Written by Mark Sisco, as originally published in The Reverse Review.

 The Red Flags Rule is enforced by the Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration. The Red Flags Rule, in effect since January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent crime, and mitigate the damage it inflicts. By identifying red flags in advance, businesses will be better equipped to spot suspicious patterns when they arise and take the necessary steps to prevent a red flag from escalating into a costly and hurtful episode of identity theft.

The Red Flags Rule protects those on all sides of the equation and describes how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Program. Now more than ever, we as an industry need to embrace these regulations to weed out the undesirables that prey upon seniors. Remember, fraud comes from all areas, including those that it is set up to protect. Just because they are seniors does not mean they are all honest. The same goes for lenders and brokers/TPOs, and here is where negative situations can arise. The larger the company, the better chance of fraud within its organization, whereas the smaller company can go undetected. Remember fraud can come from within the institution as well as outside the institution and is all around us, more than 9 million Americans’ identities are stolen each year.

Determining Who Must Comply With the Red Flags Rule

The Red Flags Rule applies to financial institutions and creditors. The rule requires you to conduct a periodic risk assessment to determine if you have covered accounts. If you have covered accounts you will need to implement a written agreement. The program must be designed to prevent, detect and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones. Your program must be appropriate to the size and complexity of your business or organization and the nature and the scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive program.

How to Comply: 

First, your program must include reasonable policies and procedures to identify the red flags of identity theft you may come across in the day-to-day operations of your business. Red flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company and presents an ID that looks like it might be a fake, that would be a red flag for your business.

Second, your program must be designed to detect the red flags you’ve identified. For example, if you identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

Third, your program must spell out appropriate actions you’ll take when you detect red flags.

Fourth, your program must address how you will re-evaluate your program periodically to reflect new risk from this crime.

Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule sets out requirements on how to incorporate your program into daily operations of your business. Your board of directors (or a committee of the board) has to approve your first written program, or in the case of a TPO your acting lender and FHA will be the one to approve. If you do not have a board, approval is up to the senior-level employee. Your program must state who’s responsible for implementing and administering it effectively. Because your employees have a role to play in preventing and detecting identity theft, your program must also include appropriate staff training. If you outsource or subcontract parts of your operations that would be covered by the rule, your program must address how you’ll monitor your contractors’ compliance.

The Red Flags Rule allows you the flexibility to design a program appropriate for your company in regards to its size and potential risk of identity theft. While some businesses and organizations may need a comprehensive program that addresses a high risk of identity theft in a complex organization, others with low risk of identity theft could have a more streamlined program.

In my opinion, you must be aware that your program addresses all areas of concern. As more approved FHA lenders entertain the TPOs in the wholesale arena, make sure you abide and do your part in the elimination of fraud within and outside your organization.