IDENTITY THEFT
Copyright © 2002, CUNA Regulatory Affairs
SUMMARY
Last reviewed by CUNA Staff: May, 2004
Coverage: all credit unions
Citation to the law: The Identity Theft and Assumption Deterrence Act of 1998, 18 USC 1028
Citation to the regulation: NCUA Rules and Regulations, Part 748: Guidelines for Safeguarding Member Information, 12 CFR 748
Effective Date: On-going
WHAT IS IDENTITY THEFT?
Identity theft occurs when someone appropriates another individual’s personal information without that person’s knowledge to commit fraud
or theft. An identity thief co-opts another person’s name, Social Security number, credit card number, or some other piece of personal
information for their own use. Identity thieves may obtain personal information through a number of means, including:
- Stealing wallets that contain personal identification information, credit cards, ATM cards, etc.;
- Stealing financial statements from the mail;
- Diverting mail from its intended recipients by submitting a change of address form;
- Rummaging through trash for personal data;
- Stealing personal information from workplace records; and/or
- Intercepting personal information transmitted electronically.
Identity theft can take many forms, from “account takeovers” (where a thief uses someone’s existing account as his or her own), to
opening new accounts, obtaining loans and buying merchandise in another person’s name.
LAWS ADDRESSING IDENTITY THEFT
Identity theft was officially named a crime by an Act of Congress in 1998. The Identity Theft and Assumption Deterrence Act, which
became effective October 30, 1998, makes it a Federal crime to knowingly use, without lawful authority, a means of identification of another
person with the intent to commit a crime, among other things. The Act imposes penalties of up to 15 years imprisonment, and a maximum fine
of $250,000.
The law enables the Secret Service, the Federal Bureau of Investigation, and other law enforcement agencies to combat identity theft;
allows for the identity theft victim to seek restitution if there is a conviction; and establishes the Federal Trade Commission as a central
agency to act as a clearinghouse for complaints, referrals, and resources for assisting victims of identity theft.
Depending upon the circumstances, identity theft may also violate a number of other federal statutes, such as:
A number of states have also passed laws to address identity theft.
In addition, the Gramm-Leach-Bliley Financial Modernization Act (G-L-B) of 2000 prohibits the making of false or fraudulent statements or
representations to an officer, employee or agent of a financial institution, or to a customer of a financial institution to obtain
customer/member information (15 USC 6821); see Pretexting below.
NCUA’s PRIVACY & SECURITY REGULATIONS
There are no “identity theft” regulations, per se. However, two NCUA regulations do address protection of members’ personal financial
information: Parts 716 and 748 of NCUA’s Rules and Regulations, which are applicable to all federally-insured credit unions.
Part 716 of NCUA’s Rules and Regulations implements the privacy provisions of the G-L-B Act. The regulation requires all federally
insured credit unions to have a privacy policy and provide certain disclosures and notices to individuals about whom credit unions collect
non-public personal information. It also restricts a credit union's ability to disclose non-public personal information, including giving
individuals in some cases an opportunity to opt out of the disclosure.
Federally-insured credit unions are required by Part 748 of NCUA’s Rules and Regulations to establish a security program addressing the
safeguards for customer records and information. The safeguards are intended to: insure the security and confidentiality of customer records
and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against any
unauthorized access to or use of such records or information that would result in substantial harm or inconvenience to any customer.
PRETEXTING
There are a number of ways thieves obtain information on consumers. One is the practice of “pretexting” or “pretext calling,” i.e.,
obtaining personal information under false pretenses. A pretext caller will contact the credit union, posing as the member, in order to
obtain access to the member’s personal account information. Identity thieves may use the information themselves, or sell the information to
others. The information is sometimes sold to debt collection services, private investigators, or attorneys for use in court
proceedings.
Pretexting violates the Fair Credit Reporting Act and the Gramm-Leach-Bliley Financial Modernization Act (G-L-B) of 2000. Section 521 of
G-L-B specifically prohibits the following practices when used to obtain customer/member information from a financial institution:
- Making, or attempting to make, a false representation or statement to an officer or employee of a financial institution;
- Making, or attempting to make, a false representation or statement to a customer of a financial institution; and
- Providing, or attempting to provide, a forged or fictitious document to an officer or employee of a financial institution.
Operation Detect Pretext. In January of 2001, the FTC’s Division of Financial Practices rolled out “Operation Detect Pretext” in an
effort to protect consumers from businesses that obtain their customer information under false pretenses. As part of the operation, FTC
staff monitor Web sites and print media advertisements offering financial searches to ensure compliance with Gramm-Leach-Bliley’s privacy
provisions, as well as other applicable federal laws. For more information, refer to the FTC Web site at
www.ftc.gov.
IDENTITY THEFT PREVENTION
There are a number of steps credit unions can take to detect and prevent identity theft. NCUA’s Letter to Credit Unions No. 00-CU-02,
“Identity Theft Prevention,” suggests the following:
- Develop a comprehensive written privacy protection policy that includes responsible information handling practices. The privacy
policy should address privacy and information handling for all the sensitive data held by the credit union, including data gathered from
a website. The policy should cover all staff and officials of the credit union and their dealings with persons outside the credit
union.
- Display your credit union’s Privacy Protection Policy in your literature and on your Web site.
- All staff, including credit union volunteers, should be trained on the credit union’s security measures and privacy protection
policies. Review and update the policies routinely and provide follow-up training. Even temporary and part-time employees, independent
consultants, and vendors should have information on, and be subject to, the written policies.
- Conduct criminal and civil background checks before hiring employees who will have access to sensitive personal information.
This includes screening services and temporary firms that the credit union uses, such as after hours cleaning companies.
- Limit the credit union’s data collection to the information that is necessary for the stated purpose, and nothing more.
- Limit data disclosure. Restrict the addition of unnecessary data on printed documents. For example, avoid printing social security
numbers on documents such as pay or loan distribution checks, parking permits, staff badges, time sheets, mailing labels, account
statements, etc.
- Prohibit using birth dates, social security, or driver’s license numbers as account or personal identifier numbers.
- Restrict sensitive personal data to only those who have a legitimate need to know. Implement electronic audit trails and impose
strict penalties for browsing and illegitimate access.
- Conduct better identity verification for instant credit, especially when an address is recently changed or is different from the
credit report. Don’t rely solely on social security numbers. Supplement with utility bills, tax records, etc.
- Train your staff to recognize and address incidents in which identity thieves use persuasive social engineering skills to obtain
the pieces of information they need to complete identity theft.
- Put photographs on credit cards and staff business cards.
- Truncate digits on account numbers printed on transaction slips at point of sale terminals.
- Use account profiling systems to detect unusual activity. Notify members of potential fraudulent activity.
- Avoid mass mailing pre-approved offers of credit.
- Keep all information about employees locked in cabinets or encrypted data files. Establish data security procedures for those
with legitimate access to the files.
- Encrypt sensitive personal and confidential information. Conduct “systems penetration tests” to determine if systems are “hacker
proof.”
- Ensure the credit union protects itself from “business identity theft,” such as mimic Web sites that entice your members to
believe they are interacting online with the credit union.
- Adopt secure methods of disposing of sensitive personal information. Consider industrial shredders, locked garbage bins, etc.
If disposal is outsourced, assure such companies have strict security procedures. Consider shredding software to delete confidential
information from electronic data files.
- Train designated staff about security procedures in sending sensitive personal information via fax. Such faxes should have a
confidential cover letter (prohibiting re-disclosure), and the recipient should be called before sending, and called after, to confirm
receipt.
- Prohibit the transmission of sensitive personal information by voicemail, cellular phones, pagers, answering machines, or
e-mail, unless encrypted or sent via a secure network. None of these means of transmission is private or secure.
- Train customer service or fraud department staff how to work with identity theft victims. By helping the victim clear their
record, you will limit your legal exposure to the victim.
- Don’t share, sell, or transmit data about members without their permission. Guarding that information will limit your legal
exposure if that information subjects your member to identity theft.
- Allow your members to inspect and correct their personal information. This practice will not only increase members’ trust in
your information handling practices, it will improve the accuracy of your files.
- Take every opportunity to become informed about financial fraud and identity theft. Join a local financial crimes group. Your
local police or sheriff’s department can inform you of such groups.
HELPING THE VICTIMS OF IDENTITY THEFT
Credit unions with experience in dealing with identity theft have utilized the following procedures to help the victims of this crime:
- If you suspect that someone is attempting to obtain information concerning a member’s identity for fraudulent purposes, be sure
to report the matter to the appropriate authorities and file a Suspicious Activity Report (SAR).
- Advise the member to file a report with the local police department, or the police department where the identity theft took
place. Members should obtain a copy of the report in case creditors or others need proof of the crime later on.
- Close the member’s accounts, including share and share draft accounts, and any credit cards. Open these accounts using new
account numbers, and password-protect them so that only the member can obtain credit, gain access to the account, etc.
- Follow the procedures in Regulation E (electronic fund transfers) and Regulation Z (credit cards) for unauthorized transactions.
(See Regulation E, Section 205.11 and Regulation Z, Section 226.13).
- Advise the member to get his or her credit report from all three credit reporting agencies and begin the process of contacting
each creditor with whom the member believes his or her identity may have been fraudulently used. Also, have the credit reporting
agencies put a memo on the member’s file that requires a password for anyone applying for credit using his or her identity.
- Provide members with the Federal Trade Commission’s Identity Theft Toll-Free Hotline at 1-877-ID-THEFT (438-4338); TDD:
202-326-2502, or its Web address; and information on the “ID Theft Survival Kit.” The FTC also conducts Victim
Assistance Workshops from time to time that may be of use to the member.
Copyright © 2009 - Credit Union National Association, Inc.