Upload
nathaniel-martin
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
© 2009.May not be reproduced by any means. All rights reserved
Designing and Implementing an Effective Red Flags SolutionKurt Roussell
© 2009.May not be reproduced by any means. All rights reserved
What is the problem? Utilities are closing
their local community offices Loss of face to face
interaction with customers
Loss of viewing personal identification
Loss of “local intelligence”
Reps typically learned which customers are “up to something”
Customers have learned it is easy to
Provide false information on the phone
Pretend to be someone else to establish service
Pretend to be the owner of the property
Put children on service Shop around for the less
diligent phone agents
© 2009.May not be reproduced by any means. All rights reserved
The End Result Increase in fraudulent applications for
service Name Personal Identification characteristics
Social security number Date of birth
Name switching Establishing accounts in names of the other
residents to avoid bill payment or to have service restored
© 2009.May not be reproduced by any means. All rights reserved
The End Result Increase in Identity
Theft What is identity theft?
Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.
© 2009.May not be reproduced by any means. All rights reserved
Scope of the Problem
© 2009.May not be reproduced by any means. All rights reserved
Time Spent Resolving Problems2006 Identity Theft Survey Report - FTC
This graph shows the estimated hours spent by victims in resolving problems stemming from ID theft. It does not refer to the amount of time that passed from when the victims discovered the crime to when their problems were resolved.
© 2009.May not be reproduced by any means. All rights reserved
Out of Pocket Payments by Victims2006 Identity Theft Survey Report - FTC
Estimated total out-of-pocket expenses, which include lost wages, legal fees, and payments of any fraudulent debts, as well as miscellaneous expenses such as postage and notarization fees
© 2009.May not be reproduced by any means. All rights reserved
Background The Federal Banking Agencies and the Federal Trade
Commission (FTC) jointly issued rules to the Fair and Accurate Credit Transaction Act of 2003 (FACT). These new laws are referred to as the Red Flag Rules
These rules require financial institutions and creditors to: Develop and implement a written Identity Theft Prevention
Program, Train ‘relevant’ staff to implement the Program, and Report to the Board of Directors, a committee thereof, or senior
management on compliance with the regulations The original deadline for implementation was November 1,
2008, but has been moved back to November 1, 2009! Definition of Identity Theft
A fraud committed or attempted using the identifying information of another person without authority, or,
The creation of a fictitious identity using any single piece of information belonging to a real person because it involves “using the identifying information of another person without authority.”
© 2009.May not be reproduced by any means. All rights reserved
Red Flags The regulation identifies 5 categories of red flags
Alerts, Notifications, or Warnings from a Consumer Reporting Agency, Frauds Address discrepancies
The Presentation of Suspicious Documents alterations Forgeries inconsistencies
Suspicious Personal Identifying Information Inconsistencies from external sources Inconsistent with other information Association to fraudulent activity
Unusual use of, or Suspicious Activity, and Address changes Unusual activity patterns
Notifications or reports from consumers, victims, law enforcement, or others
By a customer A victim of identity theft A law enforcement authority, Any other person (ex. Employee) that has opened a fraudulent account for a
person engaged in identity theft
© 2009.May not be reproduced by any means. All rights reserved
Scope of the Problem
© 2009.May not be reproduced by any means. All rights reserved
What processes do you have in place? Do you have an established written Identity Theft Program?
If not, you will need one by May 2009! Do you have an established training program for your front line
staff? All telephone Consultants have to be trained to perform validations at
the opening of any new account Do you have an established customer authentication program for
every call? Do you validate each caller?
Name Address Social Security number Account number
Do you have a good relationship with your local law enforcement agency? They will refer to you and include you in their identity theft
investigations They will respond to your requests for investigations
Do you have the capability of conducting field visits on suspect applications? We’ve identified $453K YTD in fraudulent applications for service.
© 2009.May not be reproduced by any means. All rights reserved
What is Identity Theft? The Wisconsin Definition 943.201 Unauthorized use of an individual’s
personal identifying information or documents.
(1) In this section: (a) “Personal identification document” means
any of the following: 1. A document containing personal identifying
information. 2. An individual’s card or plate, if it can be used, alone
or in conjunction with another access device, to obtain money, goods, services, or any other thing of value or benefit, or if it can be used to initiate a transfer of funds.
3. Any other device that is unique to, assigned to, or belongs to an individual and that is intended to be used to access services, funds, or benefits of any kind to which the individual is entitled.
© 2009.May not be reproduced by any means. All rights reserved
What is Identity Theft? The Wisconsin Definition (b) “Personal identifying information” means any of
the following information: 1. An individual’s name. 2. An individual’s address. 3. An individual’s telephone number. 4. The unique identifying driver number assigned to the
individual by the department of transportation under s. 343.17 (3) (a)
5. An individual’s social security number. 6. An individual’s employer or place of employment. 7. An identification number assigned to an individual by
his or her employer. 8. The maiden name of an individual’s mother. 9. The identifying number of a depository account, as
defined in s. 815.18 (2) (e), of an individual. 10. An individual’s taxpayer identification number. 11. An individual’s deoxyribonucleic acid profile, as
defined in s. 939.74 (2d) (a).
© 2009.May not be reproduced by any means. All rights reserved
What is Identity Theft? The Wisconsin Definition
12. Any of the following, if it can be used, alone or in conjunction with any access device, to obtain money, goods, services, or any other thing of value or benefit, or if it can be used to initiate transfer of funds:
a. An individual’s code or account number. b. An individual’s electronic serial number, mobile
identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier.
c. Any other means of account access. 13. An individual’s unique biometric data, including
fingerprint, voice print, retina or iris image, or any other unique physical representation.
14. Any other information or data that is unique to, assigned to, or belongs to an individual and that is intended to be used to access services, funds, or benefits of any kind to which the individual is entitled.
15. Any other information that can be associated with a particular individual through one or more identifiers or other information or circumstances.
© 2009.May not be reproduced by any means. All rights reserved
What is Identity Theft? The Wisconsin Definition (2) Whoever, for any of the following purposes, intentionally
uses, attempts to use, or possesses with intent to use any personal identifying information or personal identification document of an individual, including a deceased individual, without the authorization or consent of the individual and by representing that he or she is the individual, that he or she is acting with the authorization or consent of the individual, or that the information or document belongs to him or her is guilty of a Class H felony: (a) To obtain credit, money, goods, services, employment, or any
other thing of value or benefit. (b) To avoid civil or criminal process or penalty. (c) To harm the reputation, property, person, or estate of the
individual. (3) It is an affirmative defense to a prosecution under this
section that the defendant was authorized by law to engage in the conduct that is the subject of the prosecution. A defendant who raises this affirmative defense has the burden of proving the defense by a preponderance of the evidence.
© 2009.May not be reproduced by any means. All rights reserved
What is Identity Theft? The Wisconsin Definition
(4) If an individual reports to a law enforcement agency for the jurisdiction which is the individual’s residence that personal identifying information or a personal identifying document belonging to the individual reasonably appears to be in the possession of another in violation of this section or that another has used or has attempted to use it in violation of this section, the agency shall prepare a report on the alleged violation. If the law enforcement agency concludes that it appears not to have jurisdiction to investigate the violation, it shall inform the individual which law enforcement agency may have jurisdiction. A copy of a report prepared under this subsection shall be furnished upon request to the individual who made the request, subject to payment of any reasonable fee for the copy.
© 2009.May not be reproduced by any means. All rights reserved
What is Identity Theft? Responsibility of a Public Utility 196.23 Utility service for victims of misappropriated
identifying information. (1) If an individual uses personal identifying information of
another individual, without the authorization or consent of the other individual, to apply for and receive service from a public utility and, as a result, the individual whose personal identifying information was used without authorization or consent is unable to obtain service from the public utility, the utility shall provide service to that individual if all of the following apply:
(a) The individual furnishes the public utility an affidavit indicating that to the best of the individual's knowledge his or her personal identifying information was used by another individual, without the authorization or consent of the affiant, to obtain the utility service.
(b) The individual furnishes the public utility a copy of a law enforcement agency report, based on the individual's report to the law enforcement agency of the use by another individual of his or her personal identifying information without authorization or consent to obtain utility service.
(c) The individual otherwise qualifies to receive the service from the utility.
© 2009.May not be reproduced by any means. All rights reserved
What is Identity Theft? Responsibility of a Public Utility
(2) A public utility may contest the accuracy of an affidavit or report furnished by an individual under sub. (1) (a) or (b) by petitioning for a summary investigation under s. 196.28 (1). If a petition is filed, the commission shall conduct a summary investigation. If a hearing is held under s. 196.28 (2) and the commission determines that the conditions of sub. (1) (intro.) have not been met, the public utility is not required to provide utility service under this section to the individual.
© 2009.May not be reproduced by any means. All rights reserved
What are your Red Flags? Alerts, Notifications, Warnings
Do you check for fraud alerts in credit bureau files?
Presentation of suspicious documents Do you validate lease agreements?
Driver's Licenses? Social Security cards? Social Security numbers?
How far do you follow up? Suspicious personal identification information
Inconsistencies with external source info. Do you validate information via credit reports, information providers, skip tracing tools, etc.?
© 2009.May not be reproduced by any means. All rights reserved
What are your Red Flags? Unusual us of, or suspicious activities
How do you handle address changes? What if it is for an additional account at
a new location? Notifications or reports from
consumers, victims, law enforcement, or others?
Is your process written? Is it adhered to and/or consistently
applied?
© 2009.May not be reproduced by any means. All rights reserved
What Red Flags should you be looking for? Repetitive multiple applicants at a disconnected (or
facing disconnection) account. Use of stolen credit cards or checking account
information to prevent disconnection or for a restoration of service.
Inconsistent or fraudulent lease agreements Customer ambiguity on personal identification
information Callers pretending to be property owner (ask probing
questions) The establishment of a new account for an existing
customer who is not cancelling service on their current account, and the bill is being sent to the service address. Our billing system sends a Thank You letter to the original
address thanking them for opening a new account elsewhere. Tenants will pretend to be the owner and place the service in
the owner’s name.
© 2009.May not be reproduced by any means. All rights reserved
What should you validate? Name, address, and social security number
Available through a variety of sources Credit Bureaus
Trans Union, Experian, Equifax Lexis Nexis
Accurint, Choicepoint Acxiom
All changes in tenancy You may have a new person, but the old person
is still there in 40% of the time. Social Security cards and numbers
Work with your local office, they have free tools available to assist you in determining the validity of a social security number
Validate new LLC’s via State websites (if available)
© 2009.May not be reproduced by any means. All rights reserved
Existing Program Review
Review your Start Service process Do you credit check all new applicants? Do you require deposits? Do you accept identification via telephone?
How do you handle existing customers?
How do you handle new applicants to your company?
Do you verify information? Via information providers
(LexisNexis, Acxiom, Accurint, etc.) Any identified gaps/weaknesses?
© 2009.May not be reproduced by any means. All rights reserved
Existing Program Review Identity Theft notifications
Do you have a written process? Has your staff been trained? Who follows up? If so, when? Do you require a written affidavit and
police report? Allegation follow-up
What happens next? Do you immediately remove negative
credit reporting? Do you immediately recall the account(s)
from outside collection agencies?
© 2009.May not be reproduced by any means. All rights reserved
Existing Program Review
Fraudulent transactions Do you track credit card charge backs?
Fraudulent credit card transactions frequently are identity thefts.
What actions do you take? How do you monitor current performance?
Valid metrics to measure fraud and/or fraud attempts
Valid metrics regarding identity theft and/or fraud related losses
How do you train your front-line staff?
© 2009.May not be reproduced by any means. All rights reserved
Customer Validation – Ensuring Your Customer is Who They Claim to Be.
© 2009.May not be reproduced by any means. All rights reserved
Customer Validation Process
© 2009.May not be reproduced by any means. All rights reserved
Positive ID Referral Process Online
form created for Customer Consultants to make referrals to the Positive ID Department for follow-up
© 2009.May not be reproduced by any means. All rights reserved
Positive ID Referral Process The online
form provides all the necessary information to process an applicant
© 2009.May not be reproduced by any means. All rights reserved
How Q&A works Q&A uses a knowledge based authentication
system that utilizes a combination of information from private sources, public records and credit bureaus
It generates questions that the customer should know
Will generate red herring questions Certain questions will “time out” if not answered
quickly enough E.g.: What color is your car?
Configurable parameters Questions asked Pass/Fail ratio Number of allowable attempts over how long a time
period.
© 2009.May not be reproduced by any means. All rights reserved
Improvements to Customer Verification Process Verification is performed on a wider range of
customers Any new customer (never had service with We
Energies) Any additional Y-designation customer (including
spouses) Under Wisconsin Law, any person can present a current
utility bill as proof of residency for the issuance of a State ID or drivers license
Noted exponential increase in the addition of an additional customer on the bill so an ID card can be obtained
© 2009.May not be reproduced by any means. All rights reserved
Data Entry View
© 2009.May not be reproduced by any means. All rights reserved
Accept - results
© 2009.May not be reproduced by any means. All rights reserved
Fail - Results
© 2009.May not be reproduced by any means. All rights reserved
Fail - Detail
© 2009.May not be reproduced by any means. All rights reserved
Customer Fails
An applicant score of 30 or less is cause for concern and further review/investigation.
Low scoring applicants should be referred to a Positive ID location for an in-person application.
Scores of 0 to 20 are ineligible for Instant ID Q&A
© 2009.May not be reproduced by any means. All rights reserved
Live Demo – Instant ID Volunteers Wanted!
© 2009.May not be reproduced by any means. All rights reserved
Q&A Process
© 2009.May not be reproduced by any means. All rights reserved
Implementation of Instant ID Q&A New process developed
Locations where Positive ID indicators exist (recent stop service w/large balance, disconnected for non-payment, meter locked due to owner agreement) the customer is given the option of reporting to a PosID site to complete a written application.
Customers who pass, PosID staff is notified, and the conduct change in tenant investigation
Customers who fail are referred to an agency to complete a written application and provide proof of identification, lease agreement, social security card, etc.
© 2009.May not be reproduced by any means. All rights reserved
How Q&A works Q&A uses a combination of information from
private sources, public records and credit bureaus It generates questions that the customer should
know Will generate red herring questions Certain questions will “time out” if not answered
quickly enough E.g.: What color is your car?
Configurable parameters Questions asked Pass/Fail ratio Number of allowable attempts over how long a time
period.
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A
Highly suspicious customer calls!
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A Question
generated about my ex-wife! I did
answer all questions correctly
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A Passed
test!
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A I used
my ex-wife’s address and fake social security number
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A It knows
I haven’t lived there in years, and the social security number did not match up.
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A Real
name, old address
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A Generate
d questions regarding my son and previously owned vehicle
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A I lied
about son and vehicle
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A I failed –
off to complete a written application I go!
© 2009.May not be reproduced by any means. All rights reserved
Behind the scenes You can
check to find out why a person failed.
This is useful if they escalate a complaint to the Public Service Commission.
© 2009.May not be reproduced by any means. All rights reserved
Live Demo – Instant ID Q&AVolunteers Wanted!
© 2009.May not be reproduced by any means. All rights reserved
Resolving Identity Theft Complaints
© 2009.May not be reproduced by any means. All rights reserved
Identity Theft Procedure
© 2009.May not be reproduced by any means. All rights reserved
Identity Theft Referral Online form was
created for our Customer Contact Centers to refer accounts/situations to our Revenue Protection Department
Revenue Protection awaits forms from victim and will contact victim if not received in a timely manner
© 2009.May not be reproduced by any means. All rights reserved
Identity Theft Allegation
A claim of Identity Theft is not a claim until Customer has submitted a signed and
notarized affidavit A police report alleging the offense
The affidavit Can be created in-house or the
downloaded affidavit from the FTC website Provides you with the authorization to
investigate and validate the information provided
© 2009.May not be reproduced by any means. All rights reserved
Identity Theft Affidavit
© 2009.May not be reproduced by any means. All rights reserved
Identity Theft Affidavit
© 2009.May not be reproduced by any means. All rights reserved
Law enforcement inquiry - Subpoena
© 2009.May not be reproduced by any means. All rights reserved
Release of account information Victim
Has the right to all information regarding the account in their name. Law enforcement will be requiring the victim for copies of all billing information for evidence. Be willing to provide this information.
Do not release the information to any other person or agency unless you have a signed consent form from the victim. Frequently, Police Departments will have the victim sign an authorization to get the information. Keep a copy on file.
Law enforcement inquiries If the account is not in the name of the victim
and the suspect used a credit card, you should require the agency to subpoena the records because the account is in a different name.
© 2009.May not be reproduced by any means. All rights reserved
Investigating ID Theft allegation Law enforcement needs all of the information in the
account including customer and dates of service Customer identification information
Any additional customers on the account Payment and billing information Relevant customer contacts related to the offense.
Frequently, the motive was the disconnection of service and our requiring a payment.
Any proof the payment was provided to you. In regular “identity theft” cases, any documentation
provided to establish service All notes added to the account by the employee
regarding the transaction All proof that payment was received by an outside
vendor (if appropriate)
© 2009.May not be reproduced by any means. All rights reserved
Investigating ID Theft allegation
Any phone recordings and any Caller ID information if available
© 2009.May not be reproduced by any means. All rights reserved
Monitoring Program Compliance
© 2009.May not be reproduced by any means. All rights reserved
Where do we need to be? Developed Key Performance
Indicators (KPI) to evaluate program performance and effectiveness
Percentage customers passed/failed Number of red flags detected Number of new accounts denied Number of fraudulent transactions
detected Losses attributed to identity theft Evidence that your plan actually
works!
© 2009.May not be reproduced by any means. All rights reserved
Identity Theft Statistics
© 2009.May not be reproduced by any means. All rights reserved
Positive ID Monthly Statistics
© 2009.May not be reproduced by any means. All rights reserved
Positive ID Financial Impact
© 2009.May not be reproduced by any means. All rights reserved
Instant ID Q&A Statistics
© 2009.May not be reproduced by any means. All rights reserved
Thank you! Questions & AnswersKurt W. Roussell
Manager – Revenue Protection
We Energies
333 W. Everett St A132A
Milwaukee, WI 53203
414-221-3634