Interagency Identity Theft Red Flags Regulation
Bank Compliance Association of CT
Bristol, CT
September 3, 2008
Agenda
• Background
• Overview of regulation & guidelines
• Issues
• Exam procedures
• Questions
Background
• Regulation & guidelines implement sections 114 & 315 of the FACT Act of 2003
• FACTA was enacted to help prevent ID theft, improve resolution of consumer disputes, and improve accuracy of consumer records.
• Joint final rule: 5 federal banking agencies & FTC
• Published in the 11/9/07 Federal Register
• Effective 1/1/08, compliance by 11/1/08
Overview
• Regulation requires 3 things:
  • Financial institutions and creditors must have a written ID theft prevention program
  • Debit and credit card issuers must assess the validity of change of address requests before issuing new cards
  • Users of consumer reports must reasonably verify that the consumer report relates to the consumer about whom it was requested, when the user receives a notice of address discrepancy
Overview
• Issuance has 3 parts:
  • Regulation (covers all 3 provisions)
  • Guidelines (red flags only)
  • Supplement to guidelines (red flags only)
• Form is confusing, but required by statute
Red Flags Overview
• Program must be designed to detect, prevent, and mitigate identity theft in connection with “covered accounts”
• Appropriate to the size & complexity of the FI and the nature & scope of its business
• Regulation does not require use of automated systems
• Board of Directors must approve the initial program
Identification of Covered Accounts
• Identify covered accounts:
  • All consumer transactional accounts are covered
  • Any other accounts that pose a reasonably foreseeable risk of ID theft to the customer or the bank
• FI must decide whether to cover business accounts, based on:
  • Methods for opening accounts
  • Methods for accessing accounts
  • Previous experiences with ID theft
Identification of Red Flags
• Identify relevant red flags from 3 sources:
  • Incidents of ID theft experienced
  • Methods of ID theft the bank has identified that reflect changes in risks
  • Supervisory guidance (Appendix + future publications)
• Red flags fall into 5 categories:
  • Alerts, notices, and warnings from CRAs or others
  • Suspicious documents
  • Suspicious identifying information
  • Suspicious account activity
  • Notice from customers, law enforcement, or others
Detection of Red Flags
• Program must be able to detect red flags in connection with the opening of any covered account or any existing covered account
• Guidelines provide 2 examples:
  • Verifying the identity of the person opening a covered account, e.g., by using CIP rules
  • Authenticating customers, monitoring transactions, and verifying change of address requests for existing accounts
Preventing & Mitigating ID Theft
• Guidelines list 9 possible responses:
  • Monitor the account
  • Contact the customer
  • Change passwords or security codes
  • Reopen the account with a new number
  • Decline to open a new account
  • Close the existing account
  • Do not attempt to collect on the account
  • Notify law enforcement
  • Determine that no response is warranted
Preventing & Mitigating ID Theft
• Guidelines provide that in determining a response, banks should consider aggravating circumstances such as:
  • A data security incident that results in unauthorized access to customer account records
  • Notice that a customer has provided information to a fraudster, e.g., as a result of a phishing attack
Address Discrepancies
• A bank that uses consumer reports and receives a notice of address discrepancy from a CRA must form a reasonable belief that the report relates to the consumer about whom it was requested
• If it cannot, the agencies expect that the bank will not use the consumer report
Address Discrepancies
• Bank can verify identity by comparing information in the consumer report with:
  • Information the bank uses to verify identity in accordance with its CIP;
  • Information in its own records; or
  • Information obtained from 3rd party sources
• Bank can also verify the information with the consumer directly
Address Discrepancies
• If the bank regularly & in the ordinary course of business furnishes information to the CRA, then it must furnish the confirmed address to the CRA when:
  • It forms a reasonable belief that the report relates to the consumer, and
  • It establishes a new relationship with that consumer
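The address-discrepancy steps on the three slides above, carried through as decision logic. This is an added example written for this page, not material from the presentation or from the FDIC: it compares the identifying information in the consumer report with the CIP record, the bank's own records, a third-party source, or the consumer's own confirmation; forms a "reasonable belief" only on a match; withholds use of the report otherwise; and returns the confirmed address to furnish when the bank is a regular furnisher and the relationship is new. The matching rule (a full match on a constructed name, date of birth and last-4-of-SSN tuple), the normalisation, and the choice of the matching source's address as the "confirmed address" are assumptions made here; the regulation prescribes none of them.

```python
"""Added example (not from the FDIC presentation): decision routine for a
notice of address discrepancy, following the steps the slides list.

Assumptions made here, not stated on the slides:
  * identifying information is a constructed (name, date of birth, last 4 of SSN)
    tuple, and a full match against any one permitted source forms the belief;
  * the address carried by the matching source is treated as the confirmed address.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class IdentityRecord:
    name: str
    dob: str          # ISO date, e.g. "1970-01-31"
    ssn_last4: str
    address: str


@dataclass
class DiscrepancyDecision:
    reasonable_belief: bool          # was the report tied to the consumer?
    matched_source: Optional[str]    # which permitted source produced the match
    may_use_report: bool             # agencies expect no use without the belief
    address_to_furnish: Optional[str]  # confirmed address owed to the CRA, if any


def _norm(text: str) -> str:
    """Constructed normalisation: uppercase, drop punctuation, collapse spaces."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", " ", text.upper())).strip()


def _same_consumer(report: IdentityRecord, record: IdentityRecord) -> bool:
    return (_norm(report.name) == _norm(record.name)
            and report.dob == record.dob
            and report.ssn_last4 == record.ssn_last4)


def resolve_address_discrepancy(
    report: IdentityRecord,
    cip_record: Optional[IdentityRecord],
    own_records: Sequence[IdentityRecord],
    third_party_records: Sequence[IdentityRecord],
    consumer_confirmation: Optional[IdentityRecord] = None,
    furnishes_to_cra: bool = False,
    new_relationship: bool = False,
) -> DiscrepancyDecision:
    # Sources the slides permit, checked in order; the consumer may also be asked directly.
    sources = [
        ("CIP", [cip_record] if cip_record else []),
        ("own records", list(own_records)),
        ("third party", list(third_party_records)),
        ("consumer", [consumer_confirmation] if consumer_confirmation else []),
    ]
    for source_name, records in sources:
        for rec in records:
            if _same_consumer(report, rec):
                # Furnishing duty applies only to a regular furnisher with a new relationship.
                furnish = rec.address if (furnishes_to_cra and new_relationship) else None
                return DiscrepancyDecision(True, source_name, True, furnish)
    # No reasonable belief formed: the agencies expect the bank not to use the report.
    return DiscrepancyDecision(False, None, False, None)


# Constructed sample: the CRA report shows a Hartford address while the bank's
# CIP file has the consumer in Bristol; the other identifiers agree.
REPORT = IdentityRecord("Jane Q. Public", "1970-01-31", "1234", "7 Oak Ave, Hartford CT")
CIP = IdentityRecord("jane q public", "1970-01-31", "1234", "12 Elm St, Bristol CT")
MISMATCH = IdentityRecord("John Public", "1965-05-05", "9999", "3 Pine Rd, Bristol CT")

if __name__ == "__main__":
    print(resolve_address_discrepancy(REPORT, CIP, [], [],
                                      furnishes_to_cra=True, new_relationship=True))
    print(resolve_address_discrepancy(REPORT, MISMATCH, [MISMATCH], []))
```

The ordering of sources mirrors the slide (CIP information, own records, third-party sources, then the consumer directly); a bank's actual program may weigh them differently, and a partial match that leaves doubt should fall through to the "do not use" branch rather than be forced into a belief.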
Change of Address Requests
• A bank that issues credit or debit cards must assess the validity of a change of address request if, within a short time thereafter, it receives a request for a new or replacement card
• Request can come from the consumer or USPS
• Applies to credit, debit and payroll cards
• Does not apply to gift cards or other prepaid cards
Change of Address Requests
• Bank can choose to verify the address change either:
  • When it receives the request for a new card; or
  • When it receives the notice of address change
• Many banks commented that it may be easier to simply verify all address changes when received
Change of Address Requests
• Regulation sets forth 2 methods:
  • Either:
    • Notify the cardholder at the former address or by any other means previously agreed to, and
    • Provide the cardholder a reasonable means to report an incorrect address change
  • Or:
    • Any other reasonable means in accordance with policies established pursuant to the red flags rule
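The card-issuer rule on the three slides above is, in practice, an event-correlation check: an address change followed "within a short time thereafter" by a request for a new or replacement card on the same account. The following is an added example written for this page, not code from the presentation or from the FDIC. It runs that check over a constructed event feed, excludes gift and other prepaid cards, and attaches the first validation method the slide names (notify at the former address and give the cardholder a way to report a bad change). The length of the window (30 days by default), the event field names, and the sample events are assumptions made here; the regulation does not define them.

```python
"""Added example (not from the FDIC presentation): correlating change-of-address
notices with subsequent card requests, as the slides describe for card issuers.

Assumptions made here, not stated on the slides:
  * "a short time thereafter" is modelled as a configurable window, default 30 days;
  * events are simple dicts from a constructed feed with the field names used below;
  * only credit, debit and payroll cards are in scope; gift/prepaid are excluded.
"""
from datetime import datetime, timedelta

IN_SCOPE_CARDS = {"credit", "debit", "payroll"}   # gift/prepaid excluded per the rule

# Constructed sample feed: A-100 changes address (via USPS) and asks for a new
# debit card nine days later; A-200 asks for a gift card; A-300 has no prior
# change; A-400's change is months old.
SAMPLE_EVENTS = [
    {"ts": "2008-07-01T10:00:00", "type": "address_change", "account": "A-100",
     "source": "USPS", "old_address": "12 Elm St, Bristol CT",
     "new_address": "7 Oak Ave, Hartford CT"},
    {"ts": "2008-07-10T09:30:00", "type": "card_request", "account": "A-100",
     "card_type": "debit"},
    {"ts": "2008-07-02T11:00:00", "type": "address_change", "account": "A-200",
     "source": "consumer", "old_address": "1 Main St, Bristol CT",
     "new_address": "2 Main St, Bristol CT"},
    {"ts": "2008-07-05T14:00:00", "type": "card_request", "account": "A-200",
     "card_type": "gift"},
    {"ts": "2008-07-20T08:00:00", "type": "card_request", "account": "A-300",
     "card_type": "credit"},
    {"ts": "2008-03-01T08:00:00", "type": "address_change", "account": "A-400",
     "source": "consumer", "old_address": "5 Pine Rd, Bristol CT",
     "new_address": "9 Birch Ln, Bristol CT"},
    {"ts": "2008-07-21T08:00:00", "type": "card_request", "account": "A-400",
     "card_type": "credit"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def flag_card_requests(events, window_days=30):
    """Return the card requests that must be validated before a card is issued.

    A request is flagged when the same account received an address change
    (from the consumer or USPS) within `window_days` before the request and
    the requested card is credit, debit or payroll.
    """
    changes = [e for e in events if e["type"] == "address_change"]
    requests = sorted((e for e in events if e["type"] == "card_request"), key=_ts)
    flagged = []
    for req in requests:
        if req["card_type"] not in IN_SCOPE_CARDS:
            continue   # gift and other prepaid cards are outside the rule
        recent = [c for c in changes
                  if c["account"] == req["account"]
                  and timedelta(0) <= _ts(req) - _ts(c) <= timedelta(days=window_days)]
        if not recent:
            continue
        change = max(recent, key=_ts)   # the most recent change before the request
        flagged.append({
            "account": req["account"],
            "card_type": req["card_type"],
            "address_change_source": change["source"],
            "days_since_change": (_ts(req) - _ts(change)).days,
            # First method on the slide: notify at the former address (or a
            # previously agreed channel) and give a means to report a bad change.
            "validation": {
                "notify_at": change["old_address"],
                "provide_means_to_report": True,
            },
        })
    return flagged


if __name__ == "__main__":
    for item in flag_card_requests(SAMPLE_EVENTS):
        print(item)
```

Because the slide notes that a bank may instead verify every address change when the notice arrives, a program taking that route would run the notification step on each `address_change` event and skip the correlation entirely; the correlation form shown here is what the "verify at card request" option requires.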
Issues
• Interplay among the 3 parts can be confusing
• Regulation straddles multiple disciplines, e.g., fraud prevention, risk management, IT security, compliance
• The structure of ID theft prevention programs will vary, but trade associations are working on help documents
Issues
• Program can be human based, computer based, or a combination of both
• Is a business account a “covered account”?
• Some banks are waiting for exam procedures before beginning to comply
Exam Procedures
• FDIC is still drafting exam procedures
• Expect that address changes and address discrepancies will be handled as part of the compliance examination.
• Red Flags will be part of the safety and soundness examination. The BSA and IT examiners will collaborate on the review.
• Do not expect a roadmap to compliance, but it is always helpful to see what questions examiners will be asking
Contact Information
James Avery, CISA
IT Examiner, FDIC
Email: Jaavery@Fdic.gov