When the Customer does NOT Tell You They Moved: Addressing Red Flag Compliance Gaps
An anxious and overwhelmed driver pulls a U-Haul truck into the driveway of the home he just sold. The driver has a lot on his mind and attempted to put together a complete list of things he needed to get done to ensure a successful move from his old place to his new place: gather boxes, pack small items, recruit friends to load big furniture, buy new furniture, clean the old place, find a new doctor, and more. What about letting his bank know about the move? Shoot! In this case, he forgot to call his bank, but he did let the Post Office know about his new address.
The case of the U-Haul driver is not that unusual. Typically about one-third of customers will not contact their financial institution to provide their new, updated address. From a bank perspective, the correct new mailing address is important so you can safely send physical correspondence like credit cards, debit cards, checks, and privacy notices. Aside from the customer relationship and operational cost considerations, there are critical FACT Act Red Flag requirements that determine how you need to handle address changes.
Many consumers look to simplify the moving process and believe that if they fill out the National Change of Address (NCOA) form, their mail will quickly find its way to their new residence. In these cases where the customer completes the NCOA process, the financial institution will find out about the change of address primarily in one of two ways: 1) The financial institution sends that customer a piece of mail to the old address which prompts the United States Postal Service (USPS) to send back a post card indicating the customer’s new address, or 2) the financial institution runs a periodic NCOA process against their customer information file (CIF) which returns the customer’s updated address.
So now that you have updated address information—are you able to just go ahead and use it? No. In both cases above and per the FACT Act Red Flag Rules, financial institutions cannot simply take address change notifications from the USPS and write them directly to the CIF; they must first take precautions and steps to ensure the address change is actually valid. There is good rationale—these rules were put in place to avoid schemes where thieves pose as your legitimate customers, fill out a NCOA form, and then redirect credit cards and checks to an address controlled by a fraudster.
Although the Red Flag language from the regulators is clear, we are finding many cases where financial institutions are updating the CIF with the new address without scrutinizing the change—that is a no-no. If you fall into this category, there are simple steps you can take to keep customer addresses fresh and satisfy the Red Flag requirement for validating the updated information:
- When you receive USPS Yellow Stickers, run the new addresses through an address verification service. By screening address changes through a “reasonable risk –based means,” you are in compliance.
- Periodically run an address update process against the ‘active’ CIF to identify address changes that were not provided directly from your customers.
- When you are notified of an updated address, make sure you validate the address changes through an address verification service.
- When your customer moves and tells no one, this will result in return mail. Like the address change provisions of the FACT Act, return mail must also be addressed. When you receive return mail, attempt to find your customer’s new address from a location service. This service should also include an address verification component so that you are compliant with FACT Act Red Flag Rules.
As we continue to move towards a paperless environment, maintaining the correct and current address is going to continue to become more challenging. However, until we no longer have to send out privacy statements, checks, replacement cards and other correspondence, it is critical to obtain the most current address. Bad address information can and does lead to return mail and associated costs, NRI fraud, account takeover fraud and the cost of compliance.
Written by Adam Elliott
ID Insight President, Co-Founder
Adam has a passion for creating data-driven solutions that produce positive and measurable business results. A recognized name in the analytics area, Adam has won numerous awards for marketing and training, including “Minnesotans on the Move,” the Gold Award at the Houston International Film Festival for analytics training and an award from the American Marketing Association for leading the creation of the largest B2B Webcast in Yahoo’s history. When he’s not inventing new products, he’s on the ice coaching his daughter’s hockey team.