In 2004, Congress amended the 1970s-era Fair Credit Reporting Act (FCRA) to address the growing problem of identity theft. Under these adjustments to the FCRA, the FTC (along with other regulatory agencies) was asked to develop rules for preventing some of the most common scenarios: thieves opening fake credit card accounts or taking out loans in someone else’s name. The Red Flag Rule—finalized in 2010—is as straightforward as it sounds: financial companies were to establish a program to “detect, prevent, and mitigate identity theft” of consumer accounts.
If you think about the whole identity theft ecosystem, hackers and data thieves provide the raw personally identifiable information (PII) ingredients. Identity thieves, who can be different from the original hackers, then use this data to manufacture fake consumer accounts at any company that extends credit. The Red Flag Rule is a mechanism for making it much harder for ID thieves to profit from their inventory of social security, credit card, and bank account numbers.
Financial companies or any creditors (for, say, car loans or home mortgages) that give consumers a way to make multiple charges have to be on the lookout for signs of identity theft—the red flags. For example, if documents appear forged, photos don’t match the person requesting credit, or identifying information is inconsistent or suspiciously similar to an existing customer’s, then this could be considered a “suspicious pattern or practice” that would trigger a red flag.
Each business is different, and the Red Flag Rule allows companies to develop their own policies and procedures for detection. And I should add that these regulations, as with many other US data security regulations, are technology neutral.
However, the most common flags come about when a request to a national credit reporting agency (NCRA) for a consumer’s credit profile is made. Typically, the identity thief will use all the same PII but give a different address, so that the victim remains unaware of the false transactions. When the financial company requests the customer’s profile, the CRAs are required to notify the requester of the address discrepancy—one of the reddest flags. Another red flag arises when a consumer directly tells the CRA that they are a victim of identity theft: the CRA is then supposed to include a fraud alert with the report.
The FTC also came up with general guidelines for “appropriate responses” to prevent the ID robbery from taking place. This could include contacting the real customer, not opening the new account, and possibly alerting law enforcement. Another significant point in these informal FTC guidelines is that companies should take into consideration a previous data security incident—if there’s already been a breach, the response effort should reflect the higher risks involved.
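To make the detection-and-response idea concrete, here is an added example (not from the original post or any regulator’s guidance) that evaluates one credit request against the red flags named above and maps them to a response; the application and CRA response fields, the existing-customer record shape, and the escalation thresholds are all assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Application:            # what the applicant submits (assumed fields)
    name: str
    ssn_last4: str
    address: str
    photo_matches_id: bool
    documents_altered: bool

@dataclass
class CraResponse:            # what the CRA returns with the profile (assumed fields)
    address_on_file: str
    address_discrepancy: bool  # CRA notice that the requested address differs
    fraud_alert: bool          # consumer-initiated identity-theft alert

def detect_red_flags(app, cra, existing_customers):
    """Return the list of red flags raised for one credit request."""
    flags = []
    if cra.fraud_alert:
        flags.append("fraud alert on credit file")
    if cra.address_discrepancy or app.address != cra.address_on_file:
        flags.append("address discrepancy")
    if app.documents_altered:
        flags.append("documents appear forged or altered")
    if not app.photo_matches_id:
        flags.append("photo does not match applicant")
    for cust in existing_customers:
        # Same identifier but a different name: inconsistent with an existing customer.
        if cust["ssn_last4"] == app.ssn_last4 and cust["name"] != app.name:
            flags.append("identifying information matches existing customer")
            break
    return flags

def recommend_response(flags, prior_breach=False):
    """Map flags to an 'appropriate response'; the thresholds are an assumed policy."""
    if not flags:
        return "open account"
    # A prior breach, a fraud alert, or multiple flags raises the risk level.
    high_risk = prior_breach or "fraud alert on credit file" in flags or len(flags) >= 2
    if high_risk:
        return "do not open account; contact customer at address on file; consider notifying law enforcement"
    return "hold application; verify identity with customer at address on file"

# Constructed sample: the real customer's PII, but a new mailing address.
EXISTING = [{"name": "Jane Doe", "ssn_last4": "1234"}]
SAMPLE_APP = Application("Jane Doe", "1234", "99 Elsewhere Rd", True, False)
SAMPLE_CRA = CraResponse("1 Main St", address_discrepancy=True, fraud_alert=False)

if __name__ == "__main__":
    found = detect_red_flags(SAMPLE_APP, SAMPLE_CRA, EXISTING)
    print(found, "->", recommend_response(found, prior_breach=True))
```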
Remember the financial meltdown from 2008? A few years later Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act, which included language to extend the Red Flag Rule to the investment securities sector—with the SEC and the Commodity Futures Trading Commission (CFTC) as the regulators charged with enforcement.
So everything I said above about the Red Flag Rule now applies specifically to stock and commodity investment companies. A short list of firms that are now under the recently finalized Red Flag regulations would include stock broker-dealers, investment advisers, swap dealers, commodity poolers, and foreign exchange dealers.
The overall intent of Dodd-Frank’s Red Flag extension is to prevent identity thieves from obtaining credit in securities transactions, where the risks and liabilities of fraudulent trades can have a global impact.