• No results found

The FACT Act: An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies

N/A
N/A
Protected

Academic year: 2021

Share "The FACT Act: An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies"

Copied!
72
0
0

Loading.... (view fulltext now)

Full text

(1)

The FACT Act:

An Overview of the Final Rulemaking on Identity Theft Red Flags

and Address Discrepancies

A Web and Telephone Seminar

(2)

Tuesday, June 17, 2008 2:00 p.m. –– 3:30 p.m. EDT Wednesday, June 18, 2008 10:00 a.m. ––11:30 a.m. EDT

The FACT Act

(3)
(4)

Speaker Biographies

Welcome by John C. Dugan

Outline of Presentation

(5)
(6)
(7)
(8)
(9)
(10)
(11)

The FACT Act – An Overview

Identity Theft Red Flags and Address Discrepancies

(12)

WELCOME

John C. Dugan

(13)

Outline of Presentation

ƒ

Identity Theft Red Flag Rules

ƒ

Identity Theft Red Flag Guidelines

ƒ

Special Rule for Card Issuers

ƒ

Rule on Address Discrepancies

(14)

Statutory Provisions Implemented

ƒ FACT Act amended the Fair Credit Reporting Act (FCRA)

ƒ Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)

Rules: 72 Fed. Reg. 63718 (November 9, 2007)

(15)

Background

ƒ Joint rulemaking

ƒ Final rules published November 9, 2007

(16)
(17)
(18)

Identity Theft Red Flags

FACT Act Section 114

FCRA Section 615(e)

(19)

Identity Theft Red Flags

ƒ

Risk-based final rule

ƒ

Guidelines

ƒ

Supplement (26 examples of red flags)

(20)

Program Requirement

“Financial institutions” and “creditors” with covered accounts” must implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:

ƒ the opening of a covered account, or

(21)

Definitions

A “financial institution” is:

ƒ A state or national bank

ƒ A state or federal savings and loan association

ƒ A mutual savings bank

ƒ A state or federal credit union, or

(22)

Definitions (cont’d)

A “creditor” is:

ƒ Any person who regularly extends, renews, or continues credit

ƒ Any person who regularly arranges for the

extension, renewal, or continuation of credit, or

ƒ Any assignee of an original creditor who

(23)

Definitions (cont’d)

A “covered account” is:

ƒ A consumer account designed to permit multiple payments or transactions, or

(24)

Definitions (cont’d)

“Identity theft” is:

(25)

Elements of the Program

Must include policies and procedures to:

ƒ Identify relevant red flags and incorporate them into the Program

ƒ Detect red flags that are part of the Program

ƒ Respond appropriately to any red flags that are detected

(26)

Administration of the Program

ƒ Obtain approval of the initial Program by the board or a committee thereof

ƒ Ensure oversight of the Program

ƒ Train appropriate staff

(27)

Consideration of the Guidelines

Rules require:

ƒ Consideration of the Guidelines

(28)

Identity Theft

(29)

Overview of the Guidelines

I. Incorporate existing policies and procedures II. Identify relevant red flags

III. Procedures to detect red flags

IV. Appropriate responses to red flags V. Periodic updating of the Program VI. Administering the Program

(30)

I. Incorporate Existing Policies and Procedures

ƒ Existing anti-fraud program

ƒ Customer identification program (CIP)

(31)

II. Identify Relevant Red Flags

Risk factors for identifying relevant red flags are:

ƒ Types of covered accounts offered or maintained

ƒ Methods provided to open or access covered accounts

(32)

II. Identify Relevant Red Flags (cont’d)

Sources of red flags are:

ƒ Incidents of identity theft that have been experienced

ƒ Methods of identity theft reflecting changes in identity theft risks

(33)

II. Identify Relevant Red Flags (cont’d)

Five categories of red flags are:

ƒ Alerts, notifications, or other warnings received from consumer reporting agencies or service providers

ƒ Presentation of suspicious documents

ƒ Presentation of suspicious personal identifying information

ƒ Unusual use of, or other suspicious activity related to, a covered account

(34)

III. Procedures to Detect Red Flags

ƒ Verify identity

ƒ Authenticate customers

ƒ Monitor transactions

(35)

IV. Appropriate Responses to Red Flags

ƒ Monitor accounts

ƒ Contact customer

ƒ Change passwords

ƒ Close and reopen account

ƒ Refuse to open account

ƒ Don’t collect on or sell account

(36)

IV. Appropriate Responses to Red Flags (cont’d)

An appropriate response will consider aggravating factors that may heighten the risk of identity theft such as:

ƒ A data security breach

(37)

V. Periodic Updating of the Program

ƒ Experience with identity theft

ƒ Changes in methods of identity theft

ƒ Changes in methods to detect-prevent-mitigate identity theft

ƒ Changes in types of accounts offered

(38)

VI. Administering the Program

Oversight of the Program involves:

ƒ Assigning specific responsibility

ƒ Reviewing reports

(39)

VI. Administering the Program (cont’d)

Report Requirements:

ƒ Conducted annually

(40)

VI. Administering the Program (cont’d)

Evaluate issues such as:

ƒ Service provider arrangements

ƒ Effectiveness of the policies and procedures in addressing the risk of identity theft in connection with covered accounts

ƒ Significant incidents involving identity theft and management’s response

(41)

VI. Administering the Program (cont’d)

Oversight of service providers:

ƒ Ensure the service provider’s activities are

(42)

VII. Other Legal Requirements

ƒ Suspicious Activity Reports (SARs)

(43)

Examples of Red Flags

ƒ Warning from consumer

reporting agencies ƒ Suspicious documents ƒ Suspicious personal information >Inconsistent with external information

>Documents provided for identification appear to be

altered

>Fraud or active duty

(44)

Examples of Red Flags (cont’d)

ƒ Unusual use of account

ƒ Notice from customers >Customer notifies bank of unauthorized charges

>Account used in a manner that is not

(45)
(46)

Special Rule

For

(47)

Card Issuers’ Rule

A card issuer must have reasonable policies and procedures to assess the validity of:

ƒ A notice of a change of address for a

(48)

Card Issuers’ Rule (cont’d)

Card issuer may not issue an additional or replacement card without:

ƒ Notifying the cardholder of the request, and allowing the cardholder to report an incorrect address change, or

(49)

Card Issuers’ Rule (cont’d)

Notification procedures:

ƒ Notify the cardholder at the cardholder’s former address, or

ƒ By any other means of communication that the card issuer and the cardholder have

(50)

Card Issuers’ Rule (cont’d)

Form of notice to cardholder may be any written or electronic notice, provided it is:

ƒ Clear and conspicuous

(51)

Card Issuers’ Rule (cont’d)

Alternative timing of address validation:

A card issuer may validate an address when it

receives an address change notice, even before it receives a request for an additional or

(52)

Enforcement of Red Flags Rules

ƒ Administrative enforcement under 12 USC 1818

ƒ No private right of action

ƒ State Attorneys General

(53)
(54)

Rule on

Notices of

(55)

Notices of Address Discrepancy

(56)

Notices of Address Discrepancy

Duties of users of consumer reports that

receive a “notice of address discrepancy”

(57)

Notices of Address Discrepancy

An NCRA is a consumer reporting agency that

regularly engages in assembling or evaluating, and

maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:

ƒ Public record information

(58)

Notices of Address Discrepancy

“Notice of address discrepancy” notifies the user of a substantial difference between:

ƒ Address the user provided, and

(59)

Notices of Address Discrepancy

Regulatory Requirement:

The user must have reasonable policies and

(60)

Notices of Address Discrepancy

Establishing a reasonable belief –– Examples ƒ Compare information in the consumer report to

information the user:

ƒ Maintains in its records

ƒ Obtains from third-party sources

ƒ Obtained to comply with CIP rules

(61)

Notices of Address Discrepancy

Regulatory Requirement:

The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA, when the user:

ƒ Can form a reasonable belief that the report relates to the consumer

(62)

Notices of Address Discrepancy

Confirmation methods –– Examples

ƒ Verifying the address with the consumer

ƒ Reviewing user’s records

ƒ Verifying with third-party sources

(63)

Notices of Address Discrepancy

Timing:

(64)
(65)

Red Flags

(66)

Red Flags - Implementation Issues

ƒ Involve the board and senior management

ƒ Ensure all business lines are considered

ƒ Perform comprehensive risk assessment for covered accounts and red flags

ƒ Document policies, procedures and controls in the written Program

(67)

Red Flags - Implementation Issues

ƒ Explore technology applications

ƒ Review service provider arrangements

ƒ Ensure adequate training of personnel

ƒ Validate the written Program and obtain board approval prior to November 1, 2008

ƒ Complete reporting requirements annually

(68)

Questions and Answers

Push *1 on your telephone key pad to comment or ask your question

OR

Send your comment/question by clicking on the “question icon” in the lower right corner of your screen. Type your question or comment in the window that appears, and click “send.”

(69)
(70)

Save this Date – September 10, 2008

A Web and Telephone Seminar

Low-Income Housing Tax Credit Funds: Investment Opportunities for Community Banks

Wednesday, September 10, 2008 2:00 p.m. –– 3:30 EDT

(71)

Evaluation Form

ƒ

Please complete the evaluation form online,

OR

(72)

insert this end first when faxing

What topics would you like OCC to address during the next 12 months? If yes, please feel free to provide specific recommendations.

Office of the Comptroller of the Currency

21+ 16-20 11-15 6-10 5 4 3 2 1 No Yes

10. Would you like a follow-up web and telephone seminar on the new

exam procedures, exam findings and best practices?... 9. How many people listened at your site?

8. Would you participate in another virtual seminar? ...

NO YES 7. Paul Utterback ... 6. Andra Shuster ... 5. Deborah Katz... 4. Ann Jaedicke ...

Presenter: Overall Effectiveness

3. Audio quality of seminar ... 2. Similarity of actual program content to advertised content ... 1. Overall rating ...

4 3 2 1

If you prefer to submit your evaluation online, please go to: http://eval.krm.com/eval.asp?id=14106

June 17, 2008

The FACT Act:

An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies

References

Related documents

The Identity Theft Prevention Program is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered

If this initial risk assessment leads a financial institution or creditor to determine that it does not need to implement a Program, those financial institutions and creditors

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered

To establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a City of Morehead

The purpose of this policy is to establish an Identity Theft Prevention Program under the Red Flag Rules designed to detect, prevent and mitigate identity theft in connection with

The purpose of the program is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered

The purpose of this policy is to establish an Identity Theft Prevention Program designed to detect, prevent and mitigate identity theft in connection with the opening of a new