ID Theft Red Flags Rule: Agencies Release FAQs
New Document Tackles Scope, Definitions and Other Common Issues Found During Red Flags Exams
The Red Flags and Address Discrepancy Rules, part of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), issued in November 2007, apply to all financial institutions regulated by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC).
The rules require financial institutions and creditors to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.
Regulators started examining institutions for Red Flags compliance last Nov. 1, and the FAQs represent common questions and issues examiners have encountered.
The agencies' staff developed the answers to the FAQs to help give insight on various aspects of the rules, including which types of entities and accounts are covered; establishment and administration of an Identity Theft Prevention Program; address validation requirements applicable to card issuers; and the obligations of users of consumer reports upon receiving a notice of address discrepancy.
The FAQs are divided into four parts:
- The ID Theft Red Flags scope: Eight questions cover record retention, the relationship between information security standards and the Red Flags rules, and which entities are required to comply.
- The definitions of "covered account" and "service provider": Eleven questions illustrate the terms covered account and service provider, address pre-paid card products, and cover other types of services that are covered accounts, such as certificates of deposit, IRAs, trust accounts, and indirect lending such as when an institution buys a consumer loan.
- Types of notices of address discrepancy that trigger the rule: The questions in this section cover which address discrepancy notices are applicable to the rule, and also cover resellers and consumer reports users and how the rule applies to them.
- Furnishing a confirmed address to a consumer reporting agency: The three questions in this section establish what information must be submitted to consumer reporting agencies and the policies and procedures that businesses need to have in place to do so. The final question addresses delinquent account reporting and notices of address discrepancy.
FTC's Betsy Broder says the FAQs are considered a "living document" and will be added to as needed when other questions come up regarding the regulations. Broder is the assistant director of the Division of Privacy and ID Protection at the FTC. She adds that the FTC will shortly issue a separate set of FAQs to address questions asked by those entities overseen by the FTC. The FTC recently moved back the enforcement date to August 1 to give companies more time to meet the rule's compliance requirements.