Technology Supervision Branch Interagency Identity Theft Red Flags Regulation Bank Compliance Association of CT Bristol, CT September 3, 2008

Technology Supervision Branch

Interagency Identity Theft Red Flags Regulation

Bank Compliance Association of CT

Bristol, CT

September 3, 2008


Agenda

• Background

• Overview of regulation & guidelines

• Issues

• Exam procedures

• Questions


Background

• Regulation & guidelines implement sections 114 & 315 of FACT Act of 2003

• FACTA was enacted to help prevent ID theft, improve resolution of consumer disputes, and improve accuracy of consumer records.

• Joint final rule: 5 federal banking agencies & FTC

• Published in 11/9/07 Federal Register

• Effective 1/1/08, compliance by 11/1/08


Overview

• Regulation requires 3 things:

– Financial institutions and creditors must have a written ID theft prevention program

– Debit and credit card issuers must assess validity of change of address requests before issuing new cards

– Users of consumer reports must reasonably verify that the consumer report relates to the consumer about whom it has been requested, when user receives notice of address discrepancy


Overview

• Issuance has 3 parts:

– Regulation (covers all 3 provisions)

– Guidelines (red flags only)

– Supplement to guidelines (red flags only)

• Form is confusing, but required by statute


Red Flags Overview

• Program must be designed to detect, prevent, and mitigate identity theft in connection with “covered accounts”

• Appropriate to size & complexity of the FI and nature & scope of business

• Regulation does not require use of automated systems

• Board of Directors must approve initial program


Identification of Covered Accounts

• Identify covered accounts:

– All consumer transactional accounts covered

– Any other accounts that pose reasonably foreseeable risk of ID theft to customer or bank

• FI must decide whether to cover business accounts, based on:

– Methods for opening accounts

– Methods for accessing accounts

– Previous experiences with ID theft


Identification of Red Flags

• Identify relevant red flags from 3 sources:

– Incidents of ID theft experienced

– Methods of ID theft bank has identified that reflect changes in risks

– Supervisory guidance (Appendix + future publications)

• Red flags from 5 categories:

– Alerts, notices, warnings from CRAs or others

– Suspicious documents

– Suspicious identifying information

– Suspicious account activity

– Notice from customers, law enforcement, others


Detection of Red Flags

• Program must be able to detect red flags in connection with opening of any covered account or any existing covered account

• Guidelines provide 2 examples:

– By verifying identity of person opening a covered account, e.g., by using CIP rules

– By authenticating customers, monitoring transactions, and verifying change of address requests for existing accounts


Preventing & Mitigating ID Theft

• Guidelines list 9 possible responses:

– Monitor the account

– Contact the customer

– Change passwords or security codes

– Reopen account with new number

– Decline to open new account

– Close existing account

– Do not attempt to collect on account

– Notify law enforcement

– Determine that no response is warranted


Preventing & Mitigating ID Theft

• Guidelines provide that in determining response, banks should consider aggravating circumstances such as:

– Data security incident that results in unauthorized access to customer account records

– Notice that customer has provided information to a fraudster, i.e., as a result of phishing attack


Address Discrepancies

• A bank that uses consumer reports and receives a notice of address discrepancy from a CRA must form a reasonable belief that the report relates to the consumer about whom it has been requested

• If not, agencies expect that bank will not use the consumer report


Address Discrepancies

• Bank can verify identity by comparing information in consumer report with:

– Information bank uses to verify identity in accordance with CIP;

– Information in its own records; or

– Information obtained from 3rd party sources

• Bank can verify information with consumer directly


Address Discrepancies

• If bank regularly & in ordinary course of business furnishes information to CRA, then it must furnish confirmed address to CRA when:

– It forms reasonable belief that report relates to consumer, and

– It establishes a new relationship with that consumer
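The two address-discrepancy slides above (comparing the consumer report against CIP data, own records and third-party sources, then furnishing a confirmed address to the CRA) can be expressed as a small decision routine. The following is an added example written for this page; it is not FDIC code or part of the presentation. The address records are constructed, and the abbreviation table, the function names (`reasonable_belief`, `address_to_furnish`) and the normalisation rules are the example's own assumptions, not anything the regulation prescribes.

```python
"""Added example (not from the FDIC presentation): forming a "reasonable belief"
that a consumer report relates to the consumer after a CRA notice of address
discrepancy, and deciding whether a confirmed address must be furnished back.
All addresses here are constructed sample data.
"""
import re

# Assumed abbreviation table for comparing addresses; not from the regulation.
ABBREVIATIONS = {
    "street": "st", "avenue": "ave", "road": "rd", "lane": "ln",
    "apartment": "apt", "suite": "ste", "north": "n", "south": "s",
}


def normalize_address(addr):
    """Lower-case, drop punctuation and contract common street words so that
    '12 Elm Street, Apt. 4' and '12 ELM ST APT 4' compare equal."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)


def address_matches(a, b):
    return normalize_address(a) == normalize_address(b)


def reasonable_belief(report_address, cip_address=None,
                      own_record_addresses=(), third_party_addresses=()):
    """Return (belief_formed, basis).

    Sources are checked in the order the guidance lists them: the data the bank
    used for CIP verification, its own records, then third-party sources. If
    none matches, the report should not be used until the address has been
    verified with the consumer directly.
    """
    if cip_address and address_matches(report_address, cip_address):
        return True, "cip"
    for addr in own_record_addresses:
        if address_matches(report_address, addr):
            return True, "own_records"
    for addr in third_party_addresses:
        if address_matches(report_address, addr):
            return True, "third_party"
    return False, "verify_with_consumer"


def address_to_furnish(belief_formed, new_relationship, regularly_furnishes,
                       confirmed_address):
    """Return the confirmed address to send to the CRA, or None.

    The duty applies only to a bank that regularly furnishes information to
    CRAs, and only when it both formed the reasonable belief and established a
    new relationship with the consumer.
    """
    if regularly_furnishes and belief_formed and new_relationship:
        return confirmed_address
    return None


if __name__ == "__main__":
    # Constructed case: the CRA reports a different address than the application.
    report = "12 Elm Street, Apt. 4, Bristol, CT 06010"
    belief, basis = reasonable_belief(
        report,
        cip_address="8 Oak Ave, Hartford, CT 06103",
        own_record_addresses=["12 ELM ST APT 4 BRISTOL CT 06010"],
    )
    print(belief, basis)  # matched against the bank's own records
    print(address_to_furnish(belief, new_relationship=True,
                             regularly_furnishes=True, confirmed_address=report))
```

The normalisation is deliberately simple; a production program would use a postal-standardisation service, but the decision structure (ordered sources, then a hard stop that routes the file to direct consumer verification) is the part the guidance actually describes.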


Change of Address Requests

• Bank that issues credit or debit cards must assess the validity of change of address requests if, within a short time thereafter, it receives request for new or replacement card

• Request can be from consumer or USPS

• Applies to credit, debit and payroll cards

• Does not apply to gift cards or other prepaid cards


Change of Address Requests

• Bank can choose to verify address change either:

– When it receives request for new card; or

– When it receives notice of address change

• Many banks commented that it may be easier to simply verify all address changes when received


Change of Address Requests

• Regulation sets forth 2 methods:

– Notify cardholder at former address or by any other means previously agreed to, and

– Provide the cardholder a reasonable means to report incorrect address change

• Or:

– By any other reasonable means in accordance with policies established pursuant to red flags rule
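The three change-of-address slides describe one detection rule: a card request arriving shortly after an address change on the same account must be held until the change is assessed, using the "verify at card-request time" option and the first method (notify the cardholder at the former address). Below is an added example implementing that rule; it is not code from the FDIC or the presentation. The regulation does not define the "short time", so `WINDOW_DAYS` is an assumed value, and the event records, account addresses and function names (`card_requests_needing_verification`, `verification_notice`) are the example's own constructions.

```python
"""Added example (not from the FDIC presentation): correlate change-of-address
requests with new/replacement card requests on the same account, excluding
gift and other prepaid cards as the regulation does. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date

WINDOW_DAYS = 30  # assumption: the regulation says "short time" without a figure
COVERED_CARD_TYPES = {"credit", "debit", "payroll"}  # gift/prepaid are out of scope


@dataclass(frozen=True)
class Event:
    account_id: str
    kind: str            # "address_change" or "card_request"
    when: date
    source: str          # "consumer" or "usps" for address changes
    card_type: str = ""  # credit / debit / payroll / gift, for card requests only


@dataclass(frozen=True)
class Hold:
    account_id: str
    card_request: Event
    address_change: Event
    former_address: str  # where the verification notice is sent


# Constructed sample data: address on file before any change was requested.
FORMER_ADDRESS = {
    "acct-1001": "12 Elm St, Bristol, CT 06010",
    "acct-1002": "8 Oak Ave, Hartford, CT 06103",
    "acct-1003": "77 Pine Rd, Waterbury, CT 06702",
}

SAMPLE_EVENTS = [
    Event("acct-1001", "address_change", date(2008, 9, 1), "consumer"),
    Event("acct-1001", "card_request", date(2008, 9, 10), "consumer", "debit"),   # inside window
    Event("acct-1001", "card_request", date(2008, 9, 12), "consumer", "gift"),    # not a covered card
    Event("acct-1002", "address_change", date(2008, 5, 1), "usps"),
    Event("acct-1002", "card_request", date(2008, 9, 15), "consumer", "credit"),  # 137 days later
    Event("acct-1003", "card_request", date(2008, 9, 2), "consumer", "credit"),   # no prior change
]


def card_requests_needing_verification(events, window_days=WINDOW_DAYS):
    """Return a Hold for each covered card request that follows an address
    change on the same account within window_days. The check runs at
    card-request time, one of the two timing options the regulation allows."""
    by_account = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_account.setdefault(ev.account_id, []).append(ev)

    holds = []
    for account_id, evs in by_account.items():
        last_change = None
        for ev in evs:  # already in date order
            if ev.kind == "address_change":
                last_change = ev
            elif (ev.kind == "card_request"
                  and ev.card_type in COVERED_CARD_TYPES
                  and last_change is not None
                  and (ev.when - last_change.when).days <= window_days):
                holds.append(Hold(account_id, ev, last_change,
                                  FORMER_ADDRESS[account_id]))
    return holds


def verification_notice(hold):
    """Build the notice the regulation's first method calls for: tell the
    cardholder at the former address and give a way to report a bad change."""
    return {
        "send_to": hold.former_address,
        "account_id": hold.account_id,
        "text": (
            f"We received a change of address on {hold.address_change.when.isoformat()} "
            f"and a {hold.card_request.card_type} card request on "
            f"{hold.card_request.when.isoformat()}. If you did not request this change, "
            "call the number on your statement."
        ),
    }


if __name__ == "__main__":
    for hold in card_requests_needing_verification(SAMPLE_EVENTS):
        print(verification_notice(hold))
```

Whatever window a bank chooses, the rule is only as good as the event feed: USPS-originated changes and branch-entered changes must land in the same stream as online ones, or the correlation silently misses the cases the regulation is aimed at.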


Issues

• Interplay among 3 parts can be confusing

• Regulation straddles multiple disciplines, e.g., fraud prevention, risk management, IT security, compliance

• The structure of ID theft prevention programs will vary, but trade associations are working on help documents


Issues

• Program can be human based, computer based, or combination of both

• Is a business account a “covered account”?

• Some banks waiting for exam procedures to begin complying


Exam Procedures

• FDIC is still drafting exam procedures

• Expect that address changes and address discrepancies will be handled as part of compliance examination.

• Red Flag will be part of safety and soundness examination. The BSA and IT examiners will collaborate on the review.

• Do not expect a roadmap to compliance, but it is always helpful to see what questions examiners will be asking


Contact Information

James Avery, CISA

IT Examiner

FDIC

Email: [email protected]


Questions?