Identifying Identity Theft: Complying With the New Red Flag Regulation | Compli.com

Tuesday, July 1, 2008
Kelly Faehr
Originally published in Dealership Flash, a Crowe Chizek and Company LLC publication, July 2008. All rights reserved

By Kelly L. Faehr, CPA

Identity theft has cost Americans an estimated $15.6 billion in losses in recent years. To help combat this growing epidemic, a new red flag regulation has been passed to protect consumers. Author Kelly Faehr details what is required of dealers to comply with the new regulation and how the requirements affect the dealership industry.

Along with financial institutions and other creditors regulated by the U.S. Federal Trade Commission (FTC), dealerships face a new regulation to prevent and detect identity theft. To avoid potentially hefty fines and penalties, dealers need to take note of the Identity Theft Red Flags and Address Discrepancies regulation that takes effect on Nov. 1, 2008, and modify their systems and practices accordingly.

Regulatory Requirements
In November 2007, the FTC and federal financial institution regulators issued final rules and guidelines for implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), which includes the red flag regulation. Section 114 requires financial institutions, defined to include motor vehicle dealers, and other creditors to develop and implement a written identity theft prevention program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts, often referred to as "covered accounts." Dealers must also institute a program to review their identity theft program regularly to update or modify it as needed.[1] Section 315 of the FACT Act provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.[2]

Under the new regulation, dealers must implement an identity theft program that identifies, detects, and reacts to red flags raised to indicate identity theft. The new rules will require dealerships to automate as much of their compliance activity as possible and will require constant training of sales and finance and insurance personnel.

Previous regulations, such as the Gramm-Leach-Bliley Act of 1999 and other information security guidance, sought to safeguard information. The new regulation tackles identity theft from a different angle: It assumes that a criminal has already obtained consumer information and is now attempting to use that information.

Dealerships are bound by the new regulation because they are considered creditors based on the products and services they provide. Also, since covered accounts include accounts created to permit multiple payments or transactions, sales of vehicles financed through a retail installment sales contract are covered by the regulation.

Instituting an Identity Theft Prevention Program
Some of the safeguards required to comply with the new regulation might already be in place at some dealerships. For example, your employees may already verify an applicant’s address against consumer reports. For many, however, the task could be cumbersome and costly: Systems will need to be implemented to train employees so they are able to recognize pertinent red flags and take appropriate action; automate as many compliance functions as possible; generate annual reports; and review at least annually the effectiveness of the current system and identify areas that need to be updated or modified.

A dealership’s identity theft prevention program must be appropriate to the size and complexity of the dealership. The larger your business and the more employees who work with credit applicants, the more detailed your program will need to be. Program policies should ensure that the dealership is prepared to:

  • Review red flags and identity-theft-prevention practices already incorporated into the dealership’s program;
  • Identify relevant red flags that might arise in the course of a transaction with a buyer;
  • Respond appropriately to any red flags that are detected; and
  • Periodically update the program (including which red flags are considered relevant) to reflect changes in risks to customers and to the safety and soundness of the dealership from identity theft.

A dealership must also designate a person to serve as its program’s manager. This person will be charged with regularly monitoring the effectiveness of the dealership’s program, new trends in identity theft, and any updates in the regulation, and will need to modify the dealership’s program accordingly. The program manager must also generate annual reports on the program’s effectiveness.

Red Flag Requirements
A red flag – a pattern, practice, or specific activity that indicates the possibility of identity theft – falls into one of five categories:

  • Alerts, notifications, or other warnings received from consumer reporting agencies or service providers;
  • The presentation of suspicious documents;
  • The presentation of suspicious personal identifying information;
  • Unusual use of or suspicious activity related to a covered account; and
  • Notices from customers, victims of identity theft, law enforcement authorities, or others regarding possible identity theft in connection with covered accounts.

The red flag regulation includes guidelines that offer a list of 26 types of red flags and instructs organizations to review activity for signs of these flags. These guidelines include how to identify relevant red flags, typical scenarios in which identity theft is more likely to occur, how to detect the existence of red flags, steps to take to prevent or mitigate identity theft when a red flag is detected, and how to update the program to keep it current. Some examples of red flags as noted by the FTC include:

  • Verifying that the date of birth and Social Security numbers provided by a customer match the accepted ranges;
  • Verifying that the address provided by a consumer during a credit transaction matches the consumer’s address provided to the dealer by consumer credit reporting agencies;
  • Determining whether a customer’s address, Social Security number, or phone number is the same as that submitted by other credit applicants; and
  • Determining that personal information submitted by a customer is not consistent with information already on file for that person.

Once a red flag has been detected, the dealership is required to take action. The regulation lists nine possible actions that could be appropriate when a flag or flags are triggered:

  • Monitoring a covered account for evidence of identity theft;
  • Contacting the customer;
  • Changing any passwords, security codes, or other security devices that permit access to the covered account;
  • Reopening a covered account with a new account number;
  • Not opening a new covered account;
  • Closing an existing covered account;
  • Not attempting to collect on a covered account or not selling a covered account to a debt collector;
  • Notifying law enforcement; or
  • Determining that no response is warranted under the particular circumstances.[3]

Processes should be in place for taking each of these actions, including how to determine which action is appropriate; how to notify dealership management of the red flag and action being taken; what steps must be taken to follow through on a particular action; and how to document the entire process so the program manager can include the incident in the reporting.

Balancing the Challenge
Owing to the number of flags and the volume of potential transactions in which these flags might be found, the challenge for most dealers can seem daunting. Particularly challenging will be balancing consumer expectations of quick responses when processing transactions against the need to comply with the regulations and the processes you’ve developed. In the long run, however, growing awareness of identity theft among the general public means that your customers are demanding that their personal and financial information be secure. It is hoped that customers will understand if purchasing a vehicle takes longer than usual because you are working diligently to protect their information.

By Nov. 1, 2008, dealers will need to be able to prove they are doing their part to help counter identity theft by having a program in place to comply with the red flag regulation. Complying with the new regulation will not only safeguard your dealership from penalties and criminal action; it will help maintain your business’s reputation as well.

Kelly Faehr is an executive with Crowe Chizek and Company LLC in the Indianapolis office. She can be reached at 317.706.2737 or kfaehr@crowechizek.com.

[1] Federal Register, Volume 72, No. 217, Nov. 9, 2007, Rules and Regulations, www.occ.treas.gov/fr/fedregister/72fr63718.pdf, p. 1.
[2] Ibid.
[3] Ibid., p. 39.