are you ready? identity fraud and identity management are quickly becoming critical operational...
TRANSCRIPT
Are You Ready?Are You Ready?Identity fraud and identity
management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines issued in October 2007 pursuant to the Fair and Accurate Credit Transactions Act requires implementation of an Identity Theft Prevention Program by November 1, 2008.
Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines issued in October 2007 pursuant to the Fair and Accurate Credit Transactions Act requires implementation of an Identity Theft Prevention Program by November 1, 2008.
What is ID TheftWhat is ID Theft
“Identity Theft” has the same meaning as under 16 CFR 603.2(a)
• “A fraud committed or attempted using the identifying information of another person without authority.”
“Identity Theft” has the same meaning as under 16 CFR 603.2(a)
• “A fraud committed or attempted using the identifying information of another person without authority.”
Legislation covers three main areas:Legislation covers three main areas:
• Address Discrepancies• Recipients of credit reports now must take action upon
receipt of Address Discrepancy Indicators (ADI) with credit reports.
• Red Flags• Red Flag Rules require development and implementation of
a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft.
• Duty of Card Issuers• Card issuers that receive a change of address notice may not issue
new cards within 30 days unless the address is validated.
• Address Discrepancies• Recipients of credit reports now must take action upon
receipt of Address Discrepancy Indicators (ADI) with credit reports.
• Red Flags• Red Flag Rules require development and implementation of
a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft.
• Duty of Card Issuers• Card issuers that receive a change of address notice may not issue
new cards within 30 days unless the address is validated.
Legislation covers three main areas:Legislation covers three main areas:
• Address Discrepancies• Recipients of credit reports now must take action upon
receipt of Address Discrepancy Indicators (ADI) with credit reports.
• Red Flags• Red Flag Rules require development and implementation of
a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft.
• Duty of Card Issuers• Card issuers that receive a change of address notice may not issue
new cards within 30 days unless the address is validated.
• Address Discrepancies• Recipients of credit reports now must take action upon
receipt of Address Discrepancy Indicators (ADI) with credit reports.
• Red Flags• Red Flag Rules require development and implementation of
a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft.
• Duty of Card Issuers• Card issuers that receive a change of address notice may not issue
new cards within 30 days unless the address is validated.
What is a Red Flag?What is a Red Flag?A pattern, practice, or specific activity that indicates the
possible existence of identity theft.Affects both new and existing accounts.
Red Flag Categories Alerts, notifications or warnings from a CRA Suspicious documents Suspicious personal identifying information Unusual use of, or suspicious activity relating to, the
covered account Notices from customer, victims of ID theft, law
enforcement authorities, or other persons regarding possible ID theft in connection with covered accounts held by the organization
A pattern, practice, or specific activity that indicates the possible existence of identity theft.
Affects both new and existing accounts.
Red Flag Categories Alerts, notifications or warnings from a CRA Suspicious documents Suspicious personal identifying information Unusual use of, or suspicious activity relating to, the
covered account Notices from customer, victims of ID theft, law
enforcement authorities, or other persons regarding possible ID theft in connection with covered accounts held by the organization
Red Flag RequirementsRed Flag RequirementsFour basic elements of an Identity Theft Prevention
Program (ITPP):
•
• Identify
• Detect
• Respond
• Update
Four basic elements of an Identity Theft Prevention Program (ITPP):
•
• Identify
• Detect
• Respond
• Update
Red Flag RequirementsRed Flag RequirementsFour basic elements of an Identity Theft Prevention
Program (ITPP):
•
• Identify
• Detect
• Respond
• Update
Four basic elements of an Identity Theft Prevention Program (ITPP):
•
• Identify
• Detect
• Respond
• Update
To achieve compliance:To achieve compliance:– Perform a risk assessment to identify all covered accounts
– For each covered account, identify relevant red flags that may indicate possible identity theft
– For each red flag, identify appropriate detection and response procedures to detect and prevent possible identity theft
– Develop a written identity theft prevention program
– Obtain board of directors approval of the program
– Provide training to appropriate staff
– Monitor changes in identity theft and update program periodically
– Oversee service provider arrangements
– Review the program at least annually
– Perform a risk assessment to identify all covered accounts
– For each covered account, identify relevant red flags that may indicate possible identity theft
– For each red flag, identify appropriate detection and response procedures to detect and prevent possible identity theft
– Develop a written identity theft prevention program
– Obtain board of directors approval of the program
– Provide training to appropriate staff
– Monitor changes in identity theft and update program periodically
– Oversee service provider arrangements
– Review the program at least annually
Five Common Mistakes and PitfallsFive Common Mistakes and Pitfalls
1. Approach compliance like any other Rule
2. Simply update existing Information Security Program
3. Consider all accounts as covered, include all 26 Red Flags
4. Ignore service providers, business partners.
5. Forget to implement periodic Program update process
1. Approach compliance like any other Rule
2. Simply update existing Information Security Program
3. Consider all accounts as covered, include all 26 Red Flags
4. Ignore service providers, business partners.
5. Forget to implement periodic Program update process
Five Common Mistakes and PitfallsFive Common Mistakes and Pitfalls
1. Approach compliance like any other Rule
2. Simply update existing Information Security Program
3. Consider all accounts as covered, include all 26 Red Flags
4. Ignore service providers, business partners.
5. Forget to implement periodic Program update process
1. Approach compliance like any other Rule
2. Simply update existing Information Security Program
3. Consider all accounts as covered, include all 26 Red Flags
4. Ignore service providers, business partners.
5. Forget to implement periodic Program update process
What are the consequences?What are the consequences?
Non-compliance penalties can include:
• Civil Money Penalty for Each Violation
• Cease and Desist Order
• Lowering of Examination Rating
• Negative Publicity, Loss of Business
• Consumer Lawsuit
Non-compliance penalties can include:
• Civil Money Penalty for Each Violation
• Cease and Desist Order
• Lowering of Examination Rating
• Negative Publicity, Loss of Business
• Consumer Lawsuit
Alerts, Notifications or Warnings from a Consumer Reporting AgencyAlerts, Notifications or Warnings from a Consumer Reporting Agency
1. Fraud or active duty alert2. Credit freeze3. Address discrepancy4. Inconsistent activity pattern
1. Fraud or active duty alert2. Credit freeze3. Address discrepancy4. Inconsistent activity pattern
Alerts, Notifications or Warnings from a Consumer Reporting AgencyAlerts, Notifications or Warnings from a Consumer Reporting Agency
1. Fraud or active duty alert2. Credit freeze3. Address discrepancy4. Inconsistent activity pattern
1. Fraud or active duty alert2. Credit freeze3. Address discrepancy4. Inconsistent activity pattern
Suspicious Personal Identifying
Information Suspicious Personal Identifying
Information
10.Personal ID info inconsistent with external information
11.Personal ID info inconsistent with other ID info
10.Personal ID info inconsistent with external information
11.Personal ID info inconsistent with other ID info
Suspicious Personal Identifying Information, continued
Suspicious Personal Identifying Information, continued
12.Personal ID info associated with known fraud
13.Personal ID info is type commonly associated with fraud
14.Duplicate SSN
12.Personal ID info associated with known fraud
13.Personal ID info is type commonly associated with fraud
14.Duplicate SSN
Suspicious Personal Identifying Information, continued
Suspicious Personal Identifying Information, continued
15.Duplicate address or telephone number
16.Incomplete required info
17.Personal ID info inconsistent with info on file
18.Inability to correctly authenticate via challenge questions
15.Duplicate address or telephone number
16.Incomplete required info
17.Personal ID info inconsistent with info on file
18.Inability to correctly authenticate via challenge questions
Red Flag ScopeRed Flag ScopeSome rules are flexible:
• Creditors can tailor program to fit the size/complexity of operation
• Creditors can incorporate existing policies and procedures • Creditors should consider all 26 example
Red Flags across the five categories• Creditors should include the Red Flags
that make sense in the context of their businesses
More fine print:Each financial institution is responsible for making
subjective determination of applicability of regulations for their customers/accounts
Some rules are flexible:• Creditors can tailor program to fit the size/complexity of
operation• Creditors can incorporate existing policies and procedures • Creditors should consider all 26 example
Red Flags across the five categories• Creditors should include the Red Flags
that make sense in the context of their businesses
More fine print:Each financial institution is responsible for making
subjective determination of applicability of regulations for their customers/accounts
Some Helpful Web LinksSome Helpful Web Linkshttp://www.bankersonline.com/redflags/sr222appj_suppa.html
http://www.bankersonline.com/regs/222/222-90.html
http://www.bankersonline.com/redflags/focus_sis_redflagchecklist.html
http://www.fdic.gov/news/news/financial/2007/fil07100.html for FDIC FIL-100-2007 (Identity Theft Red Flags)
http://www.occ.treas.gov/ftp/bulletin/2007-45.html to view OCC Bulletin 2007-45 (Identity Theft Red Flags and Address Discrepancies)
http://www.ots.treas.gov/docs/7/777079.html to view OTS 07-079 (Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy)
http://www.bankersonline.com/redflags/sr222appj_suppa.html
http://www.bankersonline.com/regs/222/222-90.html
http://www.bankersonline.com/redflags/focus_sis_redflagchecklist.html
http://www.fdic.gov/news/news/financial/2007/fil07100.html for FDIC FIL-100-2007 (Identity Theft Red Flags)
http://www.occ.treas.gov/ftp/bulletin/2007-45.html to view OCC Bulletin 2007-45 (Identity Theft Red Flags and Address Discrepancies)
http://www.ots.treas.gov/docs/7/777079.html to view OTS 07-079 (Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy)
Questions?Questions?