What Mortgage Brokers should know and probably don't about the Red Flags Rule

I have just asked the Government Affairs Representative for the Colorado Association of Mortgage Brokers to "enlighten" me on this; here is what I got:

FTC Announces Delay in Enforcement of November 1st Red Flags Rule

On October 22nd the FTC announced a six month extension of a little known, widely misunderstood rule that was to be enforced beginning November 1, 2008. The new enforcement date is now May 1, 2008.

From what CAMB has been able to discern, most of the mortgage brokers in Colorado and around the country were generally unaware of the complex rule that affects all of them. In fact, it seems even the brokers who were aware of the Red Flags Rule had been led to believe that all they had to do was pay a couple more dollars to the credit reporting agencies to get the fraud protection and all was well.

That is absolutely wrong!

Whether you are a current or a future CAMB member, if you are a mortgage broker, you or your company were, as of November 1, 2008, required to comply with the Red Flags Rule that became effective January 1, 2008.

Yes, the FTC did announce a delay in enforcing this new identity theft protection rule, but that does not mean that you are immune from financial risk if you fail to comply as of November last year!

Given the turmoil in 2008, it's not surprising that you may have missed it, but a very serious new compliance and operational requirement has basically fallen through the cracks, nationally and locally.

Mortgage Brokers are among those specifically required to comply with the Red Flags Rules that modified the FACT Act. When the FTC learned that almost no one really understood the requirements, and with what appears to be significant pressure from financial institutions and their lobbyists, the FTC on October 22nd extended enforcement until May 1, 2009. That is the FTC. Their extension of enforcement will not prevent exposure to litigation if one of your customers' information is breached and you get sued.

The Red Flags Rule requires that every mortgage banker and broker must have a written plan to address risks of identity theft. If you don't comply, you may well be liable for financial penalties in the event of an identity theft breach. In addition, non-compliance could lead to class action claims. Your failure to respond with the requisite custom, written program actually "proves" your negligence with respect to preventing identity theft.

If all of this is news to you, maybe you'll feel lucky that the FTC issued a reprieve. But if you wait until May 1, 2009 just because the FTC won't be enforcing, you are still at risk and you are still exposing your customers to unnecessary risk.

So, what is the "Red Flags Rule"? What is needed for you to comply with the new rule?

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) established a requirement for the implementation of an Identity Theft "Red Flags" Rule by January 1, 2008. Subsequently, in order to allow time for businesses to implement the rule, the deadline was extended to November 1, 2008. When it became obvious that no one was reacting and many were trying to figure out who was required to comply, the FTC announced an enforcement delay through May 1, 2009.

The FTC and five other federal agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration) issued the final "Red Flag" rules on October 31, 2007. The purpose of the Red Flags Rule is to minimize incidents of Identity Theft and Fraud related to the handling of customers' non-public information.

The Rules apply to federal banks, state and federal loan associations, mutual savings banks, state or federal credit unions, finance companies, automobile dealers and mortgage companies, including brokers.

The new rules are documented in slightly more than 250 pages of regulation.

"Red Flag" Rule requirements:

The rules require that the program is in writing. There isn't a "one size fits all" prescribed solution. Each entity is required to structure its own program based on its interpretation of the applicability of the rules and its business practices. The major requirement is that the written program must detect, prevent and mitigate Identity Theft.

Each Identity Theft prevention program must:

The Federal Trade Commission identified 26 "sample" Red Flags. The list is not meant to be comprehensive, but provides guidance for consideration in implementing the program.

26 "Red Flags":

1. A fraud alert included with a consumer report.

2. Notice of a credit freeze in response to a request for a consumer report.

3. A consumer-reporting agency providing a notice of address discrepancy.

4. Unusual credit activity, such as an increased number of accounts or inquiries.

5. Documents provided for identification appearing altered or forged.

6. Photograph on ID inconsistent with appearance of customer.

7. Information on ID inconsistent with information provided by person opening account.

8. Information on ID, such as signature, inconsistent with information on file at financial institution.

9. Application appearing forged or altered or destroyed and reassembled.

10. Information on ID not matching any address in the consumer report, Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased.

11. Lack of correlation between Social Security number range and date of birth.

12. Personal identifying information associated with known fraud activity.

13. Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service.

14. Social Security number provided matching that submitted by another person opening an account or other customers.

15. An address or phone number matching that supplied by a large number of applicants.

16. The person opening the account unable to supply identifying information in response to notification that the application is incomplete.

17. Personal information inconsistent with information already on file at financial institution or creditor.

18. Person opening account or customer unable to correctly answer challenge questions.

19. Shortly after change of address, creditor receiving request for additional users of account.

20. Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment.

21. Drastic change in payment patterns, use of available credit or spending patterns.

22. An account that has been inactive for a lengthy time suddenly exhibiting unusual activity.

23. Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account.

24. Financial institution or creditor notified that customer is not receiving paper account statements.

25. Financial institution or creditor notified of unauthorized charges or transactions on customer's account.

26. Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft.

Twenty Six Red Flags - Source: Federal Trade Commission
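The flags above are written as indicators a human reviewer looks for, but several of them (10, 13, 14 and 15) can be checked mechanically across a batch of applications before funding. The following is an added example, not code from the post, CAMB or the FTC; the deceased-SSN set, the high-risk-address set, the "large number of applicants" threshold and the applicant records are all constructed placeholders, and a real program would draw on the SSA Death Master File and a vetted address list instead.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed placeholder reference data (hypothetical values, not real records).
DECEASED_SSNS = {"123-45-6789"}                       # flag 10: SSN on Death Master File
HIGH_RISK_ADDRESSES = {"PO BOX 9 MAILDROP CITY"}     # flag 13: mail drops, prisons
SHARED_CONTACT_THRESHOLD = 3                          # flag 15: assumed "large number"

@dataclass
class Application:
    applicant: str
    ssn: str
    address: str
    phone: str

def screen(applications):
    """Return {applicant: [red flag descriptions]} for one batch.
    Flags 14 and 15 compare applicants against each other, so the whole batch
    is counted first and every record is then evaluated against those counts."""
    ssn_counts = Counter(a.ssn for a in applications)
    address_counts = Counter(a.address.upper() for a in applications)
    phone_counts = Counter(a.phone for a in applications)
    findings = {}
    for app in applications:
        flags = []
        if app.ssn in DECEASED_SSNS:
            flags.append("10: SSN appears on Death Master File")
        if app.address.upper() in HIGH_RISK_ADDRESSES:
            flags.append("13: address is a mail drop or other high-risk location")
        if ssn_counts[app.ssn] > 1:
            flags.append("14: SSN also submitted by another applicant")
        if address_counts[app.address.upper()] >= SHARED_CONTACT_THRESHOLD:
            flags.append("15: address shared by many applicants")
        if phone_counts[app.phone] >= SHARED_CONTACT_THRESHOLD:
            flags.append("15: phone number shared by many applicants")
        if flags:
            findings[app.applicant] = flags
    return findings

# Constructed sample batch; no real applicant data.
SAMPLE_BATCH = [
    Application("A. Borrower", "111-22-3333", "1 Elm St, Denver CO", "303-555-0101"),
    Application("B. Borrower", "111-22-3333", "2 Oak St, Denver CO", "303-555-0102"),
    Application("C. Borrower", "123-45-6789", "PO Box 9 Maildrop City", "303-555-0199"),
    Application("D. Borrower", "444-55-6666", "3 Pine St, Denver CO", "303-555-0199"),
    Application("E. Borrower", "777-88-9999", "4 Ash St, Denver CO", "303-555-0199"),
]

if __name__ == "__main__":
    for name, flags in screen(SAMPLE_BATCH).items():
        print(name, flags)
```

A hit is only a trigger for the response step the program must define; the rule expects the reviewer to assess whether the flag actually evidences identity theft risk and to document the conclusion.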

Use the list to guide your development and apply it to your business.

The "Red Flags" that apply to you depend on a number of factors, including the type of business you are providing, plus your company's previous experiences with Identity Theft. The program developed must consider these and other factors, as well as various sources and categories of "Red Flags" identified in the guidelines.

Considerations for the content of the Red Flag Identity Theft Program:

First, incorporate the Theft Program into current Policies and Procedures. Some of the activities and areas that you will want to consider include:

1. Record destruction. Adequately shred, burn, or pulverize papers containing non-private information to prevent reading or reconstruction.

2. Computer Security

a. Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;

b. Email security - encrypt personal data being sent over the web or through email

c. Stored electronic private information and data should be encrypted

d. Encrypt document storage

e. Consider security and access to physical storage.

f. Use Computer system firewalls

g. Install and maintain antivirus software protection

h. Consider password protection and lockdown of your computers

i. How are laptops and other mobile devices secured?

3. Building/office security

4. Background screening of all employees and service providers

5. Associate training of the Identity Theft Program

6. Reporting and dealing with identity theft, including the filing and maintaining of Suspicious Activity Reports (SARs).

7. Pre-funding check of borrower information for "red flags" and fraud:

a. What information to obtain from the customer

b. How to evaluate the information provided. Using third party validating sources is a possible option.

c. Appropriate responses when a red flag is detected. Assess whether the red flag evidences a risk of identity theft; your response must be commensurate with the degree of risk posed.

d. How to document the conclusion. The rule requires regular reports on the program's effectiveness.

8. Implement a Disaster Recovery Plan. All data whether electronic or physical must be secured from loss due to environmental hazards such as floods, as well as from technological hazards such as system failures.

9. Test and periodically update the Identity Theft Program

10. Board of Directors or Senior Management approval and annual review of the program

In the final analysis the Red Flag Program is intended to reflect the documented focus of your company, its board of directors and senior management attention on the detection, prevention and mitigation of identity theft. Properly written based on consideration of your company's business and practices, the program documents the policies and procedures that enable compliance with this new FTC and Agency rule. The on-going reports and reviews will ensure data, employee and customer protection and will help protect the company against the potentially disastrous financial consequences of non-compliance.