Update on Identity Theft 'Red Flags'

July 19, 2010

By Kimberly Bohannon

Last year, identity theft was the Federal Trade Commission’s (FTC) No. 1 consumer complaint category. About 1.3 million people were victims of the crime, accounting for 21% of total complaints.

Identity thieves are hard at work finding new ways to use members’ personal information to open new accounts and misuse existing accounts. It’s a crime that wreaks havoc for members and credit unions.

The Fair and Accurate Credit Transactions Act (FACT Act), enacted in 2003, created new regulations and guidelines regarding identity theft detection, prevention, and mitigation. The identity theft “red flags” rules became effective in 2008 for federal credit unions and some state-chartered credit unions. All state charters must comply by December 2010. (Check with your compliance liaison if you're unsure about your specific compliance timeline.)

The red flags rules apply to “financial institutions” and “creditors” with “covered accounts.” Covered accounts include those used mostly for personal, family, or household purposes, and that involve multiple payments or transactions. Examples are credit card accounts, mortgage loans, automobile loans, checking accounts, and savings accounts. Other covered accounts are small-business or sole-proprietorship accounts.

Encourage staff to be aware of and vigilant for red flags of identity theft, including:

  • A fraud alert included with a consumer credit report;
  • Unusual credit activity, such as an increased number of accounts or inquiries;
  • Identification (ID) documents appear altered or forged;
  • An ID photo inconsistent with the member’s appearance;
  • An application appears forged, altered, or destroyed and reassembled;
  • ID information doesn’t match any address in the member’s report, or the Social Security number hasn’t been issued or appears on the Social Security Administration’s Death Master File, which includes Social Security numbers of deceased individuals;
  • A Social Security number that matches a number submitted by another person opening an account, or other members;
  • A suspicious address, such as a mail drop or a prison;
  • A phone number associated with a pager or an answering service;
  • An address or phone number that is supplied by a large number of applicants;
  • A person opening an account or a member is unable to correctly answer challenging questions;
  • The member uses most of his or her available credit for cash advances, jewelry, or electronics, and fails to make the first payment;
  • An account that has been inactive for a long time suddenly exhibits unusual activity; or
  • Mail sent to the member repeatedly returns as undeliverable, despite ongoing transactions on an active account.

The FTC identified 26 possible red flags of identity theft your credit union should review in its training program. It’s also a good idea to include specific incidents of identity theft that your credit union has experiencedFor example, if the credit union had an incidence of wire transfer fraud, red flags training could include this scenario.

Encourage staff to be alert to red flags that might have indicated possible identity theft that led to a specific incidence of fraud. And review security measures the credit union has in place to prevent further fraud.

In addition to the red flags, regularly review and update your credit union’s policies, practices, and previous experiences with identity theft and fraud cases.

For more information on the FTC’s red flags rules, visit

Kimberly Bohannon is compliance and risk management officer at Knoxville (Tenn.) TVA Employees Credit Union. Contact her at 865-544-5443.