ABA Banking Journal - July 2008 - (Page 48)
COMPLIANCE CLINIC

3. Suspicious personal identifying information. When compared against external information sources, is personal identifying information inconsistent? Some examples include cases where the address does not match any address in the credit report, the Social Security Number has not been issued, or the Social Security Number is listed on the Social Security Administration’s Death Master File. Another example would be failure to provide all the information required on an application, even when asked twice. If the phone number provided by an applicant is invalid, or is an answering service or a pager, this could raise suspicion.

Basics of the new rules

The new federal “red flag” rules require three actions:

1. Every organization that extends credit must develop and implement a written program to detect, prevent, and mitigate identity theft. This includes not only banks, but also nonbank mortgage lenders, credit card issuers, auto lenders, utilities, cell phone companies, and more.

2. Credit and debit card issuers must assess the validity of notifications of changes of address in conjunction with requests for new cards, a common indicator of possible attempted identity theft.

3. Any user of consumer credit reports must implement reasonable policies and procedures when a consumer reporting agency sends a notice of address discrepancy.

4. Unusual use of the covered account, or suspicious activity. This category highlights known patterns of fraud. For a new revolving credit account, for example, this would include using the majority of available credit for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry), failing to make the first payment, or making the initial payment but no subsequent payments. Another indicator here is when mail sent to the customer is returned repeatedly as undeliverable, although transactions continue to be conducted in connection with the account.
A request for an additional or replacement card shortly following the notice of an address change is another pattern that frequently indicates fraud.

5. Notice of possible identity theft. This notice can come from customers, victims, or law enforcement authorities, indicating that the financial institution has opened a fraudulent account.

Responding to red flags

In the event that red flags are detected, the response applied should be commensurate with the degree of risk posed. Depending on the risk level, responses might include:

✔ closing an existing account, or not opening a new account;
✔ reopening an account with a new number;
✔ monitoring the account for evidence of identity theft;
✔ contacting the customer;
✔ changing passwords, security codes, or other security devices that permit access to the account;
✔ notifying law enforcement, or
✔ no response, if the risk is low.

For example, if a financial institution was aware that a data security incident had resulted in unauthorized access to a customer’s account records, seeing one of the key indicators would warrant stronger action. If a customer had provided information relating to his or her account to someone fraudulently claiming to represent the financial institution, or to a fraudulent website, this would be another aggravating factor. When determining the level of response required, risk factors might include the company’s previous experience with identity theft.

Program oversight and administration

In addition to establishing the identity theft prevention program, the regulations require credit issuers to provide for the program’s continued administration.
The organization must:

✔ have the program approved by the board of directors or senior management;
✔ involve the board, an appropriate committee, or a designated member of senior management in program development, implementation and administration;
✔ train staff to implement the program effectively, and
✔ exercise effective oversight of service providers.

Oversight includes assigning specific responsibility for implementation, including approving material changes necessary to address changing identity theft risks, and reviewing reports prepared by staff regarding compliance. These reports should be presented at least once a year, and should address and evaluate issues such as the effectiveness of the policies and procedures; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the program.

Organizations should update the program (including the red flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the institution. These updates might be based on experiences with identity theft, changes in methods of identity theft, or changes in measures to detect, prevent, and mitigate identity theft. They could also be based on business changes, such as changes in the types of accounts offered, or other activities like mergers, acquisitions, alliances, joint ventures, or service provider arrangements.

Particular attention should be paid when an outside service provider is engaged. The institution should ensure the service provider maintains controls to detect, prevent, and mitigate ID theft.

Fighting the usual suspects

In addition to the implementation of a program, the new regulations specifically require organizations that extend credit to address two very common indicators