Complying with the New Red Flag Rules: A Recipe for Success
By Thomas Oscherwitz, Vice President of Government Affairs, Chief Privacy Officer, ID Analytics
By November 1, credit issuers will need to be in compliance with major new Federal regulations designed to combat identity fraud. These rules are called the Red Flag Rules.
For the first time, all companies that issue credit now have enterprise-wide responsibilities to address identity theft risks. These businesses must address identity theft risks through every channel they use to communicate with consumers and for every type of customer credit account they maintain. In addition, companies must develop solutions to resolve the risks and keep their anti-fraud measures up-to-date as fraudsters' schemes evolve.
Understandably, the scope of these rules is daunting. To avoid compliance pitfalls, keep the following principles in mind:
- Compliance starts at home: Companies cannot simply paste in a vendor compliance solution and expect that they've met the rules. Companies must do a self-assessment of their unique identity theft risks.
- Start now, don't wait: Doing a meaningful risk assessment takes some time and can't be completed properly a week before the compliance deadline.
- Take credit for what you are already doing: Many companies have fraud prevention systems in place that can satisfy many of the Red Flag requirements.
- Companies are now accountable for the identity theft that happens on their watch: Data security has gone beyond protecting against corporate vulnerabilities and includes ensuring the identity security of customers.
- Build a Red Flag program for the long-term: Compliance systems must evolve along with evolving fraud threats. The regulators expect companies to have a program that can be regularly updated.
- Resolving Risks: Companies must not only identify risks, they must also resolve them, as cost-effectively as possible.
- Design a program sensitive to business processes: Poorly drafted compliance programs can interfere with the customer experience and slow business processes.
- Yes, you should care: Companies that fail to comply face penalties and other enforcement actions.
At the end of the day, while Red Flag Rules give companies extraordinary flexibility in designing their anti-fraud programs, companies must be able to demonstrate that their programs work. To do this, companies should: avoid systems that rely solely on manual flag reviews; test their analytical tools to ensure they can actually resolve flags in an operational environment; and design Red Flag programs so they can be easily updated.
Keeping the above principles in mind should get companies headed in the right direction.
First published on BankersOnline.com 10/13/08