Red Flag! Now What? An SME s Guide for FACTA Red Flag Compliance. see} white paper

Transcription

1 Red Flag! Now What? An SME s Guide for FACTA Red Flag Compliance see} white paper

2 see} white paper Red Flag! Now What? If you are a large bank, credit union or credit card issuer, you are well aware of the looming November 1 deadline to comply with Sections 114 and 315 of the Fair and Accurate Transactions Act of 2003 (FACTA), better known as the Red Flag Regulations. But if you are like many small and medium sized businesses, you are just waking up to Red Flags and the fact that your business must have an Identity Theft Prevention Program by November 1, 2008 (a Red Flags Program ). A Red Flag is a pattern, practice, or specific activity that indicates the possible risk of identity theft. There are 26 specific Red Flag examples that the Federal Trade Commission (FTC) has set forth in its guidelines, but depending on your business, the FTC says the number of Red Flags could be more or less. Is My Business subject to Red Flags? Your business is required to comply with FACTA if you maintain financial information on consumers. Under the Red Flag Regulations, businesses that offer and maintain covered accounts must develop and implement a Red Flags Program. A covered account is an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions; (e.g. checking account, credit card, mortgage or auto loan, phone or utility bill etc.) or any other account where there is a reasonably foreseeable risk to customers or the safety and soundness of the business from identity theft. Examples of businesses subject to Red Flags: BANKS CREDIT UNIONS MORTGAGE BROKERS EQUIPMENT LEASING DEALERS AUTO DEALERS MOTORCYCLE DEALERS RECREATIONAL VEHICLE DEALERS SUPPLIERS DEBT COLLECTORS CREDIT CARD ISSUERS UTILITY COMPANIES TELECOMMUNICATIONS COMPANIES HEALTHCARE COMPANIES Besides auto dealers, businesses subject to FACTA include debt collectors, mortgage brokers and even someone who uses a credit report in employment screenings. "Whether someone hiring a nanny is aware [of FACTA], I don't think there are, obviously. But I think financial institutions are aware of it and they have to be," said Mary Monahan, senior analyst with Javelin Strategy & Research, which focuses on the financial services industry.1 1 Robert Mullins Contributor, FACTA s red flags of identity theft, Compliance and Governance Digest, February

3 see} white paper Red Flag! Now What do I do? So you are an auto dealer and you re ready to make a sale. The prospective buyer needs credit to complete the purchase, but you detect a Red Flag: His date of birth and Social Security number don t match up; or There is a discrepancy between the address on the application and the credit report; or The customer does not seem to match the physical description on his driver s license S o I d etected a Red Fla g Ho w d o I d etermin e th e Risk o f Id en tity Th eft? Understanding the Basic Elements of Red Flags The Red Flag Regulations list four basic elements your business must include in your Red Flags Program. These are: 1. Identify the relevant Red Flags for your business, incorporate these into your Red Flags Program, adopt them by vote of your Board of Directors and then train your employees. 2. Detect Red Flags that you have set forth in your Red Flags Program. 3. Respond appropriately to any Red Flags that are detected. 4. Update your Red Flags Program periodically to reflect changes in Identity Theft risk to your customers or to the safety and soundness of your business. Does every Red Flag I detect mean I lose the Sale? 4 Steps to Compliance Step 1: Identify Red Flags The FTC is clear that a Red Flags Program should be tailored to the size, complexity, and nature of your business operations and should incorporate the Red Flags that are relevant to your business. It is pretty clear that a large bank has a heavier compliance burden than most auto dealers or building suppliers. How much? The Red Flag Regulations leave the decision up to you. The FTC is also clear that your Red Flag Program must be written and approved by your board of directors. Further, you must have a plan to train your employees as part of your Red Flags Program. What does a written Red Flags Program look like? The Red Flag Regulations leave that up to you to decide as well. 3

4 see} white paper Step 2: Detect Red Flags Your written Red Flags Program sets forth your procedure for detecting Red Flags. So once it has been approved by your Board of Directors, you have to train your staff on how to detect Red Flags. Along with setting forth 26 specific Red Flags in its guidelines, there are five categories of Red Flags that the FTC has stated that your business needs to consider: 1. Suspicious Documents 2. Suspicious Account Activity 3. Inconsistencies between Credit Reports and Application Data 4. Inconsistencies between Personal ID Data and Outside Data Sources 5. Notice of Fraud on an Account When you detect a Red Flag, then you must respond appropriately. Step 3: Respond to a Detected Red Flag Since Red Flag Programs will differ for each business, you are only required to respond appropriately based on the degree of risk posed. Appropriate responses may include: Monitoring an account Contacting the customer Declining the business or new business Changing access to an account Closing or suspending an account Stopping collections on an account Notifying law enforcement. But No response to a Red Flag is also an appropriate response 2. Step 4: Update Your Red Flags Program The last step of your Red Flags Program is the regular updating of your Program. Your business needs to be informed and flexible to stay ahead of the identity theft criminals to protect both consumers and your business. Red Flags! Now What? So you are a business owner that uses consumer credit and other FCRA data to run your business. You are now realizing that since there is a reasonably foreseeable risk of Identity Theft in your business, the Red Flags Regulations apply to you. You are probably also asking yourself a number of obvious questions: 1. How do I create a Red Flags Program for my business that will control the reasonably foreseeable risks of Identity Theft? 2 Page 63729, Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 4

5 see} white paper 2. How do I decide which Red Flags are relevant to my business? 3. More importantly, how do I, as a business owner, assess whether a Red Flag detected is evidence of a risk of identity theft and then determine whether I have a reasonable basis for concluding that a Red Flag, or combination of Red Flags, does not evidence a risk of Identity Theft? 4. How do I know how to respond appropriately? 5. And probably most important, when is it appropriate for me to proceed with the sale or transaction? Tough questions even if you have your own compliance experts on staff. But, if you are like most businesses, you are probably just learning about the Red Flags Regulations, let alone coming to grips with how you implement a Red Flags Program and beginning to sort out how you would respond to detection of a Red Flag. The MicroBilt Red Shield Solution: MicroBilt has created a unique Red Flag solution that is ideal for small and medium sized businesses for all types of transactions where credit data and other FCRA data is used including auto and other vehicle sales, debt collection, new account openings, background screening, and offering of trade credit. With Red Shield, your business is not required to independently assess the foreseeable risk of Identity Theft. Honestly, we don t think many businesses have the expertise and resources to do so. The MicroBilt Red Shield Solution gives your business a definitive Pass or Fail simultaneously with the return of the consumer s credit report. If we are wrong: o We guarantee your business up to $25,000 in loan losses. o We provide the affected consumer with $25,000 of Identity Theft coverage including credit restoration services. And, you can proceed with the sale or transaction with piece of mind. The MicroBilt Red Shield Solution uses proven fraud analytics developed by Fair Isaac to detect fraud; fraud analytics that have been used for more than a decade to protect 65% of the world s credit cards from fraud. Part of Your Red Flags Program MicroBilt Red Shield is part of your Red Flags Program. Your business must still have a written, board approved Red Flags Program which addresses all five categories of Red Flags (the sample written policy we provide our customers is an appendix to this White Paper). The five categories of Red Flags are: 5

6 see} white paper 1. Inconsistencies between Credit Reports and Application Data 2. Inconsistencies between Personal Identification Data and Outside Sources (Independent 3rd party data bases) 3. Suspicious Documents 4. Suspicious Account Activity 5. Receipt of a Notice of Fraud The Red Flags in Categories 3, 4, and a few Red Flags in Category 2 require physical inspection of identification documents and review of existing accounts. The detection process for Red Flags in these categories should be an internal process or checklist you should follow before proceeding with a transaction ( Red Flags Checklist ). And obviously with Category 5 Receipt Notice of Fraud, you need to respond in accordance with the notice. The remaining Red Flags that require detection of Red Flags from comparison of application information and the consumer credit reports (Category 1) and other independent data sources (Category 2), are satisfied by MicroBilt Red Shield. So, your Red Flags Program, including the MicroBilt s Red Shield Solution would look like: Run through your Red Flags Checklist for suspicious documents and account activity Run ID Verification (Optional - For Financial Institutions that pre-screen before pulling credit) Run MicroBilt Red Shield (includes credit report and all independent data) If Pass Proceed with Transaction If Fail Run ID Authenticate (optional but recommended) If Fail Possible Responses are: o Monitor an account for evidence of identity theft; o Contact the customer; o Change any passwords, security codes, or other security devices that permit access to a customer s o Reopen an account with a new account number; o Not open a new o Close an existing o Notify law enforcement o For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation And of course, MicroBilt provides extensive user training to complete your requirements for a complete Red Flags Program. So without a solution like the MicroBilt Red Shield, you have to ask yourself: How can I, as the owner a small business, reasonably predict the likelihood of Identity Theft in a transaction and then determine a reasonable response to that risk of Identity Theft? 6

7 Exhibit 1 - Sample Written Policy Establishment of an Identity Theft Prevention Program. 1. Program requirement. Each business subject to Red Flags Regulations must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a Covered Account or any existing Covered Account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. Elements of the Program. 2. The Program must include reasonable policies and procedures to: a. Identify relevant Red Flags for the covered accounts that the business offers or maintains, and incorporate those Red Flags into its Program; b. Detect Red Flags that have been incorporated into the Program of the business; c. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and d. Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the business from identity theft. Administration of the Program. 3. Each business must: a. Have a written Red Flags Policy approved by its board of directors (or appropriate committee) or the business owner (or appropriate designate of the owner); b. Involve the board of directors (or committee thereof), owner, or a senior management employee in the oversight, development, implementation and administration of the Program; c. Train staff, as necessary, to effectively implement the Program; and d. Exercise appropriate and effective oversight of service provider arrangements. e. Review and report to the board of directors or owner at least annually i. The effectiveness of the procedures and policies, ii. Specific incidents of Identity Theft, iii. The Company s response and iv. Any recommendations for changes to the Program The Red Flags Sample Policy is being provided to you at your request for example purposes only and is not to be construed as or relied upon as legal advice. Users should consult with their own independent legal counsel for review and/or edit prior to implementation and failure to do so shall be at User s sole decision and risk.

8 CATEGORY OF DETECTION POSSIBLE RESPONSES A fraud or active duty alert is included with a consumer report. Check Credit Report for Fraud Alert or Active Duty Alert Follow the Credit Bureau s Procedures for Consumer Credit Report Fraud Alert or Active Duty Alert A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. 1. MicroBilt Red Flags Passed Proceed with Transaction if other Red Flags requirements satisfied Alerts, notifications, or other warnings received from Consumer Credit Reporting Agencies, or Service providers, such as fraud detection services; A consumer reporting agency provides a notice of address discrepancy. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: A recent and significant increase in the volume of inquiries; An unusual number of recently established credit relationships; A material change in the use of credit, especially with respect to recently established credit relationships; or An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. MicroBilt Red Flags Solution 2. MicroBilt Red Flags Failed Run ID Authenticate 3. If Applicant fails ID Authenticate Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Close an existing For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation;

9 CATEGORY OF DETECTION POSSIBLE RESPONSES Presentation of Suspicious Personal Identifying Information Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: The address does not match any address in the consumer s data file; or The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration s Death Master File. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: The address on an application is the same as the address provided on a fraudulent application; or The phone number on an application is the same as the number provided on a fraudulent application. MicroBilt Red Flags Solution 1. MicroBilt Red Flags Passed Proceed with Transaction if other Red Flags requirements satisfied 2. MicroBilt Red Flags Failed Run ID Authenticate 3. If Applicant fails ID Authenticate Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Close an existing For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation;

10 CATEGORY OF DETECTION POSSIBLE RESPONSES Presentation of Suspicious Personal Identifying Information Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: The address on an application is fictitious, a mail drop, or a prison; or The phone number is invalid, or is associated with a pager or answering service. The SSN provided is the same as that submitted by other persons opening an account or other customers. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers. MicroBilt Red Flags Solution 1. MicroBilt Red Flags Passed Proceed with Transaction if other Red Flags requirements satisfied 2. MicroBilt Red Flags Failed Run ID Authenticate 3. If Applicant fails ID Authenticate Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Close an existing For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation; The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. Check Application for required personal information. Is the applicant unable to provide all required personal identifying information for an application? Check personal identifying information on application or other documents against personal identifying information currently on file. Is it consistent with personal identifying information that is currently on file? Applies if your Business uses Challenge (Outof-Wallet) questions Check account if the person opening the covered account or the customer fails to answer challenge questions such as questions about places they have lived or people they know. 1. Run ID Authenticate 2. If Applicant fails ID Authenticate Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Close an existing For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation;

11 CATEGORY OF DETECTION POSSIBLE RESPONSES Documents provided for identification appear to have been altered or forged. Presentation of Suspicious Documents Photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. Inspect Driver s License or other documents provided for personal identification. Does it appear to have been altered or forged upon physical inspection? Inspect photograph and physical description on the Driver s License or other personal identification. Is it consistent with the appearance of the applicant or customer presenting the identification? Review other information on the identification, such as the address, social security number, and date of birth. Is that information consistent with information provided by the person opening a new account or customer presenting the identification? Review other information on the identification. Is that information consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check? Inspect the application presented. Does it appear to be have altered or forged, or does it give the appearance of having been destroyed and reassembled? 1. Run ID Authenticate 2. If Applicant fails ID Authenticate Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Close an existing For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation; An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

12 CATEGORY OF DETECTION POSSIBLE RESPONSES Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example: Check when receiving a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account. Has there been a recent notice of a change of address? Applies to Revolving Credit Accounts - Inspect revolving accounts to detect when a majority of available credit on a revolving account is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry). 1. Run ID Authenticate Red Flag based on unusual use of, or suspicious activity related to, the covered account The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or The customer fails to make the first payment or makes an initial payment but no subsequent payments. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: Nonpayment when there is no history of late or missed payments; A material increase in the use of available credit; A material change in purchasing or spending patterns; A material change in electronic fund transfer patterns in connection with a deposit or A material change in telephone call patterns in connection with a cellular phone account. Applies to Revolving Credit Accounts - Inspect revolving accounts to detect when the customer fails to make the first payment or makes an initial payment but no subsequent payments. Check covered accounts that are delinquent when there is no history of late or missed payments. Applies to Revolving Credit Accounts, Checking Accounts etc. Check covered accounts where there is a material increase in the use of available credit on a covered account. Applies to Revolving Credit Accounts, Checking Accounts etc. - Check covered accounts where there is a material change in purchasing or spending patterns by a customer on a covered account. Applies to Deposit and Checking Accounts - Check covered accounts where there is a material change in electronic fund transfer patterns in connection with a deposit account. Applies to Cellular Phone Accounts - Check covered accounts where there is a material change in telephone call patterns in connection with a cellular phone account. 2. If Applicant fails ID Authenticate Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Close an existing For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation;

13 CATEGORY OF DETECTION POSSIBLE RESPONSES The Unusual Use of, or Suspicious Activity related to, a Covered Account A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors). Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer s covered account. The financial institution or creditor is notified that the customer is not receiving paper account statements. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer s covered account. Applies to Revolving Credit Accounts, Checking Accounts etc. Inspect usage of a covered account (such as a revolving account) that has been inactive for a reasonably lengthy period of time (taking into account the expected pattern of usage and other relevant factors). Check covered accounts where mail that has have been sent to the customer is returned repeatedly as undeliverable. Have transactions continued to be conducted in connection with the customer s covered account. Check a covered account upon receiving notice by the customer that the customer is not receiving paper account statements. Check a covered account upon receiving notice of unauthorized charges or transactions in connection with a customer s covered account. 1. Run ID Authenticate 2. If Applicant fails ID Authenticate Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Close an existing For those that are subject to Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation; CATEGORY OF DETECTION POSSIBLE RESPONSES Receipt of Notice from: Customers, Victims of Identity Theft Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts held by your Financial Institution or Business Your business has been notified by: a Customer a Victim of Identity Theft a Law Enforcement Authority, or any other person that Your Business has opened a fraudulent account for a person engaged in identity theft. Receipt of Notice Monitor an account for evidence of identity theft; Change any passwords, security codes, or other security devices that permit access to a customer s Reopen an account with a new account number; Not open a new Closing an existing and, for those subject to the Bank Secrecy Act (31 U.S.C. 5318(g)), filing a Suspicious Activity Report in accordance with applicable law and regulation;