Identity theft affects millions of people every year. It carries a high cost for both individuals and organizations, so regulations require many financial institutions and creditors to protect account holders against identity theft. The patterns, practices, and specific activities that indicate possible identity theft are called red flags, so these regulations are known collectively as the “Red Flags Rule.”
The Red Flag Rule
Also known as the Fair Credit Reporting Act (FCRA) Identity Theft Rules, the Red Flag Rule is codified in the Code of Federal Regulations (CFR). The FTC’s version is 16 CFR Part 681; the federal banking regulators, the SEC, and the CFTC publish parallel rules for the institutions they supervise.
It requires financial institutions and creditors that are subject to FCRA regulations to have a written program to detect, prevent, and mitigate identity theft. This program must address identity theft related to both opening and managing accounts.
Knowing when the Red Flag Rule applies, and how access control fits into it, clarifies how to build an identity theft prevention program that both complies with the rule and actually works.
Who is Subject to the Red Flag Rule?
Data and account security are always essential, but not every organization is subject to the Red Flag Rule. It applies to financial institutions and creditors, as defined in the FCRA (U.S. Code Title 15, § 1681a), that offer or maintain covered accounts.
Financial institutions that must comply with the Red Flag Rule are:
- State and national banks
- State and federal savings and loan associations
- Mutual savings banks
- State and federal credit unions
Additionally, any person who directly or indirectly holds a transaction account belonging to a consumer is considered a financial institution for this purpose and must also comply.
A creditor is defined as any organization, person, or assignee who does the following:
- Regularly extends, renews, or continues credit
- Regularly arranges for the extension, renewal, or continuation of credit
- Participates in decisions to extend, renew, or continue credit
Since the Red Flag Program Clarification Act of 2010, a creditor is covered by the rule only if, regularly and in the ordinary course of business, it obtains or uses consumer reports in connection with a credit transaction, furnishes information to consumer reporting agencies in connection with a credit transaction, or advances funds based on an obligation to repay them (other than advances for expenses incidental to a service it provides).
The Red Flag Rule requires every financial institution and creditor to periodically determine whether it offers or maintains any “covered accounts.” An organization with none is not required to implement a program, but it must revisit that determination as its products and services change.
Covered accounts are described as those that are typically used by individuals and households to facilitate multiple transactions. Examples of covered accounts are:
- Credit card accounts
- Checking and savings accounts
- Mortgages and auto loans
They also include any other account for which there is a reasonably foreseeable risk of identity theft to the customer, or to the safety and soundness of the financial institution or creditor, including financial, operational, compliance, reputation, or litigation risk.
Why the Red Flag Rule Matters for Access Control
Access control is one of the cornerstones of identity and access management and is essential to keeping accounts protected against identity theft. It limits access to digital and physical systems and assets to those who hold the required permissions.
Keeping accounts, systems, and assets secure against identity theft and other breaches requires proper identification (who is asking), authentication (proving that claim), and authorization (checking what that identity is allowed to do) every time access is requested, plus explicit approval for sensitive actions.
There are several practices and controls for organizations to consider and implement as needed to comply with the Red Flag Rule:
- Certificate-based (PKI) authentication – The user’s device holds a private key and proves possession of it by signing a server-issued challenge; the server verifies the signature against the user’s certificate, so no reusable secret crosses the network.
- One-time passwords (OTPs) – Single-use codes generated on a separate device or token serve as a second factor alongside the password. Time-based OTPs (TOTP) rotate every 30 seconds, so a captured code is useless shortly after it is observed. An OTP is a second factor, not multifactor authentication by itself.
- Robust password requirements – Require long, unique passwords, reject common or previously breached ones, and store only salted, slow hashes (e.g., PBKDF2, bcrypt, or Argon2) rather than the passwords themselves.
- Account maintenance controls – Require fresh (step-up) authentication before any change to sensitive account information such as a mailing address, phone number, or payout destination.
- Transaction controls – Apply limits on transaction amount and frequency, and restrict transactions that fall outside an account’s normal pattern.
- Authentication controls – Limit the number of consecutive failed login attempts before an account is temporarily locked, and require re-authentication after a specified period of inactivity.
- Automated de-provisioning – Configure automatic suspension or de-provisioning of inactive accounts.
- Account notifications and monitoring – Ensure administrators, and where appropriate the account holder, are notified of significant changes to an account’s status or details.
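As an added example (not code from the original article), the following Python sketch shows how several of the controls above fit together in one account-access policy: passwords stored as salted PBKDF2 hashes, an RFC 6238 TOTP second factor with a 30-second step, lockout after repeated failures, re-authentication after inactivity, step-up authentication before a sensitive account change, and automatic suspension of inactive accounts. The policy thresholds at the top are assumptions for illustration, not figures from the rule, and the `Account` record is a stand-in for whatever directory or database an institution actually uses.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Policy thresholds: assumed values for this example, not figures from the rule.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 10 * 60
DEPROVISION_AFTER_SECONDS = 90 * 24 * 3600
PBKDF2_ITERATIONS = 600_000          # OWASP-recommended work factor for PBKDF2-HMAC-SHA256
TOTP_STEP = 30                       # seconds per TOTP code (RFC 6238 default)
SALT_LEN = 16


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password); the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", int(now) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: float, drift: int = 1) -> bool:
    """Accept the current step and `drift` steps either side to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code)
               for k in range(-drift, drift + 1))


@dataclass
class Account:
    username: str
    password_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0
    suspended: bool = False


def login(acct: Account, password: str, code: str, now: float) -> str:
    """Password + TOTP login under the lockout policy; returns ok/denied/locked/suspended."""
    if acct.suspended:
        return "suspended"
    if now < acct.locked_until:
        return "locked"
    # Non-short-circuit '&' so a bad password and a bad code cost the same time.
    ok = verify_password(password, acct.password_hash) & verify_totp(acct.totp_secret, code, now)
    if not ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    acct.last_activity = now
    return "ok"


def needs_reauth(acct: Account, now: float) -> bool:
    """Session idle past the timeout: force the user to authenticate again."""
    return now - acct.last_activity > IDLE_TIMEOUT_SECONDS


def change_sensitive_field(acct: Account, password: str, code: str, now: float) -> str:
    """Account-maintenance control: step-up authentication gates a sensitive change."""
    status = login(acct, password, code, now)
    return "changed" if status == "ok" else status


def deprovision_inactive(accounts: list, now: float) -> list:
    """Suspend accounts idle for longer than the de-provisioning window; returns usernames."""
    suspended = []
    for acct in accounts:
        if not acct.suspended and now - acct.last_activity > DEPROVISION_AFTER_SECONDS:
            acct.suspended = True
            suspended.append(acct.username)
    return suspended
```

Every function takes the current time as a parameter rather than reading the clock, which keeps the policy deterministic and testable; in production, pass `time.time()`. Two details matter for the red flags use case: `login` evaluates both factors even when the first one fails, so an attacker cannot tell from response timing which factor was wrong, and it never increments the failure counter while an account is locked, so a locked account cannot be kept locked forever by a flood of bad attempts from an attacker.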
Implementing strong access controls protects account holders and the system as a whole, but it is only one facet of a complete identity theft red flags program.
How to Optimize an Identity Theft Prevention Program
Organizations that must comply with the Red Flag Rule have to establish and maintain a written identity theft prevention program. It must be developed to match the organization’s size, complexity, and activities.
Each program will be unique, but all must include policies and procedures to identify the red flags relevant to the organization’s accounts, detect them when they occur, respond appropriately, and update the program periodically as risks change.
A compliant program will address the following categories of identity theft red flags:
- Alerts from consumer reporting agencies and fraud detection services
- Suspicious documents or identifying information
- Unusual usage of an account
- Notifications regarding possible identity theft of an account holder
The program must be approved by the organization’s board of directors or a board committee (or, if there is no board, by a designated senior manager), and the board or senior management must stay involved in overseeing it. It must also include sufficient staff training and oversight of service providers to ensure the program’s efficacy.
Guard Against Identity Theft
Following the Red Flag Rule is mandatory for covered financial institutions and creditors. But strong access controls and the program practices described above will improve security for any organization that holds customer accounts.