(Reprint
and tviNews WiTEL®©
Reflections & Plan Comments with Points
& Authorities.)

FEDERAL TRADE COMMISSION
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-FTC-HELP (1-877-382-4357)
ftc.gov/redflagsrule
FIGHTING FRAUD WITH THE RED FLAGS RULE
A How-To Guide for Business
As many as nine million Americans
have their identities stolen each year.
Identity thieves may drain their accounts,
damage their credit, and even endanger
their medical treatment. The cost to
businesses -- left with unpaid bills
racked up by scam artists -- can be
staggering, too.
The
"RED FLAGS" RULE, in effect since January
1, 2008, requires many businesses and
organizations to implement a written
Identity Theft Prevention Program designed
to detect the warning signs -- or "RED
FLAGS" -- of identity theft in their
day-to-day operations, take steps to
prevent the crime, and mitigate the damage
it inflicts.
(See P&A: 1)
By identifying RED FLAGS in advance, they
will be better equipped to spot suspicious
patterns when they arise and take steps to
prevent a RED FLAG from escalating into a
costly episode of identity theft.
The
RED FLAGS RULE is enforced by the Federal
Trade Commission (FTC), the federal bank
regulatory agencies, and the National
Credit Union Administration. If you work
for a bank, federally chartered credit
union, or savings and loan, check with
your federal regulatory agency for
guidance. Otherwise, this booklet has tips
for determining if you are covered by the
RULE and guidance for designing your
Identity Theft Prevention
Program.
THE RED FLAGS RULE
An Overview
The RED FLAGS
RULE sets out how certain businesses and
organizations must develop, implement, and
administer their Identity Theft Prevention
Programs.
Your Program
must include four basic elements, which
together create a framework to address the
threat of identity theft. (See P&A: 2)
First, your Program must include
reasonable policies and procedures to
identify the "RED FLAGS" of identity theft
you may run across in the day-to-day
operation of your business. RED FLAGS are
suspicious patterns or practices, or
specific activities, that indicate the
possibility of identity theft. (See P&A: 3) For
example, if a customer has to provide some
form of identification to open an account
with your company, an ID that looks like
it might be fake would be a "RED FLAG" for
your business.
Second, your Program must be designed to detect the RED FLAGS you've identified. For example, if you've identified fake IDs as a RED FLAG, you must have procedures in place to detect possible fake, forged, or altered identification.
Third, your Program must spell out appropriate actions you'll take when you detect RED FLAGS.
Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.
Just getting something down on paper won't
reduce the risk of identity theft. That's
why the RED FLAGS RULE sets out
requirements on how to incorporate your
Program into the daily operations of your
business. Your board of directors (or a
committee of the board) has to approve
your first written Program. If you don't
have a board, approval is up to an
appropriate senior-level employee. Your
Program must state who's responsible for
implementing and administering it
effectively. Because your employees have a
role to play in preventing and detecting
identity theft, your Program also must
include appropriate staff training. If you
outsource or subcontract parts of your
operations that would be covered by the
RULE, your Program also must address how
you'll monitor your contractors'
compliance.
The RED FLAGS RULE gives you the
flexibility to design a Program
appropriate for your company -- its size
and potential risks of identity theft.
While some businesses and organizations
may need a comprehensive Program that
addresses a high risk of identity theft in
a complex organization, others with a low
risk of identity theft could have a more
streamlined Program.
QUESTION:
How does
the RED FLAGS RULE fit in with the data
security measures we're already
taking?
ANSWER:
Preventing identity theft requires a
360° approach. Data security plays an
essential role in keeping people's
sensitive information from falling into
the wrong hands. Protect what you have
a legitimate business reason
to keep and securely dispose of what you
no longer need. But even with appropriate
data security measures in place, thieves
are resourceful and still may find ways to
steal information and use it to open or
access accounts. That hurts individual
identity theft victims, who may have to
spend hundreds of dollars and many days
repairing damage to their good name and
credit record. But it also hurts your
bottom line. Identity thieves run up huge
bills with no intention of paying --
leaving you with accounts receivable
you'll never be able to collect.
The RED FLAGS RULE picks up where data
security leaves off. It seeks to prevent
identity theft by ensuring that your
business or organization is on the lookout
for the signs that a crook is using
someone else's information, typically to
get products or services from you with no
intention of paying. That's why it's
important to fight the battle against
identity theft on two fronts: First, by
implementing data security practices that
make it harder for crooks to get access to
the personal information they use to open
or access accounts, and second, by paying
attention to the RED FLAGS that suggest
that fraud may be afoot. For more on how
to implement data security protections in
your business, visit
ftc.gov/infosecurity.
WHO MUST COMPLY WITH THE RED FLAGS RULE?
The RED FLAGS
RULE applies to "Financial Institutions"
and "creditors." The RULE requires you to
conduct a periodic risk assessment to
determine if you have "covered accounts."
You need to implement a written program
only if you have covered accounts.
It's
important to look closely at how the RULE
defines "financial institution" and
"creditor" because the terms apply to
groups that might not typically use those
words to describe themselves. For example,
many non-profit groups and government
agencies are "creditors" under the Rule.
(See P&A: 4)
The
determination of whether your business or
organization is covered by the RED FLAGS
RULE isn't based on your industry or
sector, but rather on whether your
activities fall within the relevant
definitions.
Financial
Institution
The
RED FLAGS RULE defines a "financial
institution" as a state or national bank,
a state or federal savings and loan
association, a mutual savings bank, a
state or federal credit union, or any
other person that, directly or indirectly,
holds a transaction account belonging to a
consumer.
(See P&A: 5)
Banks, federally chartered credit unions,
and savings and loan associations come
under the jurisdiction of the federal bank
regulatory agencies and/or the National
Credit Union Administration. Check with
those agencies for guidance tailored to
those businesses. The remaining financial
institutions come under the jurisdiction
of the FTC.
EXAMPLES - of Financial Institutions under
the FTC's jurisdiction are state-chartered
credit unions, mutual funds that offer
accounts with check-writing privileges, or
other institutions that offer accounts
where the consumer can make payments or
transfers to third parties.
Goods, Products &
Services
Creditors
Such As: NBS WiTEL®© -- and
Verizon, fall under the definition of
"CREDITOR" -- The definition is broad and
includes businesses or organizations that
regularly defer payment for goods or
services or provide goods or services and
bill customers later.
(See P&A: 6)
Utility companies, health care providers,
and telecommunications companies are among
the entities that may fall within this
definition,
depending on how and when they collect
payment for their services. The Rule also
defines a "creditor" as one who regularly
grants loans, arranges for loans or the
extension of credit, or makes credit
decisions.
EXAMPLES - include finance companies,
mortgage brokers, real estate agents,
automobile dealers, and retailers that
offer financing or help consumers get
financing from others, say, by processing
credit applications. In addition, the
definition includes anyone who regularly
participates in the decision to extend,
renew, or continue credit, including
setting the terms of credit --
FOR EXAMPLE, a third-party debt collector
who regularly renegotiates the terms of a
debt. If you regularly extend credit to
other businesses, you also are covered
under this definition.
Covered
Accounts
Once you've
concluded that your business or
organization is a Financial Institution or
creditor, you must determine if you have
any "covered accounts," as the RED FLAGS
RULE defines that term. To make that
determination, you'll need to look at both
existing accounts and new ones. Two
categories of accounts are covered. (See P&A: 7)
The first kind is a consumer account you
offer your customers that's primarily for
personal, family, or household purposes
that involves or is designed to permit
multiple payments or transactions.
(See P&A: 8)
EXAMPLES -- are credit card accounts,
mortgage loans, automobile loans, margin
accounts, cell phone accounts, utility
accounts, checking accounts, and savings
accounts.
The second
kind of "covered account" is "any other
account that a Financial Institution or
Creditor offers or maintains for which
there is a reasonably foreseeable risk to
customers or to the safety and soundness
of the Financial Institution or creditor
from identity theft, including financial,
operational, compliance, reputation, or
litigation risks." (See P&A: 9)
EXAMPLES - include small business
accounts, sole proprietorship accounts, or
single transaction consumer accounts that
may be vulnerable to identity theft.
Unlike consumer accounts designed to
permit multiple payments or transactions
-- they always are "covered
accounts" under the RULE -- other types of
accounts are "covered accounts" only if
the risk of identity theft is reasonably
foreseeable.
In
determining if accounts are covered under
the second category, consider how they're
opened and accessed. For example, there
may be a reasonably foreseeable risk of
identity theft in connection with business
accounts that can be accessed remotely
-- such as through the Internet or
by telephone. Your risk analysis must
consider any actual incidents of identity
theft involving accounts like these.
QUESTION:
I know our
company is a "creditor" under the RULE
because we issue credit cards. But we also
have non-credit accounts. Do we have to
determine if both types of accounts are
"covered accounts?"
ANSWER:
Yes, and the
same goes for Financial Institutions with
transaction and non-transaction accounts.
For example, a telecommunications company
that has accounts that are billed after
service is rendered (credit accounts) and
accounts that are prepaid or paid when
service is rendered (non-credit accounts)
would have to evaluate both types of
accounts to determine if they're
covered.
Likewise, a broker-dealer that offers
accounts with check-writing privileges
(transaction accounts) and without those
privileges (non-transaction accounts)
would have to consider both kinds of
accounts to determine if they're
covered.
QUESTION:
I manage a
restaurant that accepts credit cards. Are
we covered by the RED FLAGS RULE?
ANSWER:
Probably not.
Simply accepting credit cards as a form of
payment does not make you a "creditor"
under the RED FLAGS RULE. But if a company
offers its own credit card, arranges
credit for its customers, or extends
credit by selling customers goods or
services now and billing them later, it is
a "creditor" under the law.
Don't have any covered accounts? You don't
need to have a written Program. But
business models and services change.
That's why you must conduct a periodic
risk assessment to help you determine if
you've acquired any covered accounts
through changes to your business
structure, processes, or
organization.
QUESTION:
My business
isn't subject to much of a risk that a
crook is going to misuse someone's
identity to steal from me, but I do have
covered accounts. How should I structure
my Program?
ANSWER:
If identity
theft isn't a big risk in your business,
complying with the RULE should be simple
and straightforward, with only a few RED
FLAGS. For example, where the risk of
identity theft is low, your Program might
focus on how to respond if you are
notified -- say, by a consumer or a law
enforcement officer -- that the person's
identity was misused at your business. The
Guidelines to the RULE have examples of
possible responses. But even a low-risk
business needs to have a written Program
that is approved either by its board of
directors or an appropriate senior
employee. And because risks change, you
must assess your Program periodically to
keep it current.
HOW TO COMPLY: A FOUR STEP PROCESS
1. Identify relevant RED FLAGS. Identify the RED FLAGS of identity theft you're likely to come across in your business.
2. Detect RED FLAGS. Set up procedures to detect those RED FLAGS in your day-to-day operations.
3. Prevent and mitigate identity theft. If you spot the RED FLAGS you've identified, respond appropriately to prevent and mitigate the harm done.
4. Update your Program. The risks of identity theft can change rapidly, so it's important to keep your Program current and educate your staff.
If you're a creditor or Financial
Institution with covered accounts, you
must develop and implement a written
Identity Theft Prevention Program. The
Program must be designed to prevent,
detect, and mitigate identity theft in
connection with the opening of new
accounts and the operation of existing
ones. Your Program must be appropriate to
the size and complexity of your business
or organization and the nature and scope
of its activities. A company with a higher
risk of identity theft or a variety of
covered accounts may need a more
comprehensive Program.
Many
companies already have plans in place to
combat identity theft and related fraud.
If that's the case for your business, you
may be able to incorporate procedures that
already have proven effective.
1. IDENTIFY RELEVANT RED FLAGS
What are "RED
FLAGS"? They're the potential patterns,
practices, or specific activities
indicating the possibility of identity
theft.
(See P&A: 10)
Although
there's no one-size-fits-all approach,
consider:
Risk Factors
Different types
of accounts pose different kinds of risk.
For example, RED FLAGS for deposit
accounts may differ from RED FLAGS for
credit accounts. Similarly, the RED FLAGS
for consumer accounts may not be the same
as those for business accounts. And RED
FLAGS for accounts opened or accessed
online or by phone may differ from those
involving face-to-face contact.
Therefore,
in identifying the relevant RED FLAGS,
consider the types of accounts you offer
or maintain; the methods used to open
covered accounts; how you provide access
to those accounts; and what you have
learned about identity theft in your
business.
Sources of RED FLAGS
Consider
other sources of information, including
how identity theft may have affected your
business and the experience of other
members of your industry.
Because
technology and criminal techniques change
constantly, keep up-to-date on new
threats.
Categories of Common RED FLAGS
Supplement A to the RED
FLAGS RULE lists five specific categories
of warning signs to consider including in
your Program. Some examples may be
relevant to your business or organization.
Some may be relevant only when combined or
considered with other indicators of
identity theft. The examples, listed on
the following pages, aren't an exhaustive
compilation or a mandatory checklist, but
rather a way to help think about relevant
RED FLAGS in the context of your
business.
1. Alerts, Notifications, and Warnings from a Credit Reporting Company.
Here are some examples of changes in a credit report or a consumer's credit activity that may signal identity theft:
- a fraud or active duty alert on a credit report
- a notice of credit freeze in response to a request for a credit report
- a notice of address discrepancy provided by a credit reporting agency
- a credit report indicating a pattern of activity inconsistent with the person's history -- FOR EXAMPLE, a big increase in the volume of inquiries or the use of credit, especially on new accounts; an unusual number of recently established credit relationships; or an account that was closed because of an abuse of account privileges
2. Suspicious Documents.
Sometimes paperwork has the telltale signs of identity theft. Here are EXAMPLES of RED FLAGS involving documents:
- identification that looks altered or forged
- the person presenting the identification doesn't look like the photo or match the physical description
- information on the identification that differs from what the person presenting the identification is telling you or doesn't match with other information, like a signature card or recent check
- an application that looks like it's been altered, forged, or torn up and reassembled.
3. Suspicious Personal-identifying Information.
Identity thieves may use personally identifying information that doesn't ring true. Here are some RED FLAGS involving identifying information:
- inconsistencies with what else you know -- FOR EXAMPLE, an address that doesn't match the credit report, the use of a Social Security number that's listed on the Social Security Administration Death Master File (See P&A: 11), or a number that hasn't been issued, according to the monthly issuance tables available from the Social Security Administration (See P&A: 12)
- inconsistencies in the information the customer has given you -- say, a date of birth that doesn't correlate to the number range on the Social Security Administration's issuance tables
- an address, phone number, or other personal information that's been used on an account you know to be fraudulent
- a bogus address, an address for a mail drop or prison, a phone number that's invalid, or one that's associated with a pager or answering service
- a Social Security number that's been used by someone else opening an account
- an address or telephone number that's been used by many other people opening accounts
- a person who omits required information on an application and doesn't respond to notices that the application is incomplete
- a person who can't provide authenticating information beyond what's generally available from a wallet or credit report -- FOR EXAMPLE, a person who can't answer a challenge question
4. Suspicious Account Activity.
Sometimes the tip-off is how the account is being used. Here are some RED FLAGS related to account activity:
- soon after you're notified of a change of address, you're asked for new or additional credit cards, cell phones, etc., or to add users to the account
- a new account that's used in ways associated with fraud -- FOR EXAMPLE, the customer doesn't make the first payment, or makes only an initial payment; or most of the available credit is used for cash advances or for jewelry, electronics, or other merchandise easily convertible to cash
- an account that's used in a way inconsistent with established patterns -- FOR EXAMPLE, nonpayment when there's no history of missed payments, a big increase in the use of available credit, a major change in buying or spending patterns or electronic fund transfers, or a noticeable change in calling patterns for a cell phone account
- an account that's been inactive for a long time is suddenly used again
- mail sent to the customer that's returned repeatedly as undeliverable although transactions continue to be conducted on the account
- information that the customer isn't receiving their account statements in the mail
- information about unauthorized charges on the account
5.
Notice from Other Sources.
Sometimes
a RED FLAG that an account has been opened
or used fraudulently can come from a
customer, a victim of identity theft, a
law enforcement authority, or someone
else.
2. DETECT RED FLAGS
Once you've
identified the RED FLAGS of identity theft
for your business, it's time to lay out
procedures for detecting them in your
day-to-day operations. Sometimes using
identity verification and authentication
methods can help you turn up RED FLAGS.
Consider how your procedures may differ
depending on whether an identity
verification or authentication is taking
place in person or at a distance --
say, by telephone, mail, Internet, or
wireless system.
New accounts
When
verifying the identity of the person who
is opening a new account, reasonable
procedures may include getting a name,
address, and identification number and,
for in-person verification, checking a
current government-issued identification
card, like a driver's license or passport.
Depending on the circumstances, you may
want to compare that information with the
information you can find out from other
sources, like a credit reporting company
or data broker, the Social Security Number
Death Master File, or publicly available
information.
(See P&A: 13) Asking
challenge questions based on information
from other sources can be another way of
verifying someone's identity.
Existing accounts
To detect RED FLAGS for existing accounts,
your Program may include reasonable
procedures to authenticate customers
(confirming that the person you're dealing
with really is your customer), monitor
transactions, and verify the validity of
change-of-address requests. For online
authentication, consider the Federal
Financial Institutions Examination
Council's guidance on authentication as a
starting point.
(See P&A: 14)
It
explores the application of multi-factor
authentication techniques in high-risk
environments, including using passwords,
PIN numbers, smart cards, tokens, and
biometric identification. Certain types of
personal information -- like a
Social Security number, date of birth,
mother's maiden name, or mailing address
-- are not good authenticators because
they're so easily accessible.
You
may already be using programs to monitor
transactions, identify behavior that
indicates the possibility of fraud and
identity theft, or validate changes of
address. If that's the case, incorporate
these tools into your Program.
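As an added illustration (not part of the FTC guide), here is a minimal monitoring check for three of the RED FLAGS listed under "Suspicious Account Activity": a card or user request soon after an address change, a long-inactive account that is suddenly used, and transactions that continue while mail keeps coming back undeliverable. The event names, the 30-day and 365-day windows, the returned-mail threshold, and the sample events are assumptions constructed for this example; the guide leaves "soon" and "a long time" for each business to define.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    day: date
    kind: str  # hypothetical event kinds; map these to your own system's records


# Assumed thresholds. The guide gives no numbers, so these are placeholders
# that a written Program would set and periodically re-evaluate.
ADDRESS_WINDOW = timedelta(days=30)   # "soon after" a change of address
DORMANCY = timedelta(days=365)        # "inactive for a long time"
RETURNED_MAIL_MIN = 2                 # mail "returned repeatedly"

SENSITIVE_REQUESTS = {"new_card_request", "add_user_request"}


def detect_red_flags(events):
    """Return a sorted list of (account, flag, day) for the three rules above."""
    by_account = {}
    for ev in sorted(events, key=lambda e: (e.account, e.day)):
        by_account.setdefault(ev.account, []).append(ev)

    flags = set()
    for account, evs in by_account.items():
        last_address_change = None
        last_transaction = None
        returned_mail = 0
        for ev in evs:
            if ev.kind == "address_change":
                last_address_change = ev.day
            elif ev.kind in SENSITIVE_REQUESTS:
                # New cards or added users requested shortly after an address change.
                if (last_address_change is not None
                        and ev.day - last_address_change <= ADDRESS_WINDOW):
                    flags.add((account, "request_after_address_change", ev.day))
            elif ev.kind == "returned_mail":
                returned_mail += 1
            elif ev.kind == "transaction":
                # The first transaction on an account is never "dormant":
                # there is no earlier activity to measure the gap from.
                if (last_transaction is not None
                        and ev.day - last_transaction >= DORMANCY):
                    flags.add((account, "dormant_account_reactivated", ev.day))
                # Activity continues although statements are not being delivered.
                if returned_mail >= RETURNED_MAIL_MIN:
                    flags.add((account, "transactions_despite_returned_mail", ev.day))
                last_transaction = ev.day
    return sorted(flags)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("A-100", date(2024, 3, 1), "address_change"),
    Event("A-100", date(2024, 3, 10), "new_card_request"),
    Event("A-200", date(2022, 1, 15), "transaction"),
    Event("A-200", date(2024, 2, 1), "transaction"),
    Event("A-300", date(2024, 1, 5), "transaction"),
    Event("A-300", date(2024, 1, 20), "returned_mail"),
    Event("A-300", date(2024, 2, 20), "returned_mail"),
    Event("A-300", date(2024, 3, 2), "transaction"),
    # Control account: the request comes a year after the address change.
    Event("A-400", date(2023, 1, 1), "address_change"),
    Event("A-400", date(2024, 1, 1), "add_user_request"),
    Event("A-400", date(2024, 1, 2), "transaction"),
    Event("A-400", date(2024, 1, 20), "transaction"),
]

if __name__ == "__main__":
    for account, flag, day in detect_red_flags(SAMPLE_EVENTS):
        print(f"{day.isoformat()}  {account}  {flag}")
```

A hit from a check like this is a prompt to apply the response procedures in your Program, not a finding of identity theft; the guide notes that some RED FLAGS are relevant only when combined with other indicators.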
3. PREVENT AND MITIGATE IDENTITY THEFT
When you spot a
RED FLAG, be prepared to respond
appropriately.
Your response will depend upon the degree
of risk posed. It may need to accommodate
other legal obligations -- FOR EXAMPLE,
laws for medical providers or utility
companies regarding the provision and
termination of service.
The Guidelines in the RED FLAGS RULE offer
examples of some appropriate responses,
including:
- monitoring a covered account for evidence of identity theft;
- contacting the customer;
- changing passwords, security codes, or other ways to access a covered account;
- closing an existing account;
- reopening an account with a new account number;
- not opening a new account;
- not trying to collect on an account or not selling an account to a debt collector;
- notifying law enforcement;
- determining that no response is warranted under the particular circumstances.
The facts of a particular case may warrant
using one or several of these options, or
another response altogether. In
determining your response, consider
whether any aggravating factors heighten
the risk of identity theft. For example, a
recent breach that resulted in
unauthorized access to a customer's
account records or a customer who gave
personal information to an impostor would
certainly call for a stepped-up response
because the risk of identity theft would
go up.
4. UPDATE THE PROGRAM
The RULE recognizes that new RED FLAGS
emerge as technology changes or identity
thieves change their tactics. Therefore,
it requires periodic updates to your
Program to ensure that it keeps current
with identity theft risks. Factor in your
own experience with identity theft;
changes in how identity thieves operate;
new methods to detect, prevent, and
mitigate identity theft; changes in the
accounts you offer; and changes in your
business, such as mergers, acquisitions,
alliances, joint ventures, and
arrangements with service
providers.
ADMINISTERING YOUR PROGRAM:
Your initial written Program must get the
approval of your board of directors or an
appropriate committee of the board; if you
don't have a board, someone in senior
management must approve it.
Your board may oversee, develop,
implement, and administer the Program or
it may designate a senior employee to do
the job.
Responsibilities include assigning
specific responsibility for the Program's
implementation, reviewing staff reports
about how your organization is complying
with the RULE, and approving important
changes to your Program.
The RULE requires that you train relevant
staff only as "necessary" --
FOR EXAMPLE, staff that has received
anti-fraud prevention training may not
need to be re-trained. Remember though,
that employees at many levels of your
organization can play a key role in
identity theft deterrence and
detection.
In administering your Program, monitor the
activities of your service providers. If
they're conducting activities covered by
the RULE --
FOR EXAMPLE, opening or managing accounts,
billing customers, providing customer
service, or collecting debts -- they
must apply the same standards you would if
you were performing the tasks yourself.
One way to make sure your service
providers are taking reasonable steps is
to add a provision to your contracts that
they have procedures in place to detect
RED FLAGS and either report them to you or
respond appropriately to prevent or
mitigate the crime themselves. Other ways
to monitor them include giving them a copy
of your Program, reviewing their RED FLAGS
policies, or requiring periodic reports
about RED FLAGS they have detected and
their response.
It's likely that service providers offer
the same services to a number of client
companies. As a result, the Guidelines are
flexible about using service providers
that have their own Programs as long as
they meet the requirements of the
RULE.
The person responsible for your Program
should report at least annually to the
board of directors or a designated senior
manager. The report should evaluate how
effective your Program has been in
addressing the risk of identity theft; how
you're monitoring the practices of your
service providers; significant incidents
of identity theft and your response; and
recommendations for major changes to the
Program. (See P&A: 15)
Questions
about complying with the RED FLAGS
RULE?
Contact
RedFlags@ftc.gov
RESOURCES
For
more information on developing your
Identity Theft Prevention
Program:
New "RED FLAG" Requirements for
Financial Institutions and Creditors Will
Help Fight Identity Theft
ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
The "RED FLAGS" RULE: Are You Complying
with New Requirements for Fighting
Identity Theft?
ftc.gov/bcp/edu/pubs/articles/art10.shtm
The RED FLAGS RULE
ftc.gov/os/fedreg/2007/november/071109redflags.pdf
Find
out about identity theft and data
security:
The
FTC's Identity Theft Site
ftc.gov/idtheft
OnGuard Online Identity Theft Site
onguardonline.gov/topics/identity-theft.aspx
The FTC's
Information Security Site
ftc.gov/infosecurity
Protecting
Personal information:
A Guide for Business
ftc.gov/bcp/edu/pubs/business/idtheft/bus69.pdf
Information
Security Interactive Video
Tutorial
ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html.
END FOOTNOTES:
1. The RED FLAGS RULE was promulgated in 2007 pursuant to Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681m(e). The RED FLAGS RULE is published at 16 C.F.R. § 681.2. See also 72 Fed. Reg. at 63,772 (Nov. 9, 2007). You can find the full text at www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf. The preamble -- pages 63718-63733 -- discusses the purpose, intent, and scope of coverage of the RULE. The text of the FTC RULE is at pages 63772-63774. The RULE includes Guidelines -- Appendix A, pages 63773-63774 -- that are intended to help businesses develop and maintain a compliant Program. The Supplement to the Guidelines -- page 63774 -- provides a list of 26 examples of RED FLAGS for businesses and organizations to consider incorporating into their Programs. This guide does not address companies' obligations under the Address Discrepancy RULE or the Card Issuer RULE, also contained in the Federal Register with the RED FLAGS RULE.
2. "Identity theft" means a fraud
committed or attempted using the
identifying information of another person
without authority. See 16 C.F.R. §
603.2(a). "Identifying information"
means "any name or number that may be
used, alone or in conjunction with any
other information, to identify a specific
person, including any -- (1) Name, Social
Security number, date of birth, official
State or government issued driver's
license or identification number, alien
registration number, government passport
number, employer or taxpayer
identification number;
(2)
Unique biometric data, such as
fingerprint, voice print, retina or iris
image, or
other unique physical representation;
(3)
Unique electronic identification number,
address, or routing code; or
(4)
Telecommunication identifying information
or access device (as defined in
18 U.S.C. 1029(e))."
See 16 C.F.R. § 603.2(b).
3. See 16 C.F.R. §
681.2(b)(9).
5. The RULE's definition of "Financial
Institution" is found in the FCRA. See 15
U.S.C. § 1681a(t). The term
"transaction account" is defined in
section 19(b) of the Federal Reserve Act.
See 12 U.S.C. § 461(b)(1)(C). A
"transaction account" is a deposit or
account from which the owner may make
payments. . . or transfers to third
parties or others. Transaction accounts
include checking accounts, negotiable
orders of withdrawal accounts, savings
deposits subject to automatic transfers,
and share draft accounts.
6. "Creditor" and "credit" are defined
in the FCRA, see 15 U.S.C. §
1681a(r)(5), by reference to section 702
of the Equal Credit Opportunity Act
(ECOA), 15 U.S.C. § 1691a. The ECOA
defines "credit" as "the right granted by
a creditor to a debtor to defer payment of
debt or to incur debts and defer its
payment or to purchase property or
services and defer payment therefor." 15
U.S.C. § 1691a(d). The ECOA defines
"creditor" as "any person who regularly
extends, renews or continues credit; any
person who regularly arranges for the
extension, renewal, or continuation of
credit; or any assignee of any original
creditor who participates in the decision
to extend, renew, or continue credit." 15
U.S.C. § 1691a(e). The term "person"
means "a natural person, a corporation,
government or governmental subdivision or
agency, trust, estate, partnership,
cooperative, or association." 15 U.S.C.
§ 1691a(f). See also Regulation B, 68
Fed. Reg. 13161 (Mar. 18, 2003).
7. An "account" is a continuing
relationship established by a person with
a Financial Institution or creditor to
obtain a product or service for personal,
family, household, or business purposes.
16 C.F.R. § 681.2(b)(1). An account
does not include a one-time transaction
involving someone who isn't your customer,
such as a withdrawal from an ATM
machine.
8. See 16 C.F.R. §
681.2(b)(3)(i).
9. 16 C.F.R. §
681.2(b)(3)(ii).
10. See 16 C.F.R. §
681.2(b)(9).
11. The Social Security Administration
Death Master File is a service companies
can buy that contains records of deaths
that have been reported to the Social
Security Administration. See
www.ntis.gov/products/ssa-dmf.aspx.
12. See
www.ssa.gov/employer/ssnvhighgroup.htm.
13. These verification procedures are
set forth in the Customer Identification
Program RULE applicable to banking
institutions, 31 C.F.R. § 103.121.
This RULE may be a helpful starting point
in developing your Program.
14. "Authentication in an Internet
Banking Environment" (Oct. 12, 2005),
available at
www.ffiec.gov/press/pr101205.htm.
15. See 72 Fed. Reg. at
63,773.