
A Presentation to Shareholder Services Association

Red Flags Identity Theft Program. Michael Sawyer Director, Privacy and Data Protection Officer Pershing LLC. March 18, 2010. A Presentation to Shareholder Services Association. Introduction.


Presentation Transcript


  1. Red Flags Identity Theft Program Michael Sawyer Director, Privacy and Data Protection Officer Pershing LLC March 18, 2010 A Presentation to Shareholder Services Association

  2. Introduction
  • At the end of 2007, the Federal Trade Commission (FTC) and five federal bank regulatory agencies (FDIC, OCC, Federal Reserve, OTS and NCUA) jointly issued the final rules and guidelines implementing sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act).
  • Under these regulations, the “Red Flag Rule” was adopted, which requires the development, implementation, and maintenance of an Identity Theft Prevention Program by covered companies that hold any customer accounts.
  • These requirements were effective January 1, 2008, with a mandatory compliance date of June 1, 2010.

  3. Introduction - Key Points: Developing, Implementing, and Updating an Identity Theft Prevention Program
  • Mandatory compliance date: June 1, 2010.
  • A written, board-approved Identity Theft Prevention Program is required.
  • Existing policies and practices can and should be leveraged to satisfy requirements, including those related to:
    • Customer Identification Procedures (“CIP”)
    • Data Protection
    • Fraud Protection
    • Privacy
  • “Covered accounts” held by “Financial Institutions” and “Creditors” fall under this rule.
  • Staff must be trained.
  • The Program must be updated periodically.
  • Annual reports on compliance are required.

  4. Red Flag Rule Definitions
  • Covered Account: The Rule defines “covered accounts” as: 1) consumer accounts designed to permit multiple payments or transactions, or 2) any other account that presents a reasonably foreseeable risk from identity theft.
  • Financial Institution: The Red Flags Rules provide that a “Financial Institution” is: 1) a state or national bank, 2) a state or federal savings and loan association, 3) a mutual savings bank, 4) a state or federal credit union, or 5) any other entity that directly or indirectly holds a transaction account belonging to a customer.
  • Creditor: “Creditors” can include businesses or organizations that regularly provide goods or services first and allow customers to pay later.
  Source: http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm

  5. General Scope of the Red Flag Rule
  • The Red Flag Rule requires all Financial Institutions and creditors to implement an Identity Theft Prevention Program to detect, prevent and mitigate identity theft for covered accounts.
  • The Program must be documented and updated periodically. Updates must reflect changes in risks to customers or to the safety and soundness of the Financial Institution or creditor from identity theft.
  • The Program must also have the approval of the Board of Directors or a designated Senior Management employee by June 1, 2010.
  • The Board of Directors shall also supervise the implementation of the Program, the training of staff and the oversight of service providers.

  6. General Scope of the Red Flag Rule (cont’d)
  • The four general elements that the Program must contain are “reasonable policies and procedures” to:
    • Identify and incorporate Red Flags for covered accounts
    • Detect Red Flags that are included in the Program
    • Respond to those Red Flags appropriately
    • Update the Program periodically to reflect the risk to the customer or to the safety of the Financial Institution or creditor from identity theft

  7. Identifying Red Flags Each Financial Institution or creditor is responsible for creating the list of its own Red Flags. There are no qualifications or mandates for certain Red Flags to be included in this list. The regulation does offer general guidelines and categories in identifying Red Flags but in essence, a Financial Institution or creditor must include every possible situation in which a Red Flag may occur. The regulation includes five broad Red Flag categories, included in the following table. Also included are examples of each category.

  8. Detecting Red Flags
  After creating the exhaustive list of possible Red Flags, the more challenging aspect is determining the process and procedure for their detection. Financial Institutions or creditors that are subject to the new and changing regulations should view Red Flag detection as a means to the end of achieving overall enhanced information security and IT security governance. A holistic view of information security and Red Flag detection helps align IT investment with business objectives: securing customer data, transactions, and identities, thus improving customer confidence. There are several broad requirements for detecting Red Flags. The Red Flag requirements do not mandate the degree to which technology should be used, but they recommend that technology be leveraged to optimize detection.
  • Obtaining and verifying information about a person opening a covered account.
  • Authenticating existing covered accounts.
  • Monitoring transactions of existing covered accounts.
  • Verifying that change of address requests for existing covered accounts are valid.
  • Conducting regular information risk assessments throughout the firm.

  9. Preventing and Mitigating Identity Theft
  • The regulation states that the Program established by the Financial Institution or creditor must be commensurate with the degree of the risk posed and also should consider aggravating factors that might elevate the identity theft risk. An example given in the regulation is when a Financial Institution or creditor becomes aware that a customer inadvertently provided account information to someone fraudulently claiming to represent that Financial Institution or creditor in the form of a fraudulent website.
  • In such a scenario, appropriate responses can include:
    • Monitoring a covered account for evidence of identity theft.
    • Contacting the customer.
    • Changing any passwords, security codes, or other security devices that permit access to a covered account.
    • Re-opening a covered account with a new account number.
    • Not opening a new covered account.
    • Closing an existing covered account.
    • Not attempting to collect on a covered account or not selling a covered account to a debt collector.
    • Notifying law enforcement.
    • Determining that no response is warranted under the particular circumstances.

  10. Summary
  • While many Financial Institutions and creditors have put processes in place to deal with identity theft, the overwhelming majority may not have an actual written program.
  • The Red Flag Rule now mandates that such processes be formalized into an Identity Theft Program to detect, prevent, and mitigate identity theft for covered accounts.
  • Next Steps?

  11. Information Life Cycle (diagram; labels as extracted): Collection, Destruction, Storage, Retention, Use, Information, Transfer, Access, Sharing

  12. Aspects of Data Protection (diagram; labels as extracted): Physical Security, Information Security, Operations, Vendor Management, Compliance, Technology, Data Protection, Regulation, Human Resources, Process, People, Governance, Legal, Administration, Physical, Privacy, Data Leakage Prevention, Identity Theft, Risk Management, Competitors, Insider Threats, Cyber Security

  13. Examples of Controls to Implement
  • Information Security Policies and Procedures
  • Data Privacy Program
  • CIP (Customer Identification Program)
  • Data Protection Guidelines and Recommendations
  • Red Flags Training Materials / Communications
  • Red Flags Written Supervisory Procedures
  • Surveillance Software
  • Red Flags Steering Committee
  • Stronger Authentication
  • Testing and Verification
  • Department Compliance Manual
  • Audit Functions
  • Incident Management Process
  • Information Security Fraud Response Group
  • Account Takeover Response Procedures
  • Data Protection Projects
  • Data Leakage Prevention

  14. Next Steps
  • Project Initiation: Form a Red Flags Steering Committee; project kick-off meeting; determine responsibilities; confirm goals, scope, and priorities; establish a project plan.
  • Current State Analysis: Create and deliver risk assessment; identification of gaps; remediation of critical gaps; identify and review possible controls; document current state.
  • Gap Analysis and Findings: Document gaps (current/desired state); document short and long term controls; recommendations; implementation of controls; creation of executive presentation.
  • Documentation: Gather and package applicable materials; policy and procedure development; training materials created; internal communication plan; executive presentation.
  • Implementation: Include any updates to the roadmap or plan; confirm administration responsibilities; distribution of applicable materials; committee confirmation; implement and memorialize.
  • Post-Implementation/Maintenance: Continued updating of the Program; test and verification of controls; improvement opportunities/recommendations; committee confirmation; Program update (annual or as needed).

  15. QUESTIONS?
