--by Matt Ehrlich

On Friday, October 30th, the FTC again delayed enforcement of the “Red Flags” Rule – this time until June 1, 2010 – for financial institutions and creditors subject to the FTC’s enforcement.   Here’s the official release: http://www.ftc.gov/opa/2009/10/redflags.shtm

But this doesn’t mean, until then, businesses get a free pass.  The extension doesn’t apply to other federal agencies that have enforcement responsibilities for institutions under their jurisdiction.  And the extension also doesn’t alleviate an institution’s need to detect and respond to address discrepancies on credit reports.

Red Flag compliance

Implementing best practices to address identity theft under the Red Flags Rule is not just the law, it’s good business. The damage to reputations and consumer confidence from a problem gone unchecked or worse yet – unidentified – can be catastrophic.  I encourage all businesses – if they haven’t already done so – to use this extension as an opportunity to proactively secure a Red Flags Rule to ensure Red Flag compliance.  It’s an investment in protecting their most important asset – the customer.



 


--by Matt Ehrlich

In my last entry, I talked about the challenges clients face in trying to meet multiple and complex regulatory requirements, such as FACT Act’s Red Flags Rule and the USA Patriot Act.  While these regulations serve both different and shared purposes, there are some common threads between the two:

1. You must consider the type of accounts and methods of account opening: The type of account offered - credit or deposit, consumer or business – as well as the method of opening – phone, online, or face-to-face – has a bearing on the steps you need to take and the process that will be established.

2. Use of consumer name, address, and identification number: The USA Patriot Act requires each of these – plus date of birth – to open a new account.  Red Flags stops short of “requiring” these for new account openings, but it consistently illustrates the use of these Personally Identifiable Information (PII) elements as examples of reasonable procedures to detect red flags.

3. Establishing identity through non-documentary verification: Third party information providers, such as a credit reporting agency or data broker, can be used to confirm identity, particularly in the case where the verification is not done in person.

Knowing what’s in common means you can take a look at where to leverage processes or tools to gain operational and cost efficiencies and reduce negative impact on the customer experience.  For example, if you’re using any authentication products today to comply with the USA Patriot Act and/or minimize fraud losses, the information you collect from consumers and authentication steps you are already taking now may suffice for a large portion of your Red Flags Identity Theft Prevention Program. 

And if you’re considering fraud and compliance products for account opening or account management – it’s clear that you’ll want something flexible that not only provides identity verification, but also scales to the compliance programs you put in place, and those that may be on the horizon.



 


--by Matt Ehrlich

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis.  And meeting today’s regulatory requirements is more complicated than ever.  Risk managers and compliance officers are asked to consider many questions, including:

1. Do FACTA Sections 114 and 315 apply to me?
2. What do I have to do to comply?
3. What impact does this have on the customer’s experience?
4. What is this going to cost me in terms of people and process?

Interpretation of the law or guideline – including who it applies to and to whom it does not - varies widely.  Which types of businesses are subject to the Red Flags Rule?  What is a “covered account?”  If you’re not sure, you’re not alone - it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule, while this healthy debate continues.

And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay? But we’re not talking about just protecting consumers from identity theft and reducing fraud and protecting themselves using the Identity Theft Prevention Program.

The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering.  Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly.

So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule which causes heartburn for those tasked with compliance…but are there some common themes and requirements across the two?  The short answer is Yes.  In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.


 


--by Kennis Wong

In Part 1 of Generic fraud score, we emphasized the importance of a risk-based approach when it comes to fraud detection. Here are some further questions you may want to consider.

What is the performance window?

When a model is built, it has a defined performance window. That means the score is predicting a certain outcome within that time period. For example, a traditional risk score may be predicting accounts that are decreasing in twenty-four months. That score may not perform well if your population typically worsens in two months. This question is particularly important when it relates to scoring your population. For example, if a bust-out score has a performance window of three months, and you score your accounts at the time of acquisition, it would only catch accounts that are busting-out within the next three months. As a result, you should score your accounts during periodic account reviews in addition to the time of acquisition to ensure you catch all bust-outs.  Therefore, bust out fraud is an important indicator. 

Which accounts should I score?

While it’s typical for creditors to use a fraud score on every applicant at the time of acquisition, they may not score all their accounts during review. For example, they may exclude inactive accounts or older accounts assuming those with a long history means less likelihood of fraud. This mistake may be expensive. For instance, the typical bust-out behavior is for fraudsters to apply for cards way before they intend to bust out. This may be forty-eight months or more. So when you think they are good and profitable customers, they can strike and leave you with serious injury. Make sure that your fraud database is updated and accurate.  As a result, the recommended approach is to score your entire portfolio during account review. 

How often do I validate the score?

The answer is very often -- this may be monthly or quarterly. You want to understand whether the score is working for you – do your actual results match the volume and risk projections? Shifts of your score distribution will almost certainly occur over time. To meet your objectives over the long run, continue to monitor and adjust cutoffs.  Keep your fraud database updated at all times.

 



--- by Kennis Wong

In this blog entry, we have repeatedly emphasized the importance of a risk-based approach when it comes to fraud detection. Scoring and analytics are essentially the heart of this approach.

However, unlike the rule-based approach, where users can easily understand the results, (i.e. was the S.S.N. reported deceased? Yes/No; Is the application address the same as the best address on the credit bureau? Yes/No), scores are generated in a black box where the reason for the eventual score is not always apparent even in a fraud database.

Hence more homework needs to be done when selecting and using a generic fraud score to make sure they satisfy your needs. Here are some basic questions you may want to ask yourself:

What do I want the score to predict?
This may seem like a very basic question, but it does warrant your consideration. Are you trying to detect these areas in your fraud database? First-party fraud, third-party fraud, bust out fraud, first payment default, never pay, or a combination of these? These questions are particularly important when you are validating a fraud model. For example, if you only have third-party fraud tagged in your test file, a bust out fraud model would not perform well. It would just be a waste of your time.

What data was used for model development?
Other important questions you may want to ask yourself include:  Was the score based on sub-prime credit card data, auto loan data, retail card data or another fraud database? It’s not a definite deal breaker if it was built with credit card data, but, if you have a retail card portfolio, it may still perform well for you. If the scores are too far off, though, you may not have good results. Moreover, you also want to understand the number of different portfolios used for model development. For example, if only one creditor’s data is used, then it may not have the general applicability to other portfolios.


-- by Kristan Keelan

What do you think of when you hear the word “fraud”?  Someone stealing your personal identity?  Perhaps the recent news story of the five individuals indicted for gaining more than $4 million from 95,000 stolen credit card numbers?  It’s unlikely that small business fraud was at the top of your mind.   Yet, just like consumers, businesses face a broad range of first- and third-party fraud behaviors, varying significantly in frequency, severity and complexity. Business-related fraud trends call for new fraud best practices to minimize fraud.

First let’s look at first-party fraud.  A first-party, or victimless, fraud profile is characterized by having some form of material misrepresentation (for example, misstating revenue figures on the application) by the business owner without  that owner’s intent or immediate capacity to pay the loan item.  Historically, during periods of economic downturn or misfortune, this type of fraud is more common.  This intuitively makes sense — individuals under extreme financial pressure are more likely to resort to desperate measures, such as misstating financial information on an application to obtain credit.  

Third-party commercial fraud occurs when a third party steals the identification details of a known business or business owner in order to open credit in the business victim’s name.  With creditors becoming more stringent with credit-granting policies on new accounts, we’re seeing seasoned fraudsters shift their focus to taking over existing business or business owner identities.

Overall, fraudsters seem to be migrating from consumer to commercial fraud.   I think one of the most common reasons for this is that commercial fraud doesn’t receive the same amount of attention as consumer fraud.  Thus, it’s become easier for fraudsters to slip under the radar by perpetrating their crimes through the commercial channel.   Also, keep in mind that businesses are often not seen as victims in the same way that consumers are.  For example, victimized businesses aren’t afforded the protections that consumers receive under identity theft laws, such as access to credit information.   These factors, coupled with the fact that business-to-business fraud is approximately three-to-ten times more “profitable” per occurrence than consumer fraud, play a role in leading fraudsters increasingly toward commercial fraud.
 


-- By Ken Pruett

Earlier this week I blogged about some of the other types of frauds that impact our customers such as “never pay” and “bust out” fraud. Today I want to touch a bit on some of the third party fraud scenarios that are often top of mind with our customers: identity theft; synthetic identities; and account takeover.  

Identity Theft
Identity theft usually occurs during the acquisition stage of the customer life cycle. Simply put, identity theft is the use of stolen identity information to fraudulently open up a new account.  These accounts do not have to be just credit card related. For example, there are instances of people using others’ identities to open up wireless phone and utilities accounts.

Recent fraud trends show this type of fraud is on the rise again after a decrease over the past several years.  A recent Experian study found that people who have better credit scores are more likely to have their identity stolen than those with very poor credit scores. It does seem logical that fraudsters would likely opt to steal an identity from someone with higher credit limits and available purchasing power.  This type of fraud gets the majority of media attention because it is the consumer who is often the victim (as opposed to a major corporation). 

Fraud changes over time and recent findings show that looking at data from a historical perspective is a good way to help prevent identity theft.  For example, if you see a phone number being used by multiple parties, this could be an indicator of a fraud ring in action.  Using these types of data elements can make your fraud models much more predictive and reduce your fraud referral rates. 

Synthetic Identities
Synthetic Identities are another acquisition fraud problem.  It is similar to identity theft, but the information used is fictitious in nature.  The fraud perpetrator may be taking pieces of information from a variety of parties to create a new identity.  Trade lines may be purchased from companies who act as middle men between good consumers with good credit and perpetrators who are creating new identities.   This strategy allows the fraud perpetrator to quickly create a fictitious identity that looks like a real person with an active and good credit history. 

Most of the trade lines will be for authorized users only.  The perpetrator opens up a variety of accounts in a short period of time using the trade lines. When creditors try to collect, they can’t find the account owners because they never existed.  As Heather Grover mentioned in her blog, this fraud has leveled off in some areas and even decreased in others, but is probably still worth keeping an eye on.  One concern on which to focus especially is that these identities are sometimes used for bust out fraud. 

The best approach to predicting this type of fraud is using strong fraud models that incorporate a variety of non-credit and credit variables in the model development process.  These models look beyond the basic validation and verification of identity elements (such as name, address, and social security number), by leveraging additional attributes associated with a holistic identity -- such as inconsistent use of those identity elements.

Account Takeover
Another type of fraud that occurs during the account management period of the customer life cycle is account takeover fraud.  This type of fraud occurs when an individual uses a variety of methods to take over an account of another individual. This may be accomplished by changing online passwords, changing an address or even adding themselves as an authorized user to a credit card.  

Some customers have tools in place to try to prevent this, but social networking sites are making it easier to obtain personal information for many consumers.  For example, a person may have been asked to provide the answer to a challenge question such as the name of their high school as a means to properly identify them before gaining access to a banking account.  Today, this piece of information is often readily available on social networking sites making it easier for the fraud perpetrators to defeat these types of tools. 

It may be more useful to use out of wallet, or knowledge-based authentication and challenge tools that dynamically generate questions based on credit or public record data to avoid this type of fraud. 


 


-- by Jeff Bernstein

So, here I am with my first contribution to Experian Decision Analytics’ collections blog, and what I am discussing has practically nothing to do with analytics. But, it has everything to do with managing the opportunities to positively impact collections results and leveraging your investment in analytics and strategies, beginning with the most important weapon in your arsenal – collectors.

Yes, I know it’s a bit unconventional for a solutions and analytics company to talk about something other than models; but the difference between mediocre results and optimization rests with your collectors and your organization’s ability to manage customer interactions.

Let’s take a trip down memory lane and reminisce about one of the true landscape changing paradigm shifts in collections in recent memory – the use of skill models to become payment of choice.

AT&T Universal Card was one of the first early adopters of a radical new approach towards managing an emerging Gen X debtor population during the early 1990s. Armed with fresh research into what influenced delinquent debtors into paying certain collectors while dodging others, they adopted what we called a “management systems” approach towards collections.

They taught their entire collections team a new set of skills models that stressed bridging skills between the collector and the customer, thus allowing the collector to interact in a more collaborative, non-aggressive manner. The new approach enabled collectors to more favorably influence customer behavior, creating payment solutions collaboratively that allowed AT&T to become “payment of choice” when competing with other creditors competing for share of wallet.

A new set of skill metrics, which we now affectionately call our “dashboard,” were created to measure the effective use of the newly taught skill models, and collectors were empowered to own their own performance – and to leverage their team leader for coaching and skills development. Team developers, the new name for front line collection managers, were tasked with spending 40-50% or more of their time on developmental activities, using leadership skills in their coaching and development activities.  

The game plan was simple.

• Engage collectors with customer focused skills that influenced behavior and get paid sooner.
• Empower collectors to take on the responsibility for their own development.
• Make performance results visible top-to-bottom in the organization to stimulate competitiveness, leveraging our innate desire for recognition.
• Make leaders accountable for continuous performance improvement of individuals and teams.

It worked. AT&T Universal won the Malcolm Baldrige National Quality Award in 1992 for its efforts in “delighting the customer” while driving their delinquencies and charge-offs to superior levels. A new paradigm shift was unleashed and spread like wildfire across the industry, including many of the major credit card issuers and top tier U.S. banks, and large retailers.

Why do I bring this little slice of history up in my first blog?

I see many banking and financial services companies across the globe struggle with more complex customer situations and harder collections cases -- with their attention naturally focused on tools, models, and technologies. As an industry, we are focused on early lifecycle treatment strategy, identifying current, non-delinquent customers who may be at-risk for future default, and triaging them before they become delinquent. Risk-based collections and segmentation is now a hot topic. Outsourcing and leveraging multiple, non-agent based contact channels to reduce the pressures on collection resources is more important than ever. Optimization is getting top billing as the next “thing.”

What I don’t hear enough of is how organizations are engaged in improving the skills of collectors, and executing the right management systems approach to the process to extract the best performance possible from our existing resources. In some ways, this may be lost in the chaos of our current economic climate. With all the focus on analytics, segmentation, strategy and technology, the opportunity to improve operational performance through skill building and leadership may have taken a back seat.

I’ve seen plenty of examples of organizations who have spent millions on analytical tools and technologies, improving portfolio risk strategy and targeting of the right customers for treatment. I’ve seen the most advanced dialer, IVR, and other contact channel strategies used successfully to obtain the highest right party contact rates and the lowest possible cost. Yet, with all of that focus and investment, I’ve seen these right party contacts mismanaged by collectors who were not provided with the optimal coaching and skills.

With the enriched data available for decisioning, coupled with the amazing capabilities we have for real time segmentation, strategy scripting, context-sensitive screens, and rules-based workflow management in our next generation collections systems, we are at a crossroads in the evolution of collections.

Let’s not forget some of the “nuts and bolts” that drive operational performance and ensure success.

Something old can be something new. Examine your internal processes aimed at producing the best possible skills at all collector levels and ensure that you are not missing the easiest opportunity to improve your results.


 


I was recently asked in a comment, "What do we have to do to become compliant?"

Great question.  There is not a single path to compliance when it comes to Red Flags compliance.  Effectively, an institution that has covered accounts under the Rule must implement both a written and operational Identity Theft Prevention Program. 

 

The Red Flags Rule requires financial institutions and creditors to establish and maintain a written Program designed to detect, prevent and mitigate identity theft in connection with their covered accounts. The Program is a self-prescribed system of checks and balances that each financial institution and creditor implements to reach compliance with the Red Flags Rule. The goal of the provisions is to drive organizations to put into place a system that identifies patterns, practices and forms of activities that indicate the possible existence of identity theft. The provisions are not designed to steer the market to a “one size fits all” compliance platform. In essence, how businesses choose to meet the requirements will depend on the business size, operational complexity, customer transaction processes and risks associated with each of these characteristics.

 

A compliant Program must contain reasonable policies and procedures to address four mandatory elements:

  • Identifying Red Flags applicable to covered accounts and incorporating them into the Program
  • Detecting and evaluating the Red Flags included in the Program
  • Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose and
  • Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft 

The Red Flags Rule includes 26 illustrative examples of possible Red Flags financial institutions and creditors should consider when implementing a written Program. While implementation of any predetermined number of the 26 Red Flag examples is not mandatory, financial institutions and creditors should consider those that are applicable to their business processes, consumer relationships and levels of risk.

 

The Red Flags Rule requires financial institutions and creditors to focus on identifying Red Flags applicable to their account opening activities, existing account maintenance, and new activity on an account that has been inactive for two years or more. Some mandatory requirements include:

  • Keeping a current, written Identity Theft Prevention Program that contains reasonable policies and procedures to identify, detect and respond to Red Flags, and keeping the Program updated
  • Confirming that the consumer reports requested from consumer reporting agencies are related to the consumer with whom the financial institution or creditor are doing business
  • Reviewing address discrepancies

 

I encourage all of you to have a look at this newly launched Federal Trade Commission Web site dedicated to the Red Flags Rule guidelines.  It is a good resource that organizes the requirements of the Rule in a user-friendly manner.  It also looks to be an ongoing resource for the posting of updates and related commentary.  I suggest you make this site one of your bookmarks today:
 

 

The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”
 

Of particular interest is the "Read the Guide" tab, where you can view and download the new FTC guide to Red Flag Rules.  For those in the telecommunications and utilities spaces, check out the "Publish the Articles" tab where you will find two bulletins on Red Flags in these arenas.  Enjoy.


Behavioral scoring is one of the most important tools that allow collections management and account management groups to evaluate accounts in an efficient and cost-effective manner. Although behavioral models are developed in a similar manner as new applicant models, there are several key differences that make behavioral models a better choice for many account management applications and collections workflow systems:

By using only internal master file data as opposed to external credit bureau data, for example, accounts can be regularly evaluated without incremental cost. The most common practices are to score accounts on a weekly or monthly basis, which allows for quick strategic responses to a customer’s change in behavior. Frequent evaluations can result in automated or manual actions such as the acceleration or deceleration of collections efforts, adjusting credit limits and changing terms and conditions.

The performance definitions of behavioral scores are very specific to each strategy and task, and it is typically not advised to use models in applications for which they were not designed. For example, a new applicant model definition of “bad” may be a high probability of charge off during the initial term of a line of credit. For collections strategy, a more appropriate bad definition might be the likelihood of an account rolling to the next delinquency bucket, regardless of the age of the account. 

Behavioral models also have a much shorter outcome period of three to four months versus new applicant models that forecast over one to two years. Since behaviors with one creditor can typically be recognized more quickly than with all lending institutions associated with a particular debtor, behavioral models provide a unique and timely evaluation of the ongoing risk once the account is already on the books.

 


As stated in an earlier posting, healthcare providers should ensure appropriate compliance with the Red Flags Rule.  There continues to be healthy debate as to what level of applicability the Red Flags Rule has in this market.  That said, the link below, to a recent article by the FTC, highlights some relevant points to think about as healthcare providers consider whether or not they are 'covered' and, if so, the appropriate measures to be taken in developing their Identity Theft Prevention Program.

Of note, the article points out that "health care providers are creditors if they bill consumers after their services are completed. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees. However, simply accepting credit cards as a form of payment does not make you a creditor under the Red Flags Rule." 

Based on this definition, it appears to some extent, that the majority of healthcare providers will be covered under the Red Flag Rule as creditors.

I encourage you to have a look at this article if you are still on the fence:
http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm

If the business is a creditor or a “financial institution” (defined as a depository institution) that offers covered accounts, you must develop a Program to detect possible identity theft in the accounts and respond appropriately. The federal banking agencies, the NCUA and the FTC have issued Guidelines to help covered entities identify, detect and respond to indicators of possible identity theft, as well as to administer the Program.

A copy of the Red Flag Guidelines can be found:
Federal Reserve Board – 12 C.F.R. pt 222, App. J
Federal Deposit Insurance Corporation – 12 C.F.R. pt 334, App. J
FTC – 16 C.F.R. pt 681, App. A
NCUA – 12 C.F.R. pt 717, App. J
Office of the Comptroller of the Currency - 12 C.F.R. pt 41, App. J
Office of Thrift Supervision - 12 C.F.R. pt 571, App. J
 


Here are a few more frequently asked questions.

1. Am I a “creditor” under the rule?
The term “creditor” has the same meaning as under the Equal Credit Opportunity Act (ECOA) and is defined as a person who regularly participates in credit decisions, including, for example, a mortgage broker, a person who arranges credit or a servicer of loans who participates in “workout” decisions. The term “credit” is defined, as in the ECOA, as the right granted by a creditor to defer payment for goods or services. It is important to note that commercial, as well as consumer, credit accounts may be covered by the Rule.

2. We are an insurance company that uses credit reports to underwrite insurance. Does the Red Flags Rule apply to us?
The Red Flag Rule applies to creditors and depository institutions and should not apply to an insurer when engaged in activities related to insurance underwriting. To the extent that you extend credit, however, you may be covered. For example, you may wish to examine whether you permit consumers to finance their premiums; whether you extend credit to vendors, independent agents or other business partners; or whether you extend credit in connection with your investment activities, including real-estate investments.

3. I am an auto dealer. Does the rule apply to me?
If the business extends auto credit to consumers or arranges auto credit for consumers, the Red Flag guidelines may apply.
 


Part 2

Reason one
Unfortunately, there is a management issue regarding their transparency with the investment community and/or client base.  Regrettably for the managers and leaders choosing this approach, if this problem persists too long, the organization may choose to rectify with a change in the management and leadership.

Reason two
The solution is both simple and complex.  In simplistic terms, the financial institution must evolve its portfolio risk management reduction techniques and take a more proactive stance.  Both internal and external data exists that can provide significant insight to the portfolio, its trends and potential future loss. 

Such data sources include:

  • Internal behavioral characteristics (negative changes outside of just delinquencies)
    • High line usage
    • Non sufficient funds frequency & severity (for those borrowers who also have a deposit account with the institution)
    • Deposit account closures

  • External data
    • Regular rescore of the borrowers (both small business and consumer)
    • Derogatory payment trends with other creditors (the borrower may be current with you but for how long?)
    • Judgments or liens
       

Such data can be used to create models for portfolio performance calculating:

  • Delinquency trends by score (as the portfolio trends up or down in the score ranges we can adjust the expected loss rates, delinquency rates, etc.)
  • Within score ranges and based upon other behavioral characteristics, what is the likelihood for charge-off or recovery.

The biggest takeaway is that these portfolio management techniques are not new and untested.  Your data provider (such as Experian) has used these techniques and has the data to support the effectiveness.  While we are in trouble, we may find ourselves wanting to keep the “dirty secrets” to ourselves.  Too often such an approach leads to one’s demise.  Seek information, seek help, get control and truly start to move in a positive direction.
 


It seems to me that there remains quite a bit of dispute and confusion around the inclusion of healthcare providers under the umbrella of "creditors." This would, in turn, imply that a physician's office would need to have a Red Flags Identity Theft Prevention Program in place.  Yikes!  My guess is that this will not be fully resolved by May 1, 2009.  I see too many disparate opinions out there to think otherwise.  I certainly see both sides.  On the one hand, the definition of "creditor" to include "deferred payment of debts" does make the case for most physicians’ offices to be covered under the rule.  On the other hand, to what extent will each and every physician's office be able to have a verification process in place by May 1, 2009?  Certainly, those offices integrated with third party processing will have an easier go of it, but the stand-alone practices are facing a tough challenge. 
 
There is no doubt that the healthcare space is, and should be, covered under the Red Flags rule; I just have to wonder how comprehensive and enforceable compliance will be.  Let me know your thoughts!

I’m speculating a bit here, but I have a feeling that as the first wave of Red Flag rule examinations occurs, one of the potential perceived weak points in your program(s) may be your vendor relationships.  Of particular note are collections agencies.  Per the guidelines, “Section 114 applies to financial institutions and creditors.” Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines “creditor” to include a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors.  Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules and “a financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider.”

A general rule of thumb in any examination process is to look closely at activities that are the most difficult for the examinee to control.  Third-party relationship management certainly falls into this category.  So, make sure your written and operational programs have procedures in place to ensure and regularly monitor appropriate Red Flag compliance -- even when customer (or potential customer) activities occur outside your walls.

Good luck!


We continue to receive inquiries from our clients, and the market in general, around whether they are required to comply with the Red Flag Rule or not. That final decision can be found with the legal and compliance teams within your organization. I am finding, however, that there generally seems to be too literal and narrow an interpretation of the terms ‘creditor’ or ‘financial institution’ as described in the guidelines. 

I often hear an organization state that they don’t believe they’re covered because they are not one of those types of entities. Ultimately, as I said, that’s up to your internal team(s) to establish. I would recommend, however, that you ensure that opinion and ultimate determination is well researched. It may sound simple, but reach out to your examining agencies or the Federal Trade Commission (FTC) and discuss any ambiguities you feel exist related to covered accounts. 

There is some great clarifying language out there beyond the initial Red Flag Rule. For example, the FTC provided a very useful article (www.ftc.gov/bcp/edu/pubs/articles/art11.shtm) that described how even health care providers can be covered under the Red Flag Rule. 

At first glance, they may not seem to fall under the umbrella of a ‘creditor or financial institution.’ As stated in the article, the extension of credit “means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services.”

Maybe it’s just me, but that description is arguably much broader-reaching than one might initially think. Long story short: do your research, and don’t assume you or your accounts are not covered under the guidelines. Better to find out now instead of after your first examination….for obvious reasons.


The Federal Trade Commission (FTC) suspended enforcement of the new Red Flag Rule until May 1, 2009.  According to the FTC’s Enforcement Policy, “…during the course of the Commission’s education and outreach efforts following publication of the rule, the Commission has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule.  These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA Sections 114 and 315 definitions of ‘creditor’ or ‘financial institution’.”

So, depending upon which enforcement entity (or entities) will be knocking on your door in the coming months, you may (and I emphasize “may”) have some extra time to get your house in order.   While many of you are likely confident that you have a compliant written and operational Identity Theft Prevention Program, this break in the action can be a great time to take care of setting up some ongoing procedures for keeping your program up to date.  Here are some ideas to keep in mind along the way:

1. Make sure you have clear responsibilities and accountabilities identified and assigned to appropriate persons.  Lack thereof may lead to everyone thinking someone else is keeping tabs.

2. Start setting the stage for a process to update your program based on:

a. Your new experiences with identity theft;
b. Changes in methods of identity theft;
c. Changes in methods to detect, prevent, and mitigate identity theft;
d. Changes in the types of accounts you offer or maintain; and
e. Changes in your business arrangements, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.

3. Set up a process for program review at the board level.  Remember that your program does not have to be approved by your board of directors annually, but the board (or a committee of the board) or senior management must review reports regarding your program each year.  They must approve any material changes to your program should they occur.

4. Prepare now for follow up actions associated with your first Red Flag Rule examination(s).  There will surely be suggestions or mandates stemming from that exercise, and now is a good time to start securing appropriate resources and time.

My key message here is that, while there may be a lull in the world of Red Flags activity, this is a great time to keep momentum in your program development and upkeep by planning for the next wave of updates and your impending examinations.  Best of luck.


As someone heavily engaged with the market and our clients discussing Red Flag Rule compliance, Red Flag guidelines, etc...this question has come up over and over again.  You’d think by now I’d have a simple, clever, and strategically created product name to throw out there.  Well, I don’t, and here’s why: we had Red Flag relevant products before Red Flags were in vogue.  So, why didn’t we just rename them under the Red Flag brand?  Because honestly, that would border on irresponsibility.  Let me explain briefly…

If you recall, the Red Flags Rule requires that covered institutions employ a written and operational Program that addresses the four mandatory elements of:

• Identifying Red Flags applicable to covered accounts and incorporating them into the Program;

• Detecting and evaluating the Red Flags included in the Program;

• Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and

• Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft.

You read in these requirements words like “applicable” and “appropriate” and “degree of risk.”  You don’t read words like “use this tool” or “detect this specific set of conditions.”  My point here is that, over the past year, we’ve been working with our clients to map in the “appropriate” and “applicable” set of products and services to allow them to become Red Flag compliant.  These products and services range in data leverage and provision, predictive power, decisioning, and of course, cost.  That is a good thing, as our clients require individualized tool sets and processes based on their serviced market, gathered information, consumer relationships, products offered, and risk associated with all of those factors.

We don’t offer an unlimited or overwhelming number of Red Flag relevant products, but we do offer a diverse enough set that has afforded our clients an opportunity to select the best fit.  Whether you choose to adopt Experian as your Red Flag partner or another service provider, keep in mind that one size does not fit all, and be wary of those claiming to be just that. 

As Red Flag examinations start rolling out in the coming months, there will be a focus on ensuring that your programs are comprehensive and effective.  Examiners will be looking at your programs, not your service provider.  Be sure to collaborate with your partners to meticulously apply the best solution.  At Experian, we’ve taken this collaborative approach with each of our clients, and have employed products ranging from our robust Precise ID℠ consumer authentication platform to our Fraud Shield℠ risk warning product.  Time spent up front in identifying your Red Flag requirements and working with your service provider to determine the best course of action will pay dividends down the road, and ensure you implement a compliant process once….not twice.

 
