FACTA Red Flags 2010

Covers red flag provisions of the Fair and Accurate Credit Transactions Act of 2003.

Published in: Business

1. Fair and Accurate Credit Transactions Act of 2003 – Red Flag Provisions
   Brenda Terreault, Esq., NACM Oregon, January 14, 2010

2. SO WHAT IS THE RED FLAGS RULE?

3. BACKGROUND
   • Joint Rulemaking
   • Final rules published Nov 9, 2007
   • Compliance required Nov 1, 2008, but enforcement forbearance for the Red Flag Rules until June 1, 2010, for entities under FTC jurisdiction.

4. Red Flag Provisions
   • RULES: 72 Fed. Reg. 63718 (November 9, 2007)
   • www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
   • (FTC Rules p. 63771-63773, Guidelines p. 63773-63774, Supplement p. 63774)
   • FACT Act section 114
   • FCRA section 615(e)
   • 16 CFR section 681.2
   • http://www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm

5. What is a Red Flag?
   • A “Red Flag” is a pattern, practice, or specific activity that could indicate identity theft.

6. STRUCTURE OF THE RED FLAGS RULE
   • Risk-based Rule
   • Guidelines (Appendix A)
   • Supplement A – 26 examples of red flags, located within the link: www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

7. PURPOSE OF THE RED FLAGS RULE
   • To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products and services with no intention of paying.
   • Not just another Data Security regulation

8. WHO’S COVERED BY THE RED FLAGS RULE?

9. WHO’S COVERED?
   • Financial Institutions
   • Creditors

10. WHO’S COVERED?
   • From the FCRA, a “financial institution” is:
     ◦ A state or national bank
     ◦ A state or federal savings and loan association
     ◦ A mutual savings bank
     ◦ A state or federal credit union,
     ◦ Or any other person that directly or indirectly holds a transaction account belonging to a consumer.

11. DEFINITION OF “TRANSACTION ACCOUNT”
   • From Federal Reserve Act, Section 19(b) – an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others.

12. FTC Definition of “Creditors”
   • Having "the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies."

13. FTC Definition of “Creditors”
   • 15 U.S.C. 1681a(r)(5)
   • Having "the same meaning as in Section 702 of the Equal Credit Opportunity Act."

14. FTC Definition of “Creditors”
   • Section 702(e) of the Equal Credit Opportunity Act – 15 U.S.C. 1691a(e)
   • “The term "creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”

15. FTC Definition of “Creditors”
   • Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit; and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

16. RECAP – WHO’S COVERED?
   • Any person who regularly extends, renews or continues credit
   • Any person who regularly arranges for extension, renewal or continuation of credit
   • Any assignee of an original creditor who participates in the decision to extend, renew or continue credit.

17. WHO’S NOT COVERED?
   • New stuff
   • Businesses at low risk of ID theft
     ◦ Know all their customers personally
     ◦ Provide services at customers’ homes
     ◦ Previous experience with ID theft
     ◦ Industry where ID theft is common
   • Attorney firms and Accountant firms
     ◦ Court opinion
     ◦ Amendment

18. IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?

19. WHAT DO WE NEED TO DO?
   • Conduct a periodic risk assessment to determine if “covered accounts” exist
   • If covered accounts exist:
     ◦ develop, implement and administer a written Identity Theft Prevention Program
     ◦ to detect, prevent and mitigate identity theft in connection with:
       ▪ The opening of a covered account, or
       ▪ Transactions in any existing covered account

20. WHAT IS AN “ACCOUNT”?
   • An “account” is a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for:
     ◦ personal,
     ◦ household or
     ◦ business purpose.

21. WHAT IS A “COVERED ACCOUNT”?
   • A “covered account” includes a consumer account:
     ◦ Designed to permit multiple payments or transactions
     ◦ Offered or maintained by creditor
     ◦ Primarily for personal, household or family purposes.
   • (Regulation subsection 3i – consumer accounts)

22. WHAT IS A “COVERED ACCOUNT”?
   • A “covered account” also includes any other account that:
     ◦ based on a reasonably foreseeable risk of ID theft,
     ◦ the creditor has designated as a covered account
   • (Regulation subsection 3ii – catch-all provision)

23. Risk Assessment of Covered Accounts
   • Creditor must conduct an initial risk assessment and consider, among other things:
     ◦ Methods used to open accounts
     ◦ Methods to access accounts
     ◦ Previous experiences with ID theft
   • All creditors must periodically reassess, even if there were no covered accounts initially, to consider changes in:
     ◦ Account offerings
     ◦ Regulatory changes, and
     ◦ Changes in methods and patterns of ID theft

24. HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?

25. A Brief Outline of What’s Expected
   • Incorporate existing policies and procedures
   • Identify relevant red flags
   • Set up procedures to detect red flags
   • Respond appropriately to red flags
   • Update your program periodically
   • Administer your program
   • Consider other legal requirements

26. DESIGNING AN IDENTITY THEFT PREVENTION PROGRAM STEP BY STEP

27. DESIGNING YOUR PROGRAM
   • The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities
   • The rules require you to consider the guidelines and incorporate appropriate guidelines into your program.

28. Things to Remember
   • Must be in writing
   • No one-size-fits-all formula
     ◦ Tailored to creditor’s size and complexity
     ◦ Tailored to nature and scope of business activities
   • Based on results of risk assessments

29. Things to Remember
   • Must at a minimum contain reasonable policies/procedures to:
     ◦ Identify what “Red Flags” might be for covered accounts
     ◦ Detect “Red Flags” when they occur
     ◦ Respond to mitigate and prevent ID theft
     ◦ Update program periodically.

30. DESIGNING YOUR PROGRAM
   • Develop reasonable processes and procedures:
   • Step #1 – Identify relevant red flags likely in your business that indicate a crook is using someone else’s information to get your products or services with no intention of paying

31. Incorporating existing policies and procedures
   • Evaluate your existing anti-fraud programs
   • Evaluate your information security programs
   • Evaluate your credit policy

32. Identify relevant red flags
   • Identify red flags according to the risk posed to the creditor’s business:
     ◦ Types of covered accounts offered or maintained
     ◦ Methods provided to open those accounts
     ◦ Methods provided to access those accounts
     ◦ Previous experience with ID theft

33. Identify relevant red flags
   • Five categories of red flags:
     ◦ Alerts, notifications or other warnings received from credit reporting agencies or service providers
     ◦ Suspicious documents
     ◦ Suspicious personal identifying information
     ◦ Unusual use of or other suspicious activity related to a covered account
     ◦ Notice from customers, victims of identity theft or law enforcement authorities

34. EXAMPLES OF RED FLAGS (SUPP. A)
   • Warning from credit reporting agencies
     ◦ Inconsistent with external information sources
   • Suspicious documents
     ◦ Documents provided for identification appear to be altered
   • Suspicious personal information
     ◦ Fraud or active duty alert included in consumer report

35. EXAMPLES OF RED FLAGS (SUPP. A)
   • Unusual use of account
     ◦ Account used in a way inconsistent with historical patterns of activity
   • Notice from customers
     ◦ Customer notifies you about identity theft

36. DESIGNING YOUR PROGRAM
   • Develop reasonable processes and procedures:
   • Step #2 – Detect red flags. Set up procedures to detect them in your day-to-day operations

37. Detecting relevant red flags
   • Two specific times for detecting red flags:
     ◦ When the Creditor obtains and verifies identifying information on a customer who is opening the account, and
     ◦ When the Creditor authenticates and verifies customer identity when the customer makes a change on the account, and monitors account transactions afterwards.
   • There may be other times when a red flag may be identified – every industry is different

38. Detecting relevant red flags
   • Verify identity
   • Authenticate customers
   • Monitor transactions
   • Verify validity of address changes

39. DESIGNING YOUR PROGRAM
   • Develop reasonable processes and procedures:
   • Step #3 – Prevent and mitigate identity theft. When you spot a red flag that you’ve identified, respond appropriately to prevent and mitigate harm

40. Responding to relevant red flags
   • Reasonable policies and procedures
   • Appropriate response
   • Responses must be commensurate with the risk posed
     ◦ Aggravating factors, early warning signs
     ◦ Different account types may have different red flags associated with them.

41. Respond appropriately to red flags
   • Monitor accounts
   • Contact customers
   • Change passwords
   • Close and reopen account
   • Refuse to open account
   • Don’t sell the account or collect on it against the identity theft victim
   • Notify law enforcement
   • In some cases, no response may be warranted

42. DESIGNING YOUR PROGRAM
   • Develop reasonable processes and procedures:
   • Step #4 – Update your program. The risks of identity theft can change rapidly, so keep your plan current and educate your staff.

43. Updating for new red flags
   • Sources of red flags:
     ◦ Episodes of identity theft that have already happened
     ◦ Changes in how crooks are committing identity theft
     ◦ Applicable supervisory guidance

44. Updating for new red flags
   • Periodically review and evaluate red flags previously incorporated to verify each remains relevant to operations
   • NOTE: Neither the regulations nor the guidelines define the term “periodically” or provide timeframes for conducting updates.
   • Objective: to be responsive to changing risks

45. Updating for new red flags
   • Periodic updating is required and should consider:
     ◦ Experiences with ID theft
     ◦ Changes in ID theft methods
     ◦ Changes in ID theft detection, prevention and mitigation methods
     ◦ Changes in creditor’s business – growth, mergers, and other business arrangements
     ◦ Changes in types of account creditor offers or maintains

46. WHAT ABOUT THE ADDRESS DISCREPANCY RULE?

47. ADDRESS DISCREPANCY RULE
   • FACT Act Section 315
   • FCRA Section 605(h)
   • 16 CFR section 681.1

48. WHO’S COVERED?
   • Users of credit reports
   • Term to know – “Nationwide Credit Reporting Agency” (NCRA) as defined in FCRA

49. CONFIRMING ADDRESS
   • Regulatory requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user:
     ◦ Can form a reasonable belief that the report relates to the consumer
     ◦ Establishes a continuing relationship with the consumer
     ◦ Regularly furnishes information to the NCRA

50. NOTICE OF ADDRESS DISCREPANCY
   • A notice of address discrepancy comes from a nationwide credit reporting agency and notifies the user of a substantial difference between:
     ◦ the address the user provided, and
     ◦ the address in the credit reporting company’s files

51. ENSURING ACCURACY
   • Regulatory requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the credit report relates to the consumer about whom the report was requested

52. REASONABLE BELIEF
   • Establishing a “reasonable belief” – examples:
     ◦ Compare information in the credit report to information that the user:
       ▪ Maintains in its records
       ▪ Gets from third party sources
       ▪ Gets to comply with CIP rules
     ◦ Verify information in the credit report with the consumer

53. PROGRAM ADMINISTRATION OVERVIEW
   • The Red Flags Rule’s requirements for program administration consist of five elements:
     ◦ Board approval
     ◦ High-level oversight
     ◦ Reporting
     ◦ Staff training
     ◦ Service Provider oversight, if any service provider is hired

54. PROGRAM ADMINISTRATION ELEMENTS – BOARD APPROVAL
   • The initial written program must be approved by the Board of Directors or a committee of the Board
   • Once the program is established, the Board may designate a senior management employee to oversee:
     ◦ Development, implementation and administration of the program
     ◦ Training of appropriate staff
     ◦ Arrangements with Service Providers

55. PROGRAM ADMINISTRATION ELEMENTS – REPORTING
   • At least once a year, creditor staff must report on the effectiveness of the program to the Board, Committee or senior management employee.
   • The report should cover material aspects of the Program, or at minimum:
     ◦ Effectiveness of the program policies and procedures
     ◦ Service Provider arrangements, if any
     ◦ Identity theft incidents and responses
     ◦ Recommendations for changes in the program

56. PROGRAM ADMINISTRATION ELEMENTS – TRAINING
   • Train relevant staff as necessary to:
     ◦ Implement the program effectively
     ◦ Identify and respond appropriately
   • NOTE: There is no prescription that ALL staff be trained.
   • Deciding which staff members need training is up to the creditor. Consider whether job duties may allow an employee to identify, detect, prevent and mitigate ID theft risk

57. PROGRAM ADMINISTRATION ELEMENTS – SERVICE PROVIDER OVERSIGHT
   • Who is a Service Provider?
   • Ensuring their activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of ID theft.

58. PROGRAM ADMINISTRATION ELEMENTS – SERVICE PROVIDER OVERSIGHT
   • One method – require a written agreement from the service provider that the provider will detect and respond to ID theft red flags appropriately
   • Service providers are not required to apply each client’s particular program
   • The creditor retains accountability and cannot reduce or eliminate responsibility by outsourcing tasks

59. CONSEQUENCES OF NON-COMPLIANCE
   • Customer loses confidence
     ◦ Takes business elsewhere
     ◦ No private right of action for 16 CFR 681.2
   • State Attorneys General
     ◦ Can sue – usually highly publicized and damaging to the business even if the creditor wins
   • Federal and state regulators can:
     ◦ Assess money damages of $2,500 per violation
     ◦ Issue cease and desist orders
     ◦ Take other legal actions

60. ENFORCEMENT OF RULES
   • Administrative enforcement under 15 USC 1681s (Section 621 of the FCRA)
   • State Attorneys General
   • No criminal penalties

61. Advice
   • Don’t Panic!
   • Start with what policies you already have
   • Ask yourself “what if”
   • It’s meant to be a risk-based, flexible rule
   • Think in terms of what is reasonable, practical and works for you in your business.

62. Where to go for templates
   • Remember that templates are just starting points; no one-size-fits-all!
   • http://www.ftc.gov/bcp/edu/microsites/redflagsrule/diy-template.shtm
     ◦ Click on “get started” at the bottom middle of the page
     ◦ FTC anticipates that every business will have at least one red flag, because they wrote it in for us:
     ◦ “Notice from customer, a victim of ID theft, law enforcement agency or someone else that an account has been opened or used fraudulently”

63. Where to go for templates
   • Remember that templates are just starting points; no one-size-fits-all!
   • Business Credit Magazine, March 2009
     ◦ Article on page 62
     ◦ Model plan on pages 65 to 68

64. Questions? [email_address] www.ftc.gov Thank you!
