Post on 11-Jan-2016
Tiffany George, Attorney, Division of Privacy & Identity Protection, Federal Trade Commission

COMPLYING WITH THE RED FLAGS RULE & ADDRESS DISCREPANCY RULE
WHAT’S ON YOUR MIND
So what is the Red Flags Rule?
Who’s covered by the Red Flags Rule?
If we’re covered by the Red Flags Rule, what do we need to do?
How do we design an Identity Theft Prevention Program?
What are the Red Flag Guidelines?
What about the Address Discrepancy Rule?
THE FACT ACT
Fair and Accurate Credit Transactions Act of 2003, amending the Fair Credit Reporting Act (FCRA)
RULES: 72 Fed. Reg. 63718 (November 9, 2007)
www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
(FTC Rules p. 63771-63773, Guidelines p. 63773-63774, Supplement p. 63774)
BACKGROUND
Joint rulemaking
Final rules published November 9, 2007
Compliance required by November 1, 2008, but enforcement forbearance for the Red Flags Rule until May 1, 2009, for entities under FTC jurisdiction
SO WHAT IS THE RED FLAGS RULE?
RED FLAGS RULE
FACT Act Section 114
FCRA Section 615(e)
16 C.F.R. § 681.2
A “red flag” is a pattern, practice, or specific activity that could indicate identity theft
STRUCTURE OF THE RED FLAGS RULE
Risk-based rule
Guidelines (Appendix A)
Supplement A – 26 examples of red flags
PURPOSE OF THE RED FLAGS RULE
To ensure that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get your products or services with no intention of paying.
It’s not just another data security regulation.
WHO’S COVERED BY THE RED FLAGS RULE?
Financial institutions
Creditors

From the FCRA, a “financial institution” is:
A state or national bank
A state or federal savings and loan association
A mutual savings bank
A state or federal credit union, or
Any other person that directly or indirectly holds a transaction account* belonging to a consumer
* From the Federal Reserve Act, Section 19(b) – an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others

From the ECOA, a “creditor” is:
Any person who regularly extends, renews, or continues credit
Any person who regularly arranges for the extension, renewal, or continuation of credit, or
Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit
IF WE’RE COVERED BY THE RED FLAGS RULE, WHAT DO WE NEED TO DO?
Financial institutions and creditors must conduct a periodic risk assessment to determine if they have “covered accounts.”
If they do, they must develop, implement, and administer a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
• the opening of a covered account, or
• any existing covered account.

An “account” is:
A continuing relationship established by a person with an FI or creditor to obtain a product or service for personal, household, or business purposes.

A “covered account” is:
A consumer account designed to permit multiple payments or transactions, and
Any other account for which there is a reasonably foreseeable risk from identity theft*
* Risk factors
1. Methods provided to open the account
2. Methods provided to access the account
3. Previous experiences with identity theft
HOW DO WE DESIGN AN IDENTITY THEFT PREVENTION PROGRAM?
DESIGNING YOUR PROGRAM
Develop reasonable processes and procedures for:
STEP #1 – Identify relevant red flags. Identify the red flags you’re likely to come across in your business that indicate a crook is using someone else’s information to get your products or services with no intention of paying.
STEP #2 – Detect red flags. Set up procedures to detect them in your day-to-day operations.
STEP #3 – Prevent and mitigate identity theft. When you spot the red flags you’ve identified, respond appropriately to prevent and mitigate harm.
STEP #4 – Update your Program. The risks of identity theft can change rapidly, so keep your Program current and educate your staff.
The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
DESIGNING YOUR PROGRAM: USING THE GUIDELINES
The Rules require you to:
Consider the Guidelines
Incorporate appropriate Guidelines into your Program
ADMINISTERING YOUR PROGRAM
Get approval of the initial Program from your Board of Directors or from a committee of the Board
After that, the Board may designate a senior management employee to oversee:
Development, implementation, and administration of the Program
Training of appropriate staff
Arrangements with service providers
WHAT ARE THE IDENTITY THEFT RED FLAGS GUIDELINES?
RED FLAGS GUIDELINES
1. Incorporate existing policies and procedures.
2. Identify relevant red flags.
3. Set up procedures to detect red flags.
4. Respond appropriately to red flags.
5. Update your Program periodically.
6. Administer your Program.
7. Consider other legal requirements.
Incorporate existing policies and procedures
Evaluate your existing anti-fraud programs
Evaluate your information security programs
Identify relevant red flags
Risk factors:
• Types of covered accounts you offer or maintain
• Methods for opening or accessing covered accounts
• Previous experience with identity theft
Sources of red flags:
• Episodes of identity theft that have already happened
• Changes in how crooks are committing identity theft
• Applicable supervisory guidance
Identify relevant red flags
Five categories of red flags*:
• Alerts, notifications, or other warnings received from credit reporting agencies or service providers
• Suspicious documents
• Suspicious personal identifying information
• Unusual use of or other suspicious activity related to a covered account
• Notice from customers, victims of identity theft, or law enforcement authorities
* 26 examples are found in Supplement A
Set up procedures to detect red flags
Verify identity
Authenticate customers
Monitor transactions
Verify validity of address changes
Respond appropriately to red flags
Monitor accounts
Contact customer
Change passwords
Close and reopen account
Refuse to open account
Don’t sell the account or collect on it against the identity theft victim
Notify law enforcement
In some cases, no response may be warranted
Update your Program periodically in light of:
Experience with identity theft
Changes in methods of identity theft
Changes in methods to detect, prevent, and mitigate identity theft
Changes in types of accounts offered
Changes in business arrangements
Administer your Program
Oversight of the Program by your Board or a senior manager involves:
• Assigning specific responsibility for implementation
• Reviewing reports
• Approving material changes to your Program
Administer your Program
At least once a year, the Board or the senior manager should get a report addressing material matters like:
• Service provider arrangements
• Whether your policies and procedures have been effective in addressing the risk of identity theft in connection with covered accounts
• Significant incidents involving identity theft and management’s response
• Recommendations for changes to the Program
Administer your Program
Oversight of your service providers involves ensuring their activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.
Other legal requirements
Other FCRA provisions – for example, information furnisher duties to update or correct inaccurate information, and not report inaccurate information (15 U.S.C. 1681s-2)
WHAT ABOUT THE ADDRESS DISCREPANCY RULE?
ADDRESS DISCREPANCY RULE
FACT Act Section 315
FCRA Section 605(h)
16 CFR § 681.1

WHO’S COVERED?
Users of credit reports
NOTICE OF ADDRESS DISCREPANCY
“Nationwide credit reporting agency” (NCRA) – as defined in FCRA
“Notice of address discrepancy” comes from a nationwide credit reporting agency and notifies the user of a substantial difference between:
Address the user provided, and
Address in the credit reporting company’s files
Regulatory Requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the credit report relates to the consumer about whom the report was requested
ENSURING ACCURACY: REASONABLE BELIEF
Establishing a “reasonable belief” – examples
Compare information in the credit report to information the user:
• Maintains in its records
• Gets from third-party sources
• Gets to comply with CIP rules
Verify information in the credit report with the consumer
CONFIRMING ADDRESS
Regulatory requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA when the user:
Can form a reasonable belief that the report relates to the consumer
Establishes a continuing relationship with the consumer
Regularly furnishes information to the NCRA
ENFORCEMENT OF RULES
Administrative enforcement under 15 U.S.C. 1681s (Section 621 of the FCRA).
No private right of action for 16 C.F.R. 681.2
State Attorneys General
No criminal penalties
QUESTIONS?
RedFlags@ftc.gov
www.ftc.gov