Red Flags: I think I’m compliant, but this is costing me big time!

Published: November 11, 2008 by Keir Breitenfeld

One of the more significant operational concerns around Red Flags compliance centers on the management of resultant referral volumes, i.e., the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected.

These concerns are not without merit, and are arguably the most frequently discussed Red Flag issue with our client base.

Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction. For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction. In fact, using such tools may allow organizations to speed up the origination process for these customers and identify and focus resources on those transactions that pose the greatest potential for identity theft.

A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact. Detection of Red Flag conditions is literally only half the battle. In fact, responding to those Red Flag conditions is a substantial problem to solve for most institutions. A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the vast majority of referrals to real-time approvals without staff intervention or customer hardship.

Rather than implementing a “rules-based” program (one in which particular Red Flags are identified, detected and used in isolation or near isolation in decisioning), many institutions are opting to approach Red Flag compliance from a “risk-based” perspective. This “risk-based” approach assumes that no single Red Flag Rule or even set of rules provides a comprehensive view of a consumer’s identity and associated fraud risk. Instead, a “risk-based” systematic approach to consumer authentication employs a process by which an appropriately comprehensive set of consumer data sources can provide the foundation for highly effective fraud prediction models in combination with detailed consumer authentication conditions (such as address mismatches or Social Security number inconsistencies).

A risk-based fraud detection system allows institutions to make consumer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a consumer’s identity and predicted likelihood of associated identity theft.

Many, if not all, of the suggested Rules in the published guidelines are not “silver bullets” that ensure the presence or absence of identity theft. A substantial ratio of false positives will comprise the set of consumers and accounts being reviewed as having met one or more of the suggested Red Flag rule conditions. These rules and guidelines are intended neither to prevent legitimate consumers from establishing relationships with institutions nor create a burdensome and prohibitive volume of consumer “referrals.” While those rules incorporated into an institution’s Program must be addressed when detected, a risk-based system allows for an operationally efficient method of reconciliation in tandem with identity theft mitigation.