Saturday, April 13, 2024

December 2007 Legal Briefs

Discussion of Identity Theft Red Flags

  1. Developing Responses to Red Flags
  2. Suspicious Activity Reports & Privacy Exceptions
  3. Example of SAR Filing      
  4. Credit Report Alerts & Notices
  5. Suspicious Documents
  6. Suspicious Personal Identifying Information
  7. Unusual Use/Suspicious Activity on Account
  8. Notice of Identity Theft

Discussion of Identity Theft Red Flags

My November article discussed the regulators’ new joint regulation on identity theft red flags.  This month I am discussing the regulation’s “illustrative examples” of Red Flags.  (These appear in Supplement A to Appendix J of the regulation–in Title 12 CFR, numbered as § 334.90 for the FDIC version, § 41.90 for the OCC version and § 222.90 for the Federal Reserve version.)

Below I make comments or suggestions as to what a bank’s proper response might be to each of these Red Flags.  (A bank must develop its own written procedures, including selecting Red Flags appropriate for its business.)

A. Developing Responses to Red Flags

As stated last month, the regulation requires a financial institution or other creditor to “develop and implement a written Identity Theft Prevention Program . . .  designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” 

The Guidelines (discussed last month) provide some broad principles that a bank can use in developing appropriate procedures for responding to particular Red Flags.  In some respects, Supplement A to Appendix J is a “blank slate”: It doesn’t dictate what must be included in a bank’s responses to various Red Flags.  Yet it’s obvious a bank is required to develop workable and practical responses to Red Flag situations.  Without these, a bank’s Identify Theft Prevention Program couldn’t succeed in “mitigating” or “preventing” identity theft.  

A bank’s proposed responses to Red Flags should be carefully matched to whatever level of identity theft risk may exist in a particular case.  A bank has a lot of flexibility in drafting a policy, but still needs to come up with something that works, and something that examiners will see as appropriate.

Generally, the regulation assumes that “something needs to happen” when Red Flags are present.  Until now, the average bank perhaps never had a reason to consider in advance what would be appropriate responses to many of the situations now identified as Red Flags.  

If a bank’s response to an identity-theft situation is not aggressive enough or fast enough, the bank may not succeed in adequately limiting the risk of loss for itself, for the person who is the “real owner” of the stolen identity, or for other victims.  A well-thought-out plan for responding when Red Flags are present will make it easier to stop attempted identity theft.

B.  Suspicious Activity Reports & Privacy Exceptions

When a bank sees a Red Flag that might signal the existence of  identity-theft-related activity on a new or existing deposit account or loan, the bank should (1) analyze the situation carefully enough to understand what’s going on, and (2) take appropriate steps to shut down the problem, limit its harmful outcome, or prevent it from occurring again.

In the past, a bank was not expected to become so directly involved in addressing identity theft—after the bank had done what was necessary to protect itself from greater loss.  The new regulation pushes banks more strongly into the area of “what should we do to stop this activity and assist the victim.”

I believe the regulation’s requirement to “mitigate” the identity-theft-related incident also encompasses how to limit the impact on customers and third parties.  Having procedures for “prevention” of future incidents potentially includes not only tightening the bank’s own internal policies, but also finding ways to work externally with law enforcement and other banks, as appropriate.

A bank’s written procedures for addressing Red Flags should include the possibility of filing a Suspicious Activity Report (SAR), even in situations where Federal law does not mandate such a filing.  (Filing a SAR—even when it’s optional—creates a “safe harbor” under Federal law. The bank then can share a copy of the SAR with local law enforcement, without any liability or privacy violation.  Although Federal officials may not investigate a SAR filed on an “optional” basis, local law enforcement officials can still take action.)

In many cases an unsuccessful identity-theft incident may be known only to the bank—and not to the intended victim, if that person is not a bank customer.  Unless the bank finds permissible ways to inform law enforcement and/or other banks about attempted or actual fraud, there may be no “mitigation” or “prevention,” and the fraud may continue elsewhere.

C.  Example of SAR Filing  

Let’s say a bank receives a credit card application by mail, but discovers that there is a “file freeze” on the credit report. When the bank calls the applicant concerning the freeze, the applicant seems surprised.  If the applicant just backs away from the application process and does not attempt to get the file freeze released, the bank may be dealing with a fraudster attempting to steal the “real” consumer’s credit. 

What should be done in a case like this?  If the credit report is frozen and never released, the bank is permitted to treat the application as incomplete. The loan isn’t made, the bank has no loss, and if the bank isn’t completely sure what’s going on, maybe this is all that should happen.

However, if there is some actual or suspected criminal violation, the bank can file a SAR on an optional basis.  Identity theft is a crime under Oklahoma law; and submitting a false loan application to a financial institution (for example, applying in a different person’s name, with fraudulent intent) is a Federal crime.

Does filing a SAR (and giving a copy to local law enforcement) help to “prevent and mitigate identity theft” in this example? I would say “yes.”  It may help to catch or run off the fraudster before his activities cause even more damage.  Generally, the regulation anticipates that bank will do something rather than nothing, if it detects a Red Flag and is uneasy about what it sees.

If a bank does not file a SAR and provide a copy to local law enforcement, the local officials may not learn about or investigate the person who has attempted to commit fraud. The bank would not be doing all that it could to “prevent” future identity theft.

D. Credit Report Alerts & Notices

This heading is the first of five categories of Red Flags attached to the regulation.  In this category are four Red Flags, which I will discuss separately:

1. “A fraud or active duty alert is included with a consumer report.”  Since 2004 the FACT Act has allowed a consumer to put a “fraud alert” in his own credit report, lasting for a period of not less than 90 days.  (This typically happens when a consumer is the victim of fraud or identity theft, or learns that someone has attempted to fraudulently gain access to his credit.) 

An “active duty military consumer” can put an “active duty alert” on his credit report when he is assigned to service away from his usual duty station.  (This precaution does not necessarily indicate an attempt to steal the person’s identity, but a service member abroad is potentially more vulnerable to identity theft—just as anyone who is gone for an extended time is more vulnerable.)

Based on 15 U.S.C. Section 1681c-1, a lender obtaining a credit report including either a “fraud alert” or “active duty alert” cannot (1) approve any new closed-end loan, (2) give an additional person a card on an existing account, or (3) grant a request to increase the credit limit on an existing account, unless the lender utilizes reasonable policies and procedures to form a reasonable belief that the lender knows the identity of the person making the request.

This Red Flag covers a situation that every bank is required by law to address.  A bank should already be using reasonable verification procedures whenever it encounters a “fraud alert” or “active duty alert.”  But now the bank must include the procedures in its Identity Theft Prevention Program (or may reference where this matter is covered in a separate policy).

The only change may be that a bank’s previously separate requirement becomes part of a more comprehensive policy.  The subject becomes part of a more formal “checklist,” and that helps to ensure better training and compliance.

 One bank’s response to a “fraud alert” or “active duty alert” may differ somewhat from what other banks do.  Even within the same bank, the appropriate response may depend on what the bank already knows about the particular consumer’s circumstances.  One bank’s procedure might state that the individual loan officer is required to verify the applicant’s identity in an “alert” situation.  Another bank may require its “risk control committee” or fraud officer to verify in any “alert” situation that the bank is dealing with the right person. 

Some banks might retain a written account of what the bank did to verify the applicant’s identity, if an “alert” appears on the credit report.  Also, some banks might require any loan application to be approved by a supervisor or the loan committee if there is any type of “alert” in the file–even though the loan falls within the individual loan officer’s lending limit. 

2.  “A consumer reporting agency provides a notice of credit freeze.”  Since January 1, 2007, any consumer in Oklahoma can place a “freeze” on his credit file.  (Only identity theft victims or persons at least 65 years of age can obtain a freeze without paying a fee.  Very few consumers in Oklahoma have requested credit freezes.)  

A credit freeze on a consumer’s credit report is reason for caution, but not always cause for alarm.  Some credit freezes are not tied to identity theft.  (A consumer can request a credit freeze for any or no reason.) 

For example, a bank’s elderly customer who is afraid of identity theft might place a freeze on his credit report just for “peace of mind.”  Although the bank has a very risk-averse consumer, there has been no identity theft incident. This specific situation (although a freeze is in place) involves no higher fraud-loss risk to the bank than the average loan applicant who has no freeze in place.  Any credit report “freeze” should be a Red Flag, but in some situations no further action or precautions by the bank are needed.

On the other hand, in some circumstances where there is a freeze on a credit report, the applicant might be a person attempting to commit fraud, rather than the victim.  A bank probably won’t incur losses in this “credit freeze” scenario if it never approves a loan application until the “frozen” credit report is released.

A credit bureau will always require appropriate verification from the consumer before releasing a “frozen” credit report.  If a loan applicant is successful in obtaining a release of the freeze, the bank is probably safe in concluding that it is dealing with the correct person. 

However, if the loan applicant for whatever reason does not attempt to release the freeze so that the application can be processed, a bank may legitimately begin to suspect that it is dealing with the fraudster, not the victim. It should consider appropriate steps such as filing a SAR and providing a copy to local law enforcement.

3. “A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) [FDIC version].”  As discussed last month, if a credit bureau gives a lender a “notice of address discrepancy” because the applicant’s stated address does not match any of the addresses on the credit report, the lender will be required by the regulation (1) to take steps necessary to form a reasonable belief that it is dealing with the same person listed in the credit report, or else (2) not use that credit report as a basis for approving the transaction.

In following the regulation’s requirements, a bank must ask questions if a borrower’s stated current address does not match the credit report address.

A “notice of address discrepancy” is different from most of the other Red Flags, because for this one the regulation already tells the bank what response is required—either (1) learning facts that would explain the address discrepancy to the bank’s reasonable satisfaction, or else (2) not making the loan. Whenever a loan applicant is bogus, these two steps will greatly reduce the chance of a credit loss for the bank and identity theft for the “real consumer.” A SAR can also be filed (with a copy to local law enforcement) if the bank remains uneasy as to the identity of the applicant.  

I know of one case involving a father and son who had the same name.  The father had good credit, but the son’s was bad.  The son stole his father’s identity, taking out credit cards, and attempted to make the payments for a while.  The father’s Social Security number was used on the loans, but with the son’s address.  When the son obtained the first loan using a different address, the application would not have matched anything on the father’s credit report.  After that, both addresses would have appeared.  This type of fraud is difficult for a lender to detect, even by examining the son’s valid driver’s license in the same name.  Only a notice of “address discrepancy” might have tipped off a lender—or perhaps some loan relationship (such as a mortgage) on the father’s credit report that was obviously too old to belong to someone of the son’s age.  

4. “A consumer report indicates a pattern of activity inconsistent with the history or usual pattern of activity of an applicant or customer.”This category is very broad.  No pre-established written procedure will fit everything that may fall under this heading.  A strange pattern of activity on a credit report may indicate that a bank needs to investigate more thoroughly before going forward. This particular Red Flag is just as likely to be an indicator of deteriorating finances, as it is of identity theft, but either way the lender needs to understand what’s happening. 

Four sub-categories are listed under this general heading: (a) “a recent and significant increase in the volume of inquiries,” (b) “an unusual number of recently established credit relationships,” (c) “a material change in the use of credit, especially with respect to recently established credit relationships,” or (d) “an account that was closed for cause or identified for abuse of account privileges.”

Particularly on credit card applications, lenders often decline an application if the credit report indicates the consumer has made an excessive number of recent credit applications. If recent credit cards that a consumer has obtained recently have all been run up to the maximum balance, this might be identity theft or might be extreme financial stress, perhaps caused by a major illness, loss of a job, or even a gambling addiction. 

For an elderly consumer who has excellent credit and almost no outstanding debt, if a lot of new credit suddenly shows up, this may indicate identity theft.  When a consumer has older credit cards with almost no balance, but also has a lot of newer cards that are “maxed out,” this might indicate that a fraudster obtained the newer cards. 

E.  Suspicious Documents

The “suspicious documents” category has five separate Red Flags.  These are so serious that the bank probably needs to decline the transaction, and also may want to report the situation, depending on what it is.

5. “Documents provided for identification appear to have been altered or forged.” When a document looks bad, it almost certainly is bad, and hopefully a bank wouldn’t go any farther.

6. “The photograph or physical description on the ID is not consistent with the appearance of the applicant or customer.”  Maybe a wig or change in hair color or style could change the person’s appearance to some extent.  I think its O.K. to ask someone (if necessary) to take off their sunglasses, scarf or hood; and you can even joke with them a bit, stating “it’s to get a better look at your beauty” (young or old, male or female).  If you explain that this is for their protection, the “real” customer usually won’t object—and often appreciates that you’re being careful. 

Sometimes a thief who steals a purse or billfold may look somewhat like the victim.  A thief might deliberately fix her hair in a similar way and try to use the victim’s ID to write checks, etc.  If the picture doesn’t look quite right, a bank employee should carefully check the height and eye color information.  (The weight on anyone’s driver’s license may be less accurate, over time.)

7. “Other information on the ID is not consistent with information provided by the person.” For example, an ID might have a birth year that doesn’t match the person at all.  A “different address” is not necessarily a problem, but creates an opportunity for more checking. Drivers’ licenses in Oklahoma are now issued for four years, and lots of people move within that period of time.  If a driver’s license address does not match the loan application, this is not automatically a bad sign; but hopefully the address history on the person’s loan application will include a past address that matches the time period when a driver’s license was issued with that same address.  

8. “Other information on the ID is inconsistent with readily accessible information on file, such as a signature card.”  If the bank is uncertain whether the ID presented by someone matches its actual customer, the bank can compare the signatures on the bank’s signature card and the ID.  There might be “conflicting information” if the ID uses a “nickname” (Bunny or Junior) but bank records show the person’s actual legal name.  Someone’s “formerly single” or “formerly married” surname on an ID or on the bank’s records may also cause a mismatch.  Asking for appropriate legal documents (birth certificate, marriage license, divorce decree, or legal change of name) is always appropriate to resolve this particular Red Flag—and it needs to be straightened out anyway.

9. “Application appears to have been altered or forged, or destroyed and reassembled.” With mailed applications that also show an address change, a bank may legitimately be suspicious, and can check the signature and information against any other available records.  If an application appears to have been torn up, and then pasted together before it was filled out, this is a really bad sign that the form may have been stolen out of a customer’s trash.

F. Suspicious Personal Identifying Information

There are nine separate Red Flags under this category:

10. & 11.  “Personal identifying information provided is inconsistent when compared against external information sources or other personal identifying information provided by the customer.”  The Social Security Administration will not verify that a Social Security number (SSN) belongs to a particular consumer.  However, it is possible to determine through other sources (1) that a particular SSN used by a consumer is one that has been issued to someone, (2) that the number is active (in other words, the person to whom it belongs is living), and (3) that it was issued in a particular state.  Obviously, if a bank can determine that the SSN provided by the consumer has not been issued, or that the person to whom it belongs is no longer living, there is fraud. Even when a SSN’s owner is shown as “living,” if the SSN was issued in a state that does not seem to match a loan applicant’s known background, the lender can ask in what state his SSN was issued, and if he cannot answer correctly, there is probably fraud.

Additionally, all SSNs have been issued in ranges of numbers that relate to certain spans of time.  By using charts that explain the sequence of issuance of SSNs, it may be possible to determine that a particular SSN (although belonging to someone who is still living) was issued too long ago to belong to a particular applicant.  I will discuss the methods of detecting fraudulent SSNs in a future article.

12 & 13. “Personal identifying information provided is associated with known fraudulent activity or is of a type commonly associated with fraudulent activity.”  The list of Red Flags gives some examples of this:  The address or phone number on an application is the same as the address or phone number on a fraudulent application received by the financial institution or a third party.  (A fraudster applying for credit under multiple names, including stolen identities, would logically use the same address or phone number, as his contact information.)

An additional example provided with the Red Flags is an “address on an application [that] is fictitious, a mail drop, or prison.”  A fraudster applying for a loan in person might use a valid cell phone number but a bogus address.  Particularly if a loan is small and unsecured, the applicant may be notified of approval by phone; and the loan might be closed without the lender learning that the address provided is phony or no longer effective.  To avoid this problem, a loan officer who does not personally know a loan applicant might attempt to verify the person’s address online, at or similar sites.  Even persons owning a cell phone are usually not listed in the phone book.

Particularly in metro areas, “mail service” stores provide mail and shipping services and also lease private mail boxes.  If the address shown on a loan or deposit account application is a box number at one of these store-front businesses (not a P.O. Box), under CIP a bank must also require the physical street address of the individual’s residence or business, or at least a physical address of next of kin or a contact individual. If an applicant refuses to provide this information, the loan or deposit account probably should be declined.

 (I’m not saying that everyone who rents a box at a mailing service is a fraudster.  I do think someone renting a box of this type is interested in privacy and may be trying to make it difficult for people to find him.  Using one of these boxes as a primary mailing address is a Red Flag, and should be investigated, but it’s not an automatic indicator of fraudulent intent.)

Another example is a “phone number [that] is invalid, or is associated with a pager or answering service.”  Some consumers may not have a phone number, but that’s not why an applicant lists a phone number that is not in service or a “wrong number.” Someone doing this is trying to deceive.

If someone gives only a pager number on an application, this is similar to a person trying to hide behind the mailing service company’s mail box as an address.  He is sort of saying, “My pager lets me talk to you whenever I want, but I want to be in control of whether you can get in touch with me.”  

Much the same issue applies to someone who gives an answering service as his phone number.  A person may be trying to hide behind a “front” by giving an answering service number instead of his “direct access” number. (Sometimes the operator won’t even disclose that it’s an answering service.)  Dozens of different phone numbers ring to the same operator, who answers one call as “Dr. Bob’s Vet Clinic,” the next as “Bill’s Plumbing Supply,” and another as “ABC Manufacturing.”  (If “ABC Manufacturing” is your loan customer and this is the only contact number available during normal business hours, it may indicate you’re dealing with only a “shoe-string” operation, a fly-by-night scam, or someone trying to impersonate a real company.) 

14 & 15.  “The SSN provided is the same as for other persons opening an account or other customers; the address or telephone number is the same as for an unusually large number of other persons opening accounts, or other customers.” This problem is less likely at a smaller bank, where the same people process most applications and would notice the similarity.  It is harder to detect this at larger banks that have many branches.  However, many banks have an information system that allows them to search by SSN, and when all related accounts using the same SSN are pulled up, the fact that several individuals are using the same SSN could be caught, and would be an obvious indication of fraud. It probably isn’t possible to search the new customer’s information against existing accounts by phone number or by street address.  A whole group of “real” people will not use the same address and phone number, but a fraudster certainly does. 

16.  “A person opening an account, or other customer fails to provide all required personal identifying information on an application or in response to notice of missing information.”  Certainly some people won’t slow down, hate to fill out forms, are not detail-oriented, and continually procrastinate.  However, the “genuine” customer should have available, or can obtain, all information necessary to complete an application, and, if prodded enough, will eventually give the bank adequate information.  An “identity thief,” by contrast, may not know enough information to fill out an application correctly with respect to the person whose identity he is stealing.  Any person’s apparent lack of sufficient information to fill out the form, or his protests about having to fill out the answers, should be viewed as a Red Flag, and may indicate a fraudster. 

17. “Personal identifying information provided is not consistent with personal identifying information on file with the financial institution.”  If a bank mails to its customers a credit card solicitation, and a customer throws the form away, a thief could find it, fill it out, and attempt to change the mailing address. That thief may put something on the form that doesn’t match what the bank already knows.  If new loan applications by existing borrowers are always channeled through the pre-existing loan officer, there is a greater chance that incorrect information will be noticed and investigated before a new transaction is approved.

18. “If asked ‘challenge questions,’ the person transacting on an account or opening a new account cannot provide authenticating information beyond what might be available in a stolen wallet or consumer report.”  Many banks ask authenticating questions before disclosing any customer information by phone, acting on verbal wire instructions, or changing the customer’s online banking password.  For example, the bank may have previously obtained the customer’s mother’s maiden name, or city of birth, or birthdate and year.  If someone later is unable to supply this information when requested, this strongly suggests that the person who is attempting the transaction is not the accountholder.

G. Unusual Use/Suspicious Activity on Account

There are seven Red Flags listed under this category:

19.  “Shortly after a bank receives a notice of change of address for an account, it also receives a request for new, additional or replacement cards on the account, or a request to add authorized signers.”  (For accounts with cards, this subject has its own section in the new regulations—Section 334.91 (FDIC version)—which I will cover next month.)

A fraudster who steals a customer’s identity often seeks to hide the theft by changing the mailing address for the checking account, credit card, etc.  The imposter may also state that the credit or debit card has been lost and needs to be replaced, or that he wants to authorize an additional person to have a card or to sign on the account.  This second step could give the thief access to a card account for which he had stolen the information but not the card, or may help him to access an account under a fraudulent identity that he has established.

Certainly when people change their residence they can misplace a card.  Boxes go into storage, or may not be unpacked for months.  A request for a replacement card can be legitimate. Also, as elderly people become feebler and move closer to their adult children, it often makes sense for a child to be added to the parent’s account following the address change. Ideally, someone at the bank who knows the customer’s voice can call to verify the situation, or the bank can use “challenge questions” (information known only to customer) to verify that it is really the customer who wants these changes.  

20. “A new revolving credit account is used in ways associated with common patterns of fraud.” A pattern of card use may be a Red Flag, but first someone has to notice it.  A fraudster who applies for a credit card tends to run up the balance quickly, does so in large transactions, and uses mostly cash advances, or purchases only those items (such as electronics or jewelry) that can easily be sold for cash.  (A thief is unlikely to use a fraudulent credit card for transactions of a type that can be linked directly to him or his address—such as utility payments, payments on other accounts, or items purchased on the internet and mailed to his address.  By contrast, a “real” cardholder uses a card in more typical consumer shopping patterns—for gas, groceries, restaurants, entertainment, etc., and not in amounts that are always large.)

An additional Red Flag is a cardholder who doesn’t make even the first payment, or makes one payment and stops.  Instead of handling the account with normal late-payment notices until it is 60 days past due, a bank’s system perhaps should kick the loan out for review much more quickly if the first or second payment is missed.  This probably should include reviewing the type of transactions on the account.

21. “An account is used in a manner not consistent with established patterns of activity on the account.”  Examples include the following:  (a)  “nonpayment when there is no history of late or missed payments,” (b) “a material increase in the use of available credit,” (c) “a material change in purchasing or spending patterns,” or (d) “a material change in EFT patterns in connection with a deposit account.”  In these situations an immediate careful investigation is warranted, but it can’t happen until someone notices the change in activity.  An account that is never overdrawn might become overdrawn, or a teller may notice some large checks that seem completely out of line with a customer’s known spending patterns.

Most such examples could also be explained by a rapid deterioration in the accountholder’s financial condition, instead of identity theft, but either situation needs quick investigation as soon as the pattern is noticed.

22. “An account has been inactive for a reasonably lengthy period of time, but then is used.”  This might occur on either a credit card or deposit account.  To determine whether this is a Red Flag, the type of account, expected pattern of usage, and other relevant factors should be considered.  For example, if someone has an MMDA and makes no deposits and writes no checks for a long time, it’s not necessarily strange that there’s suddenly a large expenditure of a type that someone might have been saving for—a payment to a travel agency for a cruise, or a check for a child’s first semester of college expenses.  By contrast, if there’s an inactive account belonging to a customer known to be in a nursing home, and money starts being spent at casinos, something is badly wrong.

23. “Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted on the customer’s account.”  It may be a more serious issue if the bank has lost contact with its credit card customer but transactions continue.  A fraudster who owes money would certainly try to “get lost” and not provide a change of address.  On a checking account, a person could legitimately move away but continue to write checks against the existing balance—after all, that person wants his money.  Maybe the customer has forgotten to provide a notice of address change, or is procrastinating.  Maybe the customer continues to have direct deposits (such as Social Security) and continues to write checks.  For a checking account, the bank probably would want to scrutinize carefully the signature on at least some of the checks being written, to satisfy itself that the customer still has control of the account. The bank should probably try to communicate with a relative or friend who may be able to provide a new address or telephone number, so that the bank can reestablish contact with its customer.  

24. “The financial institution or creditor is notified that the customer is not receiving paper account statements.”  This is almost always a bad sign, and should be investigated immediately.  It usually means either (1) that statements are being stolen out of the mail (for example, from an unlocked outside mail box) by someone who is trying to gain access to account information from a deposit account or credit card statement, or (2) the mail is actually being received at the proper address, but the person intercepting it (a bookkeeper, caregiver, relative, etc.), is hiding the statements from the accountholder so that unauthorized checks or charges will go undiscovered.

25. “The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s account.”  Unauthorized items must be investigated immediately–(1) so that additional unauthorized items will not be paid; (2) so that any unauthorized paid items that the bank is required to reimburse will not cause authorized items to be returned unpaid (or additional overdraft charges to be incurred); and (3) so that the bank can promptly determine how much liability it has, and can respond to its customer.  

 (For alleged unauthorized debit and credit card transactions, Regulation E sets out the time periods for the customer to report a transaction and for the bank to re-credit its customer.  For unauthorized checks–and particularly those that occur over a span of several months before they are discovered–the bank’s liability may be cut back by some combination of the “repeat forger” rule in UCC Section 4-406 and the time period for reporting bad items, as set out in the monthly statement.)

Whenever there is actual identity theft (someone has gotten hold of checks or a card and is using the account as if they were the customer), the standard response is to close the account immediately and open another one, to avoid incurring losses for additional bad items presented later.

H. Notice of Identity Theft

This is the last Red Flag category and contains only one item:

26. “The bank is notified by a customer, victim of identity theft, law enforcement agency, or other person that it has opened a fraudulent account for a person engaged in identity theft.”  This is the opposite of the previous item (where a thief attacks a legitimate account).  Here, the account itself is bogus, because the bank has been dealing only with the thief and not with the person who owns that identity.

Of course, the bank does not start by knowing that it has set up a fraudulent account.  But someone contacts the bank (someone who is not the thief) to indicate that the account is fraudulent.  Various privacy exceptions or procedures will allow the bank to communicate certain items of information to persons who are not the bank’s (fraudulent) customer.

First, filing a SAR is an excellent idea (even if the bank’s loss is below the level at which filing a SAR would be mandatory).  After filing the SAR, the bank can turn over a copy of the information to local law enforcement, who may be able to investigate and take action. 

Second, if the bank has a fraud loss from the incident, the bank can bring criminal charges against the thief, and can turn over to the D.A. any information in support of the criminal charges it is filing.

Third, Section 216.15(a)(2)(ii) of Regulation P, as an exception to the privacy rules, allows a bank to disclose a customer’s information “to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.”  When an account is entirely fraudulent (set up by a trickster who has stolen someone else’s identity), this exception certainly applies.  However, the bank’s first task is to satisfy itself that there is a fraud or potential fraud (in other words, it must look at the account and the information provided, and determine that the person providing notice of a fraud is apparently right), before the bank turns over information based on the “fraud exception.” This exception allows the bank to share information with other banks, third parties, or law enforcement, as necessary in the situation.

Fourth, if the person providing notice can demonstrate to the bank that he is the victim of an identity theft, he can obtain information on the fraudulent account established in his name–although technically it is not his account.