At Fraudmit we strive to go above and beyond normal customer service. One way we do that is to keep track of and stay educated on everything that affects our clients, including Identity Theft. More than that, we think it is prudent to advise our clients of these changes.
The Identity Theft “Red Flags” Rule is a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Last year the FTC and five other federal agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration) established “Red Flag” Rules that go into effect for financial institutions and creditors starting November 2008. The purpose of this ruling is to minimize incidents of Identity Theft and Fraud related to the handling of customers’ non-public information. After several revisions, the final rules were issued on October 31, 2007.
The Rules specifically refer to federal banks, state and federal loan associations, mutual savings banks, state or federal credit unions, finance companies, automobile dealers and mortgage companies including brokers. For our clients this means that, as mortgage brokers or bankers, you must design, implement and start operating an internal system to detect and combat Identity Theft no later than November 1, 2008.
Compliance with this new regulation is not terribly difficult, but it does require an understanding of the Rules and the methods available to become compliant.
“Red Flag” Rule requirements:
It is important that your program be in writing. The FTC does provide some flexibility as to the size and scope of your written program, allowing it to correspond to the size of your business, as long as the program that you implement will detect, prevent and mitigate Identity Theft.
Each Identity Theft prevention program must:
• Identify “Red Flags”. Incorporate into your business a process of identifying
relevant patterns, practices, and specific activities that are “red flags” and
may signal possible Identity Theft.
• Detect “Red Flags”. Develop a process of detecting “red flags” by obtaining
specific identifying information about your clients and then verifying their
identity.
• Respond to “Red Flags”. Responding to “Red Flags” requires “appropriate
responses” that prevent and mitigate identity theft. Examples include
contacting the consumer or notifying law enforcement.
• Be approved by the board of directors. The company's board or
committee must approve the identity theft prevention program and must
thereafter be involved, directly or through a designated senior management
employee, in the oversight, development, implementation and administration of
the program. In addition, the company must assign specific responsibility for
the implementation of the program, train staff, audit compliance, generate
annual reports and supervise employees who are granted access to
covered accounts. You must also ensure the program is updated periodically
to reflect changes in the risks from Identity Theft.
The following is a sampling of the 26 “Red Flags” established by the Federal Trade Commission. This sampling is not intended to be a complete list of possible “Red Flags”, nor is it intended to be used as a checklist. Rather this list is meant to serve as a guide in establishing your own policies and procedures.
26 “Red Flags”:
1. A fraud alert included with a consumer report.
2. Notice of a credit freeze in response to a request for a consumer report. 
3. A consumer-reporting agency providing a notice of address discrepancy.
4. Unusual credit activity, such as an increased number of accounts or 
inquiries.
5. Documents provided for identification appearing altered or forged.
6. Photograph on ID inconsistent with appearance of customer.
7. Information on ID inconsistent with information provided by person opening
account.
8. Information on ID, such as signature, inconsistent with information on file at
financial institution.
9. Application appearing forged or altered or destroyed and reassembled.
10. Information on ID not matching any address in the consumer report, or a
Social Security number that has not been issued or that appears on the Social
Security Administration's Death Master File, a file of information associated
with Social Security numbers of those who are deceased.
11. Lack of correlation between Social Security number range and date of birth.
12. Personal identifying information associated with known fraud activity.
13. Suspicious addresses supplied, such as a mail drop or prison, or phone
numbers associated with pagers or answering service.
14. Social Security number provided matching that submitted by another
person opening an account or other customers.
15. An address or phone number matching that supplied by a large number of
applicants.
16. The person opening the account unable to supply identifying information in
response to notification that the application is incomplete.
17. Personal information inconsistent with information already on file at financial institution or creditor.
18. Person opening account or customer unable to correctly answer challenge
questions.
19. Shortly after change of address, creditor receiving request for additional
users of account.
20. Most of available credit used for cash advances, jewelry or electronics, plus
customer fails to make first payment.
21. Drastic change in payment patterns, use of available credit or spending
patterns.
22. An account that has been inactive for a lengthy time suddenly exhibiting
unusual activity.
23. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account.
24. Financial institution or creditor notified that customer is not receiving paper
account statements.
25. Financial institution or creditor notified of unauthorized charges or
transactions on customer's account.
26. Financial institution or creditor notified that it has opened a fraudulent
account for a person engaged in identity theft.
Source: Federal Trade Commission
How Do I Know Which “Red Flags” Apply To My Business?
The “Red Flags” that apply to you depend on a number of factors, including the type of business you are providing and your company’s previous experiences with Identity Theft. You must consider these other factors, as well as various sources and categories of “Red Flags” identified in the guidelines.
10 Steps In Writing Your Identity Theft Program:
Now that you have a basic understanding of the FTC’s requirements and what the “Red Flags” are, it is time to put pen to paper and write out a formal Identity Theft Program Plan that can be incorporated into your current Policies and Procedures.
The following listing is a guide that is meant to serve as an introduction to procedures that you will want to incorporate as a part of your Program. Please be advised, however, that as an “introductory guide” these ten procedures do not represent all of the necessary elements that may be required in your Plan.
Your program should include these rules:
1. Burn, pulverize, or shred papers containing non-public information so that
the information cannot be read or reconstructed.
2. Computer Security
a. Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed.
b. Email security: personal data sent over the web or through email should be encrypted during any sort of transmission.
c. Stored electronic private information and data should be encrypted.
d. Document storage should be encrypted. Physical storage should consider security and access rights.
e. Computer system firewalls
f. Antivirus software protection
g. Password protection and lockdown of your computers
h. Laptop and other mobile device security
3. Building/office security
4. Background screening of all employees and service providers
5. Associate training on the Identity Theft Program
6. Reporting and dealing with identity theft, including the filing and maintaining
of Suspicious Activity Reports.
7. Pre-funding check of borrower information for “red flags” and fraud:
a. What information to obtain from the customer.
b. How to evaluate the information provided. Using third party validating sources is a possible option.
c. Appropriate responses when a red flag is detected. Assess whether the red flag evidences a risk of identity theft; your response must be commensurate with the degree of risk posed.
d. How to document the conclusion. The rule does not require you to maintain a log, nor do the guidelines suggest that a log should be maintained. However, you are required to prepare regular reports on the effectiveness of your program, and you are required to incorporate your own experiences with identity theft when you review and update your program. So maintaining a Suspicious Activity Report (SAR) is recommended.
8. Have a Continuity Plan (aka Disaster Recovery Plan). All data whether
electronic or physical must be secured from loss due to environmental hazards
such as floods, as well as from technological hazards such as system failures.
9. Testing and periodic updating of the Identity Theft Program
10. Board of Directors approval along with annual review of the program
Conclusion
You can be sure that the FTC and other consumer groups will be diligent in monitoring the implementation of and compliance with new Identity Theft Programs. Let us know if you have any questions or would like us to assist you in creating or administering such a program.
Please note that the information contained in this Newsletter is being provided as a courtesy by Fraudmit and for informational purposes only and is not meant to serve as legal advice.