--by Matt Ehrlich

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis.  And meeting today’s regulatory requirements is more complicated than ever.  Risk managers and compliance officers are asked to consider many questions, including:

1. Do FACTA Sections 114 and 315 apply to me?
2. What do I have to do to comply?
3. What impact does this have on the customer’s experience?
4. What is this going to cost me in terms of people and process?

Interpretation of the law or guideline – including to whom it applies and to whom it does not – varies widely.  Which types of businesses are subject to the Red Flags Rule?  What is a “covered account?”  If you’re not sure, you’re not alone – it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule while this healthy debate continues.

And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay? But we’re not talking only about protecting consumers from identity theft, reducing fraud, and institutions protecting themselves through the Identity Theft Prevention Program.

The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering.  Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly.

So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule, which causes heartburn for those tasked with compliance…but are there some common themes and requirements across the two?  The short answer is yes.  In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.


 


There were always questions around the likelihood that the August 1, 2009 deadline would stick.  Well, the FTC has pushed out the Red Flag Rules compliance deadline to November 1, 2009 (from the previously extended August 1, 2009 deadline).

This extension is in response to pressures from Congress – and, likely, "lower risk" businesses questioning their being covered under the Red Flag Rule to begin with (businesses such as those related to healthcare, retailers, small businesses, etc).

Keep in mind that the FTC extension on enforcement of Red Flag Guidelines does not apply to address discrepancies on credit profiles, and that those discrepancies are expected to be worked TODAY. 

Risk management strategies are key to your success.

To view the entire press release, visit: http://www.ftc.gov/opa/2009/07/redflag.shtm

As I've suggested in previous postings, we've certainly expected more clarifying language from the Red Flags Rule drafting agencies.  Well, here is some pretty good information in the form of another FAQ document created by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC). 

This is a great step forward in responding to many of the same Red Flag guidelines questions that we get from our clients, and I hope it's not the last one we see.  You can access the document via any of the agency websites, but for quick reference, here is the FDIC version:

http://www.fdic.gov/news/news/press/2009/pr09088.html

We at Experian have been conducting a survey of visitors to our Red Flag guidelines microsite (www.experian.com/redflags).

Some initial findings show that approximately 40 percent of those surveyed were "ready" by the original November 1, 2008 deadline.  However, nearly 50 percent of the respondents found the Identity Theft Red Flag deadline extension(s) helpful.

For those of you that have not taken the survey, please do so.  We welcome your feedback.

 


One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. 

A couple of common questions and answers to get us started:

1.  How do the credit reporting agencies display an address discrepancy?

Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2.  How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?

Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance.  Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report.

Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program.  There are many tools available that can detect Red Flag conditions.  The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions.  Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.

A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores.  Layer consumer-facing knowledge-based authentication questions on top of a solid decisioning strategy using these elements, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center.  Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.
 


What are your thoughts on the third extension to the Identity Theft Red Flags Rule deadline?

Was your institution ready to meet Red Flag guidelines? 


The Federal Trade Commission announced on April 30, one day before the intended May 1 Red Flags Rule enforcement deadline, a third extension of that deadline to August 1, 2009.  It's like showing up to class without your homework and the teacher is out sick that day….kind of.  The first extension from November 1, 2008 to May 1, 2009 seems to center on the general confusion among many market sectors around their level of coverage under the Identity Theft Red Flags Rule.  This latest delay seems to be a result of pushback from businesses with a lower risk of identity theft occurrences and a more "known" consumer base.

So, it looks like we have at least three more months of preparation time.  This can be a good thing for all institutions regardless of their current Red Flag guidelines readiness status.  Those who scrambled to get a program in place now have time to fine tune it.  Those that were hoping for another extension have it.  Those who still question what their program should look like or if they are even covered can look forward to some more clarifying information out soon.

Some key takeaways from the announcement:

  • The FTC announcement does not impact other federal agency enforcement deadlines dating back to November 1, 2008.
  • Specific to institutions that may have a perceived lower risk of identity theft, or businesses that generally know their customers personally, the Commission will be publishing more clarifying language and sample process (in the form of a template) to help those types of businesses comply with the Rule.

Finally, this quote from the announcement sums it up:  “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.
 


As we approach the FTC's May 1, 2009 Red Flags Rule enforcement deadline, we are still working with many of our existing and prospective clients to support their Red Flags Identity Theft Prevention Program.  In my opinion, the May 1, 2009 extension did much good on two fronts: 

1.  It brought to light the need for all institutions, particularly in markets outside of traditional financial services arenas, to re-evaluate the expectation of their being 'covered' under the Red Flag guidelines. 

2.  It allowed 'covered' institutions the opportunity to take additional steps to not only create and operationalize their programs, but to spend time making those programs efficient and in line with business and regulatory objectives.

In the spirit of information gathering and sharing, we at Experian are conducting a quick survey to gauge how 'helpful' the May 1, 2009 extension was to your organization.  We're also trying to informally keep our finger on the pulse of market readiness, as the enforcement deadline is upon us.

Via the link below, please take about 60 seconds to answer a few questions that will help us better understand the current state of the market's Red Flags Rule readiness.

Experian Red Flags Survey

We certainly appreciate your time.

 


 

I encourage all of you to have a look at this newly launched Federal Trade Commission Web site dedicated to the Red Flags Rule guidelines.  It is a good resource that organizes the requirements of the Rule in a user-friendly manner.  It also looks to be an ongoing resource for the posting of updates and related commentary.  I suggest you make this site one of your bookmarks today:
 

 

The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”
 

Of particular interest is the "Read the Guide" tab, where you can view and download the new FTC guide to Red Flag Rules.  For those in the telecommunications and utilities spaces, check out the "Publish the Articles" tab, where you will find two bulletins on Red Flags in these arenas.  Enjoy.


We have talked about: the creation of the vision for our loan portfolios (current state versus future state) – e.g. the strategy for moving our current portfolio to the future vision. Now comes the time for execution of that strategy.

In changing portfolio composition and improving credit quality, the discipline of credit must be strong (this includes in the arenas of commercial loan origination, loan portfolio monitoring, and credit risk modeling of course). Consistency, especially, in the application of policy is key. Early on in the change/execution process there will be strong pressure to revert back to the old ways and stay in a familiar comfort zone.  Credit criteria/underwriting guidelines will have indeed changed in the strategy execution.

In the coming blogs we will be discussing:

  • assessment of the current state in your loan portfolio;
  • development of the specific strategy to effect change in the portfolio from a credit quality perspective and composition;
  • business development efforts to effect change in the portfolio composition; and
  • policy changes to support the strategy/vision.

 


If the business is a creditor or a “financial institution” (defined as a depository institution) that offers covered accounts, you must develop a Program to detect possible identity theft in the accounts and respond appropriately. The federal banking agencies, the NCUA and the FTC have issued Guidelines to help covered entities identify, detect and respond to indicators of possible identity theft, as well as to administer the Program.

A copy of the Red Flag Guidelines can be found:

  • Federal Reserve Board – 12 C.F.R. pt 222, App. J
  • Federal Deposit Insurance Corporation – 12 C.F.R. pt 334, App. J
  • FTC – 16 C.F.R. pt 681, App. A
  • NCUA – 12 C.F.R. pt 717, App. J
  • Office of the Comptroller of the Currency – 12 C.F.R. pt 41, App. J
  • Office of Thrift Supervision – 12 C.F.R. pt 571, App. J
 


The credit reporting agencies will not identify Red Flags, as such, on a credit report. However, there may be certain information on a credit report that you have determined to be an indicator of possible identity theft and have incorporated into your Program, such as a consumer fraud alert or a notice of address discrepancy. In addition, the Red Flag Guidelines specify that a credit report indicating a pattern of inconsistent or unusual recent activity might be a Red Flag.

If you have detected a Red Flag in connection with a credit application, are you prohibited from opening the account when following the Red Flag guidelines?

First, you must assess whether the Red Flag evidences a risk of identity theft and your response must be commensurate with the degree of risk that is posed. You generally are not prohibited from opening the account, unless the only appropriate response in light of the degree of risk posed by the Red Flag would be not to open the account. In some instances, for example, you may be able to contact the applicant directly to verify that the application is legitimate.
 


Here are a few more frequently asked questions.

1. Am I a “creditor” under the rule?
The term “creditor” has the same meaning as under the Equal Credit Opportunity Act (ECOA) and is defined as a person who regularly participates in credit decisions, including, for example, a mortgage broker, a person who arranges credit or a servicer of loans who participates in “workout” decisions. The term “credit” is defined, as in the ECOA, as the right granted by a creditor to defer payment for goods or services. It is important to note that commercial, as well as consumer, credit accounts may be covered by the Rule.

2. We are an insurance company that uses credit reports to underwrite insurance. Does the Red Flags Rule apply to us?
The Red Flag Rule applies to creditors and depository institutions and should not apply to an insurer when engaged in activities related to insurance underwriting. To the extent that you extend credit, however, you may be covered. For example, you may wish to examine whether you permit consumers to finance their premiums; whether you extend credit to vendors, independent agents or other business partners; or whether you extend credit in connection with your investment activities, including real-estate investments.

3. I am an auto dealer. Does the rule apply to me?
If the business extends auto credit to consumers or arranges auto credit for consumers, the Red Flag guidelines may apply.
 


Just as with diet recommendations, moderation needs to be the new motto for credit risk management.  Diets provide for the occasional bag of chips or dessert after dinner, but these same food items become problems if the small quantity or occasional indulgence suddenly becomes the norm. 
Similarly, we, in our risk management efforts, put forth guidelines that establish limitations on certain loan types or categories that have been deemed risky should the numbers or quantity become too large a part of the overall portfolio.  Unfortunately, we have a tendency to allow earnings or portfolio growth to cloud our judgment and take an attitude of “just one more.” 
In the past several years, we have experienced excesses in commercial real estate, residential development and subprime mortgages.  It is now these excesses that are creating the problems that we are dealing with today. 
Bringing back these limitations – in other words, reestablishing the discipline in our portfolio risk management – will go a long way in avoiding these same problems in the future. 
As I learned early in my banking career:  “…soundness, profitability and growth…in that order.”

Address discrepancies aren't the end of the road, but they sure can be a bump in it. One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. 

 


How do I know which Red Flags apply to me?

The Red Flag guidelines that will apply to you depend on a number of factors including:

  1. The types of covered accounts you offer and how those accounts may be opened and accessed
  2. Your previous experiences with identity theft

In order to determine the applicable Red Flags, you must consider these factors as well as various sources and categories of Red Flags identified in the Guidelines.

There are many resources available to help you gain the upper hand on Identity Theft Red Flags. I encourage you to visit this site for more information including a white paper, webinar, data sheet and more.
 


There seems to be some ground-laying for follow-on Red Flag compliance guidelines to emerge either pre- or post- May 1, 2009.  Whether they arrive in the form of clarifying statements by the Red Flags Rule drafting agencies, or separate guidelines beyond the current Rule, the ambiguity associated with the current set of parameters leads me to believe that:
  1. The door is open for many entities not clearly called out in the Red Flags Rule as 'covered' to be more formally placed under that umbrella, and
  2. A new series of mandates may be on the horizon as the focus on identity theft prevention and, of critical note, consumer protection continues to sharpen.
I look at "The President's Identity Theft Task Force Report" (September 2008) as a potential catalyst for the publication of more formal directives around consumer identity theft prevention programs.  While the report currently sits in the form of recommendations, it is likely that some of these recommendations may evolve into more definitive enactments.  Additionally, it's clear that even commercial entities that are potentially not covered by the Red Flag Rule today are called out as still in need of stringent and diligent identity theft prevention measures.  More to follow next time on this report.

During a recent real-time survey of 850 representatives of the financial services industry, only 36 percent said that they completely understood the new Identity Theft Red Flags Rule guidelines and were prepared to meet the deadline. 60 percent said that they had just started to determine their approach to Red Flag compliance.

Part 2

This post continues my discussion of the reasons for going through the time and trouble to analyze risk-based pricing for loans. For the discussion of the key elements involved in risk-adjusted loan pricing, please visit my earlier posts. In my last blog we discussed reason number one: good corporate governance. Governance, or responsible and disciplined leadership, makes a lot of sense and promotes trust and confidence which has been missing lately in many large financial institutions. The results can be seen in the market in multiples now and are associated with both the struggling companies and, through guilt by association, the rest of the industry.  But, let’s move beyond the “soft” reason. The second major justification for going through the effort to risk-adjust loan pricing as a normal part of the lending function is financial.

Profit performance
By financial, we mean profit performance or bottom line earnings. This reason relies on the key belief that risk has a cost. Just because risk can be difficult to measure and/or is not addressed within GAAP, doesn’t mean it can’t ultimately cost you something. If, for any reason, you believe you can get away with taking on any unmitigated risk without it ever costing anything, do not continue reading this or any of my other posts. You are wasting your valuable time.

Risk will surface
The saying that “risk will out,” I believe, is true. The question is not if risk will eventually surface, but when, how and how hard it will bite.  Risk can be transferred (hedges, swaps and so on), but it doesn’t disappear from the universe. Once risk is created, someone owns it. The news headlines of the past 18 months are replete with stories of huge writedowns of toxic assets. The securitized assets and/or their collateral loans always contained risk – from the moment the underlying loan was closed. The loans and their payment streams were sliced a dozen ways, repackaged and resold. The risk was also sliced up, but like mercury, it all remained in the system.  Another familiar casino saying that brings this to mind is: “If you don’t know who the ‘mark’ at the table is, it’s you.” There are now several world class examples of such marks. Some have now failed completely and many more would have without federal intervention.

Lending, in the leveraged/banking sense, involves all major types of risk: credit risk, market risk, operational risk and business risk. And, beyond the identifiable and potentially insurable portions of these risks, like any business, it includes the risk of unexpected loss, which needs to be covered by capital. Banks have developed policies and guidelines to mitigate, identify and measure many of their risks. These all fall under the world of risk management and these efforts all cost something. There is no free way to offset risk – other than not doing the loan at all. But lending is the business of banking, isn’t it?


Further, the risk mitigation efforts cost more or less depending on the various risk characteristics of each loan in the bank’s loan portfolio. For instance, a floating rate loan involves little market risk and requires little if any expense to offset. A five-year fixed rate, interest-only loan involves a lot of market risk and that costs something to offset. Alternatively, a loan with a pass risk rating of ‘2’ involves a much lower likelihood of defaulting than a loan with a pass risk rating of ‘4’. The lower risk loan, therefore, involves less of an ALLL (Allowance for Loan and Lease Losses) reserve and provisioning expense.  Also, an owner-occupied commercial mortgage is normally much less expensive to monitor than a credit backing a floor plan or construction project. Those cost differences could be reflected in the pricing.

Finally, for today, the amount of risk capital needed to back these kinds of differing loan characteristics, for purposes of unexpected loss, is substantially different. If these kinds of differences are not priced into the loans somehow, one of two situations exists:
 

  1. Either the bank is not getting paid for the risk it is incurring; or,
  2. If it is, it is charging the lower risk borrowers a rate that pays for added risk-adjusted expenses of the higher risk borrowers.

The business risk to the bank then becomes losing the better clients over time while attracting the riskier deals. This process has a name: adverse selection.

The ongoing expenses of risk mitigation and the negative impact of unexpected losses on retained earnings, over time, materially hurt the bank’s earnings. Someone is paying for all of the risks of being in the business of lending and it’s usually one of two groups: the customers or the shareholders. In the worst of cases, it’s also the taxpayers. The idea of risk-based pricing, at the loan level, is to have the clients pay for the risks the bank is incurring on their behalf by pricing the loan appropriately from the beginning. As a result:

  • This tends to protect, and often enhance, the bank’s financial performance;
  • It is clever;
  • It puts some teeth in the bank’s already existing risk management policies;
  • It is justifiable to the client; and
  • It even makes sense to most lending officers. 
Fortunately, loan pricing analysis is a scalable activity and possible for most any size bank. It is a smarter way of banking than a one-size-fits-all approach -- even without considering the governance improvement.
