The Federal Trade Commission's Red Flags Rule, which implements the identity theft provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) for certain businesses and organizations, has received much attention in the banking industry. However, many insurers may be surprised to discover that the Red Flags Rule can be an insurance compliance issue as well.
If you haven't yet examined the Rule and its potential reach into your organization, the good news is that there is still time. While the original enforcement date was Nov. 1, 2008, the FTC has since delayed enforcement of the Rule for creditors and financial institutions, with the new enforcement date set for June 1, 2010. The stated purpose of the extension is to help companies determine whether their business is "covered by the Rule and what they must do to comply."
The Red Flags Rule was developed to help combat fraud. It requires financial institutions and creditors to conduct a risk assessment to determine whether they have "covered accounts," meaning consumer-type accounts that pose a reasonably foreseeable risk of identity theft. Entities that determine they have covered accounts must develop a written program that identifies key warning signs and suspicious patterns of possible identity theft, provides for ongoing detection, defines an action plan that includes prevention and mitigation, and allows for oversight, auditing and updating.
While on its face identity theft risk is generally viewed as a bank and finance company issue, the Red Flags Rule's potential impact on insurance companies becomes clear when you examine the term "covered accounts." The FTC defines these as accounts used mostly for "personal, family, or household purposes that involve multiple payments or transactions." Common examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts, with no obvious mention of an insurance company situation. To determine whether the Rule applies, insurers should look not solely at the lines of business they write, but should instead analyze the customer transactions and activities in which they are engaged. Consider the following insurer-specific examples, which could fall under the Rule:
--Claims Payment Process
Life insurers may process death benefits by opening an account, either in one of their subsidiaries or within a third party's corporate structure, to hold the proceeds of the death benefit and allow the beneficiary to draw upon the funds. Although the goal of such an arrangement is simply to hold and disburse the proceeds, the resulting account may meet the definition of a "covered account."
--Procuring New Business
Another functional area that should be examined is the selling and solicitation performed by agents as they procure new and renewal business. Assessing whether any of these activities pose a risk of identity theft, or create opportunities for it, is important in determining whether the Rule applies to an insurer's operations. Activities that sit outside the back office, such as agent and producer channels, are often less visible and therefore easier to overlook in a risk assessment.
Whether it is life insurers providing a controlled account process to handle death benefit distributions, insurers engaged in financing premium payments, or life insurers offering varied investment products, completing an initial risk assessment of operational activities now can help prevent findings of non-compliance by regulators in the future.
Detailed information from that assessment should be collected, reviewed, and retained as evidence of the analysis and of compliance for future audits or exams. Insurers should keep the key action elements of the Red Flags Rule in mind and use them in their internal risk assessment process:
o Identification of activity that may signal possible identity theft (the Red Flags);
o Ongoing detection of Red Flags that have been identified;
o Ability to respond effectively to Red Flags to prevent and mitigate theft; and
o Periodic review and updating of Red Flags and procedures to keep pace with emerging threats.
The FTC has noted that it is intensifying its efforts to educate organizations about Red Flags and help them determine if they are covered by the Rule. The extended enforcement date provides your company with more time to take advantage of industry resources, FTC guidance documents, consulting services and educational tools that can help.
It's important to remember that the consequences of Red Flags Rule non-compliance are not limited to a finding in a future exam or audit report. Non-compliance by a covered entity could result in civil monetary penalties assessed by the FTC per violation, with the maximum civil penalty per violation currently set at $3,500. The FTC is also permitted to seek injunctive relief for Red Flags Rule violations.
Preparing now helps protect your organization and the consumers you serve.
Kathy Donovan is senior compliance counsel for the Insurance Compliance Solutions group at Wolters Kluwer Financial Services, which provides regulatory intelligence, policy management, process management, and oversight to help financial services organizations address their compliance needs. Her email address is Kathy.Donovan@wolterskluwer.com.