Subject: Identity Theft, G-113 Department: All & Branches References: Part 717, NCUA Rules and Regs, FACT Act, Companion SOP s G-30 (Opening New Accounts), G-38 (E-Commerce), G-40 (Issuance of Visa Cards), G-43 (Access/Use of Phone Facts& Branch @Home), G-80 (Automated Teller Machines), G-55 (Addition of Names to Share/Share Draft Accounts), G-60 (Bank Secrecy Act-Currency Transaction Reports), G-95 (Information Security), G- 102 (Telephonic Release of Member Information), G-104(Member Privacy), G-106 (Foreign Asset Control), G-66 Vendor Oversight, Board Act 19Jun2008 Background In November 2007, it was determined through the update of the Fair and Accurate Credit Transactions Act of 2003 that all regulatory agencies meet new rules on identity theft. These new rules are referred to as the Red Flag rules. A Red Flag is a pattern, practice, or a specific activity that indicates the possibility of identity theft. Every federal institution is required to develop and implement a written program that will help detect, prevent, and mitigate identity theft. Policy 1. The credit union s Identity Theft Program will be developed in accordance with NCUA Rules and Regulations as promulgated on 9 November 2007 (12 CFR Part 717). 2. The heart of the Program will be the risk assessment performed against identity theft red flags. This initial assessment will be presented to the Board for approval. Thereafter, only new and/or significant changes will be brought to the Board for approval. 3. Senior Management will keep the Board informed of any notable trend in identity theft and any incident which may cause material damage to the credit union. 4. Senior management will submit an annual report to the Board covering the effectiveness of the credit union s Identity Theft Program. Format for report is at the discretion of Senior Management. 5. The credit union s Identity Theft Program will be implemented no later than 1 November 2008. Staff Policy 1. Identity theft is defined as the use of identifying information (e.g. Social Security Number, name, etc.) without permission in order to commit crimes or fraud. Account takeover is the compromise of one account or access device for financial gain. Each employee will know the difference between identity theft and account takeover and what actions need to be taken depending on the member s situation. Actions will be detailed at links on both the internet and intranet. 2. The Compliance Specialist will be the primary point of contact for any matter pertaining to identity theft. The Compliance Officer will be the secondary contact. 3. The Compliance Office will: a. Provide training to all relevant staff on an annual basis or more frequently, if desired or necessary. b. Provide annual reports to Senior Management on effectiveness of identity theft program. This report will contain any trends. Any significant trend of identity theft will be brought to the immediate attention of Senior Management. c. File report under BSA if applicable. 4. Branch Managers will: a. Include identity theft (red flags) in their quarterly Security Training Programs. b. Record each incident of identity theft/account takeover on LAN in I-Drive folder titled ID Theft.
5. VP Marketing will provide a link on FKFCU s internet site for employees and members to access which contains detailed information on identity theft. VP Information Services will provide a link on the intranet for employee access. 6. Delinquent Control Manager will adjudicate any member claim of fraudulent loan. If substantiated, loan reporting to credit bureaus will cease and loan will be removed from credit report. 7. Employees responsible for ordering plastics, whether new or replacement card will check the account to see if an address change has been made within the last 30 days. See procedure for required action in such cases. 8. Employees who transact business with members via telephone, e-mail, or fax will carefully follow instructions as listed in the SOP G-102. This will allow the employee to verify the identity of the person they are in contact with, and help ensure transaction is with the correct member. Procedure 1. The following steps will be taken to help ensure the person opening an account or applying for a loan is who they purport to be: a. Review identifying documents or applications to ensure they have not been altered, forged, or appear to have been fabricated. b. Review identifying documents to ensure that the picture and description on the card are consistent with the appearance of the person presenting that document. c. Review information provided on identifying documents to ensure consistency with information provided by member; that is, that information corresponds with information possibly already on file with the credit union, or with information obtained by third party sources. (e.g., OFAC, CIP procedures, SSN checked against social security administration s master death file, etc.) d. Check Social Security Number against credit union database to ensure there is no existing account with that number under a different name. e. Suspend account opening/loan processing if identity is in question and resume only when verifiable proof of the requesting person s identity is provided. 2. Prior to ordering a replacement credit or debit card, the member s account will be reviewed to determine if a change of address has been made within the last 30 days. If a change of address has been made, then no credit or debit card shall be ordered until this change has been verified with the member. Member not present at branch will be contacted and asked to verify change of address. If determined that address change is valid, then card will be ordered. No cards will be ordered if unable to verify address change. 3. Debit and credit cards will be monitored for unusual or abnormal transactions. This is done by third party vendor neural networking and made known to the credit union by phone calls, reports, or account suspensions. Members will be contacted for verification of transaction. If transaction is indeed fraudulent, card will be permanently closed. 4. When taking loan application, information on the credit report will be compared against information provided by the member and information already on the credit union s system. Also, employees will look for the presence of a fraud or active duty alert. If there is an address discrepancy or an alert present, employee will take extra precautions to ensure the person applying for a loan is who he/she purports to be. The three credit reporting bureaus will be updated on a monthly basis with address data that the credit union has on file for all members with active loans.
The credit union does not require credit reports to be pulled prior to granting membership and establishing an account, and thus address discrepancy cannot be determined at that time. 5. All third party vendors who have access to sensitive member information will be required to strictly follow policies and procedures to also detect, prevent, and mitigate identity theft. These vendors will be monitored by the credit union. Refer to policies and procedures in SOP G-66. 6. If a member believes that they have been a victim of identity theft or account takeover, employee will: a. Review situation with member and close account if deemed necessary. If closed, a new account may be opened. Offer account password protection if deemed appropriate. b. Provide and assist member with paperwork necessary to file identity theft claim. c. Advise member to report incident to law enforcement and retain a copy. d. Advise member to check credit report and place fraud alert if appropriate. e. Give member FTC web site to report identity theft. f. Give member listing of other helpful web sites/telephone numbers as follows to ensure he/she takes all proper post identity theft action. Informative Web Sites/Telephone Numbers: www.ftc.gov/idtheft or 1-877-ID-Theft www.annualcreditreport.com or 1-877-322-8228 www.experian.com or 1-888-experian www.transunion.com or 1-800-680-7289 www.equifax.com or 1-800-525-6285 1 Attachment: Identity Theft Program Red Flags
Date: Prepared By: Approved By: Supersedes: Identify Theft Program Risk Analysis--- Red Flags 1. Information contained on Consumer Reporting Agency Report points to possible identity theft such as: A fraud or active duty alert is on report. A notice of credit freeze is received instead of report. An address discrepancy notice is received. Credit use is unusual; e.g., many new inquiries, many recent new credit relationships, accounts closed for abuse, etc. Rating: Low Risk. Loan officers/processors are trained to conduct detailed review of each credit report prior to taking any action on a loan request. Particular attention is given to the above credit report items. Action: Confront/notify applicant of concern and sort out. Employee will not process an application for any product/service until matter is favorably resolved and so noted on application. 2. Documents used to open account are questionable such as: Appear to be altered. Photo and physical description on ID don t correspond with personal appearance. Other information on ID source does not agree with ID data such as date of birth, SSN when checked against 3 rd Party massive data base. Rating: Low Risk. Staff with account opening authority are trained not to open any account with questionable identification sources. All new accounts are checked through third party processor to ensure name, SSN DOB, etc. match as part of CIP in Bank Secrecy Program. Action: Do not open account. Bring discrepancy to attention of Branch Manager for adjudication. 3. Personal information does not match external information such as: Address given on application/signature card does not match credit report. Social Security Number does not pass 3 rd Party records check. Social Security Number range does not appear to correlate with DOB. Address/phone number provided corresponds with known fraudulent address/phone number. Address provided is fictitious (mail drop/prison/etc.) Phone number is invalid or associated with a pager or answering service. Address/SSN/home and/or cell phone provided is same as another member. Person fails or refuses to complete all information on an application. Information provided is not consistent with information already on file. Rating: Medium Risk. Systems are in place to address these red flags, but some reviews may not be detailed enough to spot discrepancy human error could be a factor. Action: Bring any such detected inconsistency to attention of Supervisor and/or Management. Do not act on application for membership, loan, etc. without consultation. 3. Address changes which may be suspicious, especially involving plastics such as:
Shortly after receiving notice of address change (normally within 30 days), request for new, additional or replacement cards, checks, etc. is received. Or, within this same period, a request is received to add another authorized user. Member s mail is returned but transactions continue on account. Rating: High Risk. Systems are in place to help disclose such suspicious actions, but employees may not detect primarily due to volume (as of this risk assessment, credit union has over 48,000 active debit and credit cards and over 51,000 checking accounts). Attention to detail varies from employee to employee. Action: Take immediate action to contact member establish proof positive identity get right address on file. If member cannot be reached, status account as Bad Address and place note in member profile not to send any information to member at this address. Do not send any cards, statements, etc. to questionable address no exceptions. 4. Activity on new credit card appears suspicious such as: Majority of available credit is used for cash advances or for merchandise that can be readily converted to cash. Member makes first payment and contact is then lost. Good paying member all of a sudden starts paying late or not at all. Member all of a sudden delves heavily into available credit. Members spending habits change appreciably. An inactive account is suddenly activated and used extensively. Rating: Medium Risk. Several reports are available to help detect these flags. But, some of these flags just simply are not detectable at the outset. Unfortunately, these flags become visible after some damage has been caused. Action: When flag becomes visible, contact member to determine reason for apparent suspicious activity. Place card on hold until issue is favorably resolved. Aggressive action is required to minimize loss. 4. Notice(s) is received by member or other competent authority suggesting unauthorized activity such as: Member reports unauthorized transactions on account. Competent authority advises that we have opened an account for a person engaged in identity theft. Member advises that he/she is not receiving statements. Member states he/she gave information in response to a phish. Member states he s getting communications from us that we are not sending and/or we are getting communications from member that he/she is not sending. Rating: Low Risk. Communications with members are open at all times, 24/7. While the risk is rated low, the potential for member loss is high because when we receive reports, some damage has normally already occurred. We employ neural networking technology and myriad reports to help detect these flags before they become apparent, but oftentimes it takes the affected member to notify us of the problem. Action: Immediately contact member to sort out difficulties; close or ice account as necessary; etc. Upon member notice or report detection, aggressive action is a MUST to help Mitigate losses to member and/or credit union time and precise action are of utmost importance. 5. Other kinds of identity theft indicators such as: Employee has been added to non-related member s account. Employee has accessed a large number of member accounts for no apparent reason. Credit Union detects that a member s account is being accessed by someone other than the member.
Member or credit union detects that personal information has been accessed by unauthorized individual/entity. Unusual and frequent large check orders are received. Member trying to open an account can t lift a credit freeze on credit report. Application for credit appears to be altered or is missing key information. Rating: Medium Risk. Some of these red flags may be detected before damage has occurred, but most are not until detected and reported by fellow employee/member. Action: Immediately notify Compliance Officer or Internal Auditor of any such above indicator of questionable activity. Use fraud hotline (6101) if wish to remain anonymous. Red flag = pattern, practice or specific activity that indicates the possible existence of identity theft. Other: The Credit Union has a legal/regulatory requirement to help ensure consumer reporting agencies have the member s correct address on file. When the credit union receives a notice of address discrepancy, it will take one or more of the following actions to help determine address accuracy: 1. Compare discrepancy to what it has on file as obtained during its Customer Identification Program. 2. Compare the discrepancy to other records on file such as loan application. 3. Discuss discrepancy with member. If the credit union has confirmed the existence of a new address, it will send such to the consumer reporting agency as part of the information it regularly furnishes.