The Red Flag provisions of the Fair and Accurate Credit Transactions Act take effect on Nov. 1, 2008. Although the final regulations were issued Oct. 31, 2007, and regulators have issued initial guidance, there is still some confusion as to how credit unions can rapidly deploy an effective Red Flag rules program. The good news is that many credit unions already have the processes and technology systems in place that can be leveraged in developing their Red Flag rules program. However, a dedicated effort needs to be employed to ensure appropriate compliance with the new requirements.
Red Flag provisions are intended to help consumers fight the growing crime of identity theft. If a Red Flag is detected, it doesn't necessarily mean that identity theft has occurred; it means that the credit union should investigate the warning and document an appropriate response.
The Red Flag rules are in three regulations, including requirements for an identity-theft prevention program, address discrepancy requirements and requirements for card issuers. Each credit union that holds any member account or other account for which there is a reasonably foreseeable risk of identity theft is required to develop and implement an identity-theft prevention program. The program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft.
Recommended For You
In addition to identity-theft prevention, the credit union is required to investigate address discrepancies. For institutions accessing consumer reports, they must implement reasonable policies and procedures to investigate notice of address discrepancy from a consumer reporting agency. Credit unions are also required to identify a substantial difference between the address provided by the member and that reported in the agency's file for the consumer. In regards to card issuers, requests for change of address must be verified prior to issuing an additional or replacement card.
The single most important aspect of any credit union's effort to create and implement a Red Flag program should be defining the program itself. The basic requirement mandated to the regulations is that there is a documented program approved by the board of directors. A key factor in constructing a successful written identity-theft control program depends on making sure the credit union's key business units–deposits, loans, new accounts, IT, anti-money laundering and anti-fraud–are represented. Input from this cross-functional team will help facilitate a complete risk assessment of the covered accounts to determine relevant Red Flags.
To meet these regulatory requirements, technology can help facilitate a rapid program deployment including program design, program documentation, member identification, ongoing assessment, account monitoring and reporting.
Many credit unions are leveraging automation to detect the identified relevant Red Flags. In addition to providing real-time data validation against current data sets, automated solutions reinforce internal policies and procedures consistently throughout operations. Many credit unions have already implemented technology to facilitate identity verification and authentication for Bank Secrecy Act and anti-money laundering requirements. Existing customer identification programs and customer due diligence controls provide many of the required validations for new and existing members. Through the use comprehensive CIP software solutions, existing BSA/AML tests can be easily leveraged to meet Red Flag requirements for detection, investigation and reporting simultaneously.
In addition to identity-theft Red Flag detection, ongoing monitoring of accounts and employee activity can be facilitated through automated solutions. These systems can monitor all account and employee activity in real-time and provide automated alerts on identity-theft activities such as account beneficiary, address or name changes that may be of a suspicious nature. There are often common patterns of this kind of activity that our behavioral monitoring can detect which is often difficult to differentiate between normal business activities.
Finally, to help with sifting through the volumes of data and alerts to help differentiate between false positives and real identity theft, a case management services platform can greatly enhance the tracking and management of identity-theft cases while facilitating productivity and workflow. An automated case management system can facilitate such case needs, facilitating the data collection of Red Flag detection from the CIP and anti-fraud systems while keeping case information organized and up-to-date and providing an enterprise view of fraudulent activity.
Heather Czermak is senior product manager for automated compliance
at Wolters Kluwer Financial Services. She can be reached at
781-663-5355or [email protected]
© Touchpoint Markets, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more inforrmation visit Asset & Logo Licensing.
