Copyright© 2010 WeComply, Inc. All rights reserved. 10/10/2015 FACTA Red Flags

Copyright© 2010 WeComply, Inc. All rights reserved. 10/10/2015 FACTA Red Flags

Copyright© 2010 WeComply, Inc. All rights reserved. 3 What Is Identity Theft? Identity theft: "A fraud committed or attempted using the identifying information of another person without authority" Identifying information includes — Names, Social Security numbers, dates of birth, or driver's license, alien-registration and passport numbers Unique biometric data — e.g., fingerprints or retinal scans Unique electronic data — e.g., identification number, address, routing code Identity theft is more prevalent where accounts may be opened/accessed remotely

Copyright© 2010 WeComply, Inc. All rights reserved. 4 Fighting Identity Theft with FACTA This training will help you — Identify, detect and respond appropriately to red flags Ensure that red flags are updated periodically Every organization that handles consumer data should be alert for red flags that apply to its business FACTA — Is a federal consumer-rights law Is intended to lower risk of identity theft Requires organizations to have an Identity Theft Prevention Program

Copyright© 2010 WeComply, Inc. All rights reserved. 5 Identifying and Detecting Red Flags Red flag: Pattern, practice or activity that indicates the possible existence of identity theft Categories of FACTA red flags: Warnings from consumer reporting agencies Suspicious documents Suspicious personal identifying information Suspicious accounts or unusual use of an account Notice or alerts of possible identity theft from customers, law enforcement or other persons

Copyright© 2010 WeComply, Inc. All rights reserved. 6 In the news…

Copyright© 2010 WeComply, Inc. All rights reserved. 7 Identifying and Detecting Red Flags (cont'd) Consider how likely you are to encounter red flags in your work based on — The types of business and personal accounts we offer or maintain The methods we provide for opening these accounts The methods we provide for allowing access to these accounts Our previous experience with identity theft

Copyright© 2010 WeComply, Inc. All rights reserved. 8 Warnings from Consumer Reporting Agencies Red flag may be alert or notification from consumer reporting agency Red flag might also arise if consumer report shows suspicious pattern of activity — Significant increase in volume of inquiries Many recently established credit relationships Material change in the use of credit, especially with new credit relationships Account being closed for cause or flagged for abuse of account privileges

Copyright© 2010 WeComply, Inc. All rights reserved. 9 Suspicious Documents Red flags for suspicious documents: Documents appear to have been altered or forged Photograph, physical description or other information is inconsistent with appearance of applicant/customer Information is not consistent with information on file — e.g., signature card or recent check Application gives appearance of having been destroyed and reassembled Fraudulent documents are much more prevalent — and harder to detect — now that identity thieves use digital methods

Copyright© 2010 WeComply, Inc. All rights reserved. 10 Suspicious Personal Identifying Information Red flags for personal identifying information: Information provided is inconsistent with that obtained from other sources Information provided is inconsistent with other personal identifying information provided by the individual Information provided is associated with known fraudulent activity The individual cannot answer a challenge question correctly

Copyright© 2010 WeComply, Inc. All rights reserved. 11 Suspicious Account Activity Red flags for suspicious account activities: Unauthorized charges or transactions in a customer's account Request for new, additional or replacement materials or to add authorized users Account usage inconsistent with established patterns of activity Mail sent to customer is returned repeatedly, though transactions continue to be conducted

Copyright© 2010 WeComply, Inc. All rights reserved. 12 Pop Quiz! Which of the following is an example of suspicious account activity? A.A significant change in fund-transfer patterns. B.A substantial increase in available credit. C.Nonpayment after a long history of consistent, timely payments. D.An inactive account is used suddenly. E.All of the above.

Copyright© 2010 WeComply, Inc. All rights reserved. 13 Notice or Alert of Identity Theft Red flag may arise if customer, victim, law-enforcement authority or other third party notifies us of possible identity theft or suspicious activity: Customer notifying us of unauthorized charges to his/her account Local police notifying us that we have opened fraudulent account for person engaged in identity theft Internal alert indicating that certain accounts have been accessed by unauthorized users Report by financial institution, creditor or other organization of breach of security involving individuals who are or may be account-holders

Copyright© 2010 WeComply, Inc. All rights reserved. 14 Low-Tech Red Flags There are many low-tech ways — called social engineering — used to gain unauthorized access to confidential information: Impersonating an authorized person online, by phone or even in person Coaxing information out of employees by preying on their trust, charming them or flirting Rigging the system, offering to "fix it," then accessing passwords in the course of repairing it Entering work area and looking over people's shoulders to see passwords Sifting through unshredded documents in trash

Copyright© 2010 WeComply, Inc. All rights reserved. 15 Pop Quiz! Based on what you've learned in this course thus far, which of the following do you think is the most commonly reported form of identity theft? A. Credit-card fraud. B. Utilities fraud. C. Employment fraud. D. Bank fraud.

Copyright© 2010 WeComply, Inc. All rights reserved. 16 Responding to Red Flags If you encounter any red flags, we must assess the risk of identity theft If we conclude that there is not a risk, we have satisfied our responsibilities If we determine that there is a risk of identity theft, we might — Monitor an account Contact the customer Change passwords or security codes Not open a new account or close an existing account Reopen an account with a new account number Notify law enforcement

Copyright© 2010 WeComply, Inc. All rights reserved. 17 Other Information-Security Practices Employees must use responsible information-security practices: Never leaving computers unattended when account information is on screen Disposing of documents properly Using strong passwords and never letting anyone "borrow" them Safeguarding mobile devices that contain personal data Using encryption when transporting confidential information outside office Third-party service providers must have their own Identity Theft Prevention Program in compliance with FACTA

Copyright© 2010 WeComply, Inc. All rights reserved. 18 Address Discrepancies We have special obligations if a credit agency notifies us that address on credit report does not match what we provided for the consumer We must determine whether report belongs to correct consumer by — Verifying consumer's identity in accordance with Customer Information Program (CIP) rules Maintaining our own records — e.g., applications, change-of-address notifications, other consumer account records, retained CIP documentation Obtaining records from third-party sources In lieu of this, we may verify credit-report information with consumer directly

Copyright© 2010 WeComply, Inc. All rights reserved. 19 Change-of-Address Requests Card issuers must validate address change when request for additional/replacement card is within 30 days of address-change request New card may not be issued unless card issuer — Notifies cardholder of address-change request and provides way to report incorrect address change, or Assesses validity of address-change request according to FACTA-compliant procedures Validation may also be performed before request for additional/replacement card

Copyright© 2010 WeComply, Inc. All rights reserved. 20 Identity Theft – a Moving Target FACTA requires us to keep our identity-theft-prevention policies and procedures updated If experience has led you to identify other red flags, share them with your supervisor About half of consumers said they would switch the company they do business with for one that offered better protection against identity theft By improving our ability to identify, detect and respond to red flags, we can — Serve our customers better Increase our customer base Play a valuable role in limiting identity theft

Copyright© 2010 WeComply, Inc. All rights reserved. 10/10/2015 Final Quiz

Copyright© 2010 WeComply, Inc. All rights reserved. 10/10/2015 Questions?

Copyright© 2010 WeComply, Inc. All rights reserved. 10/10/2015 Thank you for participating! This course and the related materials were developed by WeComply, Inc. and the Association of Corporate Counsel.