Identity Theft

1
Identity Theft the FACT Act

• Jacci Grawburg
• Vice President General Counsel
• College Foundation, Inc.

2
Identity Theft

• Identity Theft and Assumption Deterrence Act of
  1998
  
• Fair and Accurate Credit Transaction Act (FACT
  Act)
  
• www.consumer.gov/idtheft/

3
Identity Theft

• Approximately 10 million Americans affected each
  year
  
• Internet related complaints accounted for 53 of
  fraud and ID theft complaints
  
• National and State trends
• (www.consumer.gov/idtheft/pdf/clearinghouse_2004.
  pdf)

4
Identity Theft

• Phishing
• Skimming
• Telephone Scams
• Dumpster Diving
• Theft of information
• Hacking
• Etc

5
Identity Theft

• 23 States have enacted security breach and
  security freeze legislation
  
• (www.pirg.org/consumer/credit/statelaws.htm)
• Federal bills introduced
• Federal preemption?

6
FACT Act

• FACT Act enacted on Dec. 4, 2003
• Amends Fair Credit Reporting Act (FCRA)

7
FACT Act

• Primary components of FACT Act
• identity theft prevention
• improve consumer access to credit reports
• enhance accuracy of credit reports
• federal preemption provisions

8
Identity Theft Prevention

• Simplified requirements for consumers to report
  identity theft and fraud
  
• Initial fraud alert (good faith suspicion)
• Extended fraud alert (ID theft report)
• Active duty military alerts
• Free annual credit reports
• Disclosure of credit scores

9
Identity Theft Prevention

• Initial Fraud Alert creditor must have
  reasonable policies and procedures to form a
  reasonable belief of consumers identity prior
  to extending credit
• Extended Fraud Alert -- creditor must contact
  consumer prior to extending credit

10
Identity Theft Prevention

• Creditor must provide loan application
• and business transaction records resulting
• from identity theft if
• Request is in writing
• Mailed to designated creditor address
• Positive proof of identification
• Copy of police report and ID theft affidavit (if
  required)

11
Identity Theft Prevention

• Notice of information block to creditor (data
  furnisher)
  
• Prevention of repollution of credit reports
• Prohibition on sale or transfer of debt caused by
  identity theft

12
Identity Theft Prevention

• Record Disposal
• FTC November 24, 2004 Regs published effective
  June 1, 2005
  
• Banking regulators December 24, 2004 published
  regs effective
  
• July 1, 2005

13
Identity Theft Prevention

• Creditors must give notice to consumers upon
  reporting negative information
  
• Federal Reserve Board published model notice on
  June 8, 2004
  

14
Future Regulations

• Red Flag guidelines for financial institutions
  to prevent ID theft
  
• Accuracy and integrity guidelines
• Ability of consumer to dispute information with
  creditor (data furnisher)
  
• Reconciling addresses

15
Federal Preemption

• FACT Act preempts state laws related to
• Fraud and military alerts (605A)
• Information reporting blocks due to ID theft
  (605B)
  
• Prohibition against sale or transfer of debt
  (615(f))
  
• Repollution of credit reports (623(a)(6))
• Sharing of affiliate information (624)
• Disposal of records (628)

16
THANK YOU!Please be sure to complete your
conference evaluation forms after the conference!

• Jacci Grawburg
• Vice President General Counsel
• College Foundation, Inc.

17
USA PATRIOT Act CAN-SPAM

• Shelly Repp
• General Counsel, NCHELP

18
Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
19
Section 326 Customer Identification Programs

• The Secretary of the Treasury shall prescribe
  regulations setting forth minimum standards for
  financial institutions that shall apply in
  opening an account

20
Section 326 Minimum Requirements

• The regulations must, at minimum require
• Verification of identity
• Maintaining records used to verify identity
• Consulting terrorist lists

21
Treasury Rule Published 5/9/03

• Requires banks, savings associations, credit
  unions, private banks and trust companies to
  establish customer identification procedures.
  Treasury said it intended to issue separate rules
  for non-bank financial institutions. None have
  been issued to date.

22
CIP Rule - Definitions

• Applies to customers who open accounts
• What is an account?
• A formal banking relationship including a deposit
  account and a credit account
  

23
CIP Rule - Definitions

• Who is a customer?
• A person who opens a new account
• Existing customer exception
• If no account is opened, the applicant is not a
  customer
  
• Accounts acquired by asset purchase are not new
  accounts.
  

24
CIP Rule Basic Requirement

• A financial institution must have a customer
  identification program (CIP) appropriate for its
  size and type of business. The procedures should
  be risk-based.
• What is the risk with student loans?
• FAFSA processing verifications
• School certifications
• Directed disbursement procedures

25
CIP Rule Elements

• Information to be obtained from customers prior
  to time an account is opened
  
• Name
• Date of Birth
• Street Address
• TIN

26
CIP Rule Elements

• The identity of the customer must be verified
  after the account is opened, using either
  documentary or non-documentary methods.
  Information from third-party sources may be used
  (FAFSA, credit bureaus)

27
CIP Rule Elements

• The CIP must provide for keeping a record of all
  information obtained.
  
• For information retained from customersmust be
  kept for five years after account closes.
  
• Verification informationmust be retained for
  five years after the record is made.
  

28
CIP Rule Elements

• The CIP must include procedures for determining,
  within a reasonable time after account is opened,
  whether the customer is on any government list of
  known or suspected terrorists
• Customers must be provided notice that the
  financial institution is requesting information
  to verify identity
  

29
CIP Rule Contractors

• A bank can contract with third parties to comply
  with requirements, but remains liable for
  compliance (unless the contractor is a regulated
  financial institution subject to anti-money
  laundering compliance requirements)

30
Section 352 Anti-Money Laundering (AML)
Programs

• Amends the Bank Secrecy Act (BSA)
• Requires each financial institution to establish
  a money laundering program, including at a
  minimum
  
• Development of internal policies, procedures and
  controls
  
• An ongoing employee training program
• An independent audit program to test the program
• Authorizes the Secretary of Treasury to prescribe
  minimum standards
  

31
What is Money Laundering?

• Converting money gained from illegal activity
  into money that appears legitimate so that its
  illegal sources cannot be traced
  
• How can this occur in our world?

32
AML Programs

• What is a financial institution?
• Statutory definition is extremely broad, and
  includes entities already subject to Federal
  regulation (e.g. banks), and also dealers in
  precious metals and jewels, pawnbrokers, loan or
  finance companies, travel agencies, car dealers,
  real estate companies, investment bankers,
  investment companies and others

33
AML Programs

• Since 1987 depository institutions had been
  required to have anti-money laundering programs
  
• These programs contain the same requirements set
  forth in the USA PATRIOT Act
  
• Broker-dealers, money services businesses, mutual
  funds and operators of credit card systems were
  required to have AML programs under regulations
  issued in 2002 pursuant to the USA PATRIOT Act

34
AML Programs - Policies

• Objective is to comply with BSA and prevent use
  of the financial institution for money
  laundering
  
• Must assess BSA requirements and risks
  applicable to it
  
• Design procedures to meet risks
• Program must be in writing and approved by the
  Board of Directors

35
AML Programs - Officer

• Individual or committee
• Knowledgeable about BSA and money laundering
• Authorized to enforce requirements throughout the
  financial institution
  
• Full or part time

36
AML Programs - Training

• Relevant to functions
• Include employees and service providers
• General awareness of money laundering and
  job-specific requirements

37
AML Programs - Testing

• Either employee or third party
• Independent not involved in operation or
  management program
  
• Knowledgeable about BSA requirements
• Submit assessment or report

38
Controlling the Assault of Non-Solicited P
ornography and Marketing Act of 2003
CAN-SPAM

Thanks to Tom Levandowski, Wachovia Corporation
for materials and advice
39
CAN-SPAM

• Need to understand CAN-SPAM if you plan to
  communicate with your customers electronically -
  - and/or want to generate new customers through
  email advertisements.

40
CAN-SPAM

• Congressional Findings
• Electronic mail has become an extremely important
  means of communication
  
• The convenience and efficiency of electronic mail
  are threatened by the rapid growth of unsolicited
  commercial electronic mail
  
• The receipt of a large number of unwanted
  messages creates risk that wanted electronic mail
  messages will be lost or overlooked

41
CAN-SPAM

• Effective 1/1/04
• General Scope Regulates, but doesnt ban,
  SPAM.
  
• Allows companies to send email ads to potential
  customers, even where
  
• the recipients have not given prior consent to
  such ads, and
  
• the sender does not have a preexisting or current
  business relationship with the recipient.
  

42
CAN-SPAM

• General Scope (cont.)
• Senders of commercial email messages must
• provide an opt-out tool for recipients
• process opt-out requests
• use truthful subject lines,
• use legitimate return e-mail addresses,
• include physical postal addresses in messages,
  and
  
• clearly label commercial e-mail as advertising.

43
CAN-SPAM

• Covers Commercial electronic mail messages
• Definition any electronic mail message
• the primary purpose of which
• is the commercial advertisement or promotion
• of a commercial product or service (including
  content on an Internet website operated for a
  commercial purpose).

44
CAN-SPAM

• What isnt a commercial electronic message?
• Transactional or Relationship Messages An
  electronic mail message the primary purpose of
  which is--
  
• to facilitate, complete, or confirm a commercial
  transaction that the recipient has previously
  agreed to enter into with the sender

45
CAN-SPAM

• What isnt a commercial electronic message?
• Transactional or Relationship Messages An
  electronic mail message the primary purpose of
  which is--
  
• to provide with respect to a account or loan
• notification concerning a change in terms or
  features
  
• at regular periodic intervals, account balance
  information or other type of account statement

46
CAN-SPAM

• What isnt a commercial electronic message?
• Referencing Company/Website - Referencing a
  commercial entity or a link to its website in an
  email does not, by itself, cause such email to be
  treated as a commercial email message if
• the contents or circumstances of the message
• indicate a primary purpose
• other than commercial advertisement or promotion
  of a commercial product/service.

47
CAN-SPAM

• Must Offer Opt-out
• Commercial email message must give recipient the
  ability to send a reply message or other
  Internet based communication that opts out of
  future emails from the sender.
• Email can also provide a list or menu from which
  recipient chooses the specific types of
  commercial email messages the recipient wants, or
  does not want, to receive from the sender.
• Recipients ability to make such an opt out
  response must be good for at least 30 days after
  the original message is sent

48
CAN-SPAM

• Opt-outs must be honored
• If an email ad recipient opts-out of receiving
  future mailings, the sender must not
  
• transmit email ads to that recipient after 10
  days from the date of receipt of the opt out
  request.
  
• sell or otherwise transfer email addresses of
  persons who have opted out of future mailings.
  
• When a consumer opts out, ensure they receive no
  more commercial emails advertising your company,
  from any source.
  

49
CAN-SPAM

• Prohibits certain fraudulent and misleading
  practices
  
• Aimed at stopping any and all attempts to conceal
  the origins of email ads or the identities of
  their senders.
  
• Prohibits "harvesting" e-mail addresses (sending
  emails to email addresses harvested from Internet
  chat rooms, blogs and other sources without the
  permission of the Web site or its members/users.)

50
CAN-SPAM

• Prohibits certain fraudulent and misleading
  practices
  
• Prohibits
• falsification of header information,
• false registrations for email accounts or IP
  addresses used in connection with email ads, and
  
  
• retransmissions of email ads for the purpose of
  concealing their origins.

51
CAN-SPAM

• Must Identify Email as Ad
• Unless a sender has obtained the recipients
  affirmative consent, the sender must
  
• identify its messages as advertisements or
  solicitations, and
  
• to do so by means that are clear and
  conspicuous.
  
• does not mandate how (compare with many state
  laws that required an "ADV" label on unsolicited
  commercial e-mail).
  
• Email must also provide valid physical postal
  address of the sender.
  

52
CAN-SPAM

• Preempts tougher state anti-spam laws
• Supersedes any state statute, regulation, or rule
  that expressly regulates the use of electronic
  mail to send commercial messages
  
• except to the extent that any such statute,
  regulation, or rule prohibits fraud or deception
  in any portion of a commercial email message or
  information attached thereto.

53
CAN-SPAM

• Enforcement no private right to sue spammers
• Commercial email recipients cannot sue senders
  for CAN-SPAM violations.
  
• Enforcement will be only by means of criminal and
  civil actions brought by the FTC, the functional
  federal regulator for banks, state law
  enforcement authorities, and Internet Service
  Providers.

54
CAN-SPAM

• Enforcement Civil Actions
• State enforcement authorities -
• Injunction against further violations
• Damages greater of actual loss or statutory fines
  of up to 250 per message
  
• No cap for actual loss if statutory fine
  applies, capped at 2 million
  
• Applicable damages (actual or statutory) may be
  tripled in particularly egregious cases.

55
CAN-SPAM

• Enforcement Criminal Actions
• Violation of some provisions bring criminal
  penalties.
  
• fines, plus
• jail sentences up to 5 years in some instances,
  plus
  
• confiscation of any real or personal property
  purchased with spam earnings.
  

56
CAN-SPAM

• Enforcement
• Compliance tip You are responsible not only for
  the legality of your own e-mail lists, but also
  the legality any lists you rent or buy.
  
• Senders can be held liable for using an email
  list procured "with actual knowledge, or by
  consciously avoiding knowing, that the list was
  gathered in violation of the Act.
• If you use third party lists, ensure that names
  on the list were gathered in a manner allowed
  under CAN-SPAM.

57
CAN-SPAM

• Enforcement
• Compliance tip (third party lists cont.)
• Get written assurances from list-provider that
• information on list was collected in accordance
  with CAN-SPAM any other applicable laws,
  
• all consumers on the list provided the level of
  consent advertised by the list owner,
  
• no consumer listed has opted out of receiving
  e-mail

58
THANK YOU!Please be sure to complete your
conference evaluation forms after the conference!

• Shelly Repp, General Counsel
• NCHELP
• (202) 822-2106
• shelly_repp_at_nchelp.org

59
Laws and Regulations that Impact FFEL Outside of
HEA

• Larry Laskey
• Vice President, Counsel
• Van Ru Credit Corporation

60
No matter where you go

• Technology
• Access to more, and more quickly
• Promotes efficiencies
• Increased concerns
• Information privacy
• leave me alone
• Identity theft

61
there you are!

• Unintended consequences
• Limits on
• Information access
• Utilization of technology
• Decreased effectiveness
• Increased cost

62
Social Security Numbers

• Social Security administration
• IRS Taxpayer ID number
• Other federal programs
• State databases
• Credit reporting agencies
• Health care organizations

63
Social Security Numbers

• Traditional protections
• Privacy Act
• Government/agents
• Limits on use/disclosure
• Notification of records
• FDCPA
• Debt collectors
• Third party disclosure

64
Social Security Numbers

• More recently
• GLB disclosure/use limits
• Safeguard Rules
• FACT Act redaction
• FTC Disposal rules
• Breach notification

65
Social Security Numbers

• States lead/limit ID theft
• Use in mailed materials, unless
• Required by law
• Applications/forms
• But not
• post or accesscards
• visible through envelope
• Encoded/imbedded

66
Social Security Numbers

• secure (or encrypted) Internet transmission
• website access w/additional authentication
• Conditioning receipt of services
• Disclosure by phone or email

67
Social Security Numbers

• Limiting availability in public records
• State databases
• Federal court files
• Potential National effect?
• conducting business
• recipients

68
Social Security Numbers

• Impacting reliance on SSN
• to confirm ID
• To obtain/maintain information
• Federal (HEA) pre-emption?
• State cant use, include or ask for laws
• States control their databases
• Decreases voluntary compliance

69
Social Security Numbers

• Federal Proposals
• Cannot display (non-government records) w/o
  consent
  
• Must redact electronic (government) records
• (Potentially) must redact paper records

70
Social Security Numbers

• Federal Proposals
• On-line reference services cannot disclose w/o
  consent
  
• Cannot solicit it unless no alternative
• Alternatives?
• Different identifier?
• Multiple identifiers

71
E-mail

• The new key to communication
• Low cost
• Any time
• Efficient
• Effective
• Anonymous?

72
E-mail

• FDCPA issues
• Third party disclosure
• Adequacy of consent
• Any e-mails to employers?
• State law compliance
• Communication content
• Which state?

73
E-mail

• Privacy concerns
• Credit card truncation
• SSN as identifier
• Know your recipient?

74
E-mail

• Increased expense
• Secure/encrypt
• Communicate the password
• Confirm recipient ID
• Payment systems

75
E-mail

• Commercial Electronic Messages
• Opt out notice/procedures
• labeled as advertisement
• truthful header/subject line
• Valid return email/physical return address

76
E-mail

• transactional or relationship message
• FCC
• absent a contrary ruling by the FTC, messages
  that concern a debt owedfall under the exemption

77
E-mail

• Primary purpose of dual purpose
• commercial (not exempt) if
• Subject line test
• Content test
• Reference collection/ mention repayment
  alternatives?

78
Cell Phones

• Increasing over landline usage
• Subscribers in 1991 7.5 million
• Subscribers in 2004 182 million
• 6 us households are cell only
• Preferred means of communication

79
Cell Phones

• FDCPA issues
• Charges by concealing purpose
• Call times

80
Cell Phones
Cell Phones

• Privacy concerns (absent consent)
• No dialer calls (all dialers?)
• No recorded messages
• Includes text messaging
• Consent in loan documents?
• Pre-screen all numbers?

81
Cell Phones

• How do you pre-screen?
• Reliability of prefix lists?
• Landline to wireless porting
• Proposal to exclude from 411w/o consent
• Area codes not reliable indicator of local
  time
  
• Frequency/cost of updates

82
Automated Messaging

• FDCPA (communication?)
• Privacy issues prohibit (w/o consent)
• To cell phones
• To any other phone to solicit absent EBR
• collection exempt, but
• dual Purpose calls?
• Compliance with other rules

83
Automated Messaging

• Other rules require
• Caller identification
• Real return phone number
• Five second line release

84
State Messaging Rules

• States are not preempted
• Many (not all) limited to soliciting
• Others are unclear
• Requirements can include
• Notification to local Telecom
• Permit/Registration/license
• No ANI blocking

85
State Messaging Rules

• Live operator initiation
• Called party consent
• Expanded no call rules
• Maximum dialer drop rates
• Practical prohibition?

86
Telemarketing Rules

• Debt collection
• Up-selling or dual purpose
• Do not call list
• Transmission of caller ID
• Dialer Ring time
• Call abandon
• Nomessaging (absent EBR)

87
Existing Business Relationship?

• Not an exception to prohibitions
• Dialers/messaging to cell phones
• Fax solicitation w/o consent
• FCC Reconsideration
• 18 months after account closed
• FACT Act affiliate sharing
• while contracts are in force

88
Footnote 111
A debt collector that offers a debtor a means
of payment during a collection call would not be
making a telephone solicitation or unsolicited
advertisement.
89
So, Here We Are

• Technology provides opportunity
• Implementation provokes Privacy
• challenges and opportunities
• Challenge cost effective compliance
• Opportunity improved, efficient communications

90
THANK YOU!Please be sure to complete your
conference evaluation forms after the conference!

• Larry Laskey
• Vice President, Counsel
• Van Ru Credit Corporation

91
Title of Session

• Presenters Name
• Title
• Presenters Name
• Title

92
Session Item

• Text (please keep the font size relative large)
• Text
• Text
• Text

93
Session Item

• Text (please keep the font size relative large)
• Text
• Text
• Text

• Text (please keep the font size relatively
  large)
  
• Text
• Text
• Text

94
Title of Session

• Presenters Name
• Title
• Presenters Name
• Title