Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Presentation transcript:


2 Background to New Requirements
- The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) have jointly issued final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT) and final rules implementing section 315 of the FACT Act
- During the FACT Act legislative process, Congress was concerned about several emerging issues (including increasing incidence of identity theft)
- New obligations for lenders and others to prevent, detect, and mitigate ID theft

3 Key FCRA Definitions
- Expansive definition of “credit”
  - Any deferral of payment (12 C.F.R. § 202.2(j))
  - Can include telecom, utilities, invoicing, subscriptions
- Expansive definition of “creditor”
  - Anyone who participates in credit decision (12 C.F.R. § 202.2(l))
  - Can include brokers, arrangers

4 Key FCRA Definitions
- Expansive definition of “identity theft”
  - Includes new accounts and existing accounts
  - Includes attempted identity theft
  - Includes the “identity” of a business (16 C.F.R. § 603.2)
- Definition of “red flag” narrower than proposed
  - Indicator of “possible existence of ID theft” (“Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft” ... not “the possible risk of identity theft”)

5 Red Flags Rule
- Three segments of final Rule
  - The Rule itself: covered entities must develop written ID theft prevention program
  - Accompanying Guidelines: must be considered when developing program
  - Appendix J: may consider list of red flags possibly indicating ID theft

6 Red Flags Rule
- Mandatory compliance date was Nov. 1, 2008 – The FTC has delayed enforcement of the rule for six months to May 1, 2009
- Preempts state law requirements
  - With respect to “conduct required by” FCRA section 615(e)

7 “Covered Accounts”
- Entities must determine whether they offer or maintain “covered accounts”
- Consumer accounts involving multiple payments or transactions are always “covered accounts” (credit cards, checking accounts, mortgage loans)
- Other accounts if reasonably foreseeable fraud or ID theft risk to customers or institution itself

8 “Covered Accounts”
- Business accounts also may be “covered accounts”
  - Such as small business, sole proprietors
  - If there is a “reasonably foreseeable risk” to customers or to safety and soundness from identity theft
  - Risk = financial, operational, compliance, reputation, or litigation

9 “Covered Accounts”
- In making this risk determination, entity must consider:
  - Methods it uses to open accounts
  - Methods available to access accounts
  - Previous experiences with ID theft for that product or for other products

10 Program Required for Covered Accounts
- All depository institutions and creditors that offer “covered accounts” must establish a program
- Complementary or an extension to existing programs ... much work has already been done
  - GLBA data security, section 326 USA PATRIOT Act, AML/BSA programs
- But must combine into a single written program
- Risk based program

11 Establishing a Program
- Entities that offer or maintain covered accounts must develop and implement a WRITTEN identity theft prevention program that is designed to prevent, detect, and mitigate ID theft in
  - New accounts and
  - Existing accounts
- Must include policies and procedures to
  - Identify relevant red flags
  - Detect those red flags
  - Respond when red flags are detected
- Must be updated periodically to reflect new risks

12 Establishing a Program
- Must be approved by the Board or committee of the Board
- Must be overseen by senior management
- Must include staff training and oversight of service providers
- Must consider the Guidelines provided by the agencies
- Must be updated to consider new threats as they arise

13 The Accompanying Guidelines
- Guidelines, 12 CFR pt. 222, App. J, are a “cookbook”
- Provide agency guidance on
  - Identifying red flags
  - Detecting red flags
  - Preventing and mitigating ID theft
  - Administering the program

14 The Accompanying Guidelines
- The guidance provided is important because
  - Rule will be enforced based on this guidance
- Enforcement
  - Private right of action?
  - Administrative enforcement may be applicable, given flexible, risk-based requirements

15 Guidelines: Identifying Red Flags
- “Should consider”
  - Types of covered accounts offered or maintained
  - Methods of opening and accessing such accounts
  - Previous experiences with ID theft
- Should incorporate red flags from
  - Entity’s own experience
  - New methods of ID theft
  - “Applicable supervisory guidance”
- Also may consider list of possible red flags prepared by agencies

16 Using Agencies’ List to Identify Red Flags
Must consider four major categories and may consider examples identified for each
1. Alerts and notifications received from credit bureaus and third-party service providers
   Examples: fraud alerts, address discrepancy notices, credit freeze, and unusual patterns of activity on credit report
2. Presentation of suspicious documents or suspicious identifying information
   Examples: IDs that appear altered or forged, inconsistent ID information, invalid SSN, address is mail drop
3. Unusual or suspicious account usage patterns
   Examples: changes in account usage or purchase of jewelry and electronics
4. Notice from customer, ID theft victim, or law enforcement
Note: Compliance officers should refer to the full list of examples at 12 CFR pt. 222, App. J, Supp. A

17 Guidelines: Detecting Red Flags
- Verify the identity of a person opening a covered account
- And, in the case of existing covered accounts
  - Authenticate customers
  - Monitor transactions
  - Verify validity of change-of-address requests
- Action taken should be commensurate with the risk of ID theft

18 Guidelines: Prevent and Mitigate ID Theft
- Provide for appropriate responses to red flags that are commensurate with risk presented (consider aggravating factors, such as data security breach or phishing)
- Possible appropriate responses
  - Monitoring account
  - Contacting customers
  - Changing passwords or PINs
  - Closing account or assigning new account number
  - Not opening a new account
  - Not attempting to collect, or not selling/assigning account
  - Notifying law enforcement
  - Determining no response is necessary
- 12 CFR pt. 222, App. J

19 Guidelines: Administering the Program
- Board of directors or senior management
  - Assign specific responsibility for implementation
  - Review reports by staff
  - Approve material changes to program
- Staff report at least annually on
  - Effectiveness of policies
  - Service provider arrangements
  - Significant security incidents
  - Recommendations for material changes

20 Guidelines: Administering the Program
- Ensure by written contract that service providers
  - Perform designated activities for covered accounts
  - Implement procedures to detect, prevent, and mitigate ID theft
- Update program as necessary