FACT Act: Red Flag ID Theft Prevention Program

Source:  Joint Final Rules issued by the federal banking regulators (OCC, Federal Reserve Board, FDIC, OTS, NCUA and FTC), as required under ß114 of the Fair and Accurate Credit Transactions (FACT) Act, in the Federal Register (Vol. 72, No. 217) published on November 9, 2007

Effective Date:  Effective January 1, 2008, with mandatory compliance by November 1, 2008

A financial institution or creditor must develop and implement a written Identity Theft Prevention Program (hereafter ďProgramĒ) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of an account or the maintenance of an existing account. The Program must be appropriate to the size and complexity of the institution and the scope of its activities. The program must be approved by the institutionís board of directors or a committee of the board.

Definitions
Account Ė A continuing relationship established with a financial institution or creditor (hereafter ďinstitutionĒ) by a person to obtain a product or service for personal, family, household, or business purposes. An account includes an extension of credit, deposit account, or any other account that the institution offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the institution from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Creditor Ė Includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, telecommunication companies, and third-party debt collectors.

Customer Ė A person who has an account with an institution.

Financial institution Ė A state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that directly or indirectly holds a transaction account belonging to a consumer.

Identity theft Ė A fraud committed or attempted using the identifying information of another person without authority, such as the personís name; SSN; date of birth; driver's license or identification number; alien registration number; government passport number; employer or taxpayer identification number; unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; unique electronic identification number, address, or routing code; or telecommunication identifying information or access device.

Red Flag Ė A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Service provider Ė A person that provides a service directly to the institution.

Program Elements
The Program must include reasonable policies and procedures for all of the following:

  • Identify relevant Red Flags for accounts the institution offers or maintains and incorporate those Red Flags into the Program.
  • Detect Red Flags that have been incorporated into the Program.
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
  • Ensure the Program, including relevant Red Flags, is updated periodically to reflect changes in risks from identity theft to customers as well as to the safety and soundness of the institution.

In designing the Program, an institution may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks from identity theft to customers and the institution. Additionally, institutions should be mindful of current requirements under existing laws in developing the Program, such as filing a Suspicious Activity Report, confirming a request for credit after being notified by a credit bureau of a fraud or military alert, correcting or updating inaccurate or incomplete information on a customerís credit report, not reporting information to a credit bureau that the institution has reason to believe is inaccurate, and not selling, transferring or placing debts for collection that are a result of identity theft.

Program Administration, Oversight & Reporting
The institution must continually administer the Program by:

  • Obtaining approval of the initial written Program from either its board of directors or an appropriate committee of the board.
  • Involving the board of directors, an appropriate committee of the board, or a designated senior management member in the oversight, development, implementation, and administration of the Program.
  • Training staff, as necessary, to effectively implement the Program.
  • Exercising appropriate and effective oversight of service provider arrangements.

Oversight by the board of directors, an appropriate committee of the board, or a designated senior management member should include (1) assigning specific responsibility for the Programís implementation, (2) reviewing reports prepared by staff to ensure compliance with these regulations, and (3) approving material changes to the Program, as necessary, to address changing identity theft risks.

The institutionís staff responsible for development, implementation, and administration of the Program should report on the institutionís compliance with these regulations at least annually to the board of directors, an appropriate committee of the board, or the designated senior management member. The report should address material matters related to the Program and evaluate issues such as (1) the effectiveness of the institutionís policies and procedures in addressing the risk of identity theft in connection with the opening of accounts and maintenance of existing accounts, (2) service provider arrangements, (3) significant incidents involving identity theft and managementís response, and (4) recommendations for material changes to the Program.

Service Provider Oversight
Whenever an institution engages a service provider to perform an activity in connection with accounts, the institution should take steps to ensure that the service providerís activity is conducted with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, an institution could contractually require the service provider to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service providerís activities and either report the Red Flags to the institution or to take appropriate steps to prevent or mitigate identity theft.

Identifying Relevant Red Flags
In developing the Program, an institution should consider the following factors in identifying relevant Red Flags, as appropriate: the types of accounts it offers or maintains, the methods it provides to open accounts, the methods it provides to access accounts, and its previous experiences with identity theft.

Institutions should incorporate relevant Red Flags from sources such as incidents of identity theft the institution has experienced, methods of identity theft the institution has identified that reflect changes in identity theft risks, and applicable supervisory guidance by a regulating agency.

The Program should include relevant Red Flags from the following categories, as appropriate:

  • Alerts, notifications, or other warnings received from credit bureaus or service providers, such as fraud detection services

    Examples include (1) a fraud or active duty alert included with a credit report, (2) a credit bureau providing a credit freeze notice in response to a request for a credit report, (3) a credit bureau providing an address discrepancy notice, or (4) a credit bureau indicating a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as a recent and significant increase in the volume of inquiries, an unusual number of recently established credit relationships, a material change in the use of credit (especially with respect to recently established credit relationships), or an account that was closed for cause or identified for abuse of account privileges by an institution.


  • The presentation of suspicious documents

    Examples include (1) documents provided for identification appear to have been altered or forged, (2) the photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification, (3) other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification, (4) other information on the identification is not consistent with readily accessible information that is on file with the institution, such as a signature card or a recent check, and (5) an application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.


  • The presentation of suspicious personal identifying information

    Examples include (1) a suspicious address change, (2) personal identifying information provided is inconsistent when compared against external information sources used by the institution, such as the address does not match any address in the credit report or the SSN has not been issued or is listed on the Social Security Administrationís Death Master File, (3) personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer, such as a lack of correlation between the SSN range and date of birth, (4) personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the institution, such as the address or phone number on an application is the same as the address or phone number provided on a fraudulent application, (5) personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the institution, such as the address on an application is fictitious, a mail drop, or a prison, or the phone number is invalid or is associated with a pager or answering service, (6) the SSN provided is the same as that submitted by other persons opening an account or other customers, (7) the address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers, (8) the person opening the account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete, (9) personal identifying information provided is not consistent with personal identifying information that is on file with the institution, (10) for institutions that use challenge questions, the person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or credit report.


  • The unusual use of, or other suspicious activity related to, an account

    Examples include (1) shortly following the notice of a change of address for an account, the institution receives a request for the addition of authorized users on the account, (2) a new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns, such as the customer fails to make the first payment or makes an initial payment but no subsequent payments, (3) an account is used in a manner that is not consistent with established patterns of activity on the account, such as nonpayment when there is no history of late or missed payments or a material increase in the use of available credit, (4) an account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage, and other relevant factors), (5) mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customerís account, (6) the institution is notified that the customer is not receiving paper account statements, or (7) the institution is notified of unauthorized charges or transactions in connection with a customerís account.


  • Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with accounts held by the institution

    For example, the institution is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Detecting Red Flags
The Programís policies and procedures should address the detection of Red Flags in connection with the opening of accounts and maintenance of existing accounts. For example, detection may occur through obtaining identifying information and verifying the identity of a person opening an account by using the policies and procedures regarding identification and verification in the Customer Identification Program (CIP) rules under the USA PATRIOT Act. Also, detection may occur through authenticating customers, monitoring transactions, and verifying the validity of change of address requests in the case of existing accounts.

Responding to Red Flags to Prevent and Mitigate Identity Theft
The Programís policies and procedures should provide for appropriate responses to the Red Flags the institution has detected that are relevant to the degree of risk posed. In determining an appropriate response, an institution should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customerís account records, receiving notice that a customer has provided information related to an account held by the institution to someone fraudulently claiming to represent the institution, or receiving notice that a customer has provided information related to an account held by the institution to a fraudulent website.

Appropriate responses by the institution may include (1) monitoring an account for evidence of identity theft, (2) contacting the customer, (3) changing any passwords, security codes, or other security devices that permit access to an account, (4) reopening an account with a new account number, (5) not opening a new account, (6) closing an existing account, (7) not attempting to collect on an account or not selling an account to a debt collector, (8) notifying law enforcement, or (9) determining that no response is warranted under the particular circumstances.

Updating the Program
Institutions should periodically update the Program, including the Red Flags determined to be relevant, to reflect changes in risks from identity theft to customers or to the safety and soundness of the institution. Updates to the Program should be based on factors such as (1) the experiences of the institution with identity theft, (2) changes in methods of identity theft, (3) changes in methods to detect, prevent, and mitigate identity theft, (4) changes in the types of accounts that the institution offers or maintains, and (5) changes in the business arrangements of the institution, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

Requirements to have a written identity theft prevention program in place to identify, mitigate, and respond to identity theft did not previously exist.

Notice to persons not employed by Nelnet and entities not owned or controlled by Nelnet:  The information set forth herein represents Nelnetís interpretation of changes to certain federal and/or state statutes, regulations, and/or guidance. This document is provided for informational purposes and is not intended as legal or other advice of any kind and may not be relied upon as such. Nelnetís interpretations are not necessarily appropriate or applicable to the readerís needs. As such, readers of this information should not rely upon the information contained herein and are encouraged to consult with their legal counsel and the appropriate regulatory authorities with respect to the information contained in this document. All information prepared by Nelnet is subject to copyright protection. © 2007, Nelnet, Inc. and affiliates.