Guzzo the Contrarian

Out of curiosity, I conducted a little further investigation into identity theft after my previous post about Arizona’s Identity Theft Law, and I found something that piqued my interest.

Have you heard of the new “Reg Flag Rules” that were implemented at the beginning of this year? I know that I haven’t. It’s all new to me.

According to Wolters Kluwer Financial Services:

Final regulations implementing the Fair and Accurate Credit Transactions Act (FACT Act) identity theft prevention program provisions became effective on January 1, 2008. Known as the “Red Flags Rules,” this regulation requires financial institutions to develop and implement an identity theft prevention program to help protect account owners and your organization from the risk of identity theft. An ID theft program must be formally approved by the board and include policies for detecting and responding to red flags of ID theft.

Created by the FTC, Federal Reserve, and NCUA, the programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The official regulations can be found in the November Federal Register (pdf). However, Bankrate.com has a more concise and easier-to-read post about the red flag rules, what they are, and how they should benefit consumers.

The red flag rules are designed to fill the cracks in the system through which identity thieves could fraudulently pilfer the identities of others for their personal gain. There are 26 red flag triggers that financial institutions should incorporate in order to help prevent identity theft. If financial institutions should fail to follow their own mandatory written guidelines, and you experience losses because of such a failure, then those institutions could be held liable for your losses.

According to Experian (pdf):

While institutions are not required to implement any predetermined number of the 26 Red Flag examples, they should consider those that are applicable to their business processes, consumer relationships and risk levels.

In general, creditors should focus on identifying Red Flags for account openings, existing accounts and new activity on an account that has been inactive for two years or more. Some provisions of the guidelines are mandatory, including the following:

• Each institution must create, and keep updated, a written Identity Theft Prevention Program that outlines the steps it will take to detect and prevent identity theft.

• Institutions are required to confirm that the consumer reports they request from credit reporting agencies are related to the consumer with whom they are doing business.

• Institutions must review discrepancies in addresses.

While all the kinks still need to be worked out, IMO, the most important aspect of these rules are that they will hold financial institutions more liable in protecting our identities. Businesses tend to take these things more seriously when it could affect their bottom line. With increased liability comes better oversight, and eventually better consumer protection.

Of course, these new protections are a positive step in the right direction, but they’re not foolproof. Common sense dictates that we shouldn’t rely on them alone to safeguard our financial accounts and credit cards from identity theft. We still need to remain vigilant, pay attention to our bank and credit card accounts, use a good shredder, say three “Hail Marys” daily, and continue to check our credit reports regularly.