Compliance Solutions

Equifax identity and fraud management solutions can help businesses comply with specific regulations, laws and industry standards regarding fraud, online data security, and personal identity protection.

NIST LOA3

As more business and personal transactions occur online, the issue of privacy and security for online portals and data services is taking center stage. Realizing the importance of having strict standards for remote identity proofing (IDP), the Office of Management and Budget (OMB) issued Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, to help agencies provide secure electronic services that protect individual privacy. The National Institute of Standards and Technology (NIST) developed standards used by public sector and commercial businesses for remote identity proofing. Special Publication 800-63-1 addresses NIST Level 3 IDP, the highest level of remote IDP process allowable.

NIST Level 3 IDP provides a standard methodology to issue credentials to previously unknown individuals in a remote/online environment.

  • Verify that the unknown applicant can demonstrate possession of a valid government ID (driver’s license or other government ID) that associates the applicant’s biographic information with that ID number
  • Verify the unknown applicant has records of a financial account number that associates the applicant’s biographic information with that account number
  • Confirm the address of record supplied by the applicant or confirm the ability of the applicant to receive telephone communications at a number associated with the applicant’s records, while recording the applicant’s voice

Equifax provides identity fraud solutions that can help you comply with NIST Level 3 IDP. To learn more, please contact us.

Red Flag Rules

Under the Red Flag Rules (RFR), financial institutions and other businesses with covered accounts must have identity theft prevention programs in place to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.

The regulations, which were developed by the United States Federal Trade Commission, along with the Office of the Comptroller of the Currency (OCC), FDIC, Federal Reserve and several other federal agencies, fall under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). In the event of an RFR violation, the regulations state that the FTC may commence a civil action and seek pecuniary penalties not to exceed $2,500 per infraction. Failure to comply with Red Flag Rules can also serve as the basis for private civil and/or class action lawsuits.

Equifax solutions help evaluate the following RFR indicators to help you comply with Red Flag Rules:

  • CRA alerts, notifications, warnings
  • Suspicious documents
  • Suspicious ID information
  • Suspicious account activity
  • Notices of potential ID theft

USA PATRIOT Act

In the wake of the terrorist attacks of September 11th, Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, better known as the USA PATRIOT Act. The USA PATRIOT Act requires institutions to check certain applicants against the government’s Office of Foreign Assets Control (OFAC) list. The USA PATRIOT Act also requires businesses to record specific identification information from documents presented with applications, such as passports, military IDs and driver’s licenses.

Equifax helps businesses comply with the USA PATRIOT Act by providing an automated solution for checking applicant information against the OFAC list and additional watch lists.

FFIEC

The Federal Financial Institutions Examination Council (FFIEC) issued guidance entitled “Authentication in an Electronic Banking Environment” that requires financial institutions to establish plans which go beyond single-factor authentication (for example, the use of only a logon ID/password). Businesses offering electronic banking services were advised to implement multi-factor authentication by the end of 2006. This guidance was updated in 2012 to reinforce the need for layered security and multi-factor authentication to protect consumer and business accounts.

Equifax helps you comply with the authentication guidance issued by the FFIEC by providing strong multi-factor authentication solutions through a variety of channels to meet business needs.

HIPAA and ARRA

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a risk-based security assessment and the implementation of appropriate authentication for access to electronic Protected Health Information (ePHI). The American Recovery and Reinvestment Act of 2009 (ARRA) provides incentive payments for Medicare and Medicaid providers who adopt, implement, upgrade, or meaningfully use certified electronic health records (EHR) technology.

The Centers for Medicare and Medicaid Services (CMS), which is responsible for enforcing the HIPAA Security Rule, recommends two-factor authentication as the Authentication Technical Standard for remote access to ePHI.

HITECH

The Health Information Technology for Economic and Clinical Health Act (HITECH) requires multi-factor authentication in certain cases involving remote access to patient information. The authentication must meet NIST Level of Assurance 3 standards. The trusted identity recommendations relate to physicians and other clinical staff who access patient records:

  • From outside of an organization's/entity's private network
  • From an IP address not recognized as part of the organization/entity or that is outside of the organization/entity's compliance environment
  • From across a network any part of which is or could be unsecure, such as across the open Internet or using an unsecure wireless connection.

Equifax helps you comply with the trusted identity requirements of these healthcare regulations by providing NIST LOA3 identity proofing and strong multi-factor authentication solutions through a variety of channels.