BankInfoSecurity.com - Information Security News, Regulations, & Education

ID Theft Red Flags Rule: How to Help Your Business Customers Comply

Auto Dealers, Mortgage Brokers, Utility Companies are Among Non-Banking Entities That Must Comply by Nov. 1
September 8, 2008 - Linda McGlasson, Managing Editor

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

With all the focus on banks and credit unions' work to comply with the ID Theft Red Flags Rule, many in the financial services industry have forgotten that the largest share of entities impacted by this new regulation are non-banking institutions -- finance companies, automobile dealers, mortgage brokers, etc.

And while banking institutions have their own hands full ensuring Red Flags compliance, they still can perform great customer service by assisting business customers who also must comply with the regulation.

The Red Flags Rule is part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under this rule, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

Banking regulatory agencies are working with their institutions to ensure compliance. Meanwhile, the Federal Trade Commission oversees compliance by the rest of the covered entities identified as creditors.

Which Non-Banking Entities Must Comply?
The FTC has an extensive outreach effort to explain the Rule in greater detail. According to Tiffany George, attorney in FTC's Division of Privacy and Identity Protection, many companies that don't think of themselves as creditors, or don't believe they need to create an identity theft prevention program, are in fact deemed covered entities under this rule.

These covered entities, no matter how small, need to design and implement an identity theft prevention program, George adds.

She reminds companies that the rule is not based on what kind of information a business collects, but whether it is a financial institution or a creditor. "A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services," George says.

Further, a creditor is:

Any entity that regularly extends, renews or continues credit;
Any entity that regularly arranges for the extension, renewal or continuation of credit;
Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.

Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors do include:

Finance companies,
Automobile dealers,
Mortgage brokers,
Utility companies,
Telecommunications companies.

Healthcare providers who defer payment (provide credit) for patients also fall under the creditor status according to the rule. Any interaction where a consumer is not paying up front would make the business a creditor. "So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," George explains.

Other examples of companies that would fall under the ID Theft Red Flag rule: Home improvement service companies that offer monthly repayment schedules for customers' home improvement projects such as siding, window replacement and remodeling.

"Entities need to realize this applies to anyone who defers payment for a good or service," George says. "Even mom and pop stores that offer monthly credit to customers would fall under this rule. Again, the nature of their program should be tailored to the nature of their business. If their business isn't complex, then they could have a very straightforward, streamlined program."

Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except for those regulated by the federal bank regulatory agencies and the NCUA, are under the jurisdiction of the FTC.

The Requirements

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.






How is your institution helping business customers with their own Red Flags compliance?

"Does the Drivers License Bureau verify a change of address or other information when changes are made at the time a renewal of a license is made?"
"Not on topic but... I find it interesting that the Federal government is mandating the red flag identity theft regulation, and I agree that they should, but why are they exempt from it? The US Postal Service does not verify the identity when a change of address occurs. You can even change your address on the internet. Doesn't it make sense that the US Post Office comply as well? What am I missing here?"