As of November 1, 2009, financial institutions and other creditors, including insurance companies, must be in compliance with the Red Flag provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). This November 1st deadline is itself an extension that the Federal Trade Commission granted to give institutions more time to achieve compliance. The Red Flag rules are designed to detect, prevent and mitigate identity theft, which the rules define as a fraud committed or attempted using another person's identifying information without authority. Because so many consumers hold insurance policies and benefits, compliance with the mandates is crucial for insurance companies.
The Red Flag rules are broad in scope. They reach not only financial institutions but also creditors, a term defined broadly enough to capture organizations engaged in insurance and similar activities, and many of the definitions within the new rules could greatly expand compliance demands. Organizations that offer covered accounts (consumer accounts that involve or permit multiple payments or transactions, plus any other account with a reasonably foreseeable risk of identity theft) are subject to the provisions. Insurance companies continue to evolve, increasingly offering traditional financial services and investment products. With the vast amount of personal information that is stored electronically, it is critical that the industry take the Red Flag rules seriously and that companies implement thorough and effective compliance programs.
The rules state that, in order to be compliant, any “financial institution and creditor that holds any customer account, or other account, for which there is a reasonably foreseeable risk of identity theft” must develop a written identity theft prevention program. There are four principal components:
- Identification of the red flags (patterns, practices or specific activities) that may signal possible identity theft
- Ongoing detection of the red flags that have been identified
- Effective responses to detected red flags in order to prevent and mitigate identity theft
- Periodic review and updating of red flags and procedures to keep pace with emerging threats
In addition to the four principal components above, the Red Flag provisions require that an institution’s identity theft prevention program be written, approved by the board of directors (or, where there is no board, by senior management), and overseen by the board or senior management. Appropriate staff must be trained to carry out the program, and service providers that perform covered activities on the institution’s behalf must be overseen to ensure they follow reasonable procedures.
The first step any insurance company should take in complying with the rules is to conduct a thorough risk assessment with clear and comprehensive evaluation criteria for each area of the business. Among the criteria that should be considered are the types of accounts offered by the organization, the methods used to open and access such accounts, and the organization’s prior experience with identity theft. Because there is no one-size-fits-all approach to compliance, the Red Flag rules allow insurance organizations to deploy measures tailored to their own business and risk profile.
The second phase of compliance requires that an insurance company develop written policies based on the findings of the risk assessment in order to protect the company and its customers against identity theft in both new and existing accounts. The written policy should contain a list of relevant red flags (including, but not limited to, those outlined in the government’s guidelines); procedures detailing how the company intends to detect them; and the responses the company will take when a red flag is detected. Because red flags differ by industry, insurance companies need to consider what kinds of alerts they may encounter when an application is made to open or update an insurance account, including unusual account activity, fraud alerts or warnings on a customer’s consumer report, and suspicious identifying documents or personal information.
The last stage is the implementation of the developed policy. Once the policy is in place, a business should consistently monitor for red flags and periodically review its procedures in light of evolving risks. Staff responsible for the program are expected to report, at least annually, to the board or senior management on its effectiveness: for example, whether service providers are following adequate procedures, any significant security incidents and management’s responses to them, and recommendations for material changes to the program.
Identity theft is a costly and destructive problem; business and consumer losses totaled $56.6 billion in 2005 alone. As destructive as identity theft can be to a business, however, failure to comply with regulations such as the Red Flag rules can be even more disruptive and costly. To avoid potential losses, regulatory fines, costly investigations and potential lawsuits, all affected institutions should move quickly to put an effective identity theft prevention program in place.
Deb Geister is director of Fraud Prevention & Compliance Solutions with LexisNexis Risk Solutions, and Peter Lynch is the general manager, Claims Solutions with LexisNexis Risk Solutions.