Red Flags- Why This Matters to You

Page 1: Red Flags- Why This Matters to You

©2012 CliftonLarsonAllen LLP

Red Flags- Why This Matters to You

An overview of the FACT Act Identity Theft Red Flag Rule and its current impact.

Justin Robinson, Engagement Director, CliftonLarsonAllen LLP

Page 2: Red Flags- Why This Matters to You

Agenda

• Critical elements of the rule
• Red Flag compliance vs. BSA compliance
• What does an identity theft red flag risk assessment look like?
• Are 26 red flags appropriate for all credit unions?
• Using the existing safeguarding member information program to mitigate and prevent Red Flags
• Identification of other means currently utilized that prevent and mitigate risk
• Red Flag Response Matrix

Page 3: Red Flags- Why This Matters to You

ID Theft Top Consumer Fraud Complaint

• The FTC reported that the top consumer fraud complaint received in 2011 was identity theft
– 12 years in a row
– 15% of all complaints

• Government documents/benefits fraud was the most common form of reported identity theft (approximately 27% of identity theft complaints), followed by credit card fraud (14%).

Page 4: Red Flags- Why This Matters to You

Identity Theft Red Flag Requirements

• In October 2007, the Federal Banking Regulators issued final rules implementing the Identity Theft Red Flag Requirements of the FACT Act

• Written program to detect, prevent, and mitigate identity theft

• Overlap of IT and consumer compliance

Page 5: Red Flags- Why This Matters to You

What is Identity Theft?

• Fraud committed or attempted using, without authority, the identifying information of another person
– Name, SSN, TIN, etc.
– A very broad definition

Page 6: Red Flags- Why This Matters to You

Types of Identity Theft

• Common ways the identifying information is obtained: hacking, dumpster diving, insider theft, phishing, shoulder surfing, family members, stealing (laptop, purse), physical break-in

• Shotgunning: the identity thief applies for multiple loans from multiple lenders on the same property within a short period of time. The thief then takes advantage of the lag time in recording mortgages, since lenders are unable to identify the existence of the other mortgages before funding the loans.

Page 7: Red Flags- Why This Matters to You

Important Point

• The Identity Theft Red Flag Rules are very different from BSA

• BSA – you are required to report suspicious transactions and money laundering, but not necessarily required to prevent them

• Identity Theft Red Flag Rule – you are required to prevent identity theft and can be held accountable if you do not

• Consequently, you must approach compliance with this rule differently

Page 8: Red Flags- Why This Matters to You

Four Critical Elements

1. Identify relevant Red Flags for the accounts the credit union offers or maintains, and incorporate those Red Flags into its Program;

2. Detect Red Flags that have been incorporated into the Program of the credit union;

3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and

4. Ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to members

Page 9: Red Flags- Why This Matters to You

Seven Step Process

• STEP 1: Identity Theft Program Administrator
• STEP 2: Conduct a Risk Assessment
• STEP 3: Identify Relevant Red Flags
• STEP 4: Detect Red Flags
• STEP 5: Preventing and Mitigating Red Flags
• STEP 6: Board Approval and Staff Training
• STEP 7: Updating the Program

Page 10: Red Flags- Why This Matters to You

STEP 1: Identity Theft Program Administrator

• Select an individual or committee to oversee and administer the Program.

• The Administrator is responsible for the implementation, oversight, and updating of the Program.

• The Administrator will need to be capable of addressing these steps to effectively implement the Program.

Page 11: Red Flags- Why This Matters to You

STEP 2: Conduct a Risk Assessment

• Conduct a risk assessment to identify all covered accounts under the rule. The rule defines a “covered account” as:
– An account that a credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; or
– Any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Page 12: Red Flags- Why This Matters to You

STEP 2: Conduct a Risk Assessment

• The credit union should take into consideration all of the following risk factors:
– The types of accounts offered or maintained;
– Methods provided to open accounts (web site, internet banking, etc.);
– Methods provided to access accounts (bill payment, telephone banking, internet banking, etc.); and
– Previous experiences with identity theft.

Page 13: Red Flags- Why This Matters to You

STEP 2: Conduct a Risk Assessment

• Identify all threats and the potential for harm, determine your existing safeguards, and analyze whether you need additional safeguards

• Some threats include:
– Scams
– Hacking
– Trusted insiders
– Physical break-ins
– Shoulder surfing

• Do not forget general fraud
– Mortgage, check, appraisal, etc.

Page 14: Red Flags- Why This Matters to You

STEP 2: Conduct a Risk Assessment

• Determine existing safeguards
– Policies
– Procedures
– Automated tools
– Training
– Testing and monitoring
– Authentication process

Page 15: Red Flags- Why This Matters to You

STEP 2: Conduct a Risk Assessment

• Taking all of that into consideration, determine:
– Likelihood of identity theft occurring
– Potential impact of identity theft

• No mandated format
• May be combined with another risk assessment, such as your member information security risk assessment, but make sure all elements of the Identity Theft rule are met

Page 16: Red Flags- Why This Matters to You

STEP 3: Identify Relevant Red Flags

The regulators have provided us with five general categories of Red Flags:

• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
• The presentation of suspicious documents;
• The presentation of suspicious personal identifying information, such as a suspicious address change;
• The unusual use of, or other suspicious activity related to, a covered account; and
• Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union.

Page 17: Red Flags- Why This Matters to You

STEP 3: Identify Relevant Red Flags

• In addition, the regulators have provided specific examples of Red Flags that fall into these general categories. Supplement A to Appendix J of the rule includes a list of 26 different Identity Theft Red Flags.

• While these specific Red Flags are provided as examples, the list is not meant to be exhaustive; a credit union incorporates the ones relevant to its own accounts and adds others its risk assessment identifies.

Page 18: Red Flags- Why This Matters to You

STEP 4: Detect Red Flags

• Develop procedures and controls to detect the identified Red Flags

• The detection requirement is simply a due diligence requirement to utilize sound controls that will help in detecting the Red Flags

• Applies to new and existing accounts

Page 19: Red Flags- Why This Matters to You

STEP 4: Detect Red Flags

• Use your existing Member Information Security Program and Customer Identification Program.

• You already have these in place. These will be very important going forward and could be the ultimate determining factor in whether you can comply with the rule or not.

Page 20: Red Flags- Why This Matters to You

STEP 4: Detect Red Flags

Ensure effective detective controls by:

• Obtaining identifying information about, and verifying the identity of, a person opening a covered account
– For example, using the policies and procedures regarding identification and verification set forth in your Customer (Member) Identification Program (CIP).

• Authenticating members
• Monitoring transactions, accounts, systems, dormant accounts, and applications

Page 21: Red Flags- Why This Matters to You

STEP 4: Detect Red Flags

• Penetration testing
• Vulnerability assessments
• IT audit
– Detect fraudulent activity
• Financial audit
• Verifying the validity of change of address requests, in the case of existing covered accounts
• Developing procedures referencing the existing CIP and security procedures as controls to detect appropriate Red Flags
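The monitoring controls in STEP 4 are only useful if someone has written down what "detect" means for a given Red Flag. The following is an added example, not code from the CliftonLarsonAllen presentation, of a small detective control run over a constructed account event log. It implements two of the Supplement A Red Flags the slides point at: a change of address followed closely by a request for a new card, and use of a covered account that has been dormant for a lengthy period. The event layout, the 30-day and 365-day thresholds, and the suggested response attached to each flag are this example's assumptions, not values taken from the rule.

```python
# Added example (not from the CliftonLarsonAllen slides): a detective control
# of the kind STEP 4 calls for, run over a constructed account event log.
# Thresholds and the response text are assumptions for this example.
from datetime import datetime, timedelta

# Constructed sample event log: (timestamp, account, event type, channel)
SAMPLE_EVENTS = [
    ("2012-03-01T09:15:00", "ACCT-1001", "address_change", "web"),
    ("2012-03-03T14:02:00", "ACCT-1001", "new_card_request", "phone"),
    ("2012-03-02T10:00:00", "ACCT-2002", "address_change", "branch"),
    ("2012-05-20T10:00:00", "ACCT-2002", "new_card_request", "branch"),
    ("2011-01-10T08:00:00", "ACCT-3003", "debit_purchase", "pos"),
    ("2012-03-04T22:30:00", "ACCT-3003", "withdrawal", "atm"),
    ("2012-03-04T08:00:00", "ACCT-4004", "debit_purchase", "pos"),
    ("2012-03-05T08:00:00", "ACCT-4004", "debit_purchase", "pos"),
]

ADDRESS_CHANGE_WINDOW = timedelta(days=30)   # assumption: what "closely following" means here
DORMANCY_PERIOD = timedelta(days=365)        # assumption: what "reasonably lengthy" means here
ACTIVITY_EVENTS = {"debit_purchase", "withdrawal", "transfer", "ach_debit"}

# A minimal response matrix. Slide 25 lists the response options; pairing a
# particular response with each flag is this example's assumption.
RESPONSES = {
    "address_change_then_new_card": "contact the member at the pre-change address; hold the card",
    "dormant_account_used": "contact the member; monitor the account for further activity",
}


def parse_events(rows):
    """Parse the raw tuples and order them per account by time."""
    events = [{"ts": datetime.fromisoformat(ts), "acct": acct, "type": kind, "channel": ch}
              for ts, acct, kind, ch in rows]
    return sorted(events, key=lambda e: (e["acct"], e["ts"]))


def detect_red_flags(rows):
    """Return a list of (account, flag, detail, suggested response) tuples."""
    by_acct = {}
    for e in parse_events(rows):
        by_acct.setdefault(e["acct"], []).append(e)

    flags = []
    for acct, events in by_acct.items():
        last_address_change = None
        last_activity = None
        for e in events:
            if e["type"] == "address_change":
                last_address_change = e["ts"]
            elif e["type"] == "new_card_request" and last_address_change is not None:
                gap = e["ts"] - last_address_change
                if gap <= ADDRESS_CHANGE_WINDOW:
                    flag = "address_change_then_new_card"
                    detail = f"{gap.days} days after address change, via {e['channel']}"
                    flags.append((acct, flag, detail, RESPONSES[flag]))
            if e["type"] in ACTIVITY_EVENTS:
                if last_activity is not None and e["ts"] - last_activity >= DORMANCY_PERIOD:
                    flag = "dormant_account_used"
                    detail = f"{(e['ts'] - last_activity).days} days since prior activity, via {e['channel']}"
                    flags.append((acct, flag, detail, RESPONSES[flag]))
                last_activity = e["ts"]
    return flags


if __name__ == "__main__":
    for acct, flag, detail, response in detect_red_flags(SAMPLE_EVENTS):
        print(f"{acct}: {flag} ({detail}) -> {response}")
```

On the constructed log this flags ACCT-1001 (new card two days after an address change) and ACCT-3003 (first activity in over a year), and leaves ACCT-2002 (79 days apart) and ACCT-4004 (normal activity) alone. The thresholds are the part the risk assessment in STEP 2 should set, and the ones to revisit in STEP 7 as the credit union's own experience with identity theft accumulates.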

Page 22: Red Flags- Why This Matters to You

STEP 5: Preventing and Mitigating Red Flags

• IT audit
• Written procedures and policies related to verifying identity that are enforced
• CIP
• Authentication
• Encryption
• Firewalls

Page 23: Red Flags- Why This Matters to You

STEP 5: Preventing and Mitigating Red Flags

• Employee background checks
• Employee training
• Fraud and Identity Theft training
• Record retention/disposal of information
• Due diligence of service providers

Page 24: Red Flags- Why This Matters to You

STEP 5: Preventing and Mitigating Red Flags

Responses to Red Flags

• The Program must include appropriate responses to detected Red Flags

• The appropriate credit union response will vary depending on the risk posed by the detected Red Flag

• You probably already have an Incident Response Plan, but you may need to expand it

• Keep documentation related to the response

Page 25: Red Flags- Why This Matters to You

STEP 5: Preventing and Mitigating Red Flags

Examples of Credit Union responses to detected Red Flags:

• Monitoring a covered account for evidence of identity theft
• Contacting the member
• Changing any passwords, security codes, or other security devices that permit access to a covered account
• Reopening a covered account with a new account number
• Not opening a new covered account
• Closing an existing covered account
• Not attempting to collect on a covered account or not selling a covered account to a debt collector
• Notifying law enforcement
• Determining that no response is warranted under the particular circumstances

Page 26: Red Flags- Why This Matters to You

STEP 5: Preventing and Mitigating Red Flags

Third Party Providers

• Your credit union should have controls in place to ensure that third party service providers have Red Flag detection procedures in place.

• Take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

• For example, you could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either to report the Red Flags to the federal credit union or to take appropriate steps to prevent or mitigate identity theft.

Page 27: Red Flags- Why This Matters to You

STEP 6: Board Approval and Staff Training

• Obtain written approval of the Program from the Board of Directors or an appropriate committee of the Board of Directors

• Train appropriate staff to implement the Program. Staff should be aware of identified Red Flags, controls to detect these Red Flags, and appropriate responses to detection

• Train any staff member who could detect or prevent Identity Theft

• Training should cover your identified Red Flags, policies and procedures, and reporting process for Identity Theft

Page 28: Red Flags- Why This Matters to You

STEP 6: Board Approval and Staff Training

Annual Reporting:

“staff of credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the credit union.”

Page 29: Red Flags- Why This Matters to You

STEP 6: Board Approval and Staff Training

Contents of the report:

• Material matters related to the Program, such as:
– The effectiveness of the policies and procedures in addressing the risk of identity theft;
– Service provider arrangements;
– Significant incidents involving identity theft and management’s response;
– Recommendations for material changes to the Program.

Page 30: Red Flags- Why This Matters to You

STEP 7: Updating the Program

The credit union should periodically update its Red Flags based on the following factors:

• The experiences of the credit union with identity theft;
• Changes in methods of identity theft;
• Changes in methods to detect, prevent, and mitigate identity theft;
• Changes in the types of accounts the credit union offers or maintains; and
• Changes in the business arrangements of the credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

Page 31: Red Flags- Why This Matters to You

ID Theft Red Flags Today

Risks

• Exams
– Potential for larger impact

• Civil suits?

Page 32: Red Flags- Why This Matters to You

ID Theft Trends

FinCEN Report on ID Theft Trends, Patterns and Typologies
– Report issued September 2010
– Studied SARs filed 2003-2009

Page 33: Red Flags- Why This Matters to You

ID Theft Trends

• Credit Card ID Theft
– Physical theft
– Virtual theft
– 30% of the time the thief added his/her name as an authorized user

Page 34: Red Flags- Why This Matters to You

ID Theft Trends

• Deposit Account Fraud
– ID thief opens a new joint account in the member’s name.
– Thief then poses as the victim and directs a transfer from the existing member’s account into the joint account

Page 35: Red Flags- Why This Matters to You

ID Theft Trends

• Other notable trends
– 22% of SARs filed involved friends or family members of the victim
– 27% of SARs filed indicated the victim knew the identity thief
– Only 18% of the SAR filings noted the identity theft was discovered within 1 week of the theft
– 37% of the filings noted the theft was discovered 3+ months after the account was compromised

Page 36: Red Flags- Why This Matters to You

ID Theft Trends

• Notable “Red Flags” that aided discovery:
– Notification by consumer that a fraudulent account was opened
– Notification by consumer that there are unauthorized transactions
– Incorrect social security number
– Change of address requests

Page 37: Red Flags- Why This Matters to You

ID Theft Trends

• Tax Fraud, FinCEN Advisory March 2012 (FIN-2012-A005)
– Additional Red Flags related to Tax Refund ID Theft

◊ Multiple direct deposit tax refund payments, directed to different individuals, into a single account

◊ Suspicious or unauthorized account opening at a depository institution, on behalf of individuals who are not present, with the fraudulent actor being named as having signatory authority. The subsequent source of funds is limited to the direct deposit of tax refunds.
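Both FinCEN refund red flags above are visible in ACH credit data the credit union already holds, so they can be checked in a batch rather than relying on a teller to notice. The following is an added example, not code from the presentation or from FinCEN: a check over constructed ACH credit records that flags accounts receiving IRS refund deposits for taxpayers who are not account holders (the first red flag) and notes when such refunds are the account's only source of credits (the funding pattern of the second). The record layout, the originator string used to recognize an IRS refund, and the account-holder table are assumptions for this example; comparing payees against the holders of record is what keeps a married couple's two refunds into a joint account from being a false positive.

```python
# Added example (not from the slides or from FinCEN): batch check over
# constructed ACH credit records for the FIN-2012-A005 refund red flags.
# Record layout, originator string and holder table are assumptions.
from collections import defaultdict

# Constructed ACH credits: (account, originator, payee name, taxpayer id last 4, amount)
SAMPLE_CREDITS = [
    ("ACCT-5005", "IRS TREAS 310", "JANE Q MEMBER", "1234", 1850.00),
    ("ACCT-5005", "IRS TREAS 310", "ROBERT SMITH", "5566", 4210.00),
    ("ACCT-5005", "IRS TREAS 310", "ALICIA TORRES", "9087", 3975.00),
    ("ACCT-6006", "IRS TREAS 310", "JOHN MEMBER", "4321", 2200.00),
    ("ACCT-6006", "PAYROLL CO", "JOHN MEMBER", "4321", 1500.00),
    ("ACCT-7007", "IRS TREAS 310", "SAM MEMBER", "7777", 900.00),
    ("ACCT-7007", "IRS TREAS 310", "PAT MEMBER", "8888", 950.00),
]

# Constructed: taxpayer ids of the holders of record (a joint account has two).
SAMPLE_HOLDERS = {
    "ACCT-5005": {"1234"},
    "ACCT-6006": {"4321"},
    "ACCT-7007": {"7777", "8888"},
}

IRS_ORIGINATORS = {"IRS TREAS 310"}  # assumption: how refunds appear in this ACH feed


def refund_red_flags(credits, holders):
    """Return {account: [finding, ...]} for accounts matching the advisory's refund red flags."""
    by_acct = defaultdict(list)
    for rec in credits:
        by_acct[rec[0]].append(rec)

    findings = {}
    for acct, recs in by_acct.items():
        refunds = [r for r in recs if r[1] in IRS_ORIGINATORS]
        if not refunds:
            continue
        payees = {r[3] for r in refunds}
        not_holders = payees - holders.get(acct, set())
        notes = []
        if not_holders:
            # Red flag 1: refunds for individuals who are not holders of the account
            total = sum(r[4] for r in refunds if r[3] in not_holders)
            notes.append(f"refunds for {len(payees)} taxpayers; {len(not_holders)} not an account holder "
                         f"({', '.join(sorted(not_holders))}), ${total:,.2f}")
        if not_holders and len(refunds) == len(recs):
            # Funding pattern of red flag 2: nothing but refund deposits has come in
            notes.append("tax refunds are the account's only source of credits")
        if notes:
            findings[acct] = notes
    return findings


if __name__ == "__main__":
    for acct, notes in refund_red_flags(SAMPLE_CREDITS, SAMPLE_HOLDERS).items():
        print(acct, "->", "; ".join(notes))
```

On the constructed data only ACCT-5005 is reported: three refunds for three different taxpayers, two of whom are not holders, and no other credits. ACCT-6006 (one refund to its own holder, plus payroll) and the joint account ACCT-7007 (one refund per holder) pass. A real implementation would also pull the account's open date, since the advisory's second red flag is about accounts opened for this purpose.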

Page 38: Red Flags- Why This Matters to You

Tips

• Use existing risk assessments, policies, procedures and programs

• Create a standard form staff can use to report suspected identity theft

• Designate a centralized person/group to receive all incident reports of identity thefts and other incidents

• Change/improve your response procedures as your system evolves and you learn what does/does not work

• Make your program useable, not difficult to utilize and comprehend

Page 39: Red Flags- Why This Matters to You

Questions?

Justin Robinson, Engagement Director, CliftonLarsonAllen LLP

[email protected]