Red Flags Compliance - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Red Flags Compliance

Description:

... notice may not issue new cards within 30 days unless the address is validated. What is a Red Flag? ... For each red flag, identify appropriate detection and ... – PowerPoint PPT presentation

Number of Views:116
Avg rating:3.0/5.0
Slides: 21
Provided by: allan98
Category:
Tags: compliance | flags | red

less

Transcript and Presenter's Notes

Title: Red Flags Compliance


1
(No Transcript)
2
Are You Ready?
  • Identity fraud and identity management are
    quickly becoming critical operational concerns
    for the financial industry. The Red Flags
    Guidelines issued in October 2007 pursuant to the
    Fair and Accurate Credit Transactions Act
    requires implementation of an Identity Theft
    Prevention Program by November 1, 2008.

3
What is ID Theft
  • Identity Theft has the same meaning as under 16
    CFR 603.2(a)
  • A fraud committed or attempted using the
    identifying information of another person without
    authority.

4
Legislation covers three main areas
  • Address Discrepancies
  • Recipients of credit reports now must take action
    upon receipt of Address Discrepancy Indicators
    (ADI) with credit reports.
  • Red Flags
  • Red Flag Rules require development and
    implementation of a written Identity Theft
    Prevention Program to detect, prevent and
    mitigate identity theft.
  • Duty of Card Issuers
  • Card issuers that receive a change of address
    notice may not issue new cards within 30 days
    unless the address is validated.

5
Legislation covers three main areas
  • Address Discrepancies
  • Recipients of credit reports now must take action
    upon receipt of Address Discrepancy Indicators
    (ADI) with credit reports.
  • Red Flags
  • Red Flag Rules require development and
    implementation of a written Identity Theft
    Prevention Program to detect, prevent and
    mitigate identity theft.
  • Duty of Card Issuers
  • Card issuers that receive a change of address
    notice may not issue new cards within 30 days
    unless the address is validated.

6
What is a Red Flag?
  • A pattern, practice, or specific activity that
    indicates the possible existence of identity
    theft.
  • Affects both new and existing accounts.
  • Red Flag Categories
  • Alerts, notifications or warnings from a CRA
  • Suspicious documents
  • Suspicious personal identifying information
  • Unusual use of, or suspicious activity relating
    to, the covered account
  • Notices from customer, victims of ID theft, law
    enforcement authorities, or other persons
    regarding possible ID theft in connection with
    covered accounts held by the organization

7
Red Flag Requirements
  • Four basic elements of an Identity Theft
    Prevention Program (ITPP)
  • Identify
  • Detect
  • Respond
  • Update

8
Red Flag Requirements
  • Four basic elements of an Identity Theft
    Prevention Program (ITPP)
  • Identify
  • Detect
  • Respond
  • Update

9
To achieve compliance
  • Perform a risk assessment to identify all
    covered accounts
  • For each covered account, identify relevant red
    flags that may indicate possible identity theft
  • For each red flag, identify appropriate
    detection and response procedures to detect and
    prevent possible identity theft
  • Develop a written identity theft prevention
    program
  • Obtain board of directors approval of the
    program
  • Provide training to appropriate staff
  • Monitor changes in identity theft and update
    program periodically
  • Oversee service provider arrangements
  • Review the program at least annually

10
Five Common Mistakes and Pitfalls
  • Approach compliance like any other Rule
  • Simply update existing Information Security
    Program
  • Consider all accounts as covered, include all 26
    Red Flags
  • Ignore service providers, business partners.
  • Forget to implement periodic Program update
    process

11
Five Common Mistakes and Pitfalls
  • Approach compliance like any other Rule
  • Simply update existing Information Security
    Program
  • Consider all accounts as covered, include all 26
    Red Flags
  • Ignore service providers, business partners.
  • Forget to implement periodic Program update
    process

12
What are the consequences?
  • Non-compliance penalties can include
  • Civil Money Penalty for Each Violation
  • Cease and Desist Order
  • Lowering of Examination Rating
  • Negative Publicity, Loss of Business
  • Consumer Lawsuit

13
Alerts, Notifications or Warnings from a Consumer
Reporting Agency
  • Fraud or active duty alert
  • Credit freeze
  • Address discrepancy
  • Inconsistent activity pattern

14
Alerts, Notifications or Warnings from a Consumer
Reporting Agency
  • Fraud or active duty alert
  • Credit freeze
  • Address discrepancy
  • Inconsistent activity pattern

15
Suspicious Personal Identifying Information
  • Personal ID info inconsistent with external
    information
  • Personal ID info inconsistent with other ID info

16
Suspicious Personal Identifying Information,
continued
  • Personal ID info associated with known fraud
  • Personal ID info is type commonly associated with
    fraud
  • Duplicate SSN

17
Suspicious Personal Identifying Information,
continued
  • Duplicate address or telephone number
  • Incomplete required info
  • Personal ID info inconsistent with info on file
  • Inability to correctly authenticate via challenge
    questions

18
Red Flag Scope
  • Some rules are flexible
  • Creditors can tailor program to fit the
    size/complexity of operation
  • Creditors can incorporate existing policies and
    procedures
  • Creditors should consider all 26 exampleRed
    Flags across the five categories
  • Creditors should include the Red Flagsthat make
    sense in the context of their businesses
  • More fine print
  • Each financial institution is responsible for
    making subjective determination of applicability
    of regulations for their customers/accounts

19
Some Helpful Web Links
  • http//www.bankersonline.com/redflags/sr222appj_su
    ppa.html
  • http//www.bankersonline.com/regs/222/222-90.html
  • http//www.bankersonline.com/redflags/focus_sis_re
    dflagchecklist.html
  • http//www.fdic.gov/news/news/financial/2007/fil07
    100.html for FDIC FIL-100-2007 (Identity Theft
    Red Flags)
  • http//www.occ.treas.gov/ftp/bulletin/2007-45.html
    to view OCC Bulletin 2007-45 (Identity Theft Red
    Flags and Address Discrepancies)
  • http//www.ots.treas.gov/docs/7/777079.html to
    view OTS 07-079 (Agencies Issue Final Rules on
    Identity Theft Red Flags and Notices of Address
    Discrepancy)

20
Questions?
Write a Comment
User Comments (0)
About PowerShow.com