The Federal Trade Commission (FTC) recently issued a reminder to financial companies of the upcoming November 1st 2008 deadline to be in compliance with the identity theft prevention program, and the pursuant FTC “Red Flag Rules.” If this is news to you, then you probably aren’t alone; but you should make yourself aware as your company might be subject to this regulation.
Although this pending regulation is widely known within the banking industry, organizations outside of the financial industry might be caught unawares that they too could be subject to penalties if they are found to be out of compliance. Financial Institutions and “Creditors” are subject to the Red Flag regulation but what companies might overlook is the definition as to what constitutes a creditor. Companies need to ascertain if they are fall under this classification since, if they need, they need to comply with the FTC regulation. The FTC defines a “Creditor” as the following:
- You are a creditor as defined by the FTC;
- If you are subject to FCRA (Fair Credit Reporting Act);
- Provide covered accounts i.e. allowing multiple payments or transactions.
If you are unsure whether you fall into the area of compliance it would be wise to seek legal help to ensure you aren’t leaving yourself open to liability. Although there are no active plans to audit organizations, a negative event could trigger an investigation of your company. Any negative event such as a data breach, or even a whistle blower, could open your company up to monetary penalties and civil litigation. There are three area of concern when discussing penalties:
- Federal Trade Commission. The FTC is authorized to bring enforcement actions in federal court for violations, and could enact penalties of up to $2500 for each independent violation of the rule.
- State Enforcement. States are authorized to bring actions on behalf of their residents and may recover up to $1000 for each violation, and may recover attorney’s fees.
- Civil Liability. This area is where companies stand to lose the most. Not only will companies suffer untold damage to their reputation and subsequent customer churn, but each consumer may be entitled to recover actual damages sustained from a violation. There is the possibility of class action law suits potentially resulting in massive damages.
So, what are the Red Flag Rules trying to protect and how does it affect compliance and IT? Basically the Red Flags are relevant indicators of a possible risk to identity theft. Federal regulators have described various patterns, practices, and specific forms of activity that are possible precursors to identity theft. They have then outlined broad categories and specific incidents which must be complied with by both financial institutions and creditors.
To comply with the Red Flag Rules, financial institutions and creditors must implement a program to identify, detect and respond to the indicators of identity theft. The designed program must be approved by the organization’s board of directors or appointed committee, and it must be updated and monitored according to changes in risk. This mandates a covered company should enact a program that detects, prevents, and mitigates identity theft and should include reasonable policies and procedures, assign specific oversight, train staff, and audit compliance to accomplish the following:
- Identify Red Flags. Some Red Flags indicators are: Types of covered accounts offered; Methods to open covered accounts; Methods to access open accounts; and, previous experiences with identity theft.
- Detect Red Flags. This includes how to authenticate customers, monitor customer transactions and verify validity of change-of-address requests.
- Respond to Red Flags. You must take appropriate responses that prevent and mitigate identity theft.
- Ensure the program is updated. You must update your program accordingly to reflect changes to risks to your customers.
As companies have automated processes and brought services to the Internet this has made it a certainty that IT will play a large role in compliance with the Red Flag rules. -Possible areas of concern for IT are:
- Data Flow Analysis. Understanding how data flows within and throughout your organization by doing a gap analysis to understand the risks to companies IT systems and then mitigating those risks as they pertain to the Red Flag Rules.
- Identity Verification. Verifying a persons I.D. will entail going beyond current single step password authentication in favor of a knowledge-based authentication method as well as detecting suspicious authentication activity on customer accounts.
- Multiple authentication requests coming from the same IP address. Understanding and monitoring fraud precursors such as this. While burdensome, is necessary to detect fraud.
- Transaction monitoring. Ensuring transactions are valid and information is not being exposed to unauthorized persons.
- Phishing prevention. Phishing is an increasingly popular and unfortunately successful way of gaining personally identifiable information for customer account access. It is necessary to understand what constitutes phishing and then take the steps necessary to mitigate the risk of this type of activity.
Providing a way to track and respond to risk factors as it pertains to IT systems is a complicated issue, but one that could have a large impact on an organization if a negative event starts an investigation or the FTC audits your organization. With automated systems and electronic data, IT will play a central role in ensuring the steps necessary for compliance with the FTC Red Flag Rules. But, like all regulation it can be burdensome to an already stretched IT team and budget. Failure to take appropriate steps to protect customers from identity theft can have far reaching impact to an organization in the form of customer churn and damaged reputation, not to mention the unlimited civil possibilities from customer law suits. The reminder from the FTC is a warning that time is running out and IT has its work cut out for them, but securing customer data is paramount to company success and customer confidence.