24 August 2008

FACTA: Red Flags & eCrime...

The "Red Flags" rule has some banks and financial institutions scrambling to get compliant by the upcoming November deadline. The corporate governance and compliance teams are working hard to make sure the Operational Risks associated with the rule are being addressed in a timely and prudent manner:

The Federal Trade Commission (FTC) and five Federal financial regulatory agencies published a series of final rules and guidelines entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act (FACTA) of 2003." Red Flags are relevant indicators of a possible risk of identity theft, and Section 114 of FACTA specifically explains rules about the development and implementation of a written identity theft prevention program. The provision recommends that both financial institutions and creditors in the United States assess the likelihood that their customers' accounts are prone to identity theft, and mandates that they then implement a program to identify, detect and respond to its indicators.

Organizations that have many of the Information Security and Enterprise Risk functions under the CISO or CIO will have to make sure that they are communicating effectively with the Board of Directors, just as they did with SOX. Senior management is on the line when it comes to the security and safety of vital client and customer information.

"Financial institutions or creditors could look at this as a governance strategy to get the Operational Risk objectives on the Board Room agenda," said Peter L. Higgins, Managing Director and Chief Risk Officer of 1SecureAudit. "When Board Members themselves are having their own personal identities compromised by Transnational eCrime Syndicates, senior management can bet that they will have to have their house in order, especially by November 1st." "Our advisory teams are recommending integrated enterprise solutions alongside software tools such as Norkom Technologies, Memento and Actimize to mitigate these specific compliance and eCrime business problems," Higgins said.

And just when the financial institutions have their hands full with ID Theft, so do the health care and medical sectors:

To be sure, the most recent data available suggests medical ID theft affects a relatively small number of people. In 2005, more than 8 million Americans were victims of identity theft, and 3% of them, or about 249,000, had their personal information misused for the purpose of obtaining medical treatment, supplies or services, according to a 2006 study from the Federal Trade Commission.

But state and national lawmakers are beginning to take notice. Starting this year, California extended its security breach law to require companies that handle medical and health-insurance information to notify people when the security of their medical data has been compromised.

In May, the U.S. Health and Human Services Department's Office of the National Coordinator for Health Information Technology awarded a $450,000 contract to Booz Allen Hamilton to study the extent of the nation's medical identity theft problem.

The last to know?

Victims often realize they have a problem when they receive their insurer's explanation of benefits for services they never received, collections companies come calling for charges they didn't incur or their credit report shows changes, Dixon said.

"Right now where we are with medical identity theft is where we were at the beginning of financial identity theft," she said. "We're starting at square one with this crime. The good news here is financial identity theft laws are going to help these victims for debt collection and credit report issues."

