Compliance with the Red Flags Rule (a new federal identity theft prevention measure) and the Address Discrepancy Rule (a new federal measure ensuring accuracy of consumer report information) is required as of Nov. 1, 2008. In this Commentary, Michael Goodman, a Partner in the Washington, DC office of Hudson Cook, LLP, provides an overview of the requirements of each new rule and guidance from the government to promote compliance. He writes:
The Red Flags Rule requires each covered entity that offers or maintains one or more covered accounts to develop and implement a written Identity Theft Prevention Program (Program). Each entity’s Program must be designed to detect, prevent, and mitigate identity theft, and must be appropriate to the size and complexity of the covered entity and the nature and scope of the entity’s activities. The Rule uses the term red flag as a point of reference to explain the compliance obligations imposed on covered entities. In other words, covered entities must be prepared to mitigate and prevent identity theft by identifying, detecting, and responding to red flags. The Rule defines red flag as a pattern, practice, or specific activity that indicates the possible existence of identity theft.
In order to detect, prevent, and mitigate identity theft, a covered entity’s Program must include reasonable policies and procedures to identify red flags that are relevant to the covered entity, detect when an identified red flag is present with respect to a covered account, and respond appropriately to red flags that have been detected. This Rule also establishes requirements to periodically update and administer the Program. The remainder of the Rule, and more substantially, the agencies’ official guidelines that accompany the Rule, provide a fuller explanation of how to comply with these components.
. . . .
The [Address Discrepancy] Rule establishes two related obligations on users of consumer report information once they receive a notice from a consumer reporting agency. First, they must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. This obligation applies to all users receiving a notice of address discrepancy from a consumer reporting agency. That is, all users must conduct some type of investigation into the consumer’s address in response to the notice. The agencies explain that users are expected not to use the consumer report at issue if their investigation does not lead to a reasonable belief that they know the identity of the consumer.
The Rule provides several examples of what can constitute these reasonable policies and procedures. First, the user can compare the information in the consumer report provided by the consumer reporting agency with: (1) information the user obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program rules implementing the USA Patriot Act; (2) information the user maintains in its own records, such as applications, changes of address notifications, other customer account records, or retained Customer Information Program documentation; or (3) information the user obtains from third-party sources. Second, the user can verify the information in the consumer report with the consumer.
(footnotes omitted)