Red Flags- Why This Matters to You
Transcript of Red Flags- Why This Matters to You
©2012 CliftonLarsonAllen LLP
Red Flags- Why This Matters to You
An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.
Justin Robinson, Engagement Director, CliftonLarsonAllen LLP
Agenda
• Critical elements of the rule
• Red Flag compliance vs. BSA compliance
• What does an identity theft red flag risk assessment look like?
• Are 26 red flags appropriate for all credit unions?
• Using existing safeguarding member information program to mitigate and prevent Red Flags
• Identification of other means currently utilized that prevent and mitigate risk
• Red Flag Response Matrix
ID Theft Top Consumer Fraud Complaint
• FTC reported the top consumer fraud complaint received in 2011 was identity theft
  – 12 years in a row
  – 15% of all complaints
• Misuse of government documents fraud was the most common form of reported identity theft (approximately 27% of complaints), followed by credit cards (14%).
Identity Theft Red Flag Requirements
• In October 2007, the Federal Banking Regulators issued final rules implementing the Identity Theft Red Flag Requirements of the FACT Act
• Written program to detect, prevent, and mitigate identity theft
• Overlap of IT and consumer compliance
What is Identity Theft?
• Fraud committed or attempted using, without authority, the identifying information of another person
  – Name, SSN, TIN, etc.
  – Very broad
Types of Identity Theft
• Hacking, dumpster diving, insider theft, phishing, shoulder surfing, family members, stealing (laptop, purse), physical break-in
• Shotgunning - the identity thief applies for multiple loans from multiple lenders on the same property within a short period of time. The identity thief then takes advantage of the lag time in recording mortgages as lenders are unable to identify the existence of the other mortgages before funding the loans
Important Point
• The Identity Theft Red Flag Rules are very different from BSA
• BSA – required to report on suspicious transactions and money laundering but not necessarily required to prevent it
• Identity Theft Red Flag Rule – you are required to prevent identity theft and can be held accountable if you do not
• Consequently, you must approach compliance with this rule differently
Four Critical Elements
1. Identify relevant Red Flags for the accounts the credit union offers or maintains, and incorporate those Red Flags into its Program;
2. Detect Red Flags that have been incorporated into the Program of the credit union;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to members
Seven Step Process
• STEP 1: Identity Theft Program Administrator
• STEP 2: Conduct a Risk Assessment
• STEP 3: Identify Relevant Red Flags
• STEP 4: Detect Red Flags
• STEP 5: Preventing and Mitigating Red Flags
• STEP 6: Board Approval and Staff Training
• STEP 7: Updating the Program
STEP 1: Identity Theft Program Administrator
• Select an individual or committee to oversee and administer the Program.
• The Administrator is responsible for the implementation, oversight, and updating of the Program.
• The Administrator will need to be capable of addressing these steps to effectively implement the Program.
STEP 2: Conduct a Risk Assessment
• Conduct a risk assessment to identify all covered accounts for the rule. The rule defines a “covered account” as:
  – An account that a credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; or
  – Any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.
STEP 2: Conduct a Risk Assessment
• The credit union should take into consideration all of the following risk factors:
  – The types of accounts offered or maintained;
  – Methods provided to open accounts (web site, internet banking, etc.);
  – Methods provided to access accounts (bill payment, telephone banking, internet banking, etc.); and
  – Previous experiences with identity theft.
STEP 2: Conduct a Risk Assessment
• Identify all threats and the potential for harm, determine your existing safeguards, analyze whether you need additional safeguards
• Some threats include:
  – Scams
  – Hacking
  – Trusted Insiders
  – Physical Break-Ins
  – Shoulder Surfing
• Do not forget general Fraud
  – Mortgage, check, appraisal, etc.
STEP 2: Conduct a Risk Assessment
• Determine existing safeguards
  – Policies
  – Procedures
  – Automated tools
  – Training
  – Testing and monitoring
  – Authentication process
STEP 2: Conduct a Risk Assessment
• Taking all of that into consideration, determine:
  – Likelihood of identity theft occurring
  – Potential impact of identity theft
• No mandated format
• May be combined with another risk assessment, such as your member information security risk assessment, but make sure all elements of the Identity Theft rule are met
STEP 3: Identify Relevant Red Flags
The regulators have provided us with five general categories of Red Flags:
• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
• The presentation of suspicious documents;
• The presentation of suspicious personal identifying information, such as a suspicious address change;
• The unusual use of, or other suspicious activity related to, a covered account; and
• Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union.
STEP 3: Identify Relevant Red Flags
• In addition, the Regulators have provided us with specific examples of Red Flags that fall into these general categories. Supplement A to Appendix J of the rule includes a list of 26 different Identity Theft Red Flags
• While these specific Red Flags are provided as examples, the list is not meant to be exhaustive
STEP 4: Detect Red Flags
• Develop procedures and controls to detect the identified Red Flags
• The detection requirement is simply a due diligence requirement to utilize sound controls that will help in detecting the Red Flags
• Applies to new and existing accounts
STEP 4: Detect Red Flags
• Use your existing Member Information Security Program and Customer Identification Program.
• You already have these in place. These will be very important going forward and could be the ultimate determining factor in whether you can comply with the rule or not.
STEP 4: Detect Red Flags
Ensure effective detective controls by:
• Obtaining identifying information about, and verifying the identity of, a person opening a covered account
  – For example, using the policies and procedures regarding identification and verification set forth in your Customer (Member) Identification Policy (CIP) program.
• Authenticating members
• Monitoring transactions, accounts, systems, dormant accounts, applications
STEP 4: Detect Red Flags
• Penetration testing
• Vulnerability assessments
• IT audit
  – Detect fraudulent activity
• Financial audit
• Verifying the validity of change of address requests, in the case of existing covered accounts.
• Developing procedures referencing the existing CIP and security procedures as controls to detect appropriate Red Flags
STEP 5: Preventing and Mitigating Red Flags
• IT audit
• Written procedures and policies related to verifying identity that are enforced
• CIP
• Authentication
• Encryption
• Firewalls
STEP 5: Preventing and Mitigating Red Flags
• Employee background checks
• Employee training
• Fraud and Identity Theft training
• Record retention/disposal of information
• Due diligence of service providers
STEP 5: Preventing and Mitigating Red Flags
Responses to Red Flags
• The Program must include appropriate responses to detected Red Flags
• The appropriate credit union response will vary depending on the risk posed by the detected Red Flag
• You probably already have an Incident Response Plan but you may need to expand it
• Keep documentation related to response
STEP 5: Preventing and Mitigating Red Flags
Examples of Credit Union responses to detected Red Flags:
• Monitoring a covered account for evidence of identity theft
• Contacting the member
• Changing any passwords, security codes, or other security devices that permit access to a covered account
• Reopening a covered account with a new account number
• Not opening a new covered account
• Closing an existing covered account
• Not attempting to collect on a covered account or not selling a covered account to a debt collector
• Notifying law enforcement
• Determining that no response is warranted under the particular circumstances
STEP 5: Preventing and Mitigating Red Flags
Third Party Providers
• Your credit union should have controls in place to ensure that third party service providers have Red Flag detection procedures in place.
• Take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
• For example, you could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the federal credit union, or to take appropriate steps to prevent or mitigate identity theft.
STEP 6: Board Approval and Staff Training
• Obtain written approval of the Program from the Board of Directors or an appropriate committee of the Board of Directors
• Train appropriate staff to implement the Program. Staff should be aware of identified Red Flags, controls to detect these Red Flags, and appropriate responses to detection
• Train any staff member who could detect or prevent Identity Theft
• Training should cover your identified Red Flags, policies and procedures, and reporting process for Identity Theft
STEP 6: Board Approval and Staff Training
Annual Reporting:
“staff of credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the credit union.”
STEP 6: Board Approval and Staff Training
Contents of the report:
• Material matters related to the Program such as:
  – The effectiveness of the policies and procedures in addressing the risk of identity theft;
  – Service provider arrangements;
  – Significant incidents involving identity theft and management’s response;
  – Recommendations for material changes to the Program.
STEP 7: Updating the Program
The credit union should periodically update its Red Flags based on the following factors:
• The experiences of the credit union with identity theft;
• Changes in methods of identity theft;
• Changes in methods to detect, prevent, and mitigate identity theft;
• Changes in the types of accounts the credit union offers or maintains; and
• Changes in the business arrangements of the credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
ID Theft Red Flags Today
Risks
• Exams
  – Potential for larger impact
• Civil suits?
ID Theft Trends
FinCEN Report on ID Theft Trends, Patterns and Typologies
  – Report issued September 2010
  – Studied SARs filed 2003-2009
ID Theft Trends
• Credit Card ID Theft
  – Physical theft
  – Virtual theft
  – 30% of the time the thief added his/her name as an authorized user
ID Theft Trends
• Deposit Account Fraud
  – ID thief opens a new joint account with member’s name.
  – Thief then poses as victim and directs transfer from existing member’s account into joint account
ID Theft Trends
• Other notable trends
  – 22% of SARs filed involved friends or family members of the victim
  – 27% of SARs filed indicated the victim knew the identity thief
  – Only 18% of the SAR filings noted the identity theft was discovered within 1 week of the theft
  – 37% of the filings noted the theft was discovered 3+ months after the account was compromised
ID Theft Trends
• Notable “Red Flags” that aided discovery:
  – Notification by consumer that a fraudulent account was opened
  – Notification by consumer that there are unauthorized transactions
  – Incorrect social security number
  – Change of address requests
ID Theft Trends
• Tax Fraud, FinCEN Letter March 2012 (FIN-2012-A005)
  – Additional Red Flags related to Tax Refund ID Theft
◊ Multiple direct deposit tax refund payments, directed to different individuals
◊ Suspicious or authorized account opening at a depository institution, on behalf of individuals who are not present, with the fraudulent actor being named as having signatory authority. The subsequent source of funds is limited to the direct deposit of tax refunds.
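The STEP 4 detection requirement and the STEP 5 response list, applied to three Red Flags the slides describe (tax refund deposits for different individuals into one account, a change of address followed by an authorized-user addition, and shotgunning), as an added Python example that is not part of the presentation. The event format, account and property identifiers, the 30-day window, and the pairing of each flag with a response are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data); field names are this example's own.
EVENTS = [
    {"ts": "2012-03-01", "type": "tax_refund_deposit", "account": "A100", "payee": "Pat Doe"},
    {"ts": "2012-03-02", "type": "tax_refund_deposit", "account": "A100", "payee": "Sam Roe"},
    {"ts": "2012-03-05", "type": "address_change", "account": "A200"},
    {"ts": "2012-03-07", "type": "add_authorized_user", "account": "A200"},
    {"ts": "2012-03-10", "type": "loan_application", "account": "A300", "property": "P1"},
    {"ts": "2012-03-11", "type": "loan_application", "account": "A301", "property": "P1"},
]

# Response matrix: each flag maps to a response from the slides' STEP 5 list.
RESPONSES = {
    "multiple_refund_payees": "Monitor the covered account; notify law enforcement",
    "address_change_then_authorized_user": "Contact the member; verify the address change",
    "shotgunning": "Do not open a new covered account pending verification",
}

def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%d")

def detect_red_flags(events, window_days=30):
    """Return {(flag, key): response} for each distinct Red Flag detected."""
    hits = {}
    def flag(name, key):
        hits.setdefault((name, key), RESPONSES[name])
    refund_payees = defaultdict(set)       # account -> distinct refund payees
    last_address_change = {}               # account -> date of latest change
    loans_by_property = defaultdict(list)  # property -> application dates
    for e in sorted(events, key=_ts):      # order matters for the sequence rule
        t = _ts(e)
        if e["type"] == "tax_refund_deposit":
            refund_payees[e["account"]].add(e["payee"])
            if len(refund_payees[e["account"]]) >= 2:  # refunds to >1 individual
                flag("multiple_refund_payees", e["account"])
        elif e["type"] == "address_change":
            last_address_change[e["account"]] = t
        elif e["type"] == "add_authorized_user":
            prev = last_address_change.get(e["account"])
            if prev and t - prev <= timedelta(days=window_days):
                flag("address_change_then_authorized_user", e["account"])
        elif e["type"] == "loan_application":
            dates = loans_by_property[e["property"]]
            dates.append(t)
            if sum(t - d <= timedelta(days=window_days) for d in dates) >= 2:
                flag("shotgunning", e["property"])
    return hits
```

Each detected flag is recorded once per account or property, so a reviewer sees one matrix row per incident rather than one per repeated event.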
Tips
• Use existing risk assessments, policies, procedures and programs
• Create a standard form staff can use to report suspected identity theft
• Designate a centralized person/group to receive all incident reports of identity thefts and other incidents
• Change/improve your response procedures as your system evolves and you learn what does/does not work
• Make your program useable, not difficult to utilize and comprehend
Questions?
Justin Robinson, Engagement Director, CliftonLarsonAllen LLP