The Federal Trade Commission Red Flags Rule, which implements the identity theft provisions in the Fair and Accurate Credit Transactions Act of 2003 (FACTA) for certain businesses and organizations, has received much attention in the banking industry. However, many insurers may be surprised to discover that the Red Flags Rule can be an insurance compliance issue as well.
If you haven't yet examined the Rule and its potential reach into your organization, the good news is that there is still time. While the original enforcement date was Nov. 1, 2008, the FTC has now delayed the enforcement of the Rule for creditors and financial institutions, with the new effective date set for June 1, 2010. The purpose of this extension is to help companies determine if their business is "covered by the Rule and what they must do to comply."
The Red Flags Rule was developed to help combat fraud. It requires financial institutions and creditors to conduct a risk assessment to determine if they have "covered accounts," those being consumer-type accounts that pose a reasonable risk of identity theft. Under the Rule, entities determined to have covered accounts are required to develop a written program that identifies and detects key warning signs and suspicious patterns of possible identity theft, provides for ongoing detection, defines an action plan that includes prevention and mitigation, and allows for control, auditing and updating.
While identity theft risk is, on its face, generally viewed as a bank and finance company issue, it's easy to see the Red Flags Rule's potential impact on insurance companies when you examine the term "covered accounts." The FTC defines these as accounts used mostly for "personal, family, or household purposes that involve multiple payments or transactions." Common examples of these accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts, with no obvious mention of an insurance company situation. To determine Rule applicability, insurers should not look solely at the lines of business they write, but rather should analyze the customer transactions and activities in which they are engaged. Consider the following insurer-specific examples, which could fall under the Rule:
–Claims Payment Process
Life insurers may process death benefits by opening an account either in one of their subsidiaries or within a third party's corporate structure. While the goal of such an action would be to hold the proceeds of the death benefit, allowing the beneficiary to draw upon these funds, this process may create what is defined as a "covered account."
–Procuring New Business
Another functional area or process that should be examined is that of the selling and solicitation by agents as they procure new and renewal business. Assessing whether any of their activities pose a risk of identity theft or create such opportunities is important in determining overall potential applicability to any insurer's operations. Activities downstream of the backroom operations can sometimes be clouded by an out-of-sight, less transparent framework.
Whether it is life insurers providing a controlled account process to handle death benefits distributions, insurers engaged in financing premium payments, or life insurers offering varied investment products, taking stock now, through an original risk assessment of insurer operational activities, can help prevent possible findings of noncompliance by regulators in the future.