Red Flags Compliance - PowerPoint PPT Presentation

About This Presentation
Title:

Red Flags Compliance

Slides: 21
Provided by: allan98

Transcript and Presenter's Notes

1
(No Transcript)
2
Are You Ready?
  • Identity fraud and identity management are
    quickly becoming critical operational concerns
    for the financial industry. The Red Flags
    Guidelines, issued in October 2007 pursuant to the
    Fair and Accurate Credit Transactions Act,
    require implementation of an Identity Theft
    Prevention Program by November 1, 2008.

3
What is ID Theft
  • Identity Theft has the same meaning as under 16
    CFR 603.2(a)
  • A fraud committed or attempted using the
    identifying information of another person without
    authority.

4
Legislation covers three main areas
  • Address Discrepancies
      • Recipients of credit reports now must take action
        upon receipt of Address Discrepancy Indicators
        (ADI) with credit reports.
  • Red Flags
      • Red Flag Rules require development and
        implementation of a written Identity Theft
        Prevention Program to detect, prevent and
        mitigate identity theft.
  • Duty of Card Issuers
      • Card issuers that receive a change of address
        notice may not issue new cards within 30 days
        unless the address is validated.

6
What is a Red Flag?
  • A pattern, practice, or specific activity that
    indicates the possible existence of identity
    theft.
  • Affects both new and existing accounts.
  • Red Flag Categories
      • Alerts, notifications or warnings from a CRA
      • Suspicious documents
      • Suspicious personal identifying information
      • Unusual use of, or suspicious activity relating
        to, the covered account
      • Notices from customers, victims of ID theft, law
        enforcement authorities, or other persons
        regarding possible ID theft in connection with
        covered accounts held by the organization

7
Red Flag Requirements
  • Four basic elements of an Identity Theft
    Prevention Program (ITPP)
      • Identify
      • Detect
      • Respond
      • Update

9
To achieve compliance
  • Perform a risk assessment to identify all
    covered accounts
  • For each covered account, identify relevant red
    flags that may indicate possible identity theft
  • For each red flag, identify appropriate
    detection and response procedures to detect and
    prevent possible identity theft
  • Develop a written identity theft prevention
    program
  • Obtain board of directors approval of the
    program
  • Provide training to appropriate staff
  • Monitor changes in identity theft and update
    program periodically
  • Oversee service provider arrangements
  • Review the program at least annually

10
Five Common Mistakes and Pitfalls
  • Approach compliance like any other Rule
  • Simply update existing Information Security
    Program
  • Consider all accounts as covered, include all 26
    Red Flags
  • Ignore service providers, business partners.
  • Forget to implement periodic Program update
    process

12
What are the consequences?
  • Non-compliance penalties can include:
      • Civil Money Penalty for Each Violation
      • Cease and Desist Order
      • Lowering of Examination Rating
      • Negative Publicity, Loss of Business
      • Consumer Lawsuit

13
Alerts, Notifications or Warnings from a Consumer
Reporting Agency
  • Fraud or active duty alert
  • Credit freeze
  • Address discrepancy
  • Inconsistent activity pattern

15
Suspicious Personal Identifying Information
  • Personal ID info inconsistent with external
    information
  • Personal ID info inconsistent with other ID info

16
Suspicious Personal Identifying Information,
continued
  • Personal ID info associated with known fraud
  • Personal ID info is of a type commonly associated
    with fraud
  • Duplicate SSN

17
Suspicious Personal Identifying Information,
continued
  • Duplicate address or telephone number
  • Incomplete required info
  • Personal ID info inconsistent with info on file
  • Inability to correctly authenticate via challenge
    questions

18
Red Flag Scope
  • Some rules are flexible
      • Creditors can tailor the program to fit the
        size/complexity of their operation
      • Creditors can incorporate existing policies and
        procedures
      • Creditors should consider all 26 example Red
        Flags across the five categories
      • Creditors should include the Red Flags that make
        sense in the context of their businesses
  • More fine print
      • Each financial institution is responsible for
        making a subjective determination of the
        applicability of the regulations to its
        customers/accounts

19
Some Helpful Web Links
  • http://www.bankersonline.com/redflags/sr222appj_suppa.html
  • http://www.bankersonline.com/regs/222/222-90.html
  • http://www.bankersonline.com/redflags/focus_sis_redflagchecklist.html
  • http://www.fdic.gov/news/news/financial/2007/fil07100.html
    for FDIC FIL-100-2007 (Identity Theft Red Flags)
  • http://www.occ.treas.gov/ftp/bulletin/2007-45.html
    to view OCC Bulletin 2007-45 (Identity Theft Red
    Flags and Address Discrepancies)
  • http://www.ots.treas.gov/docs/7/777079.html to
    view OTS 07-079 (Agencies Issue Final Rules on
    Identity Theft Red Flags and Notices of Address
    Discrepancy)

20
Questions?