ID Theft Red Flags Rule: Agencies Release FAQs

New Document Tackles Scope, Definitions and Other Common Issues Found During Red Flags Exams
The federal banking regulators and the Federal Trade Commission today issued a set of frequently asked questions (FAQs) to help financial institutions and other businesses comply with the ID Theft Red Flags Rule.

The Red Flags and Address Discrepancy Rules, part of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), issued in November 2007, apply to all financial institutions regulated by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC).

The rules require financial institutions and creditors to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancy.

Regulators started examining institutions for Red Flags compliance last Nov. 1, and the FAQs represent common questions and issues examiners have encountered.

The agencies' staff developed the answers to the FAQs to help give insight on various aspects of the rules, including which types of entities and accounts are covered; establishment and administration of an Identity Theft Prevention Program; address validation requirements applicable to card issuers; and the obligations of users of consumer reports upon receiving a notice of address discrepancy.

The FAQs are divided into four parts:

  • The ID Theft Red Flags scope: Eight questions cover record retention, the relationship between information security standards and the Red Flags rules, and which entities are required to comply.
  • The definitions of "covered account" and "service provider": Eleven questions illustrate the terms covered account and service provider, address pre-paid card products, and cover other types of services that are covered accounts, such as certificates of deposit, IRAs, trust accounts, and indirect lending such as when an institution buys a consumer loan.
  • Types of notices of address discrepancy that trigger the rule: The questions in this section cover which address discrepancy notices are applicable to the rule, and also cover resellers and consumer reports users and how the rule applies to them.
  • Furnishing a confirmed address to a consumer reporting agency: The three questions in this section establish what information must be submitted to consumer reporting agencies and the policies and procedures that businesses need to have in place to do so. The final question addresses delinquent account reporting and notices of address discrepancy.

FTC's Betsy Broder says the FAQs are considered a "living document" and will be added to as needed when other questions come up regarding the regulations. Broder is the assistant director of the Division of Privacy and ID Protection at the FTC. She adds that the FTC will be issuing shortly a separate set of FAQs to address questions asked by those entities overseen by the FTC. The FTC recently moved back the enforcement date to August 1 to give companies more time to meet the rule's compliance requirements.


About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



