IDENTITY THEFT PREVENTION PROGRAM

1
IDENTITY THEFT PREVENTION PROGRAM

• Implementing Sections 114 and 315 of the FACT Act
  of 2003

2
Identity Theft Prevention
3
Background of the New Regulatory Requirements

• Fair and Accurate Transactions Act (FACT Act) of
  2003.
• Fact Act added new provisions to Fair Credit
  Reporting Act of 1970
• Agencies published a joint notice of proposed
  rulemaking in the Federal Register on July 18,
  2006.
• Guidelines set forth to implement sections 114
  and 315 of the FACT Act.
• Effective date of ruling is January 1, 2008.
• Compliance Deadline is November 1, 2008.

4
Overview of Final Rule
5
What are the Final Rule Regulatory Requirements?

• All federally insured credit unions are required
  to prepare, adopt and implement an Identity Theft
  Prevention Program (Program). The Program must
• Be in writing and designed to detect, prevent and
  mitigate identity theft in connection with new or
  existing covered accounts.
• Identify and incorporate relevant red flags, and
  provide for appropriate responses to red flags
  designed to prevent and mitigate identity theft.
• Be periodically updated and properly administered.

NOTE Many credit unions already have some
aspects of an identity theft prevention program
in place, and will not be starting from scratch.
6
How do Credit Unions Apply the Final Rule?
7
How do you Develop Your Identity Theft Program
Model?

• Complete a Risk Assessment
• Depends on
• Size and complexity of your credit union
• Nature and scope of your activities

8
What is the next step after completing a risk
assessment?

• Use your risk assessment to help you develop and
  implement a written Identity Theft Prevention
  Program (Program) designed to detect, prevent and
  mitigate identity theft.

9
What are some key terms your Program should
define?
10
What is Identity Theft?

• A fraud committed or attempted using the
  identifying information of another person without
  authority.

11
What is a Covered Account?

• An account that a financial institution or
  creditor offers or maintains, primarily for
  personal, family or household purposes that
  involves or is designed to permit multiple
  payments or transactions.

12
What are the Other Key Program Definitions?
13
What are Information Sources Used for Identity
Theft?

• Dumpster Diving
• Phishing
• Pharming
• Vishing
• Imposter websites
• Other Examples (Card Skimming Shoulder Surfing)
• Identity Fraud

14
What are the New NCUA Regulatory Requirements?
15
What are the Duties regarding Address
Discrepancies?
NCUA Rules and Regulations Section 717.82
16
What are the Duties regarding Address
Discrepancies?

• Develop and implement procedures for furnishing
  members addresses to consumer reporting agencies
  (CRAs), which include
• Confirming the accuracy of a members address by
• Verifying directly with the member
• Reviewing credit union records
• Verifying the information via third party
  sources.
• Verifying consumer report information to ensure
  the report relates to the correct person and
• Reporting the validated address to the CRA as
  part of the information regularly reported.

17
What are the Duties Regarding Detection,
Prevention and Mitigation of Identity Theft?
NCUA Rules and Regulations Section 717.90
18
What are the Duties Regarding Detection,
Prevention and Mitigation of Identity Theft?
NCUA Rules and Regulations Section 717.90

• Develop and Implement a written Identity Theft
  Prevention Program designed to detect, prevent
  and mitigate identity theft in connection with
  the opening of a new covered account or an
  existing covered account

19
What are the Required Elements of an Identity
Theft Prevention Program?
NCUA Rules and Regulations Section 717.90
20
What are the Required Elements of an Identity
Theft Prevention Program?
NCUA Rules and Regulations Section 717.90
21
What are the Required Elements of an Identity
Theft Prevention program?
NCUA Rules and Regulations Section 717.90
22
How Often and Why Should You Update Your Program
23
What are the Sources of Red Flags?

• Section 717, Appendix J, NCUA Rules and
  Regulations
• Sources of Red Flags
• Incidents of identity theft experienced by your
  credit union
• Methods of identity theft your credit union has
  identified that reflect changes in identity theft
  risk
• Applicable supervisory guidance

lt Supplement A, Appendix J, Section 334 of FACT
Act
24
What are the Five Major Categories of Red Flags?
25
What are Guidelines for Detecting Red Flags?

• Detecting Red Flags
• Obtaining identifying information about, and
  verifying the identity of, a person opening a
  covered account for example, using the policies
  and procedures regarding identification and
  verification set forth in your credit unions
  written Customer Identification Program
• Authenticating members
• Monitoring transactions
• Verifying the validity of change of address
  requests, in the case of existing covered accounts

26
What are Appropriate Responses to Red Flags?
27
What are Guidelines for Updating an Identity
Theft Prevention Program?
28
What are Guidelines for Administering an Identity
Theft Prevention Program?

• Administering the Program
• Oversight by Board of Directors
• Reporting process
• At least annually to the board regarding
  compliance
• Report on Program effectiveness
• Report significant incidents of identity theft,
  including managements response
• Service provider arrangements
• Recommendations for changes to the Program
• Oversight of service provider arrangements

29
What are Other Applicable Legal Requirements?
30
What are Duties of Card Issuers Regarding Changes
of Address?

• NCUA Rules and Regulations Section 717.91
• Applies to debit and credit card issuers
• Must implement policies and procedures to assess
  validity of address changes if your credit union
  also receives, within 30 days after the change of
  address, a request for additional or replacement
  cards for that account.

31
What are Duties of Card Issuers Regarding Changes
of Address?
32
What are Ways You Can Educate Your Members
Regarding Identity Theft Prevention?

• Use Publications
• NCUA Brochure Enclosure from Letters to Credit
  Unions 04-CU-12, and 05-CU-20, You Can Fight
  Identity Theft, issued September 2004, and
  December 2005, respectively.

33
What are Ways You Can Educate Your Members
Regarding Identity Theft Prevention?

• NCUA publication of a second Identity Theft
  brochure entitled Identity Theft Dont Let it
  Happen to You.
• This brochure is also available on NCUAs
  website, www.ncua.gov.

34
What are Some Other Publications Available about
Identity Theft Prevention?

• Publications from Federal Trade Commission
  (www.ftc.gov)
• Detailed Publication, Talking About Identity
  Theft A How-To Guide
• Statement Stuffer (bi-lingual)

35
What are Some Other Publications Available about
Identity Theft Prevention?

• Publication from Federal Reserve Bank of Boston
  at www.bos.frb.org
• Detailed Brochure
• Condensed Summary
• ID theft information from Balance, a financial
  education and credit counseling service
  www.balancepro.net

36
What are Other Ways You Can Educate Your Members
About ID Theft Prevention?

• Let your members know how they can obtain their
  credit reports from all three major credit
  bureaus annually for free, from the U.S.
  Government
• www.annualcreditreport.com, or 1-877-322-8228

37
Resources

• National Credit Union Administration, 12 CFR,
  717, and Federal Trade Commission 12 CFR, 681,
  Identity Theft Red Flags and Address
  Discrepancies under the Fair and Accurate Credit
  Transactions Act of 2003
• NCUA Letter to Credit Unions 08-CU-24, Identity
  Theft Red Flags and Consumer Reports Address
  Discrepancies Records Disposal Procedures AIRES
  Questionnaires
• NCUA Letter to Credit Unions 04-CU-12, Phishing
  Guidance for Credit Union Members
• NCUA Letter to Credit Unions 05-CU-20, Phishing
  Guidance for Credit Unions and their Members
• NCUA Letter to Credit Unions 01-CU-09, Identity
  Theft and Pretext Calling
• NCUA Letter to Credit Unions 00-CU-02, Identity
  Theft Prevention