Part II of a Four-Part Procedure for Compliance with Identity Theft Prevention Requirements
If your organization is involved in the financial services industry, or in any way has a regular practice of "extending, renewing or continuing credit" to your customers, then June 1st, 2010 is an important deadline for you.
The Joint Committee of the OCC, Federal Reserve Board, FDIC, OTS, NCUA and the Federal Trade Commission passed the final legislation for Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The specific parts of FACTA which relate to preventing identity theft are known as the "Red Flag Rules".
The Red Flag Rules require that organizations handling "covered" transactions develop and implement a written "Identity Theft Prevention Program" to DETECT, PREVENT and MITIGATE identity theft.
Enforcement for organizations subject to oversight by the Federal Trade Commission has been extended four times and is now pushed forward to June 1st, 2010.
Part 2: DETECT RED FLAGS
In Part I, organizations are required to review their operations and try to identify and list the areas where Red Flags may be detected. Part II requires organizations to have a written description of how they will detect each Red Flag in every circumstance where it may occur. There are several very broad requirements for this objective. A closer look at these may reveal deficiencies or gaps in companies' current programs and processes.
1. Obtaining Identifying Information and Verifying Identity
This step is specifically targeted at the process of verifying the identity of any individual who has approached your organization regarding the opening of a new account. Many companies may already have an identity verification solution in place based on the requirements of the Patriot Act. However, the new Red Flag Rules impose more stringent burdens. Under the new guidelines, an organization's detection process must detect the Red Flag BEFORE the account is opened. The Customer Identification Program (CIP) requirements have been made tougher under the Red Flag Rules, since organizations are now responsible for verifying identity in a "real time" environment.
2. Authenticating Transactions for Existing Customers
The term "authentication" typically implies a method of ensuring that the person who is making a transaction is, in fact, the owner of the personal information set that we call an identity. Traditionally, validating an identity has been achieved by obtaining a driver's license or government ID and comparing the picture on the ID to the person who has presented it. However, with recent advances in, and widespread access to, digital printing and graphics technologies, this method can no longer be completely trusted. An authentication process must be put in place that conducts an actual validation of the person's identity before a transaction is allowed. The Red Flag regulation does not specify the degree to which organizations must deploy technology to detect Red Flags. It only stresses the need to be "effective" and to prove the effectiveness of your program to your board of directors on at least an annual basis.
3. Monitoring Transactions (Activity) Of Customers
Monitoring the activity of your current customers can be an even bigger challenge. An example used in the regulation is a change of address request that closely follows a request for a new credit or debit card. Another is a material change in a customer's use of credit, especially with respect to recently established relationships. This means that not only do you need to track specific types of activities, but you must track those activities in relation to the timing of certain other events or transactions and, in some cases, compare them to a "norm" that may be different for each customer. There are rules-based database scanning technologies that can look for patterns of behavior and anomalies in your existing customer transaction data and provide an alert. But whether you employ a technology solution or not, it is the responsibility of the financial institution to make sure that all of the rules are established, maintained and followed accurately.
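A timing rule of the kind described above, as an added example that is not part of the original article: it flags any customer whose address change and card request fall within a set window of each other, in either order. The event names, the sample records and the 30-day window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy value for "closely follows"; set this from your written program.
WINDOW = timedelta(days=30)
PAIR = {"address_change", "card_request"}  # hypothetical event type names

# Constructed sample events: (customer_id, ISO timestamp, event_type)
EVENTS = [
    ("C1", "2010-03-01T10:00", "card_request"),
    ("C1", "2010-03-04T09:30", "address_change"),
    ("C2", "2010-01-05T12:00", "card_request"),
    ("C2", "2010-04-20T12:00", "address_change"),   # far apart: no alert
    ("C3", "2010-02-10T08:00", "address_change"),
    ("C3", "2010-02-12T08:00", "card_request"),
    ("C3", "2010-02-13T08:00", "payment"),           # unrelated activity
]


def find_red_flags(events, window=WINDOW):
    """Return one alert per address-change/card-request pair inside the window."""
    by_customer = defaultdict(list)
    for customer, stamp, kind in events:
        by_customer[customer].append((datetime.fromisoformat(stamp), kind))

    alerts = []
    for customer, history in sorted(by_customer.items()):
        history.sort()  # chronological order per customer
        for i, (t1, k1) in enumerate(history):
            for t2, k2 in history[i + 1:]:
                if t2 - t1 > window:
                    break  # later events are even further away
                if {k1, k2} == PAIR:
                    alerts.append({
                        "customer": customer,
                        "first": k1,
                        "second": k2,
                        "gap_days": (t2 - t1).days,
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_red_flags(EVENTS):
        print(alert)
```
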
4. Verifying the Validity of Change of Address
A great deal of emphasis is placed on monitoring changes of address for covered accounts. Identity thieves commonly attempt to manipulate an account before initiating fraudulent activity so that their activities will not be discovered quickly. This can be achieved by changing the address on an existing account to divert the statements and notifications so the real owner of the identity remains unaware. The longer a thief can go undetected, the more damage they can do. A change of address request should be treated in the same cautious manner as a request for a withdrawal, using the same level of authentication required for other types of transactions.
My next article will deal with Part III of the four-part procedure for setting up a Red Flags Rules compliance methodology: Prevent and Mitigate ID Theft.
UVeritech, established in 2000, is a leader in multi-layer fraud prevention and counterfeit money detection solutions such as UV Scanners, Automated Currency Detection, Image Capture, Verification and Authentication, and pioneered POS counterfeit fraud detection scanners in enterprise accounts such as Wells Fargo, Bank of America, JPMC, Bank One, Regions, Compass, Citizens, PNC, and over 1000 credit unions. UVeritech is also a leader in the government, hospitality, rental and retail industries. For more information, call: 800.883.8822.