Red Flags Rule
... and its impact on you.
Red Flags Rule Expert
Bruce Nelson
Vice President
SearchAmerica, A part of Experian
bruce.nelson@searchamerica.com
At the end of today's presentation, the speaker will be available for a Q&A 
session. Please send your questions to us using the WebEx question function.
Agenda
 Red Flags Rules Background
 Compliance Requirements for Healthcare
 Program Enforcement and Sample Policies
 Best Practices in a Risk Based 
Approach
 Risk Based Reconciliation of 
Address Discrepancies
 Q&A
Red Flags Rule Background
 On November 9, 2007, the FTC, FDIC, OCC, Board, OTS 
and NCUA issued their final rules and guidelines for 
implementing section 114 and section 315 of the Fair 
and Accurate Credit Transactions Act of 2003 (FACT Act) 
Section 114: Rule on duties regarding the detection, 
prevention, and mitigation of identity theft (i.e., Red 
Flags Rule)
Section 315: Rule on duties of users of consumer 
credit reports regarding address discrepancies
Final Rules:  http://ftc.gov/opa/2007/10/redflag.shtm
What is the Red Flags Rule?
 Definition: A Red Flag is a pattern, practice, 
or specific activity that indicates the possible 
risk of identity theft.
 Purpose: To detect and stop identity thieves 
using someone else's identifying information 
at your institution to commit fraud.
Who Must Comply?
Rules apply to creditors with covered accounts.
 A creditor is any entity or any assignee of an original creditor 
that regularly extends, renews, or continues credit OR any entity 
that regularly arranges for the extension, renewal, or 
continuation of credit.
 Examples:  Finance companies, automobile dealers, 
mortgage brokers, utility companies, and telecommunications 
companies
 A covered account is an account used mostly for personal, 
family, or household purposes involving multiple payments or 
transactions. 
 Examples:  Credit card accounts, mortgage and automobile 
loans, cell phone accounts, utility accounts, checking and 
savings accounts.
What about Hospitals?
 Most believe hospitals fall under the rule's 
broad definition of creditor and have patient 
accounts that would fall within the broad 
scope of covered accounts.
 The definition of creditor drawn from the 
Equal Credit Opportunity Act (ECOA) 
includes anyone who defers payment for 
services rendered.
Healthcare Scenario
A patient comes to an HCP. The HCP 
collects information, including medical 
history, billing, and insurance info. The 
patient pays a co-pay, but is ultimately 
responsible for payment for services. The 
HCP provides services; later, the patient 
receives a bill (due upon receipt) for 
amounts unpaid by insurance. The patient 
never comes back to the HCP again.
What do I need to do?
 The Red Flags Rule and regulations require 
financial institutions and creditors to develop 
and implement a written identity theft 
prevention program
 The program must be approved in writing by 
the board of directors, an appropriate 
committee of the board, or a designated 
senior manager.
How much time do I have?
The original enforcement deadline of 
November 1, 2008 was suspended until 
November 1, 2009. 
3 Days from Today!
Building Your Red Flags Policy
Your program must contain reasonable
policies and procedures to:
 Identify relevant Red Flags for covered accounts and 
incorporate those Red Flags into the Program
 Detect Red Flags that have been incorporated into the 
Program
 Respond appropriately to any Red Flags that are 
detected to prevent and mitigate identity theft
 Ensure the Program is updated periodically, to reflect 
changes in risks to customers or to the safety and 
soundness of the financial institution or creditor from 
identity theft.
Identify Red Flags
Final ruling includes 26 examples (Supplement A)
of Red Flags that fall into these 5 categories:
1. Alerts, notifications or other warnings received from 
consumer reporting agencies or service providers
2. Presentation of suspicious documents
3. Presentation of suspicious personal identifying 
information
4. Unusual use of, or other suspicious activity related to, a 
covered account
5. Notice from customers, victims of identity theft, or law 
enforcement agencies
Example:  Consumer Reporting Agency Warning
Warning from consumer reporting agencies:
 Fraud Alert
 Credit Freeze 
 Notice of address discrepancy 
 Unusual pattern of activity such as:
 Significant increase in the volume of inquiries 
 An unusual number of recently established credit 
relationships
 A material change in the use of credit
Example:  Suspicious Documents
 Patient provides altered or forged documents
 Patient's appearance does not match the 
photograph or physical description on their ID
 Information on the documents is not 
consistent with information provided by 
patient or information you already have on file
Example:  Suspicious Personal Identifying 
Information
 Patient provided info is inconsistent when compared 
against external information sources
 SSN or address does not match what is listed in the consumer 
report
 SSN has not been issued, or is listed on the SSA's Death Master 
File. 
 Patient provided info is associated with known fraudulent 
activity as indicated by internal or third-party sources 
 The SSN, address or phone number on an application is the same 
as provided on a fraudulent application or submitted by other 
persons
 The address on an application is fictitious, a mail drop, or a prison
 The phone number is invalid, or is associated with a pager or 
answering service. 
Example:  Unusual Use of Account
 Unusual account activity: 
 Nonpayment when there is no history of late or missed 
payments 
 A material increase in the use of available credit 
 A material change in purchasing or spending patterns
 New credit accounts used in a manner commonly associated with 
fraud:
 Majority of available credit is used for cash advances or 
merchandise that is easily convertible to cash (e.g., electronics 
or jewelry)
 Customer fails to make the first payment or makes an initial 
payment but no subsequent payments.
 You are notified of unauthorized charges or transactions in 
connection with a customer's covered account. 
Example:  Notice From Consumer
You are notified by a customer, a victim 
of identity theft, a law enforcement 
authority, or any other person that you have 
opened a fraudulent account for a 
person engaged in identity theft.
Detect Red Flags
Your program's red flag detection procedures
may include:
 Verify identity of new customers
 Authenticate existing customers
 Monitor transactions
 Verify validity of address changes
Respond to Red Flags
Appropriate responses may include:
 Monitor accounts
 Contact customer
 Change passwords
 Close and reopen account
 Refuse to open account
 Don't collect on or sell account (against the true 
consumer)
 Notify law enforcement 
 No response is warranted
Red Flags Program Updates
You will need to update your program 
periodically based on factors such as:
 Your institution's experiences with identity theft
 Changes in methods of identity theft
 Changes in methods to detect, prevent, and 
mitigate identity theft
 Changes in your patient population and types of 
accounts
 Business arrangement changes such as mergers, 
acquisitions, alliances, joint ventures, and service 
provider arrangements.
Program Adaptability
The Program must be appropriate to the 
size and complexity of the financial 
institution or creditor and the nature and 
scope of activities.
Non-Compliance Penalties
 Compliance is monitored by the FTC and there 
are currently no criminal penalties for failing 
to comply with the Red Flags Rule.  
 However, financial institutions or creditors 
that violate the Rule may be subject to civil 
monetary penalties. 
 $3,500 per violation
Sample Policy
 See Red Flags Rule White Paper, co-authored 
by Experian and Hudson Cook, LLP
 http://www.bulldogsolutions.net/ExperianDecisionAnalytics/knowledgebase/RedFlagRule_FullWhitePaper.pdf
Address Discrepancy Rule
 Section 315 of the FACT Act: Rule on duties 
of users of consumer credit reports regarding 
address discrepancy notices received from a 
nationwide consumer reporting agency (i.e., 
Credit Bureau)
 This rule only applies to financial institutions 
or creditors that use consumer reports (i.e., 
credit reports)
Address Discrepancy Rule Cont'd
 Requires the CRA to send a notice of address 
discrepancy when it determines that the 
address provided substantially differs from 
the address the CRA has in the consumer's 
file. 
 Requires the creditor to put in place the reasonable 
policies and procedures that users of a consumer 
report should employ when they receive 
a notice of address discrepancy.
Address Discrepancy Rule Cont'd
Requires users to develop and implement reasonable 
policies and procedures to furnish a confirmed address 
for the consumer to the NCRA when the user meets 
these criteria:
 Can form a reasonable belief that the report relates to 
the consumer
 Establishes a continuing relationship with the 
consumer 
 Regularly, and in the ordinary course of business, 
furnishes information to the NCRA that provided the 
notice of address discrepancy.
Helpful Technology
SearchAmerica automatically flags significant
address, SSN, and name discrepancies.
Helpful Technology
SearchAmerica automatically flags fraud alerts.
Helpful Technology
SearchAmerica offers Red Flags Rule reports 
and analytics.
FTC Contact Info
Naomi Lefkovitz
Federal Trade Commission
redflags@ftc.gov
(202) 326-3058
http://www.ftc.gov/redflagsrule
Thanks for your time and attention.
Questions or comments?