How Red Flags Rule affects risk managers and compliance officers, Part 1

Wednesday, October 14, 2009 by Fraud and Identity Solutions Team

--by Matt Ehrlich

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis.  And meeting today’s regulatory requirements is more complicated than ever.  Risk managers and compliance officers are asked to consider many questions, including:

1. Do FACTA Sections 114 and 315 apply to me?
2. What do I have to do to comply?
3. What impact does this have on the customer’s experience?
4. What is this going to cost me in terms of people and process?

Interpretation of the law or guideline, including to whom it does and does not apply, varies widely.  Which types of businesses are subject to the Red Flags Rule?  What is a “covered account?”  If you’re not sure, you’re not alone. It’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule while this healthy debate continues.

And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay?

But we’re not talking just about institutions protecting consumers from identity theft, reducing fraud, and protecting themselves through an Identity Theft Prevention Program.

The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering.  Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly.

So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule, which causes heartburn for those tasked with compliance…but are there some common themes and requirements across the two?  The short answer is yes.  In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.


 

Comments for How Red Flags Rule affects risk managers and compliance officers, Part 1

Saturday, October 24, 2009 by kj anderson:
www.kj3rd.com On Nov. 1, virtually every business nationwide will be required to comply with the Red Flags Rule, another piece of legislation designed to control identity theft by changing how businesses handle sensitive information of their customers and their employees. Most states have privacy laws in addition to federal privacy and informational security laws, yet many businesses fail to comply because few are aware the laws exist on privacy compliance, and best practices are required. It is estimated that more than half of all businesses and most small enterprises are at significant financial risk if they lose consumer or employee information. Compliance with federal and state laws as well as having documented best practices goes a long way to reducing liabilities and risk. The Identity Theft Education Center has posted a free online class for business owners to understand the law, their new responsibility and liability, and the most cost-effective methods to lower their liability, comply with the law and better protect the information it collects on its clients and customers. The online presentation is conducted by KJ Anderson III, CITRMS (www.kj3rd.com) and can be found at www.factalaw.com.
