FACT Act Training for StaffIdentity Theft “Red Flags”

WHAT IS IDENTITY THEFT?

Under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Identity Theft means:

“A fraud committed or attempted using the identifying information of another person without authority”

Identity Theft Statistics

One study found that ID theft cost US businesses and consumers $56.6 billion in 2005

Dept. of Justice reports that ID theft is now passing up drug trafficking as the number one crime in the nation

In 2006, 15 million people were victims of identity theft

Identity Theft Statistics

ITRC* found in 2007 that 78% of respondents reported financial identity theft crimes

Check fraud and debit card fraud are increasing (based on 2007 study)

50% of respondents said that personal info had been used to open a new line of credit

*Identity Theft Resource Center

How at risk are you? Yes or No? I receive several offers of pre-approved credit every week. I do not shred credit card offers before placing them in the trash. I carry my Social Security card in my wallet. I do not use “Verified by VISA” on my VISA debit and credit

cards. I do not have a PO Box or locked secured mailbox. I use an unlocked, open box at work or at my home to drop off

my outgoing mail. I have not copied every item in my wallet front and back. I do not have information and instructions if I become a victim of

identity theft. I provide my SSN whenever asked, without asking questions as

to how that information will be safeguarded.

Yes or No?

I provide personal information orally without checking to see who might be listening.

I am required to use my SSN at work as an employee ID or at college as a student ID number.

I write checks to pay all my bills and/or as a method of payment at retail stores.

I have my SSN and/or driver’s license number printed on my personal checks.

I do not use a “cross cut” shredder to shred any sensitive documents or information at home.

My pin numbers are the last 4 digits of my house number, phone number, birth date, or Social Security number.

I have not ordered a copy of my credit report for at least 2 years. I do not believe that people would root around in my trash for

information.

If you answered yes…

Then you could be at risk for identity theft.

Read more at www.privacyrights.org for information on consumer risk and more quizzes about ID theft.

As a financial institution, how do we respond?

Fair Credit Reporting Act and FACT Act FACT Act amended FCRA in 2003 to require

guidelines for ID Theft and address discrepancies

Final rules issued in November 2007 Mandatory compliance date: November 1,

2008 NCUA rules apply to federal credit unions;

FTC rules apply to state-chartered credit unions

“Red Flags” “Red flags” are patterns, practices, or activities that indicate the

possible existence of identity theft. Examples

A fraud or active duty alert is included with a consumer report Personal identifying information is inconsistent when compared

against external sources (address does not match the address in consumer report)

The phone number is invalid, or is associated with a pager or answering service

An account is used in a manner inconsistent with established patterns (nonpayment when no history of late payments)

Examples of Red Flags

Photograph is inconsistent with consumer.

Examples of Red Flags

Documents appear to be altered.

Examples of Red Flags

Mail is returned even though transactions continue to occur on account.

Examples of Red Flags

Multiple names associated with social security number (credit reports):

Credit report:Joe Doe DOB 2-7-67SSN: 294-12-1234

Your records indicate that you have:John Doe DOB 4-15-68

SSN: 294-12-1234

Program

Written program that is designed to detect, prevent, and mitigate identity theft when opening accounts or for existing accounts

Risk-based program Contains policies and procedures to:

1. Identify red flags2. Detect incorporated red flags3. Respond to red flags to prevent and mitigate identity

theft4. Update the program periodically

Identifying Red Flags When identifying red flags, the following is considered:

Types of accounts offered and maintained Methods to open accounts Methods to access accounts Previous experience with identity theft

Incorporate red flags from sources such as: Incidents of identity theft experienced by the CU Methods of identity theft the CU has identified that reflects

changes in identity theft risk Applicable supervisory guidance

Must consider nature of credit union’s business and types of identity theft might be subject to

Detecting Red Flags

Credit union must detect red flags that are incorporated into the program.

Opening new accounts: look to CIP rules that CU already has in place-verify identity of person opening account

Existing accounts: authenticate customers, monitor transactions, and verify change of address requests

BHFCU Credit Union’s Detection Procedures BHFCU Credit union utilizes account checklists to

detect red flags at account opening A separate checklist is available for credit cards,

loans and lines of credit, and deposit accounts Staff should complete the checklist when any

possible red flag is detected If any red flags are indicated on the checklist, staff

should refer to the Red Flag Procedures to determine the credit union’s response

The Training Coordinator shall receive a completed copy of the checklist when a red flag has been detected

Responding to Red Flags

Policies and procedures to respond to red flags to prevent and mitigate identity theft

Response is based on risk Procedures for response include:

Assessment of whether red flags detected evidence a risk of identity theft; document reasonable basis for conclusion

Consideration of aggravating factors that may heighten the risk of identity theft

BHFCU’s Responses BHFCU’s Red Flag Procedures detail responses for red

flags The response will depend on the circumstances Management should be contacted if the staff member

concludes that the account should not be opened based on the red flag

If staff is unsure how to respond to the red flag, the Training Coordinator shall be contacted

Response to a Significant Incident A significant incident and the credit union’s

response shall be documented in the designated logbook.

The credit union Training Coordinator shall determine when the incident warrants documentation in the logbook.

The logbook should only contain incidents that are likely to or did have a major effect on the credit union or the member.

The logbook should provide the Board with a meaningful compilation of significant red flag incidents.

Updating the Program

The credit union will update the program periodically depending on: The experiences of the CU with identity theft Changes in methods of identity theft Changes in methods to detect, prevent, and

mitigate identity theft Changes in the types of accounts offered Changes in the structure of the CU, including

mergers or service provider arrangements

FACT Act Change of Address and Address Discrepancies

Change of Address

The credit union may not issue an additional or replacement debit or credit card if a request is received during at least the first 30 days after receiving notification of a change of address for that account, unless the credit union assesses the validity of the change of address request.

Working on a warning in Symitar and a letter in Connections to help with this.

Validating Change of Address Request

To determine the validity of the request, the credit union must: Notify the cardholder of the request at the cardholder’s former

address or by any other means of communication previously agreed to, and provide the cardholder with a means to promptly report an incorrect address; or

Use other means of evaluating the validity of the address change, in accordance with the credit union’s policies and procedures outlined in its Red Flag Program.

Any written or electronic notice must be clear and conspicuous and provided separately from the CU’s regular correspondence with the cardholder

Consumer Reports Address Discrepancies

If the credit union receives a notice of address discrepancy, it must form a reasonable belief that the consumer report relates to the person for whom it was requested

Can form reasonable belief by comparing CRA information with CIP information Information in application, change of address notification,

account record or retained CIP documentation Information from 3rd party sources The consumer

If can’t form reasonable belief, don’t use the report

Address Policy Changes

We will no longer accept post office returns for address changes

If a card request is received in the first 30 days after an address change on the account, we must assess the validity of the change before ordering the card.

Members will be receiving a generated letter stating that there has been an address change on the account and to contact the CU if they didn’t request the change.

Thank you!

We can help secure our members’ identities by doing these steps.

Questions? Contact me anytime.