(FACTA) Red Flag Rules
I. PURPOSE
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is intended to ensure the confidentiality, accuracy, relevancy, and proper use of credit information by consumer reporting agencies as well as to ensure that financial institutions and creditors implement practices designed to detect, prevent, and mitigate identity theft.
II. HISTORY
In 1968, Congress enacted the Consumer Credit Protection Act to safeguard consumer credit. This act was amended in 1970 by the Fair Credit Reporting Act, which regulates the use and dissemination of information from consumer reporting agencies (persons that regularly engage in assembling or evaluating consumer credit information and that prepare or provide consumer reports). In 2003, FACTA amended the Fair Credit Reporting Act to include rules to protect consumer credit information and reduce identity theft. FACTA regulations were finalized in 2004. In 2008, the Federal Trade Commission and other relevant agencies adopted additional FACTA rules known as the Red Flag Rules. Red flags are patterns, practices, or specific activities that indicate the possibility of identity theft. The Red Flag Rules, which require creditors to implement identity theft prevention measures, were amended in 2010 and again in 2013 to expand their coverage.
III. APPLICABILITY TO BYU–Hawaii
FACTA applies to creditors and financial institutions (hereafter “Institutions”) that handle covered accounts. Creditors are persons who regularly extend, renew, or continue credit, and who
- obtain or use consumer reports;
- furnish information to consumer reporting agencies in connection with credit transactions; or
- advance funds to or on behalf of a person, based on that person’s obligation to repay the funds.
A covered account is an account maintained or offered by an Institution that permits multiple payments or transactions or presents a risk of identity theft to customers or to the soundness of the Institution.
BYU–Hawaii satisfies the definition of “creditor” because it offers loans to students. These loans are considered covered accounts. As a result, BYU–Hawaii must comply with FACTA requirements, including the Red Flag Rules.
IV. REQUIREMENTS
Institutions that offer or maintain covered accounts must establish programs to identify and assess red flags.
A. Periodic Identification of Covered Accounts
Institutions must periodically determine if they offer or maintain covered accounts by reviewing methods for opening and accessing accounts as well as previous experiences with identity theft.
B. Identity Theft Program
Institutions must develop and implement identity theft prevention programs for new and existing covered accounts. These programs should be tailored to their individual needs but must include procedures to
- identify relevant red flags;
- detect red flags;
- respond to detected red flags to prevent and mitigate identity theft; and
- update the program periodically to reflect changes in identified risks and incorporate detected red flags.
The Institution’s program must
- be approved and managed by its board of directors or senior employees,
- include appropriate staff training to effectively implement the program, and
- provide for oversight of any service providers.
C. Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
The regulations include a list of guidelines that an Institution “must consider” in determining how to implement the Red Flag Rules. These guidelines are known as the Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation. Highlights from these guidelines are outlined below.
1. Program Structure, Updates, and Administration
Institutions may incorporate existing programs, policies, and risk controls into their identity theft prevention programs. Institutions are required to periodically update their programs to reflect changes in risks based on previous incidents of identity theft, the types of accounts the institution offers, or the methods of identity theft and identity theft prevention. Institutions that contract with service providers in connection with their covered accounts must take steps to ensure that their service providers also follow these regulations (e.g., through contracts).
2. Identifying Relevant Red Flags
An Institution identifies red flags based on
- incidents of identity theft that the institution has experienced;
- methods of identity theft that the institution has identified, which point to changes in identity theft risks; and
- applicable supervisory guidance.
Categories of red flags include:
- alerts, notifications, or warnings from a consumer reporting agency or service provider;
- suspicious documents;
- the presentation of suspicious personal information (e.g., a suspicious address change);
- unusual use of or suspicious activity relating to a covered account; and
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
3. Detecting Red Flags
Policies must address verification and authentication of consumers’ identities and transactions in opening and maintaining covered accounts.
4. Preventing and Mitigating Identity Theft
Appropriate responses to red flags include monitoring covered accounts, contacting consumers, notifying law enforcement agencies, changing passwords or account numbers, and not opening or closing existing covered accounts. Institutions may also determine that no response is needed.
5. Other Applicable Legal Requirements
Institutions should be mindful of other relevant legal requirements.
V. PENALTIES
The FTC is authorized to enforce compliance with the Red Flag Rules and may impose a maximum penalty of $3,756 per violation. Also, while private citizens cannot sue for a violation of the Red Flag Rules, courts may impose injunctive relief.
VI. COMPLIANCE CALENDAR
At least annually, staff responsible for an Institution’s identity theft prevention program should report FACTA compliance to the Institution’s board of directors or individuals with similar oversight. The report should address the effectiveness of existing policies and procedures, the Institution’s service provider arrangements, significant incidents of identity theft and management’s responses to those incidents, and recommendations for changes to the program.