Are the 26 Red Flags a Rx for Compliance?


Some have argued against focusing too heavily on the 26 Red Flags, pointing out that the Red Flags are neither prescriptive nor a checklist. I have to agree with this point. Following the 26 Red Flags myopically does not earn “special protection” from regulatory enforcement: covered entities must conduct a self-assessment and incorporate their previous experiences with identity theft. At the same time, covered institutions have a lot of flexibility in how they address the requirements of Red Flags. In my view a prescriptive approach is, without question, the best place to start in achieving good faith compliance with Red Flags.

The 59-page Federal Register regulation can be broken down as follows: 2 pages of title and signature pages; 35 pages of background and discussion of earlier proposals; and 22 pages of rules, which are in fact 6 virtually identical sets of rules, one for each of the agencies whose regulations are being modified or amended: OCC, FRB, FDIC, OTS, NCUA and FTC. So each agency’s rule runs about 3.5 pages. Within each agency’s rule are 3 sections and an appendix. The sections deal with (1) notices of address discrepancy, (2) identity theft, and (3) changes of address, and within these three sections is found the “must do” language of the regulation. Analyzing the FTC version, the address discrepancy section contains 3 “musts,” the identity theft section 11 “musts,” and the change of address section 2 “musts.” Everything else is “should do” or “may do” language. The appendix matters because the identity theft section ends by stating: “each [covered entity]…must consider the guidelines in Appendix A of this part and include in its Program those guidelines that are appropriate.” The seven guideline sections describe the categories of red flags but still do not contain the “26 Red Flags” themselves; those are left to a supplement of “may include examples” at the end of the appendix.

As with virtually all governmental regulations in our society, there are those who view these regulations as intrusive, illegal, too costly, bad policy or an ineffectual waste of time. This is evident from the extensive commentary discussed in the preamble. Besides good faith compliance with the rules, other coping mechanisms include malicious compliance, myopia (too narrow an application of a checklist), and cost minimization (doing the barest minimum to create the illusion of compliance). It is quite correct to observe that the 26 Red Flags are neither a checklist nor prescriptive (in the sense that once you have included them you have done enough). Under the regulation, however, covered entities “must…identify the relevant Red Flags for the covered accounts.”

Assuming the covered entity has chosen good faith compliance over the other coping mechanisms, it must “consider the guidelines in [the] appendix.” The word “consider” implies some sort of deliberation or analysis, which, in order to demonstrate compliance, should be documented to support definitive decisions. Within the supplement are offered the 26 Red Flags, which an entity “may consider incorporating into its program.” I argue that, given the list of Red Flags was once proposed by the regulators as a mandatory inclusion (based upon the identity theft experience as of 2007), it would be far easier, faster and less costly to start with the 26, reject any that are clearly inappropriate for the organization, add any others that the institution considers necessary, and close the list until the next review.

An additional benefit of this approach is in dealings with third party providers. The regulation requires covered entities to “exercise appropriate and effective oversight of service provider arrangements.” The 26 Red Flags are the only reasonable place to start in enforcing relevant controls on service providers (in addition, of course, to the rules about address discrepancies and changes of address). Covered entities are responsible for the compliance of the service providers who process their covered accounts. This means service providers must know the Red Flags and have appropriate procedures to detect and respond to them when they come up. Service providers might, in theory, maintain a separate custom list of Red Flags for each customer they service, but that would be an untenable situation for any real confrontation of identity theft. Service providers have to have a common (or nearly common) list, and covered entities should expect to pay extra if they levy additional custom Red Flags on their service providers.

While the 26 Red Flags are certainly not a checklist or prescriptive, they should be regarded as a highly effective “over the counter” inoculation against a red flags violation, to torture a metaphor. Covered entities should start with the 26 Red Flags, but should also review their operations for other red flags and include their own experience with identity theft to complete their Identity Theft Prevention Program.

---

(This is a virtually identical post to a post made on the LinkedIn Red Flags Forum on Saturday the 12th. It is included here because many Rook clients are following Red Flags but not everyone has access to the other forum, which is for customers of LinkedIn.)

Posted in: Insight on September 14th by janderson


2 Comments

  • Comment by Roberto — October 4, 2009 @ 04:08

    cool blog. this intel will be a big help. keep it coming!

  • Comment by Glerimma — October 11, 2009 @ 02:22

    Good work!
