Western Independent Banker - September/October 2008 - (Page 20)

ID Theft Rule: Automating the Compliance Process IDENTITY THEFT IS a significant concern for U.S. consumers. It violates financial privacy, destroys credit histories, and ruins good names. For financial institutions, it costs time and money and it can create significant risks to safety and soundness, a phrase that has been all but dropped from the vocabulary of bankers and regulators these days. The ID theft red flags rule requires banks, and other financial institutions to be vigilant and proactive in helping to protect their customers from this serious financial crime. The rule requires them to have controls designed to address the risk of identity theft to consumers and to the safety and soundness of the institution. They must implement a risk-based written Identity Theft Prevention Program containing reasonable policies and procedures to address the risk of identity theft. The program must be board approved and staff must be trained on the program. The mandatory compliance date for the rule is November 2008. “Risk-based” means that financial institutions have greater flexibility in implementing the ID theft program appropriate to its own risk profile. The rule provides a significant degree of flexibility to allow institutions to adapt the requirements to their own individual needs and circumstances. The program is not a one size fits all, but depends on size, and complexity of the financial institution. This risk-sensitive approach will also allow the firm to more easily address evolving identity theft risks, and focus on the areas where the risks are the biggest. Earlier detection of potential risks is key. The rule includes guidelines for financial institutions to identify patterns, practices, and specific forms of activity that indicate possible identity theft in connection with the opening of a new account or an existing account. Appendix J of the rule is a list of 26 early warning signals or red flags. A red flag is a warning or a sense that something isn’t right, and should lead the financial institution to take a closer look. The list helps firms know what to look for when identifying possible fraudulent behaviors. In line with the risk based approach, each financial institution has the flexibility to develop policies and procedures to identify which of the red flags are relevant for them. Yet, assessing the risks of customers and transactions, and monitoring for relevant red flags is no easy task. There are transaction monitoring vendors in the market that can offer tools to help financial institutions support their identity theft prevention programs, assess the risk that they face, and comply with the “Red Flags Rule.” Here are a few examples of what transaction monitoring soft ware programs can do to comply: Focus on risky customers: Automated monitoring tools can identify customers that are at risk of becoming a fraud victim based on their characteristics, such as age, account balance and activity of the account. Soft ware can also help proactively identify customers that could be fraudsters based on their characteristics, such as age, employment status, or residence in a highrisk location. Once these customers are identified they can be more closely monitored for suspicious transactions. Unusual transfers: Soft ware programs can trigger an alert when unusual transfers occur. For example, a phishing victim’s ac- count can show a transfer from the savings account to a current account, and later, another amount is transferred out of the current account to a third party. The soft ware tool knows that the activity is unusual because the frequency is higher (more activity than usual), and the amounts are bigger than is common for the victim’s profi le. Furthermore, the customer has never transferred money to this third party’s account before. This means that the so called “B-account” was new for the victim’s “profi le.” Based on this, the soft ware can generate an alert that can be investigated by the fraud team of the financial institution. Unusual address changes combined with a new card request: In an ID theft scheme, the fraudster can submit an address change on behalf of victim, shortly followed by a request for a new card and PIN. The criminal then uses the new card at ATMs to empty the account. Some transaction monitoring soft ware do not only monitor “transactions,” but also monitor so-called “non-fi nancial events” such as address changes and requests for a new card, and generate an alert if unusual address The ID theft red flags rule requires banks and other financial institutions to be vigilant changes and new card requests and proactive in helping to protect their customers from this serious financial crime. occur within a certain period of time. 20 www.wib.org Western Independent Banker http://www.wib.org

Table of Contents Feed for the Digital Edition of Western Independent Banker - September/October 2008

Western Independent Banker - September/October 2008 Contents A Message from the President & CEO What To Do When Good Employees Go Bad! Remote Deposit Capture: What’s Your Target Market? Remote Deposit Capture: Lessons Learned Debit Decoupling: Part of Larger Merchant Funding Trend Debit at the Speed of Life: A Look at Debit Technologies on the Rise ID Theft Rule: Automating the Compliance Process Lose Paper and Gain Audit Trails Data Loss Prevention: A New Package on an Old Idea Securing Data in Transit Margin Management: Get in the Driver’s Seat Shopping for Cyber Insurance WIB Service Corporation Report WIB Calendar Welcome New Members Index to Advertisers advertiser.com

Western Independent Banker - September/October 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.