Identity theft "Red Flag" rules hit in November

As part of its ongoing effort to battle the growing identity theft blight, the Federal Trade Commission  today outlined the programs banks and other financial institutions must offer for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Banks and other financial institutions typically account for about half of the identity theft complaints filed with the FTC and a recent survey showed Bank of America, JP Morgan, Capital One and Citibank topping the FTC list. That’s one of the reasons why under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.

The FTC, federal bank regulatory agencies, and the National Credit Union Administration (NCUA) issued the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003.

The final rules which must be in place by November 1, 2008, require financial  and credit institutions that hold any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts, the FTC said.

The program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:  

·          Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the program;

·          Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and

·          Ensure the program is updated periodically to reflect changes in risks from identity theft

Red Flags include such activities as:

·          alerts, notifications, or warnings from a consumer reporting agency; suspicious documents;

·          suspicious personally identifying information, such as a suspicious address;

·          unusual use of – or suspicious activity relating to – a covered account; and

·          notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.    

Of course it is unclear what would happen if an institution did not comply with the Red Flag requirements.     

Last week in an effort to buttress its enforcement and better understand the scourge that is identity theft, the FTC said it plans to conduct a wide-ranging study of victims of the crime.    The FTC is looking for people harmed by the crime and said the survey will examine the remedies available to victims under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, the FACT Act gave consumers the right to place fraud alerts on their credit files if they are, or suspect they may become, victims of identity theft; block information on their credit reports that resulted from identity theft; and obtain copies of their credit reports free of charge.    

The FTC in February released the list of top consumer fraud complaints for 2007 and showed that for the seventh year in a row, identity theft is the number one problem and it is showing no signs of letting up. Of 813,899 total complaints received in 2007, 258,427, or 32%, were related to identity theft. Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.     

Over the past five years, 43 U.S. states have adopted data breach notification laws, but such legislation has not cut down on identity theft.   

Layer 8 in a box

Check out these other hot stories:

All hail the IBM mainframe: PSI genuflects, for a price

FTC recruiting identity theft victims

Rocket Racing League primed for blast off

NSFnet celebrates 20 years of Internet obscurity, inspiration

Converged networks challenge Homeland Security

Tiny satellite set to hunt asteroids


Copyright © 2008 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022