By November 1, 2008 financial institutions and other creditors must be in full compliance with the Red Flag provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). These provisions require organizations to be able to “identify patterns, practices and specific forms of activity that indicate the possible existence of identity theft,” and to develop and deploy effective prevention programs.
The Red Flag rules went into effect on January 1, 2008 with little comment or debate. Anecdotal evidence suggests that many financial institutions have yet to make any effort at compliance, while many insurance companies are unsure whether, or how, these regulations affect them. Unfortunately, the assumption that these rules are relatively insignificant or easy to comply with is mistaken. This is especially true within the insurance industry, where some insurers seem to believe that the provisions of FACTA do not apply to them.
For the purposes of these regulations, financial institutions are defined as any organization engaged in banking, insurance or similar activities. In fact, depending on how loosely the law is interpreted, the regulations could easily be stretched to cover collections agencies, utilities, telecommunications companies and a variety of other types of organizations. In addition, many of the definitions within the new rules could greatly expand the scope of compliance. Organizations need to understand whether they offer a covered account. A covered account, as defined in this legislation, is any consumer account designed to permit multiple payments or transactions. With insurance companies evolving to offer more and more traditional financial services and investment products, and with the vast amount of personal information that insurance companies store electronically, it is critical that the industry take the Red Flag rules seriously and that companies implement thorough and effective compliance programs.
The Scale of the Problem
Identity theft is defined as any fraud that involves obtaining benefits, especially financial, by pretending to be someone else. With the rise of the digital economy, the problem of identity theft—always a significant criminal justice issue—has become especially acute.
Consider the numbers. In 2007, 32% of complaints received by the Federal Trade Commission (FTC) were related to identity theft. A recent study by the Gartner Group estimated that there were 15 million victims of identity theft in 2006, which works out to roughly 28.5 people victimized every minute. A spring 2006 study conducted by the Identity Theft Resource Center (IDTRC) found that victims spend 330 hours on average recovering from an instance of identity theft. Identity theft does not just victimize consumers, however. The same IDTRC study puts the loss to U.S. businesses at $49,254 per victim in 2004. In addition, data breaches have been shown to cost businesses an average of $660,000 per incident, stemming from the costs of notifying customers, legal expenses and so on.
These numbers are significant—totaling up to $56.6 billion in business and consumer losses in 2005 alone. However, as destructive as identity theft can be to a business, the failure to comply with regulations such as the Red Flag rules can be even more disruptive and costly. Taken together, the potential losses coupled with regulatory fines make it imperative that insurers quickly deploy effective, compliant programs.
FACTA and the Red Flag Rules
Adopted in December 2003, FACTA addresses a range of issues related to the use of private data by creditors and the financial services industry. Among other provisions, the act forced credit agencies to allow consumers to obtain a free credit report every twelve months. The act also addressed the problem of identity theft, mandating the secure use of consumer data and establishing the Red Flag rules designed to prevent identity theft.
The Red Flag rules mandate the development of an identity theft prevention program by any “financial institution and creditor that holds any customer account, or other account for which there is a reasonably foreseeable risk of identity theft.” The rules have four principal components:
- Identification of activity that may signal possible identity theft.
- Ongoing detection of red flags that have been identified.
- Ability to respond effectively to red flags to prevent and mitigate theft.
- Periodic review and updating of red flags and procedures to keep pace with emerging threats.
To help organizations in their efforts to comply, the FTC published a list of twenty-six illustrative examples of potential red flags. Beyond this, however, the guidance has been vague, leaving individual companies to determine how best to proceed. This lack of specificity should be a particular point of concern for all organizations: it gives regulators the flexibility to take punitive action against companies that made good-faith efforts to comply but were still victimized. With this in mind, insurers need to be particularly careful, making sure to leave regulators little room to find fault.
What Insurers Need to Know
The first and most important thing every affected organization needs to know is that there is no one-size-fits-all approach to compliance. Every organization will have a slightly different risk profile based on its industry, its past experience and whatever unique business processes it employs. The Red Flag rules are designed to force organizations to deploy measures tailored to their own business; simply importing processes from another firm will not be sufficient.
Conducting an Assessment
The first, and arguably most important, step is to conduct a thorough risk assessment with clear and comprehensive criteria for how different areas of the business are assessed. Among the criteria that should be evaluated are the types of accounts offered by the organization, the methods of opening and accessing such accounts, and the organization’s prior experience with identity theft. An important wrinkle for insurers is that, for the first time, they have to evaluate all of their sales channels. Prior regulations may have excluded indirect agents or other third parties involved in on-boarding customers. The Red Flag rules no longer allow this exemption, so insurers will have to monitor these channels at a minimum.
While the assessment will focus on individual consumer accounts, organizations also need to pay close attention to business accounts. Small businesses or sole proprietors may be covered under the regulations. This is where the criteria become important. Small business accounts should be scoped into an organization’s program if there is “reasonably foreseeable risk” to the customer from identity theft, or risk to the organization. That risk can be financial, operational, compliance, reputational or litigation risk.
In evaluating risks to the organization, it is important to use the list of 26 red flags supplied by the government. The following is a brief sampling of these illustrative examples:
- Is an alert, notification, or warning from a consumer reporting agency attached to the customer record?
- Do the customer's documents appear to be altered or forged?
- Are there obvious inconsistencies between the personal identifying information supplied by the customer and information obtained from external sources?
These red flags and the others supplied by the government are important, but organizations need to remember that they are provided as examples only. Risks can come from a variety of places and in a variety of forms. For instance, one obvious red flag not on the government’s list is an individual who is associated with more than one Social Security number.
The information gained through the assessment should be detailed and well-documented. While the purpose of the assessment is to help craft an effective and compliant set of policies and procedures, it can also serve as an insurance policy. Should an instance of identity theft occur after the November 1 deadline, an organization might be able to protect itself by showing a detailed assessment justifying whatever safeguards were put in place.
The second phase is for each organization to develop the policies it needs, based on the findings of the risk assessment, to protect itself and its customers. These policies must be written, and must be designed to protect against identity theft in both new and existing accounts.
The written policy should contain the following elements:
- A list of relevant red flags (including, but not limited to, those outlined by the government).
- Procedures detailing how the company intends to monitor for these red flags.
- Procedures for how the company will respond when red flags are detected. The approach should be commensurate with the risk. In some cases it may be wise to shut down an account and in others a much milder response—for instance, a phone call to the customer—may be warranted. A key factor that might warrant a more serious response would be whether or not there is any suspicion or indication of a widespread data security breach.
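The sampled red flags above and the graduated response called for in the policy elements can be turned into a screening pass over a batch of account applications. The following is an added example written for this page; it is not code from the original article, from the FTC or from any vendor. The application fields, the external reference lookup (standing in for a consumer report or identity-verification check), the flag names and the response tiers are all assumptions, and every record is constructed. It goes slightly beyond the text by adding a batch-level check in both directions: one identity using several Social Security numbers (the extra red flag mentioned above) and one number used by several identities.

```python
"""Red-flag screening over a batch of account applications (illustrative).

Per-application flags follow the sampled red flags: an alert attached to the
consumer report, and inconsistencies between supplied PII and an external
source. Batch-level flags catch an identity tied to more than one SSN, or one
SSN tied to more than one identity, which only shows up across records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: str
    name: str
    ssn: str
    dob: str
    address: str
    cra_alert: bool = False  # alert/notice attached to the consumer report pulled for this applicant


# Constructed external reference data keyed by SSN. Assumption: this stands in
# for a consumer reporting agency or identity-verification vendor lookup.
EXTERNAL = {
    "111-22-3333": {"name": "Ana Ruiz",   "dob": "1980-04-02", "address": "12 Elm St, Austin TX"},
    "222-33-4444": {"name": "Ben Cole",   "dob": "1975-09-17", "address": "9 Oak Ave, Denver CO"},
    "333-44-5555": {"name": "Carla Diaz", "dob": "1962-11-30", "address": "77 Pine Rd, Tampa FL"},
    "444-55-6666": {"name": "Dev Patel",  "dob": "1990-01-15", "address": "5 Birch Ln, Reno NV"},
}

# Constructed batch: A1 is clean, A2/A3 share an identity across two SSNs,
# A3 also carries a report alert and fails every external field, A4 has a
# stale address, and A5 has no external record at all.
APPLICATIONS = [
    Application("A1", "Ana Ruiz", "111-22-3333", "1980-04-02", "12 Elm St, Austin TX"),
    Application("A2", "Ben Cole", "222-33-4444", "1975-09-17", "9 Oak Ave, Denver CO"),
    Application("A3", "Ben Cole", "333-44-5555", "1975-09-17", "9 Oak Ave, Denver CO", cra_alert=True),
    Application("A4", "Dev Patel", "444-55-6666", "1990-01-15", "300 Main St, Reno NV"),
    Application("A5", "Eve Moss", "555-66-7777", "1988-06-08", "1 Lake Dr, Boise ID"),
]


def _norm(value):
    """Case- and whitespace-insensitive comparison key for free-text fields."""
    return " ".join(value.lower().split())


def per_application_flags(app, external):
    """Red flags visible from a single application plus its external lookup."""
    flags = []
    if app.cra_alert:
        flags.append("cra_alert")
    ref = external.get(app.ssn)
    if ref is None:
        # Assumption: no external record for the SSN is treated as an inconsistency.
        flags.append("external_no_record")
    else:
        for fld in ("name", "dob", "address"):
            if _norm(getattr(app, fld)) != _norm(ref[fld]):
                flags.append("external_mismatch:" + fld)
    return flags


def cross_application_flags(apps):
    """Red flags only visible across the batch, keyed by app_id."""
    ssns_by_identity = defaultdict(set)
    identities_by_ssn = defaultdict(set)
    for a in apps:
        ident = (_norm(a.name), a.dob)
        ssns_by_identity[ident].add(a.ssn)
        identities_by_ssn[a.ssn].add(ident)
    flags = defaultdict(list)
    for a in apps:
        ident = (_norm(a.name), a.dob)
        if len(ssns_by_identity[ident]) > 1:
            flags[a.app_id].append("multiple_ssns_for_identity")
        if len(identities_by_ssn[a.ssn]) > 1:
            flags[a.app_id].append("ssn_shared_by_identities")
    return flags


def choose_response(flags, breach_suspected=False):
    """Response commensurate with risk; a suspected breach escalates everything."""
    if not flags:
        return "proceed"
    if breach_suspected or len(flags) >= 2:
        return "hold_pending_verification"
    return "contact_customer"


def screen(apps, external, breach_suspected=False):
    """Return {app_id: {"flags": [...], "response": ...}} for the whole batch."""
    cross = cross_application_flags(apps)
    results = {}
    for a in apps:
        flags = per_application_flags(a, external) + cross.get(a.app_id, [])
        results[a.app_id] = {"flags": flags, "response": choose_response(flags, breach_suspected)}
    return results


if __name__ == "__main__":
    for app_id, result in screen(APPLICATIONS, EXTERNAL).items():
        print(app_id, result["response"], result["flags"])
```

The thresholds in choose_response are placeholders: the point is that the response tier is a documented function of the flags raised and of whether a wider breach is suspected, so an examiner can trace each outcome back to the written procedure rather than to an analyst's judgement call.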
When performing and analyzing a risk assessment, organizations need to keep in mind the risk mitigation processes that are already in place. For example, if an organization already operates a Customer Identification Program (CIP) as part of its USA PATRIOT Act compliance program, those practices can be leveraged, which helps minimize both costs and operational impact. However, when creating policies, organizations need to be sure to incorporate these existing controls into the official “Red Flags” policy and procedures. Simply pointing regulators and internal stakeholders to current policies probably is not an acceptable path. Moving this material into the new policy and procedure guides assures regulators and examiners that the organization has addressed the issues rather than merely cross-referencing another policy. Organizations also need to show that they have thought through the impact of the Red Flag rules on current processes.
Implementation and Beyond
Implementation of the developed policy should be immediate (and mindful of the November 1 deadline). Once the policy is in place, organizations should consistently monitor for red flags and periodically review their procedures for evolving risks. For insurers, an important point at which to look for red flags is the time of policy application. Online insurance applications in particular call for identity verification, both for compliance and as good business practice, and doing so can go a long way toward preventing premium fraud as well as identity theft.
Annually, and possibly more frequently, organizations are expected to report on the effectiveness of their policies—whether or not service providers are implementing adequate safety procedures, significant security incidents and recommendations for material changes to the program, additional red flags and so on. Forms of identity theft are constantly evolving and the Red Flag regulations assume that organizations will evolve to keep pace with them.
Complying with the Red Flag rules is labor and time intensive, but it needn’t be burdensome. The truth is that the Red Flag rules are as much an opportunity for insurers as they are a government mandate. Identity theft is a large and growing problem; those that shirk their duty not only will face significant consequences, but can be expected to lose customers and suffer a diminished brand. Conversely, organizations that use the Red Flag rules to beef up their security and protect their customers will reap the benefit.
Jan Tankersley is vice president of Insurance & Health Care Solutions and Deb Geister is director of Fraud Prevention & Compliance Solutions with LexisNexis Risk & Information Analytics Group.