One such evolving legislative act is the Fair and Accurate Credit Transactions Act (FACTA), which itself was an outgrowth of the Fair Credit Reporting Act. Created during the strong growth in credit lending, as banks became increasingly reliant on measures of creditworthiness in granting loans, the FCRA set out to standardize the customer creditworthiness checks and provided a method by which consumers could challenge some of the findings on those reports.
The FCRA still recognized that identity theft was a serious issue, and provided a way for victims to erase any negative marks on their credit report that arose from identity theft. But it did nothing to stem the tide of identity theft cases -- until the addition of the FACTA rule.
It was on the last day of October of 2007 that Section 114 of FACTA was finalized, and it was published a week later. A testament to the newfound urgency in deterring identity theft, the section was developed in a joint effort between the Federal Trade Commission and five different Federal financial regulatory agencies, including the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation.
Its Red Flag Rules explicitly mandated specific programs to identify weak points in creditors’ business models, as well as programs to quickly detect possible exploitations of these weaknesses. Finally, the rules called for developing a program which, by means of the first two, would prevent and deter identity theft.
At the same time, realizing that identity theft had expanded from just a few localized industries to penetrate just about every economic sector, the new statutes broadened the definition of covered creditors to include even non-financial ones: car and boat dealerships, telecommunications firms (think cellphone contracts), medical care providers and many others.
Several delays have pushed back the effective date of the Red Flags Rule, giving businesses more time to prepare, but the rules are finally coming into force. That means if you haven’t paid attention to them before, and if your business provides covered accounts - “covering” the cost of a product or service until the buyer can pay back over time - these rules apply to you. You are now required to:
- Understand the risks specific to your industry or business sector.
Consider what kinds of covered accounts your business provides. How do the account holders open and access them? If, for instance, you run a medical practice, your vulnerabilities lie in individuals seeking advice or treatment under false identities. They may present a social security card with a fake number (SSN ranges typically correlate to year of birth), or a document showing a different address than stated on their form. Employees handling such documents must be sufficiently trained in verifying them.
- Detect possible “Red Flags” of Identity Theft
Once you have identified where the vulnerabilities to identity theft in your business lie, you can devote extra resources to plugging them. Returning to the case of the hypothetical medical practice, a patient presenting an obviously fake identity document would certainly raise some questions, as would the more subtle red flags such as medical histories inconsistent with treatment given, or a patient presenting bills for medical services they did not receive.
- Respond to Identity Theft
Long before uncovering possible incidents of identity theft, institutions must have in place a procedure to deal with them. This can include monitoring and, when appropriate, closing or freezing questionable accounts, changing passwords or other security barriers associated with them, and notifying the customer of the potential breach.
While only you, as the person most familiar with your business, can figure out its potential vulnerabilities, you do have help with detection and response. Key to both, and highlighted by the FTC itself, is reliable identity verification. This doesn’t just mean checking the document bearer’s name against the ID document, but mechanically checking the authenticity of that ID.
“Extremely troubling,” is how one Arizona public safety officer described the small items in front of him. “Better than we’ve ever seen” was the reaction of Assistant U.S. Attorney for New Hampshire Al Rubega. And Charles Schumer, Senator from the state of New York, minced no words when announcing a need to “strangle their source of funding” and “put them out of business.” The object of their alarm? An innocuous-looking laminated card, with a photo, name, address and basic demographics of its owner.
By all appearances, a genuine driver’s license. But nevertheless a fake.
An emerging concern for legislators, law enforcement and even ordinary shopkeepers is the level of sophistication built into these IDs, as well as their source -- China. First cropping up on high school and college campuses, the fake IDs could be ordered through an anonymous email address of a “Chinese guy”: buyers supply the name, address, birth-date and other basic information which appears on their driver's licenses, wire several hundred dollars to a bank account, and in several weeks’ time receive their card from China, hidden in between the packaging of some small item.
Set next to a genuine driver’s license from that state, the two cards look virtually indistinguishable. But these fakes go one step further and imitate many of the hidden security features found on the genuine cards. Put them under UV light, as the TSA security screeners do, and the proper logo appears. Tilt the ID back and forth and, just as in the genuine one, a hologram will appear under the text. Swipe the magnetic stripe on the reverse side into a handheld device, as would the bouncers at many bars, and all your information would be displayed just as on the card.
In fact the only way to trace the card’s origin is to scan the bar code on the back - the resulting readout will have “PARTiTek” appended to the end. The name corresponds to a bar code-encoding firm based in Nanjing, China.
Word of these super-IDs got around to several local TV stations, who decided to test them out on several local bars. The results were disconcerting: most of the doormen checking IDs were completely fooled by the fakes. And these are people trained to detect them.
For now, the “Chinese guy” appears more popular among teenagers looking to buy alcohol or enter a club than with terrorists looking to wreak havoc. But the implications of a fake ID sophisticated enough to pass even cursory TSA inspections should give us all pause.
To their credit, some businesses are already taking steps to detect these Chinese counterfeits - investing in better ID readers, which automatically check for all document security features, for instance. State and federal agencies are also fighting back by issuing more, and harder-to-duplicate, security features. This makes the need for reliable ID readers all the stronger, as the sheer number and diversity of the new features will make them nigh impossible to verify with any confidence with the naked eye. Unfortunately, counterfeiters have gotten too good at creating the authentic look of the documents, and are now moving on to duplicating some of the under-the-surface parts. Businesses must develop a way to reliably verify the authenticity of these documents -- or a few teenagers sneaking in will be the least of their worries.
If you have followed the news at all lately, you have likely heard that financial institutions of all stripes are coming under greater scrutiny, with proposals for ever-tighter regulation still on the horizon. This includes not only bank lending and deposit activities, but also the manner in which all institutions vet their clients - former, current and future. In large part this is an attempt to mitigate identity theft. Creative identity thieves have been able to steal personal identification information from thousands of accounts. Creating false identities and fake ID documents to open new lines of credit has become easier than ever.
It is perhaps a sign of the times when the annual convention of anti-money laundering professionals draws a record attendance. This year, the Association of Certified Anti-Money Laundering Specialists (ACAMS) met for the 10th year straight, covering financial fraud from both a global and an organization-focused perspective, and celebrating both a record turnout for the convention and a new high in membership.
One of the biggest concerns of any financial institution – that is, any institution that routes payments between individuals / organizations, or which accepts payments over time – is money laundering. Profits obtained from some nefarious activity need to be 'washed' through the system to remove any trace of their origin; and individuals have found no shortage of ways to wash them – creating shell companies, giving out loans to themselves, buying and selling casino chips, or simply paying for everything in cash. Indeed, as our previous article about the depth and breadth of the practice showed, laundering comes in a variety of creative shapes and sizes, with some more apparent than others.
The last several weeks have seen a number of noteworthy arrests for money laundering. A fugitive American, who pled guilty to money laundering charges eight years ago but disappeared while out on bail, was finally returned to the U.S. after being apprehended in Mexico last year. And a Jamaican national was sentenced to 30 years in prison in the U.S. for money laundering, and ordered to pay $55 million in restitution to his victims – after he finishes out his 6 ½ year term for a prior conviction in Jamaica.
The last decade brought about a tumultuous change in financial institution regulations. Many pre-2000 “suggestions” or “guidelines” became hard rules enforced by stiff fines. The new regulations were long overdue – the terrorist attacks of 2001, and the string of large corporate scandals a few years later, proved once again we aren't in Kansas anymore – but they did significantly complicate compliance procedures. There is first an alphabet soup of overlapping legislation under the PATRIOT Act, Bank Secrecy Act, the Financial Anti-Terrorism Act, FINRA and “know your customer” requirements, Sarbanes-Oxley and a fair amount of other stringent regulations. In short, financial institution executives are quite burdened familiarizing themselves with dozens of potentially applicable rules and regulations.