Published by Christopher Jennings. Modified over 9 years ago.

FACT Act Red Flags
Bank Compliance Association of Connecticut
September 3, 2008
Copyright 2007, Integrated Compliance Solutions, LLC

Agenda
- Conducting a Risk Assessment for ID Theft Red Flags (Michele)
- Developing an ID Theft Prevention Program (John)
- Break
- Auditing for Compliance (Steve)
- Roundtable Questions and Answers
- Lunch
- Regulatory expectations (FDIC)
- Questions and Answers

In A Perfect World...
TIMELINE:
- 1/08: Read regulation
- 2/08: Assign responsibility
- 3/08: Attend a Webinar; update the Board
- 4/08: Do the Risk Assessment
- 5/08: Modify Procedures
- 6/08: Draft Program (Policy)
- 7/08: Go on vacation
- 8/08: Finalize Procedures and Program
- 9/08: Board training
- 10/08: Staff training; Board approval
- 11/1/08: Go live!

In the Real World...

... here is how it goes sometimes...
TIMELINE:
- 1/08:
- 2/08:
- 3/08: Attend a Webinar
- 4/08: System problem
- 5/08: New product roll out
- 6/08: Read a white paper
- 7/08: Do the Risk Assessment
- 8/08: Assign responsibility
- 9/08: Modify procedures; Draft the Program
- 10/08: Board training, Board approval, staff training
- 11/1/08: Go live!!

ID Theft Provisions
Existing FCRA Requirements:
- Correct or update inaccurate or incomplete information and do not report information which is inaccurate
- Do not sell, transfer, or place debt for collection
- Credit agency must “block” information as it relates to any alleged identity theft
- Handle alerts
- Process notification of claims of ID theft
- Circumstances under which credit may not be extended when fraud or active duty alert is detected: Lender may not extend credit to individuals with identity theft alerts, unless lender correctly identifies the consumer
- ECOA prohibits discrimination against any person for exercising rights under Federal Consumer Credit Protection Act (this includes FCRA) … avoid this fair lending violation.
Existing Connecticut Law:
- ID theft is a crime (Section 53a-129)
So what’s new?

2008 FACT Act Changes

Definitions
- Identity Theft: a fraud committed or attempted using the identifying information of another person without authority.
- Red Flag: a pattern, practice, or specific activity that indicates the possible risk of identity theft. This definition is expansive enough to include activities which, in a given circumstance, constitute such a possible precursor to identity theft as to pose a risk of identity theft to the Institution and its customers.

The Red Flags
- Refer to the job aid in the handouts for a list of the 26 red flags.
- Provide job aid to all employees for easy reference when they are detecting red flags and completing the Red Flag Detection Report form (refer to sample in handout).

Risk Assessment
- The Program must be developed using a risk-based approach to the threat of identity theft.
- Written Procedures should be designed to focus the Institution’s resources on those potential incidents of identity theft that present the greatest risk to the Institution.

Risk Assessment Methodology
1. Identify the “covered accounts”:
   a. All consumer accounts
   b. Business accounts if sole proprietor
   c. Any other accounts (such as all business/commercial accounts)
Document your process!! (Collect product descriptions, brochures, rate sheets, or system product listings to support your conclusions.)

2. Evaluate the methods to open and to access each “covered account” and risk rate by account type:
   - Highest Risk: consumer accounts, open-end accounts, and accounts opened over the internet
   - Lowest Risk: commercial, closed-end, and accounts opened face-to-face

3. Perform a risk analysis based on the Institution’s characteristics to identify the “institution risk” level. Characteristics include: size, location, demographics of communities served, stability of work force, and previous experience with identity theft.

4. Risk rate each account type to develop an overall inherent “account type” risk level. This takes into account the previously mentioned methods to open, methods to access, and the Institution’s risk levels.

5. Determine “model controls” that would be necessary to mitigate the risk posed by each Red Flag.

6. Each account type must then be analyzed in relation to the actual controls existing within the Institution to determine weaknesses.
Examples of “model controls” -- Does the Institution have any of the following controls in place addressing each Red Flag?
   - Policies
   - Written procedures
   - Reports to Board or Compliance Committee
   - Automation
   - Monitoring
   - Auditing
   - Training

7. The resulting residual risk per account type within each Red Flag would then be calculated, taking into account controls that are or are not in place.
So what?? What is the next step??

8. An aggregate residual risk for each Red Flag is determined by totaling the residual risk score by account type. Then, an overall risk rating for the Institution is calculated.
[Diagram: Covered Accounts, Institution Risk, Account Type Risk, Controls, Overall Risk]

The result of the Risk Assessment process is that the Institution knows its:
- “covered accounts”
- “account type” risks by Red Flag
- “institution risk” level
- “Red Flag” risks
and the controls that need to be put into place by account and by Red Flag in order to “detect, prevent, and mitigate” the risk of identity theft, as required by the FACT Act.

Risk Assessment as a Procedural Tool
- The Institution is also responsible for keeping abreast of any regulatory publications identifying any new Red Flags and for updating the Risk Assessment when a new Flag is identified by the regulators or the Institution.
- The Risk Assessment should be updated at least annually (good idea to do continually when new products or services are developed or other factors change).

When Red Flags are detected, staff should complete a Red Flags Detection Report form and forward it to the senior official overseeing the program, or designee, particularly if the Flag cannot be resolved. (See sample in handouts.)
This will enable the official to maintain a record, such as on a log, and evaluate the effectiveness of the Program and whether new Red Flags have presented themselves.
The official will then be able to provide effective reports to the Board indicating whether the Risk Assessment should be updated.

In many instances, the Institution will be able to resolve discrepancies or otherwise determine that risk of identity theft does not exist, even though the Red Flag presented itself.
For example, an address discrepancy notice on a credit report is usually resolved by following the CIP and other procedures. Complete the Detection Report form and indicate “does not constitute a risk of identity theft” and explain why.
This proves that the Institution detected the Red Flag and followed its Identity Theft Prevention Program, including CIP.

Red Flag is Detected; Incidents
If a Red Flag is detected or when incidents occur, appropriate Responses include:
- Monitor an account for evidence of identity theft;
- Contact the customer;
- Change any passwords, security codes, or other security devices that permit access to a customer’s account;
- Reopen an account with a new account number;
- Not open a new account;
- Close an existing account;
- Not attempt to collect on a covered account or not sell a covered account to a debt collector;
- Notify law enforcement and file a Suspicious Activity Report in accordance with applicable law and regulation;
- Determine that no response is warranted under the particular circumstances;
- Update the Risk Assessment if a new Flag is identified.

FCRA Liability for Institutions
Administrative
- Cease and Desist Orders
- Other procedural actions
Civil Liability
- Willful violations, including “users” of credit:
   - Actual and punitive damages
   - Costs and reasonable attorney’s fees
- Negligent violations:
   - Actual damages
   - Costs and reasonable attorney’s fees
Criminal Liability
- Criminal fines
- Imprisonment

Contact Information
Michele A. Johnson, CRCM
Assistant Director
Integrated Compliance Solutions
mjohnson@icscompliance.com
203-526-1589

Notes
ID Theft Notes