Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Published byHelena Quinn Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008."— Presentation transcript:

1 Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008

2 2 Background to New Requirements The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) have jointly issued final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT) and final rules implementing section 315 of the FACT Act During FACT Act legislative process, Congress was concerned about several emerging issues (Including increasing incidence of identity theft) New obligations for lenders and others to prevent, detect, and mitigate ID theft

3 3 Key FCRA Definitions Expansive definition of “credit” Any deferral of payment (12 C.F.R. § 202.2(j)) Can include telecom, utilities, invoicing, subscriptions Expansive definition of “creditor” Anyone who participates in credit decision (12 C.F.R. § 202.2(l)) Can include brokers, arrangers

4 4 Key FCRA Definitions Expansive definition of “identity theft” Includes new accounts and existing accounts Includes attempted identity theft Includes the “identity” of a business (16 C.F.R. § 603.2) Definition of “red flag” narrower than proposed Indicator of “possible existence of ID theft” (“Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft”…..not “the possible risk of identity theft”).

5 5 Red Flags Rule Three segments of final Rule The Rule itself: covered entities must develop written ID theft prevention program Accompanying Guidelines: must be considered when developing program Appendix J: may consider list of red flags possibly indicating ID theft

6 6 Red Flags Rule Mandatory compliance date was Nov. 1, 2008 – The FTC has delayed enforcement of the rule for six months to May 1, 2009 Preempts state law requirements With respect to “conduct required by” FCRA section 615(e)

7 7 “Covered Accounts” Entities must determine whether they offer or maintain “covered accounts” Consumer accounts involving multiple payments or transactions are always “covered accounts” (Credit cards, checking accounts, mortgage loans) Other accounts if reasonably foreseeable fraud or ID theft risk to customers or institution itself

8 8 “Covered Accounts” Business accounts also may be “covered accounts” Such as small business, sole proprietors If there is a “reasonably foreseeable risk” to customers or to safety and soundness from identity theft Risk = financial, operational, compliance, reputation, or litigation

9 9 “Covered Accounts” In making this risk determination, entity must consider - Methods it uses to open accounts Methods available to access accounts Previous experiences with ID theft for that product or for other products

10 10 Program Required for Covered Accounts All depository institutions and creditors that offer “covered accounts” must establish a program Complementary or an extension to existing programs …..much work has already been done GLBA data security, section 326 USA PATRIOT Act, AML/BSA programs But must combine into a single written program Risk based program

11 11 Establishing a Program Entities that offer or maintain covered accounts must Develop and implement a WRITTEN identity theft prevention program that is designed to Prevent, detect, and mitigate ID theft in New accounts and Existing accounts Must include policies and procedures to Identify relevant red flags Detect those red flags Respond when red flags are detected Must be updated periodically to reflect new risks

12 12 Establishing a Program Must be approved by the Board or committee of the Board Must be overseen by senior management Must include staff training and oversight of service providers Must consider the Guidelines provided by the agencies Must be updated to consider new threats as they arise

13 13 The Accompanying Guidelines Guidelines, 12 CFR pt. 222, App. J, are a “cookbook” Provide agency guidance on Identifying red flags Detecting red flags Preventing and mitigating ID theft Administering the program

14 14 The Accompanying Guidelines The guidance provided is important because Rule will be enforced based on this guidance Enforcement Private right of action? Administrative enforcement may be applicable, given flexible, risk-based requirements

15 15 Guidelines: Identifying Red Flags “Should consider” Types of covered accounts offered or maintained Methods of opening and accessing such accounts Previous experiences with ID theft Should incorporate red flags from Entity’s own experience New methods of ID theft “Applicable supervisory guidance” Also may consider list of possible red flags prepared by agencies

16 16 Using Agencies’ List to Identify Red Flags Must consider four major categories and may consider examples identified for each 1.Alerts and notifications received from credit bureaus and third- party service providers Examples: fraud alerts, address discrepancy notices, credit freeze, and unusual patterns of activity on credit report 2.Presentation of suspicious documents or suspicious identifying information Examples: IDs that appear altered or forged, inconsistent ID information, invalid SSN, address is mail drop 3.Unusual or suspicious account usage patterns Examples: changes in account usage or purchase of jewelry and electronics 4.Notice from customer, ID theft victim, or law enforcement Note: Compliance officers should refer to the full list of examples at 12 CFR pt. 222, App. J, Supp. A

17 17 Guidelines: Detecting Red Flags Verify the identity of a person opening a covered account And, in the case of existing covered accounts Authenticate customers Monitor transactions Verify validity of change-of-address requests Action taken should be commensurate with the risk of ID theft

18 18 Guidelines: Prevent and Mitigate ID Theft Provide for appropriate responses to red flags that are commensurate with risk presented (Consider aggravating factors, such as data security breach or phishing) Possible appropriate responses Monitoring account Contacting customers Changing passwords or PINs Closing account or assigning new account number Not opening a new account Not attempting to collect, or not selling/assigning account Notifying law enforcement Determining no response is necessary 12 CFR pt. 222, App. J

19 19 Guidelines: Administering the Program Board of directors or senior management Assign specific responsibility for implementation Review reports by staff Approve material changes to program Staff report at least annually on Effectiveness of policies Service provider arrangements Significant security incidents Recommendations for material changes

20 20 Guidelines: Administering the Program Ensure by written contract that service providers Perform designated activities for covered accounts Implement procedures to detect, prevent, and mitigate ID theft Update program as necessary

Download ppt "Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008."

Similar presentations

Red-Flag Identity Theft Requirements February 19th 2009 Cathy Casagrande, Privacy Officer.

Red-Flag Identity Theft Requirements February 19th 2009 Cathy Casagrande, Privacy Officer.
Fair Credit Reporting Act You must be told if information in your file has been used against you You can find out what is in your file You can dispute.

Fair Credit Reporting Act You must be told if information in your file has been used against you You can find out what is in your file You can dispute.
UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE University of Washington Red Flag Rules Protecting Against Identity Fraud.

UNDERSTANDING RED FLAG REGULATIONS AND ENSURING COMPLIANCE University of Washington Red Flag Rules Protecting Against Identity Fraud.
© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED. Raising a Red Flag: Understanding the Fair and Accurate Credit Transactions Act, the Red Flag.

© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED. Raising a Red Flag: Understanding the Fair and Accurate Credit Transactions Act, the Red Flag.
Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.

Red Flags Compliance BANKERS ADVISORY 1 Red Flags Compliance Fair & Accurate Credit Transactions Act (FACTA) Identity Theft Prevention.
Compliance with Federal Trade Commission’s “Red Flag Rule”

Compliance with Federal Trade Commission’s “Red Flag Rule”
WELCOME Iowa State University Identity Theft Prevention Program

WELCOME Iowa State University Identity Theft Prevention Program
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Detecting, Preventing and Mitigating Identity Theft Presented by the Bursar’s Office.

Detecting, Preventing and Mitigating Identity Theft Presented by the Bursar’s Office.
1 Identity Theft Program Procedures Viewing RED FLAGS in the MEDITECH System.

1 Identity Theft Program Procedures Viewing RED FLAGS in the MEDITECH System.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
Red Flag Identity Theft Training California State University, Fullerton Campus Information Technology Training August 2012.

Red Flag Identity Theft Training California State University, Fullerton Campus Information Technology Training August 2012.
Unified Carrier Registration (UCR) Update August 24, 2006.

Unified Carrier Registration (UCR) Update August 24, 2006.
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
Identity Fraud Prevention 1 Copyright Identity Management Institute®

Identity Fraud Prevention 1 Copyright Identity Management Institute®
Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.

Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines.
Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial.

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A Centennial.
©2012 CliftonLarsonAllen LLP 1 111 Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.

©2012 CliftonLarsonAllen LLP Red Flags- Why This Matters to You An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.
The Minnesota State Colleges and Universities system is an Equal Opportunity employer and educator. The Red Flag Rule Detecting, Preventing, and Mitigating.

The Minnesota State Colleges and Universities system is an Equal Opportunity employer and educator. The Red Flag Rule Detecting, Preventing, and Mitigating.
Red Flags 101. What It’s All About Section’s 114 and 315 of the FACT Act were implemented in October 2007 and became effective January 1, 2008. These.

Red Flags 101. What It’s All About Section’s 114 and 315 of the FACT Act were implemented in October 2007 and became effective January 1, These.

Similar presentations

Ads by Google