New Developments

In New Developments, internal auditors will find information about the most recent IT and audit research reports and survey results; new IT, security, and privacy legislation; and other news items of importance to auditors.

FTC Releases Three Reports on Identify Theft

According to the U.S. Federal Trade Commission's (FTC's) 2006 Identity Theft Survey (PDF, 2.19 MB), more than 8 million U.S. residents were the victims of identity theft in 2005. Of the victims, 3.7 million experienced misuse of their existing credit card accounts and 1.8 million found that new accounts were opened or other frauds were committed using their personal identifying information. The study, which summarizes the responses of 4,917 adults, also discusses the costs associated with identity theft and the out-of-pocket expenses of victims whose personal information was compromised.

To calculate the costs associated with identity theft, the survey first looked at the value of the goods or services that the thieves obtained using the victim's personal information. In at least half of the incidents, thieves obtained goods or services worth US $500 or less, while in 10 percent of the cases, thieves received at least US $6,000 worth of goods or services. In terms of their out-of-pocket expenses, more than half of the victims experienced no damages. However, 10 percent of victims did incur substantial expenses of US $1,200 or more.

"No one is immune to identity theft," says Lydia B. Parnes, director of the FTC's Bureau of Consumer Protection. "The important thing is that people learn how to deter identity thieves, detect suspicious activity on their financial records, and defend against the crime, should it happen."

To help consumers become better informed about identity theft and evaluate whether they should initiate fraud alerts, the FTC issued To Buy or Not to Buy: Identity Theft Spawns New Products and Services to Help Minimize Risks. This report also enables consumers to determine if they should initiate credit freezes or invest in identity theft products and services, such as credit monitoring. "Consumers have great tools at their disposal in their fight against identity thieves," Parnes adds. "For example, the law gives every consumer the right to get their credit report for free once every 12 months from each of the three national credit reporting companies."

On the regulatory side, the FTC issued Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (PDF, 377 KB), a set of final rules and guidelines on the prevention of identity theft. Completed in partnership with federal financial regulatory agencies, including the U.S. Department of the Treasury, U.S. Federal Deposit Insurance Corp., U.S. Federal Reserve System, and U.S. National Credit Union Administration, the final regulations ask that financial institutions and creditors implement a written identity theft prevention program. In addition, the document also requires that card issuers assess the validity of change of address requests and that consumer report users employ reasonable procedures to verify the subject's identity in the event of an address discrepancy notice.

The regulation and guidelines, which contain a list of 26 red flags that financial institutions and creditors may consider including in their identity theft prevention programs, are effective on Jan. 1, 2008, with mandatory compliance required by Nov. 1, 2008. Red flags include:

  • Using documents for identification purposes that appear altered or forged or that contain a photograph or physical description that is not consistent with the appearance of the applicant or customer presenting the identification.
  • The use of information on identification documents that is not consistent with information provided by the person opening a new account or the customer who is presenting the identification.
  • Presenting an address that does not match any addresses in a consumer report.
  • Providing personal identifying information that is associated with known fraudulent activity as indicated by an internal or third-party source.

When identifying red flags, the guidelines recommend that financial institutions or creditors consider the types of accounts it offers or maintains, the methods it provides to open an account, the way accounts are accessed, and the organization's previous experiences with identity theft. Finally, financial organizations may consider the source of the red flag (i.e., identity theft incidents experienced by the organization, identity theft techniques that the organization has identified as risky, and applicable supervisory guidance) and the type of red flag (i.e., an alert, notification, or warning from a consumer reporting agency; a suspicious document; or suspicious personal identifying information).

For more information about each of these publications, visit the FTP Web site.