Detecting Red Flags
At which stage of the application process does the Rule apply? The Rule would apply whenever you detect a Red Flag in connection with an application. This could occur as soon as you receive an application, for example, if the application appears to have been altered or forged or the consumer’s identification appears to be forged or is inconsistent with the information on the application.
Is an SSN check a requirement? No, but an invalid SSN may be a Red Flag — i.e., an indicator of possible identity theft — and obtaining and verifying an SSN may be a reasonable means of detecting this Red Flag when opening an account. You may be able to utilize your existing procedures under your Customer Identification Program (CIP) under the USA PATRIOTAct.
How are the Red Flags presented on the actual credit report? The credit reporting agencies will not identify Red Flags as such on a credit report. However, there may be certain information on a credit report that you have determined to be an indicator of possible identity theft and have incorporated into your Program, such as a consumer fraud alert or a notice of address discrepancy. In addition, the Guidelines specify that a credit report indicating a pattern of inconsistent or unusual recent activity might be a Red Flag.
We have stopped taking phone applications and are using the out-of-wallet questions for Internet credit applications. Are we going overboard? The Rule does not preclude phone applications or otherwise limit the manner in which you may accept applications for covered accounts. However, different methods to open covered accounts present different identity theft risks, and you must consider those differing risks in identifying the relevant Red Flags for each type of covered account that you provide.
Responding to Red Flags
What am I supposed to do when I see a Red Flag? Your Program should include appropriate responses when you detect a Red Flag. You must assess whether the Red Flag evidences a risk of identity theft, and your response must be commensurate with the degree of risk posed. Depending on the level of risk, an appropriate response may include, for example, contacting your applicant, not opening a new account or even determining that no response is necessary.