Red Flags - Why This Matters to You
An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.
Justin Robinson, Engagement Director, CliftonLarsonAllen LLP
Agenda
• Critical elements of the rule
• Red Flag compliance vs. BSA compliance
• What does an identity theft red flag risk assessment look like?
• Are 26 red flags appropriate for all credit unions?
• Using the existing safeguarding member information program to mitigate and prevent Red Flags
• Identification of other means currently utilized that prevent and mitigate risk
• Red Flag Response Matrix
ID Theft: Top Consumer Fraud Complaint
• The FTC reported that the top consumer fraud complaint received in 2011 was identity theft
• 12 years in a row
• 15% of all complaints
• Misuse of government documents was the most common form of reported identity theft (approximately 27% of complaints), followed by credit card fraud (14%).
Identity Theft Red Flag Requirements
• In October 2007, the Federal Banking Regulators issued final rules implementing the Identity Theft Red Flag Requirements of the FACT Act
• Written program to detect, prevent, and mitigate identity theft
• Overlap of IT and consumer compliance
What is Identity Theft?
• Fraud committed or attempted using, without authority, the identifying information of another person
• Name, SSN, TIN, etc.
• Very broad
Types of Identity Theft
• Hacking, dumpster diving, insider theft, phishing, shoulder surfing, family members, stealing (laptop, purse), physical break-in
• Shotgunning - the identity thief applies for multiple loans from multiple lenders on the same property within a short period of time. The identity thief then takes advantage of the lag time in recording mortgages, as lenders are unable to identify the existence of the other mortgages before funding the loans
Important Point
• The Identity Theft Red Flag Rules are very different from BSA
• BSA – required to report on suspicious transactions and money laundering, but not necessarily required to prevent it
• Identity Theft Red Flag Rule – you are required to prevent identity theft and can be held accountable if you do not
• Consequently, you must approach compliance with this rule differently
Four Critical Elements
• Identify relevant Red Flags for the accounts the credit union offers or maintains, and incorporate those Red Flags into its Program;
• Detect Red Flags that have been incorporated into the Program of the credit union;
• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
• Ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to members
Seven Step Process
• STEP 1: Identity Theft Program Administrator
• STEP 2: Conduct a Risk Assessment
• STEP 3: Identify Relevant Red Flags
• STEP 4: Detect Red Flags
• STEP 5: Preventing and Mitigating Red Flags
• STEP 6: Board Approval and Staff Training
• STEP 7: Updating the Program
STEP 1: Identity Theft Program Administrator
• Select an individual or committee to oversee and administer the Program.
• The Administrator is responsible for the implementation, oversight, and updating of the Program.
• The Administrator will need to be capable of addressing these steps to effectively implement the Program.
STEP 2: Conduct a Risk Assessment
• Conduct a risk assessment to identify all covered accounts for the rule. The rule defines a “covered account” as:
  • An account that a credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; or
  • Any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.
STEP 2: Conduct a Risk Assessment
• The credit union should take into consideration all of the following risk factors:
  • The types of accounts offered or maintained;
  • Methods provided to open accounts (web site, internet banking, etc.);
  • Methods provided to access accounts (bill payment, telephone banking, internet banking, etc.); and
  • Previous experiences with identity theft.
STEP 2: Conduct a Risk Assessment
• Identify all threats and the potential for harm, determine your existing safeguards, and analyze whether you need additional safeguards
• Some threats include:
  • Scams
  • Hacking
  • Trusted insiders
  • Physical break-ins
  • Shoulder surfing
• Do not forget general fraud
  • Mortgage, check, appraisal, etc.
STEP 2: Conduct a Risk Assessment
• Determine existing safeguards
  • Policies
  • Procedures
  • Automated tools
  • Training
  • Testing and monitoring
  • Authentication process
STEP 2: Conduct a Risk Assessment
• Taking all of that into consideration, determine:
  • Likelihood of identity theft occurring
  • Potential impact of identity theft
• No mandated format
• May be combined with another risk assessment, such as your member information security risk assessment, but make sure all elements of the Identity Theft rule are met
STEP 3: Identify Relevant Red Flags
The regulators have provided us with five general categories of Red Flags:
• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
• The presentation of suspicious documents;
• The presentation of suspicious personal identifying information, such as a suspicious address change;
• The unusual use of, or other suspicious activity related to, a covered account; and
• Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union.
STEP 3: Identify Relevant Red Flags
• In addition, the regulators have provided us with specific examples of Red Flags that fall into these general categories. Supplement A to Appendix J of the rule includes a list of 26 different Identity Theft Red Flags
• While these specific Red Flags are provided as examples, the list is not meant to be exhaustive
STEP 4: Detect Red Flags
• Develop procedures and controls to detect the identified Red Flags
• The detection requirement is simply a due diligence requirement to utilize sound controls that will help in detecting the Red Flags
• Applies to new and existing accounts
STEP 4: Detect Red Flags
• Use your existing Member Information Security Program and Customer Identification Program.
• You already have these in place. They will be very important going forward and could be the ultimate determining factor in whether you can comply with the rule or not.
STEP 4: Detect Red Flags
Ensure effective detective controls by:
• Obtaining identifying information about, and verifying the identity of, a person opening a covered account
  • For example, using the identification and verification policies and procedures set forth in your Customer (Member) Identification Program (CIP).
• Authenticating members
• Monitoring transactions, accounts, systems, dormant accounts, and applications
STEP 4: Detect Red Flags
• Penetration testing
• Vulnerability assessments
• IT audit
• Detect fraudulent activity
• Financial audit
• Verifying the validity of change of address requests, in the case of existing covered accounts
• Developing procedures referencing the existing CIP and security procedures as controls to detect appropriate Red Flags
STEP 5: Preventing and Mitigating Red Flags
• IT audit
• Written procedures and policies related to verifying identity that are enforced
• CIP
• Authentication
• Encryption
• Firewalls
STEP 5: Preventing and Mitigating Red Flags
• Employee background checks
• Employee training
  • Fraud and Identity Theft training
• Record retention/disposal of information
• Due diligence of service providers
STEP 5: Preventing and Mitigating Red Flags
Responses to Red Flags
• The Program must include appropriate responses to detected Red Flags
• The appropriate credit union response will vary depending on the risk posed by the detected Red Flag
• You probably already have an Incident Response Plan, but you may need to expand it
• Keep documentation related to the response
STEP 5: Preventing and Mitigating Red Flags
Examples of credit union responses to detected Red Flags:
• Monitoring a covered account for evidence of identity theft
• Contacting the member
• Changing any passwords, security codes, or other security devices that permit access to a covered account
• Reopening a covered account with a new account number
• Not opening a new covered account
• Closing an existing covered account
• Not attempting to collect on a covered account or not selling a covered account to a debt collector
• Notifying law enforcement
• Determining that no response is warranted under the particular circumstances
STEP 5: Preventing and Mitigating Red Flags
Third Party Providers
• Your credit union should have controls in place to ensure that third party service providers have Red Flag detection procedures in place.
• Take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
• For example, you could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the federal credit union or take appropriate steps to prevent or mitigate identity theft.
STEP 6: Board Approval and Staff Training
• Obtain written approval of the Program from the Board of Directors or an appropriate committee of the Board of Directors
• Train appropriate staff to implement the Program. Staff should be aware of identified Red Flags, controls to detect these Red Flags, and appropriate responses to detection
• Train any staff member who could detect or prevent Identity Theft
• Training should cover your identified Red Flags, policies and procedures, and the reporting process for Identity Theft
STEP 6: Board Approval and Staff Training
Annual Reporting: “staff of credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the credit union.”
STEP 6: Board Approval and Staff Training
Contents of the report:
• Material matters related to the Program, such as:
  • The effectiveness of the policies and procedures in addressing the risk of identity theft;
  • Service provider arrangements;
  • Significant incidents involving identity theft and management’s response;
  • Recommendations for material changes to the Program.
STEP 7: Updating the Program
The credit union should periodically update its Red Flags based on the following factors:
• The experiences of the credit union with identity theft;
• Changes in methods of identity theft;
• Changes in methods to detect, prevent, and mitigate identity theft;
• Changes in the types of accounts the credit union offers or maintains; and
• Changes in the business arrangements of the credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
ID Theft Red Flags Today
Risks
• Exams
• Potential for larger impact
• Civil suits?
ID Theft Trends
FinCEN Report on ID Theft Trends, Patterns and Typologies
• Report issued September 2010
• Studied SARs filed 2003-2009
ID Theft Trends
• Credit Card ID Theft
  • Physical theft
  • Virtual theft
  • 30% of the time the thief added his/her name as an authorized user
ID Theft Trends
• Deposit Account Fraud
  • ID thief opens a new joint account with the member’s name.
  • Thief then poses as the victim and directs a transfer from the existing member’s account into the joint account
ID Theft Trends
• Other notable trends
  • 22% of SARs filed involved friends or family members of the victim
  • 27% of SARs filed indicated the victim knew the identity thief
  • Only 18% of the SAR filings noted the identity theft was discovered within 1 week of the theft
  • 37% of the filings noted the theft was discovered 3+ months after the account was compromised
ID Theft Trends
• Notable “Red Flags” that aided discovery:
  • Notification by consumer that a fraudulent account was opened
  • Notification by consumer that there are unauthorized transactions
  • Incorrect social security number
  • Change of address requests
ID Theft Trends
• Tax Fraud, FinCEN Letter March 2012 (FIN-2012-A005)
• Additional Red Flags related to Tax Refund ID Theft
  • Multiple direct deposit tax refund payments, directed to different individuals
  • Suspicious or authorized account opening at a depository institution, on behalf of individuals who are not present, with the fraudulent actor being named as having signatory authority. The subsequent source of funds is limited to the direct deposit of tax refunds.
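The two tax-refund red flags above, expressed as a detection rule run over constructed deposit records (an added example, not code from the presentation or from FinCEN; the Credit record layout, the TAX_REFUND_ORIGINATOR label and the payee-count threshold are assumptions):

```python
"""FinCEN FIN-2012-A005 tax-refund red flags from this slide: (1) several direct-deposit tax
refunds in one account payable to different individuals, (2) accounts funded only by tax refunds.
Added example, not from the presentation; record layout and originator label are assumed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Credit:
    account: str     # receiving account number (constructed sample values below)
    payee: str       # individual the credit is payable to, as carried in the ACH entry
    originator: str  # ACH originator name; a real program would key off the company ID

# Assumed originator label for tax refund credits (placeholder, not a real ACH identifier).
TAX_REFUND_ORIGINATOR = "TAX AUTHORITY REFUND"

def _norm(name: str) -> str:
    """Normalise payee names so 'Dan  Demo' and 'DAN DEMO' count as one individual."""
    return " ".join(name.upper().split())

def multi_payee_refund_accounts(credits, min_distinct_payees=2):
    """Red flag 1: {account: sorted payees} for accounts that received tax refunds
    payable to at least `min_distinct_payees` different individuals."""
    payees = defaultdict(set)
    for c in credits:
        if c.originator == TAX_REFUND_ORIGINATOR:
            payees[c.account].add(_norm(c.payee))
    return {a: sorted(n) for a, n in payees.items() if len(n) >= min_distinct_payees}

def refund_only_accounts(credits):
    """Red flag 2: accounts where every incoming credit is a tax refund deposit."""
    by_account = defaultdict(list)
    for c in credits:
        by_account[c.account].append(c.originator == TAX_REFUND_ORIGINATOR)
    return sorted(a for a, flags in by_account.items() if all(flags))

# Constructed sample: 1001 collects refunds for three people; 1002 gets its owner's refund
# twice (amended return, same person); 1003 also receives a payroll credit.
SAMPLE_CREDITS = [
    Credit("1001", "ALICE EXAMPLE", TAX_REFUND_ORIGINATOR),
    Credit("1001", "BOB SAMPLE", TAX_REFUND_ORIGINATOR),
    Credit("1001", "carol test", TAX_REFUND_ORIGINATOR),
    Credit("1002", "DAN DEMO", TAX_REFUND_ORIGINATOR),
    Credit("1002", "Dan  Demo", TAX_REFUND_ORIGINATOR),
    Credit("1003", "DAN DEMO", TAX_REFUND_ORIGINATOR),
    Credit("1003", "DAN DEMO", "ACME PAYROLL"),
]

if __name__ == "__main__":
    print("multiple payees:", multi_payee_refund_accounts(SAMPLE_CREDITS))
    print("refund-only:", refund_only_accounts(SAMPLE_CREDITS))
```

Only account 1001 trips the first flag; 1002 is a single person whose name was keyed two ways, which is why payee names are normalised before counting.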
Tips
• Use existing risk assessments, policies, procedures and programs
• Create a standard form staff can use to report suspected identity theft
• Designate a centralized person/group to receive all incident reports of identity theft and other incidents
• Change/improve your response procedures as your system evolves and you learn what does/does not work
• Make your program usable, not difficult to utilize and comprehend
Questions?
Justin Robinson, Engagement Director, CliftonLarsonAllen LLP
612.414.6590
Justin.robinson@cliftonlarsonallen.com