We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJody Barrett
Modified about 1 year ago
©2012 CliftonLarsonAllen LLP 1 111 Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact. Justin Robinson Engagement Director CliftonLarsonAllen LLP
©2012 CliftonLarsonAllen LLP 2 Agenda Critical elements of the rule Red Flag compliance vs. BSA compliance What does an identity theft red flag risk assessment look like? Are 26 red flags appropriate for all credit unions? Using existing safeguarding member information program to mitigate and prevent Red Flags Identification of other means currently utilized that prevent and mitigate risk Red Flag Response Matrix
©2012 CliftonLarsonAllen LLP 3 ID Theft Top Consumer Fraud Complaint FTC reported the top consumer fraud complaint received in 2011 was identity theft 12 years in row 15% of all complaints Misuse of government documents fraud was the most common form of reported identity theft (approximately 27% of complaints), followed by credit cards (14%).
©2012 CliftonLarsonAllen LLP 4 Identity Theft Red Flag Requirements In October 2007, the Federal Banking Regulators issued final rules implementing the Identity Theft Red Flag Requirements of the FACT Act Written program to detect, prevent, and mitigate identity theft Overlap of IT and consumer compliance
©2012 CliftonLarsonAllen LLP 5 What is Identity Theft? Fraud committed or attempted using, without authority, the identifying information of another person –Name, SSN, TIN, etc. –Very broad
©2012 CliftonLarsonAllen LLP 6 Types of Identity Theft Hacking, dumpster diving, insider theft, phishing, shoulder surfing, family members, stealing (laptop, purse), physical break-in Shotgunning - the identity thief applies for multiple loans from multiple lenders on the same property within a short period of time. The identity thief then takes advantage of the lag time in recording mortgages as lenders are unable to identify the existence of the other mortgages before funding the loans
©2012 CliftonLarsonAllen LLP 7 Important Point The Identity Theft Red Flag Rules are very different from BSA BSA – required to report on suspicious transactions and money laundering but not necessarily required to prevent it Identity Theft Red Flag Rule – you are required to prevent identity theft and can be held accountable if you do not Consequently, you must approach compliance with this rule differently
©2012 CliftonLarsonAllen LLP 8 Four Critical Elements 1.Identify relevant Red Flags for the accounts the credit union offers or maintains, and incorporate those Red Flags into its Program; 2.Detect Red Flags that have been incorporated into the Program of the credit union; 3.Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and 4.Ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to members
©2012 CliftonLarsonAllen LLP 9 Seven Step Process STEP 1: Identity Theft Program Administrator STEP 2: Conduct a Risk Assessment STEP 3: Identify Relevant Red Flags STEP 4: Detect Red Flags STEP 5: Preventing and Mitigating Red Flags STEP 6: Board Approval and Staff Training STEP 7: Updating the Program
©2012 CliftonLarsonAllen LLP 10 STEP 1: Identity Theft Program Administrator Select an individual or committee to oversee and administer the Program. The Administrator is responsible for the implementation, oversight, and updating of the program. The Administrator will need to be capable of addressing these steps to effectively implement the Program.
©2012 CliftonLarsonAllen LLP 11 STEP 2: Conduct a Risk Assessment Conduct a risk assessment to identify all covered accounts for the rule. The rule defines a “covered account” as: –An account that a credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; or –Any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.
©2012 CliftonLarsonAllen LLP 12 STEP 2: Conduct a Risk Assessment The credit union should take into consideration all of the following risk factors: –The types of accounts offered or maintained; –Methods provided to open accounts (web site, internet banking, etc.); –Methods provided to access accounts (bill payment, telephone banking, internet banking, etc.); and –Previous experiences with identity theft.
©2012 CliftonLarsonAllen LLP 13 STEP 2: Conduct a Risk Assessment Identify all threats and the potential for harm, determine your existing safeguards, analyze whether you need additional safeguards Some threats include: –Scams –Hacking –Trusted Insiders –Physical Break-Ins –Shoulder Surfing Do not forget general Fraud –Mortgage, check, appraisal, etc.
©2012 CliftonLarsonAllen LLP 14 STEP 2: Conduct a Risk Assessment Determine existing safeguards –Policies –Procedures –Automated tools –Training –Testing and monitoring –Authentication process
©2012 CliftonLarsonAllen LLP 15 STEP 2: Conduct a Risk Assessment Taking all of that into consideration, determine: –Likelihood of identity theft occurring –Potential impact of identity theft No mandated format May be combined with another risk assessment, such as your member information security risk assessment, but make sure all elements of the Identity Theft rule are met
©2012 CliftonLarsonAllen LLP 16 STEP 3: Identify Relevant Red Flags The regulators have provided us with five general categories of Red Flags: Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; The presentation of suspicious documents; The presentation of suspicious personal identifying information, such as a suspicious address change; The unusual use of, or other suspicious activity related to, a covered account; and Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union.
©2012 CliftonLarsonAllen LLP 17 STEP 3: Identify Relevant Red Flags In addition, the Regulators have provided us with specific examples of Red Flags that fall into these general categories. Supplement A to Appendix J in the rule, includes a list of 26 different Identity Theft Red Flags While these specific Red Flags are provided as examples, the list is not meant to be exhaustive
©2012 CliftonLarsonAllen LLP 18 STEP 4: Detect Red Flags Develop procedures and controls to detect the identified Red Flags The detection requirement is simply a due diligence requirement to utilize sound controls that will help in detecting the Red Flags Applies to new and existing accounts
©2012 CliftonLarsonAllen LLP 19 STEP 4: Detect Red Flags Use your existing Member Information Security Program and Customer Identification Program. You already have these in place. These will be very important going forward and could be the ultimate determining factor in whether you can comply with the rule or not.
©2012 CliftonLarsonAllen LLP 20 STEP 4: Detect Red Flags Ensure effective detective controls by: Obtaining identifying information about, and verifying the identity of, a person opening a covered account –For example, using the policies and procedures regarding identification and verification set forth in your Customer (Member) Identification Policy (CIP) program. Authenticating members Monitoring transactions, accounts, systems, dormant accounts, applications
©2012 CliftonLarsonAllen LLP 21 STEP 4: Detect Red Flags Penetration testing Vulnerability assessments IT audit –Detect fraudulent activity Financial audit Verifying the validity of change of address requests, in the case of existing covered accounts. Developing procedures referencing the existing CIP and security procedures as controls to detect appropriate Red Flags
©2012 CliftonLarsonAllen LLP 22 STEP 5: Preventing and Mitigating Red Flags IT audit Written procedures and policies related to verifying identity that are enforced CIP Authentication Encryption Firewalls
©2012 CliftonLarsonAllen LLP 23 Employee background checks Employee training Fraud and Identity Theft training Record retention/disposal of information Due diligence of service providers STEP 5: Preventing and Mitigating Red Flags
©2012 CliftonLarsonAllen LLP 24 STEP 5: Preventing and Mitigating Red Flags Responses to Red Flags The Program must include appropriate responses to detected Red Flags The appropriate credit union response will vary depending on the risk posed by the detected Red Flag You probably already have an Incident Response Plan but you may need to expand it Keep documentation related to response
©2012 CliftonLarsonAllen LLP 25 STEP 5: Preventing and Mitigating Red Flags Examples of Credit Union responses to detected Red Flags: Monitoring a covered account for evidence of identity theft Contacting the member Changing any passwords, security codes, or other security devices that permit access to a covered account Reopening a covered account with a new account number Not opening a new covered account Closing an existing covered account Not attempting to collect on a covered account or not selling a covered account to a debt collector Notifying law enforcement Determining that no response is warranted under the particular circumstances
©2012 CliftonLarsonAllen LLP 26 STEP 5: Preventing and Mitigating Red Flags Third Party Providers Your credit union should have controls in place to ensure that third party service providers have Red Flag detection procedures in place. Take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, you could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the federal credit union, or to take appropriate steps to prevent or mitigate identity theft.
©2012 CliftonLarsonAllen LLP 27 STEP 6: Board Approval and Staff Training Obtain written approval of the Program from the Board of Directors or an appropriate committee of the Board of Directors Train appropriate staff to implement the Program. Staff should be aware of identified Red Flags, controls to detect these Red Flags, and appropriate responses to detection Train any staff member who could detect or prevent Identity Theft Training should cover your identified Red Flags, policies and procedures, and reporting process for Identity Theft
©2012 CliftonLarsonAllen LLP 28 STEP 6: Board Approval and Staff Training Annual Reporting: “staff of credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the credit union.”
©2012 CliftonLarsonAllen LLP 29 STEP 6: Board Approval and Staff Training Contents of the report: Material matters related to the Program such as: –The effectiveness of the policies and procedures in addressing the risk of identity theft; –Service provider arrangements; –Significant incidents involving identity theft and management’s response; –Recommendations for material changes to the Program.
©2012 CliftonLarsonAllen LLP 30 STEP 7: Updating the Program The credit union should periodically update its Red Flags based on the following factors: The experiences of the credit union with identity theft; Changes in methods of identity theft; Changes in methods to detect, prevent, and mitigate identity theft; Changes in the types of accounts the credit union offers or maintains; and Changes in the business arrangements of the credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
©2012 CliftonLarsonAllen LLP 31 ID Theft Red Flags Today Risks Exams –Potential for larger impact Civil suits?
©2012 CliftonLarsonAllen LLP 32 ID Theft Trends FinCEN Report on ID Theft Trends, Patterns and Typologies. –Report issued September 2010 –Studied SARs filed 2003-2009
©2012 CliftonLarsonAllen LLP 33 ID Theft Trends Credit Card ID Theft –Physical theft –Virtual theft –30% of the time the thief added his/her name as an authorized user
©2012 CliftonLarsonAllen LLP 34 ID Theft Trends Deposit Account Fraud –ID thief opens a new joint account with member’s name. –Thief then poses as victim and directs transfer from existing member’s account into joint account
©2012 CliftonLarsonAllen LLP 35 ID Theft Trends Other notable trends –22% of SARs filed involved friends or family members of the victim –27% of SARS filed indicated the victim knew the identity thief –Only 18% of the SAR filings noted the identity theft was discovered within 1 week of the theft –37% of the filings noted the theft was discovered 3+ months after the account was compromised
©2012 CliftonLarsonAllen LLP 36 ID Theft Trends Notable “Red Flags” that aided discovery: –Notification by consumer that a fraudulent account was opened –Notification by consumer that there are unauthorized transactions –Incorrect social security number –Change of address requests
©2012 CliftonLarsonAllen LLP 37 ID Theft Trends Tax Fraud, FinCEN Letter March 2012 (FIN-2012- A005) –Additional Red Flags related to Tax Refund ID Theft ◊ Multiple direct deposit tax refund payments, directed to different individuals ◊ Suspicious or authorized account opening at a depository institution, on behalf of individuals who are not present, with the fraudulent actor being named as having signatory authority. The subsequent source of funds is limited to the direct deposit of tax refunds.
©2012 CliftonLarsonAllen LLP 38 Tips Use existing risk assessments, policies, procedures and programs Create a standard form staff can use to report suspected identity theft Designate a centralized person/group to receive all incident reports of identity thefts and other incidents Change/improve your response procedures as your system evolves and you learn what does/does not work Make your program useable, not difficult to utilize and comprehend
©2012 CliftonLarsonAllen LLP 39 ©2012 CliftonLarsonAllen LLP Questions? Justin Robinson Engagement Director CliftonLarsonAllen LLP 612.414.6590 Justin.firstname.lastname@example.org
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
Technology Supervision Branch Interagency Identity Theft Red Flags Regulation Bank Compliance Association of CT Bristol, CT September 3, 2008.
Tiffany George Attorney, Division of Privacy & Identity Protection Federal Trade Commission COMPLYING WITH THE RED FLAGS RULE & ADDRESS DISCREPANCY RULE.
IDENTITY THEFT & THE RED FLAGS RULE Presented by Brady Keith, Assistant General Counsel CREDIT MANAGEMENT SERVICES, INC.
Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.
IDENTITY THEFT 2015 ANNUAL TRAINING By: Denise Goff.
UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE University of Washington Red Flag Rules Protecting Against Identity Fraud.
RMG:Red Flags Rule 1 Regal Medical Group Red Flags Rule Identify Theft Training.
New Identity Theft Rules Rodney J. Petersen, J.D. Government Relations Officer Security Task Force Coordinator EDUCAUSE.
Understanding the Fair and Accurate Credit Transaction Act, the “Red Flag” Regulations, and their impact on Health Care Providers Raising a “Red Flag”
Copyright 2007, Integrated Compliance Solutions, LLC FACT Act Red Flags Bank Compliance Association of Connecticut September 3, 2008 Copyright 2007, Integrated.
1 The FACT Act – An Overview The FACT Act An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies Naomi Lefkovitz Attorney,
Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.
FTC RED FLAG RULE As many as nine million Americans have their identities stolen each year. Identity thieves may drain their accounts, damage their credit,
ANTI-MONEY LAUNDERING COMPLIANCE PROGRAM FCM TRAINING.
Identity Theft and Red Flag Rules Training Module The University of Texas at Tyler.
Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
1 Identity Theft Prevention and the Red Flag Rules.
Red Flag Identity Theft Training California State University, Fullerton Campus Information Technology Training August 2012.
© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED. Raising a “Red Flag”: Understanding the Fair and Accurate Credit Transactions Act, the “Red Flag”
IDENTITY THEFT. RHONDA L. ANDERSON, RHIA, PRESIDENT ANDERSON HEALTH INFORMATION SYSTEMS, INC.
Red-Flag Identity Theft Requirements February 19th 2009 Cathy Casagrande, Privacy Officer.
Red Flags Rule & Municipal Utilities. What is the Red Flags Rule? The federal Fair and Accurate Credit Transactions Act (FACT Act, or FACTA) required.
The FTC’s Red Flag Rule. FTC Red Flag Regulations Why the Red Flag Regulations?
1 Red Flag Rules: What they are? & What you need to do Employee Training for Identity Theft : “RED FLAG RULES” February 2010.
Detecting, Preventing and Mitigating Identity Theft Presented by the Bursar’s Office.
Compliance with Federal Trade Commission’s “Red Flag Rule”
Lydia E. Payne-Johnson Peter A. Rabinowitz PricewaterhouseCoopers, LLP Harvard University August 20, 2008 New Identity Theft Red Flags Rule: What is New.
THE RED FLAGS RULE Detecting, Preventing, and Mitigating Identity Theft Training for Ball State University’s Identity Theft Protection Program.
The Third International Forum on Financial Consumer Protection & Education “Fostering Greater Consumer Protection & Education” Preventing Identity Theft.
Copyright© 2010 WeComply, Inc. All rights reserved. 10/10/2015 FACTA Red Flags.
Red Flag Training IDENTITY THEFT PREVENTION PROGRAM OVERVIEW AUTOMOTIVE.
University of Minnesota Identity Theft Prevention Program: Red Flags Rule Detecting, Preventing, and Mitigating Identity Theft This presentation was adapted.
Red Flag Rules Training Class SD 428. Red Flag Rules SD 428 The Red Flag Rules course (SD 428) was implemented at UTSA to meet the requirements and guidelines.
Available from BankersOnline.com/tools 1 FACT ACT RED FLAG GUIDELINES.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
FAIR CREDIT REPORTING ACT. Serves the following principal purposes: To regulate the consumer-reporting industry. To prohibit unfair actions from.
Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A Centennial.
Prevention of Identity Theft. Why now, Why us? Federal Trade Commission (FTC) regulations for Identity Theft which may not apply, but it is good business.
Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA.
1 Identity Theft Program Procedures Viewing RED FLAGS in the MEDITECH System.
Protecting Personal Information Guidance for Business.
September 14, David A. Reed Attorney at Law Reed & Jolly, PLLC (703)
ANTI-MONEY LAUNDERING TRAINING FOR LENDERS Bill Heyman Offit Kurman
Red Flags 101. What It’s All About Section’s 114 and 315 of the FACT Act were implemented in October 2007 and became effective January 1, These.
The Minnesota State Colleges and Universities system is an Equal Opportunity employer and educator. The Red Flag Rule Detecting, Preventing, and Mitigating.
1 Identity Theft: What You Need to Know. 2 Identity Theft Identity theft is a crime of stealing key pieces of someone’s identifying information, such.
AML Training Program Presented by Continental Funding Corp.
© 2017 SlidePlayer.com Inc. All rights reserved.