Lora Bentley spoke with Sai Huda, CEO and president of Compliance Coach, regarding the identity theft Red Flag Rules. Financial institutions and others must be fully compliant with the rules by Nov. 1, 2008. Compliance Coach's Compliance Pal is one tool companies can use to prepare.
Bentley: The Fair and Accurate Credit Transactions Act, which contains the Red Flag Rules, was passed in 2003, but it didn't become effective until January of this year. Why the five year wait?
Huda: The FACT Act is a significant piece of legislation that amended the Fair Credit Reporting Act (FCRA) and required a number of regulations to implement the law. Some of the regulations were required to be jointly issued by the various regulatory agencies as opposed to one agency such as the Federal Trade Commission (FTC). The Identity Theft Red Flags Regulation is one that required a joint rule. Whenever all of the agencies are involved, it takes a lot more time to put together a rule that everyone can agree on. Add to that, the rule required a proposed rule. There were many comments from consumers, businesses and others that required careful consideration. All of this plus other hot issues requiring the immediate attention of regulators delayed the issuance.
Bentley: What are the Red Flag Rules, exactly? How did they come about?
Huda: According to the FTC, each year over 8 million consumers fall victim to identity theft, and over $15 billion in losses are caused by fraudsters. Identity theft is a growing crime affecting not only consumers but also businesses negatively. Per the U.S. Secret Service, the agency that investigates identity theft, 50 percent of the time it is a business' poor internal controls and procedures that provide thieves the opportunity to steal consumer information and commit identity theft. Something had to be done to deter identity theft. As such, Congress added a provision to the FCRA to put the onus on businesses to take affirmative steps to prevent identity theft. Hence, the Identity Theft Red Flags Rules.
Bentley: When I saw the FTC alert a few weeks ago, it was the first I'd heard about such requirements. Why does there seem to be little awareness when the compliance deadline is less than six months away?
Huda: The Identity Theft Red Flags Rule became effective January 1, 2008, but compliance is not mandatory until November 1, 2008. This was to provide affected businesses ample time to get into compliance. However, whenever there is a long time period involved before a rule becomes mandatory, there is a tendency to think there is plenty of time to get into compliance. The regulators have informed affected entities and businesses about the rule and the need to get into compliance sooner than later. The FTC alert is an example of the effort to raise the awareness. However, the media and the press have not done enough stories about the Rule to increase the level of awareness. There is a tendency to think the deadline is months away and there will be plenty of time to talk about it and raise the awareness. This is a big mistake that will create a compliance challenge for thousands of affected businesses.
Complying with the rule is not an easy or quick task. Non-compliance risks are huge. Failing to comply creates civil fines, regulatory enforcement action, plaintiff lawsuits and harm to one's reputation. The bar has been raised. The Rule creates an affirmative obligation to prevent, detect and mitigate identity theft. That is why the Rule explicitly mandates the development and implementation of a written Identity Theft Prevention Program. Notice the word "Prevention" in the requirement. Affected entities and businesses must proactively look for red flags and take appropriate steps to prevent identity theft. Failing to do so is asking for not only regulatory penalties but plaintiff lawsuits. We expect a large number of lawsuits in the coming months against affected entities and businesses for non-compliance. The enforcer will be to a large extent the plaintiffs and class action lawyers. One must take this issue seriously and ensure full compliance.
Bentley: What do the rules require?
Huda: The Identity Theft Red Flags Rule requires that an affected entity or business perform a risk assessment to identify covered accounts. Then for each covered account it must consider from a list of 26 red flags that the Rule provides as a guide that may indicate possible identity theft when opening or servicing the covered account. The Rule also requires considering red flags from historical experience or other credible sources. Then for each red flag, an appropriate detection and response procedure must be mapped. All of this must then be incorporated into a written Identity Theft Prevention Program. This program must be approved by the board of directors of the affected entity or business. Then appropriate employees must be trained on the program in order to implement it. The program must also be updated periodically for changes in program elements, identity theft risk or if new products or accounts are offered. At least annually a report must be made to assess the effectiveness of the program.
As you can see, compliance will not be easy or quick. There is a lot of work that needs to be done to get into compliance. Then compliance must be ongoing. It will take hundreds of hours and thousands of dollars for compliance. Unfortunately, most affected entities or businesses are vastly underestimating the impact. While some have started their compliance efforts, the majority have not even started. It will be quite challenging for thousands of businesses to get into compliance before the deadline date.
Bentley: To whom do they apply?
Huda: The Rule applies to a financial institution or a creditor. So it not only applies to every single bank, thrift and credit union, but also thousands of other entities that are considered a creditor. The Rule uses the definition of a creditor as under the ECOA, so the coverage is very broad. It is anyone that makes a credit decision or is involved in a credit decision. The Rule also applies to an account for personal, family or household purposes with multiple payments or transactions. It also applies to any other account with a reasonably foreseeable risk of identity theft. This is the sleeper. So it affects a very large population of entities and businesses that include mortgage brokers, mortgage lenders, consumer finance companies, small business lenders, motor vehicle dealers, utility companies, municipalities, phone companies, among many others. Approximately 2 million entities and businesses are affected and must comply before the deadline date.