Stopping ID Theft By Raising “Red Flags”
By Brendan B Read
Senior Contributing Editor, Customer Interaction Solutions
Beginning this month, contact centers, including teleservices firms, that
handle consumer financial information are required by Federal law
to have formal written plans to identify, detect, and respond to patterns,
practices, or specific activities that could indicate ID theft.
The Federal Trade Commission (FTC),
federal bank regulatory agencies, and the
National Credit Union Administration
(NCUA) mandate formal written and
current ID theft prevention programs
(ITPPs). Firms must have their senior executives
sign off on ITPPs and educate and
train their staff on complying with them.
These regulations are known as the ‘Red
Flags’ rules, technically sections 114
and 315 of the federal Fair and Accurate
Credit Transactions (FACT) Act of
2003. They apply to banks, credit card
issuers, lenders, government agencies,
nonprofits, and their outsourcers, such as
teleservices agencies, that hold consumer
and small business credit information,
known as ‘covered accounts’.
The Red Flags rules are designed to
stanch the losses from ID theft, which,
reports the President’s Identity Theft Task
Force, costs billions of dollars each year to
individuals and businesses. They are also
aimed at ending the unaccountable fear,
aggravation, and time spent in responding
to and recovering from such crimes.
Every consumer data touchpoint, including
contact centers, data processing, and
HR, must follow Red Flags, and for good
reason. Thieves, both outside and inside,
target these operations to obtain data, such
as for credit card fraud or to sell to spammers.
“Any function or department that has
personal information you have to be careful
about and make sure they know about
and take steps to comply with Red Flags,”
explains Direct Marketing Association
Senior Vice President, Government Affairs
Jerry Cerasale. “They hold data: from Social
Security numbers to mother’s maiden
names, 401(k) information and to bank
deposit and health insurance numbers that
crooks want to get their hands on.”
The Red Flags regulations also require
credit and debit card issuers to develop
policies and procedures to assess the validity
of a request for a change of address
that is followed closely by a request for
an additional or replacement card. These,
too, could be warnings of ID theft.
“With the prevalence of ID theft, you
can no longer just accept a change of
address,” Cerasale points out. “You have
to try and make sure a thief is not trying
to steal IDs. The change of address
rules in Red Flags add a critical new
and complementary layer of security to
existing protections that have long been
implemented by the US Postal Service.”
To help firms design programs to comply
with these rules, the FTC, the federal
banking agencies, and the NCUA issued
guidelines including a supplement that
identifies 26 possible red flags (see box).
These red flags are not a checklist, but
rather are examples that financial institutions
and creditors may want to use as a
starting point. They fall into five categories:
• Alerts, notifications, or warnings from
a consumer reporting agency;
• Suspicious documents;
• Suspicious personally identifying information,
such as a suspicious address;
• Unusual use of – or suspicious activity
relating to – a covered account;
• Notices from customers, victims
of identity theft, law enforcement
authorities, or other businesses about
possible identity theft in connection
with covered accounts.
Michele Shuster is senior partner at Mac
Murray, Cook, Petersen & Shuster LLP,
which works with the teleservices industry.
She supports the Red Flags rules
and believes they are reasonable because
they could help prevent the theft from
happening. Existing federal and state
laws have focused on responding to such
crimes, such as by requiring consumers
to be notified when their data have been
accessed by unauthorized individuals,
whether deliberately or accidentally.
“I’m glad we’re focusing on the prevention
instead of notifying consumers after
the fact, which some firms were not doing
when required to do so,” says Shuster.
“While I am no fan of increased regulations,
Red Flags is an exception as it is
indeed an ounce of prevention which is
worth a pound of cure. We are trying to
prevent the victimization of consumers
and businesses, which is a very good move
forward in privacy laws.”
The DMA’s Cerasale believes Red Flags
will force firms to have programs in
place to catch security breaches. Even
with the best data security, theft and
breaches will happen.
“The last thing you want is if you have a
breach is not to have a plan in how you
deal with it,” says Cerasale.
Making Red Flags Work
To make Red Flags work, Shuster recommends
that contact centers develop and
implement compliance training programs
on the written policies. This way everyone, from the contact center director and VP of customer
service to IT, supervisors, and agents,
understands the importance of these rules
and what steps to take to live up to them.
“The FTC has said that consumer
privacy is their number one priority,”
says Shuster. “They are taking it very
seriously, which means not only must
firms have their written ID theft policies
in place now, but they should also have
their staff trained on them to prevent
thefts from happening.”
Teleservices companies should consider
getting a head start by developing their own
Red Flags-compliant ID theft prevention
program before they are asked to do so by
current or prospective clients. It sends a message,
she says, that they are aware of clients’/
prospects’ legal requirements and that it is
a priority for them, which would be very
comforting for teleservices buyers to receive.
“If I am with a financial institution
and I’m using a teleservices company
that is included in this law, I would
be very impressed with that company
if they sent me a copy of their Red-Flags-compliant
ITPP,” says Shuster.
“If I am with a teleservices company
I would be requesting a copy of their
ITPP as well so that my teams can
comply with them.”
Cerasale suggests that firms take a hard
look at the types of data they keep. The
more they hold the greater the risk of
loss of data and the greater the risk of ID
theft from that loss.
For example, getting hold of bank deposit
information is like having a virtual ATM card that
enables an instant cleanout of accounts.
Handling this information also consumes
a large amount of data storage,
and supporting computer processing
resources. The less data that needs to be
handled, the lower the costs.
“If you don’t or no longer need the information
such as credit card numbers both
front and back, get rid of them,” recommends
Cerasale. “You reduce your ID theft
risk and at the same time free up resources
that you can better deploy elsewhere.”
Identity Theft Prevention Program (ITPP): 26 Red Flags
1. A fraud alert included with a consumer report
2. Notice of a credit freeze in response to a request for a
consumer report
3. A consumer reporting agency providing a notice of address
discrepancy
4. Unusual credit activity, such as an increased number of accounts
or inquiries
5. Documents provided for identification appearing altered
or forged
6. Photograph on ID inconsistent with appearance of customer
7. Information on ID inconsistent with information provided
by person opening account
8. Information on ID, such as signature, inconsistent with
information on file at financial institution
9. Application appearing forged or altered or destroyed
and reassembled
10. Information on ID not matching any address in the consumer
report, Social Security number has not been issued
or appears on the Social Security Administration’s Death
Master File, a file of information associated with Social
Security numbers of those who are deceased
11. Lack of correlation between Social Security number range
and date of birth
12. Personal identifying information associated with known
fraud activity
13. Suspicious addresses supplied, such as a mail drop or prison,
or phone numbers associated with pagers or answering service
14. Social Security number provided matching that submitted
by another person opening an account or other customers
15. An address or phone number matching that supplied
by a large number of applicants
16. The person opening the account unable to supply identifying
information in response to notification that the
application is incomplete
17. Personal information inconsistent with information already
on file at financial institution or creditor
18. Person opening account or customer unable to correctly
answer challenge questions
19. Shortly after change of address, creditor receiving request
for additional users of account
20. Most of available credit used for cash advances, jewelry or
electronics, plus customer fails to make first payment
21. Drastic change in payment patterns, use of available credit
or spending patterns
22. An account that has been inactive for a lengthy time suddenly
exhibiting unusual activity
23. Mail sent to customer repeatedly returned as undeliverable
despite ongoing transactions on active account
24. Financial institution or creditor notified that customer is
not receiving paper account statements
25. Financial institution or creditor notified of unauthorized
charges or transactions on customer’s account
26. Financial institution or creditor notified that it has opened
a fraudulent account for a person engaged in identity theft
Source: Federal Trade Commission, supplied courtesy of Michele
A. Shuster, Mac Murray, Cook, Petersen
& Shuster LLP