Stopping ID Theft By Raising“Red Flags”

By Brendan B Read
Senior Contributing Editor, Customer Interaction Solutions

Beginning this month contact centers including teleservices firms that handle consumer financial information are required by Federal law have formal written plans to identify, detect, and respond to patterns, practices, or specific activities that could indicate ID theft.

The Federal Trade Commission (FTC (News - Alert)), federal bank regulatory agencies, and the National Credit Union Administration (NCUA) mandate formal written and current ID theft prevention programs (ITPPs). Firms must have their senior executives sign off on ITPPs and educate and train their staff on complying with them.

These regulations are known as the ‘Red Flags’ rules, technically sections 114 and 315 of the federal Fair and Accurate Credit Transactions (FACT) Act of 2003. They apply to banks, credit card issuers, lenders, government agencies, nonprofits and their outsourcers such as teleservices agencies, that hold consumer and small business credit information, known as ‘covered accounts’.

The Red Flags rules are designed to stanch the losses from ID theft, which, reports the President’s Identity Theft Task Force, costs billions of dollars each year to individuals and businesses. They are also aimed at ending the unaccountable fear, aggravation, and time spent in responding and recovering from such crimes.

Every consumer data touchpoint including contact centers, data processing, and HR must follow Red Flags, and for good reason. Thieves, both outside and inside target these operations to obtain data, such for credit card fraud or to sell to spammers.

“Any function or department that has personal information you have to be careful about and make sure they know about and take steps to comply with Red Flags,” explains Direct Marketing Association Senior Vice President, Government Affairs Jerry Cerasale. “They hold data: from Social Security numbers to mother’s maiden names, 401(k) information and to bank deposit and health insurance numbers that crooks want to get their hands on.”

The Red Flags regulations also requires credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. These too, could be warnings of ID theft.

“With the prevalence of ID theft, you can no longer just accept a change of address, “Cerasale points out. “You have to try and make sure a thief is not trying to steal IDs. The change of address rules in Red Flags adds a critical new and complimentary layer of security to existing protections that have long been implemented by the US Postal Service.” To help firms design programs to comply with these rules, the FTC, the federal banking agencies, and the NCUA issued guidelines including a supplement that identifies 26 possible red flags (see box). These red flags are not a checklist, but rather are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:

• Alerts, notifications, or warnings from a consumer reporting agency;

• Suspicious documents;

• Suspicious personally identifying information, such as a suspicious address;

• Unusual use of – or suspicious activity relating to – a covered account;

• Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

Michele Shuster is senior partner Mac Murray, Cook, Petersen & Shuster LLP, which works with the teleservices industry. She supports the Red Flags rules and believes they are reasonable because they could help prevent the theft from happening. Existing federal and state laws have focused on responding to such crimes such as by requiring consumers to be notified when their data have been accessed by unauthorized individuals, whether deliberately or accidentally.

“I’m glad we’re focusing on the prevention instead of notifying consumers after the fact, which some firms were not doing when required to do so,” says Shuster. “While I am no fan of increased regulations, Red Flags is an exception as it is indeed an ounce of prevention which is worth a pound of cure. We are trying to prevent the victimization of consumers and businesses, which is a very good move forward in privacy laws.”

The DMA’s Cerasale believes Red Flags will force firms to have programs in place to catch security breaches. Even with the best data security theft and breaches will happen.

“The last thing you want is if you have a breach is not to have a plan in how you deal with it,” says Cerasale. Making Red Flags Work To make Red Flags work, Shuster recommends that contact centers develop and implement compliance training programs on the written policies. This way every-one: contact center director, VP customer service to IT and to supervisors and agents understand the importance of these rules and what steps to live up to them.

“The FTC has said that consumer privacy is their number one priority,” says Shuster. “They are taking it very seriously, which means not only must firms have their written ID theft policies in place now, but they should also have their staff trained on them to prevent thefts from happening.”

Teleservices companies should consider getting a head start by developing their own Red Flags-compliant ID theft prevention program before they are asked to do so by current or prospective clients. It sends a message, she says, that they are aware of clients’/ prospects’ legal requirements and that it is a priority for them, which would be very comforting for teleservices buyers to receive.

“If I am with a financial institution and I’m using a teleservices company that is included in this law, I would be very impressed with that company if they sent me a copy of their Red- Flags-compliant ITPP,” says Shuster. “If I am with a teleservices company I would be requesting a copy of their ITPP as well so that my teams can comply with them.”

Cerasale suggests that firms take a hard look at the types of data they keep. The more they hold the greater the risk of loss of data and the greater the risk of ID theft from that loss.

For example getting ahold of bank deposit information is like a virtual ATM card that enables an instant cleanout of accounts.

Handling this information also consumes a large amount of data storage, and supporting computer processing resources. The less data that needs to be handled the lower the costs.

“If you don’t or no longer need the information such as credit card numbers both front and back, get rid of them,” recommends Cerasale. “You reduce your ID theft risk and at the same time free up resources that you can better deploy elsewhere.

CIS Magazine Table of Contents