After several false starts, the FTC has finally initiated enforcement of the Fair and Accurate Credit Transactions Act’s Red Flags Rule, and has placed the burden of policing identity theft activity squarely on the shoulders of both big and small businesses. However, the FTC may be the least of your concerns if you originate credit for an identity thief because attorneys across the country have been eagerly awaiting this dangerous and virtually impossible regulation. Your problem? Verifying the identity of your customer. If you don’t have required and accepted procedures in place to do so, it could cost you everything you’ve ever worked for.

Your Required Red Flags Rule Policy & Program

First, your operation must develop and implement a Red Flags Rule Policy which must include four required key elements in addition to other regulations and issues that must be addressed. To demonstrate the importance the FTC places on the Rule, your operation’s Board of Directors is required to approve your Red Flags Rule Policy and Program. For those operations without a board, a committee of senior management must approve the initial Program and monitor it on an annual basis.
But don’t be misled! Simply downloading a “template” from the internet might possibly get you off the hook with the feds, but it probably won’t suffice in litigation with an identity theft victim’s lawyer. Attorneys already view this regulation as a “cash cow”, and if one of your customers points the finger at your company because someone was using their identity unchallenged, rest assured the victim’s attorney will request your written Red Flags Rule Policy and documentation of required staff training. If you don’t have a Policy, or it is poorly written, the plaintiff will most likely allege a breach of duty to protect a consumer’s identity information, or in other words, “wilful non-compliance”, which is as bad as it sounds.

Required Staff Compliance Training

The Rule also requires your operation to provide formal Red Flags Rule compliance training for your staff… and be able to prove it! If your idea of “training” is nothing more than allowing your staff to read your Policy, that faint odor of diesel fuel you smell is from the bus about to run over you. Let’s be honest. The federal government is asking you to do the impossible to prevent identity theft. Your only defense, not if it happens, but when it happens, is that you have put forth a valid effort to prevent it from occurring.
In fact, virtually all compliance litigation, federal or civil, comes down to one basic question: “…did the business do everything within reason to prevent this illegal act from occurring, and if so, where is the proof?” Any attorney worth his pinstripes will tell you that there are two keys in a compliance litigation defense – periodic training and documentation. Your operation should train newly hired employees as part of their orientation, and all staff at least once a year, complete with documentation, in order to fend off the potential for enormous fines, penalties and jury awards.

The Identity Information Verification Process

The days of just making a copy of a consumer’s driver’s license as a premise for identity verification are over. Within the Red Flags Rule, there are 26 listed potential red flag risks that designated institutions must consider when performing a covered transaction. In theory, if any of these flags exist in the identifying information presented by an individual, your business must search outside third-party sources to confirm the identity of the person. The problem is that virtually all of these potential red flags are open to interpretation… in other words, a guess!
What one of your staff views as a red flag, another staff member may not, and therefore your well-intentioned effort to become compliant is undermined and may cost you. And if that isn’t enough to cause you concern, there’s the potential for allegations of bias or discrimination if you don’t perform the same identity verification process on each and every customer opening a new covered account. It’s not hard to imagine a plaintiff accusing your business of discrimination because you performed an identity verification scan on them because of their ethnic heritage, and not on most Caucasians. Picture an identity theft victim’s attorney ripping through all of your files in the discovery phase of litigation like a kid attacking presents on Christmas morning. For what purpose, you ask? How about the fact that you performed identity verification procedures on 80% of your minority applicants, but only 20% of the time for Caucasian applicants. The smart thing is to take the guesswork out of trying to interpret red flags in your customer’s identifying information by using a compliant identity verification scan, and while we’re on this subject, it may not be wise to rely on the one included in your client’s credit report.
The Rule requires identity verification from outside data sources, or as the Rule states: “… cannot be from information contained in a consumer credit report, or information generally contained in a wallet.”

Authenticating Your Customer’s Identity Through Challenge Questions

If you haven’t developed an involuntary twitch by now, this may put you over the edge. There is a difference between verifying the identifying information presented by an individual, and actually authenticating the identity of the individual presenting the information. For instance, the person applying for a loan may in fact be an identity thief providing you with stolen information. The remedy is to issue “Challenge Questions” to authenticate that the individual is in fact who they represent themselves to be. The questions should be framed in such a manner that only the individual whose identity is in question can answer, and in a timely manner. And again, according to the Rule, these questions cannot be formed from information contained in a consumer credit report or information generally contained in a wallet, but from outside data sources such as the SSN Verification Service, the SSN Death Master File, and state, federal, and global databases to verify DOB, all associated addresses, telephone number assignment, etc.
All of this could take an entire day for just one client, or perhaps it’s time to consider a compliant Identity Verification Service that also provides Challenge Questions. Either way, if you issue Challenge Questions on one, you should do it on all to distance yourself from allegations of bias and discrimination.

Your Lender Relationship

The Red Flags Rule charges your lenders with the responsibility of ensuring your compliance with the Red Flags Rule, and under the Rule, they may do so by contract. This gives your lender the right to inspect and audit your procedures at any time, and already brokers across the country have been denied services until they are deemed by the lender to be compliant.

Non-Compliance Fines And Penalties

The Federal Trade Commission has made it abundantly clear that compliance with the Red Flags Rule is not merely a suggestion, and has indicated they will employ “rolling enforcement” to ensure this regulation is not taken lightly. Assuming that “rolling enforcement” means unannounced investigations and audits, here’s what you can look forward to if you are found to be non-compliant:
- Federal fines for non-compliance are up to $3,500 per occurrence. In other words, if your business performs 1,000 non-compliant transactions in a year, the fine will be $3.5 million.
- Your state attorney general may be able to file class-action suits under “unfair and deceptive acts and practices” theories which usually permit both actual and punitive damages.
- You may be held responsible for actual losses of a victim ($92,893 average) if you can’t produce a substantial written Red Flags Rule Policy and documented proof of required staff training.
In Summary

It’s no secret the FTC intends to come down hard on non-compliant businesses in their rounds of “rolling enforcement”, but more importantly, private attorneys eagerly await your wilful non-compliance. The same hi-tech software that has proliferated to make businesses more efficient is also available to the identity theft criminal element to phony up driver’s licenses, tax records, utility bills, credit cards, etc., for the purpose of providing you with false identity information. It’s an impossible task to prevent identity theft – you know it, I know it, and the federal government knows it, and your only defense is to put forth your best effort to become compliant, and again, be able to prove it with documentation. Don’t make the mistake of thinking this regulation is impotent or will just fade away.
The drumbeat from consumers regarding identity theft grows louder each day, and surely more regulations will follow along with the horror stories of those institutions found to be non-compliant. Make sure one of those horror stories isn’t about you; the best chance for you to get it right is from the beginning.

NOTE: The content in this article is not providing legal advice and is intended as an initial resource guide only. Furthermore, the content is not intended to answer specific questions or suggest suitability of action in a particular case or circumstance. The author recommends the reader consult legal counsel for guidance regarding this compliance issue.