I attended an ISSA-Silicon Valley chapter meeting this week, where the featured speaker, Jim Anderson, gave an interesting presentation on the Red Flags Rule. For the uninitiated, the rule, issued by federal regulators in 2007, requires financial institutions and creditors to have a written program for spotting "red flags" that indicate possible identity theft. Anderson, who is president of the consulting firm Professional Assurance in Pleasanton, Calif., and has 12 years of experience working in commercial banks, stressed that the Red Flags Rule requires organizations to ensure that their contractors are compliant. High on organizations' Red Flags to-do list is notifying relevant third parties of their obligation to comply with the rule, he said.
In a phone interview after the meeting, Anderson said the main types of service providers subject to the Red Flags Rule are those involved in evaluating creditworthiness or in processing credit-based transactions. Those service providers need to demonstrate to their customers that they are compliant with the rule, ideally with a written identity-theft prevention program, as called for in the regulation, he said. If a third party can't provide definitive evidence of compliance, it should be put on notice that its contract may be subject to modification or termination, Anderson said.
“The regulated entity, the one with the covered accounts, is responsible for compliance, but what Red Flags does is raise the visibility level of third parties and that they have to be considered in one’s compliance,” he said.