Anna DeSimone - The Red Flag Rules are implemented under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) Sections 114 & 315. The final rule became effective January 1, 2008 and full compliance of the rules became effective November 1, 2008. Enforcement of rules were previously delayed until May 1, 2009 , and have just been delayed for a second time, to give creditors and financial institutions and somewhat of a breather, since mortgage lenders have been busy originating loans.

The rules apply to creditors and financial institutions that deal in covered accounts which may be vulnerable to identity theft. Creditors and financial institutions with covered accounts must have an identity theft prevention program to identify and respond to patterns, practices or specific activities that could indicate identity theft.

Financial institutions include: banks, thrifts, credit unions, or entities that hold a "transaction account" where a consumer can make payments, drafts or transfers. Examples are:

• Checking Accounts
• Savings Accounts
• Brokerage Accounts allowing consumers to write checks

Creditors include: a business or organization that regularly extends, renews or continues credit; arranges for another entity to extend/renew/continue credit; or is the assignee of a creditor who extends/renews/continues credit. Examples are:

• Finance Companies
• Utility Companies
• Mortgage Brokers
• Mortgage Companies
• Automobile Dealers
• Telecommunications Companies

Covered Accounts include credit cards, checking/savings accounts, car loans, mortgage loans, cell phone, utility and margin accounts. Other covered accounts include small business or sole proprietorship accounts that may have risks associated with account opening or access.

Identity Theft Program

The regulation requires that every business have a written plan that serves to detect, prevent and mitigate identity theft. The plan must reflect the size, structure and business model of the institution and updated periodically. The plan must be approved by the company's board of directors or senior executive committee who shall direct a designated senior management employee to oversee the program. The designated person must implement the program, train staff, oversee audits, complete annual reports and monitor compliance to all persons who have access to covered accounts, which include both new and existing borrowers.

The plan must outline a thorough and pro-active system that covers the following topics, as applicable to the creditor:

• Executive Policy Statement
• Organizational Structure & Areas of Accountability
• Plan Overview & Definitions
• Information Security  & Spyware Control
• Phishing & Re-pollution Procedures
• Internal Fraud Procedures
• External Procedures & Vendor Approval Process
• Risk Monitoring Schedule
• Risk Assessment Procedures
• Red Flag Categories & List of Red Flags
• Customer Identity Verification Process
• Address Discrepancy Procedures
• Change of Address Procedures
• Active Duty Alert Procedures
• Red Flag Detection tools & steps
• Red Flag Response
• Red Flag Mitigation
• Fraud & Investigation Procedures
• Customer Fraud Hotline
• Customer Theft Forms & Procedures
• Resources (FTC, Equifax, TransUnion & Experian)
• Reporting to Authorities
• Staff Training
• Document Retention
• Quality Control & Audit Policy

The overall compliance program should address day-to-day operations and internal workflow on an interdepartmental level as well as external branches & operations centers. The program must address 3rd party originators, loan correspondents, closing agents and other service providers.

Red flags apply to covered accounts that include new or existing customer information accessed by the creditor or accessed by 3rd parties and are identified on various sources:

• Documents furnished by the consumer
• Documents furnished by transaction parties
• Documents furnished by employers or other income source
• Notices received from outside persons or entities in connection to the account being serviced

Red flags are often discovered by cross-checking telephone directories, public or internet sources. Red Flags are generally identified as follows on consumer reports:

• Alerts, notifications or warnings on the credit report
• Alerts noted on an SSN validation check
• Alerts noted on a Factual ID or Fraud-Check

Ordering vendor reports, such as SSN checks or Factual ID are not mandatory, but help support red flag detection. Vendor reports can help a lender save time and also resolve "false positives" by clearing unwarranted discrepancies. If a vendor report indicates any type of alert or variance, the lender must respond to that alert. There are risk assessment and red flag detection tools that enable the lender to enter comments and other mitigation steps. An interactive, automated system is very effective since it allows the detection, investigation and outcome to be combined in one report. The lender's LOS system can have a built-in audit trail that substantiates red flag compliance.

The Federal Trade Commission has identified "26 Red Flags" to be used as a guide for drafting an internal policy. The FTC list is not be used as a "checklist" and companies must list sources and examples that are specific to their business model.

• A fraud alert was indicated in the consumer report
• Notice of a credit freeze in a consumer report
• A consumer reporting agency provided notice of address discrepancy
• Unusual credit activity, such as an increased # of accounts or inquiries
• Documents provided for identification appear altered or forged
• Photograph on ID inconsistent with appearance of customer
• Information on ID inconsistent with information provided by customer
• Information on ID, such as signature, inconsistent with information on file at financial institution
• Application appearing forged, altered or destroyed and reassembled
• Information on ID does not match any address in the consumer report, SSN has not been issued or appears on the SSN Administration's Death Master File
• Lack of correlation between SS number range and date of birth
• Personal identifying information associated with known fraud activity
• Suspicious addresses supplied, such as a mail drop, prison, phone numbers associated with pagers or answering service
• SS number provided matches info submitted by another customer
• Address or phone number matches other applicants
• Customer unable to supply identifying information in response to notification that the application is incomplete
• Personal information inconsistent with information already on file at financial institution or creditor
• Person opening account or customer unable to correctly answer challenge questions
• Shortly after change of address, creditor receives request for additional users of account
• Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment
• Drastic change in payment patterns, use of available credit or spending patterns
• An account that has been inactive for a lengthy time suddenly exhibits unusual activity
• Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account
• Financial institution or creditor notified that customer is not receiving paper account statements
• Financial institution or creditor notified of unauthorized charges or transactions on customer's account
• Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft

Address Discrepancies

A notice of address discrepancy is a notice that is sent to Mortgage lenders from a consumer reporting agency that informs the company of a substantial difference between the address of a consumer that the company provided to request the consumer report and the address(es) in the agency's file for the consumer. Upon receipt of such notice, it is the responsibility of the lender to a) compare the information in the consumer report provided by the consumer reporting agency and b) verify the information in the consumer report provided by the consumer reporting agency directly with the consumer.

In addition, lenders are required to furnish an address for the consumer that the company has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy. Reasonable confirmation is when the lender can form a reasonable belief that the consumer report relates to the consumer about whom the company requested the report; has establishes a continuing relationship with the consumer, or regularly furnishes information to that consumer reporting agency.

Response and Mitigation

Whenever a Red Flag is detected, the institution must assess the level of risk and evaluate the exposure to identity theft to the lender and/or consumer. Examples of responses are:

• Ask borrower to submit a written explanation
• Ask borrower to submit supporting documentation to clear the discrepancy
• Request borrower's employer to furnish supplementary payroll records.

Lenders should complete an internal "red flag checklist" or use another procedure to document the detection, investigation, and outcome or response. The checklist can be placed in borrower's folder or stored with borrower's other information in database. Copies should be provided to the compliance officer.