Is Your Company Compliant... Do You Need To Be…?

FACT Act Red Flag Rules ITPP

Who needs to be compliant with the 2008 FACT Act “Red

• Retail/Online Banks and Credit Unions
• Mortgage Lenders / Mortgage Brokers
• Auto Dealers
• Check Cashers
• Equities Brokerage / Notary
• Utility Companies
• Telecommunications
• Hospitals & Health Care Companies
• Debt Collectors
• Insurance
• Credit/Debit Card Issuers
• Foreign Bank Branches

Phil Allen (909) 376-8750 or Richard O’Gorman (951) 316-3356
phil@warranty-guys.com or richard@warranty-guys.com
http://www.warranty-guys.com
Red Flag Compliance Simplified…!

FACT Act
Red Flag Rules
ITPP
Identity Theft Prevention Program

The final regulations list the four basic elements that must be included in the Program of a financial institution or creditor. The Program must contain ‘‘reasonable policies and procedures’’ to:

• Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
• Detect Red Flags that have been incorporated into the Program;
• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
• Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include:

• Obtaining approval of the initial written Program by the board of directors or a committee of the board;
• Ensuring oversight of the development, implementation and administration of the Program;
• Training staff; and
• Overseeing service provider arrangements.

Do you have a written Identity Theft Prevention Program?

Do you have a clearly defined written process for the relevant staff to follow that is based on your organization’s particular needs?

Does the process take into consideration both manual detection processes and the use of a third party electronic ID verification service?

NOTE: If you use an electronic verification service and it was not available, is your staff trained well enough for you to know without a doubt that they could detect a red flag?

Have you completed a risk assessment that includes work flow, past history of ID theft issues, current organization structure and determination of relevant staff?

Have your relevant staff and management been trained on all Red Flags and those specific to your industry and organization?

Have they signed a training log and agreement to comply with Red Flag Rules to protect your organization?

If you are using a third party, or are relying on an automated third party provider such as an electronic ID verification service, to detect customer Red Flags and the provider was no longer available, is the process you are using and the support material good enough that you could still manually detect Red Flags and still be compliant with Red Flag legislation on your own?

Would you be considered a low, medium, or high risk organization based on a risk assessment? (DEPENDING ON HOW YOUR SALES PROCESS WORKS YOU COULD BE ANY ONE OF THOSE.)

For example, most automotive dealers would be considered high risk, yet in a small 4 store group, 2 were considered low risk and 2 were still high risk. Same dealer group. Same management. Virtually all major providers of Red Flag programs are template based and require you to follow their lead and make your own risk assessment, provide your own training or listen to a canned general training online.

A financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider. Thus, a financial institution or creditor that uses a service provider to open accounts will need to provide for the detection, prevention, and mitigation of identity theft in connection with this activity, even when the service provider has access to the information of a person who is not yet, and may not become, a ‘‘customer.’’
Red Flag Rules Compliant…? Maybe — Maybe Not!

Let me ask you a question. Are you compliant?

Before you answer that … If you haven’t tested, updated and trained and retrained your staff, the odds are that your Information Security Program isn’t up to date. Statistically, the odds at this moment are 94% that your organization isn’t compliant with GLB Safeguards. Red Flag Rules pick up where GLB Safeguards left off. It takes both processes done properly, working together, to protect customer nonpublic personal information.

Dealerships are more of a target today than ever before. In the ten years from 1999 to 2008 Identity Theft and Fraud grew more than 1400% and reached epidemic proportions. Identity Theft has been the #1 concern of consumers for the last 9 years.

Let me give you the good news first. The odds of you ever having an FTC audit or receiving an audit letter are slim to none (and Slim done left town).

Let me give you the bad news … It is a virtual certainty that if someone files a complaint directly with the FTC you will be contacted, and secondly – if it gets on the local news, the FTC will come a-calling.

Let me ask you again! Are you absolutely certain that all customer information is properly secured and protected in accordance with your Information Security Plan (ISP)? Is your ISP in writing, does it contain a risk assessment, have you made the corrections the risk assessment found, did you document them, and has it been updated on a periodic basis? Has your staff been trained? Have you been testing the processes you put in place? When the Red Flag audits take place they will look at GLB Safeguards compliance for “financial institutions” and HIPAA compliance for Healthcare.

The odds are you are using a privacy statement that says you don’t share customer information with anyone other than necessary staff and that you maintain physical, electronic, and procedural safeguards. If you are, it is a “legal time bomb” for you. Not a matter of if it will happen – only when it will happen. (Or as we have discovered many times – it has already happened and you didn’t know it.)

You’re thinking – this guy is full of bull. He is just trying to scare me into compliance and to spend money I don’t want to spend right now. You are 100% right and 110% wrong. Every word and every statistic you have read is correct. These are the facts – there is no sugar coating in this message for you.

As a third party vendor – it is my only job to protect you. Not a second, third or fourth job description. I have no problem playing favorites or letting someone slide. I am the guy that tells it like it is – who pulls customer information out of drawers and unlocked file cabinets and can hack your computers and find the weakness in your physical, electronic and procedural security. But I do it FOR you. I do it TO protect you. I am your unbiased, independent, get-you-compliant-now guy. In Star Wars – Yoda said, “Do it or not, there is no try.” Compliance is an always thing – not just when you feel like it.

Even if you do it right you are at risk – but a far lower risk than if you are not compliant and making the effort to stay there. With the new Red Flag Rule – there will be audits and they will look at both Red Flag and GLB Safeguards. Red Flags pick up where GLB Safeguards leave off … to have effective systems you must have both compliance rules working together.

Lee Holden
Compliance Coach, Consultant, & Trainer
Allen O’Gorman Consulting, LLC
“Don’t Settle for Anything Less”
Red Flag Rules Compliant? Maybe Not...!
