Enforcement date for FACT's Red Flags Rule approaches

The Red Flags Rule, which mandates companies develop methods by which they will identify, detect and respond to identity theft incidents, is set to go into effect May 1.

This May Day, banks and financial services institutions will be waving the red flags. And, no -- they're not the

kind with the hammer and sickle. (Though the recent bailouts by Washington, D.C., make you wonder whether the prefix "People's bank of" shouldn't be affixed to more than a few Wall Street giants.) This time around, the "red flags" refer to identity theft and the Federal Trade Commission's (FTC) Red Flags Rule, which is intended to help thwart it.

Paul Roberts
Paul Roberts
Enforcement of the Red Flags Rule by government and industry regulators is set to begin May 1. Like most May Day celebrations in this country, the go-live date for the Red Flags Rule will be light on ceremony, but this law could be the beginning of something much bigger for enterprises that are concerned about data protection and fraud prevention.

If you haven't been following this story, the Red Flags Rule addresses the kind of loose practices that led to data breaches like the one at identity broker ChoicePoint Inc., where poor internal controls over customer account creation and monitoring allowed identity thieves to request detailed financial information on 145,000 people. The Red Flags Rule mandates that companies develop and document methods by which they will identify, detect and respond to identity theft incidents, or patterns of activities that could indicate identity theft is taking place. The rule has been a long time coming. Initially conceived as part of the Fair and Accurate Credit Transactions Act of 2003 (FACT), Red Flags technically went into force on Jan. 1, 2008, but the FTC made clear that it would not start enforcement efforts before Nov. 1, 2008, to give companies time to prepare. That extension got extended another six months, until this May, after the FTC said there was confusion over which organizations were bound by the new law.

More on information security
Let's Talk About PCI (Payment Card Industry) DSS (Data Security Standards)

How to Secure Cloud Computing
For enterprise IT professionals, Red Flags is both more and less than it might seem at first glance. First: If you think Red Flags does not apply to your organization, you may be in for a rude awakening. According to FTC guidance, Red Flag requirements apply both to financial institutions (banks, savings and loans, credit unions) and a wide range of other creditors. Experts agree that enforcement, at least initially, will focus on not only banks and credit card issuers, but also firms on the periphery -- such as account management and servicing companies and even insurers. The FTC has also mentioned finance companies, automobile dealers, mortgage brokers, utilities and telecommunications companies as the kinds of firms bound by the Red Flags Rule. There's no reason to think that the net won't someday be cast much wider. At a recent meeting with the IT staff of a northeast municipality, I was told Red Flags Rule compliance was a concern for the city, which owned a public water utility that was deemed to be covered by FACT and Red Flags.

For most companies, though, the Red Flags Rule won't be the compliance tsunami that accompanied regulations like the Payment Card Industry's Data Security Standard, which compelled companies handling credit card transactions to invest in areas like vulnerability scanning and endpoint security. The agencies charged with enforcing Red Flags Rule compliance -- the Office of Thrift Supervision, the Federal Deposit Insurance Corp. and the Office of the Comptroller of Currency -- have all issued guidance on where enforcement efforts will focus initially. Companies will be expected to have developed and documented clear and comprehensive identity theft prevention programs and to have trained staff members to implement them. There will be a lot of scrutiny of account creation and account management procedures; Creditors will be expected to know which accounts they maintain could be the target of identity theft and to have developed procedures to spot possible compromises of those accounts (say, an address change request followed by a request for a replacement card in the case of credit card companies) and take appropriate action (notifying the customer, cutting off access, launching an investigation, etc.).

If you think Red Flags does not apply to your organization, you may be in for a rude awakening.
,

Companies will also be expected to have strengthened the procedures by which they validate the identity of their customers before creating accounts, and verify that third-party companies and vendors they do business with protect customer identity data, also. As Paul Henninger, director of fraud solutions at transaction monitoring firm Actimize Inc., points out, many of these are things that banks, credit card issuers and other financial institutions are already doing or have started doing in the wake of high-profile data breaches or in response to other, overlapping regulations.

Indeed, provisions of existing laws or new regulations like the Massachusetts data protection law may do more in the short term to shape financial services firms' actions on data privacy and identity theft than the Red Flags Rule. As an acquaintance noted, the broker-dealer outfit they worked for was ready to be "as compliant as possible" with the Red Flags Rule come May 1 but was far more concerned about abiding by standing rules like the Gramm-Leach-Bliley Act's Regulation S-P.

Down the road, the Red Flags Rule could spur broader investment in technologies like fraud detection and enterprise case management tools, which can help companies spot suspicious behavior early and manage risk. But the real test of the new law will be how well it is enforced and how broadly it is applied. Though its initial targets are banks and financial services firms, there's ample evidence that firms across the economy would benefit from having to pay more attention to what kind of data they are holding about their customers, the security of that data and the business case for retaining it.

Paul F. Roberts is a senior analyst at The 451 Group. Let us know what you think about the story; email: editor@searchcompliance.com


This was first published in April 2009

Dig deeper on Financial services compliance requirements

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCIO

SearchHealthIT

SearchCloudComputing

SearchDataCenter

SearchDataManagement

SearchSecurity

Close