Published by Shavonne Lambert. Modified over 9 years ago.
1
New Identity Theft Rules
Rodney J. Petersen, J.D.
Government Relations Officer
Security Task Force Coordinator
EDUCAUSE
2
Big Picture of New Rules
- It’s not about privacy of personally identifiable information
- It’s not about the security of information systems
- It’s about protecting individuals from identity theft once their identity has been assumed by another individual
- Thus, RED FLAGS! ~ a pattern, practice, or specific activity that indicates the possible existence of identity theft
3
Statutory Basis
- The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the Fair Credit Reporting Act (FCRA)
- Sections 114 and 315 of the FACT Act
4
Rulemaking
- Joint rulemaking
- Final rules published November 9, 2007
- Rules: 72 Fed. Reg. 63718 (November 9, 2007) http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
- Full compliance originally required by November 1, 2008
- Deadline extended to May 1, 2009
5
New ID Theft Rules
- Users of Consumer Reports (Sec. 681.1)
- Financial Institutions and Creditors holding “covered accounts” (Sec. 681.2)
- Debit and Credit Card Issuers (Sec. 681.3)
6
Use of Consumer Reports
- Effective November 1, 2008
- Duties of users regarding address discrepancies
- Triggered by a notice of address discrepancy sent from a consumer reporting agency to an institution to inform them of a “substantial difference between the address for the consumer” that the institution provided
7
Policies and Procedures
Institutions must develop and implement reasonable policies and procedures designed to enable the institution to form a reasonable belief that a consumer report relates to the consumer
- Comparing the information in the consumer report with:
  - Information the institution obtains and uses to verify the consumer’s identity
  - Maintains in its own records, such as applications, change of address notifications, other customer account records, etc.; or
  - Obtains from third-party sources.
- Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
8
Consumer’s Address
Institutions must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the institution has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy
Examples of confirmation methods:
- Verifying the address with the consumer
- Reviewing its own records to verify the address
- Verifying the address through third-party sources; or
- Using other reasonable means
9
Creditors Holding “Covered Accounts”
- Effective May 1, 2009
- Creditor - any entity that regularly extends, renews, or continues credit
- Conduct periodic risk assessments to determine if the institution has “covered accounts”
- Jurisdiction of FTC - “Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors.” FTC Business Alert, June 2008
10
Covered Account
- Credit card accounts
- Mortgage loans
- Automobile loans
- Margin accounts
- Cell phone accounts
- Utility accounts
- Checking accounts
- Savings accounts
- Any account for which there is “a foreseeable risk of identity theft”
11
Application to Higher Ed
- Participating in the Federal Perkins Loan program,
- Participating as a school lender in the Federal Family Education Loan Program,
- Offering institutional loans to students, faculty, or staff, or
- Offering a plan for payment of tuition throughout the semester rather than requiring full payment at the beginning of the semester
12
ID Theft Prevention Program
Include reasonable policies and procedures to detect or mitigate identity theft and enable a creditor to:
- Identify relevant “red flags” (patterns, practices, and specific activities that signal possible identity theft) and incorporate them into the program;
- Detect the red flags that the program incorporates;
- Respond appropriately to detected red flags to prevent and mitigate identity theft; and
- Ensure that the Program is updated periodically to reflect changes in risks
13
Administration and Maintenance
- The board of directors (or appropriate board committee) must approve the initial written program.
- Involve the board, committee, or designated employee at the level of senior management in the oversight, development, implementation, and administration of the program
- Train staff, as necessary, to effectively implement the Program; and
- Exercise appropriate and effective oversight of service provider arrangements.
14
Conclusion
- This is clearly a legal and regulatory compliance issue
- This is mostly about business processes
- There will be implications for IT – but what???
- Information Privacy and Security
- Technology Support of Business Processes
- Programs, Policies, Procedures, and Training
- Management of Identities to Prevent Fraud