Corporate Compliance Insights

Substantial Support from State Attorneys General on Identity Theft Rules

AGs Champion a More Modern Approach to Authentication

by Michael Magrath
April 9, 2019
in Featured, Financial Services

In February, 31 state Attorneys General signed a letter endorsing the Identity Theft Rules and acknowledging the need for more secure authentication practices. OneSpan’s Michael Magrath discusses.

It is not every day that 62 percent of the state Attorneys General collaborate and present a unified response to the federal government. On February 11, 2019, 31 AGs signed a letter to Donald Clark, Secretary of the Federal Trade Commission (FTC), in response to the FTC’s December 4 request for comment on the Identity Theft Rules, 16 C.F.R. Part 681, Project No. 188402.

The Identity Theft Rules (“the Rules”), known as the “Red Flags Rule” and the “Card Issuers Rule,” “require financial institutions and some creditors to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent it and mitigate its damage.” Only these entities have the ability to stop a fraudulent account from being opened at their own place of business or to notify a consumer of a change of address in conjunction with a request for an additional or replacement card, which is a strong indicator that the account may have been taken over by an identity thief.

The AGs note that “the Rules complement the laws of states that have enacted laws requiring entities to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information.”

The Aging Practice of Knowledge-Based Authentication

It is refreshing to read that AGs know there are more secure ways to protect consumer identities. After numerous complaints filed by citizens, the AGs are well aware of the common practice of knowledge-based authentication – answering a series of questions based on information contained in one’s credit report.

KBA used to be an effective method to verify the identity of individuals online. In order to pass, an individual must correctly answer the questions presented and must provide answers within a given amount of time to prevent fraudsters from conducting online research to find one’s pet’s name, for example.

With so many large-scale breaches spanning multiple vertical markets, millions of consumers have been victimized in at least one of them, leaving personally identifiable information exposed and for sale on the dark web.  

Shifting to More Secure Practices

As banks, financial services and health care organizations and other entities move to streamline and secure the customer onboarding experience, many have dropped KBA altogether and have migrated to the latest digital onboarding technologies. Last May, the president signed the Economic Growth, Regulatory Relief and Consumer Protections Act into law. The law removes some of the regulatory red tape that financial institutions must navigate to ensure compliance. Key language in the act includes the use of a driver’s license or personal identity card. As the law states, “when an individual initiates a request through an online service to open an account with a financial institution or obtain a financial product or service from a financial institution, the financial institution may record personal information from a scan of the driver’s license or personal identification card of the individual, or make a copy or receive an image of the driver’s license or personal identification card of the individual, and store or retain such information in any electronic format.”

By leveraging the numerous capabilities built into the latest smartphones, individuals can begin the process of opening a bank account via an app that captures their driver’s license, validates its authenticity and pairs it with a “selfie.” Using advanced facial recognition to ensure that the photo on the driver’s license matches the selfie, the bank has high confidence that the individual is the person he or she claims to be.

This approach addresses several of the items listed in the “Suspicious Documents” section of the current Rules, including:

  • Documents provided for identification appear to have been altered or forged.
  • The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
  • Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
  • Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.

The AGs also note that “with information gleaned from data breaches or publicly available on social media sites, identity thieves can be better than consumers at answering knowledge-based authentication questions because they have the data in front of them, whereas consumers need to try to recollect events that happened years prior. Thus, even if a person can provide some authenticating information, identity thieves may not be sufficiently screened from opening or accessing an account. Therefore, we would delete example number #18 [see below] and instead encourage more modern forms of authentication, such as multi-factor authentication.”

Example #18
For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Multi-Factor Authentication

To clarify, multi-factor authentication (MFA) will certainly be effective to prevent account takeover, but for multi-factor authentication to be effective, it must be bound to a verified identity, thus creating a “trusted user;” for the security of the transaction, the authentication event needs to be performed on a trusted device. Many but not all organizations have deployed MFA to replace passwords to authenticate users. MFA comes in many forms, with each offering varying levels of friction and security. 

Complementing identity verification and MFA is real-time risk analysis, which delivers dynamic protection against fraudulent activities across multiple channels – identifying risk at critical steps, predicting risk levels and taking quick action when fraud patterns are identified. The risk analysis works silently in the background to collect and score activities and operations based on intelligent analysis of behavioral, contextual, qualitative and quantitative data, as well as by challenging unusual patterns and stepping up security where required.

All too often, federal agencies do not share information or try to reinvent the wheel. As the FTC updates the Red Flags Rule, it ideally should include the provisions noted in the Economic Growth, Regulatory Relief and Consumer Protections Act to enable organizations to digitally onboard consumers via scans of a driver’s license. As a consumer, I certainly hope the FTC embraces the comments provided by 62 percent of the state Attorneys General, which include multi-factor authentication.


Tags: Banking
Michael Magrath

Michael Magrath is vice president of global standards and regulations at OneSpan and is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is co-chair of the FIDO Alliance’s government deployment working group and is on the board of directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the board of directors for the Identity Ecosystem Steering Group (IDESG) and was chair of the Health Information Management Systems Society (HIMSS) identity management task force. Prior to OneSpan, he served as director for identity solutions for DrFirst, a leading U.S. health IT solution provider, where he focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).
