Identity Theft and FACT Act - ICBA 2018/07/10

Identity Theft and FACT Act: Can Your Program Handle the Next Data Breach?

Brian J. Crow, EVP & CAMS
Thomas Compliance Associates, Inc.
(800)-934-7347

Independent Community Bankers of America

© 2018 TCA®



Agenda

• Purpose & History
• Updates from S. 2155
• Red Flags Risk Assessment
• ID Theft Prevention Procedures
• Board Reporting and Governance
• Vendor Management


Purpose and history

• Amended the Fair Credit Reporting Act (FCRA) in 2003
• Implemented by Regulation V (now split between CFPB and Fed)
• Allow consumers free access to credit reports
• Allow consumers to make direct disputes
• Require furnishers to establish ID Theft Programs


Responding to consumer questions

• Not all ID theft is the Bank’s fault!
  • Merchant breaches
  • Phishing/SmiShing/Spoofing
• Customer will likely ask the bank for help
  • www.ftc.gov
  • Fraud alerts/credit freezes*
    • *S.2155 Update
  • Account passphrases


Additional consumer advice

• Social media use – Be careful
  • Quizzes & surveys
  • “How well do you know me?”
  • “What is your Star Wars name?”
    • Birth month = First Name
    • Favorite color = Last Name


Additional consumer advice

• www.annualcreditreport.com
• Discuss right to place fraud alert or credit freeze
• S.2155 provides right to place credit freeze
  • Loan processors expect to see uptick in these when pulling consumer credit
  • Procedures should address what to do next


Rule Requirements

• Identify “Covered Accounts”
  • Accounts that could be subject to ID Theft
  • Regulation targets consumer accounts
  • What about “Corporate Account Takeover?”


Identity Theft Definition

• A fraud committed or attempted using the identifying information of another person without authority.
• The term “identifying information” means any name or number that may be used alone or in conjunction with other information to identify a specific person.


Identity Theft Risk Assessment

• Identify covered accounts.
• Identify methods to open and access accounts.
• Evaluate previous experiences with ID Theft.
• Assign a risk rating.


Identity Theft Prevention Program

• Risk-based according to size and complexity of activities
• Flexible to address changing fraud patterns, products and services
• Document resolution to address discrepancies
• Procedures for return mail/dormant accounts
• Annual Board Reporting


ID Theft Red Flags Category 1

• Alerts, notifications or other warnings from consumer reporting agencies and service providers
  • Fraud or active duty alerts
  • Notice of credit freeze
  • Notice of address discrepancy


ID Theft Red Flags Category 2

• Suspicious documents and suspicious personal identifying information
  • Photograph or physical description is not consistent with the appearance of the applicant.
  • ID documents that appear forged or altered.
  • Other information on the ID is not consistent with information readily available on file.


ID Theft Red Flags Category 3

• Unusual or suspicious activity related to the account
  • Request for new or additional credit/debit card shortly after notice of change of address.
  • Majority of available credit on account used for merchandise easily convertible to cash.
  • Missed first payment or initial payment with no subsequent payments.
  • Material increase in the use of available credit.


ID Theft Red Flags Category 4

• Notices from Customers or Law Enforcement
  • The bank receives notice that it has opened a fraudulent account for a person engaged in identity theft.
  • The bank receives a request for information on a covered account from law enforcement or a victim investigating identity theft.


FACT Act Risk Assessment Findings

• Didn’t customize for bank
• Products, services, delivery channel changes
• Emerging risks
• Findings from independent review
• Impact on small businesses


Identity Theft Prevention Program (cont.)

• Program includes policies and procedures to
  • Detect
  • Prevent
  • Mitigate
• Account opening
• Existing accounts


Identity Theft Prevention Program (cont.)

• Identify patterns that identify ID Theft
• Monitor red flags
• Respond to identified risk
• Take steps to safeguard customers
• Revise program based on ID Theft experiences and changing fraud patterns


Identity Theft Prevention Program (cont.)

• Procedures for responding to direct claims
  • Don’t get suckered!
• ID Theft Affidavit and instructions
  • www.ftc.gov


Direct Disputes

• Can require the claim be in writing
• Must resolve within 30 days or remove entry from credit report
• Non-proliferation – suspend reporting during investigation


Frivolous Direct Disputes

• Form letter from “credit repair service”
• Generic “dispute entire credit file”
• May respond with letter stating the dispute is frivolous without an investigation


FACT Act Common Findings

• Lack of (or inadequate) Independent Testing
• Undocumented “alerts” and warnings
• Lack of (or inadequate) Report to the Board
• Lack of training (especially new employees)


Annual Board Report

• ID Theft Risk Assessment
• ID Theft Policy
• Information regarding ID theft occurrences in the last year
• Effectiveness of vendor management


Vendor Management

• Guidance on Third Party Risk
  • FIL-44-2008
  • OCC Bulletin 2013-29
  • Fed SR 13-19
• Bank retains compliance risk even when we outsource!


Vendor Contract

• Vendor usage and retention of data
• Safeguard standards
• Information sharing provisions
• Right to audit
• Cyber Insurance


TCA® 1-800-934-REGS

www.tcaregs.com