Red Flags Rule
The Federal Trade Commission Issues Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy
The Federal Trade Commission and the federal financial institution regulatory agencies have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
The Federal Trade Commission (“FTC”) requires every utility, including public water and waste water systems, to implement an Identity Theft Prevention Program. The deadline to implement a program to prevent theft of customer information was extended to December 31, 2010.
According to a report of the President’s Identity Theft Task Force, identity theft (a fraud attempted or committed using identifying information of another person without authority), results in billions of dollars in losses each year to individuals and businesses.
The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:
1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
2. Detect red flags that have been incorporated into the Program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft;
4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.
FACTA requires that municipalities, as creditors, develop a written Identity Theft Protection Program that is appropriate for the size and complexity of the municipality. The Program must include elements to identify, detect, and respond to Red Flags. In addition, the Program must provide for a periodic updating process to reflect changes in risks to the creditor’s customers.
Red Flags. The FTC regulations identify numerous red flags that must be considered in adopting an identity theft policy. The FTC has defined a red flag as a pattern, practice, or specific activity that indicates the possible existence of identity theft. The following red flags are examples provided in the regulations of the FTC:
(1) Notifications from Consumer Reporting Agencies.
(2) Suspicious documents. Possible red flags include:
i) presentation of documents appearing to be altered or forged;
ii) presentation of photographs or physical descriptions that are not consistent with the appearance of the applicant or customer;
iii) presentation of other documentation that is not consistent with the information provided when the account was opened or existing customer information;
iv) presentation of information that is not consistent with the account application; or
v) presentation of an application that appears to have been altered, forged, destroyed, or reassembled.
(3) Suspicious personal identifying information. Possible red flags include:
i) personal identifying information is being provided by the customer that is not consistent with other personal identifying information provided by the customer or is not consistent with the customer’s account application;
ii) personal identifying information is associated with known fraudulent activity;
iii) the social security number (if required or obtained) is the same as that submitted by another customer;
iv) the telephone number or address is the same as that submitted by another customer;
v) the applicant failed to provide all personal identifying information requested on the application; or
vi) the applicant or customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
(4) Unusual use of or suspicious activity related to an account. Possible red flags include:
i) a change of address for an account followed by a request to change the account holder’s name;
ii) a change of address for an account followed by a request to add new or additional authorized users or representatives;
iii) an account is not being used in a way that is consistent with prior use (such as late or no payments when the account has been timely in the past);
iv) a new account is used in a manner commonly associated with known patterns of fraudulent activity (such as customer fails to make the first payment or makes the first payment but no subsequent payments);
v) mail sent to the account holder is repeatedly returned as undeliverable;
vi) the Utility receives notice that a customer is not receiving his paper statements; or
vii) the Utility receives notice of unauthorized activity on the account.
(5) Notice regarding possible identity theft. Possible red flags include:
i) notice from a customer, an identity theft victim, law enforcement personnel or other reliable sources regarding possible identity theft or phishing related to utility accounts.
If you need assistance reviewing the procedures and creating an Identity Theft Prevention Program for your utility, please contact one of the Michigan RCAP Technical Assistance Providers.
Click here for Michigan RCAP contact information.
For further information:
Michigan RCAP is part of the Great Lakes Rural Community Assistance Program, administered by the Michigan Community Action Agencies Association (MCAAA).
© 2008-2011 Michigan RCAP All Rights Reserved