ID
Theft
Red
Flags
Update
Stacy Shelley– Product Marketing
Audio dial-in number:
1-866-516-5393
International:
1-617-213-4221
Passcode:
Before we get started…
1. Archive of this webcast: available at www.secureworks.com within 48 hours 2. Q&A: Submit your questions your questions at any time using the GoToWebinar GoToWebinar interface
Agenda
• ID Theft Red Flags background • Impact on banks
• What's being done? • Q&AQ
ID Theft Red Flags Rule
Timeline
FACTA signed into law 12/3/2003
Compliance deadline 11/1/2008
Red Flags rule Proposed 7/18/2006
Final rule issued 11/8/2007
2003 2004 2005 2006 2007 2008
law 12/3/2003 Proposed 7/18/2006 11/8/2007
FACTA goes into effect 12/1/2004
Comment period closed 9/18/2006
Final rule go into effect 1/1/2008
Why Red Flags? Regulation Evolution
stication ack Sophi s Att a Attack Frequency Attack FrequencyWhy Red Flags? Regulation Evolution
Maximum Protection sticationRISK
ack Sophi s Regulations Att a Attack Frequency Attack FrequencyID Theft Red Flags Background
Overview
• Jointly proposed: OCC, FRB, FDIC, OTS, NCUA, and FTC • Regulations located at Section 114 and 315 of Fair and
Accurate Credit Transactions Act of 2003 (FACT Act) • “…Guidelines for financial institutions and creditors
identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft.”
• “…Provide guidance regarding reasonable policies and g g g p
procedures that a user of consumer reports must employ when such a user receives a notice of address discrepancy from a consumer reporting agency.”
ID Theft Red Flags Background
Who does it apply to? • Covered
"any person or business who arranges for the extension, renewal, or continuation of credit" credit • Specifically Named Fi i l I tit ti Financial Institutions Utility Companies Car Dealers T l i ti C i Telecommunications Companies Health Care Companies
Debt Collectors • Exempted
ID Theft Red Flags
ID Theft Prevention Program
Staff Fraud Staff Training Fraud Mgmt Verify Identities
ID Theft
Prevention
Detect Red Flags Mitigate ID TheftProgram
Assess Board Oversight Vendor Oversight Assess Red FlagsID Theft Red Flags
Example Red Flags: Supplement A to Appendix A
From a Consumer
Reporting Agency SuspiciousDocuments Suspicious PII Suspicious Account Activity Notice from Persons Involved
Fraud or active duty alert ID alteration / forgery Inconsistent with
external info Request for new card or users after change of Notification of identity theft by customer victim external info users after change of
address notice
theft by customer, victim of ID theft, law
enforcement or others Credit freeze Inconsistent photo PII not consistent with
other PII New revolving credit account used in manner common to fraud Address discrepancy Inconsistent ID info PII is associated with Account activity that is Address discrepancy Inconsistent ID info PII is associated with
known fraud Account activity that is inconsistent with established patterns Unusual applicant activity ID info inconsistent with
info on file PII type is commonly associated with fraud Account activity after lengthy period of no use Application alteration /
f
SSN is the same as other Mail returned as d li bl l h h forgery customers undeliverable although
transactions continue Same address or phone
number submitted for unusually large number of others
Customer no longer receives paper account statements
Applicant fails to provide
all required PII Notification of unauthorized account changes
PII provided not
consistent with PII on file Incorrect answers to Incorrect answers to challenge questions
ID Theft Red Flags
Estimated Work Hours to Become Compliant • Developing program: 25
• Preparing annual report: 4 • Training: 2
• Developing policies and procedures to assess validity of changes of address: 4
• Developing policies and procedures to respond to notices of address discrepancy: 4
• Key assumptions:
“…Most of the covered entities already employ a variety of measures to detect and address identity theft…to minimize y losses due to fraud”
“…Many financial institutions and creditors already have
implemented some of the requirements as a result of having
t l ith th i ti l ti d id ”
ID Theft Red Flags
Enforcement
• For financial institutions already under FFIEC: FDIC, OTS, OCC, FRB, NCUA
ID Theft Red Flags
Enforcement
• Will be incorporated into existing examinations
Reports of FDIC Exam procedures being released soon • Same approach as new regulations in the past?
Based on realistic expectations and continous improvement More specific requirements and exam procedures as agencies
ID Theft Red Flags
What banks are doing
Gap
Analysis E t d i ti •Review Red Flag
requirements •Map to customer
channels •Compare requirements to current state •Identify gaps
Analysis •Extend existing capabilities? •Buy/build new technology? •Modify/Add Policies and Procedures? Implement Controls Identify
ID Theft Red Flags
What banks are doing
Gap
Analysis E t d i ti •Review Red Flag
requirements •Map to customer
channels •Compare requirements to current state •Identify gaps
Analysis •Extend existing capabilities? •Buy/build new technology? •Modify/Add Policies and Procedures? Implement Controls Identify
ID Theft Red Flags
With less than 4 months to go…
• Over half believe they will be compliant by Nov. 1 60% according to Gartner (May 2008)
53% di t B ki f it (J l 2007)
ID Theft Red Flags
ID Theft Red Flags
Commercial Products
• Many vendors have stepped forward with "Red Flags" products W lt Kl Wolters Kluwer Compliance Coach Zoot Enterprises Ad itO S it AdmitOne Security
• Many developed for anti-fraud, not specifically red flags
• Still can be viable point solutions for pain pointsStill can be viable point solutions for pain points
Lots of organizations spending money on technology for Red Flags
Best Practices
With 4 months before the deadline… • Don't panic
Still time to get it right
• Leverage existing efforts where possible Anti-fraud, employee training, etc.
Best Practices
Continued
• Ask your examiner for advice Be proactive
• Pay attention to agency updates Exam procedures
• Use Red Flags Rule as an opportunity to improve • Remember that it's an ongoing process