FSA: Auditing FCRA Compliance
Internal auditors should know the issues surrounding protection of consumer information.




Steven Stachowicz, CFA, CRCM, Senior Manager, Protiviti

The accuracy, integrity, and security of consumer credit information have become highly significant consumer and regulatory concerns. Various public and private studies highlight that a sizable percentage of consumer reports contain errors serious enough to affect consumers' applications for credit, insurance, and employment. Further, millions of Americans become victims of identity theft annually, at a cost of tens of billions of dollars to businesses and consumers, not to mention the very personal, and often frustrating, experience for the victims. The Federal Trade Commission (FTC) regularly lists identity theft as a top category of consumer complaints.

These concerns have prompted additional regulatory obligations on furnishers and users of consumer report information. Furnishers include banks and other providers of credit, such as automobile dealers, utility companies, mortgage brokers, telecommunications companies, finance companies, and certain nonbank financial services companies. Institutions that furnish consumer report information or otherwise extend credit to consumers must be aware of the key regulations that affect these activities. Internal auditors should be familiar with these regulatory changes and validate that their institutions have implemented appropriate policies, procedures, and internal controls to ensure compliance with these requirements.

THE FCRA

The Fair Credit Reporting Act (FCRA) establishes rules regarding the collection, communication, and use of consumer report information.
This includes information that reflects a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used, expected to be used, or collected in whole or in part as a factor in determining a consumer's eligibility for credit or insurance for personal, family, or household purposes; for employment purposes; or for any other permissible purpose as defined by the regulation. The most familiar type of consumer report is a credit report, compiled by a consumer reporting agency (CRA) such as TransUnion, Equifax, or Experian. These credit reports contain demographic and account-specific information for an individual consumer, as well as a credit score.

In response to concerns regarding the accuracy and integrity of consumer report information, and to improve the resolution of consumer disputes and prevent identity theft, the United States Congress enacted the Fair and Accurate Credit Transactions Act (FACTA) in 2003. Specific requirements of FACTA have since been implemented piecemeal by regulations promulgated by the federal banking agencies and the FTC, including three new requirements that became effective in 2010 and one that will become effective in 2011. These new requirements are summarized below.

Consumer Reporting

On July 1, 2010, new regulations regarding the accuracy and integrity of consumer reports became effective. These regulations require companies that furnish consumer report information to develop and implement reasonable written policies and procedures regarding the accuracy and integrity of the information furnished to CRAs. Specifically, furnishers should establish standards to:

- Provide information accurately and with integrity about accounts or other relationships with a consumer.
- Update the information it furnishes, as necessary, to reflect the current status of the consumer's account or other relationship.
This article was reprinted with permission from the 1st Quarter, 2011 issue of FSA Times, published by The Institute of Internal Auditors, Inc., www.theiia.org.

Companies must implement procedures to identify any practices that can compromise the accuracy or integrity of information furnished to CRAs. Additionally, they must evaluate the effectiveness of the furnisher's existing policies and procedures regarding the accuracy and integrity of information furnished to CRAs, and the efficacy of the specific methods used to provide information to agencies. Written procedures should address, among other items:

- Using standard data reporting formats and standards for compiling and transmitting the data.
- Furnishing sufficient identifying information about each consumer for whom information is furnished to CRAs, to avoid erroneous association of information with another consumer.
- Training of staff responsible for furnishing information to CRAs.
- Conducting reasonable investigations of disputes related to the accuracy and completeness of consumer report information.
- Implementing appropriate internal controls to ensure the accuracy and integrity of the information furnished.

Companies must be familiar with, and document specifically, how consumer report information is furnished from their systems. Companies also should disseminate this information to their consumer dispute response and internal monitoring functions to enable internal consistency, as well as to detect and respond to deficiencies when they occur.

Consumer Reporting Disputes

Historically, companies that provided consumer report information to CRAs were not obligated to respond to consumer report-related disputes received directly from consumers, though many did for customer service purposes. However, effective July 1, 2010, consumers have the right to dispute consumer report information directly with the company supplying that information, and companies now have an affirmative obligation to respond to such disputes.
Furnishers must conduct reasonable investigations upon receipt of these disputes and must:

- Establish a mechanism to receive such disputes from consumers.
- Develop standards for evaluating the sufficiency of information received from a consumer, including classification of disputes as frivolous or irrelevant.
- Implement a process to investigate and respond to such disputes and to update information furnished previously to CRAs, as necessary.

Although the volume of disputes received directly from customers is far less than that received from customers via CRAs, the same care is required of companies in investigating these disputes.

Risk-based Pricing

On Jan. 1, 2011, new rules issued jointly by the Federal Reserve Board and the FTC to implement the risk-based pricing notice requirements of FACTA became effective. Subject to some exceptions, businesses that extend credit to consumers primarily for personal, household, or family purposes will be required to provide a risk-based pricing notice to consumers in the following circumstances:

- A consumer report is used in connection with providing credit on terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers.
- In the course of an account review, the creditor increases a consumer's annual percentage rate based on a deteriorated credit report.

Among other considerations, the required risk-based pricing notice must state that the terms offered have been set based on information from a consumer report, that the terms offered may be less favorable than those offered to consumers with better credit histories, and that the consumer is encouraged to verify the accuracy of the information contained in the credit report. The final rule includes a model form that creditors may use to make the notice and affords a safe harbor to creditors that use the form.
As an alternative to providing risk-based pricing notices, creditors may provide consumers who apply for credit with a free credit score and information about their score. Creditors will need to develop and implement policies and procedures to address the risk-based pricing notice requirements and will need to ensure that employees are trained on the new requirements.

Identity Theft Prevention Programs

One of the better-known provisions of FACTA is the requirement that creditors develop identity theft red flag programs. Compliance with the federal banking agencies' regulations implementing this provision was mandatory on Nov. 1, 2008, although the effective date of compliance for other creditors has been delayed several times. The red flag regulations require creditors to develop written identity theft prevention programs that enable them to detect, prevent, and mitigate identity theft in connection with the opening and servicing of consumer credit accounts. Companies are expected to:

- Conduct a risk assessment to identify credit accounts subject to this rule and the applicable identity theft red flags.
- Detect and respond to identity theft red flags.
- Monitor identity theft red flag activity to determine whether red flags are resolved timely and appropriately, and determine whether controls operate as intended.
- Develop and present regular reports to senior management and their boards of directors regarding the effectiveness of their programs.
- Provide training to employees.
- Oversee third-party service providers used as part of their programs.
- Update their programs as necessary to reflect their operating environments.

Since compliance for banking organizations became mandatory in 2008, most financial institutions have implemented written programs, deployed training, and developed monitoring routines and management reporting. However, companies have found that the regulations are not fully prescriptive. As a result, they have had to sort through many operational details to implement the requirements. Further, because financial institution operations are not static and external factors also may affect their programs, updates to the programs initially developed have been mandated to meet the regulatory requirements.

The new FCRA regulations pose significant operational challenges to creditors.
Companies should take care to implement programs that meet both the letter and the spirit of these regulations. Forward-thinking companies, however, will view consumer reporting, dispute response, and identity theft prevention programs as opportunities to enhance their customer service and differentiate themselves in the marketplace.

ROLE OF INTERNAL AUDITING

Although the scope of an FCRA audit will vary depending on the nature, size, and complexity of a company, there are certain basic steps that internal auditors should take to validate that a company has effectively and efficiently implemented the FCRA requirements.

Consumer Reporting

- Review the company's documented consumer reporting methodology, including the technological logic by which customers are selected from the institution's system(s) for reporting and how specific information is selected, manipulated, compiled, and ultimately furnished in accordance with industry standards. Auditors well-versed in the company's operations and systems are critical to assessing the accuracy and completeness of this documentation.
- Evaluate the company's regular monitoring of consumer reporting processes for its consistency with the documented consumer reporting program, as well as how effectively potential irregularities are detected and resolved. Monitoring performed by the company also should incorporate feedback from CRAs, the company's personnel, and the dispute resolution processes.
- Determine if the consumer reporting process has been incorporated into the company's change management processes, to ensure that changes in systems and processes do not adversely affect the accuracy and integrity of information furnished.
- Assess how the company provides adequate oversight of third-party vendors responsible for consumer reporting. Although data may be furnished on the company's behalf by its vendor, the company is ultimately responsible for validating the accuracy and completeness of the data, as it will be held accountable by its regulators and customers if deficiencies occur.

Consumer Reporting Disputes

- Document how the company identifies and tracks the receipt of written disputes from its customers and determines that the correspondence is, in fact, a dispute and is complete.
- Understand what constitutes a reasonable investigation and what systems and/or documents the institution reviews. Reliance only upon an institution's systems should be questioned; such a review may not be sufficient when other documentation might more strongly support the dispute investigation.
- Determine how the company has incorporated the consumer reporting methodology documentation into the institution's detailed consumer reporting dispute resolution procedures, for consistency purposes.
- Inquire if and how the company assesses the root cause of disputes received, particularly when inaccuracies are noted and require correction. The company should take steps to avoid refurnishing ("re-polluting") inaccurate information.

Risk-based Pricing

- If the company provides a risk-based pricing notice, validate the methodology selected by the company to provide the notice: specifically, how products, product categories, and material terms have been defined; how the company has identified terms that are materially less favorable; and whether the company has established appropriate procedures to review these determinations periodically for ongoing appropriateness.
- If the company provides a credit score disclosure as an alternative to the risk-based pricing notice and relies upon the CRA (or a third-party reseller of consumer report information) to generate the credit score disclosure, validate that the notice meets the content requirements of the regulation.
- Confirm that the company has incorporated the risk-based pricing notice (or the alternative credit score disclosure) content and delivery requirements into its ongoing monitoring and review procedures.
- Determine if management has trained employees appropriately regarding the new disclosure requirements, particularly those employees with front-line credit origination, servicing account review, and customer service responsibilities.

Identity Theft Prevention Programs

- Validate that the institution has conducted a risk assessment, appropriately identifying covered accounts and relevant identity theft red flags.
- Determine that the company reasonably executes procedures to respond to identity theft red flags (e.g., escalating the referral of red flags for further investigation; validating customer address changes and preventing the issuance of replacement cards until recent address change requests are validated; and taking appropriate action upon the identification of fraud, active duty, or extended alerts noted on a consumer report). Internal auditors should consider reperforming the work to validate that procedures were followed appropriately.
- Assess management and/or board-level reporting. Many companies prepare lengthy reports for the board covering every aspect of the program, rather than focusing primarily on the effectiveness of the institution's identity theft prevention program. Internal auditing should determine if reports call attention to key metrics (e.g., number of red flags detected by account type or line of business, or dollar amount of losses avoided or incurred due to identity theft), significant incidents involving identity theft, and material changes to the program.
- Evaluate the identity theft program training to determine if management provides employees with specific awareness of the company's identity theft prevention program, what accounts are subject to the requirements, and how the company addresses identity theft operationally. Internal auditing should determine if the training provides employees with guidance regarding how to comply in practice with program requirements. Example-based training, such as highlighting specific instances of identity theft and potential losses, may be an effective way to demonstrate the company's program.

It is important for internal auditors to verify the effectiveness of the company's implementation of the regulatory requirements and to perform independent testing to validate transaction-level compliance with internal procedures and standards. However, internal auditors also can provide added value by evaluating how these programs assist their organizations in achieving their customer service and risk management objectives.

Steven Stachowicz, CFA, CRCM, is a senior manager, Regulatory Risk Consulting, with Protiviti in Chicago. To comment on this article, e-mail the FSA Times editor at shannon.steffee@theiia.org.

FSA, 247 Maitland Ave., Altamonte Springs, FL 12345. Tel. 1234567890. Web: http://www.theiia.org/fsa, Email: online@theiia.org