


September 08, 2008 • Issue 08:09:01
No wiggle room with Red Flag Rule
The Nov. 1, 2008, deadline to comply with the FACTA (Fair and Accurate Credit Transactions Act of 2003) Identity Theft Red Flags Rule is looming. In light of that deadline, the Office of Thrift Supervision (OTS) unveiled new examination procedures Aug. 11, 2008, to determine deficiencies in financial organizations' ability to comply with FACTA's 37 red flags.
Additionally, OTS issued two prescriptive guidelines regarding address changes and discrepancies. Many financial institutions, therefore, are realizing they need to expedite implementation of the necessary policies and procedures.
Countdown for covered accounts
"The red flags apply to anyone that has a covered account," said Adam Elliott, President of ID Insight Inc. "This can be banks, issuers, insurance, retailers that offer credit or even 'bill me' pay options. In essence, anyone that grants credit. From a value chain perspective, this brings the processors into the fold."
Accounts covered under FACTA's Red Flag Rule are at possible risk of identity theft because they are credit card accounts, utility or cell phone bills, and medical insurance accounts that may contain Social Security numbers, driver's license numbers and other types of consumer data.
"When something like this [Red Flag Rule compliance] comes up, the first thing the credit granters do is reach out to their processors to see what solutions they have that can help, since the processor is usually the one facilitating their fraud and risk services," Elliott added.
Six degrees of examination
Red flags are relevant indicators of a possible risk of identity theft. Section 114 of FACTA specifically explains rules about how to develop and implement a written ID theft prevention program. Red flag guidelines include 15 assessments related to three principal elements of the rule - address discrepancies, card or check requests within 30 days following address changes, and ID theft and red flag conformity.
In addition to overseeing and enforcing the two prescriptive guidelines, OTS examiners will undertake six procedures to test compliance with the 37 red flag guidelines. These procedures include:
Deadline carved in stone
The OTS requires that boards of directors approve their financial institutions' FACTA compliance programs by Nov. 1. The OTS also mandates that financial institutions implement programs to identify, detect and respond to ID theft indicators.
Elliott said this means all system changes, policies, procedures and training programs must be in place by the Nov. 1, 2008, deadline.
"One thing that came out of this OTS thing that caught our ears is that financial organizations are not making this a high priority. They think they can have a tentative plan in place and are counting on some flexibility until they get their first audit in February 2009," Elliott said. "But based on the OTS exam procedures, they want everything in place by November first, period."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.