FACTA Red Flags Rule: Re-Evaluating the Rulebook

On February 11, 2019, 31 state Attorneys General (AGs) submitted comment on a public request by the Federal Trade Commission (FTC) regarding the 2007 Red Flags Rule governing bank account information. In those original rules, financial institutions were required to begin screening customer address changes to reduce account takeover.  

The rationale for creating the 2007 rules was sound: the primary way identity thieves worked back then was low-tech. All they had to do was call a financial institution, change a customer address and request a new credit card, debit card or checks. That’s it. Once a new card was delivered to the customer’s “new” address (really the fraudster’s address), account takeover was complete.  

In a letter, the AGs acknowledged that the 2007 rules have had a significant positive impact on reducing account takeover and identity fraud.  However, the AGs also stressed that ID theft is still a major concern, and the vast increase in data breaches is fueling fraud losses. They went on to say that financial institutions must remain vigilant and keep up with advancements in fraud-fighting strategy and technology tools.   

The FTC reviews all of its rules and guides on a periodic basis, in order to capture information from those regulated by its rules. The information is then used to determine whether the Commission should modify or update the rules based on changes in the economic landscape. The open-ended comment period yielded feedback from hundreds of financial institutions and adjacent service providers. 

The American Bankers Association (ABA) offered a different perspective when issuing its comments in their letter to the FTC, acknowledging that FACTA identity theft rules have allowed banks to develop and implement controls to suit the “size and complexity” of each institution and citing the continued relevance of the Red Flags Rule. 

According to the ABA:

“(The) Red Flags Rule is sufficiently flexible to accommodate these changing identity theft patterns and strategies in innovations in technology. (It) recognizes that an institution’s identity theft program will vary based on… the nature and scope of its activities. (We) believe that both rules provide appropriate flexibility to accommodate changes in identity theft trends and the technology needed to combat identity theft. We do not believe it is necessary to amend them at this time.”

In addition, the ABA argued that the existing FACTA Card Issuers Rule gives banks enough flexibility to validate customer information changes using additional contact points, such as phone number and email address. With digital banking becoming the most preferred means of communication between customer and bank, account takeover schemes are rarely limited to physical address alone. By changing multiple points of contact, the fraudster can get in-between the financial institution and the customer and intercept all communications, including fraud alerts. 

Those of us working in fraud prevention have observed the fraud schemes evolve over time and we hear first-hand accounts from financial institutions each and every day.For example, a longtime customer requests a change of address on a Monday. Then on Tuesday, there’s a request to change the email address. Then on Wednesday there’s a request to change the phone number. This is not indicative of normal customer behavior. Taken alone, a series of seemingly-innocent non-monetary transactions may be easily ignored or viewed as an anomaly.

While address changes are still a very real and persistent threat, digital banking has opened up a new way for fraudsters to perpetrate account takeover. However, we do agree that the existing FACTA rules already allow for innovation and change in how banks screen non-monetary customer transactions. Using data and analytics solutions designed to automatically resolve information mismatches and predict the likelihood of future fraud activity, banks can focus on high-risk requests in real time and act immediately to protect consumers and prevent serious losses. These technologies represent “reasonable risked-based means” approach that are already covered in the existing rules.

By holistically monitoring any non-monetary changes to the customer communication channel and providing deep intelligence on the suspicious way in which these changes are being made, financial institutions can greatly reduce their risk and keep one step ahead of the fraudsters. Because the FACTA Red Flags Rule of 2007 represented such a giant leap forward in fraud prevention, it empowers financial institutions to harness the power of technology, data science and predictive analytics, to take its regulatory requirements to a new level of vigilance. 

More regulations won’t compel banks to address new methods of fraud, but innovation within the existing compliance landscape – especially analytics involving non-monetary account changes – will make it increasingly easy (and cost-effective) for banks to move beyond basic compliance and address emerging threats.  

 Adam Elliot is founder and president of ID Insight