--by Keir Breitenfeld
 
Many compliance regulations such as the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time”) offers institutions a viable strategy for balancing the following competing forces and pressures:

• Compliance – the need to ensure each transaction is approved only when compliance requirements are met;
• Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions;
• Risk mitigation – the need to minimize fraud exposure at the account and transaction level.

A flexibly designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to it) between the need to remain compliant, the need to approve the vast majority of applications or customer transactions and, oh yeah, the need to minimize fraud and credit risk exposure (with the help of credit risk modeling).

Sole reliance on a binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. It also leaves an unnecessarily large proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective, consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.

--by Matt Ehrlich

On Friday, October 30th, the FTC again delayed enforcement of the “Red Flags” Rule – this time until June 1, 2010 – for financial institutions and creditors subject to the FTC’s enforcement.   Here’s the official release: http://www.ftc.gov/opa/2009/10/redflags.shtm

But this doesn’t mean, until then, businesses get a free pass.  The extension doesn’t apply to other federal agencies that have enforcement responsibilities for institutions under their jurisdiction.  And the extension also doesn’t alleviate an institution’s need to detect and respond to address discrepancies on credit reports.

Red Flag compliance

Implementing best practices to address identity theft under the Red Flags Rule is not just the law, it’s good business.
The damage to reputations and consumer confidence from a problem gone unchecked or, worse yet, unidentified can be catastrophic.  I encourage all businesses, if they haven’t already done so, to use this extension as an opportunity to proactively put a Red Flags Rule program in place and ensure Red Flag compliance.  It’s an investment in protecting their most important asset: the customer.

--by Keir Breitenfeld

As I wrote in my previous posting, a key Red Flags Rule challenge facing many institutions is managing the number of referrals generated from the detection of Red Flags conditions.  The big ticket item in referral generation is the address mismatch condition.

Identity Theft Prevention Program
I’ve blogged previously on the subject of risk-based authentication and risk-based pricing, so I won’t rehash that information.  What I will suggest, however, is that those institutions that now have an operational Identity Theft Prevention Program (if you don’t, I’d hurry up) should continue to explore the use of alternate data sources, analytics and additional authentication tools (such as knowledge-based authentication) as a way to detect Red Flags conditions and reconcile them all within the same real-time transaction.

Referral rates
Referral rates stemming from address mismatches (a key component of the Red Flags Rule high risk conditions) can approach or even surpass 30 percent.  That is a lot.  The good news is that there are tools which employ additional data sources beyond a credit profile to “find” that positive address match.  The use of alternate data sources can often clear the majority of these initial mismatches, leaving the remaining transactions for treatment with analytics and knowledge-based authentication within the Identity Theft Prevention Program.

Whatever “referral management” process you have in place today, I’d suggest exploring risk-based authentication tools that allow you to keep the vast majority of those referrals out of the hands of live agents, and distanced from the need to put your customers through the authentication wringer.  In the current marketplace, there are many services that allow you to avoid high referral costs and risks to customer experience.  Of course, we think ours are pretty good.

--by Keir Breitenfeld

Well, here we are at the beginning of November and The Red Flags Rule has been with us for nearly two years now.  And to add to that, the FTC’s November 1, 2009 enforcement date has passed (I know I’ve said that before).  There is little value in me chatting about the core requirements of the Red Flags Rule at this point.  Instead, I’d like to shed some light on what we are seeing and hearing these days from our clients and industry experts related to this initiative:

Red Flags Rule client comments

1. Most clients have a solid written and operational Identity Theft Prevention Program that arguably meets their interpretation of the Red Flags Rule requirements.

2. Most clients have a solid written and operational Identity Theft Prevention Program in place that creates a boat-load of referrals due to the address mismatches generated in their process(es) and the requirement to do something with them.

3. Most clients are now focusing on ways in which to reduce the number of referrals generated and on procedures to clear the remaining referrals in a cost-effective and automated manner… of course, while preventing fraud and staying compliant.

In 2008, a key focus at Experian was to help educate the market around the Red Flags Rule concepts and requirements.

In 2009, that concentration has shifted almost entirely to assisting the market in creating risk-based authentication programs that leverage holistic views of a consumer, flexible tools applied to a consumer based on that person’s authentication and risk profile, and an overall decisioning strategy that balances risk, compliance, and resource constraints.

Spirit of Red Flags Rule
The spirit of the Red Flags Rule is intended to ensure all covered institutions are employing basic identity theft prevention procedures (a pretty good idea).  I believe most of these institutions (even those that had very robust programs in place years before the rule was introduced) can appreciate this requirement that brings all institutions up to speed.  It is now, however, a matter of managing process within the realities of, and costs associated with, manpower, IT resources, and customer experience sensitivities.

--by Matt Ehrlich

In my last entry, I talked about the challenges clients face in trying to meet multiple and complex regulatory requirements, such as FACT Act’s Red Flags Rule and the USA Patriot Act.  While these regulations serve both different and shared purposes, there are some common threads between the two:

1. You must consider the type of accounts and methods of account opening: The type of account offered - credit or deposit, consumer or business – as well as the method of opening – phone, online, or face-to-face – has a bearing on the steps you need to take and the process that will be established.

2. Use of consumer name, address, and identification number: The USA Patriot Act requires each of these – plus date of birth – to open a new account.  Red Flags stops short of “requiring” these for new account openings, but it consistently illustrates the use of these Personally Identifiable Information (PII) elements as examples of reasonable procedures to detect red flags.

3. Establishing identity through non-documentary verification: Third party information providers, such as a credit reporting agency or data broker, can be used to confirm identity, particularly in the case where the verification is not done in person.

Knowing what’s in common means you can take a look at where to leverage processes or tools to gain operational and cost efficiencies and reduce negative impact on the customer experience.  For example, if you’re using any authentication products today to comply with the USA Patriot Act and/or minimize fraud losses, the information you collect from consumers and authentication steps you are already taking now may suffice for a large portion of your Red Flags Identity Theft Prevention Program. 

And if you’re considering fraud and compliance products for account opening or account management, it’s clear that you’ll want something flexible that not only provides identity verification, but scales to the compliance programs you put in place, and those that may be on the horizon.

--by Matt Ehrlich

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis.  And meeting today’s regulatory requirements is more complicated than ever.  Risk managers and compliance officers are asked to consider many questions, including:

1. Do FACTA Sections 114 and 315 apply to me?
2. What do I have to do to comply?
3. What impact does this have on the customer’s experience?
4. What is this going to cost me in terms of people and process?

Interpretation of the law or guideline – including who it applies to and to whom it does not - varies widely.  Which types of businesses are subject to the Red Flags Rule?  What is a “covered account?”  If you’re not sure, you’re not alone - it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule, while this healthy debate continues.

And by the way, FTC – it’s almost November 1st… aren’t we about due for another delay? But we’re not talking just about protecting consumers from identity theft, reducing fraud and protecting institutions through an Identity Theft Prevention Program.

The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering.  Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly.

So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule which causes heartburn for those tasked with compliance… but are there some common themes and requirements across the two?  The short answer is yes.  In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.

Red Flags Rule and commercial accounts

--by Kristan Keelan

Most financial institutions are well underway in complying with the FTC’s ID Theft Red Flags Rule by:

1.  Identifying covered accounts  
2.  Determining what red flags need to be monitored
3.  Implementing a risk based approach 

However, one of the areas that seems to be overlooked in complying with the rule is the area of commercial accounts.  Did your institution include commercial accounts when identifying covered accounts?  You’re not alone if you focused only on consumer accounts initially.

Keep in mind that commercial credit and deposit accounts also can be included as covered accounts when there is a “reasonably foreseeable risk” of identity theft to customers or to safety and soundness.

Start by determining if there is a reasonably foreseeable risk of identity theft in a business or commercial account, especially in small business accounts.   Consider the risk of identity theft presented by the methods used to open business accounts, the methods provided to access business accounts, and previous experiences with identity theft on a business account.

I encourage you to revisit your institution’s compliance program and review whether commercial accounts have been examined closely enough.

There were always questions around the likelihood that the August 1, 2009 deadline would stick.  Well, the FTC has pushed out the Red Flag Rules compliance deadline to November 1, 2009 (from the previously extended August 1, 2009 deadline).

This extension is in response to pressures from Congress – and, likely, "lower risk" businesses questioning their being covered under the Red Flag Rule to begin with (businesses such as those related to healthcare, retailers, small businesses, etc).

Keep in mind that the FTC extension on enforcement of Red Flag Guidelines does not apply to address discrepancies on credit profiles, and that those discrepancies are expected to be worked TODAY. 

Risk management strategies are key to your success.

To view the entire press release, visit: http://www.ftc.gov/opa/2009/07/redflag.shtm

As I've suggested in previous postings, we've certainly expected more clarifying language from the Red Flags Rule drafting agencies.  Well, here is some pretty good information in the form of another FAQ document created by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC). 

This is a great step forward in responding to many of the same Red Flag guidelines questions that we get from our clients, and I hope it's not the last one we see.  You can access the document via any of the agency websites, but for quick reference, here is the FDIC version:

http://www.fdic.gov/news/news/press/2009/pr09088.html

As most industry folks are aware, the FTC recently pushed out their Red Flags Rule enforcement deadline to August 1, 2009.  It is important to note, however, that this extension does not apply to the specific requirement that institutions with covered accounts detect and respond to address discrepancies related to consumer credit profiles.  The original November 1, 2008 deadline is, and has been, the line in the sand for this requirement.  I recommend that those institutions still working toward a compliant written and operational Identity Theft Prevention Program ensure that they have in place today a process to detect and respond to address discrepancies noted on credit profiles.

What are your thoughts on the third extension to the Identity Theft Red Flags Rule deadline?

Was your institution ready to meet Red Flag guidelines? 

Does the rule list the Red Flags?

The Identity Theft Red Flags Rule provides several examples of Red Flags in four separate categories:

1. alerts and notifications received from credit reporting agencies and third-party service providers;
2. the presentation of suspicious documents or suspicious identifying information;  
3. unusual or suspicious account usage patterns; and
4. notices from a customer, identity theft victim or law enforcement.

The Federal Trade Commission announced on April 30, one day before the intended May 1 Red Flags Rule enforcement deadline, a third extension of that deadline to August 1, 2009.  It's like showing up to class without your homework and the teacher is out sick that day….kind of.  The first extension from November 1, 2008 to May 1, 2009 seems to center on the general confusion among many market sectors around their level of coverage under the Identity Theft Red Flags Rule.  This latest delay seems to be a result of pushback from businesses with a lower risk of identity theft occurrences and a more "known" consumer base.

So, it looks like we have at least three more months of preparation time.  This can be a good thing for all institutions regardless of their current Red Flag guidelines readiness status.  Those who scrambled to get a program in place now have time to fine tune it.  Those that were hoping for another extension have it.  Those who still question what their program should look like or if they are even covered can look forward to some more clarifying information out soon.

Some key takeaways from the announcement:

  • The FTC announcement does not impact other federal agency enforcement deadlines dating back to November 1, 2008.
  • Specific to institutions that may have a perceived lower risk of identity theft, or businesses that generally know their customers personally, the Commission will be publishing more clarifying language and sample process (in the form of a template) to help those types of businesses comply with the Rule.

Finally, this quote from the announcement sums it up:  “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

I was recently asked in a comment, "What do we have to do to become compliant?"

Great question.  There is not a single path to compliance when it comes to Red Flags compliance.  Effectively, an institution that has covered accounts under the Rule must implement both a written and operational Identity Theft Prevention Program. 

The Red Flags Rule requires financial institutions and creditors to establish and maintain a written Program designed to detect, prevent and mitigate identity theft in connection with their covered accounts. The Program is a self-prescribed system of checks and balances that each financial institution and creditor implements to reach compliance with the Red Flags Rule. The goal of the provisions is to drive organizations to put into place a system that identifies patterns, practices and forms of activities that indicate the possible existence of identity theft. The provisions are not designed to steer the market to a “one size fits all” compliance platform. In essence, how businesses choose to meet the requirements will depend on the business size, operational complexity, customer transaction processes and risks associated with each of these characteristics.

A compliant Program must contain reasonable policies and procedures to address four mandatory elements:

  • Identifying Red Flags applicable to covered accounts and incorporating them into the Program
  • Detecting and evaluating the Red Flags included in the Program
  • Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose and
  • Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft 

The Red Flags Rule includes 26 illustrative examples of possible Red Flags financial institutions and creditors should consider when implementing a written Program. While implementation of any predetermined number of the 26 Red Flag examples is not mandatory, financial institutions and creditors should consider those that are applicable to their business processes, consumer relationships and levels of risk.

The Red Flags Rule requires financial institutions and creditors to focus on identifying Red Flags applicable to their account opening activities, existing account maintenance, and new activity on an account that has been inactive for two years or more. Some mandatory requirements include:

  • Keeping a current, written Identity Theft Prevention Program that contains reasonable policies and procedures to identify, detect and respond to Red Flags, and keeping the Program updated
  • Confirming that the consumer reports requested from consumer reporting agencies are related to the consumer with whom the financial institution or creditor are doing business
  • Reviewing address discrepancies

We’ve stopped taking phone applications and are using the out-of-wallet questions for Internet credit applications. Are we going overboard?

The Red Flags Rule does not preclude phone applications or otherwise limit the manner in which you may accept applications for covered accounts. However, different methods to open covered accounts present different identity theft risks, and you must consider those differing risks in identifying the relevant Red Flags for each type of covered account that you provide.

As we approach the FTC's May 1, 2009 Red Flags Rule enforcement deadline, we are still working with many of our existing and prospective clients to support their Red Flags Identity Theft Prevention Program.  In my opinion, the May 1, 2009 extension did much good on two fronts: 

1.  It brought to light the need for all institutions, particularly in markets outside of traditional financial services arenas, to re-evaluate the expectation of their being 'covered' under the Red Flag guidelines. 

2.  It allowed 'covered' institutions the opportunity to take additional steps to not only create and operationalize their programs, but to spend time making those programs efficient and in line with business and regulatory objectives.

In the spirit of information gathering and sharing, we at Experian are conducting a quick survey to gauge how 'helpful' the May 1, 2009 extension was to your organization.  We're also trying to informally keep our finger on the pulse of market readiness, as the enforcement deadline is upon us.

Via the link below, please take about 60 seconds to answer a few questions that will help us better understand the current state of the market's Red Flags Rule readiness.

Experian Red Flags Survey

We certainly appreciate your time.

I encourage all of you to have a look at this newly launched Federal Trade Commission Web site dedicated to the Red Flags Rule guidelines.  It is a good resource that organizes the requirements of the Rule in a user-friendly manner.  It also looks to be an ongoing resource for the posting of updates and related commentary.  I suggest you make this site one of your bookmarks today:

The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”

Of particular interest is the "Read the Guide" tab, where you can view and download the new FTC guide to Red Flag Rules.  For those in the telecommunications and utilities spaces, check out the "Publish the Articles" tab where you will find two bulletins on Red Flags in these arenas.  Enjoy.

Regardless of the specific checks and overall processes incorporated into your Red Flags Identity Theft Prevention Program, the use of an automated decisioning strategy or strategies will allow you to:

  • Deliver consistent responses based on objective authentication results, while eliminating subjectivity often found in more manual review processes.
  • Save time and money associated with a manual review process currently attributed to Red Flag Rule referrals.
  • Provide examiners a detailed process flow including decision elements.
  • Create champion / challenger flows to test, compare and alter new strategies over time.
  • Revise, over time, the specific elements used in your decisioning to appropriately weight each from a fraud detection and/or compliance perspective.

Experian's consumer authentication products provide hosted decisioning strategies that alleviate the burden on our clients associated with maintenance and development of those processes.  Whether you facilitate your own strategies or use a service provider's hosted strategies, it is important to ensure you are maximizing their ability to balance pass rates, fraud detection and compliance requirements.
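To make the decisioning strategy concrete, here is an added example (written for this page, not Experian's product code) that puts the binary "refer on any mismatch" approach criticized in the risk-based authentication post beside a tiered risk-based strategy, and runs both over a constructed set of applications. The risk-based strategy first tries to clear an address mismatch with an alternate data source, then weights the remaining authentication results into a score that routes the transaction to approval, knowledge-based authentication or a live agent, with notices from a victim or law enforcement always referred. The weights, thresholds, field names and sample applications are all assumptions; a deterministic champion/challenger split keyed on the transaction id is included to show how two strategies can be compared over time.

```python
# Added example (not Experian's code): a binary referral strategy beside a
# risk-based one, run over constructed transactions to compare referral load.
from collections import Counter
from dataclasses import dataclass
from enum import Enum
import hashlib


class Decision(str, Enum):
    APPROVE = "approve"
    KBA = "knowledge-based authentication"
    REFER = "manual referral"


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    name_verified: bool
    ssn_verified: bool
    dob_verified: bool
    address_matches_credit_profile: bool
    address_matches_alternate_source: bool  # hypothetical utility/phone data check
    risk_score: int                         # 0 (low) .. 100 (high), from an analytic model
    red_flags: tuple = ()                   # detected high risk conditions


# Red Flags that must always reach a live agent regardless of score
# (the Rule's "notices from a customer, identity theft victim or law enforcement").
ALWAYS_REFER = {"victim_notice", "law_enforcement_notice"}

# Assumed weights; an institution would calibrate these over time.
DEFAULT_WEIGHTS = {
    "unverified_element": 20,   # per missing name/SSN/DOB verification
    "address_unresolved": 35,   # mismatch not cleared by alternate data
    "red_flag": 25,             # per detected Red Flag condition
    "risk_score": 0.5,          # multiplier on the 0-100 model score
}


def binary_strategy(t: Transaction) -> Decision:
    """Refer on any unverified element, address mismatch or Red Flag."""
    verified = t.name_verified and t.ssn_verified and t.dob_verified
    if verified and t.address_matches_credit_profile and not t.red_flags:
        return Decision.APPROVE
    return Decision.REFER


def risk_points(t: Transaction, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted sum of the authentication results for one transaction."""
    unverified = [t.name_verified, t.ssn_verified, t.dob_verified].count(False)
    address_cleared = t.address_matches_credit_profile or t.address_matches_alternate_source
    return (unverified * weights["unverified_element"]
            + (0 if address_cleared else weights["address_unresolved"])
            + len(t.red_flags) * weights["red_flag"]
            + t.risk_score * weights["risk_score"])


def risk_based_strategy(t: Transaction, weights=DEFAULT_WEIGHTS,
                        kba_threshold=40, refer_threshold=70) -> Decision:
    """Clear what alternate data can clear, step up to KBA on moderate risk,
    and refer only high-risk or mandatory cases to a live agent."""
    if ALWAYS_REFER & set(t.red_flags):
        return Decision.REFER
    points = risk_points(t, weights)
    if points < kba_threshold:
        return Decision.APPROVE
    if points < refer_threshold:
        return Decision.KBA
    return Decision.REFER


def assign_flow(txn_id: str, challenger_pct: int = 20) -> str:
    """Deterministic champion/challenger split keyed on the transaction id."""
    bucket = int(hashlib.sha256(txn_id.encode()).hexdigest(), 16) % 100
    return "challenger" if bucket < challenger_pct else "champion"


def referral_rate(transactions, strategy) -> float:
    """Share of transactions a strategy sends to manual referral."""
    decisions = Counter(strategy(t) for t in transactions)
    return decisions[Decision.REFER] / len(transactions)


# Constructed sample applications (not real data).
SAMPLE = [
    Transaction("A1", True, True, True, True, True, 10),
    Transaction("A2", True, True, True, False, True, 15),
    Transaction("A3", True, True, True, False, False, 20),
    Transaction("A4", True, True, False, False, True, 50),
    Transaction("A5", True, True, True, True, True, 60, ("suspicious_document",)),
    Transaction("A6", True, True, True, False, False, 80, ("suspicious_document",)),
    Transaction("A7", True, True, True, True, True, 5, ("victim_notice",)),
    Transaction("A8", False, False, True, False, False, 90),
]

if __name__ == "__main__":
    for name, strategy in (("binary", binary_strategy), ("risk-based", risk_based_strategy)):
        print(f"{name:>10}: {Counter(strategy(t).value for t in SAMPLE)} "
              f"referral rate {referral_rate(SAMPLE, strategy):.0%}")
```

On the constructed sample the binary strategy refers 7 of 8 applications, while the risk-based strategy approves two that the alternate address source cleared, sends three to knowledge-based authentication and refers three, the victim notice among them. The decision elements and weights are explicit, which is what gives an examiner a traceable process flow and lets the weights be revised as fraud and compliance experience accumulates.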

As stated in an earlier posting, healthcare providers should ensure appropriate compliance with the Red Flags Rule.  There continues to be healthy debate as to what level of applicability the Red Flags Rule has in this market.  That said, the link below, to a recent article by the FTC, highlights some relevant points to think about as healthcare providers consider whether or not they are 'covered' and, if so, the appropriate measures to be taken in developing their Identity Theft Prevention Program.

Of note, the article points out that "health care providers are creditors if they bill consumers after their services are completed. Health care providers that accept insurance are considered creditors if the consumer ultimately is responsible for the medical fees. However, simply accepting credit cards as a form of payment does not make you a creditor under the Red Flags Rule." 

Based on this definition, it appears, to some extent, that the majority of healthcare providers will be covered under the Red Flag Rule as creditors.

I encourage you to have a look at this article if you are still on the fence:
http://www.ftc.gov/bcp/edu/pubs/articles/art11.shtm

For all you folks who, like me, waited until the last minute to knock out a term paper or class project in school, here is a friendly reminder…Yes, the Federal Trade Commission (FTC) pushed out the enforcement deadline of the Red Flags Rule to May 1, 2009.  Yes, a sigh of relief was heard across compliance officers and operations managers nationwide.  However, you should still keep a few things in mind as we approach May 1. 

First, per the FTC, "many entities also noted that because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the requirements of the rule too late to be able to come into compliance by November 1, 2008."  Those of you who have not been subject to FTC enforcement in the past are quite possibly still subject to the Red Flags Rule based on your institution maintaining 'covered accounts' per the definition in the Red Flags Rule itself.  Double check if you think otherwise.

Second, the FTC was clear in stating that "this delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3)." 
So, while May 1 is still a few weeks away, if you are accessing consumer credit reports, for example, you should already have a formal written and operational process to detect and respond to address discrepancies on those credit reports.
