Are You Ready? Identity fraud and identity management are quickly becoming critical operational concerns for the financial industry. The Red Flags Guidelines issued in October 2007 pursuant to the Fair and Accurate Credit Transactions Act requires implementation of an Identity Theft Prevention Program by November 1, 2008.

What is ID Theft “Identity Theft” has the same meaning as under 16 CFR 603.2(a) “A fraud committed or attempted using the identifying information of another person without authority.”

Legislation covers three main areas: Address Discrepancies Recipients of credit reports now must take action upon receipt of Address Discrepancy Indicators (ADI) with credit reports. Red Flags Red Flag Rules require development and implementation of a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft. Duty of Card Issuers Card issuers that receive a change of address notice may not issue new cards within 30 days unless the address is validated.

Legislation covers three main areas: Address Discrepancies Recipients of credit reports now must take action upon receipt of Address Discrepancy Indicators (ADI) with credit reports. Red Flags Red Flag Rules require development and implementation of a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft. Duty of Card Issuers Card issuers that receive a change of address notice may not issue new cards within 30 days unless the address is validated.

What is a Red Flag? A pattern, practice, or specific activity that indicates the possible existence of identity theft. Affects both new and existing accounts. Red Flag Categories  Alerts, notifications or warnings from a CRA  Suspicious documents  Suspicious personal identifying information  Unusual use of, or suspicious activity relating to, the covered account  Notices from customer, victims of ID theft, law enforcement authorities, or other persons regarding possible ID theft in connection with covered accounts held by the organization

Red Flag Requirements Four basic elements of an Identity Theft Prevention Program (ITPP): Identify Detect Respond Update

Red Flag Requirements Four basic elements of an Identity Theft Prevention Program (ITPP): Identify Detect Respond Update

To achieve compliance: – Perform a risk assessment to identify all covered accounts – For each covered account, identify relevant red flags that may indicate possible identity theft – For each red flag, identify appropriate detection and response procedures to detect and prevent possible identity theft – Develop a written identity theft prevention program – Obtain board of directors approval of the program – Provide training to appropriate staff – Monitor changes in identity theft and update program periodically – Oversee service provider arrangements – Review the program at least annually

Five Common Mistakes and Pitfalls 1.Approach compliance like any other Rule 2.Simply update existing Information Security Program 3.Consider all accounts as covered, include all 26 Red Flags 4.Ignore service providers, business partners. 5.Forget to implement periodic Program update process

Five Common Mistakes and Pitfalls 1.Approach compliance like any other Rule 2.Simply update existing Information Security Program 3.Consider all accounts as covered, include all 26 Red Flags 4.Ignore service providers, business partners. 5.Forget to implement periodic Program update process

What are the consequences? Non-compliance penalties can include: Civil Money Penalty for Each Violation Cease and Desist Order Lowering of Examination Rating Negative Publicity, Loss of Business Consumer Lawsuit

Alerts, Notifications or Warnings from a Consumer Reporting Agency 1.Fraud or active duty alert 2.Credit freeze 3.Address discrepancy 4.Inconsistent activity pattern

Alerts, Notifications or Warnings from a Consumer Reporting Agency 1.Fraud or active duty alert 2.Credit freeze 3.Address discrepancy 4.Inconsistent activity pattern

Suspicious Personal Identifying Information 10.Personal ID info inconsistent with external information 11.Personal ID info inconsistent with other ID info 10.Personal ID info inconsistent with external information 11.Personal ID info inconsistent with other ID info

Suspicious Personal Identifying Information, continued 12.Personal ID info associated with known fraud 13.Personal ID info is type commonly associated with fraud 14.Duplicate SSN

Suspicious Personal Identifying Information, continued 15.Duplicate address or telephone number 16.Incomplete required info 17.Personal ID info inconsistent with info on file 18.Inability to correctly authenticate via challenge questions

Red Flag Scope Some rules are flexible: Creditors can tailor program to fit the size/complexity of operation Creditors can incorporate existing policies and procedures Creditors should consider all 26 example Red Flags across the five categories Creditors should include the Red Flags that make sense in the context of their businesses More fine print: Each financial institution is responsible for making subjective determination of applicability of regulations for their customers/accounts

Some Helpful Web Links for FDIC FIL (Identity Theft Red Flags) to view OCC Bulletin (Identity Theft Red Flags and Address Discrepancies) to view OTS (Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy)

Questions?