Are you red flag ready? (July 2008)
As the November deadline for ID theft regs approaches, here’s what you must do to be prepared.
By Jorge Rey, information security manager at Kaufman, Rossin & Co., a regional accounting and consulting firm based in Coconut Grove, Fla. He is a Certified Information Systems Auditor.
The Nov. 1 deadline for compliance with new ID theft rules is fast approaching. Read this to be sure you’re ready.
Last October, six federal agencies issued final rules imposing anti-identity-theft requirements on financial institutions, creditors, credit and debit card issuers, and users of consumer credit reports. The new “red flags” regulation enacts sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and calls for every financial institution or creditor to develop and implement a written “identity theft prevention program.” (See “Basics of the new rules,” p. 48.) The final rules became effective on Jan. 1, 2008, and full compliance is required by Nov. 1, 2008.
The identity theft prevention program is at the heart of the new rules. Each financial institution or creditor must establish a program that sets policies and procedures to identify which key indicators of possible identity theft are relevant; detects them when they occur; and responds appropriately when they are detected. As the environment changes, either through internal changes in the organization or the development of new techniques on the part of identity thieves, the program must be updated.
Though complying with these rules may be challenging to some affected organizations, like car dealers or retailers, the policies and procedures required won’t be new to most banks and savings institutions.
Obtaining and verifying identifying information about a person opening an account should be second nature to them, given such factors as the customer identification program requirements they must already fulfill in the Bank Secrecy Act/anti-money-laundering area. Authenticating customers, monitoring transactions, and verifying the validity of change of address requests for existing accounts should be business-as-usual.
What’s new in these rules is their specificity. The regulations include guidelines listing 26 patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft.
But the list is not intended to be comprehensive. Rather, in the words of the regulators, “when identifying red flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject.”
Each organization might do well to consider this guidance in developing internal controls, structuring a program that is specific to the business lines it is in, and that complies with the regulations, while maintaining a high level of vigilance (to see changes in the environment) and flexibility (to evaluate and adjust procedures to respond to those changes).
The indicators listed in the guidelines are classified into five categories:
1. Alerts, notifications or warnings from a consumer reporting agency. If a fraud or active duty alert is included with a consumer’s credit report, or a credit reporting agency provides a notice of credit freeze in response to a request for a consumer report, this is the most obvious type of red flag.
2. Suspicious documents. Do the documents provided for identification appear to have been altered or forged? Is information on the identification inconsistent with information provided by the person presenting it, whether an existing client or a new customer?
3. Suspicious personal identifying information. When compared against external information sources, is personal identifying information inconsistent? Some examples include cases where the address does not match any address in the credit report, the Social Security Number has not been issued, or the Social Security Number is listed on the Social Security Administration’s Death Master File. Another example would be failure to provide all the information required on an application, even when asked twice. If the phone number provided by an applicant is invalid, or is an answering service or a pager, this could raise suspicion.
5. Notice of possible identity theft. This notice can come from customers, victims, or law enforcement authorities, indicating that the financial institution has opened a fraudulent account.
For example, if a financial institution was aware that a data security incident had resulted in unauthorized access to a customer’s account records, seeing one of the key indicators would warrant stronger action. If a customer had provided information relating to his or her account to someone fraudulently claiming to represent the financial institution, or to a fraudulent website, this would be another aggravating factor. When determining the level of response required, risk factors might include the company’s previous experience with identity theft.
Program oversight and administration
In addition to establishing the identity theft prevention program, the regulations require credit issuers to provide for the program’s continued administration. The organization must:
• have the program approved by the board of directors or senior management;
• involve the board, an appropriate committee, or a designated member of senior management in program development, implementation and administration;
• train staff to implement the program effectively, and
• exercise effective oversight of service providers.
Oversight includes assigning specific responsibility for implementation, including approving material changes necessary to address changing identity theft risks, and reviewing reports prepared by staff regarding compliance. These reports should be presented at least once a year, and should address and evaluate issues such as the effectiveness of the policies and procedures; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the program.
Organizations should update the program (including the red flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the institution. These updates might be based on experiences with identity theft, changes in methods of identity theft, or changes in measures to detect, prevent, and mitigate identity theft. They could also be based on business changes, such as changes in the types of accounts offered, or other activities like mergers, acquisitions, alliances, joint ventures, or service provider arrangements.
Particular attention should be paid when an outside service provider is engaged. The institution should ensure the service provider maintains controls to detect, prevent, and mitigate ID theft.
Fighting the usual suspects
In addition to the implementation of a program, the new regulations specifically require organizations that extend credit to address two very common indicators of potential identity theft: replacement cards and address discrepancies.
• Requesting replacement cards is an extremely common identity theft technique. The new rules require credit and debit card issuers to establish and implement policies and procedures to manage requests to replace or issue a new card received after a change of address notification: they must verify address changes. In addition to following procedures documented in their identity theft program to assess the validity of an address change, they must attempt to contact the cardholder at the previous address and provide a means to report an erroneous address change.
• Address discrepancies are another important indicator. The new rules require that a user of credit reports, when notified by the credit reporting agency that an address discrepancy exists, must have reasonable policies and procedures to be sure that the credit report is truly related to the individual. If the user cannot obtain a “reasonable belief” that the consumer report relates to the consumer, they should not use the report.
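As an added example (not from the article or any regulator), the category 3 indicators listed above and the replacement-card rule expressed as checks in Python; the reference sets, sample applications and the 30-day review window are constructed assumptions standing in for the external sources and timing an institution would actually use.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-ins for the external sources the rule refers to
# (hypothetical data; a real program would query the SSA and bureau files).
ISSUED_SSN_AREAS = {"123", "234", "345"}          # assumed issued SSN area numbers
DEATH_MASTER_FILE = {"123-45-6789"}               # assumed Death Master File entry
ANSWERING_SERVICE_OR_PAGER = {"305-555-0100"}     # assumed pager/service numbers
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")    # "invalid" here means malformed

@dataclass
class Application:
    ssn: str
    address: str
    phone: str
    credit_report_addresses: set
    missing_after_second_request: list = field(default_factory=list)

def category3_flags(app):
    """Category 3: personal identifying information inconsistent with external sources."""
    flags = []
    if app.address not in app.credit_report_addresses:
        flags.append("address not on credit report")
    if app.ssn[:3] not in ISSUED_SSN_AREAS:
        flags.append("SSN not issued")
    if app.ssn in DEATH_MASTER_FILE:
        flags.append("SSN on Death Master File")
    if app.missing_after_second_request:
        flags.append("required information missing after second request")
    if not PHONE_RE.match(app.phone) or app.phone in ANSWERING_SERVICE_OR_PAGER:
        flags.append("phone invalid or answering service/pager")
    return flags

REVIEW_WINDOW = timedelta(days=30)  # assumed window; the article does not specify one

def replacement_card_action(change_of_address, card_request, verified_at_old_address):
    """Card-issuer rule: a replacement request soon after an address change is held
    until the cardholder has been contacted at the previous address."""
    if change_of_address is None or card_request - change_of_address > REVIEW_WINDOW:
        return "issue"
    if verified_at_old_address:
        return "issue (address change verified)"
    return "hold: contact cardholder at previous address"
```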
Ensuring red flag compliance
The new rules are very broad, in many cases overlapping with existing practices that financial institutions should already have in place, either in response to other regulatory actions or simply to protect themselves and their customers. Key to implementing these new requirements will be engaging the appropriate stakeholders. Compliance requires buy-in from the highest levels, as well as cooperation from legal and compliance functions, fraud specialists, and the information technology group.
Clearly regulators consider identity theft a critical issue: full compliance with these new regulations is required a mere 11 months after they were finalized. Non-compliance could result in civil penalties and regulatory fines. And although specific penalties are not yet clear, the risk of being held liable if an identity theft occurs should be more than enough to press most organizations into action.
Whether the bank determines to work this internally, with outside consultants, or a blend of the two approaches, a general plan for implementation will ensure readiness for Nov. 1. The following section outlines those steps that need urgent attention.
ASAP to-do list and timeframe
Designate senior management in charge of the Program and stakeholders, including information technology, compliance, legal and fraud professionals. Meet to introduce the project and its urgency and perform the following:
1. Conduct a risk assessment and identify covered accounts. Evaluate the role of service providers and other third parties.
2. Review procedures for opening and accessing covered accounts.
3. Create a consolidated short list of red flags to monitor and identify risk for new and existing covered accounts. Brainstorm ways to detect these flags within current procedures.
4. Identify any new procedures that need to be developed, where current procedures won’t detect incidents. Assign sub-teams to develop these procedures. Be sure to include IT experts in these sub-teams.
5. Draft the red flags identity theft program.
6. Obtain approval of the initial written program from either the board of directors or appropriate senior management.
July–August: Update affected business forms and documents. Beta test the new program.
September: Incorporate results from the beta test into the program and documents as necessary. Develop training materials.
October: Roll out the program in phases and train staff.
November 1: Activate the program, administer it, and comply.
The electronic version of this article is available at: http://lb.ec2.nxtbook.com/nxtbooks/sb/ababj0708/index.php?startid=46