To protect consumers, the US government has identified 5 categories of identity theft red flags and a total of 26 specific red flags as part of the Red Flags Rule regulation, to help businesses detect and prevent identity theft in their day-to-day business operations. The Red Flags Rule requires companies to establish a formal identity theft prevention program that addresses how the business identifies, detects, and responds to identity theft red flags. The 26 identity theft red flags offer guidance to businesses for identity theft prevention.
What are Identity Theft Red Flags?
Identity theft red flags are suspicious patterns, practices, and activities that indicate the possibility of identity theft. For example, if a customer offers a unique identifier such as a social security number (SSN) and that SSN is already used by another customer, it is potentially a strong red flag or indication of possible identity theft. A personal document that looks fake may also represent a potential identity theft red flag.
Purpose of Identity Theft Prevention Program
The main requirement of the Red Flags Rule is the establishment of an identity theft prevention program. The purpose of an identity theft prevention program is to develop policies and procedures for the following 4 areas:
- Identify identity theft red flags with a risk assessment to document how identity theft may occur in your daily business operations
- Detect the identified red flags
- Prevent identity theft after the red flags are detected
- Update the identity theft prevention program to address new threats
Once the program is developed, it is extremely important to train the appropriate staff to become familiar with the program, identity theft threats, and steps to be taken.
Who Should Comply
All financial institutions and creditors must comply with the Red Flags Rule. The Red Flags Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or a person that, directly or indirectly, holds a transaction account belonging to a consumer.
5 Identity Theft Areas under the Red Flags Rule
The Red Flags Rule lists 26 specific red flags under the following 5 general categories that companies must identify to detect identity theft. These categories provide guidance and direction to help businesses focus on sources of useful information for identity theft prevention:
- consumer reports
- identification documents and information
- address discrepancy notices
- suspicious address changes, and
- warning notices received from customers and other sources.
26 Identity Theft Red Flags
The Red Flags Rule regulation lists 26 specific identity theft red flags that companies should consider as part of their identity theft prevention program and training. These identity theft red flags are not only important for compliance with the Red Flags Rule, but they also form the basis for identity theft risk assessment and prevention. Companies should consider these 26 identity theft red flags in their risk assessment process and select the ones that apply to their unique business for developing the identity theft prevention program and employee identity theft training.
- Consumer report fraud alerts must be considered as a possible identity theft red flag.
- Notice of a credit freeze in response to a request for a consumer report is a potential red flag because a consumer who placed a credit freeze is less likely to apply for credit.
- Unusual credit activity, such as an increased number of new accounts or inquiries and spending, appears in the credit reports.
- Identification documents provided by the customer appear altered or forged.
- Photograph on ID card is inconsistent with the appearance of the customer present.
- Information on ID card such as name or address is inconsistent with information provided by the person opening account.
- Information on ID card is inconsistent with information on file in the organization.
- Application appears forged, altered and reassembled.
- Personal information is inconsistent across multiple sources.
- There is a lack of correlation between the social security number range and the date of birth.
- Personal information is associated with known fraud activity and cases.
- A suspicious address or other suspicious information is supplied, such as a PO Box, prison, or phone numbers associated with an answering service.
- Social security number provided matches social security number submitted by another person opening an account or existing customer.
- An address or phone number matches information provided by other applicants and customers.
- The person opening the account is unable to supply additional identifying information in response to incomplete applications.
- Personal information is inconsistent with information already on file at financial institution or creditor.
- An existing customer is unable to correctly answer challenge questions.
- Shortly after change of address, creditor receives a request for additional users for the account.
- A consumer reporting agency provides a notice of address discrepancy.
- Most of available credit is used for cash advances, jewelry or electronics, and customer fails to make first payment.
- Drastic change in payment patterns, use of available credit or spending patterns.
- An account that has been inactive for a long time suddenly becomes unusually active.
- Mail sent to the customer is repeatedly returned as undeliverable despite ongoing transactions on the account.
- Financial institution or creditor is notified that customer is not receiving paper account statements.
- Financial institution or creditor is notified of unauthorized charges or transactions on customer’s account.
- Financial institution or creditor is notified that it has opened a fraudulent account.