How to Set Up Red Flag Procedures
According to the Federal Trade Commission (FTC), more than 9 million Americans fall prey to identity thieves each year. The federal government is fighting back by requiring certain businesses and organizations to develop a written Identity Theft Prevention Program to detect the "red flags" of identity theft --- and to protect consumers from this costly crime. To comply with the "Red Flags Rule," the FTC recommends a four-step process.
Instructions
Identify the Red Flags
1. List the risk factors of different types of personal accounts: deposit versus credit, consumer versus business, accounts opened online versus accounts opened in person, etc.
2. Look for clues about relevant red flags in existing business and industry information. Use your own experience with identity theft to identify red flags --- and keep abreast of new identity theft scams.
3. Make a list of common red flags. Supplement A to the "Red Flags Rule" lists several warning signs that point to identity theft. A few examples include: an alert from a credit reporting agency, a document that appears altered or forged, a bogus address or Social Security number and suspicious account activity.
Design Procedures for Detecting Red Flags
4. Establish methods for exposing red flags when verifying and authenticating identity in person and remotely.
5. Design procedures for verifying the identity of someone opening a new account. These might include asking for a customer's name, address and identification number. Asking for a driver's license or passport might be adequate for verifying a customer's identity in person. Comparing information that the customer provides with information from other sources --- such as a credit report --- can also be useful.
6. Set up procedures for verifying the identity of an existing customer. Your program should contain reasonable procedures for making sure that your customers are who they say they are. For advice regarding online authentication procedures, you may want to consult the Federal Financial Institutions Examination Council's guidance on authentication.
Set Up Response and Prevention Procedures
7. Detail appropriate response procedures in your program. How you respond to a particular threat depends on the particular risk that the threat poses to your organization.
8. Establish response methods for low-level threats. These may include monitoring an account, contacting the customer or changing passwords. If you detect a red flag with a new customer, the appropriate response might be not opening a new account.
9. Establish a response protocol for higher-level threats. Certain red flags may call for a more aggressive response. For example, if a security breach recently resulted in unauthorized access to a customer's account or a customer has informed you that she unknowingly provided personal information to an impostor, your response may be freezing an account or contacting law enforcement.
10. Identify situations in which the appropriate response is no response. Some red flags, upon close inspection, may prove to be "false alarms." Your Identity Theft Prevention Program should clearly describe these situations.
Reassess and Update the Program
11. Outline how you will reassess your program on an ongoing basis.
12. Incorporate new red flags that grow from changes in your business, new methods for detecting identity theft or new criminal techniques.
13. Update your detection procedures to reflect new threats and to make use of new detection technologies.
14. Modify your red flag response procedures to incorporate improved tactics for preventing criminal activity.
Tips & Warnings
Traditional identifying information --- such as a Social Security number, mother's maiden name and date of birth --- is too easily accessible to be a reliable means of authentication.