Copyright 2007, Integrated Compliance Solutions, LLC

FACT Act Red Flags

Bank Compliance Association of Connecticut

September 3, 2008

Agenda

Conducting a Risk Assessment for ID Theft Red Flags (Michele)
Developing an ID Theft Prevention Program (John)
Break
Auditing for Compliance (Steve)
Roundtable Questions and Answers
Lunch
Regulatory Expectations (FDIC)
Questions and Answers

In A Perfect World . . .

TIMELINE:
1/08: Read regulation
2/08: Assign responsibility
3/08: Attend a Webinar; update the Board
4/08: Do the Risk Assessment
5/08: Modify Procedures
6/08: Draft Program (Policy)
7/08: Go on vacation
8/08: Finalize Procedures and Program
9/08: Board training
10/08: Staff training; Board approval
11/1/08: Go live!


In the Real World . . .


. . . here is how it goes sometimes . . .

TIMELINE:
1/08:
2/08:
3/08: Attend a Webinar
4/08: System problem
5/08: New product roll out
6/08: Read a white paper
7/08: Do the Risk Assessment
8/08: Assign responsibility
9/08: Modify procedures; Draft the Program
10/08: Board training, Board approval, staff training
11/1/08: Go live!!


ID Theft Provisions

Existing FCRA Requirements:

• Correct or update inaccurate or incomplete information, and do not report information which is known to be inaccurate
• Do not sell, transfer, or place for collection a debt that has been identified as resulting from identity theft
• A credit reporting agency must "block" information as it relates to any alleged identity theft
• Handle fraud alerts and active duty alerts
• Process notifications of claims of identity theft
• Circumstances under which credit may not be extended when a fraud or active duty alert is detected: a lender may not extend credit to an individual whose file carries an identity theft alert unless the lender correctly identifies the consumer
• ECOA prohibits discrimination against any person for exercising rights under the Federal Consumer Credit Protection Act (this includes FCRA). Avoid this fair lending violation.

Existing Connecticut Law: identity theft is a crime (Section 53a-129)

So what's new?


2008 FACT Act Changes


Definitions

Identity Theft - a fraud committed or attempted using the identifying information of another person without authority.

Red Flag - a pattern, practice, or specific activity that indicates the possible risk of identity theft. This definition is expansive enough to include activities which, in a given circumstance, constitute such a possible precursor to identity theft as to pose a risk of identity theft to the Institution and its customers.


The Red Flags

Refer to the job aid in the handouts for a list of the 26 red flags.

Provide job aid to all employees for easy reference when they are detecting red flags and completing the Red Flag Detection Report form (refer to sample in handout).


Risk Assessment

The Program must be developed using a risk-based approach to the threat of identity theft

Written Procedures should be designed to focus the Institution’s resources on those potential incidents of identity theft that present the greatest risk to the Institution.


Risk Assessment Methodology

1. Identify the "covered accounts":

a. All consumer accounts
b. Business accounts if sole proprietor
c. Any other accounts (such as all business/commercial accounts)

• Document your process!! (Collect product descriptions, brochures, rate sheets, or system product listings to support your conclusions.)


2. Evaluate the methods to open and to access each “covered account” and risk rate by account type:

• Highest Risk: consumer accounts, open-end accounts, and accounts opened over the internet

• Lowest Risk: commercial, closed-end, and accounts opened face-to-face


3. Perform a risk analysis based on the Institution’s characteristics to identify the “institution risk” level.

• Characteristics include: size, location, demographics of communities served, stability of work force, and previous experience with identity theft.


4. Risk rate each account type to develop an overall inherent “account type” risk level.

• This takes into account the previously mentioned methods to open, methods to access, and the Institution’s risk levels.


5. Determine “model controls” that would be necessary to mitigate the risk posed by each Red Flag.


6. Each account type must then be analyzed in relation to the actual controls existing within the Institution to determine weaknesses.

• Examples of "model controls": does the Institution have any of the following controls in place addressing each Red Flag?

• Policies
• Written procedures
• Reports to Board or Compliance Committee
• Automation
• Monitoring
• Auditing
• Training


7. The resulting residual risk per account type within each Red Flag is then calculated, taking into account the controls that are or are not in place.

So what? What is the next step?


8. An aggregate residual risk for each Red Flag is determined by totaling the residual risk score by account type. Then, an overall risk rating for the Institution is calculated.


The result of the Risk Assessment process is that the Institution knows its:

• “covered accounts”

• “account type” risks by Red Flag

• “institution risk” level

• “Red Flag” risks and the controls that need to be put into place by account and by Red Flag in order to “detect, prevent, and mitigate” the risk of identity theft, as required by the FACT Act.


Risk Assessment as a Procedural Tool

The Institution is also responsible for keeping abreast of any regulatory publications identifying any new Red Flags and for updating the Risk Assessment when a new Flag is identified by the regulators or the Institution.

The Risk Assessment should be updated at least annually (good idea to do continually when new products or services are developed or other factors change).


When Red Flags are detected, staff should complete a Red Flags Detection Report form and forward to the senior official overseeing the program, or designee, particularly if the Flag cannot be resolved. (See sample in handouts.)

This will enable the official to maintain a record, such as on a log, and evaluate the effectiveness of the Program and whether new Red Flags have presented themselves.

The official will then be able to provide effective reports to the Board indicating whether the Risk Assessment should be updated.


In many instances, the Institution will be able to resolve discrepancies or otherwise determine that risk of identity theft does not exist, even though the Red Flag presented itself.

For example, an address discrepancy notice on a credit report is usually resolved by following the CIP (Customer Identification Program) and other procedures. Complete the Detection Report form, indicate "does not constitute a risk of identity theft," and explain why.

This proves that the Institution detected the Red Flag and followed its Identity Theft Prevention Program, including CIP.


Red Flag is Detected; Incidents

If a Red Flag is detected or when incidents occur, appropriate Responses include:

• Monitor an account for evidence of identity theft;
• Contact the customer;
• Change any passwords, security codes, or other security devices that permit access to a customer's account;
• Reopen an account with a new account number;
• Not open a new account;
• Close an existing account;
• Not attempt to collect on a covered account, or not sell a covered account to a debt collector;
• Notify law enforcement and file a Suspicious Activity Report in accordance with applicable law and regulation;
• Determine that no response is warranted under the particular circumstances.

Update the Risk Assessment if a new Flag is identified.


FCRA Liability for Institutions

Administrative
• Cease and Desist Orders
• Other procedural actions

Civil Liability
• Willful violations, including "users" of credit: actual and punitive damages; costs and reasonable attorney's fees
• Negligent violations: actual damages; costs and reasonable attorney's fees

Criminal Liability
• Criminal fines
• Imprisonment

Contact Information

Michele A. Johnson, CRCM
Assistant Director

Integrated Compliance Solutions

[email protected]

203-526-1589
