Friday, April 25, 2008

Red Flags Rules Mandate Identity Risk Analysis, Management

MBA (4/25/2008) Palaparty, Vijay
Government issuance of Identity Theft Red Flags Rules requires all financial institutions and creditors to develop and implement an identity theft prevention program. The mandate presents an active opportunity for companies to assess risk areas and create a plan to combat risk.
Several government agencies, including the Federal Trade Commission and the Federal Deposit Insurance Corp., jointly issued final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. Section 114 requires companies to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. Additionally, agencies are issuing guidelines to assist financial institutions and creditors in formulating and maintaining a program that satisfies the requirements of the rules.

“Banks, mortgage lenders, brokers, payday lenders—any financial institution or creditor is affected by this rule and each of these entities has to do a risk assessment of covered accounts,” said Sai Huda, CEO of ComplianceCoach, San Diego. “They have to determine the level of risk of identity theft and then identify corresponding red flags.”

The rules provide 26 types of red flags, grouped into five categories. But the agencies also encourage companies to identify more red flags based on external red flag sources such as identity theft schemes.

“If you see a red flag, then you have to do something about it,” Huda said. “You have to look for it, detect it and respond to it. Beyond identifying, a detection response mapping has to take place. This is not just a technical requirement; it’s an affirmative obligation to prevent identity theft for companies and their consumers.”

As part of the procedure, companies are required to train employees and also monitor changes in business and new risks, regularly updating the program. New products, accounts, lines of business and schemes all have to be accounted for in the system. The rules also require companies to conduct a self-audit that is presented to the board. Federal or state regulators would also conduct an audit for compliance.

“The rules apply to covered accounts—accounts that are offered for personal, family or household purposes,” Huda said. “A mortgage loan is a good example. The general covered loan is a mortgage but there is a sleeper in the rule. Companies need to know if they have any other accounts that also have a foreseeable chance of identity theft.”

For example, Huda said commercial mortgage loans might not qualify for companies that have non-consumer accounts. "But what if there were identity theft on commercial mortgage borrower accounts? As you see, there are risks and you need to bring them all into your coverage," he said. "Eventually, the effort is all about risk management and leads to an overall coverage. It’s a broad rule that’s affirmative."

ComplianceCoach offers a web-based tool, CompliancePal, targeted toward lenders to help them achieve compliance. The service provides a questionnaire for lenders to complete and the software produces an assessment. It includes the 26 red flags already included in the rules, but Huda said it will add 17 new red flags to the list this month. CompliancePal also provides training for employees in areas of risk management and identity theft.

“If a lender has a weak program, either external or internal identity theft could take place and result in negative publicity, loss of customers and high legal costs," Huda said. "What we’re telling the industry is that complying with the rule is not a cost of doing business. It’s goodwill and revenue enhancement.”

The rules could be seen as yet another demand, and some may treat them as just another requirement, but Huda saw the measure as highly beneficial. “It’s goodwill-building. When identity theft takes place, no one wins and most importantly, the consumer is damaged and angry and will certainly blame the lender or broker—the person who has the information.”

The rules could also contribute to eliminating fraud in the industry—weeding out bad actors who take advantage of unsuspecting borrowers. “Identity theft happens knowingly or unknowingly," Huda said. "What the rules bring are higher standards and lenders will look at brokers for compliance and borrowers will look at both lenders and borrowers for compliance.”
