Red Flag Provisions: Automating Compliance and Reporting
6/6/08
Overview

The Red Flag provisions of the Fair and Accurate Credit Transactions (FACT) Act take effect on Nov. 1, 2008. Although the final regulations were issued October 31, 2007, there has been some confusion as to how financial institutions can rapidly deploy an effective Red Flag rules program while regulators have issued no guidance on how to do so. The good news is that most financial institutions already have processes and technology systems in place that can be leveraged in developing their Red Flag rules program. However, a dedicated effort is needed to ensure appropriate compliance with the new requirements.

Regulatory Provisions

Red Flag provisions are intended to help consumers fight the growing crime of identity theft. In an appendix to the requirements, regulators list 26 suggested “Red Flags” as indicators of possible identity theft. If a Red Flag is detected, it doesn’t necessarily mean that identity theft has occurred; it means that the institution should investigate the warning and document an appropriate response. All financial institutions and other creditors with “covered accounts,” including consumer loans and deposit accounts, need to comply.

The Red Flag rules comprise three regulations: requirements for an identity theft prevention program, address discrepancy requirements and requirements for card issuers. Each financial institution that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, is required to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft and enable a financial institution to:
In addition to identity theft prevention, the institution is required to investigate address discrepancies. Institutions accessing consumer reports must implement reasonable policies and procedures to investigate a notice of address discrepancy from a consumer reporting agency. Institutions are also required to identify a substantial difference between the address provided by the consumer and that reported in the agency’s file for the consumer. With regard to card issuers, requests for change of address must be verified prior to issuing an additional or replacement card if the request is received within 30 days after notification. An additional or replacement card cannot be issued until you assess the validity of the change in address.

Red Flag Program

The single most important aspect of any institution’s effort to create and implement a Red Flag program should be defining the program itself. The basic requirement mandated by the regulations is that there is a documented program that is approved by the board of directors. A key factor in constructing a successful written identity theft control program is making sure the bank's key business units (deposits, loans, new accounts, IT, anti-money laundering and fraud) are represented. Input from this cross-functional team will help to facilitate a complete risk assessment of the institution’s covered accounts to determine relevant red flags. To meet these regulatory requirements, technology can help facilitate a rapid program deployment, including program design, program documentation, customer identification, ongoing assessment, account monitoring and reporting.

Leveraging Existing Automation

Many institutions are leveraging automation to detect the identified relevant red flags. In addition to providing real-time data validation against current data sets, automated solutions reinforce internal policies and procedures consistently throughout operations.

Many institutions have already implemented technology to facilitate identity verification and authentication for Bank Secrecy Act and anti-money laundering requirements. Existing Customer Identification Programs (CIP) and Customer Due Diligence (CDD) controls provide many of the required validations for new and existing customers. Through the use of comprehensive CIP software solutions, like Wiz Sentri™: RiskID, existing BSA/AML tests can be easily leveraged to meet Red Flag requirements for detection, investigation and reporting simultaneously.

In addition to identity theft red flag detection, ongoing monitoring of accounts and employee activity can be facilitated through automated solutions like Wiz Sentri: Anti-Fraud. This system monitors all account and employee activity in real time and provides automated alerts on ID theft activities, such as account beneficiary, address or name changes, that may be of a suspicious nature. There are often common patterns of this kind of activity, frequently difficult to differentiate from normal business activities, that our behavioral monitoring can detect. Sometimes employing an automated system can generate “false positive” alerts, which our system helps manage.

Finally, to help sift through the volumes of data and alerts and differentiate between false positives and real ID theft, a case management services platform can greatly enhance the tracking and management of ID theft cases while facilitating the productivity and workflow of reporting and filing. A system such as our Wiz Sentri: Case Officer for Fraud can easily meet such case needs, collecting red flag detection data from the RiskID and Anti-Fraud modules while keeping case information organized and up to date and providing an enterprise view of cases for any type of fraudulent activity.

Our Red Flag Resource Center offers compliance information and software solutions to assist your organization in meeting the red flag regulatory effective date of November 1, 2008.