SEGMENT 1 :

Deborah Katz, Senior Counsel, Legislative and Regulatory Activities
Office of the Comptroller of the Currency

- The written identity theft prevention program required by the rules;
- The special provision for card issuers that receive a notice of change of address followed by a
  request for an additional card; and
- The requirements applicable to users of consumer reports that receive notices of address
  discrepancies from a nationwide consumer reporting agency.

SEGMENT 2 :

Pavneet Singh, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection
Federal Trade Commission

- Who must comply with the red flags rules
- Identifying covered accounts and conducting a risk assessment
- The written id theft prevention program required by the rules
- The obligations of users of consumer reports who receive notices of address discrepancies from
   nationwide CRAs

SEGMENT 3 :

William H. Henley, Jr., Director, IT Risk Management, Office of Thrift Supervision
Office of Thrift Supervision

FFIEC agencies and FTC released final rule in November 2007
– Implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003
– Defined “red flag” as “a pattern, practice, or specific activity that indicates the possible existence
   of identity theft”
– Agencies received 129 comment letters on proposal
– Complex interagency process with five federal depository institution regulators plus the FTC
– Rule applies to both regulated and non-regulated entities

Outlines steps financial institutions and creditors must take to administer the Program:
- Obtain approval of the initial written Program
- Ensure oversight of the development
- Implementation and overseeing service provider arrangements
- Train staff, as necessary, to effectively implement the Program

Implementation Challenges
- No “Silver Bullet” in Tackling ID Theft
- Flexibility is Important
- Fraudsters constantly change tactics and financial institutions need the flexibility to respond
  to these changes
- A set list of red flags today may not be relevant in the future as fraudsters develop new tactics
- Large, complex financial institutions typically have multiple lines of business with responsibility
  for managing fraud
- Variations in response programs & training programs
- Integration with Existing Programs
- Preamble of rule notes that an institution’s identity theft prevention program may incorporate or
  cross-reference aspects of their security program and that an institution’s customer identification
  program could be incorporated
- No requirement that identity theft program be identical across different lines of business
- Documentation of program
- Current processes already in place although many are not formally documented
- Lines of Business: “we know it when we see it”
- Vendor Management
- Outlining needs
- Negotiating contracts
- Impact on auditing programs (e.g., BITS Shared Assessments)
- Budget/Procurement Cycle
- 11/2008 deadline a challenge for some large firms to incorporate in technology budget cycle
- M&A impact
- Economic pressures
- Securing Board Approval
- Consistency in Regulatory Oversight
- Examination Procedures (in development):
- Impact of consumer compliance vs more risk-based IT driven process


SEGMENT 4 :

Frank Barreca, CEO
GetYourIdentityBack.com, LLC

- The responsibility of consumers in the identity theft crisis.
- Data integrity – Lack of accuracy in public records and credit reporting data.
- Risk Based Data Analysis for Identity Theft.
- Consumer Advocacy Programs for Identity Theft - (Developing Consumer Advocacy Programs).

SEGMENT 5 :

Catherine D. Meyer, Counsel
Pillsbury Winthrop Shaw Pittman LLP

- Vendor management
   • What is required in terms of:
     › Vendor oversight including contracting with vendors
     › Audit of vendors
     › Use of vendors who perform services for other covered companies
     › Detection response issues involving vendors
- Corporate approval of the policies and procedures that are developed, and risk potential issues
   • Availability of enforcement actions by government, consumer, etc.