copyright© 2010 wecomply, inc. all rights reserved. 10/10/2015 facta red flags

Copyright© 2010 WeComply, Inc. All rights reserved.

04/21/23

FACTA Red Flags

Copyright© 2010 WeComply, Inc. All rights reserved. 3

What Is Identity Theft?

Identity theft: "A fraud committed or attempted using the identifying information of another person without authority"

Identifying information includes —

•Names, Social Security numbers, dates of birth, or driver's license, alien-registration and passport numbers

•Unique biometric data — e.g., fingerprints or retinal scans

•Unique electronic data — e.g., identification number, address, routing code

Identity theft is more prevalent where accounts may be opened/accessed remotely


Fighting Identity Theft with FACTA

This training will help you —

•Identify, detect and respond appropriately to red flags

•Ensure that red flags are updated periodically

Every organization that handles consumer data should be alert for red flags that apply to its business

FACTA —

•Is a federal consumer-rights law

•Is intended to lower risk of identity theft

•Requires organizations to have an Identity Theft Prevention Program


Identifying and Detecting Red Flags

Red flag: Pattern, practice or activity that indicates the possible existence of identity theft

Categories of FACTA red flags:

•Warnings from consumer reporting agencies

•Suspicious documents

•Suspicious personal identifying information

•Suspicious accounts or unusual use of an account

•Notice or alerts of possible identity theft from customers, law enforcement or other persons


In the news…


Identifying and Detecting Red Flags (cont'd)

Consider how likely you are to encounter red flags in yourwork based on —

•The types of business and personal accounts we offer ormaintain

•The methods we provide for opening these accounts

•The methods we provide for allowing access to theseaccounts

•Our previous experience with identity theft


Warnings from Consumer Reporting Agencies

Red flag may be alert or notification from consumer reporting agency

Red flag might also arise if consumer report shows suspicious pattern of activity —

•Significant increase in volume of inquiries

•Many recently established credit relationships

•Material change in the use of credit, especially with new credit relationships

•Account being closed for cause or flagged for abuse of account privileges


Suspicious Documents

Red flags for suspicious documents:

•Documents appear to have been altered or forged

•Photograph, physical description or other information is inconsistent with appearance of applicant/customer

• Information is not consistent with information on file — e.g., signature card or recent check

• Application gives appearance of having been destroyed and reassembled

Fraudulent documents are much more prevalent — and harder to detect — now that identity thieves use digital methods


Suspicious Personal Identifying Information

Red flags for personal identifying information:

•Information provided is inconsistent with that obtained from other sources

•Information provided is inconsistent with other personal identifying information provided by the individual

•Information provided is associated with known fraudulent activity

•The individual cannot answer a challenge question correctly


Suspicious Account Activity

Red flags for suspicious account activities:

•Unauthorized charges or transactions in a customer's account

•Request for new, additional or replacement materials or to add authorized users

•Account usage inconsistent with established patterns of activity

•Mail sent to customer is returned repeatedly, though transactions continue to be conducted


Pop Quiz!

Which of the following is an example of suspicious account activity?

A. A significant change in fund-transfer patterns.

B. A substantial increase in available credit.

C. Nonpayment after a long history of consistent, timely payments.

D. An inactive account is used suddenly.

E. All of the above.


Notice or Alert of Identity Theft

Red flag may arise if customer, victim, law-enforcement authority or other third party notifies us of possible identity theft or suspicious activity:

• Customer notifying us of unauthorized charges to his/her account

• Local police notifying us that we have opened fraudulent account for person engaged in identity theft

• Internal alert indicating that certain accounts have been accessed by unauthorized users

• Report by financial institution, creditor or other organization of breach of security involving individuals who are or may be account-holders


Low-Tech Red Flags

There are many low-tech ways — called social engineering — used to gain unauthorized access to confidential information:

• Impersonating an authorized person online, by phone or even in person

• Coaxing information out of employees by preying on their trust, charming them or flirting

• Rigging the system, offering to "fix it," then accessing passwords in the course of repairing it

• Entering work area and looking over people's shoulders to see passwords

• Sifting through unshredded documents in trash


Pop Quiz!

Based on what you've learned in this course thus far, which of the following do you think is the most commonly reported form of identity theft?

A. Credit-card fraud.

B. Utilities fraud.

C. Employment fraud.

D. Bank fraud.


Responding to Red Flags

If you encounter any red flags, we must assess the risk of identity theft

If we conclude that there is not a risk, we have satisfied our responsibilities

If we determine that there is a risk of identity theft, we might —

•Monitor an account

•Contact the customer

•Change passwords or security codes

•Not open a new account or close an existing account

•Reopen an account with a new account number

•Notify law enforcement


Other Information-Security Practices

Employees must use responsible information-security practices:

• Never leaving computers unattended when account information is on screen

• Disposing of documents properly

• Using strong passwords and never letting anyone "borrow" them

• Safeguarding mobile devices that contain personal data

• Using encryption when transporting confidential information outside office

Third-party service providers must have their own Identity Theft Prevention Program in compliance with FACTA


Address Discrepancies

We have special obligations if a credit agency notifies us that address on credit report does not match what we provided for the consumer

We must determine whether report belongs to correct consumer by —

• Verifying consumer's identity in accordance with Customer Information Program (CIP) rules

• Maintaining our own records — e.g., applications, change-of-address notifications, other consumer account records, retained CIP documentation

• Obtaining records from third-party sources

In lieu of this, we may verify credit-report information with consumer directly


Change-of-Address Requests

Card issuers must validate address change when request for additional/replacement card is within 30 days of address-change request

New card may not be issued unless card issuer —

• Notifies cardholder of address-change request and provides way to report incorrect address change, or

• Assesses validity of address-change request according to FACTA-compliant procedures

Validation may also be performed before request for additional/replacement card


Identity Theft – a Moving Target

FACTA requires us to keep our identity-theft-prevention policies and procedures updated

If experience has led you to identify other red flags, share them with your supervisor

About half of consumers said they would switch the company they do business with for one that offered better protection against identity theft

By improving our ability to identify, detect and respond to red flags, we can —

•Serve our customers better

•Increase our customer base

•Play a valuable role in limiting identity theft


04/21/23

Final Quiz


04/21/23

Questions?


04/21/23

Thank you for participating!

This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.