If you haven't been following this story, the Red Flags Rule addresses the kind of loose practices that led to data breaches like the one at identity broker ChoicePoint Inc., where poor internal controls over customer account creation and monitoring allowed identity thieves, posing as legitimate business customers, to pull detailed financial records on roughly 145,000 people. The Red Flags Rule requires covered companies to develop and document a written program for identifying, detecting and responding to identity theft incidents, or to patterns of activity that could indicate identity theft is under way. The rule has been a long time coming. Initially conceived under the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act), Red Flags technically took effect on Jan. 1, 2008, but the FTC made clear that it would not begin enforcement before Nov. 1, 2008, to give companies time to prepare. That deadline was then pushed back another six months, to May 1 of this year, after the FTC acknowledged confusion over which organizations are bound by the rule.
For most companies, though, the Red Flags Rule won't be the compliance tsunami that accompanied regulations like the Payment Card Industry's Data Security Standard, which compelled companies handling credit card transactions to invest in areas like vulnerability scanning and endpoint security. The agencies charged with enforcing Red Flags Rule compliance -- among them the Office of Thrift Supervision, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency -- have issued guidance on where enforcement efforts will focus initially. Companies will be expected to have developed and documented clear and comprehensive identity theft prevention programs and to have trained staff members to implement them. Account creation and account management procedures will get a lot of scrutiny. Creditors will be expected to know which of the accounts they maintain could be targets of identity theft, to have procedures for spotting possible compromises of those accounts (say, an address change request followed shortly by a request for a replacement card, in the case of credit card issuers), and to take appropriate action (notifying the customer, cutting off access, launching an investigation and so on).
Companies will also be expected to have strengthened the procedures by which they validate the identity of customers before opening accounts, and to verify that the third-party companies and vendors they do business with protect customer identity data as well. As Paul Henninger, director of fraud solutions at transaction monitoring firm Actimize Inc., points out, many of these are things that banks, credit card issuers and other financial institutions are already doing or have started doing, either in the wake of high-profile data breaches or in response to other, overlapping regulations.
Indeed, provisions of existing laws and newer regulations like the Massachusetts data protection law may do more in the short term to shape financial services firms' handling of data privacy and identity theft than the Red Flags Rule. As an acquaintance noted, the broker-dealer outfit they worked for was ready to be "as compliant as possible" with the Red Flags Rule come May 1 but was far more concerned about abiding by standing rules like Regulation S-P, the SEC's privacy rule under the Gramm-Leach-Bliley Act.
Down the road, the Red Flags Rule could spur broader investment in technologies like fraud detection and enterprise case management tools, which help companies spot suspicious behavior early and manage the resulting risk. But the real test of the rule will be how well it is enforced and how broadly it is applied. Though its initial targets are banks and financial services firms, there's ample evidence that firms across the economy would benefit from being made to pay more attention to what data they hold about their customers, how well that data is secured, and whether there is a business case for retaining it at all.
This was first published in April 2009