FACT Act Training for Staff Identity Theft “Red Flags”
-
Upload
ladonna-amaya -
Category
Documents
-
view
63 -
download
1
description
Transcript of FACT Act Training for Staff Identity Theft “Red Flags”
FACT Act Training for StaffIdentity Theft “Red Flags”
WHAT IS IDENTITY THEFT?
Under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Identity Theft means:
“A fraud committed or attempted using the identifying information of another person without authority”
Identity Theft Statistics
One study found that ID theft cost US businesses and consumers $56.6 billion in 2005
Dept. of Justice reports that ID theft is now passing up drug trafficking as the number one crime in the nation
In 2006, 15 million people were victims of identity theft
Identity Theft Statistics
ITRC* found in 2007 that 78% of respondents reported financial identity theft crimes
Check fraud and debit card fraud are increasing (based on 2007 study)
50% of respondents said that personal info had been used to open a new line of credit
*Identity Theft Resource Center
How at risk are you? Yes or No? I receive several offers of pre-approved credit every week. I do not shred credit card offers before placing them in the trash. I carry my Social Security card in my wallet. I do not use “Verified by VISA” on my VISA debit and credit
cards. I do not have a PO Box or locked secured mailbox. I use an unlocked, open box at work or at my home to drop off
my outgoing mail. I have not copied every item in my wallet front and back. I do not have information and instructions if I become a victim of
identity theft. I provide my SSN whenever asked, without asking questions as
to how that information will be safeguarded.
Yes or No?
I provide personal information orally without checking to see who might be listening.
I am required to use my SSN at work as an employee ID or at college as a student ID number.
I write checks to pay all my bills and/or as a method of payment at retail stores.
I have my SSN and/or driver’s license number printed on my personal checks.
I do not use a “cross cut” shredder to shred any sensitive documents or information at home.
My pin numbers are the last 4 digits of my house number, phone number, birth date, or Social Security number.
I have not ordered a copy of my credit report for at least 2 years. I do not believe that people would root around in my trash for
information.
If you answered yes…
Then you could be at risk for identity theft.
Read more at www.privacyrights.org for information on consumer risk and more quizzes about ID theft.
As a financial institution, how do we respond?
Fair Credit Reporting Act and FACT Act FACT Act amended FCRA in 2003 to require
guidelines for ID Theft and address discrepancies
Final rules issued in November 2007 Mandatory compliance date: November 1,
2008 NCUA rules apply to federal credit unions;
FTC rules apply to state-chartered credit unions
“Red Flags” “Red flags” are patterns, practices, or activities that indicate the
possible existence of identity theft. Examples
A fraud or active duty alert is included with a consumer report Personal identifying information is inconsistent when compared
against external sources (address does not match the address in consumer report)
The phone number is invalid, or is associated with a pager or answering service
An account is used in a manner inconsistent with established patterns (nonpayment when no history of late payments)
Examples of Red Flags
Photograph is inconsistent with consumer.
Examples of Red Flags
Documents appear to be altered.
Examples of Red Flags
Mail is returned even though transactions continue to occur on account.
Examples of Red Flags
Multiple names associated with social security number (credit reports):
Credit report:Joe Doe DOB 2-7-67SSN: 294-12-1234
Your records indicate that you have:John Doe DOB 4-15-68
SSN: 294-12-1234
Program
Written program that is designed to detect, prevent, and mitigate identity theft when opening accounts or for existing accounts
Risk-based program Contains policies and procedures to:
1. Identify red flags2. Detect incorporated red flags3. Respond to red flags to prevent and mitigate identity
theft4. Update the program periodically
Identifying Red Flags When identifying red flags, the following is considered:
Types of accounts offered and maintained Methods to open accounts Methods to access accounts Previous experience with identity theft
Incorporate red flags from sources such as: Incidents of identity theft experienced by the CU Methods of identity theft the CU has identified that reflects
changes in identity theft risk Applicable supervisory guidance
Must consider nature of credit union’s business and types of identity theft might be subject to
Detecting Red Flags
Credit union must detect red flags that are incorporated into the program.
Opening new accounts: look to CIP rules that CU already has in place-verify identity of person opening account
Existing accounts: authenticate customers, monitor transactions, and verify change of address requests
BHFCU Credit Union’s Detection Procedures BHFCU Credit union utilizes account checklists to
detect red flags at account opening A separate checklist is available for credit cards,
loans and lines of credit, and deposit accounts Staff should complete the checklist when any
possible red flag is detected If any red flags are indicated on the checklist, staff
should refer to the Red Flag Procedures to determine the credit union’s response
The Training Coordinator shall receive a completed copy of the checklist when a red flag has been detected
Responding to Red Flags
Policies and procedures to respond to red flags to prevent and mitigate identity theft
Response is based on risk Procedures for response include:
Assessment of whether red flags detected evidence a risk of identity theft; document reasonable basis for conclusion
Consideration of aggravating factors that may heighten the risk of identity theft
BHFCU’s Responses BHFCU’s Red Flag Procedures detail responses for red
flags The response will depend on the circumstances Management should be contacted if the staff member
concludes that the account should not be opened based on the red flag
If staff is unsure how to respond to the red flag, the Training Coordinator shall be contacted
Response to a Significant Incident A significant incident and the credit union’s
response shall be documented in the designated logbook.
The credit union Training Coordinator shall determine when the incident warrants documentation in the logbook.
The logbook should only contain incidents that are likely to or did have a major effect on the credit union or the member.
The logbook should provide the Board with a meaningful compilation of significant red flag incidents.
Updating the Program
The credit union will update the program periodically depending on: The experiences of the CU with identity theft Changes in methods of identity theft Changes in methods to detect, prevent, and
mitigate identity theft Changes in the types of accounts offered Changes in the structure of the CU, including
mergers or service provider arrangements
FACT Act Change of Address and Address Discrepancies
Change of Address
The credit union may not issue an additional or replacement debit or credit card if a request is received during at least the first 30 days after receiving notification of a change of address for that account, unless the credit union assesses the validity of the change of address request.
Working on a warning in Symitar and a letter in Connections to help with this.
Validating Change of Address Request
To determine the validity of the request, the credit union must: Notify the cardholder of the request at the cardholder’s former
address or by any other means of communication previously agreed to, and provide the cardholder with a means to promptly report an incorrect address; or
Use other means of evaluating the validity of the address change, in accordance with the credit union’s policies and procedures outlined in its Red Flag Program.
Any written or electronic notice must be clear and conspicuous and provided separately from the CU’s regular correspondence with the cardholder
Consumer Reports Address Discrepancies
If the credit union receives a notice of address discrepancy, it must form a reasonable belief that the consumer report relates to the person for whom it was requested
Can form reasonable belief by comparing CRA information with CIP information Information in application, change of address notification,
account record or retained CIP documentation Information from 3rd party sources The consumer
If can’t form reasonable belief, don’t use the report
Address Policy Changes
We will no longer accept post office returns for address changes
If a card request is received in the first 30 days after an address change on the account, we must assess the validity of the change before ordering the card.
Members will be receiving a generated letter stating that there has been an address change on the account and to contact the CU if they didn’t request the change.
Thank you!
We can help secure our members’ identities by doing these steps.
Questions? Contact me anytime.