECOA, a “creditor” is:
• Any person who regularly extends, renews, or continues credit
• Any person who regularly arranges for the extension, renewal, or continuation of credit, or
• Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit
• A “person” means “a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association.”
• “Credit” means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services.

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
Red Flags Rule

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
• Financial institutions and creditors must conduct a periodic risk assessment to determine if they have “covered accounts.”
• If they do, they must develop, implement, and administer a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
    • the opening of a covered account, or
    • any existing covered account.

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
An “account” is:
• A continuing relationship established by a person with an FI or creditor to obtain a product or service for personal, household, or business purposes.

IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE HAVE TO DO?
A “covered account” is:
• A consumer account designed to permit multiple payments or transactions, and
• Any other account for which there is a reasonably foreseeable risk from identity theft
* Risk factors
    1. Methods provided to open the account
    2. Methods provided to access the account
    3. Previous experiences with identity theft

HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?
Red Flags Rule

DESIGNING YOUR PROGRAM
Develop reasonable processes and procedures for:
• STEP #1 – Identify relevant red flags. Identify the red flags you’re likely to come across in your business that indicate a crook is using someone else’s information to get your products or services with no intention of paying.
• STEP #2 – Detect red flags. Set up procedures to detect them in your day-to-day operations.
• STEP #3 – Prevent and mitigate identity theft. When you spot the red flags you’ve identified, respond appropriately to prevent and mitigate harm.
• STEP #4 – Update your Program. The risks of identity theft can change rapidly, so keep your Program current and educate your staff.

DESIGNING YOUR PROGRAM
The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

USING THE GUIDELINES
The Rules require you to:
• Consider the Guidelines
• Incorporate appropriate Guidelines into your Program