Identity Theft Red Flags Scheme
September 25, 2008
Based on a recent rise in global identity theft and fraud risks,
the U.S. government has issued an amendment to the financial
regulation to tackle the issue. This new addition is the Identity
Theft Red Flag scheme.
Under this scheme, financial institutions and creditors must
develop a written program that identifies and detects the relevant
warning signs—or "red flags"—of identity theft. These signs
may include unusual account activity, fraud alerts on a consumer
report, or attempted use of suspicious account application
documents. The program must also describe appropriate responses that
would prevent and mitigate the crime and detail a plan to update the
program. The program must be managed by the Board of Directors or
senior employees of the financial institution or creditor, must
include appropriate staff training, and must provide for oversight of
any service providers.
The rule is composed of 26 red flags for companies to
implement. These red flags cover major identity fraud controls and
focus on the following areas:
- Personal identification: ensuring customer identity, validity, and
consistency
- Fraud monitoring: checking consumer reports for any suspicious
behavior as well as unusual credit activity
- Personal address changes: control uniqueness of address
- Consumer behavior: credit default payment, changes in account
activity, or unusual behavior
This rule has been in effect from January 2008, and compliance must
be met by November 2008.
One of the things this rule shows is how much governments have to
enforce best practices to minimize risks faced by the financial
sector, since it is a critical sector for a country's economy. The
U.S. has always been a leader in this type of financial regulation,
and the proposed controls are quite discernable for many
companies. Identity theft is a worldwide threat that is not limited to
the boundaries of one country, so other countries could adopt similar
regulation by following or adapting these main ideas.
Here in the Middle East, recent issues related to fraud in payment
card systems, for example, should help regulators think about adopting
similar processes and ideas. Trends show that bringing more security
to the market should help to gain global confidence and enforce better
governance. The Middle East is still a young and growing marketplace;
therefore, more maturity in regulation is welcome.
The initial 26 red flags are listed below, but they do not
represent an exhaustive list, because companies will use their own
experience to implement more appropriate controls:
- A fraud alert included with a consumer report
- Notice of a credit freeze in response to a request for a consumer
report
- A consumer reporting agency providing a notice of address
discrepancy
- Unusual credit activity, such as an increased number of accounts
or inquiries
- Documents provided for identification appearing altered or
forged
- Photograph on ID inconsistent with appearance of customer
- Information on ID inconsistent with information provided by person
opening account
- Information on ID, such as signature, inconsistent with
information on file at financial institution
- Application appearing forged or altered or destroyed and
reassembled
- Information on ID not matching any address in the consumer report;
Social Security number has not been issued or appears on the Social
Security Administration's Death Master File
- Lack of correlation between Social Security number range and date
of birth
- Personal identifying information associated with known fraud
activity
- Suspicious addresses supplied, such as a mail drop or prison, or
phone numbers associated with pagers or answering service
- Social Security number provided matching one submitted by another
person opening an account or other customers
- An address or phone number matching information supplied by a
large number of applicants
- The person opening the account unable to supply identifying
information in response to notification that the application is
incomplete
- Personal information inconsistent with information already on file
at financial institution or creditor
- Person opening account or customer unable to correctly answer
challenge questions
- Shortly after change of address, creditor receiving request for
additional users of account
- Most of available credit used for cash advances, jewelry, or
electronics, plus customer fails to make first payment
- Drastic change in payment patterns, use of available credit or
spending patterns
- An account that has been inactive for a lengthy time suddenly
exhibits unusual activity
- Mail sent to customer repeatedly returned as undeliverable despite
ongoing transactions on active account
- Financial institution or creditor notified that customer is not
receiving paper account statements
- Financial institution or creditor notified of unauthorized charges
or transactions on customer's account
- Financial institution or creditor notified that it has opened a
fraudulent account for a person engaged in identity theft
