Will new rules stem identity theft?

By Bankrate.com

Identity thieves face tough going this year if they think pilfering your personal information will be a stroll through the park. Or at least that's what regulators hope.

This is because new "red-flag" rules aimed at impeding identity thieves are being phased in.

You've never heard of them? Join the crowd.

"There hasn't been a big consumer-education push," says Chris Hoofnagle, a senior fellow with the Berkeley Center for Law & Technology in California. "These rules are not well-known, even among consumer advocates."

Hoofnagle says the information is relatively scarce because the rules stem from a 2003 law that took five years to implement.

"There's been a lot of waiting," he says.

What are red-flag rules?

The rules push financial institutions to make sure people are who they say they are. Authenticating identities will be the name of the game. Red-flag rules stipulate that financial institutions and creditors establish a written program to "detect, prevent and mitigate identity theft in connection with the opening of certain accounts or existing accounts," according to a Federal Trade Commission report (.pdf file).

The rules offer more than two dozen examples of suspicious behavior that financial institutions and creditors should consider warnings.

The presentation of altered documents, a suspicious address change, a fraud alert on a credit report and other unusual account activities are among the red flags.

The idea is to prompt banks and creditors to go into "authentication mode" and determine whether fraudsters are trying to apply for credit in someone else's name or hijack someone else's accounts.

• Talk back: What's your identity-theft nightmare?

The rules stem from the Fair and Accurate Credit Transactions Act of 2003. Relevant financial institutions have until November to come into full compliance or be subject to penalties.

Proponents say the rules will standardize how credit-issuing entities respond to suspicious activities regarding your accounts.

"These rules for the first time provide a uniform road map for protecting customer information and preventing identity theft," says Sai Huda, the CEO of Compliance Coach, a San Diego company that provides red-flag-compliance software. "Before the rule, there was only an implied obligation on business to protect information."

Now financial institutions and creditors must update their programs periodically to handle new threats as they emerge.

To whom do the rules apply?

The Federal Trade Commission says financial institutions and creditors who "offer or maintain covered accounts" must implement a red-flag program.

So what exactly is a covered account?

"Red-flag rules apply to financial institutions and creditors like banks, credit unions, auto dealers, mortgage brokers, utility companies and telecommunications companies," says Pavneet Singh, an FTC spokeswoman.

Compliance Coach's Huda says you don't necessarily have to be an account holder for the rules to apply to you.

Credit reporting agencies are exempt from the red-flag rules, but at least one, Experian, is getting involved at some level. In February, Experian hosted a Web seminar on the rules and attracted more than 700 clients.

"We tried to make sure that all our existing and prospective clients understood what these red-flag rules meant," says Keir Breitenfeld, a senior product manager with Experian's Fraud & Identity Solutions. "We tried to do that educationally."

How will red-flag rules benefit you?

Red-flag advocates say that banks and creditors with sloppy fraud-prevention programs will eventually be exposed by litigation and negative publicity.

"The public disclosure of identity theft will create more of an onus for these companies to be up to par," Huda says. "Consumers will eventually benefit because of the higher standards."

Hoofnagle says the prospects of the agencies, such as the FTC and the Federal Deposit Insurance Corp., enforcing the rules combined with possible litigation "will involve some transparency of procedures."

Another added benefit is that employees may be more vigilant in spotting identity fraud.

Anita Marchion, the assistant vice president of regulatory compliance at Navy Federal Credit Union in Virginia, says the training of new recruits has been beefed up to include more focus on identity theft.

She says that the nation's largest credit union will be in compliance by the November deadline and that "members should have a comfort level knowing that we are taking extra steps to protect them from identity fraud."

Hoofnagle has been pushing for a ratings system for banks like the ones that measure vehicle safety. His 2006 study of ID thefts among financial institutions reveals a wide variance in frequency of customer complaints.

"You can go online and look at the crash test of your car and the rollover rating, and all this is available to consumers now," he says. "It wasn't available 40 years ago, but I think we will have a similar situation with banks."

Hoofnagle says the red-flag process is not foolproof. For example, financial institutions need to keep an eye on sales where affiliate marketing agreements come into play. When consumers apply for a credit card or cell phone contract, often the agreement's privacy policy will provide for the company's right to share your information with third-party affiliates that sell products. Hoofnagle believes some commissioned salespeople may have strong incentives to override the red flags.

He is also concerned that some banks may find ways to simply override authentication procedures.

"There has to be some counterweight to that problem," he says.

Heather Grover, a director of product management with Experian's Fraud & Identity Solutions, says there has to be some balance between the consumer's best interest and an organization's need to keep its defenses opaque to thieves.

"Fraudsters are students of their craft, and they'll really game the system as soon as they find the hole," she says.

Continued: Not all want the new rules

 1 | 2 | next >