Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2012 CliftonLarsonAllen LLP 1 111 Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.

Similar presentations


Presentation on theme: "©2012 CliftonLarsonAllen LLP 1 111 Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact."— Presentation transcript:

1 ©2012 CliftonLarsonAllen LLP Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact. Justin Robinson Engagement Director CliftonLarsonAllen LLP

2 ©2012 CliftonLarsonAllen LLP 2 Agenda Critical elements of the rule Red Flag compliance vs. BSA compliance What does an identity theft red flag risk assessment look like? Are 26 red flags appropriate for all credit unions? Using existing safeguarding member information program to mitigate and prevent Red Flags Identification of other means currently utilized that prevent and mitigate risk Red Flag Response Matrix

3 ©2012 CliftonLarsonAllen LLP 3 ID Theft Top Consumer Fraud Complaint FTC reported the top consumer fraud complaint received in 2011 was identity theft 12 years in row 15% of all complaints Misuse of government documents fraud was the most common form of reported identity theft (approximately 27% of complaints), followed by credit cards (14%).

4 ©2012 CliftonLarsonAllen LLP 4 Identity Theft Red Flag Requirements In October 2007, the Federal Banking Regulators issued final rules implementing the Identity Theft Red Flag Requirements of the FACT Act Written program to detect, prevent, and mitigate identity theft Overlap of IT and consumer compliance

5 ©2012 CliftonLarsonAllen LLP 5 What is Identity Theft? Fraud committed or attempted using, without authority, the identifying information of another person –Name, SSN, TIN, etc. –Very broad

6 ©2012 CliftonLarsonAllen LLP 6 Types of Identity Theft Hacking, dumpster diving, insider theft, phishing, shoulder surfing, family members, stealing (laptop, purse), physical break-in Shotgunning - the identity thief applies for multiple loans from multiple lenders on the same property within a short period of time. The identity thief then takes advantage of the lag time in recording mortgages as lenders are unable to identify the existence of the other mortgages before funding the loans

7 ©2012 CliftonLarsonAllen LLP 7 Important Point The Identity Theft Red Flag Rules are very different from BSA BSA – required to report on suspicious transactions and money laundering but not necessarily required to prevent it Identity Theft Red Flag Rule – you are required to prevent identity theft and can be held accountable if you do not Consequently, you must approach compliance with this rule differently

8 ©2012 CliftonLarsonAllen LLP 8 Four Critical Elements 1.Identify relevant Red Flags for the accounts the credit union offers or maintains, and incorporate those Red Flags into its Program; 2.Detect Red Flags that have been incorporated into the Program of the credit union; 3.Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and 4.Ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to members

9 ©2012 CliftonLarsonAllen LLP 9 Seven Step Process STEP 1: Identity Theft Program Administrator STEP 2: Conduct a Risk Assessment STEP 3: Identify Relevant Red Flags STEP 4: Detect Red Flags STEP 5: Preventing and Mitigating Red Flags STEP 6: Board Approval and Staff Training STEP 7: Updating the Program

10 ©2012 CliftonLarsonAllen LLP 10 STEP 1: Identity Theft Program Administrator Select an individual or committee to oversee and administer the Program. The Administrator is responsible for the implementation, oversight, and updating of the program. The Administrator will need to be capable of addressing these steps to effectively implement the Program.

11 ©2012 CliftonLarsonAllen LLP 11 STEP 2: Conduct a Risk Assessment Conduct a risk assessment to identify all covered accounts for the rule. The rule defines a “covered account” as: –An account that a credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; or –Any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.

12 ©2012 CliftonLarsonAllen LLP 12 STEP 2: Conduct a Risk Assessment The credit union should take into consideration all of the following risk factors: –The types of accounts offered or maintained; –Methods provided to open accounts (web site, internet banking, etc.); –Methods provided to access accounts (bill payment, telephone banking, internet banking, etc.); and –Previous experiences with identity theft.

13 ©2012 CliftonLarsonAllen LLP 13 STEP 2: Conduct a Risk Assessment Identify all threats and the potential for harm, determine your existing safeguards, analyze whether you need additional safeguards Some threats include: –Scams –Hacking –Trusted Insiders –Physical Break-Ins –Shoulder Surfing Do not forget general Fraud –Mortgage, check, appraisal, etc.

14 ©2012 CliftonLarsonAllen LLP 14 STEP 2: Conduct a Risk Assessment Determine existing safeguards –Policies –Procedures –Automated tools –Training –Testing and monitoring –Authentication process

15 ©2012 CliftonLarsonAllen LLP 15 STEP 2: Conduct a Risk Assessment Taking all of that into consideration, determine: –Likelihood of identity theft occurring –Potential impact of identity theft No mandated format May be combined with another risk assessment, such as your member information security risk assessment, but make sure all elements of the Identity Theft rule are met

16 ©2012 CliftonLarsonAllen LLP 16 STEP 3: Identify Relevant Red Flags The regulators have provided us with five general categories of Red Flags: Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; The presentation of suspicious documents; The presentation of suspicious personal identifying information, such as a suspicious address change; The unusual use of, or other suspicious activity related to, a covered account; and Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union.

17 ©2012 CliftonLarsonAllen LLP 17 STEP 3: Identify Relevant Red Flags In addition, the Regulators have provided us with specific examples of Red Flags that fall into these general categories. Supplement A to Appendix J in the rule, includes a list of 26 different Identity Theft Red Flags While these specific Red Flags are provided as examples, the list is not meant to be exhaustive

18 ©2012 CliftonLarsonAllen LLP 18 STEP 4: Detect Red Flags Develop procedures and controls to detect the identified Red Flags The detection requirement is simply a due diligence requirement to utilize sound controls that will help in detecting the Red Flags Applies to new and existing accounts

19 ©2012 CliftonLarsonAllen LLP 19 STEP 4: Detect Red Flags Use your existing Member Information Security Program and Customer Identification Program. You already have these in place. These will be very important going forward and could be the ultimate determining factor in whether you can comply with the rule or not.

20 ©2012 CliftonLarsonAllen LLP 20 STEP 4: Detect Red Flags Ensure effective detective controls by: Obtaining identifying information about, and verifying the identity of, a person opening a covered account –For example, using the policies and procedures regarding identification and verification set forth in your Customer (Member) Identification Policy (CIP) program. Authenticating members Monitoring transactions, accounts, systems, dormant accounts, applications

21 ©2012 CliftonLarsonAllen LLP 21 STEP 4: Detect Red Flags Penetration testing Vulnerability assessments IT audit –Detect fraudulent activity Financial audit Verifying the validity of change of address requests, in the case of existing covered accounts. Developing procedures referencing the existing CIP and security procedures as controls to detect appropriate Red Flags

22 ©2012 CliftonLarsonAllen LLP 22 STEP 5: Preventing and Mitigating Red Flags IT audit Written procedures and policies related to verifying identity that are enforced CIP Authentication Encryption Firewalls

23 ©2012 CliftonLarsonAllen LLP 23 Employee background checks Employee training Fraud and Identity Theft training Record retention/disposal of information Due diligence of service providers STEP 5: Preventing and Mitigating Red Flags

24 ©2012 CliftonLarsonAllen LLP 24 STEP 5: Preventing and Mitigating Red Flags Responses to Red Flags The Program must include appropriate responses to detected Red Flags The appropriate credit union response will vary depending on the risk posed by the detected Red Flag You probably already have an Incident Response Plan but you may need to expand it Keep documentation related to response

25 ©2012 CliftonLarsonAllen LLP 25 STEP 5: Preventing and Mitigating Red Flags Examples of Credit Union responses to detected Red Flags: Monitoring a covered account for evidence of identity theft Contacting the member Changing any passwords, security codes, or other security devices that permit access to a covered account Reopening a covered account with a new account number Not opening a new covered account Closing an existing covered account Not attempting to collect on a covered account or not selling a covered account to a debt collector Notifying law enforcement Determining that no response is warranted under the particular circumstances

26 ©2012 CliftonLarsonAllen LLP 26 STEP 5: Preventing and Mitigating Red Flags Third Party Providers Your credit union should have controls in place to ensure that third party service providers have Red Flag detection procedures in place. Take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, you could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the federal credit union, or to take appropriate steps to prevent or mitigate identity theft.

27 ©2012 CliftonLarsonAllen LLP 27 STEP 6: Board Approval and Staff Training Obtain written approval of the Program from the Board of Directors or an appropriate committee of the Board of Directors Train appropriate staff to implement the Program. Staff should be aware of identified Red Flags, controls to detect these Red Flags, and appropriate responses to detection Train any staff member who could detect or prevent Identity Theft Training should cover your identified Red Flags, policies and procedures, and reporting process for Identity Theft

28 ©2012 CliftonLarsonAllen LLP 28 STEP 6: Board Approval and Staff Training Annual Reporting: “staff of credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the credit union.”

29 ©2012 CliftonLarsonAllen LLP 29 STEP 6: Board Approval and Staff Training Contents of the report: Material matters related to the Program such as: –The effectiveness of the policies and procedures in addressing the risk of identity theft; –Service provider arrangements; –Significant incidents involving identity theft and management’s response; –Recommendations for material changes to the Program.

30 ©2012 CliftonLarsonAllen LLP 30 STEP 7: Updating the Program The credit union should periodically update its Red Flags based on the following factors: The experiences of the credit union with identity theft; Changes in methods of identity theft; Changes in methods to detect, prevent, and mitigate identity theft; Changes in the types of accounts the credit union offers or maintains; and Changes in the business arrangements of the credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

31 ©2012 CliftonLarsonAllen LLP 31 ID Theft Red Flags Today Risks Exams –Potential for larger impact Civil suits?

32 ©2012 CliftonLarsonAllen LLP 32 ID Theft Trends FinCEN Report on ID Theft Trends, Patterns and Typologies. –Report issued September 2010 –Studied SARs filed

33 ©2012 CliftonLarsonAllen LLP 33 ID Theft Trends Credit Card ID Theft –Physical theft –Virtual theft –30% of the time the thief added his/her name as an authorized user

34 ©2012 CliftonLarsonAllen LLP 34 ID Theft Trends Deposit Account Fraud –ID thief opens a new joint account with member’s name. –Thief then poses as victim and directs transfer from existing member’s account into joint account

35 ©2012 CliftonLarsonAllen LLP 35 ID Theft Trends Other notable trends –22% of SARs filed involved friends or family members of the victim –27% of SARS filed indicated the victim knew the identity thief –Only 18% of the SAR filings noted the identity theft was discovered within 1 week of the theft –37% of the filings noted the theft was discovered 3+ months after the account was compromised

36 ©2012 CliftonLarsonAllen LLP 36 ID Theft Trends Notable “Red Flags” that aided discovery: –Notification by consumer that a fraudulent account was opened –Notification by consumer that there are unauthorized transactions –Incorrect social security number –Change of address requests

37 ©2012 CliftonLarsonAllen LLP 37 ID Theft Trends Tax Fraud, FinCEN Letter March 2012 (FIN A005) –Additional Red Flags related to Tax Refund ID Theft ◊ Multiple direct deposit tax refund payments, directed to different individuals ◊ Suspicious or authorized account opening at a depository institution, on behalf of individuals who are not present, with the fraudulent actor being named as having signatory authority. The subsequent source of funds is limited to the direct deposit of tax refunds.

38 ©2012 CliftonLarsonAllen LLP 38 Tips Use existing risk assessments, policies, procedures and programs Create a standard form staff can use to report suspected identity theft Designate a centralized person/group to receive all incident reports of identity thefts and other incidents Change/improve your response procedures as your system evolves and you learn what does/does not work Make your program useable, not difficult to utilize and comprehend

39 ©2012 CliftonLarsonAllen LLP 39 ©2012 CliftonLarsonAllen LLP Questions? Justin Robinson Engagement Director CliftonLarsonAllen LLP


Download ppt "©2012 CliftonLarsonAllen LLP 1 111 Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact."

Similar presentations


Ads by Google