Federal Agencies Issue 'Red Flags' ID Theft Rule
Several federal agencies published a final rule Nov. 9 directing all financial institutions and creditors that hold consumer account, or any other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program by Nov. 1, 2008. The rule covers both new and existing accounts. The FDIC, FTC, Federal Reserve, and Treasury are involved.
They call it an identity theft "red flags" rule; it will implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. The President's Identity Theft Task Force has reported that ID theft costs individuals and businesses billions of dollars in losses each year. and there have been numerous high-profile cases that illustrate the danger.
The theft prevention programs must include reasonable policies and procedures for detecting, preventing, and mitigating ID theft and must allow the institution to identify patterns, practices, and specific forms of activity that are "red flags" signaling possible ID theft; detect red flags that have been incorporated into the program; and ensure the program is updated periodically to reflect changes in risks.
In comments submitted before the final rule was issued, consumer groups said the proposed rule gave institutions too much discretion to decide which accounts and red flags to include in their programs and how they would respond to them. Some small financial institutions said they wanted clearer, more structured guidance describing exactly how to develop and implement a program. Most, however, said they are already doing most of what the rule requires. The agencies responded by offering more guidance and by specifying which type of accounts are covered: (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from ID theft.