330 likes | 351 Views
FACTA Red Flags. Identity Theft Prevention Program Development Presented By: John P. Bonora, CRCM. Overview. Program Structure & Administration Risk Assessment Strategy General Identity Theft Risk Exposure Covered Account Identification & Analysis Red Flag Identification
E N D
FACTA Red Flags Identity Theft Prevention Program Development Presented By: John P. Bonora, CRCM
Overview • Program Structure & Administration • Risk Assessment Strategy • General Identity Theft Risk Exposure • Covered Account Identification & Analysis • Red Flag Identification • Red Flag Detection Methods • Red Flag Responses
Program Structure & Admin. • Regulatory Terms vs. Internal Terms • Regulatory • Covered Account • Red Flags • Internal Terms • Forms & Job Aids • All other accounts besides “covered accounts”
Program Structure & Admin. • Approval & Annual Reporting • Initial Board Approval • Compliance/Risk Committee • Program Administrator • Red Flag Project Team • Should be Representative of the Bank
Structure Pitfalls • Inquire about the Board’s risk appetite relative to covered accounts. • Have explanatory examples • Have Program specify what the annual report will include.
Training • Leverage off current training program • Training need only be to the level to evidence effectiveness • Customized Targeted Training • May serve a more critical role for implementation • Online Training Modules
Training Pitfalls • Ensure training sessions have been properly forecasted into implementation plan. • Document project team training as well as business line sessions
Third Party Oversight • Leverage opportunity for Vendor Mgmt. Program (i.e. Due Diligence & Ongoing Monitoring Efforts) • “take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate, the risk of identity theft.” • FIL-44-2008 (Managing Third Party Risk) • Contract Addenda
Third Party Oversight Question • Should we be getting contract addendums on all service providers that are permitted access to our customer information? For example, a processor that directly obtains, processes, stores, or transmits customer information on our behalf. Similarly, an attorney, accounting firm, or consultant who performs services for our bank and has access to customer information. Regulation vs. Recommendation • It is not required, however it is recommended in guidelines. • “For example, a FI or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the FI or creditor, or to take appropriate steps to prevent or mitigate identity theft.
Third Party Oversight Question • How do we address the Red Flag requirements with a credit card or investment servicer such as Elan or Infinex? Responsibilities • Third party oversight obligations. (FIL-44-2008) • For covered accounts, define the lines of responsibility (i.e. origination & servicing). • Develop red flags, detection mechanisms, and responses.
Oversight Pitfalls • Reconcile your Identity Theft Program to your Vendor Management Program. • Empty references create control gaps • “An institution can outsource the function, but not the responsibility” -FDIC
Program Update • A Sound Update Methodology = Power • A Pulse to Your Environment • Past Experiences Log • Number & Types of Cases • Affected Business Lines • Let Metrics Support Your Position
Program Update • Tracking basic statistics can allow you to compare to published data. • Allows you to support current control environments.
Risk Assessment • Geographic & Demographic Analysis • Covered Account Identification
Geo & Demo Analysis • Footprint Analysis • Geographic & Demographic Analysis • Industry Communications & News • Conclusions
Covered Account Analysis • No right or wrong method, provided the approach can be justified. • Take an inventory of all accounts offered by the Bank. • Identify all accounts that are automatically covered accounts
Covered Account Analysis • Identify the applicable business lines for each account. • Communicate all “auto” covered accounts and non “auto” covered accounts to each business line. (Business Line Covered Account Analysis) • Require business lines to assess each non “auto” covered account. (Discretionary Account R.A.)
Covered Account Analysis • Finalize each business line’s covered account list. (Enterprise-wide Covered Account Matrix) • Require each business line to assess each covered account by considering: • Types of covered accounts offered • Methods to open covered accounts • Methods to access covered accounts • Previous experiences
Red Flag Identification • The covered account analysis will germinate the Red Flag identification process. • Supplement “A” serves as an excellent guide for the process. • Starting from the breach can serve as a nice way to “back-in” to the appropriate Red Flags. (Think like the crook)
Red Flag Identification Breach Example • A small business LOC has $75,000 fraudulently accessed and transferred to a Karachi National Bank checking account. Potential Red Flags • Signature on faxed request does not match customer • Destination of funds • Amount or timing of transfer • Bank representative does not recognize client verifier
Detection of Red Flags • Methods of Detection • Institution Reporting • Personnel Observations & Customer Contact • Geographic & Industry Observations • Continue to utilize the “back-in” philosophy to identify your detection methods for Red Flags.
Institution Reporting → Personnel Contact → Industry Observation → Alert is detected on credit profile during application process Customer informs Bank of alert on credit profile N/A Detection of Red Flags Bank is notified that the consumer has placed an initial fraud alert on credit profile
Red Flag Identification • Using a summary worksheet can assist in the development process of: Red Flag ↓ Detection Method ↓ Response
Red Flag Responses • Responses should be commensurate with Red Flag detected. • Virtually all response procedures should start with identity verification. • Responses will be result dependent. • Response procedures should include a process to report and log the event. (Past Experiences Log)
Red Flag Responses Suspected or Confirmed Cases • Internal procedures to mitigate risk. • Issuance of new access devices • Closure of accounts • Completion of affidavit • Additional Information • Victim toolkit • Provision of sample letters
Program Keystones • Leverage to your advantage. • Use data & past experiences to support your program structure • Keep the pulse • Sell the Program (ABC)
Good Luck! Contact Information: John P. Bonora, CRCM John.Bonora@FairfieldCountyBank.com 203.431.7351