Q: What exactly does a designated institution or business have to do to become compliant with the Red Flags Rule?
A:
The Red Flags Rule requires every designated institution and business to implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with covered accounts. The requirements include:
Without a mechanism to actually authenticate the identity of the individual presenting identifying information, your institution may only be verifying information stolen by an identity thief, and is thus exposed to federal fines and civil litigation. Performing the required compliance elements most likely creates "safe harbor" status for your institution or business in the event of an inadvertent violation.
Q: What is "safe harbor"?
A: "Safe harbor" generally refers to having performed the compliance steps the law requires. In most legal opinions it is considered the most effective legal defense in litigation.
Q: Why is your company, RedFlagsComp, considered the most "complete" Red Flags Rule solution for my business or institution?
A:
RedFlagsComp is produced by an attorney with over 40 years of experience aiding multi-million-dollar corporations with legal and compliance issues. While other Red Flags Rule compliance companies tout themselves as complete solutions, only RedFlagsComp offers a written Red Flags Rule Program, online Red Flags Rule Training, and a Compliance Identity Scan that exceeds the federal government's requirements.
His online Red Flags Compliance service is entirely web-based, with no software or hardware to purchase or install. Simple, effective and affordable, RedFlagsComp provides the following services to bring your institution or business into complete Red Flags compliance:
Q: The Red Flags Rule states that we must develop a Program appropriate to the size and complexity of our operation and the nature and scope of our activities. Is the Red Flags Rule Program you offer institutions a "cookie cutter" or "one-size-fits-all" Program?
A: Our written Red Flags Rule Programs and online Compliance Training modules were created to address the compliance issues confronted by each of the designated institutions, businesses and industries.
For example, our written Program and online Training for a Financial Institution differ dramatically from our Program and Training for Transportation Institutions, if for no other reason than the special section on "Card Issuers" in the final Red Flags Rule.
Q: How often is Red Flags Rule Compliance training required?
A: The Red Flags Rule states that staff must be trained initially and thereafter as needed. Most legal opinions, however, concur that staff should be trained annually, and new hires immediately.
Q: What are the fines and penalties for institutions or businesses that are not compliant with the Red Flags Rule?
A: Designated institutions or businesses that do not comply with the FTC's Red Flags Rule face civil money penalties of up to $2,500 per violation. In other words, a business involved in only 1,000 non-compliant transactions in one year is subject to penalties of $2.5 million. The FTC may also use its adjudicatory authority to issue a cease-and-desist order, meaning you are out of business.
Q: Are Identity Compliance Scans mandatory under the Red Flags Rule?
A: Mandatory, no; probably necessary, yes. The Red Flags Rule requires that, when a designated business or institution opens a new "covered account" or receives a Notice of Address Discrepancy on a consumer report, it have due-diligence procedures to verify the identifying information an individual provides, and also procedures to authenticate that the individual presenting that information is who he or she claims to be.
Most compliance scans verify the identifying information an individual presents by checking sources such as the Social Security Verification Services and the Social Security Death Master File, but very few include "Challenge Questions" to authenticate the identity of the person actually presenting that information. Identifying data that checks out against these sources can still be stolen data: without posing the challenge questions from outside sources that the Red Flags Rule directs, your institution may in fact only be verifying stolen information from an identity thief, and may thus be exposed to fines and civil litigation.
RedFlagsComp's online Compliance Identity Scan is the only compliance product that confirms the individual's name, date of birth, SSN, address, previous addresses and telephone number assignment, and also automatically displays 5 Challenge Questions to eliminate any guesswork about who you are dealing with. In addition, we perform an OFAC list scan, required for most institutions under the USA PATRIOT Act and Presidential Executive Order 13224.
Our 1Scan Compliance Identity Scan performs over 400 searches across over 30 million data sources and displays all results in a printable report in two to five seconds. We also archive all scans on our secure server and tabulate your Program data for inclusion in the required annual report to the Board of Directors.
Q: We are a Health Care Provider and don't use credit reports. Why are we designated to be Red Flags Rule compliant?
A: The Red Flags Rule defines a "creditor" as any person who regularly extends, renews or continues credit. "Credit" is defined as the right granted by a creditor to a debtor to purchase property or services and defer payment for such purchases.
Under these definitions, a health care provider is a "creditor" whenever it allows a patient to defer payment for services rendered. Most health care providers will meet the definition, since few collect all, or even most, fees in advance or at the time of service. In addition, under the Rule's definition of "covered account", many billing accounts maintained by health care providers would likely qualify as "covered accounts".
Q: Our company uses its own intranet system to communicate within our organization. Can RedFlagsComp be integrated into our system and will our compliance officer be able to monitor the required staff training throughout the organization?
A: Answering your question with a blanket "yes" would not be prudent, since intranets and internal network systems are built on many different infrastructures. Suffice it to say that, as of this writing, we have successfully integrated our entire online compliance program at every business or institution that has requested it.
And yes, our integrated administrative system allows designated senior management to monitor training and test scores for all staff across the entire organization.
Q: Our bank is contracted with several automotive dealerships regarding indirect loans. If one of our dealers is not Red Flags Rule compliant and sells a car to an identity thief, who has the ultimate liability in either federal or civil litigation?
A: First, let's address one of the directives that must be included in your institution's Red Flags Rule Program. According to the Rules, the institution:
"... must exercise appropriate and effective oversight of all service provider arrangements... this provision provides maximum flexibility to financial institutions and creditors (your bank) in managing their service provider arrangements, while making it clear that a covered entity (your bank) cannot escape its obligations to comply with the final rules".
Later in the rules:
"...whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft".
(PDF Page 16 of The Final Rules)
The government appears to have established that both your bank and the non-compliant dealership could face fines and penalties, but that the institution (your bank) carries the ultimate exposure and liability. But set the government aside for a moment. Since the Red Flags Rule provides for civil actions against non-compliant violators, rest assured that an identity theft victim's attorney will pursue both parties: the dealership for negligence and non-compliance, and your bank for failing to oversee the dealership's compliance as the Red Flags Rule mandates.
Q: Since banks have the ultimate liability for indirect loans at dealerships, how far can our bank go to ensure our indirect dealerships are Red Flags Rule compliant?
A: Again, let's review a section directly from the final Red Flags Rule:
"The guidelines state that a financial institution or creditor could require the service provider (dealership), by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities..."
(PDF Page 16 of The Final Rules)
Based on this section of the final Red Flags Rule, most legal opinions concur that banks have the authority to audit their service providers' compliance and may even dictate, by contract, the Red Flags Rule compliance service their service providers must use. To help lenders audit and monitor their contracted dealerships, RedFlagsComp also created a separate Red Flags Rule Compliance module tailored specifically to indirect lending through dealerships. Our Transportation compliance Program and Training module naturally differs from a bank's, but the two Programs share the same underlying infrastructure, which makes monitoring easier.
Our technical staff has also created integration protocols that allow your bank to unobtrusively access any contracted dealership's administration page off-site, to monitor staff training as well as the actual Red Flags and OFAC compliance identity scans performed on the dealership's customers through RedFlagsComp's 1Scan identity scanning tool. All that is required is a contract stating as much.
Q: Does your company, RedFlagsComp, store our Red Flags Rule Program data, and if so, is it safe?
A: We host and archive your Program data; however, we do not store any consumer non-public information whatsoever. Although our 1Scan Compliance Identity Scan requires an individual's SSN, the SSN is used only to run the scan and is not retained after the "Submit" button is clicked.
As for security, RedFlagsComp runs on Linux, the same operating system used by several government agencies, including the Department of Homeland Security. Our site is hosted as a secure site and protected by multiple firewalls, redundant servers and backup systems, and is monitored 24/7 by our technical support staff.
Sample Programs and Identity Scan reports are available by sector: Financial; Transportation; Health Care Provider; Education; Retail Merchants; Municipality / Utility; Telecommunications / Mortgage Brokers; Cell Phones - Utilities - Health Care.