Identity Theft

About This Presentation

Title:

Identity Theft

Description:

Telephone Scams. Dumpster Diving. Theft of information. Hacking. Etc... Commercial email message must give recipient the ability to send a reply message ... – PowerPoint PPT presentation

Number of Views:294

Avg rating:3.0/5.0

Slides: 95

Provided by: chriskr

Category:

more less

Transcript and Presenter's Notes

Title: Identity Theft

1
Identity Theft the FACT Act

Jacci Grawburg
Vice President General Counsel
College Foundation, Inc.

2
Identity Theft

Identity Theft and Assumption Deterrence Act of
1998
Fair and Accurate Credit Transaction Act (FACT
Act)
www.consumer.gov/idtheft/

3
Identity Theft

Approximately 10 million Americans affected each
year
Internet related complaints accounted for 53 of
fraud and ID theft complaints
National and State trends
(www.consumer.gov/idtheft/pdf/clearinghouse_2004.
pdf)

4
Identity Theft

Phishing
Skimming
Telephone Scams
Dumpster Diving
Theft of information
Hacking
Etc

5
Identity Theft

23 States have enacted security breach and
security freeze legislation
(www.pirg.org/consumer/credit/statelaws.htm)
Federal bills introduced
Federal preemption?

6
FACT Act

FACT Act enacted on Dec. 4, 2003
Amends Fair Credit Reporting Act (FCRA)

7
FACT Act

Primary components of FACT Act
identity theft prevention
improve consumer access to credit reports
enhance accuracy of credit reports
federal preemption provisions

8
Identity Theft Prevention

Simplified requirements for consumers to report
identity theft and fraud
Initial fraud alert (good faith suspicion)
Extended fraud alert (ID theft report)
Active duty military alerts
Free annual credit reports
Disclosure of credit scores

9
Identity Theft Prevention

Initial Fraud Alert creditor must have
reasonable policies and procedures to form a
reasonable belief of consumers identity prior
to extending credit
Extended Fraud Alert -- creditor must contact
consumer prior to extending credit

10
Identity Theft Prevention

Creditor must provide loan application
and business transaction records resulting
from identity theft if
Request is in writing
Mailed to designated creditor address
Positive proof of identification
Copy of police report and ID theft affidavit (if
required)

11
Identity Theft Prevention

Notice of information block to creditor (data
furnisher)
Prevention of repollution of credit reports
Prohibition on sale or transfer of debt caused by
identity theft

12
Identity Theft Prevention

Record Disposal
FTC November 24, 2004 Regs published effective
June 1, 2005
Banking regulators December 24, 2004 published
regs effective
July 1, 2005

13
Identity Theft Prevention

Creditors must give notice to consumers upon
reporting negative information
Federal Reserve Board published model notice on
June 8, 2004

14
Future Regulations

Red Flag guidelines for financial institutions
to prevent ID theft
Accuracy and integrity guidelines
Ability of consumer to dispute information with
creditor (data furnisher)
Reconciling addresses

15
Federal Preemption

FACT Act preempts state laws related to
Fraud and military alerts (605A)
Information reporting blocks due to ID theft
(605B)
Prohibition against sale or transfer of debt
(615(f))
Repollution of credit reports (623(a)(6))
Sharing of affiliate information (624)
Disposal of records (628)

16
THANK YOU!Please be sure to complete your
conference evaluation forms after the conference!

Jacci Grawburg
Vice President General Counsel
College Foundation, Inc.

17
USA PATRIOT Act CAN-SPAM

Shelly Repp
General Counsel, NCHELP

18
Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and
Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
19
Section 326 Customer Identification Programs

The Secretary of the Treasury shall prescribe
regulations setting forth minimum standards for
financial institutions that shall apply in
opening an account

20
Section 326 Minimum Requirements

The regulations must, at minimum require
Verification of identity
Maintaining records used to verify identity
Consulting terrorist lists

21
Treasury Rule Published 5/9/03

Requires banks, savings associations, credit
unions, private banks and trust companies to
establish customer identification procedures.
Treasury said it intended to issue separate rules
for non-bank financial institutions. None have
been issued to date.

22
CIP Rule - Definitions

Applies to customers who open accounts
What is an account?
A formal banking relationship including a deposit
account and a credit account

23
CIP Rule - Definitions

Who is a customer?
A person who opens a new account
Existing customer exception
If no account is opened, the applicant is not a
customer
Accounts acquired by asset purchase are not new
accounts.

24
CIP Rule Basic Requirement

A financial institution must have a customer
identification program (CIP) appropriate for its
size and type of business. The procedures should
be risk-based.
What is the risk with student loans?
FAFSA processing verifications
School certifications
Directed disbursement procedures

25
CIP Rule Elements

Information to be obtained from customers prior
to time an account is opened
Name
Date of Birth
Street Address
TIN

26
CIP Rule Elements

The identity of the customer must be verified
after the account is opened, using either
documentary or non-documentary methods.
Information from third-party sources may be used
(FAFSA, credit bureaus)

27
CIP Rule Elements

The CIP must provide for keeping a record of all
information obtained.
For information retained from customersmust be
kept for five years after account closes.
Verification informationmust be retained for
five years after the record is made.

28
CIP Rule Elements

The CIP must include procedures for determining,
within a reasonable time after account is opened,
whether the customer is on any government list of
known or suspected terrorists
Customers must be provided notice that the
financial institution is requesting information
to verify identity

29
CIP Rule Contractors

A bank can contract with third parties to comply
with requirements, but remains liable for
compliance (unless the contractor is a regulated
financial institution subject to anti-money
laundering compliance requirements)

30
Section 352 Anti-Money Laundering (AML)
Programs

Amends the Bank Secrecy Act (BSA)
Requires each financial institution to establish
a money laundering program, including at a
minimum
Development of internal policies, procedures and
controls
An ongoing employee training program
An independent audit program to test the program
Authorizes the Secretary of Treasury to prescribe
minimum standards

31
What is Money Laundering?

Converting money gained from illegal activity
into money that appears legitimate so that its
illegal sources cannot be traced
How can this occur in our world?

32
AML Programs

What is a financial institution?
Statutory definition is extremely broad, and
includes entities already subject to Federal
regulation (e.g. banks), and also dealers in
precious metals and jewels, pawnbrokers, loan or
finance companies, travel agencies, car dealers,
real estate companies, investment bankers,
investment companies and others

33
AML Programs

Since 1987 depository institutions had been
required to have anti-money laundering programs
These programs contain the same requirements set
forth in the USA PATRIOT Act
Broker-dealers, money services businesses, mutual
funds and operators of credit card systems were
required to have AML programs under regulations
issued in 2002 pursuant to the USA PATRIOT Act

34
AML Programs - Policies

Objective is to comply with BSA and prevent use
of the financial institution for money
laundering
Must assess BSA requirements and risks
applicable to it
Design procedures to meet risks
Program must be in writing and approved by the
Board of Directors

35
AML Programs - Officer

Individual or committee
Knowledgeable about BSA and money laundering
Authorized to enforce requirements throughout the
financial institution
Full or part time

36
AML Programs - Training

Relevant to functions
Include employees and service providers
General awareness of money laundering and
job-specific requirements

37
AML Programs - Testing

Either employee or third party
Independent not involved in operation or
management program
Knowledgeable about BSA requirements
Submit assessment or report

38
Controlling the Assault of Non-Solicited P
ornography and Marketing Act of 2003
CAN-SPAM

Thanks to Tom Levandowski, Wachovia Corporation
for materials and advice
39
CAN-SPAM

Need to understand CAN-SPAM if you plan to
communicate with your customers electronically -
- and/or want to generate new customers through
email advertisements.

40
CAN-SPAM

Congressional Findings
Electronic mail has become an extremely important
means of communication
The convenience and efficiency of electronic mail
are threatened by the rapid growth of unsolicited
commercial electronic mail
The receipt of a large number of unwanted
messages creates risk that wanted electronic mail
messages will be lost or overlooked

41
CAN-SPAM

Effective 1/1/04
General Scope Regulates, but doesnt ban,
SPAM.
Allows companies to send email ads to potential
customers, even where
the recipients have not given prior consent to
such ads, and
the sender does not have a preexisting or current
business relationship with the recipient.

42
CAN-SPAM

General Scope (cont.)
Senders of commercial email messages must
provide an opt-out tool for recipients
process opt-out requests
use truthful subject lines,
use legitimate return e-mail addresses,
include physical postal addresses in messages,
and
clearly label commercial e-mail as advertising.

43
CAN-SPAM

Covers Commercial electronic mail messages
Definition any electronic mail message
the primary purpose of which
is the commercial advertisement or promotion
of a commercial product or service (including
content on an Internet website operated for a
commercial purpose).

44
CAN-SPAM

What isnt a commercial electronic message?
Transactional or Relationship Messages An
electronic mail message the primary purpose of
which is--
to facilitate, complete, or confirm a commercial
transaction that the recipient has previously
agreed to enter into with the sender

45
CAN-SPAM

What isnt a commercial electronic message?
Transactional or Relationship Messages An
electronic mail message the primary purpose of
which is--
to provide with respect to a account or loan
notification concerning a change in terms or
features
at regular periodic intervals, account balance
information or other type of account statement

46
CAN-SPAM

What isnt a commercial electronic message?
Referencing Company/Website - Referencing a
commercial entity or a link to its website in an
email does not, by itself, cause such email to be
treated as a commercial email message if
the contents or circumstances of the message
indicate a primary purpose
other than commercial advertisement or promotion
of a commercial product/service.

47
CAN-SPAM

Must Offer Opt-out
Commercial email message must give recipient the
ability to send a reply message or other
Internet based communication that opts out of
future emails from the sender.
Email can also provide a list or menu from which
recipient chooses the specific types of
commercial email messages the recipient wants, or
does not want, to receive from the sender.
Recipients ability to make such an opt out
response must be good for at least 30 days after
the original message is sent

48
CAN-SPAM

Opt-outs must be honored
If an email ad recipient opts-out of receiving
future mailings, the sender must not
transmit email ads to that recipient after 10
days from the date of receipt of the opt out
request.
sell or otherwise transfer email addresses of
persons who have opted out of future mailings.
When a consumer opts out, ensure they receive no
more commercial emails advertising your company,
from any source.

49
CAN-SPAM

Prohibits certain fraudulent and misleading
practices
Aimed at stopping any and all attempts to conceal
the origins of email ads or the identities of
their senders.
Prohibits "harvesting" e-mail addresses (sending
emails to email addresses harvested from Internet
chat rooms, blogs and other sources without the
permission of the Web site or its members/users.)

50
CAN-SPAM

Prohibits certain fraudulent and misleading
practices
Prohibits
falsification of header information,
false registrations for email accounts or IP
addresses used in connection with email ads, and
retransmissions of email ads for the purpose of
concealing their origins.

51
CAN-SPAM

Must Identify Email as Ad
Unless a sender has obtained the recipients
affirmative consent, the sender must
identify its messages as advertisements or
solicitations, and
to do so by means that are clear and
conspicuous.
does not mandate how (compare with many state
laws that required an "ADV" label on unsolicited
commercial e-mail).
Email must also provide valid physical postal
address of the sender.

52
CAN-SPAM

Preempts tougher state anti-spam laws
Supersedes any state statute, regulation, or rule
that expressly regulates the use of electronic
mail to send commercial messages
except to the extent that any such statute,
regulation, or rule prohibits fraud or deception
in any portion of a commercial email message or
information attached thereto.

53
CAN-SPAM

Enforcement no private right to sue spammers
Commercial email recipients cannot sue senders
for CAN-SPAM violations.
Enforcement will be only by means of criminal and
civil actions brought by the FTC, the functional
federal regulator for banks, state law
enforcement authorities, and Internet Service
Providers.

54
CAN-SPAM

Enforcement Civil Actions
State enforcement authorities -
Injunction against further violations
Damages greater of actual loss or statutory fines
of up to 250 per message
No cap for actual loss if statutory fine
applies, capped at 2 million
Applicable damages (actual or statutory) may be
tripled in particularly egregious cases.

55
CAN-SPAM

Enforcement Criminal Actions
Violation of some provisions bring criminal
penalties.
fines, plus
jail sentences up to 5 years in some instances,
plus
confiscation of any real or personal property
purchased with spam earnings.

56
CAN-SPAM

Enforcement
Compliance tip You are responsible not only for
the legality of your own e-mail lists, but also
the legality any lists you rent or buy.
Senders can be held liable for using an email
list procured "with actual knowledge, or by
consciously avoiding knowing, that the list was
gathered in violation of the Act.
If you use third party lists, ensure that names
on the list were gathered in a manner allowed
under CAN-SPAM.

57
CAN-SPAM

Enforcement
Compliance tip (third party lists cont.)
Get written assurances from list-provider that
information on list was collected in accordance
with CAN-SPAM any other applicable laws,
all consumers on the list provided the level of
consent advertised by the list owner,
no consumer listed has opted out of receiving
e-mail

58
THANK YOU!Please be sure to complete your
conference evaluation forms after the conference!

Shelly Repp, General Counsel
NCHELP
(202) 822-2106
shelly_repp_at_nchelp.org

59
Laws and Regulations that Impact FFEL Outside of
HEA

Larry Laskey
Vice President, Counsel
Van Ru Credit Corporation

60
No matter where you go

Technology
Access to more, and more quickly
Promotes efficiencies
Increased concerns
Information privacy
leave me alone
Identity theft

61
there you are!

Unintended consequences
Limits on
Information access
Utilization of technology
Decreased effectiveness
Increased cost

62
Social Security Numbers

Social Security administration
IRS Taxpayer ID number
Other federal programs
State databases
Credit reporting agencies
Health care organizations

63
Social Security Numbers

Traditional protections
Privacy Act
Government/agents
Limits on use/disclosure
Notification of records
FDCPA
Debt collectors
Third party disclosure

64
Social Security Numbers

More recently
GLB disclosure/use limits
Safeguard Rules
FACT Act redaction
FTC Disposal rules
Breach notification

65
Social Security Numbers

States lead/limit ID theft
Use in mailed materials, unless
Required by law
Applications/forms
But not
post or accesscards
visible through envelope
Encoded/imbedded

66
Social Security Numbers

secure (or encrypted) Internet transmission
website access w/additional authentication
Conditioning receipt of services
Disclosure by phone or email

67
Social Security Numbers

Limiting availability in public records
State databases
Federal court files
Potential National effect?
conducting business
recipients

68
Social Security Numbers

Impacting reliance on SSN
to confirm ID
To obtain/maintain information
Federal (HEA) pre-emption?
State cant use, include or ask for laws
States control their databases
Decreases voluntary compliance

69
Social Security Numbers

Federal Proposals
Cannot display (non-government records) w/o
consent
Must redact electronic (government) records
(Potentially) must redact paper records

70
Social Security Numbers

Federal Proposals
On-line reference services cannot disclose w/o
consent
Cannot solicit it unless no alternative
Alternatives?
Different identifier?
Multiple identifiers

71
E-mail

The new key to communication
Low cost
Any time
Efficient
Effective
Anonymous?

72
E-mail

FDCPA issues
Third party disclosure
Adequacy of consent
Any e-mails to employers?
State law compliance
Communication content
Which state?

73
E-mail

Privacy concerns
Credit card truncation
SSN as identifier
Know your recipient?

74
E-mail

Increased expense
Secure/encrypt
Communicate the password
Confirm recipient ID
Payment systems

75
E-mail

Commercial Electronic Messages
Opt out notice/procedures
labeled as advertisement
truthful header/subject line
Valid return email/physical return address

76
E-mail

transactional or relationship message
FCC
absent a contrary ruling by the FTC, messages
that concern a debt owedfall under the exemption

77
E-mail

Primary purpose of dual purpose
commercial (not exempt) if
Subject line test
Content test
Reference collection/ mention repayment
alternatives?

78
Cell Phones

Increasing over landline usage
Subscribers in 1991 7.5 million
Subscribers in 2004 182 million
6 us households are cell only
Preferred means of communication

79
Cell Phones

FDCPA issues
Charges by concealing purpose
Call times

80
Cell Phones
Cell Phones

Privacy concerns (absent consent)
No dialer calls (all dialers?)
No recorded messages
Includes text messaging
Consent in loan documents?
Pre-screen all numbers?

81
Cell Phones

How do you pre-screen?
Reliability of prefix lists?
Landline to wireless porting
Proposal to exclude from 411w/o consent
Area codes not reliable indicator of local
time
Frequency/cost of updates

82
Automated Messaging

FDCPA (communication?)
Privacy issues prohibit (w/o consent)
To cell phones
To any other phone to solicit absent EBR
collection exempt, but
dual Purpose calls?
Compliance with other rules

83
Automated Messaging

Other rules require
Caller identification
Real return phone number
Five second line release

84
State Messaging Rules

States are not preempted
Many (not all) limited to soliciting
Others are unclear
Requirements can include
Notification to local Telecom
Permit/Registration/license
No ANI blocking

85
State Messaging Rules

Live operator initiation
Called party consent
Expanded no call rules
Maximum dialer drop rates
Practical prohibition?

86
Telemarketing Rules

Debt collection
Up-selling or dual purpose
Do not call list
Transmission of caller ID
Dialer Ring time
Call abandon
Nomessaging (absent EBR)

87
Existing Business Relationship?

Not an exception to prohibitions
Dialers/messaging to cell phones
Fax solicitation w/o consent
FCC Reconsideration
18 months after account closed
FACT Act affiliate sharing
while contracts are in force

88
Footnote 111
A debt collector that offers a debtor a means
of payment during a collection call would not be
making a telephone solicitation or unsolicited
advertisement.
89
So, Here We Are