Technology Supervision Branch
Interagency Identity Theft Red Flags Regulation
Bank Compliance Association of CT, Bristol, CT
September 3, 2008
Agenda
• Background
• Overview of regulation & guidelines
• Issues
• Exam procedures
• Questions
Background
• Regulation & guidelines implement sections 114 & 315 of FACT Act of 2003
• FACTA was enacted to help prevent ID theft, improve resolution of consumer disputes, and improve accuracy of consumer records.
• Joint final rule: 5 federal banking agencies & FTC
• Published in 11/9/07 Federal Register
• Effective 1/1/08, compliance by 11/1/08
Overview
• Regulation requires 3 things:
– Financial institutions and creditors must have a written ID theft prevention program
– Debit and credit card issuers must assess validity of change of address requests before issuing new cards
– Users of consumer reports must reasonably verify that the consumer report relates to the consumer about whom it was requested, when the user receives notice of an address discrepancy
Overview
• Issuance has 3 parts:
– Regulation (covers all 3 provisions)
– Guidelines (red flags only)
– Supplement to guidelines (red flags only)
• Form is confusing, but required by statute
Red Flags Overview
• Program must be designed to detect, prevent, and mitigate identity theft in connection with “covered accounts”
• Appropriate to size & complexity of the FI and nature & scope of business
• Regulation does not require use of automated systems
• Board of Directors must approve initial program
Identification of Covered Accounts
• Identify covered accounts:
– All consumer transactional accounts covered
– Any other accounts that pose reasonably foreseeable risk of ID theft to customer or bank
• FI must decide whether to cover business accounts, based on:
– Methods for opening accounts
– Methods for accessing accounts
– Previous experiences with ID theft
Identification of Red Flags
• Identify relevant red flags from 3 sources:
– Incidents of ID theft experienced
– Methods of ID theft bank has identified that reflect changes in risks
– Supervisory guidance (Appendix + future publications)
• Red flags from 5 categories:
– Alerts, notices, warnings from CRAs or others
– Suspicious documents
– Suspicious identifying information
– Suspicious account activity
– Notice from customers, law enforcement, others
Detection of Red Flags
• Program must be able to detect red flags in connection with opening of any covered account or any existing covered account
• Guidelines provide 2 examples:
– By verifying identity of person opening a covered account, e.g., by using CIP rules
– By authenticating customers, monitoring transactions, and verifying change of address requests for existing accounts
Preventing & Mitigating ID Theft
• Guidelines list 9 possible responses:
– Monitor the account
– Contact the customer
– Change passwords or security codes
– Reopen account with new number
– Decline to open new account
– Close existing account
– Do not attempt to collect on account
– Notify law enforcement
– Determine that no response is warranted
Preventing & Mitigating ID Theft
• Guidelines provide that in determining response, banks should consider aggravating circumstances such as:
– Data security incident that results in unauthorized access to customer account records
– Notice that customer has provided information to a fraudster, e.g., as a result of a phishing attack
Address Discrepancies
• A bank that uses consumer reports and receives a notice of address discrepancy from a CRA must form a reasonable belief that the report relates to the consumer about whom it was requested
• If it cannot, agencies expect that the bank will not use the consumer report
Address Discrepancies
• Bank can verify identity by comparing information in consumer report with:
– Information bank uses to verify identity in accordance with CIP;
– Information in its own records; or
– Information obtained from 3rd party sources
• Bank can verify information with consumer directly
Address Discrepancies
• If bank regularly & in ordinary course of business furnishes information to CRA, then it must furnish confirmed address to CRA when:
– It forms reasonable belief that report relates to consumer, and
– It establishes a new relationship with that consumer
Change of Address Requests
• Bank that issues credit or debit cards must assess the validity of change of address requests if, within a short time thereafter, it receives request for new or replacement card
• Request can be from consumer or USPS
• Applies to credit, debit and payroll cards
• Does not apply to gift cards or other prepaid cards
Change of Address Requests
• Bank can choose to verify address change either:
– When it receives request for new card; or
– When it receives notice of address change
• Many banks commented that it may be easier to simply verify all address changes when received
Change of Address Requests
• Regulation sets forth 2 methods:
– Notify cardholder at former address or by any other means previously agreed to, and
– Provide the cardholder a reasonable means to report incorrect address change
• Or:
– By any other reasonable means in accordance with policies established pursuant to red flags rule
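The change-of-address rule above is a temporal correlation: an address change followed "within a short time" by a request for a new or replacement card must be validated before the card is issued, unless the bank already validated the address change when it was received. The script below is an added example, not part of the presentation and not FDIC or any bank's code, that runs that correlation over a constructed account-event stream. The 30-day window, the event kinds and the sample events are assumptions chosen for illustration; the regulation leaves the window length to the bank's program.

```python
"""Added example: flag card requests that follow an unverified address change.

Assumptions (not from the regulation): a 30-day window stands in for
"within a short time", and an account's events are modelled as three
kinds: address_change, address_verified, card_request.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SHORT_TIME = timedelta(days=30)  # assumed policy value, not a regulatory number

# The rule covers credit, debit and payroll cards; gift and other
# prepaid cards are out of scope.
COVERED_CARD_TYPES = {"credit", "debit", "payroll"}


@dataclass(frozen=True)
class Event:
    account: str
    kind: str            # "address_change" | "address_verified" | "card_request"
    when: datetime
    source: str = ""     # "consumer" or "usps" for address changes
    card_type: str = ""  # for card_request events


def requests_needing_validation(events, window=SHORT_TIME):
    """Return covered-card requests that arrive within `window` of an
    address change the bank has not yet verified.

    If the bank verifies every address change when received (the option
    many commenters preferred), an address_verified event clears the
    pending change and later card requests are not flagged.
    """
    pending = {}  # account -> time of the latest unverified address change
    flagged = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "address_change":
            pending[ev.account] = ev.when
        elif ev.kind == "address_verified":
            pending.pop(ev.account, None)
        elif ev.kind == "card_request":
            if ev.card_type not in COVERED_CARD_TYPES:
                continue  # gift/prepaid cards are not covered by this provision
            changed = pending.get(ev.account)
            if changed is not None and ev.when - changed <= window:
                flagged.append(ev)
    return flagged


def validation_steps(ev, former_address, agreed_channel=None):
    """Describe the two-step method the regulation spells out for a
    flagged request: notify the cardholder at the former address (or by a
    previously agreed means) and give them a way to report an incorrect
    address change. The returned dict is an illustration of the steps,
    not a mandated record format.
    """
    return {
        "account": ev.account,
        "notify_via": agreed_channel or f"mail to former address: {former_address}",
        "provide": "a reasonable means to report an incorrect address change",
        "hold_card_until": "address change validated",
    }


# Constructed sample events (not real accounts).
D = datetime
SAMPLE_EVENTS = [
    # A: USPS-sourced change, card request nine days later, nothing verified -> flag
    Event("A", "address_change", D(2008, 1, 1), source="usps"),
    Event("A", "card_request", D(2008, 1, 10), card_type="debit"),
    # B: bank verified the change on receipt -> no flag
    Event("B", "address_change", D(2008, 1, 1), source="consumer"),
    Event("B", "address_verified", D(2008, 1, 2)),
    Event("B", "card_request", D(2008, 1, 10), card_type="credit"),
    # C: request well outside the window -> no flag
    Event("C", "address_change", D(2008, 1, 1), source="consumer"),
    Event("C", "card_request", D(2008, 3, 15), card_type="payroll"),
    # D: gift card request is out of scope -> no flag
    Event("D", "address_change", D(2008, 1, 1), source="consumer"),
    Event("D", "card_request", D(2008, 1, 3), card_type="gift"),
]


def flagged_sample_accounts():
    """Accounts in SAMPLE_EVENTS whose card request needs validation."""
    return [ev.account for ev in requests_needing_validation(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for ev in requests_needing_validation(SAMPLE_EVENTS):
        print(validation_steps(ev, former_address="12 Old St, Bristol, CT"))
```

Because the check keys off the latest unverified change per account, a second address change inside the window restarts the clock, and a verification recorded against the earlier change does not clear the later one.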
Issues
• Interplay among 3 parts can be confusing
• Regulation straddles multiple disciplines, e.g., fraud prevention, risk management, IT security, compliance
• The structure of ID theft prevention programs will vary; but trade associations working on help documents
Issues
• Program can be human based, computer based, or combination of both
• Is a business account a “covered account”?
• Some banks waiting for exam procedures to begin complying
Exam Procedures
• FDIC is still drafting exam procedures
• Expect that address changes and address discrepancies will be handled as part of the compliance examination
• Red Flags will be part of the safety and soundness examination. The BSA and IT examiners will collaborate on the review.
• Do not expect a roadmap to compliance; but it is always helpful to see what questions examiners will be asking
Contact Information
James Avery, CISA, IT Examiner
FDIC
Email: [email protected]