The US government audit of a company’s compliance with the Red Flags Rule may be inevitable as the number of identity theft cases increases affecting more people and their credit worthiness. A government audit of a company’s identity theft prevention program as agreed by an inter-agency committee will cover three major aspects of the Red Flags Rule.

This identity theft red flags rule examination procedures checklist can be used by businesses to ensure compliance level with the Red Flags Rule and prepare for a government audit.

These major Red Flags Rule compliance audit areas are as follows:

  1. Identity theft red flags,
  2. Address discrepancies, and
  3. Changes of address.

The above identity theft prevention compliance areas will be audited using 15 identity theft red flags rule examination procedures during a Red Flags Rule compliance audit by a government agency. Whether your company is audited by the FDIC, NCUA, Federal Trade Commission (FTC) or any other regulatory body, the following identity theft compliance audit procedures will be followed by the examiners to assess the completeness and effectiveness of your company’s identity theft prevention program. Therefore, these audit procedures must be considered by all financial institutions and creditors to comply with the identity theft Red Flags Rule regulation, which has been adopted and is currently enforced. Government risk management examiners are also instructed to test institutions for Red Flags Rule compliance as well as address discrepancy and change management during risk management audits.

Specifically, the Red Flags Rule requires the following:

  1. Financial institutions and creditors to implement a written identity theft prevention program,
  2. Institutions to assess the validity of change of address requests, and
  3. Users of consumer reports to verify the identity of the subject of a consumer report in the event of a notice of address discrepancy.

Government Identity Theft Red Flags Rule Examination Procedures

The following list of identity theft compliance audit procedures will be followed by government examiners and can be used by all covered entities to determine their compliance level and preparedness for a government audit:

1. Covered Accounts – Government Red Flags Rule audit examiners will verify that the institution periodically identifies covered accounts it offers or maintains. As part of this initial procedure in the examination, examiners will verify that the institution:

  • included accounts for personal, family and household purposes, that permit multiple payments or transactions;
  • conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution’s previous experiences with identity theft.

2. Other Regulations – Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies adversely affecting the institution’s ability to comply with the identity theft Red Flags Rules .

3. Management Oversight – Government auditors will review reports, such as audit reports and annual reports prepared by staff for the board of directors (or an appropriate committee thereof or a designated senior management employee) on compliance with the Red Flags Rule. These include reports that address:

  • Effectiveness of the institution’s ID Theft prevention program,
  • Significant ID Theft incidents and management’s response,
  • Oversight of service providers that perform activities related to covered accounts, and
  • Recommendations for material changes to the prevention program.

4. Comprehensive Program – Examiners will verify the institution has developed and implemented a comprehensive written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft. The program must be appropriate to the size and complexity of the institution and the nature and scope of its activities. Examiners also will determine whether the institution uses technology to detect red flags; whether the program is updated periodically; and that the board approved and oversees the program.

5. Trained Staff – Examiners will verify that the institution trains appropriate staff to effectively implement and administer the program.

6. Vendor Management – Examiners will determine whether the institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts.

When these procedures are complete, examiners will form a conclusion about whether the institution has developed and implemented an effective and comprehensive written program designed to detect, prevent and mitigate identity theft.

Address Discrepancy Audit Procedures

The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The government identity theft red flags rule examination procedures include five steps to assess address discrepancy compliance:

7. Recognition – Examiners will determine whether the user of consumer reports has policies and procedures to recognize notices of address discrepancies.

8. Reasonable Belief – Examiners will determine whether users have policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested.

9. Accurate Address – Examiners will determine whether users have policies and procedures to furnish to the nationwide consumer reporting agency a consumer address that the users have reasonably determined is accurate.

10. Timing – Examiners will determine whether the users’ policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to the credit reporting agencies during the reporting period when it establishes a relationship with the consumer.

11. Sampling – If procedural weakness or risks are determined, examiners will obtain a sample of consumer reports requested by the user from a credit reporting agency regarding notices of address discrepancies to determine:

  • how the user established reasonable belief that the reports related to the consumer in question,
  • if the consumer relationship was established,
  • whether the institution furnished a consumer address that was reasonably confirmed, and
  • whether the user furnished the address in the appropriate reporting period.

Change of Address Audit Procedures

The regulation also requires institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:

  • Notifies the cardholder of the address change request and provides the customer a communication means to report unauthorized address changes, 
  • Notifies the customer with a previously agreed upon means of communication, or
  • Assesses the validity of the change of address according to procedures established as part of the ID Theft prevention program.

A government identity theft prevention compliance audit will include four steps to test change of address compliance:

12. Verification – Examiners will determine whether the card issuer has policies and procedures to assess the validity of a change of address.

13. Prevention – Examiners will determine whether policies and procedures prevent card issuers from issuing additional or replacement cards until they notify the cardholder or use other reasonable means to evaluate the validity of the address change.

14. Special Notice – Examiners will determine whether written or electronic notice is sent to cardholders to validate a change of address. This notice must be exclusive from any regular correspondence.

Certified Red Flag Specialist CRFS for identity theft certification and Red Flags Rule compliance
Get certified in identity theft prevention and Red Flags Rule compliance

15. Sampling – If procedural weaknesses or risks are noted, examiners will obtain a sample of notifications from cardholders to ensure that card issuers complied with regulatory requirements to evaluate the validity of address changes before issuing cards.

In order to protect consumers, the US government has identified 5 categories of identity theft red flags and a total of 26 specific red flags as part of the Red Flags Rule regulation to help businesses detect and prevent identity theft in their day to day business operations. The Red Flags Rule requires companies to establish a formal identity theft prevention program to address how the business identifies, detects, and responds to identity theft red flags to prevent identity theft using these 26 identity theft red flags which offer guidance to businesses for identity theft prevention.

Red Flags Rule identity theft prevention program compliance solutions by Identity Management Institute

What are Identity Theft Red Flags?

Identity theft red flags are suspicious patterns, practices, and activities that indicate the possibility of identity theft. For example, if a customer offers a unique identifier such as a social security number and the SSN is already used by another customer, it is potentially a strong red flag or indication of possible identity theft or if a personal document looks fake, it also may represent a potential identity theft red flag.

Purpose of Identity Theft Prevention Program

The main requirement of the Red Flags Rule is the establishment of an identity theft prevention program. The purpose of an identity theft prevention program is to develop policies and procedures for the following 4 areas:

  1. Identify identity theft red flags with a risk assessment to document how identity theft may occur in your daily business operations
  2. Detect the identified red flags
  3. Prevent identity theft after the red flags are detected
  4. Update the identity theft prevention program to address new threats

Once the program is developed, it is extremely important to train the appropriate staff to become familiar with the program, identity theft threats, and steps to be taken.

Who Should Comply

All financial institutions and creditors must comply with the Red Flags Rule. The Red Flags Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or a person that, directly or indirectly, holds a transaction account belonging to a consumer.

5 Identity Theft Areas under the Red Flags Rule

The Red Flags Rule lists 26 specific red flags under the following 5 general categories that companies must identify to detect identity theft. These categories provide guidance and direction to help businesses focus in on sources of useful information for identity theft prevention:

  1. consumer reports
  2. identification documents and information
  3. address discrepancy notices
  4. suspicious address changes, and 
  5. warning notices received from customers and other sources.

26 Identity Theft Red Flags

The Red Flags Rule regulation lists 26 specific identity theft red flags that companies should consider as part of their identity theft prevention program and training. These identity theft red flags are not only important for compliance with the Red Flags Rule, but they also form the basis for identity theft risk assessment and prevention. Companies should consider these 26 identity theft red flags in their risk assessment process and select the ones that apply to their unique business for developing the identity theft prevention program and employee identity theft training.

  1. Consumer report fraud alerts must be considered as a possible identity theft red flag.
  2. Notice of a credit freeze in response to a request for a consumer report is a potential red flag because a consumer who placed a credit freeze is less likely to apply for credit.
  3. Unusual credit activity, such as an increased number of new accounts or inquiries and spending appear in the credit reports.
  4. Identification documents provided by the customer appears altered or forged.
  5. Photograph on ID card is inconsistent with the appearance of the customer present.
  6. Information on ID card such as name or address is inconsistent with information provided by the person opening account.
  7. Information on ID card is inconsistent with information on file in the organization.
  8. Application appears forged, altered and reassembled.
  9. Personal information is inconsistent across multiple sources.
  10. Lack of correlation between social security number range and date of birth exists.
  11. Personal information is associated with known fraud activity and cases.
  12. Suspicious information and address is supplied, such as a PO Box,  prison, or phone numbers associated with an answering service.
  13. Social security number provided matches social security number submitted by another person opening an account or existing customer.
  14. An address or phone number matches information provided by other applicants and customers.
  15. The person opening the account is unable to supply additional identifying information in response to incomplete applications.
  16. Personal information is inconsistent with information already on file at financial institution or creditor.
  17. An existing customer is unable to correctly answer challenge questions.
  18. Shortly after change of address, creditor receives a request for additional users for the account.
  19. A consumer reporting agency provides a notice of address discrepancy.
  20. Most of available credit is used for cash advances, jewelry or electronics, and customer fails to make first payment.
  21. Drastic change in payment patterns, use of available credit or spending patterns.
  22. An account that has been inactive for a long time suddenly becomes unusually active.
  23. Mail sent to customer repeatedly is returned as undeliverable despite ongoing transactions on the account.
  24. Financial institution or creditor is notified that customer is not receiving paper account statements.
  25. Financial institution or creditor is notified of unauthorized charges or transactions on customer’s account.
  26. Financial institution or creditor is notified that it has opened a fraudulent account.
Certified Red Flag Specialist CRFS for identity theft certification and Red Flags Rule compliance
Get certified in identity theft prevention and Red Flags Rule compliance

The market for biometric data systems is expected to grow from its 2019 value of 33.0 billion to 65.3 billion by 2024. What’s driving this rapid growth? Biometrics are being incorporated into more consumer devices.

There are certain business outsourcing risks when companies decide to let another company take care of their business operations. When companies make a decision to outsource some of their services to an outsourcee, they have basically concluded that their companies are better off letting someone else do the job for them. Although their assumptions may be true when we look at specific benefits, it may not be true when we look at the entire picture.

Data protection and business risks of outsourcing business functions and services

There are sometimes good reasons to outsource which we will cover later, and companies may outsource some business operations such as customer service or call centers, certain aspects of their system security management specially if the outsourcee offers independence and state of the art technology, IT operations, marketing, etc. However, outsourcing decisions are sometimes based on myths and lack of awareness of the risks. A myth is a false belief and there are a few of them when it comes to outsourcing business operations.

Outsourcing Myths

Myth #1) We will save money – this is actually far from the truth when we look at the big and entire picture. What happens when you decide to bring the outsourced process or function back in-house one day? You will incur huge costs associated with hiring, training, and productivity, that is if your outsourcing contract allows you to easily reverse your past decision and, if the other company supports your decision since they have no incentive to cooperate.

Myth #2) It’s less headache for us – the reality is that when it comes to outsourcing, less is more because when  you have less control over the process, you have more problems and less flexibility to address those problems efficiently and effectively. Remember, when you outsource, you are at the mercy of the other company to solve your problems and manage your risks. The risk significantly increases when the outsourcing company directly deals with your customers and appears to be an extension of you in the marketplace.

Myth # 3) They have better skills – this may be true and is often the basis for outsourcing thinking that they can do a better job. But, it comes at a cost. Your company can also hire and retain the best skilled staff at a higher cost. Nothing is free and some skills like IT are even more expensive no matter who employs them.

Business Outsourcing Risks

Risk #1) Service Level Agreements or SLAs may not be clear enough – sometimes there is a lack of understanding regarding service agreements or responsibility assignments. Roles and procedures may also not be clear or properly defined and communicated. This can lead to a complete breakdown in the business operations initially and slow recovery in operations efficiency and effectiveness which can take months and years affecting productivity and morale which is another component of business outsourcing risks.

Risk #2) The outsourcing project may be poorly planned – one of the consequences of poor planning is fully trusting the outsourcee and letting knowledgeable employees leave the company before their knowledge is adequately transferred. This cost saving error ends up in service delivery delays in the short run and costing companies even more in the long run.

Risk #3) Lack of control over outsourcee staff – usually, firms have bad apples in their pool of employees for good reasons; to bring costs down and not be detected while doing that. When we have control over staff, we can tie their job retention to their job performance but not when the staff is an outsourcee employee who may also be overworked and engaged in serving other customers with or without your knowledge. Remember, the outsourcee objective is to make money by serving as many clients as possible. And when they have too many clients, they can take the risk of losing one client for poor services.

Risk #4) Contracts may not allow early and easy exit – can you imagine waking up one morning, realizing that your company has made the mistake of outsourcing some functions, and yet also realize that you can not easily reverse your decision while the service renewal contract is staring you in the face? If you discover early on that you made the wrong decision, you may be obligated to abide by the contract and even when the contract ends, it will be a huge undertaking to bring the task back in house depending on the scope which will require the cooperation of the outsourcee which will have yet another opportunity to squeeze in more money.   

Risk #5) Transition back to in-house is costly and can take time – remember the myth about saving money on labor cost when your company first decided to outsource? Now think again about bringing the outsourced functions back in house with the unimaginable cost of re-hiring skilled staff and training. That is if your company reputation is still good enough to attract past or new employees. Having an exit strategy is and should be part of the plan for managing business outsourcing risks.

Risk #6) You may be liable for data breach – if you are sharing personal and confidential data with the vendor as part of the outsourcing arrangement, the vendor may sell or use the data for other reasons, and, may not protect the data as well as necessary to comply with the regulations. If the vendor experiences a data breach, your company will be liable and suffer the consequences as noted in risk #7. To reduce the data security and compliance risks associate with business outsourcing, Henry Bagdasarian, founder of Identity Management Institute suggests that companies establish solid data protection SLAs with their vendors and require independent audit reports to confirm compliance with the SLAs and appropriate regulations.

Risk #7) Your company reputation may be at risk – depending on the type of function outsourced and its nature, the outsourcee can be viewed as an extension of your company which can either directly affect your image if they interact with your customers, or, reflect poorly on your outsourcing decision and planning if they don’t perform well.

On the bright side, outsourcing is not all that bad and it may even make sense in some cases. For example, outsourcing is a great option when the skills needed for the project are not immediately available in-house or the skills needed are just temporary, part time, or for a special project which means that you can easily change vendors or bring the function back in house if needed. Managing business outsourcing risks is critical from the start which includes a complete risk assessment and oversight of the vendor and the project.

Blockchain identity management is increasingly being adopted for validating identities through blockchain authentication, ensuring data privacy and integrity, and managing access. With the massive growth of online business and data comes the equally massive complexity of securing business transactions and system or data access. Cybercrime risks require industries to incorporate technical solutions to keep systems and data safe. One solution leading the field for cyber security and privacy is blockchain technology.

Blockchain identity management and authentication

Current identity and access management systems offer a few security and privacy weaknesses which a blockchain based technology can help solve. However, blockchain is new and may offer risks associated with sensitive data stored on blockchain public ledger.

Blockchain or Distributed Ledger Technology (DLT) in identity management helps control data in a decentralized manner. Traditionally, businesses use a centralized system for identity management which makes the database a honeypot for hackers. For example, the popular use of Lightweight Active Directory Protocol (LDAP) stores information in a database owned by a single organization.

Identity management with blockchain works in a different way. There is no centralized database, instead, information is stored over a peer-to-peer type environment, by adopting a decentralized framework. The data is stored immutably in publicly owned blocks over the network. This solution provides flexibility, security and privacy for data management with reliable authentication and integrity check.

The Small Business Innovation Research program, supported by the Small Business Administration describes blockchain as “a common, public ledger, which utilizes cryptographic mechanisms to verify transactions and information in a decentralized manner.” In this way, blockchain integrity is verifiable by businesses without relying on third parties to ensure trust.

The role of blockchain in identity management is to provide a means to verify identities, control access, and ensure the integrity the data and transactions. Everything stored in the database is publicly owned and immutable.

The future of blockchain identity management as a standard solution for cryptocurrency and other online transactions looks bright. The World Economic Forum reports that while banks spent $75 million to develop this technology in 2015, they spent closer to $400 million in 2019. This is because blockchain technology costs less to develop and implement than standard technologies, offers data integrity, and ensures data is not modified or manipulated by unauthorized persons. According to International Data Corporation (IDC), global blockchain spending will be around $19 billion by 2024 compared to $6.6bn in 2021 as reported in IDC’s Worldwide Blockchain Spending Guide forecasts.

Blockchain technology is in its infancy. There are clear signs that future business solutions for security and privacy will include blockchain technology. The question that remains is how long it will take to see its full potential. That said, blockchain does not come without challenges and will require time to mature. While blockchain offers a beneficial model to make identities portable, verifiable, secure and private, potential challenges remain to be addressed.

Projections show cybersecurity spending exceeding $133 billion by 2022, including spending on artificial intelligence and machine learning solutions. Many businesses use AI to assist in breach detection and prevention, but as the technology becomes more ubiquitous, hackers are turning the tables and deploying AI-powered attacks. If such sophisticated solutions can backfire, can enterprises really rely on AI for their security needs while mitigating artificial intelligence threats and security issues?

Artificial Intelligence Threats

A Few AI Statistics

According to Gartner, information security and risk management spending could be as much as $175.5 billion by 2023. Seventy-five percent of enterprises currently rely on AI-based solutions for network security, and 51% use AI as a “primary” threat detection option.

These numbers suggest increasing confidence in sophisticated cybersecurity solutions, but 22% of organizations still lack sufficient resources to respond when incidents occur. There remains a significant gap between the 62% of enterprises making the most of AI and exploring new ways to implement AI solutions and those with little or no solid grasp of how to properly implement the technology.

AI is Changing Cybersecurity (For Better or Worse)

Speed is where AI excels the most by surpassing the human capacity to detect and mitigate threats. Seventy-five percent of cybersecurity executives agree AI allows them to respond to breaches faster, and the technology has been found to speed up evaluations of “breach-worthy” vulnerabilities by 73%. Fifty-nine percent of cybersecurity professionals say AI streamlines the process of detecting and responding critical system weaknesses, and enterprises using the technology are able to find and fix such weaknesses 40% faster.

What does this mean for enterprise cybersecurity in practice?

With the rapidly evolving threat landscape, AI has become a necessity for 69% of enterprise executives. Sixty percent of cybersecurity professionals agree the technology is able to provide networks with “deeper security,” which can be a critical factor in separating enterprises affected by breaches from those able to avoid attacks.

Artificial intelligence shows significant potential for detecting fraudulent activity, malware and intrusions, as well as gauging the risk levels of login attempts. By making threat detection more sensitive and enabling nuanced behavior tracking, AI increases flexibility within identity and access management strategies. IT professionals can use the technology to create conditional rules and reduce friction for users with complex access requirements.

AI Can Backfire in the Hands of Hackers

Ironically, speed is also a major drawback of AI. Hackers are embracing the machine learning algorithms behind the technology’s success to create nuanced attacks personalized for specific individuals. Because AI can be “taught” with data sets, hackers can either create their own programs or manipulate existing systems for malicious purposes. Attacks executed with AI tend to be more successful, perhaps because the technology makes it easier to develop malware with the ability to evade even sophisticated threat detection. For example, pairing polymorphic malware with AI allows these programs to change their code rapidly, making them almost invulnerable to existing cybersecurity systems.

Hackers may also modify enterprise machine learning algorithms by altering inputs to change the way the system recognizes specific elements. This technique can be used to make the system overlook threats and allow hackers to bypass identity and access management controls.

System behaviors are potential targets, as well; with the right modifications, hackers can change the way devices respond or communicate, which may result in dangerous outcomes. Once system information has been changed, it can be very difficult to correct problems and return the network to its original state.

In light of these threats, it’s important for enterprise executives and IT professionals to resist the temptation to be complacent. Although AI is becoming more autonomous, it is by no means a replacement for human diligence. Systems require correct setup and management from the start, beginning with extensive data sets to prevent false positives and continuing with consistent monitoring and updates to maintain strong security.

Avoiding the Pitfalls of AI Technology

No single security solution, including AI, is enough to protect enterprise networks on its own. In addition to developing robust cybersecurity policies for comprehensive protection, enterprises must:

• Promote cybersecurity awareness through ongoing employee education
• Prioritize data protection
• Employ IT professionals with an awareness and understanding of emerging threats
• Use high-quality data sets when training AI systems
• Automate key security processes for faster detection and response
• Go beyond compliance to create tailored security solutions
• Perform routine security audits and penetration testing
• Upgrade software and hardware as needed
• Amend security policies to address new threats

Identity and access management certifications

Like all security solutions, artificial intelligence has its limitations. Enterprises interested in incorporating the technology into cybersecurity frameworks must assess their needs and design multifaceted strategies to address both known and potential threats. Instead of seeing AI as the ultimate solution to all cybersecurity problems, it’s necessary to acknowledge potential drawbacks and implement the technology as part of a dynamic and adaptable security solution.