FACT Act Training for Staff Identity Theft “Red Flags”

WHAT IS IDENTITY THEFT? Under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Identity Theft means: “A fraud committed or attempted using the identifying information of another person without authority”

Identity Theft Statistics One study found that ID theft cost US businesses and consumers $56.6 billion in 2005 Dept. of Justice reports that ID theft is now passing up drug trafficking as the number one crime in the nation In 2006, 15 million people were victims of identity theft

Identity Theft Statistics ITRC* found in 2007 that 78% of respondents reported financial identity theft crimes Check fraud and debit card fraud are increasing (based on 2007 study) 50% of respondents said that personal info had been used to open a new line of credit *Identity Theft Resource Center Add Washington Post article about prosecurtors

How at risk are you? Yes or No? I receive several offers of pre-approved credit every week. I do not shred credit card offers before placing them in the trash. I carry my Social Security card in my wallet. I do not use “Verified by VISA” on my VISA debit and credit cards. I do not have a PO Box or locked secured mailbox. I use an unlocked, open box at work or at my home to drop off my outgoing mail. I have not copied every item in my wallet front and back. I do not have information and instructions if I become a victim of identity theft. I provide my SSN whenever asked, without asking questions as to how that information will be safeguarded.

Yes or No? I provide personal information orally without checking to see who might be listening. I am required to use my SSN at work as an employee ID or at college as a student ID number. I write checks to pay all my bills and/or as a method of payment at retail stores. I have my SSN and/or driver’s license number printed on my personal checks. I do not use a “cross cut” shredder to shred any sensitive documents or information at home. My pin numbers are the last 4 digits of my house number, phone number, birth date, or Social Security number. I have not ordered a copy of my credit report for at least 2 years. I do not believe that people would root around in my trash for information.

If you answered yes… Then you could be at risk for identity theft. Read more at www.privacyrights.org for information on consumer risk and more quizzes about ID theft. As a financial institution, how do we respond?

Fair Credit Reporting Act and FACT Act FACT Act amended FCRA in 2003 to require guidelines for ID Theft and address discrepancies Final rules issued in November 2007 Mandatory compliance date: November 1, 2008 NCUA rules apply to federal credit unions; FTC rules apply to state-chartered credit unions

“Red Flags” “Red flags” are patterns, practices, or activities that indicate the possible existence of identity theft. Examples A fraud or active duty alert is included with a consumer report Personal identifying information is inconsistent when compared against external sources (address does not match the address in consumer report) The phone number is invalid, or is associated with a pager or answering service An account is used in a manner inconsistent with established patterns (nonpayment when no history of late payments) Given the changing nature of ID theft, credit unions must also implement policies and procedures to identify any additional red flags relevant to detecting a possible risk of identity theft.

Examples of Red Flags Photograph is inconsistent with consumer.

Examples of Red Flags Documents appear to be altered.

Examples of Red Flags Mail is returned even though transactions continue to occur on account.

Examples of Red Flags Multiple names associated with social security number (credit reports): Credit report: Joe Doe DOB 2-7-67 SSN: 294-12-1234 Your records indicate that you have: John Doe DOB 4-15-68 SSN: 294-12-1234

Program Written program that is designed to detect, prevent, and mitigate identity theft when opening accounts or for existing accounts Risk-based program Contains policies and procedures to: 1. Identify red flags 2. Detect incorporated red flags 3. Respond to red flags to prevent and mitigate identity theft 4. Update the program periodically Risk based: appropriate to size and complexity and nature and scope of activities

Identifying Red Flags Types of accounts offered and maintained When identifying red flags, the following is considered: Types of accounts offered and maintained Methods to open accounts Methods to access accounts Previous experience with identity theft Incorporate red flags from sources such as: Incidents of identity theft experienced by the CU Methods of identity theft the CU has identified that reflects changes in identity theft risk Applicable supervisory guidance Must consider nature of credit union’s business and types of identity theft might be subject to Red flags for deposit accounts may differ from those for credit accounts, and those for consumer accounts may differ from those for business accounts. Red flags for accounts opened on the internet will differ from in person accounts.

Detecting Red Flags Credit union must detect red flags that are incorporated into the program. Opening new accounts: look to CIP rules that CU already has in place-verify identity of person opening account Existing accounts: authenticate customers, monitor transactions, and verify change of address requests CIP allow accounts to be opened before identity is verified in some cases; should only be using CIP to a limited extent

BHFCU Credit Union’s Detection Procedures BHFCU Credit union utilizes account checklists to detect red flags at account opening A separate checklist is available for credit cards, loans and lines of credit, and deposit accounts Staff should complete the checklist when any possible red flag is detected If any red flags are indicated on the checklist, staff should refer to the Red Flag Procedures to determine the credit union’s response The Training Coordinator shall receive a completed copy of the checklist when a red flag has been detected

Responding to Red Flags Policies and procedures to respond to red flags to prevent and mitigate identity theft Response is based on risk Procedures for response include: Assessment of whether red flags detected evidence a risk of identity theft; document reasonable basis for conclusion Consideration of aggravating factors that may heighten the risk of identity theft Aggravating factors: i.e. a data security incident that results in unauthorized access to a member’s account records or notice that a member has provided information related to an account to someone fraudulently claiming to represent the CU or to a fraudulent website

BHFCU’s Responses BHFCU’s Red Flag Procedures detail responses for red flags The response will depend on the circumstances Management should be contacted if the staff member concludes that the account should not be opened based on the red flag If staff is unsure how to respond to the red flag, the Training Coordinator shall be contacted

Response to a Significant Incident A significant incident and the credit union’s response shall be documented in the designated logbook. The credit union Training Coordinator shall determine when the incident warrants documentation in the logbook. The logbook should only contain incidents that are likely to or did have a major effect on the credit union or the member. The logbook should provide the Board with a meaningful compilation of significant red flag incidents.

Updating the Program The credit union will update the program periodically depending on: The experiences of the CU with identity theft Changes in methods of identity theft Changes in methods to detect, prevent, and mitigate identity theft Changes in the types of accounts offered Changes in the structure of the CU, including mergers or service provider arrangements

FACT Act Change of Address and Address Discrepancies

Change of Address The credit union may not issue an additional or replacement debit or credit card if a request is received during at least the first 30 days after receiving notification of a change of address for that account, unless the credit union assesses the validity of the change of address request. Working on a warning in Symitar and a letter in Connections to help with this. Can satisfy the validity of the change of address request if CU validates an address as described on next slide when it receives an address change, before it receives a request for an additional or replacement card

Validating Change of Address Request To determine the validity of the request, the credit union must: Notify the cardholder of the request at the cardholder’s former address or by any other means of communication previously agreed to, and provide the cardholder with a means to promptly report an incorrect address; or Use other means of evaluating the validity of the address change, in accordance with the credit union’s policies and procedures outlined in its Red Flag Program. Any written or electronic notice must be clear and conspicuous and provided separately from the CU’s regular correspondence with the cardholder

Consumer Reports Address Discrepancies If the credit union receives a notice of address discrepancy, it must form a reasonable belief that the consumer report relates to the person for whom it was requested Can form reasonable belief by comparing CRA information with CIP information Information in application, change of address notification, account record or retained CIP documentation Information from 3rd party sources The consumer If can’t form reasonable belief, don’t use the report

Address Policy Changes We will no longer accept post office returns for address changes If a card request is received in the first 30 days after an address change on the account, we must assess the validity of the change before ordering the card. Members will be receiving a generated letter stating that there has been an address change on the account and to contact the CU if they didn’t request the change.

Thank you! We can help secure our members’ identities by doing these steps. Questions? Contact me anytime.