
FACTA Red Flags


Presentation Transcript


  1. FACTA Red Flags Identity Theft Prevention Program Development Presented By: John P. Bonora, CRCM

  2. Overview • Program Structure & Administration • Risk Assessment Strategy • General Identity Theft Risk Exposure • Covered Account Identification & Analysis • Red Flag Identification • Red Flag Detection Methods • Red Flag Responses

  3. Policy-Program Flow

  4. Program Structure & Admin.
     • Regulatory Terms vs. Internal Terms
       • Regulatory
         • Covered Account
         • Red Flags
       • Internal Terms
         • Forms & Job Aids
         • All other accounts besides “covered accounts”

  5. Program Structure & Admin. • Approval & Annual Reporting • Initial Board Approval • Compliance/Risk Committee • Program Administrator • Red Flag Project Team • Should be Representative of the Bank

  6. Structure Pitfalls • Inquire about the Board’s risk appetite relative to covered accounts. • Have explanatory examples • Have Program specify what the annual report will include.

  7. Training • Leverage off current training program • Training need only be to the level to evidence effectiveness • Customized Targeted Training • May serve a more critical role for implementation • Online Training Modules

  8. Training Pitfalls • Ensure training sessions have been properly forecasted into implementation plan. • Document project team training as well as business line sessions

  9. Third Party Oversight • Leverage opportunity for Vendor Mgmt. Program (i.e. Due Diligence & Ongoing Monitoring Efforts) • “take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate, the risk of identity theft.” • FIL-44-2008 (Managing Third Party Risk) • Contract Addenda

  10. Third Party Oversight Question
     • Should we be getting contract addendums on all service providers that are permitted access to our customer information? For example, a processor that directly obtains, processes, stores, or transmits customer information on our behalf. Similarly, an attorney, accounting firm, or consultant who performs services for our bank and has access to customer information.
     Regulation vs. Recommendation
     • It is not required; however, it is recommended in guidelines.
     • “For example, a FI or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the FI or creditor, or to take appropriate steps to prevent or mitigate identity theft.”

  11. Third Party Oversight Question
     • How do we address the Red Flag requirements with a credit card or investment servicer such as Elan or Infinex?
     Responsibilities
     • Third party oversight obligations. (FIL-44-2008)
     • For covered accounts, define the lines of responsibility (i.e. origination & servicing).
     • Develop red flags, detection mechanisms, and responses.

  12. Oversight Pitfalls • Reconcile your Identity Theft Program to your Vendor Management Program. • Empty references create control gaps • “An institution can outsource the function, but not the responsibility” -FDIC

  13. Program Update • A Sound Update Methodology = Power • A Pulse to Your Environment • Past Experiences Log • Number & Types of Cases • Affected Business Lines • Let Metrics Support Your Position

  14. Program Update • Tracking basic statistics can allow you to compare to published data. • Allows you to support current control environments.

  15. Risk Assessment • Geographic & Demographic Analysis • Covered Account Identification

  16. Geo & Demo Analysis • Footprint Analysis • Geographic & Demographic Analysis • Industry Communications & News • Conclusions

  17. Covered Account Analysis • No right or wrong method, provided the approach can be justified. • Take an inventory of all accounts offered by the Bank. • Identify all accounts that are automatically covered accounts

  18. Covered Account Analysis • Identify the applicable business lines for each account. • Communicate all “auto” covered accounts and non “auto” covered accounts to each business line. (Business Line Covered Account Analysis) • Require business lines to assess each non “auto” covered account. (Discretionary Account R.A.)

  19. Covered Account Analysis • Finalize each business line’s covered account list. (Enterprise-wide Covered Account Matrix) • Require each business line to assess each covered account by considering: • Types of covered accounts offered • Methods to open covered accounts • Methods to access covered accounts • Previous experiences

  20. Covered Analysis Summary

  21. Red Flag Identification • The covered account analysis will germinate the Red Flag identification process. • Supplement “A” serves as an excellent guide for the process. • Starting from the breach can serve as a nice way to “back-in” to the appropriate Red Flags. (Think like the crook)

  22. Red Flag Identification
     Breach Example
     • A small business LOC has $75,000 fraudulently accessed and transferred to a Karachi National Bank checking account.
     Potential Red Flags
     • Signature on faxed request does not match customer
     • Destination of funds
     • Amount or timing of transfer
     • Bank representative does not recognize client verifier

  23. Detection of Red Flags • Methods of Detection • Institution Reporting • Personnel Observations & Customer Contact • Geographic & Industry Observations • Continue to utilize the “back-in” philosophy to identify your detection methods for Red Flags.

  24. Detection of Red Flags
     Red Flag: Bank is notified that the consumer has placed an initial fraud alert on credit profile
       Institution Reporting → Alert is detected on credit profile during application process
       Personnel Contact → Customer informs Bank of alert on credit profile
       Industry Observation → N/A

  25. Red Flag Identification • Using a summary worksheet can assist in the development process of: Red Flag → Detection Method → Response

  26. Red Flag Responses • Responses should be commensurate with Red Flag detected. • Virtually all response procedures should start with identity verification. • Responses will be result dependent. • Response procedures should include a process to report and log the event. (Past Experiences Log)
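One way to turn the slide 22 breach example, the slide 25 worksheet (Red Flag → Detection Method → Response) and the slide 26 response principles into working code, as an added illustration that is not part of the presentation: the request, customer profile, thresholds and response steps are constructed assumptions, not the presenter's or any bank's procedure.

```python
from collections import Counter

# Constructed sample (not from the presentation): a faxed draw request on a
# small-business LOC, mirroring the slide 22 breach example. All values are made up.
REQUEST = {
    "business_line": "Commercial Lending",
    "amount": 75000.0,
    "hour_local": 23,
    "signature_matches_card": False,
    "destination_country": "PK",
    "verifier_name": "unknown caller",
}
PROFILE = {  # what the bank knows about the customer (assumed)
    "typical_transfer": 8000.0,
    "known_verifiers": {"J. Smith", "R. Patel"},
    "usual_destination_countries": {"US"},
}

def detect_red_flags(req, profile):
    """Slide 22 Red Flags raised by one request, each paired with its slide 25 detection method."""
    flags = []
    if not req["signature_matches_card"]:
        flags.append(("Signature on faxed request does not match customer", "Personnel Observation"))
    if req["destination_country"] not in profile["usual_destination_countries"]:
        flags.append(("Destination of funds", "Institution Reporting"))
    # thresholds are assumptions: 5x the usual transfer size, or outside business hours
    if req["amount"] > 5 * profile["typical_transfer"] or not 8 <= req["hour_local"] <= 18:
        flags.append(("Amount or timing of transfer", "Institution Reporting"))
    if req["verifier_name"] not in profile["known_verifiers"]:
        flags.append(("Bank representative does not recognize client verifier", "Personnel Observation"))
    return flags

def respond(flags):
    """Response commensurate with the flags (slide 26): identity verification first, then escalate."""
    steps = ["Verify identity by callback to the number on file"]
    if len(flags) >= 2:
        steps += ["Hold the transfer pending verification", "Escalate to Program Administrator"]
    if len(flags) >= 3:
        steps += ["Issue new access devices or close the account", "Complete affidavit with customer"]
    steps.append("Report and log the event in the Past Experiences Log")
    return steps

PAST_EXPERIENCES_LOG = []

def log_case(req, flags):
    """Append to the Past Experiences Log; return case counts by business line (slides 13-14)."""
    PAST_EXPERIENCES_LOG.append({"business_line": req["business_line"], "flags": [f for f, _ in flags]})
    return Counter(case["business_line"] for case in PAST_EXPERIENCES_LOG)
```

Running detect_red_flags on the sample request raises all four slide 22 flags, and the log counter is what the slide 14 comparison against published statistics would be built on.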

  27. Red Flag Responses

  28. Red Flag Responses
     Suspected or Confirmed Cases
     • Internal procedures to mitigate risk.
       • Issuance of new access devices
       • Closure of accounts
       • Completion of affidavit
     • Additional Information
       • Victim toolkit
       • Provision of sample letters

  29. Program Keystones • Leverage to your advantage. • Use data & past experiences to support your program structure • Keep the pulse • Sell the Program (ABC)

  30. Good Luck! Contact Information: John P. Bonora, CRCM John.Bonora@FairfieldCountyBank.com 203.431.7351
