November 6, 2007 - When the Fair and Accurate Credit Transaction Act (FACTA) was signed into law by President Bush, it contained provisions that would eventually force financial institutions to implement an identity theft prevention program. The law required that various federal regulatory agencies collaborate to come up with a set of rules for financial institutions to follow. This week, the FTC and other agencies released their 256 page set of final rules for identity theft "red flags". They are much weaker than what was originally proposed.

The new federal rules require financial institutions to develop procedures to identify activities that lead to identity theft (red flags) and to notify consumers when they suspect that their identities are being used fraudulently. 

The rules include requiring financial institutions to verify address changes under various circumstances, and requiring them to notify consumers when credit accounts that have been dormant for two years or more are used.

Originally, the rules would have required all financial institutions to develop a written set of rules for dealing with identity theft red flags. But the final rules require "only those financial institutions and creditors that offer or maintain ‘covered accounts' must develop and implement a written Program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Each financial institution and creditor must periodically determine whether it offers or maintains a ‘covered account.'" In plain English, this means that financial institutions get to decide if they really need to have written rules regarding red flags, and which accounts are actually covered.

The original proposed rule also included a list of 31 red flags that were identified by government regulators. Financial institutions would have had to include procedures for dealing with each of these. But because financial institutions objected to these, the final rules placed the red flags in a "suggested guidelines" area. This means that financial institutions may be free to ignore some or all of them.

There is no doubt that the final rules do provide consumers with some additional protections that they have not had to date, but they could have been significantly stronger. The way in which the final rules were issued gives financial institutions far too much flexibility in deciding whether or not accounts are so called "covered accounts", and over which red flags to watch.

The new rules become effective January 1 and financial institutions must have them in place by November 1, 2008.

by Jim Malmberg

Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.