Tuesday, July 28, 2009

Identity Theft 101: What is the Red Flags Rule?

This is a good article on the basics of the Red Flags Rule:

The Red Flags Rule is a U.S. federal law that requires most every business and organization to develop and implement an identity theft prevention program. The purpose of the identity theft prevention program is to authenticate the identity of customers to reduce incidences of identity theft. Authentication is required when a new financial or credit account is opened or when a change is requested on an existing covered account. The law covers consumer and business accounts.

The broad definitions of “covered account” and “creditor” include most every business and organization. If a business or organization accepts payment for products or services after they are delivered, they are a creditor under the law and must comply. Those that only accept payment prior to or upon delivery are not creditors regardless of how payment is accepted—cash, check or credit card.

Compliance is risk based, meaning that entities must implement a compliance program that is reasonable and appropriate to cover the risks the organization is likely to encounter. For most entities, especially small businesses, compliance is simple, straightforward and will prevent fraud and financial loss by assuring the entity is doing business with a legal person or legal business, and not with an identity thief.

The Red Flags Rule was enacted on January 1, 2008 under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), the first revision to the Fair Credit Reporting Act (FCRA). Compliance under the Red Flags Rule was effective on November 1, 2008 for those entities under the purview of any of five federal banking and credit union regulators (OCC, Federal Reserve System, FDIC, OTS, NCUA). Compliance is required as of August 1, 2009 for those entities regulated by the Federal Trade Commission (FTC).

The law requires that entities regularly conduct a risk assessment to determine if they have covered accounts and to determine if they have any other accounts for which there may be a reasonably foreseeable risk to identity theft. If there are, a written identity theft prevention program is required to describe how the entity will authenticate customers that open new accounts, change existing accounts and access accounts electronically. The program also requires top-level management support and oversight as well as regular risk assessments and program review.

The law gets its name from methods commonly used to authenticate the identity of customers. For example, if new customers are authenticated by requesting picture identification and the picture and description of the person do not bear any resemblance to the person presenting the identification, this is a red flag.

By Joe Campana, July 20, 2009


Monday, July 27, 2009

FTC's Red Flags Rule May Color Some Surprised

While many businesses are surprised to learn of the new Red Flag Rules, none seem more surprised than medical and dental practices - all of which are required to comply by the upcoming Aug 1 deadline.

Definition of 'creditor' expands impact of identity theft rule

WASHINGTON—The Federal Trade Commission next week begins enforcing a data safeguard rule that requires businesses to develop identity theft prevention programs, but observers say many organizations remain unaware the rule applies to them.

Under the FTC's Red Flags Rule that goes into effect Aug. 1, financial institutions and creditors are required to implement a program that identifies and detects warning signs of identity theft. Organizations also must have measures to safeguard data and respond to identity thefts.

“We are trying to get businesses to do their part,” said Manas Mohapatra, an attorney with the FTC in Washington.

Some 9 million U.S. residents' identities are stolen each year, which the FTC said has been its No. 1 consumer complaint the past three years.

A number of initiatives and state laws already address data and network security breaches, but the rule targets identity theft at “its point of origin” and “really picks up where data security leaves off,” Mr. Mohapatra said. “We think this is a more comprehensive fraud detection program.”

Under the rule, companies are required to have written procedures that recognize red flags when someone may be using another person's information. It will require employee training in identifying suspicious patterns or activities that point to fraud, Mr. Mohapatra said.

Organizations also must update their plan because the risks of identity theft and the methods of stealing personal information change rapidly, he said.

Since the rule was enacted in January 2008, the FTC said it has extended its enforcement deadline twice to give more preparation time. To help build awareness, it has held outreach programs through a variety of trade associations, yet observers say many organizations remain unprepared.

Part of the confusion is due to the FTC's broad definition of “creditor,” which includes just about any entity that defers payment for goods or services, observers say. The FTC says creditors can be finance companies, car dealers, health care firms, mortgage brokers, utility companies, telecommunications firms and nonprofits involved in financial transactions.

Experts say the rule extends to retailers, universities, real estate brokers and service providers who may not realize they are subject to the rule.

“Obviously, the financial institutions are on board, but other sectors are getting caught off guard,” said Nicholas Economidis, an underwriter with Beazley USA's technology, media and business service team in Philadelphia.

He said retailers that issue private-label credit cards are particularly confused. “They think that because they have a financial institution handling the accounts, that they have outsourced the exposure and therefore are not subject to the rules.” They are incorrect, he said.

Failure to comply with Red Flags could result in civil fines up to $3,500 per incident. “More importantly, the regulation opens up the door to a wave of potential negligence claims, and companies that fail to comply could be exposed,” Mr. Economidis said.

A number of high-profile, costly cases have boosted organizations' concerns about security and data breaches and many have taken risk-mitigation steps. But the new rule should be a wake-up call that companies need to re-evaluate their programs in order to comply, experts say.

To identify red flags, companies should evaluate their potential exposures and examine the types of accounts they offer or maintain, as well as how access is provided to the accounts. In addition, companies should use identity verification methods for anyone opening up a new account. This could include using a credit reporting company, data broker or the Social Security Number Death Master File, to compare information, the FTC said.

Some firms already may have some procedures in place that can simply be implemented into the program, such as a “know-your-customer rule,” Mohapatra said.

Combating data breaches and identity theft “actually has much more to do with human behavior than it does with technology,” said Mark Pribish, vp and identity theft practice leader with Phoenix-based consulting firm Merchants Information Solutions Inc. He said, with current or former employees often involved in such breaches, every business should consider using pre-employment screening.

Likewise, outsourcing is a risk and companies should review all provider contracts and include language to support security policies, he said.

Companies increasingly are turning to cyber liability and network liability insurance for additional protection, and observers say the Red Flags Rule likely will boost the market.

“We are seeing a huge uptick in both—people looking for coverage and people buying coverage,” said Bob Parisi, national leader for the Tech/Telecom E&O and Network Risk practice at Marsh Inc. in New York.

Data security breaches can be costly. Last year, companies that experienced a data breach paid an average $202 per record compromised, according to the Traverse City, Mich.-based Ponemon Institute L.L.C.

FTC guidance on the Red Flags Rule is at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf.

by: COLLEEN MCCARTHY, www.businessinsurance.co

Amid Anxiety, Red Flag Rules Take Effect

The Red Flag Rules take effect later this week. To date, a survey conducted by i-Comply - the leading provider of compliance tools for physicians - has revealed that more than 65% of all physician practices have yet to take any steps towards Red Flag compliance, although 95% say they will be in compliance by the end of the week.

The Federal Trade Commission’s compliance deadline for its so-called Red Flag Rules has finally arrived, requiring banks and other creditors to have written programs in place to find, stop, and mitigate theft of consumers’ personal data.

The rules formally go into effect Aug. 1, after a three-month extension to give companies more time to find their compliance footing. Still, experts say, many companies are struggling to understand whether they fall under the new rules’ jurisdiction, and how to nail down basic compliance procedures.

One of the most nettlesome questions is who fits the definition of a creditor under the rules, according to Randy Green, a principal with Grant Thornton, who spoke on the Red Flag Rules during a July 23 Webcast.

The rules clearly identify “financial institutions” as entities that offer accounts that let consumers write checks or make payments to third parties through other means, such as telephone transfers. A “creditor,” however, is any entity that regularly extends or renews credit or arranges for others to do so. That could be an auto dealership that provides financing; a doctor’s office billing someone’s co-payment; retailers offering store-only credit cards; or any number of other businesses not in the financial sector per se.

“The bottom line is that the Red Flag Rules apply to many different types of organizations, and it’s important to note that the rule will apply to all covered entities regardless of size,” Jay Brietz, a senior manager at Grant Thornton, said during the same Webcast.

And compliance officers should understand the difference between Red Flag Rules and other data protection rules. Nick Economidis, an underwriter of data privacy risks at the insurance firm Beazley, says most data protection rules aim to prevent sensitive data from exiting out “the back door” of a company when hackers steal it. In contrast, the Red Flag Rules seek to stop imposters at “the front door” when they walk into a store with already-stolen data, posing as someone else.

Best Practices

Regardless of a company’s current preparation, denial is not a good idea, Green said. “As we are all aware, the bad guys are coming out with new techniques to use stolen identity way faster than anybody can write a regulation,” he said. “Don’t expect that this thing is just going to go away.”

As always, start with a risk assessment—and specifically begin by reviewing how many accounts (both new and old) fall under the rules’ jurisdiction. Brietz recommends asking the following questions: How are customer accounts obtained and maintained? How are new accounts set up? Do people submit a form in person, over the phone, or online?

Also remember that not all credit card purchases are considered covered transactions, unless you can reasonably foresee the transaction leading to identity theft, Green said. The FTC has released a template to help entities that have a low risk of identity theft (businesses that know their customers personally, for example) to comply with the law.

From there, if you know the number of covered accounts you have and then identify all the places those covered accounts can be touched, “that will give you an idea of the places you’re going to need to have controls,” Green said.

Those possible control-points will also help controllers or internal auditors “if there are reasonably foreseeable risks that exist,” Brietz said. For example, asking for a Social Security number could allow someone to use the number of a deceased person; or after asking for an applicant’s home address, the applicant might then immediately change it to another.
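The two passages above (the FTC's suggestion to compare applicant data against a consumer reporting agency or the Social Security Number Death Master File, and Brietz's examples of a deceased person's SSN and an address changed immediately after application) describe red flags that can be checked mechanically at account opening. The following is an added example, not code from any of the articles quoted here or from the FTC: it screens constructed account-opening records against four such flags. The deceased-SSN set stands in for a Death Master File lookup, the 30-day address-change window is an assumed threshold, and the record fields and function names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# Constructed stand-in for a Death Master File lookup. A real program would
# query the SSA file or a vendor; these values use the never-issued 000 area
# number so they cannot collide with a real person's SSN.
DECEASED_SSNS: Set[str] = {"000-12-3456", "000-98-7654"}

# An address change this soon after opening is treated as a red flag.
# The window is an assumption for this example, not a value from the rule.
ADDRESS_CHANGE_WINDOW_DAYS = 30


@dataclass
class AccountOpening:
    """One account-opening event as an intake desk might record it (hypothetical schema)."""
    account_id: str
    ssn: str
    opened_on: date
    photo_id_matches: bool            # clerk's judgement when comparing the ID photo
    credit_report_fraud_alert: bool   # fraud alert returned by a consumer reporting agency
    address_changes: List[date] = field(default_factory=list)


def normalize_ssn(ssn: str) -> str:
    """Return the dashed form so '000123456' and '000-12-3456' compare equal."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        return ssn  # leave malformed input untouched; it will simply not match
    return f"{digits[0:3]}-{digits[3:5]}-{digits[5:9]}"


def red_flags(event: AccountOpening) -> List[str]:
    """Return the list of red flags raised by one account-opening event."""
    flags: List[str] = []
    if normalize_ssn(event.ssn) in DECEASED_SSNS:
        flags.append("ssn_of_deceased_person")
    if not event.photo_id_matches:
        flags.append("photo_id_mismatch")
    if event.credit_report_fraud_alert:
        flags.append("consumer_report_fraud_alert")
    # Flag an address change that lands within the window after opening.
    for change in event.address_changes:
        if 0 <= (change - event.opened_on).days <= ADDRESS_CHANGE_WINDOW_DAYS:
            flags.append("address_changed_shortly_after_opening")
            break
    return flags


def screen(events: List[AccountOpening]) -> Dict[str, List[str]]:
    """Map each account id to its red flags; an empty list means no flag raised."""
    return {e.account_id: red_flags(e) for e in events}


# Constructed sample intake records for the example.
SAMPLE_EVENTS = [
    AccountOpening("A-1001", "123-45-6789", date(2009, 7, 1), True, False),
    AccountOpening("A-1002", "000123456", date(2009, 7, 2), True, False,
                   address_changes=[date(2009, 7, 5)]),
    AccountOpening("A-1003", "987-65-4321", date(2009, 6, 1), False, True,
                   address_changes=[date(2009, 7, 20)]),
]

if __name__ == "__main__":
    for account_id, flags in screen(SAMPLE_EVENTS).items():
        print(account_id, flags or "no red flags")
```

Each flag maps to a control point named in the text (ID check at the desk, consumer-report lookup, SSN lookup, address-change monitoring), so the output of `screen` is also a record of which control fired, which is the kind of documentation the "Document the program" step below asks for.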

Once you see where the gaps and risks are, you can develop a plan to address them, Brietz said. The bad news: “There really isn’t going to be a one-size-fits-all plan to this.”

Other important steps to take for effective compliance:

  • Get your board up to speed. A compliance report should be delivered to boards at least annually, Green said.
  • Re-evaluate your plan annually. That means recognizing what new types of identity theft threats have emerged, Green said. Perhaps some innovative new scheme has emerged; perhaps your business has changed (via a merger, for example), and that has created new holes your plan must fill.
  • Have the appropriate skills. “This regulation is going to cover more than just your internal audit group,” Green warned. Experts from the legal, financial, IT, and other departments should all be versed in the effort.
  • Train. With so many different people involved, don’t underestimate the training efforts that will need to be involved. Employees should be trained on what to look for and how to treat it, Green said.
  • Document the program. The FTC does not spell out any specific recordkeeping, so put yourself in the shoes of the FTC investigator. “What level of reporting would you be comfortable in showing them?” Green said. “That’s probably the best way to think about it.”

Legal Ramifications

Companies must also be wary of any “big event,” Economidis says—anything newsworthy that causes damage to a company’s reputation, or sparks both state and federal investigations. Those events attract the attention of plaintiff lawyers, he warns. “I don’t think a lot of these companies realize that these new government regulations increase their exposure to negligence claims.”

And because the legal consequences of non-compliance can be serious, watch how courts will enforce Red Flag violations, said Peter Vogel, a partner at the law firm Gardere Wynne Sewell, who also spoke during the Webcast. “When we evaluate how courts and judges evaluate each instance of non-compliance, it will give us more information about what we need to do to maybe modify our plans,” he said.

By Jaclyn Jaeger — July 28, 2009, www.complianceweek.com

Coming Soon to a Doctor's Office Near You: Photo ID Check

Elena Castro was finishing the paperwork to buy her first home when the bank called to warn her of a problem: nearly $10,000 in unpaid hospital bills on her credit report. The charges were for several ear, nose and throat procedures done at hospitals in her region.

But they weren’t for her. And, at the time, Castro was an insured medical student. The charges had been quietly festering for several years, the bank told her, eating away at her credit score.

"It was very, very upsetting and overwhelming. We were about to get married and buy our first home," she remembers. Castro soon discovered that a thief had used her personal information to obtain medical care.

Armed with as little as a stolen name, Social Security number and date of birth, an imposter can walk into a doctor’s office or hospital and receive services billed to the victim or the insurance provider.

Although few statistics are available, the Federal Trade Commission reports that medical identity theft accounts for 1.3 percent to 3 percent of all identity theft crime -- about 250,000 cases each year.

The FTC hopes to address a part of the problem with a new regulation called the "Red Flags Rule," set to take effect on August 1. The rule would require physicians’ offices and hospitals, among other businesses, to create new protocols to spot the "red flags" of identity theft. These could include detecting fake or altered IDs, inconsistencies in a patient’s medical records or fraud alerts from consumer reporting agencies.

Doctors are not only required to implement procedures, such as checking a photo ID, that allow them to detect these warning signs effectively but also to spell out what they'll do when they find something fishy. Physicians would likely plan to alert the victim and avoid sending out a bill for services.

But medical provider groups, including the American Medical Association, insist the rule is misguided.

Their reasoning, in part, comes down to the actual language of the law. The statute specifies that all "creditors" – which are defined as businesses that regularly extend or renew credit – are required to implement the new protocols. That includes auto dealers, lawyers, utility companies and, according to the FTC, any physician’s office or hospital that accepts insurance or allows a payment plan.

The AMA and nearly 100 other physicians groups argue in letters to the FTC that while doctors defer payment for services, they are not creditors. One of the letters says the rule imposes an "unjustified, unfunded mandate on physicians" and could have "serious adverse consequences" on patients’ access to health care.

Dr. Ardis Hoven, an AMA board member and infectious disease specialist in Lexington, Ky., believes the rules "add another degree of regulatory burden for physicians and patients to a system that’s already burdened with responsibilities."

Although the AMA recognizes the problem of medical identity theft, Hoven said her worry is that the regulations could "severely impact" a doctor’s administrative work load. She is also concerned about the rule’s effect on patients: "In my practice, patients arrive acutely ill. The last thing I want is my patient to be detained at the check-in desk when they’re having acute medical problems."

Although Elena Castro, now an emergency room doctor, was a victim herself, she worries that it will also make doctors' practices more difficult. "It may be worth it if it prevents situations like mine, but we already do a ton of paperwork," she says.

Betsy Broder, who oversees the FTC’s Red Flags program, says patients shouldn’t notice much of a difference at the doctor’s office. They might be asked to show a photo ID when they arrive, but most of the changes will affect doctors behind the scenes.

She also notes that the extent of the policies a physician would need to put in place depends on the risk of identity theft at each particular office. A small office with a regular patient base, for example, is less likely to confront an imposter than an office that receives many walk-ins.

The ‘red flag’ regulations, which were developed under the Fair and Accurate Credit Transactions Act of 2003, actually went into effect on November 1, 2008. But beginning August 1, penalties will kick in. Creditors - including doctors or hospitals - could be slapped with a $3,500 fine for each "knowing violation" of the rule.

Broder says the FTC will monitor consumer complaints to look for any patterns of theft at a particular office to pursue investigations. But she adds that "at this early stage, we will be looking for good faith efforts at compliance."

Pam Dixon, executive director of the World Privacy Forum, says "the health care sector is where the financial sector was 10 to 15 years ago." As cost and incidence data emerged, officials in the financial sector realized they needed to take action. She believes the new protections are well worth the obligations the rule imposes.

"Ultimately it’s in the providers’ best interest to work on resolving this problem earlier than later," she says, adding that aside from being one of the most expensive forms of identity theft, the medical variety also is one of the most difficult types to remedy because a victim’s medical records can be nearly impossible to clear.

Elena Castro's fraudulent medical records under her social security number still remain in hospital files. And it's taken her years to completely clear her credit report. "It was very frustrating and a waste of my time," she says.

Theresa Fleming, another victim of medical identity theft in which a thief used her social security number to access emergency medical care, says she has called the hospital repeatedly to get her record expunged. "I felt so violated, it just feels so eerie," she says. "After you get this, you get very leery about everything."

Thursday, July 16, 2009

Red Flag Toolkit for Physicians

The FTC requires all physician and dental practices to have completed "Red Flag Rule" procedures in place by August 1, 2009. Join thousands of other doctors and dentists in purchasing our cost-effective Red Flag Rule toolkit - bringing your practice into immediate compliance for only $79. What are you waiting for?

i-Comply's Red Flag Toolkit is specifically designed to be the ONLY solution your practice needs to be in compliance with the FTC regulations. While some companies offer extremely complex, expensive subscriptions or CD-ROM packages costing $500-$1000 per year or more, we think that is just exploiting the situation. The reality is that the FTC requires medical and dental practices to have a straightforward written policy for their office, and to have procedures in place to identify and mitigate identity theft. Our solution does just that, at a fraction of the price and requiring almost no effort or time from your practice.

Wednesday, July 15, 2009

FTC Red Flag Rule Guide

The FTC has published a guide to their Red Flag Rules. If you're interested in developing your own program, this guide is instrumental. For the average practice manager, you should expect to devote between 25-40 hours to properly develop your own Red Flag Policy and training program.