FTC Now Requires Organizations to Have an Identity Theft Prevention Program

Did you know that if you are a U.S. financial organization, *AND/OR* if you have information about your U.S. customers with which identity theft could occur, you are now legally required to have a documented Identity Theft Prevention Program to help prevent identity theft in connection with new and existing accounts?


Yesterday (10/31) the FTC issued the final rules on what organizations must do to prevent identity theft.

“The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:
* Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;
* Detect red flags that have been incorporated into the Program;
* Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
* Ensure the Program is updated periodically to reflect changes in risks from identity theft.
The agencies also issued guidelines to assist financial institutions and creditors in developing and implementing a Program, including a supplement that provides examples of red flags.
The final rules also require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.”

You can find a copy of the final rule, a 256-page document, here.
Don’t let the size of the document scare you away; there is much white space and the font is large. 🙂
The document has some great guidance. Use it to create your formal identity theft program. Use it within your information security and privacy training sessions for the folks handling, or with access to, personally identifiable information (PII).
Incorporate digestable chunks of information within many ongoing awareness communications about how to spot identity theft red flags. Too many organizations issue a huge, multi-page communication once a year, which most personnel do not even try to start wading through. To get your personnel to read your awareness messages, make them short and interesting…with information that relates to their job responsibilities, or to them personally.
As an example, here is an excerpt from the final rule regarding some identity theft red flags:

“Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.”

This shows 7 red flags for suspicious account activity. You could target your business units that process customer information, and that have direct contact with customers, for receiving targeted training for these red flags, followed by ongoing awareness communications about these red flags.
You could provide a short computer-based training session, or better yet, a webinar or classroom training, to allow for questions and answers from your learners. You could provide this training within a 15- to 30-minute time period. Follow-up the training with ongoing awareness messages, each about one of the red flags. You could provide one awareness message each week or two, along with examples that would be explicitly applicable to your organization.

Tags: , , , , , , , , ,

Leave a Reply