Under a new Federal regulation, by November 1, 2008, banks, credit unions, mortgage lenders, auto dealers, credit card lenders, payday lenders, landlords, utility companies, phone companies, and any business that extends credit, must perform a risk assessment to identify "red flag" weaknesses in their systems and procedures that could lead to identity theft. The companies should then take steps to develop a written Identity Theft Prevention Program. Failure to comply can lead to civil penalties for each violation, cease and desist orders, private lawsuits, negative publicity, and loss of business.
The Federal Trade Commission (FTC) and the federal financial institution regulatory agencies have issued final rules on identity theft red flags and notices of address discrepancies in response to the growing problem of identity theft and to meet the requirements of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
Two million businesses could be affected by the new rule, according to ComplianceCoach, a provider of automated regulatory compliance solutions to the financial services industry. ComplianceCoach has launched a wizard-based tool, CompliancePal, which is designed to help small and medium-sized businesses comply with the new requirements.
The FTC's press release says that the new rules require financial institutions and creditors to refer to the agencies' guidelines and "red flags" when developing their program. Specifically, the business should:
CompliancePal, which costs $295 to $995 depending on the size of the business, will produce:
Identity theft risk assessment
Mapping of red flags to appropriate detection and response procedures
Written Identity Theft Prevention Program
Compliance Status Report
You can view a demo of the product.
Examples of the 26 Red Flags listed in the Supplement to the Red Flags Rules and Guidelines published on the FTC's Web site include:
Alerts, Notifications or Warnings from a Consumer Reporting Agency, such as a notice of a credit freeze, a notice of address discrepancy, or a pattern of activity that is inconsistent with the history and usual pattern of activity on the account.
Suspicious Documents, which might include documents that appear to have been forged, or a photograph that is not consistent with the appearance of the applicant.
Suspicious Personal Identifying Information, which might include personal identifying information that is not consistent with other information already on file, such as date of birth or Social Security number.
Unusual Use of, or Suspicious Activity Related to, the Covered Account; for example, "shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account."
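The red flags above are detection patterns, and the last one in particular is a simple sequence rule over account events. The following is an added example (not code from the article, the FTC, or ComplianceCoach) showing how three of them could be checked automatically: the address-change-then-card-request pattern within a configurable window, consumer reporting agency alerts such as a credit freeze or address discrepancy, and identifying information on an application that disagrees with what is already on file. The event record format and the sample events are constructed for the illustration and are not any real system's log format.

```python
"""Toy red-flag checks over constructed account events (illustration only)."""
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format: account id, event type,
# ISO-8601 timestamp, optional detail. Not taken from any real system.
SAMPLE_EVENTS = [
    {"account": "A-100", "type": "address_change", "ts": "2008-10-01T09:00:00"},
    {"account": "A-100", "type": "card_request", "ts": "2008-10-04T14:30:00",
     "detail": "replacement card"},
    {"account": "A-200", "type": "address_change", "ts": "2008-06-01T10:00:00"},
    {"account": "A-200", "type": "card_request", "ts": "2008-10-05T11:00:00",
     "detail": "additional card"},
    {"account": "A-300", "type": "cra_notice", "ts": "2008-10-02T08:00:00",
     "detail": "address_discrepancy"},
    # Authorized user added BEFORE the address change: order matters, not flagged.
    {"account": "A-400", "type": "add_authorized_user", "ts": "2008-10-06T16:00:00"},
    {"account": "A-400", "type": "address_change", "ts": "2008-10-07T09:15:00"},
]

# Requests that are suspicious when they closely follow an address change.
POST_ADDRESS_CHANGE_REQUESTS = {"card_request", "add_authorized_user"}
# Consumer reporting agency notices treated as alerts (hypothetical labels).
CRA_ALERT_DETAILS = {"credit_freeze", "address_discrepancy", "fraud_alert"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def address_change_then_request(events, window_days=30):
    """Flag a card request or added authorized user that arrives within
    window_days after the most recent address change on the same account.
    Returns a list of (account, event type, timestamp) tuples."""
    by_account = {}
    for event in events:
        by_account.setdefault(event["account"], []).append(event)
    window = timedelta(days=window_days)
    flagged = []
    for account, account_events in by_account.items():
        last_change = None
        for event in sorted(account_events, key=lambda e: parse_ts(e["ts"])):
            if event["type"] == "address_change":
                last_change = parse_ts(event["ts"])
            elif (event["type"] in POST_ADDRESS_CHANGE_REQUESTS
                  and last_change is not None
                  and parse_ts(event["ts"]) - last_change <= window):
                flagged.append((account, event["type"], event["ts"]))
    return flagged


def cra_alerts(events):
    """Flag consumer reporting agency notices that are themselves red flags.
    Returns a list of (account, notice detail) tuples."""
    return [(e["account"], e.get("detail")) for e in events
            if e["type"] == "cra_notice" and e.get("detail") in CRA_ALERT_DETAILS]


def inconsistent_identifying_info(application, on_file, fields=("ssn", "dob")):
    """Return the identifying fields on an application that disagree with the
    record already on file (only fields present in both records are compared)."""
    return [f for f in fields
            if f in application and f in on_file and application[f] != on_file[f]]


if __name__ == "__main__":
    for flag in address_change_then_request(SAMPLE_EVENTS):
        print("address change followed by request:", flag)
    for flag in cra_alerts(SAMPLE_EVENTS):
        print("consumer reporting agency alert:", flag)
    print("mismatched fields:", inconsistent_identifying_info(
        {"ssn": "123-45-6789", "dob": "1970-01-01"},
        {"ssn": "123-45-6789", "dob": "1975-05-05"}))
```

The window length is the judgment call a real program would have to document: with the default 30 days only account A-100 is flagged, while a 200-day window also catches A-200, whose card request came four months after the address change. Flagging is only the detection half of the rule; each hit still needs a documented response procedure (for example, verifying the change of address with the customer at the old address before fulfilling the request).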