Red Flags Risk Assessment Matrix

Testing sections covered by this matrix:
- Deposit Testing (Checking, Savings and Safe Deposit Boxes)
- Lending Testing (Consumer and Commercial)
- Premier Finance Co. Testing
- Bank Cards Testing
- Investment Co. Testing
- Mortgage Department Testing
Deposit Products - Including all Checking and Savings Accounts and Safe Deposit Boxes

| Category | # | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis |
|---|---|---|---|---|---|---|---|
| Alerts, Notifications or Warnings From a Consumer Reporting Agency | 1 | A fraud or active duty alert is included with a consumer report. | | | | | |
| | 2 | A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. | | | | | |
| | 3 | A consumer reporting agency provides a notice of address discrepancy, as defined in 334.82(b) of this part. | | | | | |
| | 4 | A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: | | | | | |
| | 4A | A recent and significant increase in the volume of inquiries | | | | | |
| | 4B | An unusual number of recently established credit relationships | | | | | |
| | 4C | A material change in the use of credit, especially with respect to recently established credit relationships | | | | | |
| | 4D | An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. | | | | | |
| Suspicious Documents | 5 | Documents provided for identification appear to have been altered or forged | X | X | X | Bank Secrecy Act Program, Section 140 | |
| | 6 | The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification | X | X | X | Bank Secrecy Act Program, Section 140 | |
| | 7 | Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification | X | X | X | Bank Secrecy Act Program, Section 140 | |
| | 8 | Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check | X | X | X | Bank Secrecy Act Program, Section 140 | |
| | 9 | An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled | X | X | X | Bank Secrecy Act Program, Section 140 | |
                                           Available from BankersOnline.com/tools 09-08-08
Deposit Products (continued)

| Category | # | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis |
|---|---|---|---|---|---|---|---|
| Suspicious Personal Identifying Information | 10 | Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: | | | | | |
| | 10A | The address does not match any address in the consumer report; | X | X | X | Bank Secrecy Act Program, Section 140 | |
| | 10B | The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File | | | | | This Red Flag was not addressed in the information provided |
| | 11 | Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth | X | X | X | Bank Secrecy Act Program, Section 140 | |
| | 12 | Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: | | | | | |
| | 12A | The address on an application is the same as the address provided on a fraudulent application; | | | | | This Red Flag was not addressed in the information provided |
| | 12B | The phone number on an application is the same as the number provided on a fraudulent application. | | | | | This Red Flag was not addressed in the information provided |
| | 13 | Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: | | | | | This Red Flag was not addressed in the information provided |
| | 13A | The address on an application is fictitious, a mail drop, or prison | | | | | This Red Flag was not addressed in the information provided |
| | 13B | The phone number is invalid, or is associated with a pager or answering service | | | | | This Red Flag was not addressed in the information provided |
| | 14 | The SSN provided is the same as that submitted by other persons opening an account or other customers | | | | | This Red Flag was not addressed in the information provided |
| | 15 | The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers | | | | | This Red Flag was not addressed in the information provided |
| | 16 | The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete | | | | | This Red Flag was not addressed in the information provided |
| | 17 | Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor. | X | X | X | Bank Secrecy Act Program, Section 140 | |
| | 18 | For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. | | | | | This Red Flag was not addressed in the information provided |
Deposit Products (continued)

| Category | # | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis |
|---|---|---|---|---|---|---|---|
| Unusual Use of, or Suspicious Activity Related to the Covered Account | 19 | Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account | | | | | This Red Flag was not addressed in the information provided |
| | 20 | A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example: | | | | | This Red Flag was not addressed in the information provided |
| | 20A | The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry) | | | | | This Red Flag was not addressed in the information provided |
| | 20B | The customer fails to make the first payment or makes an initial payment but no subsequent payments | | | | | This Red Flag was not addressed in the information provided |
| | 21 | A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: | | | | | This Red Flag was not addressed in the information provided |
| | 21A | Nonpayment when there is no history of late or missed payments | | | | | This Red Flag was not addressed in the information provided |
| | 21B | A material increase in the use of available credit | | | | | This Red Flag was not addressed in the information provided |
| | 21C | A material change in purchasing or spending patterns | | | | | This Red Flag was not addressed in the information provided |
| | 21D | A material change in electronic fund transfer patterns in connection with a deposit account | | | | | This Red Flag was not addressed in the information provided |
| | 21E | A material change in telephone call patterns in connection with a cellular phone account | | | | | This Red Flag was not addressed in the information provided |
| | 22 | A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors) | | | | | This Red Flag was not addressed in the information provided |
| | 23 | Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account | | | | | This Red Flag was not addressed in the information provided |
| | 24 | The financial institution or creditor is notified that the customer is not receiving paper account statements | | | | | This Red Flag was not addressed in the information provided |
| | 25 | The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account | | | | | This Red Flag was not addressed in the information provided |
| Notice From Others | 26 | The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft. | X | X | X | OPM - Identity Theft Procedures | |
Lending Products - Including all Consumer and Commercial Loans

| Category | # | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis |
|---|---|---|---|---|---|---|---|
| Alerts, Notifications or Warnings From a Consumer Reporting Agency | 1 | A fraud or active duty alert is included with a consumer report. | X | X | X | LAM, Part VIII | |
| | 2 | A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. | X | X | X | LAM, Part VIII | |
| | 3 | A consumer reporting agency provides a notice of address discrepancy, as defined in 334.82(b) of this part. | X | X | X | LAM, Part VIII | |
| | 4 | A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: | | | | | |
| | 4A | A recent and significant increase in the volume of inquiries | | | | | This Red Flag was not addressed in the information provided |
| | 4B | An unusual number of recently established credit relationships | | | | | This Red Flag was not addressed in the information provided |
| | 4C | A material change in the use of credit, especially with respect to recently established credit relationships | | | | | This Red Flag was not addressed in the information provided |
| | 4D | An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. | | | | | This Red Flag was not addressed in the information provided |
| Suspicious Documents | 5 | Documents provided for identification appear to have been altered or forged | X | X | X | Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII | |
| | 6 | The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification | X | X | X | Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII | |
| | 7 | Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification | X | X | X | Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII | |
| | 8 | Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check | X | X | X | Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII | |
| | 9 | An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled | X | X | X | Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII | |
Suspicious Personal Identifying Information

10  Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
    A  The address does not match any address in the consumer report;
       Detection: X   Mitigation: X   Response: X
       Policy/Procedures: Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII
    B  The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File
       Gap Analysis: This Red Flag was not addressed in the information provided

11  Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII

12  Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    A  The address on an application is the same as the address provided on a fraudulent application;
       Gap Analysis: This Red Flag was not addressed in the information provided
    B  The phone number on an application is the same as the number provided on a fraudulent application.
       Gap Analysis: This Red Flag was not addressed in the information provided

13  Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    Gap Analysis: This Red Flag was not addressed in the information provided
    A  The address on an application is fictitious, a mail drop, or prison
       Gap Analysis: This Red Flag was not addressed in the information provided
    B  The phone number is invalid, or is associated with a pager or answering service
       Gap Analysis: This Red Flag was not addressed in the information provided

14  The SSN provided is the same as that submitted by other persons opening an account or other customers
    Gap Analysis: This Red Flag was not addressed in the information provided

15  The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers
    Gap Analysis: This Red Flag was not addressed in the information provided

16  The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete
    Gap Analysis: This Red Flag was not addressed in the information provided

17  Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Bank Secrecy Act Program Procedures, Section 140; LAM, Part VIII

18  For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
    Gap Analysis: This Red Flag was not addressed in the information provided


Unusual Use of, or Suspicious Activity Related to the Covered Account

19  Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account
    Gap Analysis: This Red Flag was not addressed in the information provided

20  A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
    Gap Analysis: This Red Flag was not addressed in the information provided
    A  The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry)
       Gap Analysis: This Red Flag was not addressed in the information provided
    B  The customer fails to make the first payment or makes an initial payment but no subsequent payments
       Gap Analysis: This Red Flag was not addressed in the information provided

21  A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
    Gap Analysis: This Red Flag was not addressed in the information provided
    A  Nonpayment when there is no history of late or missed payments
       Gap Analysis: This Red Flag was not addressed in the information provided
    B  A material increase in the use of available credit
       Gap Analysis: This Red Flag was not addressed in the information provided
    C  A material change in purchasing or spending patterns
       Gap Analysis: This Red Flag was not addressed in the information provided
    D  A material change in electronic fund transfer patterns in connection with a deposit account
       Gap Analysis: This Red Flag was not addressed in the information provided
    E  A material change in telephone call patterns in connection with a cellular phone account
       Gap Analysis: This Red Flag was not addressed in the information provided

22  A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors)
    Gap Analysis: This Red Flag was not addressed in the information provided

23  Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account
    Gap Analysis: This Red Flag was not addressed in the information provided

24  The financial institution or creditor is notified that the customer is not receiving paper account statements
    Gap Analysis: This Red Flag was not addressed in the information provided

25  The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account
    Gap Analysis: This Red Flag was not addressed in the information provided

Notice From Others

26  The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: OPM - Identity Theft Procedures
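As an added illustration, not part of the matrix or of any institution's procedures, the following Python screens a batch of new-account applications for the conditions in items 12, 14, 15, 16 and 17 of the Suspicious Personal Identifying Information group above; the sample records, the internal known-fraud list and the sharing threshold are constructed assumptions.

```python
"""Screen new-account applications against Red Flags 12, 14, 15, 16 and 17 of the
Suspicious Personal Identifying Information group.  Added illustration: the
records, the internal known-fraud list and the threshold are constructed."""
import re
from collections import defaultdict

REQUIRED_FIELDS = ("name", "ssn", "dob", "address", "phone")

# Red Flag 15 speaks of an "unusually large number" of other persons; what
# counts as unusual is the institution's call.  Assumed value for this example.
SHARED_CONTACT_THRESHOLD = 3


def normalize(value):
    """Lower-case and strip everything but letters/digits so that differently
    formatted but "similar" addresses or phone numbers (Red Flag 15) compare equal."""
    return re.sub(r"[^a-z0-9]", "", (value or "").lower())


def screen_applications(applications, known_fraud, on_file):
    """Return {application_id: sorted list of red-flag codes raised}.

    applications: dicts with an "id" plus the REQUIRED_FIELDS
    known_fraud:  {"addresses": [...], "phones": [...]} taken from prior
                  fraudulent applications (internal source, Red Flag 12)
    on_file:      {ssn: {"name": ..., "dob": ...}} for existing customers
                  (Red Flag 17)
    """
    flags = defaultdict(set)

    # Count distinct applicants sharing each SSN, address and phone number.
    by_ssn, by_addr, by_phone = defaultdict(set), defaultdict(set), defaultdict(set)
    for app in applications:
        for key, index in (("ssn", by_ssn), ("address", by_addr), ("phone", by_phone)):
            norm = normalize(app.get(key))
            if norm:
                index[norm].add(app["id"])

    fraud_addrs = {normalize(a) for a in known_fraud.get("addresses", [])}
    fraud_phones = {normalize(p) for p in known_fraud.get("phones", [])}

    for app in applications:
        aid = app["id"]
        ssn, addr, phone = (normalize(app.get(k)) for k in ("ssn", "address", "phone"))

        # Red Flag 16: required personal identifying information not provided.
        if any(not app.get(f) for f in REQUIRED_FIELDS):
            flags[aid].add("16")

        # Red Flag 12A / 12B: address or phone seen on a fraudulent application.
        if addr and addr in fraud_addrs:
            flags[aid].add("12A")
        if phone and phone in fraud_phones:
            flags[aid].add("12B")

        # Red Flag 14: the same SSN submitted by another person opening an account.
        if ssn and len(by_ssn[ssn]) > 1:
            flags[aid].add("14")

        # Red Flag 15: address or phone shared by an unusually large number of applicants.
        if (addr and len(by_addr[addr]) >= SHARED_CONTACT_THRESHOLD) or (
            phone and len(by_phone[phone]) >= SHARED_CONTACT_THRESHOLD
        ):
            flags[aid].add("15")

        # Red Flag 17: PII inconsistent with what is already on file for this SSN.
        record = on_file.get(app.get("ssn"))
        if record and (
            record.get("dob") != app.get("dob")
            or normalize(record.get("name")) != normalize(app.get("name"))
        ):
            flags[aid].add("17")

    return {aid: sorted(codes) for aid, codes in flags.items()}


# Constructed sample batch (no real persons or data).
SAMPLE_APPLICATIONS = [
    {"id": "A1", "name": "Pat Example", "ssn": "000-00-0001", "dob": "1980-01-01",
     "address": "1 Main St, Anytown", "phone": "555-0100"},
    {"id": "A2", "name": "Chris Sample", "ssn": "000-00-0001", "dob": "1975-05-05",
     "address": "2 Oak Ave, Anytown", "phone": "555-0101"},  # reuses A1's SSN
    {"id": "A3", "name": "Lee Test", "ssn": "000-00-0003", "dob": "1990-09-09",
     "address": "9 Drop Box Rd", "phone": "555-0102"},       # address on fraud list
    {"id": "A4", "name": "Sam Demo", "ssn": "", "dob": "1985-02-02",
     "address": "", "phone": "555-0199"},                    # SSN and address missing
    {"id": "A5", "name": "Jo Alpha", "ssn": "000-00-0005", "dob": "1970-03-03",
     "address": "7 Shared Pl", "phone": "555-0199"},
    {"id": "A6", "name": "Jo Beta", "ssn": "000-00-0006", "dob": "1971-04-04",
     "address": "7 Shared Pl", "phone": "555-0199"},
    {"id": "A7", "name": "Jo Gamma", "ssn": "000-00-0007", "dob": "1972-05-05",
     "address": "7 SHARED PL.", "phone": "(555) 0199"},      # same contact data, other formatting
]
SAMPLE_KNOWN_FRAUD = {"addresses": ["9 Drop Box Rd"], "phones": []}
SAMPLE_ON_FILE = {"000-00-0001": {"name": "Pat Example", "dob": "1980-01-01"}}

if __name__ == "__main__":
    hits = screen_applications(SAMPLE_APPLICATIONS, SAMPLE_KNOWN_FRAUD, SAMPLE_ON_FILE)
    for aid in sorted(hits):
        print(aid, hits[aid])
```

Each raised code maps back to a row of the matrix, so a batch run of this kind is one way to produce evidence for the Detection column on rows the Gap Analysis currently marks as not addressed.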
XYZ Finance - Including all XYZ Co. Loans (i.e. RE Secured, Unsecured, Dealer)
Columns: Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis

Alerts, Notifications or Warnings From a Consumer Reporting Agency

1   A fraud or active duty alert is included with a consumer report.
    Gap Analysis: This Red Flag was not addressed in the information provided

2   A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
    Gap Analysis: This Red Flag was not addressed in the information provided

3   A consumer reporting agency provides a notice of address discrepancy, as defined in 334.82(b) of this part.
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Premier Finance Policies and Procedures, Section III
    Gap Analysis: This Red Flag was not addressed in the information provided

4   A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
    A  A recent and significant increase in the volume of inquiries
       Gap Analysis: This Red Flag was not addressed in the information provided
    B  An unusual number of recently established credit relationships
       Gap Analysis: This Red Flag was not addressed in the information provided
    C  A material change in the use of credit, especially with respect to recently established credit relationships
       Gap Analysis: This Red Flag was not addressed in the information provided
    D  An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
       Gap Analysis: This Red Flag was not addressed in the information provided

Suspicious Documents

5   Documents provided for identification appear to have been altered or forged
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Premier Finance Policies and Procedures, Section II

6   The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Premier Finance Policies and Procedures, Section II

7   Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Premier Finance Policies and Procedures, Section II

8   Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Premier Finance Policies and Procedures, Section II

9   An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Premier Finance Policies and Procedures, Section II




Suspicious Personal Identifying Information

10  Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
    A  The address does not match any address in the consumer report;
       Detection: X   Mitigation: X   Response: X
       Policy/Procedures: Premier Finance Policies and Procedures, Section II
    B  The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File
       Gap Analysis: This Red Flag was not addressed in the information provided

11  Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth
    Detection: X   Mitigation: X   Response: X
    Policy/Procedures: Premier Finance Policies and Procedures, Section II

12  Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    A  The address on an application is the same as the address provided on a fraudulent application;
       Gap Analysis: This Red Flag was not addressed in the information provided
    B  The phone number on an application is the same as the number provided on a fraudulent application.
       Gap Analysis: This Red Flag was not addressed in the information provided

13  Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    Gap Analysis: This Red Flag was not addressed in the information provided
    A  The address on an application is fictitious, a mail drop, or prison
       Gap Analysis: This Red Flag was not addressed in the information provided
    B  The phone number is invalid, or is associated with a pager or answering service
       Gap Analysis: This Red Flag was not addressed in the information provided

14  The SSN provided is the same as that submitted by other persons opening an account or other customers
    Gap Analysis: This Red Flag was not addressed in the information provided

15  The address or telephone number provided is the same as or similar to the
    Gap Analysis: This Red Flag was not addressed in the
                                                       15 account number or telephone number submitted by an unusually large                                                                      information provided
                                                          number of other persons opening accounts or other customers

                                                          The person opening the covered account or the customer fails to provide all
                                                                                                                                                                                         This Red Flag was not addressed in the
                                                    16    required personal identifying information on an application or in response to                                                           information provided
                                                          notification that the application is incomplete

                                                          Personal identifying information provided is not consistent with personal                         Premier Finance Policies
                                                    17                                                                                          X   X   X
                                                          identifying information that is on file with the financial institution or creditor.               and Procedures, Section II

                                                          For financial institutions and creditors that use challenge questions, the
                                                          person opening the covered account or the customer cannot provide                                                              This Red Flag was not addressed in the
                                                    18                                                                                                                                            information provided
                                                          authenticating information beyond that which generally would be available
                                                          from a wallet or consumer report.




                                              Available on Bankersonline.com/tools 09-08-08
Category: Unusual Use of, or Suspicious Activity Related to the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account
    Gap Analysis: This Red Flag was not addressed in the information provided

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
    Gap Analysis: This Red Flag was not addressed in the information provided
    A. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry)
       Gap Analysis: This Red Flag was not addressed in the information provided
    B. The customer fails to make the first payment or makes an initial payment but no subsequent payments
       Gap Analysis: This Red Flag was not addressed in the information provided

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
    Gap Analysis: This Red Flag was not addressed in the information provided
    A. Nonpayment when there is no history of late or missed payments
       Gap Analysis: This Red Flag was not addressed in the information provided
    B. A material increase in the use of available credit
       Gap Analysis: This Red Flag was not addressed in the information provided
    C. A material change in purchasing or spending patterns
       Gap Analysis: This Red Flag was not addressed in the information provided
    D. A material change in electronic fund transfer patterns in connection with a deposit account
       Gap Analysis: This Red Flag was not addressed in the information provided
    E. A material change in telephone call patterns in connection with a cellular phone account
       Gap Analysis: This Red Flag was not addressed in the information provided

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors)
    Gap Analysis: This Red Flag was not addressed in the information provided

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account
    Gap Analysis: This Red Flag was not addressed in the information provided

24. The financial institution or creditor is notified that the customer is not receiving paper account statements
    Gap Analysis: This Red Flag was not addressed in the information provided

25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account
    Gap Analysis: This Red Flag was not addressed in the information provided

Category: Notice From Others

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
    Gap Analysis: This Red Flag was not addressed in the information provided
Bank Cards (Stockman's Bank)

Columns: Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis

Category: Alerts, Notifications or Warnings From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in 334.82(b) of this part.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
    A. A recent and significant increase in the volume of inquiries
    B. An unusual number of recently established credit relationships
    C. A material change in the use of credit, especially with respect to recently established credit relationships
    D. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Category: Suspicious Documents

5. Documents provided for identification appear to have been altered or forged

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification

8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled
Category: Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
    A. The address does not match any address in the consumer report;
    B. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    A. The address on an application is the same as the address provided on a fraudulent application;
    B. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
    A. The address on an application is fictitious, a mail drop, or prison
    B. The phone number is invalid, or is associated with a pager or answering service

14. The SSN provided is the same as that submitted by other persons opening an account or other customers

15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers

16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Category: Unusual Use of, or Suspicious Activity Related to the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
    A. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry)
    B. The customer fails to make the first payment or makes an initial payment but no subsequent payments

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
    A. Nonpayment when there is no history of late or missed payments
    B. A material increase in the use of available credit
    C. A material change in purchasing or spending patterns
    D. A material change in electronic fund transfer patterns in connection with a deposit account
    E. A material change in telephone call patterns in connection with a cellular phone account

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors)

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account

24. The financial institution or creditor is notified that the customer is not receiving paper account statements

25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account

Category: Notice From Others

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Investment Co.

Columns: Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis

Category: Alerts, Notifications or Warnings From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in 334.82(b) of this part.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
    A. A recent and significant increase in the volume of inquiries
    B. An unusual number of recently established credit relationships
    C. A material change in the use of credit, especially with respect to recently established credit relationships
    D. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Category: Suspicious Documents

5. Documents provided for identification appear to have been altered or forged
    Gap Analysis: This Red Flag was not addressed in the information provided

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification
    Gap Analysis: This Red Flag was not addressed in the information provided

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification
    Gap Analysis: This Red Flag was not addressed in the information provided

8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check
    Gap Analysis: This Red Flag was not addressed in the information provided

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled
    Gap Analysis: This Red Flag was not addressed in the information provided
Suspicious Personal Identifying Information

No. | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis
10 | Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: | - | - | - | - | -
10.A | The address does not match any address in the consumer report; | - | - | - | - | This Red Flag was not addressed in the information provided
10.B | The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File | - | - | - | - | This Red Flag was not addressed in the information provided
11 | Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth | - | - | - | - | This Red Flag was not addressed in the information provided
12 | Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: | - | - | - | - | -
12.A | The address on an application is the same as the address provided on a fraudulent application; | - | - | - | - | This Red Flag was not addressed in the information provided
12.B | The phone number on an application is the same as the number provided on a fraudulent application. | - | - | - | - | This Red Flag was not addressed in the information provided
13 | Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: | - | - | - | - | This Red Flag was not addressed in the information provided
13.A | The address on an application is fictitious, a mail drop, or prison | - | - | - | - | This Red Flag was not addressed in the information provided
13.B | The phone number is invalid, or is associated with a pager or answering service | - | - | - | - | This Red Flag was not addressed in the information provided
14 | The SSN provided is the same as that submitted by other persons opening an account or other customers | - | - | - | - | This Red Flag was not addressed in the information provided
15 | The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers | - | - | - | - | This Red Flag was not addressed in the information provided
16 | The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete | - | - | - | - | This Red Flag was not addressed in the information provided
17 | Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor. | - | - | - | - | This Red Flag was not addressed in the information provided
18 | For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. | - | - | - | - | This Red Flag was not addressed in the information provided




Unusual Use of, or Suspicious Activity Related to the Covered Account

No. | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis
19 | Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account | - | - | - | - | This Red Flag was not addressed in the information provided
20 | A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example: | - | - | - | - | This Red Flag was not addressed in the information provided
20.A | The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry) | - | - | - | - | This Red Flag was not addressed in the information provided
20.B | The customer fails to make the first payment or makes an initial payment but no subsequent payments | - | - | - | - | This Red Flag was not addressed in the information provided
21 | A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: | - | - | - | - | This Red Flag was not addressed in the information provided
21.A | Nonpayment when there is no history of late or missed payments | - | - | - | - | This Red Flag was not addressed in the information provided
21.B | A material increase in the use of available credit | - | - | - | - | This Red Flag was not addressed in the information provided
21.C | A material change in purchasing or spending patterns | - | - | - | - | This Red Flag was not addressed in the information provided
21.D | A material change in electronic fund transfer patterns in connection with a deposit account | - | - | - | - | This Red Flag was not addressed in the information provided
21.E | A material change in telephone call patterns in connection with a cellular phone account | - | - | - | - | This Red Flag was not addressed in the information provided
22 | A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors) | - | - | - | - | This Red Flag was not addressed in the information provided
23 | Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account | - | - | - | - | This Red Flag was not addressed in the information provided
24 | The financial institution or creditor is notified that the customer is not receiving paper account statements | - | - | - | - | This Red Flag was not addressed in the information provided
25 | The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account | - | - | - | - | This Red Flag was not addressed in the information provided

Notice From Others

No. | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis
26 | The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft. | - | - | - | - | This Red Flag was not addressed in the information provided




Mortgage Department

Alerts, Notifications or Warnings From a Consumer Reporting Agency

No. | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis
1 | A fraud or active duty alert is included with a consumer report. | X | X | X | PHH Procedures, Appendix B | -
2 | A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. | X | X | X | PHH Procedures, Appendix B | -
3 | A consumer reporting agency provides a notice of address discrepancy, as defined in 334.82(b) of this part. | X | X | X | PHH Procedures, Appendix B | -
4 | A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: | - | - | - | - | -
4.A | A recent and significant increase in the volume of inquiries | - | - | - | - | This Red Flag was not addressed in the information provided
4.B | An unusual number of recently established credit relationships | - | - | - | - | This Red Flag was not addressed in the information provided
4.C | A material change in the use of credit, especially with respect to recently established credit relationships | - | - | - | - | This Red Flag was not addressed in the information provided
4.D | An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. | - | - | - | - | This Red Flag was not addressed in the information provided

Suspicious Documents

No. | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis
5 | Documents provided for identification appear to have been altered or forged | X | X | X | PHH Procedures, Appendix D-6 | -
6 | The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification | X | X | X | PHH Procedures, Appendix D-6 | -
7 | Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification | X | X | X | PHH Procedures, Appendix D-6 | -
8 | Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check | X | X | X | PHH Procedures, Appendix D-6 | -
9 | An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled | X | X | X | PHH Procedures, Appendix D-6 | -




Suspicious Personal Identifying Information

No. | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis
10 | Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: | - | - | - | - | -
10.A | The address does not match any address in the consumer report; | X | X | X | PHH Procedures, Appendix D | -
10.B | The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File | - | - | - | - | This Red Flag was not addressed in the information provided
11 | Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth | X | X | X | PHH Procedures, Appendix D-6 | -
12 | Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: | - | - | - | - | -
12.A | The address on an application is the same as the address provided on a fraudulent application; | - | - | - | - | This Red Flag was not addressed in the information provided
12.B | The phone number on an application is the same as the number provided on a fraudulent application. | - | - | - | - | This Red Flag was not addressed in the information provided
13 | Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: | - | - | - | - | This Red Flag was not addressed in the information provided
13.A | The address on an application is fictitious, a mail drop, or prison | - | - | - | - | This Red Flag was not addressed in the information provided
13.B | The phone number is invalid, or is associated with a pager or answering service | - | - | - | - | This Red Flag was not addressed in the information provided
14 | The SSN provided is the same as that submitted by other persons opening an account or other customers | - | - | - | - | This Red Flag was not addressed in the information provided
15 | The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers | - | - | - | - | This Red Flag was not addressed in the information provided
16 | The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete | X | X | X | PHH Procedures, Appendix D-6 | -
17 | Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor. | - | - | - | - | This Red Flag was not addressed in the information provided
18 | For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report. | - | - | - | - | -




Unusual Use of, or Suspicious Activity Related to the Covered Account

No. | Red Flag | Detection | Mitigation | Response | Policy/Procedures | Gap Analysis
19 | Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account | - | - | - | - | This Red Flag was not addressed in the information provided
20 | A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example: | - | - | - | - | This Red Flag was not addressed in the information provided
20.A | The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry) | - | - | - | - | This Red Flag was not addressed in the information provided
20.B | The customer fails to make the first payment or makes an initial payment but no subsequent payments | - | - | - | - | This Red Flag was not addressed in the information provided
                                                                                   A covered account is used in a manner that is not consistent with           This Red Flag was not addressed in the
                                                                                  established patterns of activity on the account. There is, for example:               information provided

                                                                                           Nonpayment when there is no history of late or missed               This Red Flag was not addressed in the
                                                                                    A                                                                                   information provided
                                                                                           payments
                                                                                                                                                               This Red Flag was not addressed in the
                                                                                    B       A material increase in the use of available credit                          information provided

                                                                           21                                                                                  This Red Flag was not addressed in the
                                                                                    C       A material change in purchasing or spending patterns                        information provided

                                                                                            A material change in electronic fund transfer patterns in          This Red Flag was not addressed in the
                                                                                    D                                                                                   information provided
                                                                                            connection with a deposit account

                                                                                            A material change in telephone call patterns in connection         This Red Flag was not addressed in the
                                                                                    E                                                                                   information provided
                                                                                            with a cellular phone account
                                                                                  A covered account that has been inactive for a reasonably lengthy
                                                                                                                                                               This Red Flag was not addressed in the
                                                                           22 period of time is used (taking into consideration the type of account, the                information provided
                                                                                         expected pattern of usage and other relevant factors)
                                                                              Mail sent to the customer is returned repeatedly as undeliverable
                                                                                                                                                               This Red Flag was not addressed in the
                                                                           23 although transactions continue to be conducted in connection with the                     information provided
                                                                              customer’s covered account
                                                                                The financial institution or creditor is notified that the customer is not     This Red Flag was not addressed in the
                                                                           24                                                                                           information provided
                                                                                receiving paper account statements

                                                                                The financial institution or creditor is notified of unauthorized charges or   This Red Flag was not addressed in the
                                                                           25
                                                                                transactions in connection with a customer’s covered account                            information provided


                                                                              The financial institution or creditor is notified by a customer, a victim of
Others
Notice
From




                                                                                                                                                               This Red Flag was not addressed in the
                                                                           26 identity theft, a law enforcement authority, or any other person that it has              information provided
                                                                              opened a fraudulent account for a person engaged in identity theft.




Red Flags Risk Assessment Matrix (Overview)

Columns: Product / Area Affected | Impact | Inherent Likelihood | Inherent Risk | Controls | Residual Likelihood | Residual Risk | Status | Responsible Party | Completion Date
(The Completion Date column is blank for every row.)

Deposit Ops                                   Responsible Party: Jean Doe
Controls (each row): Policies and procedures backed by HR accountability; PRWT is looking into electronic solutions (i.e. Net Economy, BANKDetect) - currently using PPO; Employee Training; Job Functions - Exception Report Monitoring; Vendor Management policies and procedures

  Checking Accounts     Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 3 | Residual Risk 15
                        Status: Will remain on watch list until decisions are made concerning RDC and upgrades of e-Funds (Chex Systems) are completed
  Savings Accounts      Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 1 | Residual Risk 5
  Safe Deposit Boxes    Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 1 | Residual Risk 5

Consumer Lending
Controls (each row): Policies and Procedures backed by HR Accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management policies and procedures.

  Term Loans            Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 1 | Residual Risk 5    Responsible Party: Jack Doe
  Lines of Credit       Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 2 | Residual Risk 10   Responsible Party: Jack Doe
  Consumer Bank Cards   Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 5 | Residual Risk 25   Responsible Party: Joe Doe
  Commercial Bank Cards Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 5 | Residual Risk 25   Responsible Party: Joe Doe
                        Status (both Bank Cards rows): Decisions are being made in regards to Bank Cards. These will be under the care of Joe Doe until the changes are finalized.

Credit Administration                         Responsible Party: Joe Doe
Controls (each row): Policies and Procedures backed by HR Accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management policies and procedures.

  Commercial Term Loans      Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 1 | Residual Risk 5
  Commercial Lines of Credit Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 2 | Residual Risk 10
                        Status (both rows): 07/30/08 - Joe Doe is verifying that he indeed is the appropriate responsible party for this area in regards to Red Flags. Follow up at next meeting.

Investment Company                            Responsible Party: Roger Doe
Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, LPL Compliance

  Investment Products   Impact 5 | Inherent Likelihood 3 | Inherent Risk 15 | Residual Likelihood 2 | Residual Risk 10

Premier Finance Company                       Responsible Party: Joe Doe / Jeff Doe

  Dealer Loans          Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 2 | Residual Risk 10
                        Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Dealer Due Diligence, Vendor Management policies and procedures.
  Non RE Loans          Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 1 | Residual Risk 5
                        Controls: Policies and Procedures backed by HR Accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management policies and procedures.
  RE Loans              Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 1 | Residual Risk 5
                        Controls: Policies and Procedures backed by HR Accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management policies and procedures.

Premier Mortgage Division                     Responsible Party: Joe Doe / Jeff Doe

  Mortgage Loans        Impact 5 | Inherent Likelihood 5 | Inherent Risk 25 | Residual Likelihood 1 | Residual Risk 5
                        Controls: Policies and Procedures backed by HR Accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management policies and procedures.




Risk Assessment Process Chart
Product: Checking Accounts (Includes all checking accounts offered by PRWT)

Area Affected: Deposit Ops          Author: Jean Doe

Obtaining Product
  Face to Face: X     On-Line: not marked     Phone: not marked     Mail: not marked

Accessing Product
  Face to Face: X     Online: X               Wires: X              Telephone Transfers: X
  EFT: X              ATM/Debit Card: X       Mail: X               Check: X

Third Party Arrangements
  Service Providers: 5th 3rd Bank, S1 & Check Free, Deluxe/Harland, Chex Systems, Precision Credit LLC, V-Soft
  Joint Ventures: none listed
  Other: none listed

Threats (every threat below is marked X)
  Counterfeit or Altered ID; False - Incomplete Info; Pretext Calling; Forged Signature
  Incorrect or Fictitious Address; Bogus SSN; Bogus Phone #; Phishing for user name and password
  Pharming for customer login information; Obtaining user name and password via spyware; Address Changes; Hacking into your online banking software
  Guessing Login info - do not require complex and changing passwords; Employees tricked into resetting passwords; Obtaining passwords through lack of customer safeguards; Social engineering your employees into deviating from normal procedures
Red Flags Addressed

Alerts, Notifications or Warnings from a Consumer Reporting Agency
 1. A fraud or active duty alert is included with a consumer report.
 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
 3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part.
 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Controls: Policies and procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (i.e. Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring

Suspicious Documents
 5. Documents provided for identification appear to have been altered or forged.
 6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
 7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
 8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
 9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Controls: Policies and procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (i.e. Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring

Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Controls: Policies and procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (i.e. Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring

Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.

Controls: Policies and procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (i.e. Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts held by the financial institution or creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Controls: Policies and procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (i.e. Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring

                                                       Risk Assessment
Impact:                            5        Residual Likelihood:                  3
Inherent Likelihood:               5        Residual Risk:                       15
Inherent Risk:                    25
Gap Analysis - Action Plan - Comments:
Residual scores reflect the controls already in place and the upcoming upgrades to e-Funds through Chex Systems, which mitigate risk; the Remote Deposit Capture service increases risk.
Risk Assessment Process Chart
Product: Savings Accounts (Includes all savings accounts offered by PRWT)

Area Affected: Deposit Ops          Author: Jean Mickson

Obtaining Product
  Face to Face: X     On-Line: not marked     Phone: not marked     Mail: not marked

Accessing Product
  Face to Face: X     Online: X               Wires: X              Telephone Transfers: X
  EFT: X              ATM/Debit Card: X       Mail: X               Withdrawal Slips: X

Third Party Arrangements
  Service Providers: 5th 3rd Bank, S1 and Chex Systems
  Joint Ventures: none listed
  Other: none listed

Threats (every threat below is marked X)
  Counterfeit or Altered ID; False - Incomplete Info; Pretext Calling; Forged Signature
  Incorrect or Fictitious Address; Bogus SSN; Bogus Phone #; Phishing for user name and password
  Pharming for customer login information; Obtaining user name and password via spyware; Address Changes; Hacking into your online banking software
  Guessing Login info - do not require complex and changing passwords; Employees tricked into resetting passwords; Obtaining passwords through lack of customer safeguards; Social engineering your employees into deviating from normal procedures
                                                                Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency
 1. A fraud or active duty alert is included with a consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for
a consumer report. 3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part. 4. A consumer report
indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant
increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with
respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial
institution or creditor.

Controls: Policies and Procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (e.g., Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged. 6. The photograph or physical description on the
identification is not consistent with the appearance of the applicant or customer presenting the identification. 7. Other information on the identification is not
consistent with information provided by the person opening a new covered account or customer presenting the identification. 8. Other information on the
identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent
check. 9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Controls: Policies and Procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (e.g., Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor.
For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on
the Social Security Administration’s Death Master File. 11. Personal identifying information provided by the customer is not consistent with other personal
identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth. 12. Personal identifying
information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For
example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the
same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the
financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The phone number is invalid, or is
associated with a pager or answering service. 14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of
other persons opening accounts or other customers. 16. The person opening the covered account or the customer fails to provide all required personal
identifying information on an application or in response to notification that the application is incomplete. 17. Personal identifying information provided is not
consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating
information beyond that which generally would be available from a wallet or consumer report.

Controls: Policies and Procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (e.g., Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring
Unusual Use of, or Suspicious Activity Related to, the Covered Account
 19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement
cards or a cell phone, or for the addition of authorized users on the account. 20. A new revolving credit account is used in a manner commonly associated with
known patterns of fraud patterns. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash
(e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment
when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending
patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in
connection with a cellular phone account. 22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration
the type of account, the expected pattern of usage and other relevant factors). 23. Mail sent to the customer is returned repeatedly as undeliverable although
transactions continue to be conducted in connection with the customer’s covered account. 24. The financial institution or creditor is notified that the customer is
not receiving paper account statements. 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a
customer’s covered account.


Controls: Policies and Procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (e.g., Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in
Connection with Covered Account held by the financial institution or creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has
opened a fraudulent account for a person engaged in identity theft.
Controls: Policies and Procedures backed by HR Accountability - Vendor Management Policies and Procedures
PRWT is looking into electronic solutions (e.g., Net Economy, BANKDetect) - Currently using PPO
Employee Training
Job Functions - Exception Report Monitoring

Risk Assessment
  Impact: 5
  Inherent Likelihood: 5
  Inherent Risk: 25
  Residual Likelihood: 1
  Residual Risk: 5
Gap Analysis - Action Plan - Comments:
Residuals are due to controls in place, lack of Bank experience with ID theft on savings accounts, limited card access (ATM only),
and the future upgrade of e-Funds through Chex Systems.
Risk Assessment Process Chart
Product: Safe Deposit
Area Affected: Deposit Ops
Author: Jean Doe

Obtaining Product (X = applies, - = does not apply)
  Face to Face: X
  On-Line: -
  Phone: -
  Mail: -

Accessing Product
  Face to Face: X
  Online: -
  Wires: -
  Telephone Transfers: -
  EFT: -
  ATM/Debit Card: -
  Mail: -
  Check: -

Third Party Arrangements
  Service Providers: Precision Credit LLC
  Joint Ventures: -
  Other: -

Threats
  Counterfeit or Altered ID: X
  False - Incomplete Info: X
  Pretext Calling: X
  Forged Signature: X
  Incorrect or Fictitious Address: X
  Bogus SSN: X
  Bogus Phone #: X
  Phishing for user name and password: -
  Pharming for customer login information: -
  Obtaining user name and password via spyware: -
  Address Changes: X
  Hacking into your online banking software: -
  Guessing Login info - do not require complex and changing passwords: -
  Employees tricked into resetting passwords: -
  Obtaining passwords through lack of customer safeguards: -
  Social engineering your employees into deviating from normal procedures: X
                                                 Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a
consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer
report. 3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part. 4. A
consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or
customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established
credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships;
or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Controls: Policies and Procedures, Employee Training, Vendor Management Policies and Procedures

Suspicious Documents
5. Documents provided for identification appear to have been altered or forged. 6. The photograph or
physical description on the identification is not consistent with the appearance of the applicant or customer presenting the
identification. 7. Other information on the identification is not consistent with information provided by the person opening a new
covered account or customer presenting the identification. 8. Other information on the identification is not consistent with readily
accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. 9. An
application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Controls: Policies and Procedures, Employee Training, Vendor Management Policies and Procedures
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared
against external information sources used by the financial institution or creditor. For example: a. The address does not match
any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social
Security Administration’s Death Master File. 11. Personal identifying information provided by the customer is not consistent with
other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN
range and date of birth. 12. Personal identifying information provided is associated with known fraudulent activity as indicated
by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the
same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number
provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or
third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail
drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service. 14. The SSN provided is
the same as that submitted by other persons opening an account or other customers. 15. The address or telephone number
provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other
persons opening accounts or other customers. 16. The person opening the covered account or the customer fails to provide all
required personal identifying information on an application or in response to notification that the application is incomplete. 17.
Personal identifying information provided is not consistent with personal identifying information that is on file with the financial
institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer
cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Controls: Policies and Procedures, Employee Training, Vendor Management Policies and Procedures

Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of
address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell
phone, or for the addition of authorized users on the account. 20. A new revolving credit account is used in a manner commonly
associated with known patterns of fraud patterns. For example: a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first
payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is,
for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available
credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in
connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone
account. 22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration
the type of account, the expected pattern of usage and other relevant factors). 23. Mail sent to the customer is returned
repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements. 25. The financial
institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Controls: Policies and Procedures, Employee Training, Vendor Management Policies and Procedures

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible
Identity Theft in Connection with Covered Account held by the financial institution or creditor
26. The financial institution
or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened
a fraudulent account for a person engaged in identity theft.

Controls: Policies and Procedures, Employee Training, Vendor Management Policies and Procedures

Risk Assessment
  Impact: 5
  Inherent Likelihood: 5
  Inherent Risk: 25
  Residual Likelihood: 1
  Residual Risk: 5
Gap Analysis - Action Plan - Comments:
Residuals are due to controls in place, the future upgrade to e-Funds through Chex Systems,
and minimal fraud involving safe deposit boxes.
Risk Assessment Process Chart
Product: Consumer Term Loans (Includes all consumer term loans offered by PRWT)
Area Affected: Consumer Lending
Author: Jack Doe

Obtaining Product (X = applies, - = does not apply)
  Face to Face: X
  On-Line: -
  Phone: X
  Mail: X

Accessing Product
  Face to Face: X
  Online: X
  Wires: X
  Telephone Transfers: -
  EFT: -
  ATM/Debit Card: -
  Mail: X
  Check: -

Third Party Arrangements
  Service Providers: Appraisers, Title Companies, Credit Bureaus, Collection Agencies, DMV
  Joint Ventures: -
  Other: -

Threats
  Counterfeit or Altered ID: X
  False - Incomplete Info: X
  Pretext Calling: X
  Forged Signature: X
  Incorrect or Fictitious Address: X
  Bogus SSN: X
  Bogus Phone #: X
  Phishing for user name and password: X
  Pharming for customer login information: X
  Obtaining user name and password via spyware: X
  Address Changes: X
  Hacking into your online banking software: X
  Guessing Login info - do not require complex and changing passwords: X
  Employees tricked into resetting passwords: X
  Obtaining passwords through lack of customer safeguards: X
  Social engineering your employees into deviating from normal procedures: X
                                                          Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report. 2. A
consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. 3. A consumer reporting agency
provides a notice of address discrepancy, as defined in §334.82(b) of this part. 4. A consumer report indicates a pattern of activity that is
inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of
inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to
recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial
institution or creditor.

Controls: Policies and Procedures backed by HR Accountability, Vendor Management Policies and Procedures, Employee Training, Job
Functions and Exception Report Monitoring
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged. 6. The photograph or physical
description on the identification is not consistent with the appearance of the applicant or customer presenting the identification. 7. Other
information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting
the identification. 8. Other information on the identification is not consistent with readily accessible information that is on file with the financial
institution or creditor, such as a signature card or a recent check. 9. An application appears to have been altered or forged, or gives the
appearance of having been destroyed and reassembled.

Controls: Policies and Procedures backed by HR Accountability, Vendor Management Policies and Procedures, Employee Training, Job
Functions and Exception Report Monitoring
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external
information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report;
or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File. 11. Personal
identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For
example, there is a lack of correlation between the SSN range and date of birth. 12. Personal identifying information provided is associated with
known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address
on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the
number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party
sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The
phone number is invalid, or is associated with a pager or answering service. 14. The SSN provided is the same as that submitted by other persons
opening an account or other customers. 15. The address or telephone number provided is the same as or similar to the account number or
telephone number submitted by an unusually large number of other persons opening accounts or other customers. 16. The person opening the
covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that
the application is incomplete. 17. Personal identifying information provided is not consistent with personal identifying information that is on file with
the financial institution or creditor.


18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide
authenticating information beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR Accountability, Vendor Management Policies and Procedures, Employee Training, Job
Functions and Exception Report Monitoring
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered
account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized
users on the account. 20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For
example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a.
Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in
purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material
change in telephone call patterns in connection with a cellular phone account. 22. A covered account that has been inactive for a reasonably
lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors). 23. Mail
sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s
covered account. 24. The financial institution or creditor is notified that the customer is not receiving paper account statements. 25. The financial
institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.


Controls: Policies and Procedures backed by HR Accountability, Vendor Management Policies and Procedures, Employee Training, Job
Functions and Exception Report Monitoring
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in
Connection with Covered Account held by the financial institution or creditor
26. The financial institution or creditor is notified by a
customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged
in identity theft.

Controls: Policies and Procedures backed by HR Accountability, Vendor Management Policies and Procedures, Employee Training, Job
Functions and Exception Report Monitoring

Risk Assessment
  Impact: 5
  Inherent Likelihood: 5
  Inherent Risk: 25
  Residual Likelihood: 1
  Residual Risk: 5
Gap Analysis - Action Plans - Comments:
Residuals are due to strict policies and procedures backed by HR accountability as well as strong CIP and upfront credit
procedures, including annual CIP training.
Risk Assessment Process Chart
Product: Consumer Lines of Credit (Includes all consumer lines of credit offered by PRWT)
Area Affected: Consumer Lending
Author: Jack Doe

Obtaining Product (X = applies, - = does not apply)
  Face to Face: X
  On-Line: -
  Phone: X
  Mail: X

Accessing Product
  Face to Face: X
  Online: X
  Wires: X
  Telephone Transfers: X
  EFT: X
  ATM/Debit Card: X
  Mail: X
  Check: X

Third Party Arrangements
  Service Providers: S1 & Check Free, Deluxe/Harland, Various collection agencies, Credit Bureaus, Appraisers, Title Companies, DMV
  Joint Ventures: -
  Other: -

Threats
  Counterfeit or Altered ID: X
  False - Incomplete Info: X
  Pretext Calling: X
  Forged Signature: X
  Incorrect or Fictitious Address: X
  Bogus SSN: X
  Bogus Phone #: X
  Phishing for user name and password: X
  Pharming for customer login information: X
  Obtaining user name and password via spyware: X
  Address Changes: X
  Hacking into your online banking software: X
  Guessing Login info - do not require complex and changing passwords: X
  Employees tricked into resetting passwords: X
  Obtaining passwords through lack of customer safeguards: X
  Social engineering your employees into deviating from normal procedures: X
                                                          Red Flags Addressed

Alerts, Notifications or Warnings from a Consumer Reporting Agency
 1. A fraud or active duty alert is included with a consumer report.
 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
 3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part.
 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Suspicious Documents
 5. Documents provided for identification appear to have been altered or forged.
 6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
 7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
 8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
 9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Suspicious Personal Identifying Information
 10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
 11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
 12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application.
 13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service.
 14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
 15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
 16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
 17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
 18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Unusual Use of, or Suspicious Activity Related to, the Covered Account
 19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
 20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
 21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account.
 22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
 23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
 24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with Covered Account held by the financial institution or creditor
 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

                                                           Risk Assessment
Impact:                 5          Residual Likelihood:     2
Inherent Likelihood:    5          Residual Risk:          10
Inherent Risk:         25

Gap Analysis - Action Plan - Comments:
Residuals are due to the constant access to the LOC's and system monitoring through the life of the loan
                         Risk Assessment Process Chart
Product: Consumer Bank Cards (Stockman's)
Area Affected: Stockman's existing customers                           Author: Joe Doe

                                                      Obtaining Product
     Face to Face                       On-Line                          Phone                                     Mail
              X                                                              X                                       X
                                                     Accessing Product
     Face to Face                        Online                           Wires                       Telephone Transfers
              X                              X                               X                                       X
            EFT                           ATM                              Mail                                  Check
              X                              X                               X                                       X
                                                  Third Party Arrangements
  Service Providers: Fidelity, Credit Bureaus
  Joint Ventures: (none listed)
  Other: (none listed)
                                                                Threats
  (X = threat applies to this product)
  Counterfeit or Altered ID: X
  False - Incomplete Info: X
  Pretext Calling: X
  Forged Signature: X
  Incorrect or Fictitious Address: X
  Bogus SSN: X
  Bogus Phone #: X
  Phishing for user name and password: X
  Pharming for customer login information: X
  Obtaining user name and password via spyware: X
  Address Changes: X
  Hacking into your online banking software: X
  Guessing Login info - do not require complex and changing passwords: X
  Employees tricked into resetting passwords: X
  Obtaining passwords through lack of customer safeguards: X
  Social engineering your employees into deviating from normal procedures: X
                                                    Red Flags Addressed

Alerts, Notifications or Warnings from a Consumer Reporting Agency
 1. A fraud or active duty alert is included with a consumer report.
 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
 3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part.
 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Suspicious Documents
 5. Documents provided for identification appear to have been altered or forged.
 6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
 7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
 8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
 9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Suspicious Personal Identifying Information
 10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
 11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
 12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application.
 13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service.
 14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
 15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
 16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
 17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
 18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Unusual Use of, or Suspicious Activity Related to, the Covered Account
 19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
 20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
 21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account.
 22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
 23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
 24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with Covered Account held by the financial institution or creditor
 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

                                                      Risk Assessment
Impact:                           5           Residual Likelihood:                   5
Inherent Likelihood:              5           Residual Risk:                        25
Inherent Risk:                   25
Gap Analysis - Action Plan - Comments:
Residuals are due to controls in place - Original P & P were grandfathered in from the Stockman's merger but are being improved to include stricter CIP rules
07/30/08 meeting - This product is under review and will remain on watch status until final decisions are made
                            Risk Assessment Process Chart
Product: Commercial Bank Cards (Stockman's)
Area Affected: Stockman's existing customers                              Author: Joe Doe

                                                         Obtaining Product
      Face to Face                          On-Line                           Phone                                     Mail
               X                                                                  X                                       X
                                                        Accessing Product
      Face to Face                           Online                            Wires                       Telephone Transfers
               X                                 X                                X                                       X
             EFT                              ATM                               Mail                                  Check
               X                                 X                                X                                       X
                                                   Third Party Arrangements
  Service Providers: Fidelity, Credit Bureaus
  Joint Ventures: (none listed)
  Other: (none listed)
                                                                   Threats
  (X = threat applies to this product)
  Counterfeit or Altered ID: X
  False - Incomplete Info: X
  Pretext Calling: X
  Forged Signature: X
  Incorrect or Fictitious Address: X
  Bogus SSN: X
  Bogus Phone #: X
  Phishing for user name and password: X
  Pharming for customer login information: X
  Obtaining user name and password via spyware: X
  Address Changes: X
  Hacking into your online banking software: X
  Guessing Login info - do not require complex and changing passwords: X
  Employees tricked into resetting passwords: X
  Obtaining passwords through lack of customer safeguards: X
  Social engineering your employees into deviating from normal procedures: X
                                                       Red Flags Addressed

Alerts, Notifications or Warnings from a Consumer Reporting Agency
 1. A fraud or active duty alert is included with a consumer report.
 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
 3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part.
 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Suspicious Documents
 5. Documents provided for identification appear to have been altered or forged.
 6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
 7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
 8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
 9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Suspicious Personal Identifying Information
 10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
 11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
 12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application.
 13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service.
 14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
 15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
 16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
 17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
 18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Unusual Use of, or Suspicious Activity Related to, the Covered Account
 19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
 20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
 21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account.
 22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
 23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
 24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with Covered Account held by the financial institution or creditor
 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures, Job Functions and Exception Report Monitoring
                                                        Risk Assessment
Impact:                              5           Residual Likelihood:                    5
Inherent Likelihood:                 5           Residual Risk:                         25
Inherent Risk:                      25
Gap Analysis - Action Plan - Comments:
Residuals are due to controls in place - Original P & P were grandfathered in from the Stockman's merger but are being improved to include stricter CIP rules
07/30/08 meeting - This product is under review and will remain on watch status until final decisions are made
                             Risk Assessment Process Chart
         Product: Commercial Term Loans (Includes all commercial term loans offered by PRWT)

   Area Affected:                  Credit Administration                      Author:                                  Joe Doe

                                                         Obtaining Product
  Face to Face: X        On-Line: (blank)        Phone: X        Mail: X
                                                         Accessing Product
  Face to Face: X        Online: X        Wires: X        Telephone Transfers: (blank)
  EFT: (blank)        ATM/Debit Card: (blank)        Mail: X        Check: (blank)
                                                      Third Party Arrangements
  Service Providers: Various Attorneys, Various Collection Agencies, Credit Bureaus, Appraisers, Title Companies, Government Agencies (SBA), DMV
  Joint Ventures: Participation Notes with various banks
  Other: (none listed)
                                                                    Threats
  (X = threat applies to this product)
  Counterfeit or Altered ID: X
  False - Incomplete Info: X
  Pretext Calling: X
  Forged Signature: X
  Incorrect or Fictitious Address: X
  Bogus SSN: X
  Bogus Phone #: X
  Phishing for user name and password: X
  Pharming for customer login information: X
  Obtaining user name and password via spyware: X
  Address Changes: X
  Hacking into your online banking software: X
  Guessing Login info - do not require complex and changing passwords: X
  Employees tricked into resetting passwords: X
  Obtaining passwords through lack of customer safeguards: X
  Social engineering your employees into deviating from normal procedures: X
                                                       Red Flags Addressed

Alerts, Notifications or Warnings from a Consumer Reporting Agency
  1. A fraud or active duty alert is included with a consumer report.
  2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
  3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part.
  4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
     a. A recent and significant increase in the volume of inquiries;
     b. An unusual number of recently established credit relationships;
     c. A material change in the use of credit, especially with respect to recently established credit relationships; or
     d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management Policies and Procedures

Suspicious Documents
  5. Documents provided for identification appear to have been altered or forged.
  6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
  7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
  8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
  9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management Policies and Procedures

Suspicious Personal Identifying Information
  10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
      a. The address does not match any address in the consumer report; or
      b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
  11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
  12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
      a. The address on an application is the same as the address provided on a fraudulent application; or
      b. The phone number on an application is the same as the number provided on a fraudulent application.
  13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
      a. The address on an application is fictitious, a mail drop, or prison; or
      b. The phone number is invalid, or is associated with a pager or answering service.
  14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
  15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
  16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
  17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
  18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management Policies and Procedures

Unusual Use of, or Suspicious Activity Related to, the Covered Account
  19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
  20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
      a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
      b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
  21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
      a. Nonpayment when there is no history of late or missed payments;
      b. A material increase in the use of available credit;
      c. A material change in purchasing or spending patterns;
      d. A material change in electronic fund transfer patterns in connection with a deposit account; or
      e. A material change in telephone call patterns in connection with a cellular phone account.
  22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
  23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
  24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
  25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management Policies and Procedures

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
  26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Vendor Management Policies and Procedures

                                                         Risk Assessment
Impact:                              5           Residual Likelihood:                   1
Inherent Likelihood:                 5           Residual Risk:                         5
Inherent Risk:                      25
Gap Analysis - Action Plan - Comments:
Residuals are due to strict policies and procedures backed by HR accountability as well as strong CIP
and upfront credit procedures including annual CIP training
                             Risk Assessment Process Chart
Product: Commercial Lines of Credit (Includes all commercial lines of credit offered by PRWT)
Area Affected: Credit Administration                         Author: Joe Doe

Obtaining Product
  [X] Face to Face   [ ] On-Line   [X] Phone   [X] Mail

Accessing Product
  [X] Face to Face   [X] Online           [X] Wires   [X] Telephone Transfers
  [X] EFT            [X] ATM/Debit Card   [X] Mail    [X] Check

Third Party Arrangements
  Service Providers: S1 & Check Free, Deluxe/Harland, Various collection agencies, Credit Bureaus, Appraisers, Title Companies, DMV
  Joint Ventures: (none listed)
  Other: (none listed)

Threats
  [X] Counterfeit or Altered ID
  [X] False - Incomplete Info
  [X] Pretext Calling
  [X] Forged Signature
  [X] Incorrect or Fictitious Address
  [X] Bogus SSN
  [X] Bogus Phone #
  [X] Phishing for user name and password
  [X] Pharming for customer login information
  [X] Obtaining user name and password via spyware
  [X] Address Changes
  [X] Hacking into your online banking software
  [X] Guessing Login info - do not require complex and changing passwords
  [X] Employees tricked into resetting passwords
  [X] Obtaining passwords through lack of customer safeguards
  [X] Social engineering your employees into deviating from normal procedures
                                                    Red Flags Addressed

Alerts, Notifications or Warnings from a Consumer Reporting Agency
  1. A fraud or active duty alert is included with a consumer report.
  2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
  3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part.
  4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
     a. A recent and significant increase in the volume of inquiries;
     b. An unusual number of recently established credit relationships;
     c. A material change in the use of credit, especially with respect to recently established credit relationships; or
     d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Suspicious Documents
  5. Documents provided for identification appear to have been altered or forged.
  6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
  7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
  8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
  9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Suspicious Personal Identifying Information
  10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
      a. The address does not match any address in the consumer report; or
      b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
  11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
  12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
      a. The address on an application is the same as the address provided on a fraudulent application; or
      b. The phone number on an application is the same as the number provided on a fraudulent application.
  13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
      a. The address on an application is fictitious, a mail drop, or prison; or
      b. The phone number is invalid, or is associated with a pager or answering service.
  14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
  15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
  16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
  17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
  18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Unusual Use of, or Suspicious Activity Related to, the Covered Account
  19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
  20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
      a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
      b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
  21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
      a. Nonpayment when there is no history of late or missed payments;
      b. A material increase in the use of available credit;
      c. A material change in purchasing or spending patterns;
      d. A material change in electronic fund transfer patterns in connection with a deposit account; or
      e. A material change in telephone call patterns in connection with a cellular phone account.
  22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
  23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
  24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
  25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
  26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Management Policies and Procedures

                                                       Risk Assessment
Impact:                            5           Residual Likelihood:                 2
Inherent Likelihood:               5           Residual Risk:                      10
Inherent Risk:                    25
Gap Analysis - Action Plan - Comments:
Residuals are due to the constant access to the LOCs and system monitoring through the life of the loan; commercial LOCs are subject to annual financial reviews
                             Risk Assessment Process Chart
Product: Investment Company Products
Area Affected: Investment Co.                                Author: Roger Doe

Obtaining Product
  [X] Face to Face   [ ] On-Line   [ ] Phone   [ ] Mail

Accessing Product
  [X] Face to Face   [X] Online           [X] Wires   [X] Telephone Transfers
  [X] EFT            [X] ATM/Debit Card   [X] Mail    [X] Check

Third Party Arrangements
  Service Providers: LPL
  Joint Ventures: (none listed)
  Other: (none listed)

Threats
  [X] Counterfeit or Altered ID
  [X] False - Incomplete Info
  [X] Pretext Calling
  [X] Forged Signature
  [X] Incorrect or Fictitious Address
  [X] Bogus SSN
  [X] Bogus Phone #
  [ ] Phishing for user name and password
  [ ] Pharming for customer login information
  [ ] Obtaining user name and password via spyware
  [X] Address Changes
  [ ] Hacking into your online banking software
  [X] Guessing Login info - do not require complex and changing passwords
  [ ] Employees tricked into resetting passwords
  [ ] Obtaining passwords through lack of customer safeguards
  [X] Social engineering your employees into deviating from normal procedures
                                                         Red Flags Addressed

Alerts, Notifications or Warnings from a Consumer Reporting Agency
  1. A fraud or active duty alert is included with a consumer report.
  2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
  3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part.
  4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
     a. A recent and significant increase in the volume of inquiries;
     b. An unusual number of recently established credit relationships;
     c. A material change in the use of credit, especially with respect to recently established credit relationships; or
     d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
  Controls: Does not apply to the Investment Co. per Roger Graves

Suspicious Documents
  5. Documents provided for identification appear to have been altered or forged.
  6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
  7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
  8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
  9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, LPL Compliance, Vendor Management Policies and Procedures

Suspicious Personal Identifying Information
  10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
      a. The address does not match any address in the consumer report; or
      b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
  11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
  12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
      a. The address on an application is the same as the address provided on a fraudulent application; or
      b. The phone number on an application is the same as the number provided on a fraudulent application.
  13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
      a. The address on an application is fictitious, a mail drop, or prison; or
      b. The phone number is invalid, or is associated with a pager or answering service.
  14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
  15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
  16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
  17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
  18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, LPL Compliance, Vendor Management Policies and Procedures

Unusual Use of, or Suspicious Activity Related to, the Covered Account
  19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
  20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
      a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
      b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
  21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
      a. Nonpayment when there is no history of late or missed payments;
      b. A material increase in the use of available credit;
      c. A material change in purchasing or spending patterns;
      d. A material change in electronic fund transfer patterns in connection with a deposit account; or
      e. A material change in telephone call patterns in connection with a cellular phone account.
  22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
  23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
  24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
  25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, LPL Compliance, Vendor Management Policies and Procedures

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
  26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
  Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, LPL Compliance, Vendor Management Policies and Procedures

                                                             Risk Assessment
Impact:                                   5          Residual Likelihood:                  2
Inherent Likelihood:                      3          Residual Risk:                       10
Inherent Risk:                           15
Gap Analysis - Action Plan - Comments:
Residuals are due to controls in place and minimal fraud activity on investment accounts
                             Risk Assessment Process Chart
Product: Premier Finance Co. Real Estate Secured Loans
Area Affected: Premier Finance                               Author: Jeff Doe

Obtaining Product
  [X] Face to Face   [ ] On-Line   [X] Phone   [X] Mail

Accessing Product
  [X] Face to Face   [ ] Online           [X] Wires   [X] Telephone Transfers
  [X] EFT            [ ] ATM/Debit Card   [X] Mail    [X] Check

Third Party Arrangements
  Service Providers: Various collection agencies, appraisers, title companies, various brokers, Credit Bureaus
  Joint Ventures: (none listed)
  Other: (none listed)

Threats
  [X] Counterfeit or Altered ID
  [X] False - Incomplete Info
  [X] Pretext Calling
  [X] Forged Signature
  [X] Incorrect or Fictitious Address
  [X] Bogus SSN
  [X] Bogus Phone #
  [ ] Phishing for user name and password
  [ ] Pharming for customer login information
  [X] Obtaining user name and password via spyware
  [X] Address Changes
  [ ] Hacking into your online banking software
  [ ] Guessing Login info - do not require complex and changing passwords
  [ ] Employees tricked into resetting passwords
  [X] Obtaining passwords through lack of customer safeguards
  [X] Social engineering your employees into deviating from normal procedures
                                                   Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency 1. A fraud or active duty alert is included with a
consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer
report. 3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part. 4. A
consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or
customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established
credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor Management Policies and Procedures

Suspicious Documents 5. Documents provided for identification appear to have been altered or forged. 6. The photograph or
physical description on the identification is not consistent with the appearance of the applicant or customer presenting the
identification. 7. Other information on the identification is not consistent with information provided by the person opening a new
covered account or customer presenting the identification. 8. Other information on the identification is not consistent with readily
accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. 9. An
application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor Management Policies and Procedures
Suspicious Personal Identifying Information 10. Personal identifying information provided is inconsistent when compared
against external information sources used by the financial institution or creditor. For example: a. The address does not match any
address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security
Administration’s Death Master File. 11. Personal identifying information provided by the customer is not consistent with other
personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and
date of birth. 12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or
third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the
address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a
fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or
third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail
drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service. 14. The SSN provided is
the same as that submitted by other persons opening an account or other customers. 15. The address or telephone number
provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other
persons opening accounts or other customers. 16. The person opening the covered account or the customer fails to provide all
required personal identifying information on an application or in response to notification that the application is incomplete. 17.
Personal identifying information provided is not consistent with personal identifying information that is on file with the financial
institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer
cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor Management Policies and Procedures
Unusual Use of, or Suspicious Activity Related to, the Covered Account 19. Shortly following the notice of a change of
address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell
phone, or for the addition of authorized users on the account. 20. A new revolving credit account is used in a manner commonly
associated with known patterns of fraud. For example: a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first
payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for
example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection
with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account. 22. A
covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of
account, the expected pattern of usage and other relevant factors). 23. Mail sent to the customer is returned repeatedly as
undeliverable although transactions continue to be conducted in connection with the customer’s covered account. 24. The
financial institution or creditor is notified that the customer is not receiving paper account statements. 25. The financial institution
or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor Management Policies and Procedures
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible
Identity Theft in Connection with a Covered Account held by the financial institution or creditor 26. The financial institution
or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a
fraudulent account for a person engaged in identity theft.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor Management Policies and Procedures

                                                     Risk Assessment
Impact:                           5          Residual Likelihood:               1
Inherent Likelihood:              5          Residual Risk:                     5
Inherent Risk:                   25
Gap Analysis - Action Plan - Comments:
 Residuals are due to the controls in place and initial CIP
                                             Risk Assessment Process Chart
                                                         Product: Premier Finance Co. Dealer Loans

         Area Affected: Premier Finance Co.                                   Author: Jeff Doe

                                                           Obtaining Product
         [X] Face to Face    [ ] On-Line    [X] Phone / Fax    [X] Mail
                                                           Accessing Product
         [X] Face to Face    [ ] Online    [X] Wires    [X] Telephone Transfers
         [X] EFT    [ ] ATM/Debit Card    [X] Mail    [X] Check
                                                      Third Party Arrangements
         Service Providers: none    Joint Ventures: Various Dealers    Other: none

                                                                 Threats
         [X] Counterfeit or Altered ID
         [X] False - Incomplete Info
         [X] Pretext Calling
         [X] Forged Signature
         [X] Incorrect or Fictitious Address
         [X] Bogus SSN
         [X] Bogus Phone #
         [ ] Phishing for user name and password
         [ ] Pharming for customer login information
         [ ] Obtaining user name and password via spyware
         [X] Address Changes
         [ ] Hacking into your online banking software
         [ ] Guessing Login info - do not require complex and changing passwords
         [X] Employees tricked into resetting passwords
         [X] Obtaining passwords through lack of customer safeguards
         [X] Social engineering your employees into deviating from normal procedures
                                                                       Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency 1. A fraud or active duty alert is included with a consumer report. 2. A consumer reporting agency
provides a notice of credit freeze in response to a request for a consumer report. 3. A consumer reporting agency provides a notice of address discrepancy, as defined in
§334.82(b) of this part. 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such
as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit,
especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial
institution or creditor.


Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Dealer Due Diligence, Vendor
Management Policies and Procedures
Suspicious Documents 5. Documents provided for identification appear to have been altered or forged. 6. The photograph or physical description on the identification is
not consistent with the appearance of the applicant or customer presenting the identification. 7. Other information on the identification is not consistent with information
provided by the person opening a new covered account or customer presenting the identification. 8. Other information on the identification is not consistent with readily
accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. 9. An application appears to have been altered or
forged, or gives the appearance of having been destroyed and reassembled.


Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Dealer Due Diligence, Vendor
Management Policies and Procedures
Suspicious Personal Identifying Information 10. Personal identifying information provided is inconsistent when compared against external information sources used by
the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been
issued, or is listed on the Social Security Administration's Death Master File. 11. Personal identifying information provided by the customer is not consistent with other
personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth. 12. Personal identifying
information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a.
The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number
provided on a fraudulent application.


13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial
institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The phone number is invalid, or is associated with a pager or
answering service. 14. The SSN provided is the same as that submitted by other persons opening an account or other customers. 15. The address or telephone number
provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other
customers. 16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to
notification that the application is incomplete. 17. Personal identifying information provided is not consistent with personal identifying information that is on file with the
financial institution or creditor.



18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information
beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Dealer Due Diligence, Vendor
Management Policies and Procedures
Unusual Use of, or Suspicious Activity Related to, the Covered Account 19. Shortly following the notice of a change of address for a covered account, the institution or
creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account. 20. A new revolving credit
account is used in a manner commonly associated with known patterns of fraud. For example: a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no
subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no
history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in
electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account. 22. A
covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other
relevant factors). 23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's
covered account. 24. The financial institution or creditor is notified that the customer is not receiving paper account statements. 25. The financial institution or creditor is
notified of unauthorized charges or transactions in connection with a customer's covered account.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Dealer Due Diligence, Vendor
Management Policies and Procedures
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible Identity Theft in Connection with a Covered
Account held by the financial institution or creditor 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority,
or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report Monitoring, Dealer Due Diligence, Vendor
Management Policies and Procedures
                                                                            Risk Assessment
Impact:                                          5               Residual Likelihood:                                                                         2
Inherent Likelihood:                             5               Residual Risk:                                                                               10
Inherent Risk:                                  25
Gap Analysis - Action Plan - Comments:
 Residuals are due to controls in place, Dealer Due Diligence and initial CIP
                        Risk Assessment Process Chart
                              Product: Premier Finance Co. Non Real Estate Loans

    Area Affected: Premier Finance Co.                              Author: Jeff Doe

                                                      Obtaining Product
    [X] Face to Face    [ ] On-Line    [X] Phone    [X] Mail
                                                      Accessing Product
    [X] Face to Face    [ ] Online    [X] Wires    [X] Telephone Transfers
    [X] EFT    [X] ATM/Debit Card    [ ] Mail    [X] Check
                                                Third Party Arrangements
    Service Providers: Various collection agencies, DMV, credit bureaus
    Joint Ventures: none    Other: none

                                                               Threats
    [X] Counterfeit or Altered ID
    [X] False - Incomplete Info
    [X] Pretext Calling
    [X] Forged Signature
    [X] Incorrect or Fictitious Address
    [X] Bogus SSN
    [X] Bogus Phone #
    [ ] Phishing for user name and password
    [ ] Pharming for customer login information
    [ ] Obtaining user name and password via spyware
    [X] Address Changes
    [ ] Hacking into your online banking software
    [ ] Guessing Login info - do not require complex and changing passwords
    [X] Employees tricked into resetting passwords
    [X] Obtaining passwords through lack of customer safeguards
    [X] Social engineering your employees into deviating from normal procedures
                                                    Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency 1. A fraud or active duty alert is included with a
consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part. 4. A consumer
report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such
as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that
was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor management Policies and Procedures
Suspicious Documents 5. Documents provided for identification appear to have been altered or forged. 6. The photograph or
physical description on the identification is not consistent with the appearance of the applicant or customer presenting the
identification. 7. Other information on the identification is not consistent with information provided by the person opening a new
covered account or customer presenting the identification. 8. Other information on the identification is not consistent with readily
accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. 9. An
application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor management Policies and Procedures
Suspicious Personal Identifying Information 10. Personal identifying information provided is inconsistent when compared against
external information sources used by the financial institution or creditor. For example: a. The address does not match any address
in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security
Administration’s Death Master File. 11. Personal identifying information provided by the customer is not consistent with other
personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and
date of birth. 12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or
third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the
address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a
fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or
third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail
drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service. 14. The SSN provided is the
same as that submitted by other persons opening an account or other customers. 15. The address or telephone number provided is
the same as or similar to the account number or telephone number submitted by an unusually large number of other persons
opening accounts or other customers. 16. The person opening the covered account or the customer fails to provide all required
personal identifying information on an application or in response to notification that the application is incomplete. 17. Personal
identifying information provided is not consistent with personal identifying information that is on file with the financial institution or
creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer
cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor management Policies and Procedures
Unusual Use of, or Suspicious Activity Related to, the Covered Account 19. Shortly following the notice of a change of address
for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for
the addition of authorized users on the account. 20. A new revolving credit account is used in a manner commonly associated with
known patterns of fraud. For example: a. The majority of available credit is used for cash advances or merchandise that is
easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for
example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c.
A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a
deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account. 22. A covered
account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the
expected pattern of usage and other relevant factors). 23. Mail sent to the customer is returned repeatedly as undeliverable
although transactions continue to be conducted in connection with the customer’s covered account. 24. The financial institution or
creditor is notified that the customer is not receiving paper account statements. 25. The financial institution or creditor is notified of
unauthorized charges or transactions in connection with a customer’s covered account.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor management Policies and Procedures
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible
Identity Theft in Connection with a Covered Account held by the financial institution or creditor 26. The financial institution or
creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a
fraudulent account for a person engaged in identity theft.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Job Functions and Exception Report
Monitoring, Vendor management Policies and Procedures
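The control cited against every group of red flags above is Exception Report Monitoring, but the matrix does not show what such a report checks. The block below is an added example, not part of the original assessment and not Premier Finance Co.'s own code, of an exception screen over a batch of loan applications for the flags that can be tested mechanically: 10a (application address absent from the consumer report), 14 (one SSN on several applications), 15 (an address or phone number shared by an unusually large number of applicants), 16 (required identifying information missing) and 19 (a card or authorized-user request shortly after an address change). The record layout, the field names, the sample applications and the two thresholds (three shared contact values; a 30-day window after an address change) are assumptions of the example; the rule leaves "unusually large number" and "shortly following" to each institution.

```python
"""Exception report over loan applications, keyed to Red Flags 10a, 14, 15, 16 and 19.

Added example; the record layout, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Thresholds are assumptions for this example; the rule does not fix them.
SHARED_CONTACT_THRESHOLD = 3                  # Red Flag 15: address/phone on >= 3 applications
ADDRESS_CHANGE_WINDOW = timedelta(days=30)    # Red Flag 19: card request within 30 days of address change
REQUIRED_FIELDS = ("name", "ssn", "dob", "address", "phone")   # Red Flag 16


def normalize(value):
    """Collapse case, whitespace and punctuation so 'same or similar' values compare equal."""
    return "".join(ch for ch in str(value).lower() if ch.isalnum())


def screen_applications(apps):
    """Return {application id: [red flag codes]} for every application that trips a flag."""
    hits = defaultdict(list)
    by_ssn, by_address, by_phone = defaultdict(list), defaultdict(list), defaultdict(list)

    for app in apps:
        app_id = app["id"]
        # Red Flag 16: a required identifying field is missing or empty.
        if any(not app.get(field) for field in REQUIRED_FIELDS):
            hits[app_id].append("RF16")
        # Red Flag 10a: application address does not match any address on the consumer report.
        report_addrs = {normalize(a) for a in app.get("report_addresses", [])}
        if app.get("address") and report_addrs and normalize(app["address"]) not in report_addrs:
            hits[app_id].append("RF10a")
        # Red Flag 19: card / authorized-user request shortly after a change of address.
        changed, requested = app.get("address_changed_on"), app.get("card_requested_on")
        if changed and requested and timedelta(0) <= requested - changed <= ADDRESS_CHANGE_WINDOW:
            hits[app_id].append("RF19")
        # Index identifying values for the cross-application checks below.
        for key, index in (("ssn", by_ssn), ("address", by_address), ("phone", by_phone)):
            if app.get(key):
                index[normalize(app[key])].append(app_id)

    # Red Flag 14: the same SSN submitted by more than one applicant.
    for ids in by_ssn.values():
        if len(ids) > 1:
            for app_id in ids:
                hits[app_id].append("RF14")
    # Red Flag 15: an address or phone number shared by an unusually large number of applicants.
    for index in (by_address, by_phone):
        for ids in index.values():
            if len(ids) >= SHARED_CONTACT_THRESHOLD:
                for app_id in ids:
                    if "RF15" not in hits[app_id]:
                        hits[app_id].append("RF15")
    return dict(hits)


# Constructed sample batch (fictitious data) exercising each flag.
SAMPLE_APPLICATIONS = [
    {"id": "A1", "name": "Pat Example", "ssn": "123-45-6789", "dob": "1970-01-01",
     "address": "12 Main St, Springfield", "phone": "555-0100",
     "report_addresses": ["12 Main St, Springfield"]},                      # RF14 (SSN shared with A2)
    {"id": "A2", "name": "Sam Example", "ssn": "123-45-6789", "dob": "1985-06-30",
     "address": "9 Elm St, Shelbyville", "phone": "555-0101",
     "report_addresses": ["9 Elm St, Shelbyville"]},                        # RF14 (SSN shared with A1)
    {"id": "A3", "name": "Lee Example", "ssn": "987-65-4321", "dob": "1990-02-02",
     "address": "PO Box 77, Capital City", "phone": "555-0199",
     "report_addresses": ["4 Oak Ave, Capital City"]},                      # RF10a, RF15
    {"id": "A4", "name": "Kim Example", "ssn": "111-22-3333", "dob": "1975-03-03",
     "address": "PO Box 77, Capital City", "phone": "555-0199",
     "report_addresses": ["PO Box 77, Capital City"]},                      # RF15
    {"id": "A5", "name": "", "ssn": "222-33-4444", "dob": "1980-04-04",
     "address": "P.O. Box 77 Capital City", "phone": "(555) 0199",
     "report_addresses": ["P.O. Box 77 Capital City"],
     "address_changed_on": date(2024, 5, 1),
     "card_requested_on": date(2024, 5, 10)},                               # RF16, RF19, RF15
]

if __name__ == "__main__":
    for app_id, flags in sorted(screen_applications(SAMPLE_APPLICATIONS).items()):
        print(f"{app_id}: {', '.join(flags)}")
```

The normalization step matters for Red Flags 14 and 15, which speak of values that are "the same as or similar to" each other: "P.O. Box 77 Capital City" and "PO Box 77, Capital City" are the same mail drop, and "(555) 0199" is the same line as "555-0199". Flags that need an external source (10b, the Death Master File; 12 and 13, internal or third-party fraud indicators) are not modelled here; a production report would join against those sources in the same loop.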
                                                      Risk Assessment
Impact:                           5          Residual Likelihood:                                                  1
Inherent Likelihood:              5          Residual Risk:                                                        5
Inherent Risk:                    25
Gap Analysis - Action Plan - Comments:
Residuals are due to controls in place and initial CIP
                         Risk Assessment Process Chart
                                                      Product: Mortgage Loans

  Area Affected:                 Mortgage Division                     Author:                                 Jeff Doe

                                                      Obtaining Product
     Face to Face                      On-Line                          Phone                                     Mail

                                                      Accessing Product
     Face to Face                      Online                           Wires                       Telephone Transfers
           EFT                         ATM/Debit Card                   Mail                                  Check

                                                 Third Party Arrangements
 Service Providers: PHH             Joint Ventures: (none listed)                     Other: (none listed)
                                                      Threats (X = threat applies to this product)
  [X] Counterfeit or Altered ID
  [X] False - Incomplete Info
  [X] Pretext Calling
  [X] Forged Signature
  [X] Incorrect or Fictitious Address
  [X] Bogus SSN
  [X] Bogus Phone #
  [ ] Phishing for user name and password
  [ ] Pharming for customer login information
  [ ] Obtaining user name and password via spyware
  [X] Address Changes
  [ ] Hacking into your online banking software
  [ ] Guessing Login info - do not require complex and changing passwords
  [X] Employees tricked into resetting passwords
  [X] Obtaining passwords through lack of customer safeguards
  [X] Social engineering your employees into deviating from normal procedures
                                                   Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency 1. A fraud or active duty alert is included with a consumer
report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. 3. A
consumer reporting agency provides a notice of address discrepancy, as defined in §334.82(b) of this part. 4. A consumer report
indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a.
A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A
material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was
closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Due Diligence - Vendor Policies and
Procedures
Suspicious Documents 5. Documents provided for identification appear to have been altered or forged. 6. The photograph or
physical description on the identification is not consistent with the appearance of the applicant or customer presenting the
identification. 7. Other information on the identification is not consistent with information provided by the person opening a new
covered account or customer presenting the identification. 8. Other information on the identification is not consistent with readily
accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check. 9. An
application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Due Diligence - Vendor Policies and
Procedures
Suspicious Personal Identifying Information 10. Personal identifying information provided is inconsistent when compared against
external information sources used by the financial institution or creditor. For example: a. The address does not match any address
in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security
Administration's Death Master File. 11. Personal identifying information provided by the customer is not consistent with other
personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and
date of birth. 12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or
third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the
address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a
fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-
party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or
a prison; or b. The phone number is invalid, or is associated with a pager or answering service. 14. The SSN provided is the same as
that submitted by other persons opening an account or other customers. 15. The address or telephone number provided is the same
as or similar to the address or telephone number submitted by an unusually large number of other persons opening
accounts or other customers. 16. The person opening the covered account or the customer fails to provide all required personal
identifying information on an application or in response to notification that the application is incomplete. 17. Personal identifying
information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer
cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Due Diligence - Vendor Policies and
Procedures
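Red Flags 10b and 12 through 16 above are mechanical checks that can be run over a batch of applications before a human reviews the exceptions. The script below is an added example written for this page; it is not part of this assessment, nor PHH's or the bank's procedures. The applications, the known-fraud address/phone lists, the mail-drop list and the threshold of three applicants for "an unusually large number" (Red Flag 15) are all constructed for the example. The SSN check uses the Social Security Administration's published never-issued ranges (area 000, 666 and 900-999; group 00; serial 0000); the phone check only verifies basic North American numbering format, not whether the number belongs to a pager or answering service.

```python
"""Batch screening of credit applications for Red Flags 10b, 12, 13, 14, 15 and 16.

Added example; the data below is constructed and the lists are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample applications (names, SSNs, addresses and phones are made up).
APPLICATIONS = [
    {"id": "A1", "name": "Pat Example", "ssn": "212-09-1234",
     "address": "10 Main St, Springfield", "phone": "312-555-0142"},
    {"id": "A2", "name": "Lee Sample", "ssn": "666-12-3456",
     "address": "22 Oak Ave, Springfield", "phone": "312-555-0177"},
    {"id": "A3", "name": "Kim Test", "ssn": "455-23-7788",
     "address": "PO Box 99, Anytown", "phone": "555-1234"},
    {"id": "A4", "name": "Sam Demo", "ssn": "301-44-5678",
     "address": "7 Pine Rd, Metropolis", "phone": "773-555-0100"},
    {"id": "A5", "name": "Sam Demo Jr", "ssn": "301-44-5678",
     "address": "8 Pine Rd, Metropolis", "phone": "773-555-0100"},
    {"id": "A6", "name": "Alex Mock", "ssn": "520-77-1010",
     "address": "44 Elm St, Gotham", "phone": "(773) 555-0100"},
    {"id": "A7", "name": "Chris Fixture", "ssn": "487-65-4321",
     "address": "1 Cedar Ln, Smallville", "phone": ""},
]

# Hypothetical internal lists: contact data seen on prior fraudulent applications
# (Red Flag 12) and addresses known to be mail drops (Red Flag 13a).
KNOWN_FRAUD_ADDRESSES = {"44 elm st gotham"}
KNOWN_FRAUD_PHONES = {"3125550177"}
MAIL_DROP_ADDRESSES = {"po box 99 anytown"}
SHARED_CONTACT_THRESHOLD = 3   # assumed cutoff for Red Flag 15's "unusually large number"
REQUIRED_FIELDS = ("name", "ssn", "address", "phone")


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse whitespace so near-identical addresses match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def digits(value):
    return re.sub(r"\D", "", value)


def ssn_is_unissued(ssn):
    """Red Flag 10b: SSA has never issued area 000, 666, 900-999, group 00 or serial 0000."""
    d = digits(ssn)
    if len(d) != 9:
        return True
    area, group, serial = int(d[:3]), int(d[3:5]), int(d[5:])
    return area == 0 or area == 666 or area >= 900 or group == 0 or serial == 0


def phone_is_invalid(phone):
    """Red Flag 13b (format only): 10 NANP digits, area code and exchange not starting with 0/1."""
    d = digits(phone)
    if len(d) == 11 and d[0] == "1":
        d = d[1:]
    return len(d) != 10 or d[0] in "01" or d[3] in "01"


def screen(applications):
    """Return {application id: [red-flag findings]} for every application that raised a flag."""
    flags = defaultdict(list)
    ssn_owners, addr_users, phone_users = defaultdict(list), defaultdict(list), defaultdict(list)

    for app in applications:
        aid = app["id"]
        missing = [f for f in REQUIRED_FIELDS if not app.get(f, "").strip()]
        if missing:   # Red Flag 16: required information not provided
            flags[aid].append("16: missing required field(s) " + ", ".join(missing))
        ssn, addr, phone = digits(app.get("ssn", "")), normalize_address(app.get("address", "")), digits(app.get("phone", ""))
        if ssn:
            if ssn_is_unissued(ssn):
                flags[aid].append("10b: SSN is not in an issued range")
            ssn_owners[ssn].append(aid)
        if addr:
            if addr in KNOWN_FRAUD_ADDRESSES:
                flags[aid].append("12a: address matches a prior fraudulent application")
            if addr in MAIL_DROP_ADDRESSES:
                flags[aid].append("13a: address is a known mail drop")
            addr_users[addr].append(aid)
        if phone:
            if phone in KNOWN_FRAUD_PHONES:
                flags[aid].append("12b: phone number matches a prior fraudulent application")
            if phone_is_invalid(phone):
                flags[aid].append("13b: phone number is not a valid format")
            phone_users[phone].append(aid)

    # Cross-application checks need the whole batch before they can fire.
    for owners in ssn_owners.values():
        if len(owners) > 1:   # Red Flag 14: same SSN submitted by other applicants
            for aid in owners:
                flags[aid].append("14: SSN also submitted by " + ", ".join(o for o in owners if o != aid))
    for users in list(addr_users.values()) + list(phone_users.values()):
        if len(users) >= SHARED_CONTACT_THRESHOLD:   # Red Flag 15: shared address/phone
            for aid in users:
                flags[aid].append("15: address/phone shared by %d applicants" % len(users))
    return dict(flags)


if __name__ == "__main__":
    for aid, findings in sorted(screen(APPLICATIONS).items()):
        print(aid, *findings, sep="\n  ")
```

The per-application checks (10b, 12, 13, 16) can run at the point of application; the cross-application checks (14 and 15) only make sense over a window of recent applications, so in practice the batch would be the day's or week's intake plus existing customer records, and the output feeds the exception report that the Controls lines above say is reviewed by staff.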
Unusual Use of, or Suspicious Activity Related to, the Covered Account 19. Shortly following the notice of a change of address
for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for
the addition of authorized users on the account. 20. A new revolving credit account is used in a manner commonly associated with
known patterns of fraud. For example: a. The majority of available credit is used for cash advances or merchandise that is
easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for
example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c.
A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a
deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account. 22. A covered
account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the
expected pattern of usage and other relevant factors). 23. Mail sent to the customer is returned repeatedly as undeliverable
although transactions continue to be conducted in connection with the customer's covered account. 24. The financial institution or
creditor is notified that the customer is not receiving paper account statements. 25. The financial institution or creditor is notified of
unauthorized charges or transactions in connection with a customer's covered account.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Due Diligence - Vendor Policies and
Procedures
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible
Identity Theft in Connection with a Covered Account held by the financial institution or creditor 26. The financial institution or
creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a
fraudulent account for a person engaged in identity theft.
Controls: Policies and Procedures backed by HR accountability, Employee Training, Vendor Due Diligence - Vendor Policies and
Procedures

                                                      Risk Assessment
Impact:                          5
Inherent Likelihood:             5        Inherent Risk (Impact x Inherent Likelihood):    25
Residual Likelihood:             1        Residual Risk (Impact x Residual Likelihood):     5
Gap Analysis - Action Plan - Comments:
Residual scores reflect the controls in place, PHH (the service provider) assuming the customer fraud risk, and a review of the
arrangement every 3 years.
                       Risk Assessment Process Chart (blank template)
                                                      Product:
   Area Affected:                                            Author:

                                                  Obtaining Product
      Face to Face                       On-Line                       Phone                              Mail

                                                  Accessing Product
      Face to Face                       Online                        Wires                 Telephone Transfers
            EFT                          ATM/Debit Card                Mail                            Check

                                            Third Party Arrangements
   Service Providers:                Joint Ventures:                                      Other:

                                                   Threats (mark X for each threat that applies)
  [ ] Counterfeit or Altered ID
  [ ] False - Incomplete Info
  [ ] Pretext Calling
  [ ] Forged Signature
  [ ] Incorrect or Fictitious Address
  [ ] Bogus SSN
  [ ] Bogus Phone #
  [ ] Phishing for user name and password
  [ ] Pharming for customer login information
  [ ] Obtaining user name and password via spyware
  [ ] Address Changes
  [ ] Hacking into your online banking software
  [ ] Guessing Login info - do not require complex and changing passwords
  [ ] Employees tricked into resetting passwords
  [ ] Obtaining passwords through lack of customer safeguards
  [ ] Social engineering your employees into deviating from normal procedures

                                                Red Flags Addressed
Alerts, Notifications or Warnings from a Consumer Reporting Agency (Red Flags 1-4)
Controls:
Suspicious Documents (Red Flags 5-9)
Controls:
Suspicious Personal Identifying Information (Red Flags 10-18)
Controls:
Unusual Use of, or Suspicious Activity Related to, the Covered Account (Red Flags 19-25)
Controls:
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities or Other Persons Regarding Possible
Identity Theft in Connection with a Covered Account held by the financial institution or creditor (Red Flag 26)
Controls:
                                                    Risk Assessment
Impact:
Inherent Likelihood:                      Inherent Risk (Impact x Inherent Likelihood):
Residual Likelihood:                      Residual Risk (Impact x Residual Likelihood):




Notes: