Vendors should be on your Red Flags radar as May 1 approaches
I’m speculating a bit here, but I have a feeling that as the first wave of Red Flag rule examinations occurs, one of the potential perceived weak points in your program(s) may be your vendor relationships. Of particular note are collections agencies. Per the guidelines, “Section 114 applies to financial institutions and creditors.” Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines “creditor” to include a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors. Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules and “a financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider.”
A general rule of thumb in any examination process is to look closely at activities that are the most difficult for the examinee to control. Third-party relationship management certainly falls into this category. So, make sure your written and operational programs have procedures in place to ensure and regularly monitor appropriate Red Flag compliance -- even when customer (or potential customer) activities occur outside your walls.
Good luck!
Common questions about Red Flags Rule
I have heard this question posed and you may be asking yourselves:
Why are referral volumes (the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected) such a significant operations concern?
These concerns are not without merit. Because of the new Red Flag Rules, financial institutions are likely to be more cautious. As a result, many transactions may be subject to greater customer identification scrutiny than is necessary.
Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction. For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction. In fact, using such tools may allow organizations to quicken the origination process for customers. They can then identify and focus resources on transactions that pose the greatest potential for identity theft.
A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact.
Detection of Red Flag conditions is only half the battle. Responding to those conditions is a substantial problem to solve for most institutions. A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the majority of referrals to real-time approvals without staff intervention or customer hardship.
Now is the time to ensure that your organization is either covered or not.
We continue to receive inquiries from our clients, and the market in general, around whether they are required to comply with the Red Flag Rule or not. That final decision can be found with the legal and compliance teams within your organization. I am finding, however, that there generally seems to be too literal and narrow an interpretation of the terms ‘creditor’ or ‘financial institution’ as described in the guidelines.
I often hear an organization state that they don’t believe they’re covered because they are not one of those types of entities. Ultimately, as I said, that’s up to your internal team(s) to establish. I would recommend, however, that you ensure that opinion and ultimate determination is well researched. It may sound simple, but reach out to your examining agencies or the Federal Trade Commission (FTC) and discuss any ambiguities you feel exist related to covered accounts.
There is some great clarifying language out there beyond the initial Red Flag Rule. For example, the FTC provided a very useful article (www.ftc.gov/bcp/edu/pubs/articles/art11.shtm) that described how even health care providers can be covered under the Red Flag Rule.
At first glance, they may not seem to fall under the umbrella of a ‘creditor or financial institution.’ As stated in the article, the extension of credit “means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services.”
Maybe it’s just me, but that description is arguably much broader-reaching than one might initially think. Long story short: do your research, and don’t assume you or your accounts are not covered under the guidelines. Better to find out now instead of after your first examination…for obvious reasons.
It’s Been a Month Already? Time to Start Looking Ahead.
The Federal Trade Commission (FTC) suspended enforcement of the new Red Flag Rule until May 1, 2009. According to the FTC’s Enforcement Policy, “…during the course of the Commission’s education and outreach efforts following publication of the rule, the Commission has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA Sections 114 and 315 definitions of ‘creditor’ or ‘financial institution’.”
So, depending upon which enforcement entity (or entities) will be knocking on your door in the coming months, you may (and I emphasize “may”) have some extra time to get your house in order. While many of you are likely confident that you have a compliant written and operational Identity Theft Prevention Program, this break in the action can be a great time to take care of setting up some ongoing procedures for keeping your program up to date. Here are some ideas to keep in mind along the way:
1. Make sure you have clear responsibilities and accountabilities identified and assigned to appropriate persons. Lack thereof may lead to everyone thinking someone else is keeping tabs.
2. Start setting the stage for a process to update your program based on:
a. Your new experiences with identity theft;
b. Changes in methods of identity theft;
c. Changes in methods to detect, prevent, and mitigate identity theft;
d. Changes in the types of accounts you offer or maintain; and
e. Changes in your business arrangements, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.
3. Set up a process for program review at the board level. Remember that your program does not have to be approved by your board of directors annually, but the board (or a committee of the board) or senior management must review reports regarding your program each year. They must approve any material changes to your program should they occur.
4. Prepare now for follow up actions associated with your first Red Flag Rule examination(s). There will surely be suggestions or mandates stemming from that exercise, and now is a good time to start securing appropriate resources and time.
My key message here is that, while there may be a lull in the world of Red Flags activity, this is a great time to keep momentum in your program development and upkeep by planning for the next wave of updates and your impending examinations. Best of luck.
Hey Experian, what is your Red Flag solution called?
As someone heavily engaged with the market and our clients discussing Red Flag Rule compliance, Red Flag guidelines, etc...this question has come up over and over again. You’d think by now I’d have a simple, clever, and strategically created product name to throw out there. Well, I don’t, and here’s why: we had Red Flag relevant products before Red Flags were in vogue. So, why didn’t we just rename them under the Red Flag brand? Because honestly, that would border on irresponsibility. Let me explain briefly…
If you recall, the Red Flags Rule requires that covered institutions employ a written and operational Program that addresses the four mandatory elements of:
• Identifying Red Flags applicable to covered accounts and incorporating them into the Program;
• Detecting and evaluating the Red Flags included in the Program;
• Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and
• Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft.
You read in these requirements words like “applicable” and “appropriate” and “degree of risk.” You don’t read words like “use this tool” or “detect this specific set of conditions.” My point here is that, over the past year, we’ve been working with our clients to map in the “appropriate” and “applicable” set of products and services to allow them to become Red Flag compliant. These products and services range in data leverage and provision, predictive power, decisioning, and of course, cost. That is a good thing, as our clients require individualized tool sets and processes based on their serviced market, gathered information, consumer relationships, products offered, and risk associated with all of those factors.
We don’t offer an unlimited or overwhelming number of Red Flag relevant products, but we do offer a diverse enough set that has afforded our clients an opportunity to select the best fit. Whether you choose to adopt Experian as your Red Flag partner or another service provider, keep in mind that one size does not fit all, and be wary of those claiming to be just that.
As Red Flag examinations start rolling out in the coming months, there will be a focus on ensuring that your programs are comprehensive and effective. Examiners will be looking at your programs, not your service provider. Be sure to collaborate with your partners to meticulously apply the best solution. At Experian, we’ve taken this collaborative approach with each of our clients, and have employed products ranging from our robust Precise ID℠ consumer authentication platform to our Fraud Shield℠ risk warning product. Time spent up front in identifying your Red Flag requirements and working with your service provider to determine the best course of action will pay dividends down the road, and ensure you implement a compliant process once…not twice.
Address Discrepancies Aren’t The End Of The Road, But They Sure Can Be A Bump In It.
One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315. Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.
A couple of common questions and answers to get us started:
1. How do the credit reporting agencies display an address discrepancy?
Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.
2. How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?
Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.
In my last posting, I discussed the value of a risk-based approach to Red Flag compliance. Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report.
Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program. There are many tools available that can detect Red Flag conditions. The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions. Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.
A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores. Layer consumer-facing knowledge-based authentication questions on top of a solid decisioning strategy using these elements, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center. Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.
Red Flags: I think I’m compliant, but this is costing me big time!
One of the more significant operational concerns around Red Flags compliance centers on the management of resultant referral volumes, i.e., the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected.
These concerns are not without merit, and are arguably the most frequently discussed Red Flag issue with our client base.
Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction. For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction. In fact, using such tools may allow organizations to speed up the origination process for these customers and identify and focus resources on those transactions that pose the greatest potential for identity theft.
A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact. Detection of Red Flag conditions is literally only half the battle. In fact, responding to those Red Flag conditions is a substantial problem to solve for most institutions. A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the vast majority of referrals to real-time approvals without staff intervention or customer hardship.
Rather than implementing a “rules-based” program (one in which particular Red Flags are identified, detected and used in isolation or near isolation in decisioning), many institutions are opting to approach Red Flag compliance from a “risk-based” perspective. This “risk-based” approach assumes that no single Red Flag Rule or even set of rules provides a comprehensive view of a consumer’s identity and associated fraud risk. Instead, a “risk-based” systematic approach to consumer authentication employs a process by which an appropriately comprehensive set of consumer data sources can provide the foundation for highly effective fraud prediction models in combination with detailed consumer authentication conditions (such as address mismatches or Social Security number inconsistencies).
A risk-based fraud detection system allows institutions to make consumer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a consumer’s identity and predicted likelihood of associated identity theft.
Many, if not all, of the suggested Rules in the published guidelines are not “silver bullets” that ensure the presence or absence of identity theft. A substantial ratio of false positives will comprise the set of consumers and accounts being reviewed as having met one or more of the suggested Red Flag rule conditions. These rules and guidelines are intended neither to prevent legitimate consumers from establishing relationships with institutions nor create a burdensome and prohibitive volume of consumer “referrals.” While those rules incorporated into an institution’s Program must be addressed when detected, a risk-based system allows for an operationally efficient method of reconciliation in tandem with identity theft mitigation.
Red Flags in a Post-November 1 World
For those of us that have been following the Red Flag Rules adoption for more than a year now, the recent arrival and passing of the November 1 compliance deadline allows us to pause to assess where we are -- and where we are heading. One question seems to surface regularly these days:
How ready or compliant is the market today?
Well, I think it’s safe to say that the market is certainly not 100% home when it comes to compliance readiness.
Experian surveys registrants on our Red Flags online resource site. As of October 31 -- a.k.a. ‘Compliance Eve’ -- nearly half of the registrants (48%) fell into the category of ‘just starting to review the rules and determine a compliance plan’. Other industry surveys, interviews, and analyst reports suggest an even lower rate of compliance (closer to only one-third of covered institutions) in the market.
The Federal Trade Commission seemed to sense this market condition, and granted a six-month reprieve from Red Flags compliance enforcement – to May 1, 2009. While this extension is welcome news for those institutions falling under the FTC’s jurisdictional umbrella, other institutions are arguably out of compliance today, and face pending examinations in the coming months.
So, is the market ready today? The broad answer is a resounding ‘no.’
Much of the market’s effort has gone into the creation of written Identity Theft Prevention Programs as part of the Red Flag Rule requirements. How well will these written procedures be received by the examining agencies? How will these written programs translate into effective and (as importantly) manageable operational processes? The first wave of examinations will help answer some of these questions and concerns…and ongoing cost analysis (associated with referral volumes, application acceptance rates, manual or automated processes, and, of course, fraud losses) will help paint a clearer picture in the months to come.




