Presentation Overview
  Course Objective
  2013 Data Breaches
  2013 Identity Fraud Data
  Identity Fraud Prevention Techniques
  Audit Considerations
  Quiz
  Certified Red Flag Specialist (CRFS) ®
  Raffle
  Questions
Copyright Identity Management Institute®

Course Objective
  The main topic of this session is:
    o Identity fraud prevention techniques (and more)
  **This session excludes information security controls.
  The key points to remember are:
    o Personal information continues to be stolen despite our efforts
    o Identity fraud is rising
    o Regulations and focus will increase because consequences include:
        Consumers are impacted in large numbers
        Expectation for government assistance is high
        Business losses justify prevention (lower margins, bad publicity, lawsuits, fines and penalties, lost customers, and lower revenues)

2013 Data Breaches
  2164 separate incidents, 822 million records lost or stolen (double since 2011)
  Hacking accounted for 60% of all cases
  Just a few cases accounted for most damage:
    o Target, Adobe, JP Morgan Chase, Facebook, IRS
  US leads the way - 48.7% of total incidents, and 66.5% of all lost records
    o UK was 2nd and South Korea 3rd with just one massive incident (credit bureau employee stole and sold 20 million customer card information)

2013 Identity Fraud Data
  Stolen personal records lead to:
    o More than 12 million victims of identity fraud annually
    o Over $50 billion in identity fraud losses
  Increased need for resources:
    The IRS employs 3000 employees to work solely on identity theft cases, who:
    o Detected 14 million suspicious tax returns
    o Prevented $50 billion in fraudulent refunds

Red Flag Categories
  There are 5 Red Flag categories to which we must pay attention:
  1. Alerts received from consumer reporting agencies or service providers.
  2. The presentation of suspicious documents.
  3. The presentation of suspicious personal information.
  4. Unusual and suspicious activity.
  5. Notices from customers, law enforcement authorities, or other persons regarding possible identity theft.

Consumer Reporting Agency Alerts
  Consumer reporting agency alerts and reports often include information which can be used to detect identity theft.
  1. Fraud alert placed by consumers.
  2. Notice of credit freeze in response to a request for a consumer report.
  3. Notice of address discrepancy.
  4. Unusual pattern of activity such as:
     a. A recent and significant increase in the volume of inquiries;
     b. An unusual number of new accounts;
     c. A material change in the use of credit, especially with respect to recently established credit relationships; or
     d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents
  1. Identification documents or applications appear to have been altered, forged or reassembled.
  2. The photograph or physical description on the identification is not consistent with the appearance of the applicant.
  3. Information on the identification is not consistent with information provided by the person.
  4. Information on the identification is not consistent with readily accessible information that is on file such as a signature card or a recent check.

Suspicious Information
  1. Personal identifying information provided is inconsistent. For example:
     a. SSN is other than 9 digits
     b. Zip code does not match the address location
  2. Personal identifying information provided by the customer is not valid. For example:
     a. Phone number, address or SSN does not exist
     b. SSN is listed on the Social Security Administration's Death Master File
  3. Personal identifying information provided is associated with known fraudulent activity. For example:
     a. The address or phone number on an application is the same as the information provided on a fraudulent application.

Suspicious Information – Cont.
  4. The SSN, phone number or address provided is the same as that submitted by other persons opening an account or by existing customers.
  5. The person opening the account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
  6. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. (Crook on the phone)

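The "Suspicious Information" checks above can be run as a batch screen over new applications. The following is an added example, not part of the original presentation; the field names, flag labels and the two reference sets (a stand-in for a Death Master File lookup and for contact details from known fraudulent applications) are assumptions, and all sample values are constructed and fictitious.

```python
import re
from collections import defaultdict

REQUIRED = ("name", "ssn", "phone", "address")
# Constructed reference data; every value below is fictitious.
DECEASED_SSNS = {"900000001"}            # stand-in for a Death Master File lookup
FRAUD_CONTACTS = {("phone", "5550100"), ("address", "12 elm st")}

def normalize(field, value):
    """Canonical form so trivially different spellings compare equal."""
    if field in ("ssn", "phone"):
        return re.sub(r"\D", "", value)
    return re.sub(r"\s+", " ", value.strip().lower())

def screen(applications):
    """Return {application id: sorted red flags} for a batch of applications."""
    flags = defaultdict(set)
    owners = defaultdict(set)            # (field, value) -> application ids
    for app in applications:
        aid = app["id"]
        clean = {f: normalize(f, app.get(f) or "") for f in REQUIRED}
        for f in REQUIRED:
            if not clean[f]:
                flags[aid].add(f"missing:{f}")      # item 5: incomplete application
        ssn = clean["ssn"]
        if ssn and len(ssn) != 9:
            flags[aid].add("ssn_not_9_digits")      # item 1a
        if ssn in DECEASED_SSNS:
            flags[aid].add("ssn_on_death_file")     # item 2b
        for f in ("ssn", "phone", "address"):
            if not clean[f]:
                continue
            if (f, clean[f]) in FRAUD_CONTACTS:
                flags[aid].add(f"known_fraud:{f}")  # item 3a
            owners[(f, clean[f])].add(aid)
    # Second pass, item 4: same SSN, phone or address on different applications.
    for (f, _), ids in owners.items():
        if len(ids) > 1:
            for aid in ids:
                flags[aid].add(f"shared:{f}")
    return {aid: sorted(found) for aid, found in flags.items()}

# Constructed sample batch.
SAMPLE = [
    {"id": "A1", "name": "Pat Doe", "ssn": "900-00-0002", "phone": "555-0111", "address": "9 Oak Ave"},
    {"id": "A2", "name": "Sam Roe", "ssn": "90000000", "phone": "555-0100", "address": "12  Elm St"},
    {"id": "A3", "name": "Lee Poe", "ssn": "900 00 0002", "phone": "", "address": "40 Pine Rd"},
    {"id": "A4", "name": "Kim Coe", "ssn": "900000001", "phone": "555-0123", "address": "7 Ash Ln"},
]
```

Applications with no flags are absent from the result, so an empty dictionary means the whole batch passed these checks.
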
Suspicious Account Activity
  Shortly following the notice of a change of address, the institution receives a request for a new, additional, or replacement card, cell phone, and/or users on the account. Company must validate within 30 days.
  A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
    o The majority of credit available for cash is used
    o The majority of available credit is used to purchase merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
    o The customer fails to make the first payment or makes an initial payment but no subsequent payments.

Suspicious Account Activity – Cont.
  Account usage is inconsistent with established patterns of activity:
     a. Nonpayment when there is no history of late or missed payments,
     b. A material increase in the use of available credit or cell phone account,
     c. A material change in purchasing or spending patterns,
     d. A material change in electronic fund transfer patterns in connection with a deposit account.
  A covered account that has been inactive for a reasonably lengthy period of time is used.
  Mail sent to the customer is returned repeatedly as undeliverable and transactions are occurring.
  The company is notified that the customer is not receiving paper account statements.
  **The company is notified of unauthorized transactions.

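Several of the account-activity red flags above depend on the order and timing of events on one account. The following is an added example, not part of the original presentation, that evaluates three of them over an event history; the event names, flag labels and the three thresholds are assumptions (the slides say only "shortly", "reasonably lengthy" and "repeatedly"), and the sample history is constructed.

```python
from datetime import date, timedelta

ADDRESS_WINDOW = timedelta(days=30)   # assumption: "shortly following" read as 30 days
DORMANCY = timedelta(days=365)        # assumption: "reasonably lengthy" read as one year
RETURNED_MAIL_LIMIT = 2               # assumption: "repeatedly" read as two or more

def account_red_flags(events):
    """events: (date, kind) tuples for one account, in any order. Returns sorted flags."""
    flags = set()
    last_address_change = None
    last_transaction = None
    returned_mail = 0
    for day, kind in sorted(events):
        if kind == "address_change":
            last_address_change = day
        elif kind in ("card_request", "add_user"):
            # New/replacement card or added user soon after a change of address.
            if last_address_change and day - last_address_change <= ADDRESS_WINDOW:
                flags.add("request_after_address_change")
        elif kind == "returned_mail":
            returned_mail += 1
        elif kind == "transaction":
            # Account used again after a long inactive period.
            if last_transaction and day - last_transaction > DORMANCY:
                flags.add("dormant_account_used")
            # Mail keeps bouncing but the account is still being used.
            if returned_mail >= RETURNED_MAIL_LIMIT:
                flags.add("transactions_despite_returned_mail")
            last_transaction = day
    return sorted(flags)

# Constructed sample history for one account.
SAMPLE_EVENTS = [
    (date(2013, 1, 5), "transaction"),
    (date(2014, 2, 1), "address_change"),
    (date(2014, 2, 10), "card_request"),
    (date(2014, 2, 20), "transaction"),
    (date(2014, 3, 1), "returned_mail"),
    (date(2014, 3, 15), "returned_mail"),
    (date(2014, 3, 20), "transaction"),
]
```
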
Don’t Forget Service Providers
  The company remains responsible for preventing fraud even if it outsources operations to a third party service provider.
  The written agreement between the company and the third party service providers must require the third parties to:
     a) Have reasonable policies and procedures designed to identify, detect and respond to identity theft red flags.
     b) Share their identity theft prevention program at the request of the company.
     c) Communicate major incidents and/or control deficiencies which may adversely affect the company and its customers.

Identification & Authentication
  Key controls include:
    o Obtain and verify customer identification
    o Authenticate customers in person, by phone, mail, and online
    o Consider FFIEC guidelines for online multi-factor authentication
    o Monitor transactions
    o Follow up on alerts and notices
    o Validate change of address requests

Audit Considerations
  Written and updated Identity Theft Prevention Program
  Oversight body approval initially and for updates
  Periodic risk assessments
  Policies and procedures
  Annual compliance report
  Employee training
  Address discrepancy notices received from credit reporting agencies.
  Keep an eye on service providers

Regulation
  In response to record-breaking identity theft cases and consumer impact, the US federal government introduced the Red Flags Rule to require the implementation of an identity theft prevention program in companies where consumers may be adversely affected by identity theft.

Professional Certification
  The Certified Red Flag Specialist (CRFS) ® designation is a registered trademark of Identity Management Institute ® and is the leading identity theft prevention training and certification program which is closely aligned with the Red Flags Rule.
  Visit the IMI website to learn more: www.theimi.org

Quiz 1
  Which of the following is considered a “Red Flag” which may indicate the possibility of identity theft?
    □ High volume of customer service calls
    □ Credit line increase request
    □ High volume of inquiries in the credit report

Quiz 2
  The identity theft prevention program must be:
    □ Approved annually
    □ In writing
    □ Updated annually
    □ All of the above

Raffle
  Send an email to firstname.lastname@example.org with name, company and title by Friday 4/4/14.
  Write “IIA Raffle” in the subject
  email@example.com
  2 persons will be selected in April 2014 to waive the membership and CRFS application fees.

Questions
  Thank you for your participation.