EMC Corporation (NYSE: EMC), the world leader in information infrastructure solutions, today announced a new solution designed to help financial institutions and creditors in the United States develop and implement an identity theft prevention program in compliance with the FACTA Identity Theft Red Flags guidelines Section 114 and related regulations. Composed of professional services from EMC Consulting and information-centric security technologies from RSA, The Security Division of EMC, the FACTA Red Flags solution will help financial institutions and creditors meet the November 1, 2008 deadline set by federal bank regulatory agencies to implement a program. The FACTA Red Flags solution from EMC is designed to help organizations build additional customer trust and loyalty, and protect and mitigate risk to information throughout its lifecycle.
"Financial institutions or creditors that are subject to new and changing regulations should view Red Flags detection as a means to an end of achieving overall enhanced information security and IT security governance," said Ken Herbert, Vice President, Global Financial Services Group, Frost & Sullivan. "A holistic view of information security and Red Flag detection helps align IT investment with business objectives — securing customer data, transactions, and identities — and improve customer confidence."
About FACTA Red Flags
- Background: On November 9, 2007, the Federal Trade Commission (FTC) and five Federal financial regulatory agencies published a series of final rules and guidelines entitled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act (FACTA) of 2003." Red Flags are relevant indicators of a possible risk of identity theft and Section 114 of FACTA specifically explains rules about the development and implementation of a written identity theft prevention program. The provision recommends that both financial institutions and creditors in the United States assess the likelihood that their customers' accounts are prone to identity theft, and mandates that they then implement a program to identify, detect and respond to its indicators.
- Prevention & Mitigation: The regulators explicitly state that, in order to prevent and mitigate identity theft, a compliance program must include policies and procedures that address the risk of identity theft in a manner commensurate with the degree of risk posed. They also state that organizations should respond to Red Flags according to the level of risk by taking into account a variety of "aggravating factors," which include data security incidents, suspicious activity, and reports of fraudulent use.
- Examination Procedures: On August 11, 2008, the Office of Thrift Supervision (OTS) issued Red Flags Industry Guidance and Compliance Procedures to those organizations working to meet the November 1, 2008 deadline under the FACTA regulations. OTS has added FACTA compliance to its examination procedures for regulated entities to determine deficiencies in an organization's ability to comply with Red Flags, reviews of audit reports, and verification of a comprehensive, written Red Flags program and a staff trained to implement it.
The EMC FACTA Red Flags Solution
EMC Global Services has created an accelerated process designed to help businesses meet the deadline to comply with FACTA Red Flags guidelines. This new program includes:
- Risk Assessment: Determines how FACTA impacts an organization from a regulatory view and identifies what parts of the organization have the greatest exposure to identity theft;
- FACTA Policies and Procedures: Brings existing fraud, privacy and customer identification procedures together and models changes to account opening processes, authentication checking, transaction monitoring and the reporting of discrepancies back to the consumer reporting agencies;
- Roadmap and Requirements: Helps identify and socialize the needs of the business using a 'current state to future state' roadmap and detailed business requirement documentation;
- Technology Design and Deployment of Red Flags Detection Software: Automates the business requirements across multiple customer channels;
- Identity Theft Prevention Reporting: Includes metrics that measure the effectiveness of an organization's mitigation program and provides summary reports to the customer's management team and Board of Directors;
- Integration: Utilizes third-party customer reporting agency data within existing front- and back-office systems to prevent and detect identity theft;
- Program Management Office: Helps clients establish and maintain a management office for the FACTA program; and
- Quality Assurance: Provides evidence that FACTA business requirements and controls are implemented and performing effectively.
"While most companies have some form of fraud prevention or data security in place, the FACTA Red Flags guidelines require financial institutions and creditors in the United States to do more by making senior management accountable to its Board of Directors for implementing measures that prevent, detect and respond to identity theft events occurring within their organization," said Denis Mayer, Solutions Partner, Enterprise Compliance and Risk Management Practice, EMC Consulting. "EMC's full spectrum of consulting and product offerings for FACTA compliance provides organizations and senior management with whatever solutions best fit their needs — all from a single provider — to help them meet the upcoming FACTA Red Flags deadline."
In addition, RSA's information-centric security products can be implemented to help organizations meet FACTA Red Flags identity theft prevention requirements in four specific ways:
- Verifying Identities without a Prior Relationship: RSA® Identity Verification is a knowledge-based authentication system that presents a user with a series of top-of-mind questions utilizing relevant facts about the individual obtained by scanning dozens of public-record databases.
- Authenticating Customers: RSA® Adaptive Authentication provides monitoring and authentication capabilities based on user activities and risk levels, institutional policies, and customer segmentation. It is deployed at over 8,000 organizations worldwide.
- Monitoring Transactions: RSA® Transaction Monitoring is an invisible back-end fraud monitoring and detection system that identifies fraud without impacting end-users or disrupting existing processes, systems and authentication mechanisms.
- Preventing Phishing: RSA® FraudAction℠ is a real-time fraud protection system against phishing, pharming and Trojan attacks — including 24x7 monitoring and detection, real-time alerts and reporting, forensics and countermeasures, and site blocking and shutdown. At the core of the service is the exclusive RSA 24x7 Anti-Fraud Command Center that has shut down over 97,000 phishing attacks to date and is a key industry source of information on phishing and emerging online threats.
"Our FACTA solutions help spur a broader corporate governance strategy that enables businesses to comply with future regulations and protect information throughout its lifecycle — wherever it is across the organization," said Steve Preston, Senior Director, Compliance Solutions at RSA. "Using our solutions, customers can gain more visibility into their organizations, be better positioned to use that information for heightened business intelligence, and ultimately map their IT security investments directly to business objectives."
EMC Corporation (NYSE: EMC) is the world's leading developer and provider of information infrastructure technology and solutions that enable organizations of all sizes to transform the way they compete and create value from their information. Information about EMC's products and services can be found at www.EMC.com.
Jennifer McManus
RSA, The Security Division of EMC
781-515-6279
jmcmanus@rsa.com
Sanji Maitra
OutCast Communications
(212) 905-6040
sanji@outcastpr.com
RSA and FraudAction are registered trademarks, servicemarks and/or trademarks of RSA Security Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. All other brands, product names, company names, trademarks and service marks are the properties of their respective owners.









