New Red Flags Law Has Indirect but Real Meaning to CUs
This past December, the Red Flag Program Clarification Act became law. The new law ends a multi-year impasse over the Federal Trade Commission's (FTC) enforcement of the Red Flags Rule, which requires creditors to identify, detect and mitigate identity theft risks known as "Red Flags."
While credit unions have been subject to the rule since 2008, objections from doctors, lawyers, accountants, small business owners and other industries under the FTC's jurisdiction have delayed the commission's enforcement of the rule.
On the surface, credit unions' Red Flags Rule obligations have not changed with this new law. However, the final implementation of the rule by the FTC should have an indirect effect on credit unions.
From a fraud-fighting perspective, it is good news for credit unions that non-financial institutions like wireless companies, utilities and auto dealers will be held accountable for how they protect consumers' personal data and defend against identity theft.
Identity theft knows no boundaries. Fraudsters steal personal information from the most easily available source, and then use the information to attack all manner of financial targets. Increasing protections for these industries will hopefully lighten the burden for credit union fraud detection teams.
Additionally, the new law removes any lingering doubt about regulatory enforcement of the rule. We now know the full scope of Congressional activity on Red Flags. For the foreseeable future, we will have a law in place that requires creditors across multiple industries to have accountability for the identity theft that occurs on their watch. Moreover, credit unions will need to keep tabs on the fraud prevention efforts in these other industries as regulators will look broadly for changing standards of care.
Perhaps of greatest interest, the publicity about the rule gives credit unions an opportunity to revisit their Red Flags Rule compliance strategy. Here are some operational issues that credit unions should look out for:
1. Check the volume of Red Flags triggered by your compliance program. A recent study by ID Analytics found that:
a. 14% of a Fortune 500 creditor's applications triggered an invalid address flag;
b. 10% had phone number mismatches with their ZIP Code; and
c. 5% triggered flags associated with high-volume application activity.
If your institution is experiencing a high volume of flags, you should look for automated ways to resolve them. Otherwise, handling the flags will likely spur increased backlogs in account openings, higher personnel costs and unwanted friction with members.
2. Ensure your external data sources effectively resolve flags. Consider the requirement to resolve mismatches between addresses on credit applications and those on credit reports. An ID Analytics study of three leading data providers found that only 14 percent of the validated addresses were consistent across all three vendors. In essence, calling out to external data can in some cases lead to more confusion.
3. Finally, the Red Flags Rule requires creditors' compliance programs to keep pace with evolving fraud risks. Review and adjust your program on a regular basis to ensure it is up to date.
Thomas Oscherwitz is vice president of government affairs and chief privacy officer at San Diego-based ID Analytics Inc., a leader in consumer risk management. He is also a former U.S. Senate legislative expert on ID fraud.