Are You Ready for the FACT Act's November 1 Compliance Deadline?
On November 1, 2008, the so-called “red flag” rules that implement Sections 114 and 315 of the Fair and Accurate Credit Transaction Act of 2003 (“FACT Act”) become effective. The rules will require all financial institutions and certain other companies (e.g., retailers that take applications for third party credit cards or their own cards, automobile dealers that partner with banks to facilitate car loans, utility account issuers, margin account issuers, or others that defer payment for goods and services) to identify and respond to account activities that may indicate identity theft. The rules also require any user of consumer credit reports to develop policies and procedures to respond to apparent address discrepancies. In addition, issuers of credit or debit cards must develop policies and procedures to assess the validity of an address change request when it is followed within 30 days by a request for an additional or replacement card. As part of these responsibilities, financial institutions must develop and implement a Board-approved identity theft prevention program before November 1, 2008.
Although financial institutions should already have in place Customer Identification Program (“CIP”) policies and procedures that comply with applicable laws and regulations, and that may already be helping them detect red flags, these policies and procedures probably should be integrated into the identity theft prevention program for purposes of complying with the FACT Act. Note, however, that those policies and procedures may need to be supplemented for purposes of the FACT Act. The CIP rules were directed toward facilitating the prevention, detection, and prosecution of money laundering and the financing of terrorism, so certain types of accounts and customers are exempted or treated specially under the CIP rules because they pose a lower risk of money laundering or terrorist financing. Such special treatment may not be appropriate to accomplish the broader objective of detecting, preventing, and mitigating identity theft.
Covered Entities
The rules apply to any financial institution that offers or maintains a “covered account”. A “covered account” is an account primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution from identity theft. Loan accounts, credit card accounts, checking accounts, savings accounts, and other types of accounts are included as examples in the definition of “covered account”. While the definition of “account” includes business accounts, the risk-based nature of the rules allows the creditor to determine which business accounts will be covered by the program through a risk evaluation process.
Identity Theft Prevention Program Requirements
The rules define “identity theft” as “a fraud committed or attempted using the identifying information of another person without authority”. Identifying information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person including any:
- Name, social security number, date of birth, official State or government issued driver’s license or ID number, alien registration number, employer or taxpayer ID number;
- Unique biometric data, such as fingerprint, voice print, retina, or iris image, or other unique physical representation;
- Unique electronic ID number, address, or routing code; or
- Telecommunication identifying information or access device.
Accordingly, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of “identity theft”.
The rules require that the identity theft prevention program’s policies and procedures be in writing and be tailored to the size, complexity and nature of the financial institution’s operations. Each program must have reasonable policies and procedures that contain four essential features:
- Identify: Relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft must be incorporated in the program. This should be guided by any regulatory pronouncements applicable to the creditor and the creditor’s own experiences.
- Detect: Programs should include policies and procedures aimed at detecting red flags that have been incorporated into the program such as obtaining identifying information about, and verifying the identity of a person opening an account, and, for existing accounts, authenticating customers and monitoring transactions and address change requests.
- Respond: Programs must include appropriate response procedures if red flags are detected, such as contacting the customer, contacting law enforcement, changing passwords or security devices that allow access, closing accounts and so forth.
- Update: Programs should be changed as necessary to reflect changing risks to the customer and the creditor.
Financial institutions that issue credit and debit cards must also develop policies and procedures to assess the validity of address change requests when a request is followed within 30 days by a request for an additional or replacement card.
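The 30-day address-change rule above is a correlation check that a card issuer can run over its own account event records. The following is an added illustration, not code from the article or from any regulator; the event records, account numbers and field names are constructed for the example, and the response labels are assumptions (the article only says the request's validity must be assessed, e.g. by contacting the customer).

```python
from datetime import datetime, timedelta

# Constructed sample event records (not from the article): one record per account event.
EVENTS = [
    {"account": "A-1001", "type": "address_change", "ts": "2008-11-03T09:15:00"},
    {"account": "A-1001", "type": "card_request",   "ts": "2008-11-20T14:02:00"},  # 17 days later
    {"account": "A-2002", "type": "address_change", "ts": "2008-11-01T08:00:00"},
    {"account": "A-2002", "type": "card_request",   "ts": "2008-12-15T10:30:00"},  # 44 days later
    {"account": "A-3003", "type": "card_request",   "ts": "2008-11-05T11:00:00"},  # no prior change
]

WINDOW = timedelta(days=30)  # the rule's look-back period for a card request after an address change


def find_red_flags(events, window=WINDOW):
    """Return (account, card_request_ts) for every card request that follows
    an address change on the same account within `window` (inclusive)."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    last_change = {}   # account -> timestamp of most recent address change seen so far
    flags = []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "address_change":
            last_change[e["account"]] = ts
        elif e["type"] == "card_request":
            changed = last_change.get(e["account"])
            # Only a change that precedes the request (not one after it) can trigger the flag.
            if changed is not None and timedelta(0) <= ts - changed <= window:
                flags.append((e["account"], e["ts"]))
    return flags


def decide_response(events, window=WINDOW):
    """Map each card request to an assumed response label: flagged requests are
    held for customer verification, all others are processed normally."""
    flagged = set(find_red_flags(events, window))
    decisions = {}
    for e in events:
        if e["type"] == "card_request":
            key = (e["account"], e["ts"])
            decisions[key] = "hold_and_verify_with_customer" if key in flagged else "process"
    return decisions
```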
Finally, because financial institutions use consumer credit reports, they must also develop policies and procedures to respond to notices from credit reporting agencies regarding address discrepancies.
The rules require that the initial written identity theft prevention program be approved by the Board of Directors or a committee of the Board, that appropriate staff be trained, and that service provider arrangements be appropriately overseen.
Guidance for Program Development and Compliance
The rules contain guidance that addresses program design, identification of red flags and detection of red flags, prevention and mitigation measures, and other requirements. While the guidance is helpful, clients should not expect that merely parroting the guidelines in their individual programs will be sufficient for compliance purposes.
Contact Allyn Dixon at adixon@dickinsonlaw.com or at 515.246.2530 with further questions regarding the FACT Act's soon-to-be effective rules and regulations.