Step 2 — Developing and implementing a Program
If your business is a creditor or a “financial institution” (defined as a depository institution) that offers covered accounts, you must develop a Program to detect possible identity theft in the accounts and respond appropriately. The federal banking agencies, the NCUA and the FTC have issued Guidelines to help covered entities identify, detect and respond to indicators of possible identity theft, as well as to administer the Program.
Where can I find a copy of the Guidelines?
Federal Reserve Board — 12 C.F.R. pt 222, App. J
Federal Deposit Insurance Corporation — 12 C.F.R. pt 334, App. J
FTC — 16 C.F.R. pt 681, App. A
NCUA — 12 C.F.R. pt 717, App. J
Office of the Comptroller of the Currency — 12 C.F.R. pt 41, App. J
Office of Thrift Supervision — 12 C.F.R. pt 571, App. J
Identifying “Red Flags”
What is a “Red Flag”? A Red Flag is an indicator of the possible existence of identity theft. For example, a Red Flag might be an invalid Social Security number (SSN) provided by a consumer applying for a loan. Or, in the case of an existing account, a Red Flag may be an unusual pattern of account usage, such as a credit card being used to purchase an unusually large amount of jewelry, electronics and other easily resold goods.
Does the Rule list the Red Flags? The Red Flags Rule provides several examples of Red Flags in four separate categories: (1) alerts and notifications received from credit reporting agencies and third-party service providers, (2) the presentation of suspicious documents or suspicious identifying information, (3) unusual or suspicious account usage patterns and (4) notices from a customer, identity theft victim or law enforcement.
How do I know which Red Flags apply to me? The Red Flags that will apply to you depend on a number of factors, including (1) the types of covered accounts you offer and how those accounts may be opened and accessed and (2) your previous experiences with identity theft. In order to determine the applicable Red Flags, you must consider these factors, as well as various sources and categories of Red Flags identified in the Guidelines.