Chapter 3. Identifying Red Flags. 3:1 Overview


A PRACTICAL GUIDE TO THE RED FLAG RULES

Chapter 3: Identifying Red Flags

3:1 Overview
  3:1.1 Identity Theft
  3:1.2 Red Flag
3:2 Conducting an Initial Risk Assessment
  3:2.1 Practical Considerations
  3:2.2 Risk Factors to Consider
  3:2.3 Other Sources to Consider
3:3 Categories of Red Flags
3:4 Requirement to Update Risks Based on New Threats

3:1 Overview

Each financial institution or creditor must establish reasonable policies and procedures to identify relevant Red Flags for covered accounts and incorporate those Red Flags into a written Identity Theft Prevention Program.

When developing a written Program, one size does not fit all. The Agencies have warned that companies must tailor their Program to their own specific practices and procedures. Merely applying existing privacy and data security practices, or copying another company's homework, will not suffice. A company's Program must be specifically tailored to the types of identity theft risks its customers are exposed to by virtue of the company's products or services.

3:1.1 Identity Theft

When crafting a Program that is intended to mitigate the risk of identity theft, understanding the scope of the term "identity theft" is important. Identity theft is defined under section _.90(b)(8) of the Red Flag Rules as "a fraud committed or attempted using the identifying information of another person without authority." [1] By cross-reference to FCRA, the term "identifying information" is defined as:

[A]ny name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any
(1) name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) unique electronic identification number, address, or routing code; or
(4) telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)). [2]

Note that the definition of identity theft under the Rules looks at more than just the opening of a new line of credit or a financial account. It also includes the unauthorized use of an existing account.

3:1.2 Red Flag

The Rules define a Red Flag as "a pattern, practice, or specific activity that indicates the possible existence of identity theft." [3] Under the Rules, an Identity Theft Prevention Program must reflect the size and complexity of the financial institution or creditor, and the nature and scope of its activities; thus the Red Flags incorporated into a Program must be derived from those very same factors. [4] More specifically, a Program must address financial, operational, compliance, reputation, and litigation risks and must be appropriate to the company's size, complexity, and the nature and scope of its activities. [5]

3:2 Conducting an Initial Risk Assessment

Before a covered entity can identify relevant Red Flags and adopt an Identity Theft Prevention Program, it must first conduct an initial risk assessment to determine what factors affect the risk of identity theft to customers and the safety and soundness of the financial institution or creditor (financial, operational, compliance, reputation, and litigation risks). Such an assessment will provide a covered entity with a meaningful evaluation of its current identity theft prevention measures; in particular, its shortcomings and risks to its customers.

TIP: Conducting a thorough risk assessment is one of the most important steps to establishing a sound Identity Theft Prevention Program. A deficient risk assessment could well lead to a deficient and ineffective Program.

3:2.1 Practical Considerations

The Rules allow companies the flexibility to adopt policies and procedures that fit their risks. Thus, a risk assessment may not only analyze risk factors, such as the likely circumstances of identity theft, but it also may take into account practical considerations, including the costs and burdens of addressing certain risks. That is not to say that companies may summarily dismiss pertinent Red Flags based on cost. Rather, the Rules provide companies with flexibility to balance costs against risks when determining whether to implement certain Red Flags. Furthermore, as discussed in section 3:4 below, the Rules require that covered entities periodically update their risk assessment to take into account the entity's own experience with identity theft and to consider changes in the ways accounts are opened and maintained.

3:2.2 Risk Factors to Consider

When conducting a risk assessment to identify relevant Red Flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject. The key for any covered entity is to know the facts that apply to it. A covered entity should consider the following risk factors when identifying relevant Red Flags for its covered accounts:
(1) the types of covered accounts it offers or maintains,
(2) the methods it provides to open its covered accounts,
(3) the methods it provides to access its covered accounts, and
(4) its previous experiences with identity theft. [6]

A risk assessment will reveal those accounts that would be considered covered accounts under the Rules, which the Program must address. [7] Identifying the types of covered accounts a company offers or maintains allows it to gauge which of its accounts may be more at risk of identity theft. For example, the threat to deposit accounts likely differs greatly from the threat to credit accounts. Similarly, consumer accounts may be at greater risk than business accounts. Companies also must be aware of whether a business account that they open or maintain contains any third-party personal information, especially if a business account relates to a sole proprietorship or other small business.

The methods available for customers to open and access accounts also affect the level of risk of identity theft. Accounts that can be opened or accessed remotely will be at greater risk than accounts that must be opened through face-to-face contact with the covered entity's representatives, and thus require different Red Flags. [8]

3:2.3 Other Sources to Consider

In addition to the factors mentioned above, the Rules list three other sources of Red Flags that financial institutions and creditors should consider when identifying Red Flags that are relevant to them. The three sources include:
(1) incidents of identity theft that the financial institution or creditor has experienced;
(2) methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) applicable supervisory guidance. [9]

First, a financial institution or creditor should recognize as relevant any Red Flags that directly relate to its prior experiences with identity theft. This requirement applies not only to external threats of identity theft, but also to past experiences of internal problems. For example, past suspicious activities by employees, such as the unauthorized reviewing, exporting, or modifying of customer account information, could be identified as possible Red Flags. Red Flags could also be based on any experiences of data breaches, hacking, computer fraud, or any other incidents where lost or stolen data was misappropriated through an external source.

Although it seems obvious that companies should incorporate their own experiences into a Program, this may be a challenge for companies that are not fully aware of their own historical encounters with identity theft. For that reason, instances of data security breaches should be followed by a root cause analysis and review of existing policies. Companies should also have recording systems in place to ensure that their Programs are effective and up-to-date. As we discuss below in section 3:4, maintaining an updated Program is required under the Rules.

The Rules also refer to applicable supervisory guidance. Applicable supervisory guidance can include alerts or reports distributed by government agencies. The Federal Trade Commission and the Department of Homeland Security provide timely information on their websites regarding identity theft detection and prevention. Government alerts, however, are not the only supervisory guidance available. Trade associations, news reports, and any other public information relating to identity theft trends are a valuable resource, and should be monitored and addressed.

3:3 Categories of Red Flags

Once a company has identified risk factors and possible sources of identity theft, it must identify and list the Red Flags relevant to its size, complexity, and the nature of its activities. Red Flags can vary greatly. After all, a Red Flag is defined broadly as "a pattern, practice, or specific activity that indicates the possible existence of identity theft." [10] The Rules provide twenty-six examples of Red Flags, which fall into five different categories. (See Figure 3A, on pages 28–29.) Incorporation of the Agencies' examples of Red Flags into the Program is not mandatory. Instead, the Rules

stick to a risk-based, non-prescriptive approach regarding the identification of Red Flags..., cover a wide variety of financial institutions and creditors that offer and maintain many different products and services, and require flexibility to be able to adapt to rapidly changing risks of identity theft. [12] Covered entities, therefore, can adopt certain of the example Red Flags as they deem appropriate. Nevertheless, companies should use the categories provided by the Agencies when identifying and listing relevant Red Flags. The five categories of Red Flags outlined in the Rules are:
(1) alerts, notifications, or warnings received from service providers or consumer reporting agencies,
(2) presentation of suspicious documents,
(3) presentation of suspicious personal identifying information,
(4) unusual use of, or suspicious activity related to, a covered account, and
(5) notifications or reports from consumers, victims of identity theft, law enforcement authorities, or others. [13]

FIGURE 3A: Examples of Red Flags [11]

CATEGORY 1: Warnings from Consumer Reporting Agencies
- A fraud or active duty alert is included with a consumer report.
- A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
- A consumer reporting agency provides a notice of address discrepancy.
- A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer.

CATEGORY 2: Suspicious Documents
- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
- Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

CATEGORY 3: Suspicious Personal Identifying Information
- Personal identifying information ("PII") provided is inconsistent when compared against external information sources used by the financial institution or creditor.
- PII provided by the customer is not consistent with other PII provided by the customer.
- PII provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor.
- PII is the same as that submitted by other customers or by an unusually large number of other persons opening an account.

CATEGORY 4: Unusual Use of Account
- Account used in a manner that is not consistent with historical patterns of activity.
- Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
- A new revolving credit account is used in a manner commonly associated with known patterns of fraud.
- Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
- A financial institution or creditor is notified that the customer is not receiving paper account statements.

CATEGORY 5: Notice from Customers, Law Enforcement or Other Persons
- Customer notifies financial institution or creditor of unauthorized charges.
- A financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.

Identifying Red Flags that are not applicable to a particular financial institution or creditor can sometimes be obvious. For instance, if a company does not receive or use consumer reports, then it does not need to list Red Flags for address discrepancy notices received from consumer reporting agencies. If a company does not have face-to-face contact with customers to open or maintain accounts, and does not plan to require face-to-face contact in the future, then the company may not need to incorporate Red Flags related to the presentation of suspicious picture identification documents into its Program. Nevertheless, if the company does not require face-to-face contact but requires the production of a copy of identification, then the company may need Red Flags to address that situation.

On the other hand, choosing actual relevant Red Flags can be more difficult and requires careful consideration of the information provided through a comprehensive risk assessment. The Agencies did not intend for the list of example Red Flags to be an exhaustive list of all the identity theft Red Flags that a financial institution or creditor could experience. Instead, a covered entity is expected to use the risk assessment to develop Red Flags based on the nature, the type, and the complexity of its business.

3:4 Requirement to Update Risks Based on New Threats

Each financial institution and creditor will determine which of its accounts will be covered by its Program by conducting a risk assessment as discussed above. As part of the Program, each financial institution and creditor is required to periodically determine, by conducting additional risk assessments, whether it offers or maintains covered accounts that are subject to the Rules. Companies must also continuously update their list of Red Flags. With changes in technology, some Red Flags that are relevant to current industry risks may be obsolete in a few years as new types of threats arise. Although companies are not required to guess what new threats may be looming over the horizon, the Rules clearly intend for covered entities to be mindful of changes in identity theft risks. For example, companies should look to applicable supervisory guidelines to determine what government agencies or industry associations are identifying as new threats. Also, companies should incorporate their own experiences with potential or actual identity theft to ensure that their Program is up-to-date.
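Several of the Figure 3A examples in Categories 3 and 4 describe event patterns that can be checked mechanically once account activity is logged, which is also what makes them easy to revisit when the list is updated under section 3:4. The Python script below is an added illustration and is not part of this guide or of any regulator's materials: it encodes three of those examples (card or authorized-user request shortly after an address change; mail repeatedly returned while transactions continue; one PII value shared by an unusually large number of applicants) as rules over a constructed account-event log. The Event schema, the thresholds (a 30-day window, two returned mailings, three applicants sharing one PII value) and the sample events are all assumptions chosen for the example, not values from the Rules.

```python
"""
Rule-based detector for three of the Figure 3A example Red Flags.

Added illustration, not part of the guide. The event schema, thresholds and
sample data below are constructed assumptions; a real Program would derive
them from its own risk assessment (section 3:2) and revisit them (section 3:4).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    account: str    # covered account identifier (constructed)
    when: date
    kind: str       # "address_change", "card_request", "add_user",
                    # "mail_returned", "transaction", "application"
    detail: str = ""  # for "application" events: the PII value submitted


# Thresholds are assumptions chosen for the example; tune them from your own experience.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)  # Category 4: "shortly following" an address change
RETURNED_MAIL_MIN = 2                       # Category 4: "returned repeatedly"
SHARED_PII_MIN_ACCOUNTS = 3                 # Category 3: "unusually large number" of applicants


def _by_account(events):
    """Group events per account, sorted by date."""
    groups = defaultdict(list)
    for e in events:
        groups[e.account].append(e)
    for acct in groups:
        groups[acct].sort(key=lambda e: e.when)
    return groups


def detect_red_flags(events):
    """Return a sorted list of (account, category, description) findings."""
    findings = set()  # a set so one account/rule pair is reported once

    for acct, evs in _by_account(events).items():
        # Category 4: new card / authorized user requested shortly after an address change
        changes = [e.when for e in evs if e.kind == "address_change"]
        for e in evs:
            if e.kind in ("card_request", "add_user") and any(
                0 <= (e.when - c).days <= ADDRESS_CHANGE_WINDOW.days for c in changes
            ):
                findings.add((acct, 4, "card/authorized-user request within "
                              f"{ADDRESS_CHANGE_WINDOW.days} days of address change"))

        # Category 4: mail repeatedly returned undeliverable while transactions continue
        returns = [e.when for e in evs if e.kind == "mail_returned"]
        if len(returns) >= RETURNED_MAIL_MIN:
            last_return = max(returns)
            if any(e.kind == "transaction" and e.when > last_return for e in evs):
                findings.add((acct, 4, "mail returned undeliverable while transactions continue"))

    # Category 3: the same PII submitted by an unusually large number of applicants
    pii_accounts = defaultdict(set)
    for e in events:
        if e.kind == "application" and e.detail:
            pii_accounts[e.detail].add(e.account)
    for pii, accts in pii_accounts.items():
        if len(accts) >= SHARED_PII_MIN_ACCOUNTS:
            for acct in accts:
                findings.add((acct, 3, f"PII {pii!r} shared by {len(accts)} applicants"))

    return sorted(findings)


# Constructed sample events (not real accounts or customers).
SAMPLE_EVENTS = [
    Event("A1", date(2024, 3, 1), "address_change"),
    Event("A1", date(2024, 3, 10), "card_request"),             # Category 4 hit
    Event("A2", date(2024, 3, 1), "address_change"),
    Event("A2", date(2024, 5, 15), "card_request"),             # outside the window: no hit
    Event("A3", date(2024, 1, 5), "mail_returned"),
    Event("A3", date(2024, 2, 5), "mail_returned"),
    Event("A3", date(2024, 2, 20), "transaction"),              # Category 4 hit
    Event("A4", date(2024, 1, 5), "mail_returned"),
    Event("A4", date(2024, 1, 6), "transaction"),               # only one return: no hit
    Event("B1", date(2024, 4, 1), "application", "555-0100"),  # constructed phone number
    Event("B2", date(2024, 4, 2), "application", "555-0100"),
    Event("B3", date(2024, 4, 3), "application", "555-0100"),  # Category 3 hit for B1-B3
    Event("B4", date(2024, 4, 4), "application", "555-0199"),
]

if __name__ == "__main__":
    for acct, cat, desc in detect_red_flags(SAMPLE_EVENTS):
        print(f"{acct}: Category {cat}: {desc}")
```

Running the script prints one line per finding (A1 and A3 under Category 4, B1 through B3 under Category 3; A2, A4 and B4 produce nothing). The thresholds sit at the top as named constants so that a periodic review of the Red Flag list changes data rather than logic, and each finding carries its category so it can be traced back to the Figure 3A entry that justified the rule.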

Endnotes

1. The Rule is cross-referenced with the FTC's rule defining identity theft for the purposes of FCRA. See App. A2 infra.
2. _.90(b)(8); 16 C.F.R. 603.2(b) (2004).
3. _.90(b)(9); see App. A2 infra.
4. 72 Fed. Reg. at 63,724 (commentary to _.90(d)(1)).
5. 72 Fed. Reg. at 63,719–20.
6. Appendix J to Part __; see App. A3 infra.
7. See supra section 2:4 for definition of a covered account.
8. 72 Fed. Reg. at 63,727 (commentary to _.90(d)(2)(i)).
9. Appendix J to Part __; see App. A3 infra.
10. See section 3:1.2 supra.
11. Supplement A to Appendix J to Part __; see App. A4 infra.
12. 72 Fed. Reg. at 63,727 (commentary to _.90(d)(2)(i)).
13. Appendix J to Part __; see App. A3 infra.