Certified Red Flag Specialist

Identity Management Institute (IMI) introduced the Certified Red Flag Specialist® (CRFS) program to address the growing concerns regarding identity theft in the workplace. CRFS is a training and certification program for employees of all organizations facing identity theft. The program supports businesses and the Federal agencies in their efforts for improving identity theft prevention controls at organizations where the risks of identity theft might be high as some businesses provide ample opportunities for committing identity fraud.

Brief History

Due to the rise in identity fraud across many industries in the United States of America, a joint committee of various government entities including the Federal Trade Commission (FTC), OCC, Federal Reserve Board, FDIC, OTS, and National Credit Union Administration (NCUA) passed the final legislation for Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the Identity Theft Red Flags and Notices of Address Discrepancy or Red Flags Rule (Rule) on October 31, 2007, which went into effect on January 1, 2008, and had to be implemented by covered entities by November 1, 2008. Following many enforcement delays by the FTC to allow congress more clearly define the scope of covered entities, the Rule is now enforced by the FTC and other regulatory bodies as of January 1, 2011.

Purpose and Scope

The Rule simply requires that all covered entities such as financial institutions and creditors with covered accounts develop, document, implement and maintain and up to date identity theft prevention program. Covered accounts refer to those accounts which might represent a foreseeable risk of identity theft such as personal and small business accounts which include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.

Organizations which clearly fall into the covered entity category as defined by the Rule include banks, credit unions, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. The Red Flags Clarification Act of 2010 which was approved by the House, Senate and the President excludes certain entities from the covered entity scope under the Red Flags rules. For example, creditors do not include those that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person. Such creditors include individual practitioners such as lawyers, doctors, dentists, accountants and others alike who sometimes defer payments for their services and do not need to comply with the Red Flags Rule law.

The Red Flag Clarification Act defines a creditor as one that regularly and in the ordinary course of business:

• Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction,
• Furnishes information to consumer reporting agencies in connection with a credit transaction, and
• Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

The Red Flags Rule requires that the identity theft prevention program is administered properly with oversight at the highest levels of management and the Board of Directors and includes steps to identify, detect and stop identity theft red flags or warning signs from escalating. The program must address policies and procedures, staff training, third party service provider controls if any, and periodic updates.

Certified Red Flag Specialist (CRFS)®

Identity Management Institute (IMI) introduced the CRFS certification program for employees, consultants and auditors of covered financial institutions and creditors as defined by the Red Flags Rule. The Certified Red Flag Specialist®(CRFS) designation is specifically designed to train and certify individuals responsible for fighting identity theft within entities covered by the Rule as noted above. Identity theft experts who might benefit by becoming a Certified Red Flag Specialist (CRFS) include compliance analysts and managers as well as employees, auditors and consultants of organizations that need to implement, manage, and support an identity theft prevention program.

The following Critical Risk Domains (CRD) developed by IMI are closely aligned with the Federal government’s Red Flags Rule and are used for training, testing and certifying CRFS candidates:

1- Regulation
2- Program Administration
3- Risk Assessment
4- Red Flags
5- Program Management

Identity Management Institute (IMI) is a globally recognized identity risk management training and certification organization.

Learn more about IMI’s programs including the Certified Red Flag Specialist (CRFS).