In 2008, identity theft rose 22%, affecting 9.9 million American adults annually. The average fraud per incident was $4,849, while the total annual fraud amount increased to a staggering $48 billion. At that rate, one of every five Americans will have their identity stolen this year alone. Fraud continues to be a substantial threat to the U.S., increasing considerably at 12.6% annually. The average cost of new account fraud is $3,197, and an occurrence typically takes 151 days to detect, according to Javelin Strategy and Research.
The federal government developed and imposed rules and regulations to prevent thieves from stealing private data. But there was a loophole: these rules did not clearly address the use of the data after it had been stolen.
The Red Flag Rule is a component of the Fair and Accurate Credit Transaction Act (FACT), which aims to close that loophole by making it harder for identity thieves to use stolen data. The act requires “agencies that regulate financial institutions and businesses to jointly develop a set of rules to mandate the detection, prevention, and mitigation of identity theft,” as stated by Federal Trade Commissioner Julie Brill.
Meanwhile, identity theft has gone global. It is now favored by terrorist organizations, organized crime members, and individuals who obtain stolen data for personal use.
If your organization falls into the creditor category, you are required to implement a plan to identify, detect and respond to attempts to use stolen identity information. To its credit, the FTC did not specify exactly what the indicators of potential identity theft might be. Instead, it requires your business to take a risk-based view of your operations and to identify where and how a thief could be using someone else’s identity to steal from you.
“The rule, however, was purposely written by the FTC to cover virtually any company that does not require full payment up front. The rule defines a creditor as any business that allows a customer to defer payment. In short, if you send invoices, you are probably covered by this rule.”
The FTC envisions that businesses will identify potential identity theft through the use of the Red Flag Rule. A red flag might be a customer presenting suspicious credentials, multiple address changes in a short period of time, or a notification from a credit reporting agency that the customer has placed a hold on his or her credit history.
The rule requires you to identify all of the indicators that might tip you off to possible identity theft, implement appropriate preventive and detective controls, and react appropriately.
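The three indicators named above (suspicious credentials, several address changes in a short window, and a credit-bureau notice) are the kind of thing a detective control can evaluate automatically against an account's event history. The following is an added illustration written for this article, not code from the FTC or from any vendor named here; the event shape, the 30-day window, the change limit of two, and the sample events are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One account event. The schema is an assumption made for this example."""
    account: str
    when: datetime
    kind: str      # "address_change", "credential_check" or "cra_notice"
    detail: str    # free text: check result, bureau notice type, new address, ...


# Thresholds are illustrative; a real program sets them from its own risk assessment.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)
ADDRESS_CHANGE_LIMIT = 2          # more than this many changes inside the window is a flag


def detect_red_flags(events):
    """Return a list of (account, flag_name, evidence) tuples for review.

    Implements the three indicators discussed in the article as simple rules:
    a sliding window over address changes, any credential check that did not
    verify, and any notice received from a credit reporting agency.
    """
    flags = []
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_account[e.account].append(e)

    for acct, evs in by_account.items():
        # Rule 1: multiple address changes within ADDRESS_CHANGE_WINDOW.
        changes = [e.when for e in evs if e.kind == "address_change"]
        for start in changes:
            in_window = [t for t in changes if start <= t <= start + ADDRESS_CHANGE_WINDOW]
            if len(in_window) > ADDRESS_CHANGE_LIMIT:
                flags.append((acct, "multiple_address_changes",
                              f"{len(in_window)} changes within {ADDRESS_CHANGE_WINDOW.days} days"))
                break   # one flag per account for this rule is enough for triage

        # Rule 2: identification documents that failed verification.
        for e in evs:
            if e.kind == "credential_check" and e.detail != "verified":
                flags.append((acct, "suspicious_credentials", e.detail))

        # Rule 3: a credit reporting agency reported a fraud alert or credit freeze.
        for e in evs:
            if e.kind == "cra_notice":
                flags.append((acct, "credit_bureau_notice", e.detail))
    return flags


# Constructed sample history (not real customers or real data).
SAMPLE_EVENTS = [
    Event("A1", datetime(2024, 1, 1), "address_change", "12 Elm St"),
    Event("A1", datetime(2024, 1, 10), "address_change", "PO Box 77"),
    Event("A1", datetime(2024, 1, 20), "address_change", "9 Oak Ave"),
    Event("A2", datetime(2024, 2, 3), "address_change", "4 Pine Rd"),
    Event("A2", datetime(2024, 2, 4), "credential_check", "photo_id_mismatch"),
    Event("A3", datetime(2024, 3, 1), "cra_notice", "credit_freeze_on_file"),
    Event("A4", datetime(2024, 3, 5), "credential_check", "verified"),
]


def run_sample():
    """Evaluate the constructed history; A4 should produce no flags."""
    return detect_red_flags(SAMPLE_EVENTS)


if __name__ == "__main__":
    for acct, flag, evidence in run_sample():
        print(f"{acct}: {flag} ({evidence})")
```

Each tuple the detector returns is a review item, not a verdict: the rule asks the business to react appropriately, which in practice means a documented triage step (hold the order, re-verify identity, contact the customer through a previously known channel) rather than an automatic block.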
While the rule allows leeway in determining which red flags are relevant to your business, it is very specific about what you have to do and how you have to do it. The Red Flags compliance program must be adequately designed, documented, and regularly updated. It must be approved and regularly reviewed by the board of directors. Adequate training must be delivered. If you have outsourced pieces of your business operations where an identity thief might strike, you are required to ensure that your outsourcer has an adequate Red Flags plan in place.
The rule does not specifically outline which types of businesses must comply; instead, requirements are defined by the type of account a business has with its customers.
The Red Flag Rule is built on the existence of covered accounts. The first type of covered account is one that is “a continuing relationship established by a person with a creditor to obtain a product or service for personal, family, household, or business purposes,” according to the FTC.
Unlike many other federal regulations, the rule does not specify an arduous checklist of specific red flags that you must be on the lookout for. Instead, it recognizes that identity theft techniques change faster than the agencies could conceivably update the regulations.
The rule lists 26 possible red flags that you may want to consider, but you are not required to use all (or even any) of these possible indicators in your program. The burden of determining how someone could steal from you is yours.
The Red Flags Rule also recognizes that your business may change over time, and that those changes may affect the red flags you need to keep an eye on.
“Mergers, acquisitions, alliances, joint ventures, outsourcing and in-sourcing events will likely trigger the need for a re-assessment of your Red Flags plan.”
The regulation calls for a comprehensive plan that is dynamic and constantly changing. The broad scope of the rule means that compliance will touch many parts of your organization: CEOs, CFOs, COOs, chief legal officers, chief compliance officers, chief revenue officers and even your security department may need to be involved.
Finally, the FTC deems Red Flag compliance critical enough to be handled at the board-of-directors level. The board (or, lacking a board, a member of senior management) must endorse the initial plan and evaluate it at least annually. The Red Flag Rule plan must be managed by a senior resource, up to and including the audit committee.
“The rule lists 26 possible red flags that you may want to consider, but you are not required to use all (or even any) of these possible indicators in your program. The burden of determining how someone could steal from you is yours.” (Ximena Boyle, C&M Software, LLC)
Not following federal compliance rules is always an option, although not recommended.
“Upon receipt of a complaint from one of your customers, the FTC may launch an investigation, assess your plan and determine whether it was realistic. At this point, no one knows exactly what realistic means, but it is a pretty good bet that a plan that has allowed multiple identity thefts will not rise to the reasonable level. You can also expect any enforcement actions to be well publicized, and the reputational damage following the instance to be significant.”
Initially, the FTC can assess penalties for violations retroactive to the Dec. 31, 2010 enforcement date, require additional compliance reporting from you, and obtain an injunctive compliance order. Further violations can result in a visit to federal district court and a fine of up to $16,000 per occurrence of identity theft.
On the litigation side, there are two risks associated with non-compliance. The first comes from state attorneys general, who may be able to file class-action suits under unfair and deceptive acts and practices theories. These actions usually permit both actual and punitive damages, and can include attorneys’ fees and court costs.
The greater litigation risk will come from injured parties who file suit against businesses that did not prevent identity theft. The cost, effort, and aggravation associated with repairing damaged credit can be significant, and in today’s litigious environment, injured parties will be looking for a target. If you are sued by one of these injured parties, expect that the plaintiff’s first request will be “Please show me your Red Flag compliance program.”
If you do not have one, or it is poorly written or poorly executed, the plaintiff will likely allege a breach of the duty to protect the information. In summary, the Red Flags Rule is likely to become the standard of care that all companies will need to meet to prevent identity theft. Skipping Red Flag compliance will expose you to real regulatory, reputational and litigation risks.