New FTC rule requires widespread, bank-like protection of consumer IDs
The regulation, known as the Red Flags Rule, will require mortgage and auto loan issuers, wireless carriers, and other potential targets for identity thieves to better catch warning signs and thwart fraud threats.
"The identity theft prevention programs must be designed to help identify, detect, and respond to patterns, practices, or specific activities - known as 'red flags' - that could indicate identity theft," said FTC spokesman Frank Dorman.
The new rule is designed to cover many more types of "creditors" by applying that term broadly to any business that regularly provides goods and services first and allows customers to pay later, according to a guide prepared by the FTC.
"Fraudsters can get the same personal information from an auto dealer or a utility company that they can get from a financial services company," said Thomas Oscherwitz, chief privacy officer of ID Analytics, an identity intelligence firm. "Consumers may see a little more friction when they go to a variety of service providers, such as a more vigorous verification process, but I would argue that additional burden would be worth it for them."
The Red Flags Rule requires creditors to conduct a risk assessment to determine if they have accounts that might be attractive to identity thieves. If so, the companies have to create programs to spot and respond to potential threats. Such risks could include, for example, whether the manner in which the accounts are opened makes them more susceptible to identity fraud, the firm's earlier experiences with ID theft, or types of suspicious activity related to the way accounts are accessed.
The dour economic climate and the evolving craftiness of criminals have led to a steady uptick in identity theft. According to recent research, 4.8% of the population, or 11.1 million Americans, had their identity stolen in 2009, compared to 10 million in 2008 and 8.4 million in 2007. On average, consumers last year spent 21 hours and $373 out of pocket to resolve the crimes, which amounted to $54 billion.
The regulation, written in 2007, already has been delayed three times as a result of continued lobbying from the American Medical Association and others. They have argued the rule should not apply to health care providers, the majority of whom bill patients or insurance companies after visits, despite rising medical identity theft.