Topic: Identity Theft
-
As part of an internal review of our FCRA practices, we’re being asked if we have policies that address the requirements of 12 CFR 41 and whether the policies include: (a) consumer reporting, (b) consumer reporting disputes, (c) risk-based pricing methodology, (d) identity theft prevention and red flags, (e) affiliate marketing, and (f) vendor oversight. Is there guidance that supports the need for procedures on all of these topics? We are also trying to determine if our bank has a marketing affiliate. Is a shared ownership interest required for entities to be affiliates?
—
Regulation V, which implements the Fair Credit Reporting Act (FCRA), generally requires banks to implement procedures covering the topics listed in your question. In 2011, the Dodd-Frank Act transferred certain rulemaking authority for the FCRA from the OCC to the CFPB. As a result, the OCC removed its FCRA regulations in 12 CFR 41, and…
-
We recently discovered that fictitious checks were written with the name and address of one of our business customers and our name and routing number, but with an invalid account number. Neither we nor our customer experienced any loss due to the fraud, but when reviewing the matter, we learned that Experian allows businesses to place fraud alerts on their business credit files. We also learned that some states have identity theft laws that protect business entities. Does Illinois have any protections for businesses against identity theft?
—
Yes, Illinois recognizes identity theft as a crime against businesses. Under the Illinois Criminal Code, “identity theft” occurs when a person knowingly “uses any personal identifying information or personal identification document of another person to fraudulently obtain credit, money, goods, services, or other property.” “Person” is defined to include a “public or private corporation, government,…
-
An unidentified individual recently cashed several checks totaling about $10,000. The individual used a customer’s ID to cash several forged checks that were drawn on another person’s account. We reimbursed the payor bank for the losses but are not charging the customer. This incident prompted us to review our identity theft policy. When a customer is a victim of identity theft, we generally require them to fill out an ID Theft Affidavit. However, our policy is not clear on whether this incident constituted identity theft. Are there any regulations that would clarify when identity theft occurs? Also, do we need to file a SAR?
—
If your institution’s ID Theft Affidavit is used for purposes of fulfilling the FCRA’s obligations to provide certain records to consumers who are victims of identity theft, we recommend using that law’s definition of an identity theft victim: “a consumer whose means of identification or financial information has been used or transferred (or has been…
-
We flag accounts as inactive after certain periods of inactivity, depending on the account type (but long before five years have passed and the accounts are reported and remitted to the state as abandoned). Some at the bank believe that the best approach is to contact those customers in an effort to remove the “inactive” flag. Are there any reasons why we might want to retain the inactive flag to protect the accounts, by helping us recognize potentially fraudulent activity? We do not charge dormancy or inactivity fees.
—
Ultimately, this is a business decision for the bank. We agree that it may benefit customers to retain an “inactive” flag on accounts that are infrequently used to help recognize potentially fraudulent activity. The Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation state that the use of an inactive account is a red flag…
-
When we receive returned mail from a customer’s address, and make several attempts to contact the customer for an updated address, do we need to continue mailing account statements?
—
No, you are not required to continue mailing periodic statements in this situation. In fact, it may be advisable to discontinue mailing periodic statements to an address that you know to be incorrect, to prevent the statements and the personal financial information contained in them from falling into the wrong hands. We recommend monitoring the…
-
Can we put a stop payment order on a cashier’s check that our bank issued? The customer has been the victim of identity theft and did not order the cashier’s check.
—
No, we do not believe you should issue a stop-payment order on the cashier’s check. The Illinois Supreme Court has held that a cashier’s check is the equivalent of cash. As a general rule, once the cashier’s check enters the stream of commerce, the issuer is liable under the UCC if it refuses to honor…
-
Is there a law requiring us to continue mailing deposit account statements after several have been returned to us as undeliverable? The phone number we have on file has been disconnected, but we are seeing continued debit card transactions on the account.
—
We are not aware of any law or regulation that would require you to continue mailing periodic statements in this situation. Our recommendation is to place a freeze on the customer’s account, which should cause the customer to contact the bank, at which point you will be able to collect the customer’s updated contact information.…
-
We have been reporting driver’s license discrepancies as red flags on our annual reports, even if they are resolved after obtaining proof of the customer’s current address. However, one of our sister institutions does not report resolved discrepancies on its annual report. Which is the correct approach?
—
We do not believe that the Interagency Guidelines on identity theft “red flags” require that your annual board reports include every instance of a discrepancy between the addresses provided on an account application and the applicant’s driver’s license. Of course, this type of instance would be considered a “red flag” under Supplement A to the…