Technology Supervision Branch Interagency Identity Theft Red Flags Regulation Bank Compliance Association of CT Bristol, CT September 3, 2008.


1 Technology Supervision Branch Interagency Identity Theft Red Flags Regulation Bank Compliance Association of CT Bristol, CT September 3, 2008

2 Technology Supervision Branch Agenda Background Overview of regulation & guidelines Issues Exam procedures Questions

3 Technology Supervision Branch Background Regulation & guidelines implement sections 114 & 315 of FACT Act of 2003 FACTA was enacted to help prevent ID theft, improve resolution of consumer disputes, and improve accuracy of consumer records. Joint final rule: 5 federal banking agencies & FTC Published in 11/9/07 Federal Register Effective 1/1/08, compliance by 11/1/08

4 Technology Supervision Branch Overview Regulation requires 3 things: –Financial institutions and creditors must have a written ID theft prevention program –Debit and Credit Card issuers must assess validity of change of address requests before issuing new cards –Users of consumer reports must reasonably verify that the consumer report relates to the consumer about whom it has been requested, when user receives notice of address discrepancy

5 Technology Supervision Branch Overview Issuance has 3 parts: –Regulation (covers all 3 provisions) –Guidelines (red flags only) –Supplement to guidelines (red flags only) Form is confusing, but required by statute

6 Technology Supervision Branch Red Flags Overview Program must be designed to detect, prevent, and mitigate identity theft in connection with “covered accounts” Appropriate to size & complexity of the FI and nature & scope of business Regulation does not require use of automated systems Board of Directors must approve initial program

7 Technology Supervision Branch Identification of Covered Accounts Identify covered accounts: –All consumer transactional accounts covered –Any other accounts that pose reasonably foreseeable risk of ID theft to customer or bank FI must decide whether to cover business accounts, based on: –Methods for opening accounts –Methods for accessing accounts –Previous experiences with ID theft

8 Technology Supervision Branch Identification of Red Flags Identify relevant red flags from 3 sources: –Incidents of ID theft experienced –Methods of ID theft bank has identified that reflect changes in risks –Supervisory guidance (Appendix + future publications) Red flags from 5 categories: –Alerts, notices, warnings from CRAs or others –Suspicious documents –Suspicious identifying information –Suspicious account activity –Notice from customers, law enforcement, others

9 Technology Supervision Branch Detection of Red Flags Program must be able to detect red flags in connection with opening of any covered account or any existing covered account Guidelines provide 2 examples: –By verifying identity of person opening a covered account, e.g., by using CIP rules –By authenticating customers, monitoring transactions, and verifying change of address requests for existing accounts

10 Technology Supervision Branch Preventing & Mitigating ID Theft Guidelines list 9 possible responses: –Monitor the account –Contact the customer –Change passwords or security codes –Reopen account with new number –Decline to open new account –Close existing account –Do not attempt to collect on account –Notify law enforcement –Determine that no response is warranted

11 Technology Supervision Branch Preventing & Mitigating ID Theft Guidelines provide that in determining response, banks should consider aggravating circumstances such as: –Data security incident that results in unauthorized access to customer account records –Notice that customer has provided information to a fraudster, i.e., as a result of phishing attack

12 Technology Supervision Branch Address Discrepancies A bank that uses consumer reports and receives a notice of address discrepancy from a CRA must form a reasonable belief that report relates to consumer about whom it has been requested If not, agencies expect that bank will not use the consumer report

13 Technology Supervision Branch Address Discrepancies Bank can verify identity by comparing information in consumer report with: –Information bank uses to verify identity in accordance with CIP; –Information in its own records; or –Information obtained from 3rd party sources Bank can verify information with consumer directly

14 Technology Supervision Branch Address Discrepancies If bank regularly & in ordinary course of business furnishes information to CRA, then it must furnish confirmed address to CRA when: –It forms reasonable belief that report relates to consumer, and –It establishes a new relationship with that consumer

15 Technology Supervision Branch Change of Address Requests Bank that issues credit or debit cards must assess the validity of change of address requests if, within a short time thereafter, it receives request for new or replacement card Request can be from consumer or USPS Applies to credit, debit and payroll cards Does not apply to gift cards or other prepaid cards

16 Technology Supervision Branch Change of Address Requests Bank can choose to verify address change either: –When it receives request for new card; or –When it receives notice of address change Many banks commented that it may be easier to simply verify all address changes when received

17 Technology Supervision Branch Change of Address Requests Regulation sets forth 2 methods: –Notify cardholder at former address or by any other means previously agreed to, and –Provide the cardholder a reasonable means to report incorrect address change Or: –By any other reasonable means in accordance with policies established pursuant to red flags rule

18 Technology Supervision Branch Issues Interplay among 3 parts can be confusing Regulation straddles multiple disciplines, e.g., fraud prevention, risk management, IT security, compliance The structure of ID theft prevention programs will vary; but trade associations working on help documents

19 Technology Supervision Branch Issues Program can be human based, computer based, or combination of both Is a business account a “covered account”? Some banks waiting for exam procedures to begin complying

20 Technology Supervision Branch Exam Procedures FDIC is still drafting exam procedures Expect that address changes and address discrepancies will be handled as part of compliance examination. Red Flag will be part of safety and soundness examination. The BSA and IT examiners will collaborate on the review. Do not expect a roadmap to compliance; but it is always helpful to see what questions examiners will be asking

21 Technology Supervision Branch Contact Information James Avery, CISA IT Examiner FDIC Email: Jaavery@Fdic.gov

22 Technology Supervision Branch Questions?

