The deadline for most states to meet compliance was October 1, 2018, although deadlines vary by state. With this deadline come and gone it can be confusing to determine which states are compliant and which are not.

At IDMERIT, we have gathered the latest news about REAL IDs and succinctly compiled it in this post. It is our duty to know the latest in ID trends in order to provide the best and most accurate identity verification services for our clients. With the information outlined in this blog post, you will be able to determine if the ID you are using is compliant with federal standards.

Which States are Compliant

More than half of all US states are compliant with Real ID. This list has grown since we last wrote about the topic since many states have been working diligently to meet requirements. According to the Department of Homeland Security (DHS), the list of compliant states and territories includes:

• Alabama
• Arizona
• Arkansas
• Colorado
• Connecticut
• Delaware
• District of Columbia
• Florida
• Georgia
• Hawaii
• Idaho
• Indiana
• Iowa
• Kansas
• Louisiana
• Maryland
• Massachusetts
• Michigan
• Mississippi
• Minnesota
• Nebraska
• Nevada
• New Hampshire
• New Mexico
• New York
• North Carolina
• North Dakota
• Ohio
• Puerto Rico
• South Carolina
• South Dakota
• Tennessee
• Texas
• Utah
• Vermont
• Virginia
• West Virginia
• Wisconsin
• Wyoming
• Washington

Issues Verifying Identities that Noncompliant States Face

All the states that are currently not compliant with federal regulations have been given an extension. These states all face a variety of different challenges causing them to receive an extension on compliance.

1.Alaska

Alaska is required to meet Real ID requirements by October 1, 2020. The state DMV began issuing Real IDs on January 2, 2019. One of the biggest issues Alaska faces is how they will issue IDs in communities without local DMV offices. They do not have a solution yet, but are actively working on finding a resolution that works towards meeting federal compliance.

2. American Samoa

The American Samoa has an extension for Real ID compliance until October 10, 2019.

3. California

The deadline for Real ID compliance in California has been extended until January 10, 2019. One of the issues California has faced is that its process for producing Real IDs has been deemed federally noncompliant. The state asked residents for one document to prove state residency, while the federal government requires two. This was determined after the state had already produced 2.3 million Real IDs through the noncompliant process. The federal government will allow California residents with a Real ID to be considered in compliance without having to get a new one. When the ID expires, residents will have to show a second residency document in order to renew their Real ID. In April 2019, the state will switch to a new protocol for creating Real IDs that meets federal standards.

4. Guam

Guam has until January 10, 2019, to meet federal Real ID compliance. It began issuing Real IDs to its residents in June 2018. Enforcement for Real IDs will begin October 2020.

5. Illinois

Illinois is required to be compliant with the Real ID Act by June 1, 2019. It will begin issuing Real ID cards to residents in the spring of 2019. The state will begin to be enforced by DHS in October 2020.

6. Kentucky

Kentucky has received an extension for Real ID compliance until August 1, 2019. The state will begin issuing Real ID compliant ID cards in early 2019. Real ID enforcement begins in October 2020.

7. Maine

Main has until October 10, 2019, to meet Real ID compliance. The DHS will not begin enforcing Real ID until October 2020. Main has had difficulty implementing the systems and procedures needed to issue Real IDs. They plan to start issuing the compliant IDs on July 1, 2019.

8. Missouri

Missouri has until August 1, 2019, to become Real ID compliant. The state expects to be fully compliant with Real ID by March 2019. The DHS will begin enforcing Real IDs in October 2020.

9. Montana

The deadline for Real ID compliance in Montana is June 1, 2019. It plans to begin offering Real ID cards to state residents early in 2019. Enforcement for Real IDs begins in October 2020.

10. New Jersey

New Jersey has until October 10, 2019, to become federally compliant with Real ID standards. Nevertheless, the DHS will not enforce the Real ID Act until October 2020. The state will begin issuing the compliant IDs in the spring of 2019.

11. North Mariana Islands

The Northern Mariana Islands have until June 1, 2019 to comply with the Real ID Act.

12. Oklahoma

Oklahoma has until October 10, 2019, to become Real ID compliant. The state is actively working toward full compliance with the Act. States must meet 43 requirements to be considered compliant. Oklahoma is fully compliant with 30 requirements and partially compliant with 12.

13. Oregon

The deadline for compliance is October 10, 2019 in Oregon. The state expects to become fully compliant in July 2020 when their DMV begins using a new internal system.

14. Pennsylvania

Pennsylvania will begin issuing Real ID cards to residents starting in March 2019. The state has spent over $24 million in order to prepare issuing the ID cards. Pennsylvania has allowed residents to pre-register for Real IDs in two ways.

In the first, residents with IDs issued after 2003 will be able to pre-apply for a card since verifying identities of these residents is easy. Their proof of address is already on file with the state Department of Transportation. Over 200,000 Pennsylvania residents have already taken advantage of this opportunity.

In the other, residents with IDs issued before 2003 will be able to pre-register by proving their identity through an original certified copy of their birth certificate, valid passport, social security card, marriage license or order from family court. They will also have to provide two proofs of current address such as a valid driver’s license and a bank statement or utility bill less than 90 days old. 30,000 residents have applied for Real IDs this way so far.

15. Rhode Island

Rhode Island has until May 1, 2019 to become federally compliant with the Real ID Act. It began offering the compliant IDs to state residents in December 2018. Enforcement of the ID will begin on October 2020.

16. US Virgin Islands

The US Virgin Islands must comply with the Real ID Act by April 1, 2019. The DHS will begin enforcing Real IDs in October 2020.

Conclusion

Most states are actively working to meet Real ID compliance by federally mandated deadlines. Furthermore, DHS does not plan to start enforcing Real ID with residents until October 2020. This gives state residents plenty of time to either register for a Real ID or obtain another form of identification to use for travel, enter federal buildings and nuclear power plants, such as a federal passport. Verifying identities is critical for the security of the US. Real ID helps the US do this and protect the US from harm.

The post What is Real ID? Is it a critical means of Verifying Identities? appeared first on IDMERIT.

Data Breaches with Varying Scope

With data breaches, the personal information that is accessed by criminals varies. For example, in the Marriot data breach reported in September 2018, the information accessed included names, mailing addresses, phone numbers, emails, passport numbers, dates of birth, gender, and Starwood account information. In contrast, in the Facebook data breach also reported in September 2018, the information accessed included names, gender, and hometowns.

Criminal Activity After a Data Breach

Criminals can use stolen PII from data breaches for a variety of nefarious purposes. One of the main ways criminals use PII is to create synthetic identities and perform synthetic identity fraud. For example, the hackers from the Marriot data breach can take the information they stole and piece it together with fake identity information to create synthetic identities. From there, they can take these fake identities and use them to open financial accounts and perform nefarious activity such as obtaining loans they do not plan to pay back, money laundering, or terrorist activities.

These days, synthetic fraud is the fastest-growing type of identity theft occurring in the US according to the Federal Trade Commission.

Financial Institutions Must be Vigilant

The types of companies that should be most worried about data breaches are financial institutions. These entities are the ones likely to be targeted for synthetic fraud or identity fraud by cybercriminals who gained access to PII through data breaches. This is because criminals can gain access to valuable financial services if their attacks go unnoticed for a period of time.

Financial institutions have a lot at stake when dealing with fraud attacks. For one, they have to maintain a level of trust with their customers. Customers expect financial institutions to perform due diligence and prevent criminals from using their PII to cause them harm. They also must maintain a level of trust with regulators. Regulators expect financial institutions to perform proper Know Your Customer (KYC) checks prior to customer onboarding. Their failure to do this can lead to severe fines for noncompliance. Trust can also be lost for financial institutions if their fraud and compliance solutions allow criminals to access their services. This can cause severe damage to the financial institutions reputation and even lead to their demise.

The Importance of Comprehensive Identity Verification

Validating PII during onboarding is a key fraud and compliance solution for financial institutions. Proper identity verification services will help financial institutions meet KYC procedures and prevent questionable individuals from gaining access to financial services. With services like ours at IDMERIT, PII from identity documents—drivers licenses, national IDs or passports—is crosschecked with information stored in official databases during the onboarding process at a bank. Real individuals will have their information stored in these types of databases. In contrast, synthetic identities will not have their information stored in these databases. For this reason, this type of identity check determines with certainty if the PII being used to open an account comes from a real or synthetic identity.

Conclusion

Data breaches have compromised the personal information of many individuals. Nevertheless, PII is still a valuable tool for deterring fraud. Criminals have recently been focusing their efforts on performing synthetic identity theft. Synthetic identities will not pass identity verification procedures if they are performed by a financial institution. Banks can benefit greatly from performing comprehensive identity verification during their onboarding process. By crosschecking PII from identity documents with information stored in official databases, they can know with certainty that they are doing business with real individuals. This helps prevent identity theft even though identity information has been stolen by criminals in data breaches. Ultimately, KYC makes the world a little bit safer.

The post Identity Verification in a Post-Data Breach World appeared first on IDMERIT.

The law went into effect January 1, 2019, and has broad-reaching protections, just like GDPR and CCPA. The Vermont law protects the citizens of Vermont, US citizens, and non-US citizens. The goal of the fraud and compliance solution is to stop criminals from using consumer information and making the data trade more transparent.

Why the Vermont Law is an Important Fraud and Compliance Solution

Many US consumers are not aware of how this law serves as a fraud prevention solution. They are also not aware that companies use the data they collect about them from social media visits or website traffic.

Many companies use the data to create “shadow” profiles of consumers. These profiles help determine creditworthiness, favorability of offers from financial institutions, and even which job openings to show people online. For the most part, these “shadow” profiles are unregulated in the US. The Vermont law changes this.

What the Vermont Law Does

Under the guidelines of the new bill, data brokers must register with the Vermont Secretary of State and pay an annual $100 fee. Registering with the state presents new scrutiny for data brokers. Vermont requires brokers to better inform consumers about the data they collect about them. It requires them to provide clear instructions for opting out of data collection. Brokers must be transparent and report information about how they collect, store and sell consumer data to the state. They must also implement a comprehensive data security system that builds a fraud prevention solution. Plus, they must create safeguards to protect consumers’ personal data.

How the Law Defines a Data Broker

The new law in Vermont changes the definition of what a data broker is. It takes a broad approach and defines a data broker as a business or collection of businesses that knowingly collects and sells or licenses personal information from consumers to third parties with whom they do not have a relationship.

Businesses that collect, sell and license their own consumer’s data are not affected by the law, as long as they have a direct relationship with those consumers and the sale of data is merely incidental. This means that companies like Google, who collects data directly from consumers that use their search engine, are not affected by the law while data brokers, who collects data through indirect means, are affected.

Noncompliance is Costly

Data brokers are forbidden from acquiring consumer personally identifiable information (PII) through illegal means. It also prohibits them from using PII to harass, stalk, commit fraud or perform any other illegal activity. If a data broker fails to meet the standards set forth by Vermont or suffers a data breach, they will have to notify authorities about the incident. Previously, they were not required to do so. Regulators within the state will be able to keep tabs on companies through this law. This will allow them to penalize a data broker through legal enforcement actions if they find out they are using consumer data for unethical purposes, such as in the Cambridge Analytica scandal where Facebook users were unaware that their PII was being accessed and used to manipulate the 2016 US election.

Additional Consumer Protections

The Vermont bill adds some benefits to its residents. It waives the $10 fee for freezing a credit report and $5 fee for lifting the freeze. Credit reporting bureaus like Equifax, Experian and Transunion will have to allow Vermont residents to control their accounts without charging those fees. If a consumer feels that their data was sold and led to illegal discrimination, they can now take a data broker to court and hold them responsible for the injustice. This gives Vermont residents the ability to monitor and safeguard their own credit. It will empower them in a way unavailable to most US consumers.

How Does it Compare to GDPR

Overall, GDPR is still a stricter fraud and compliance solution than the Vermont law. Nevertheless, Vermont is paving the way for future consumer privacy legislation in the US. Clearly, the support for consumer data protection is there, especially given the amount of data breaches plaguing US citizens in 2018. California has also followed suit and created their own consumer privacy laws, called CCPA, creating more of a demand for consumer data protection. It seems likely that many more states will follow Vermont and California’s lead and introduce privacy laws to protect consumers in the near future. This could pave the way for federal legislation concerning consumer privacy in the US.

The post Vermont Consumer Privacy Law as a Fraud and Compliance Solution appeared first on IDMERIT.

Any individual who participates in the credit economy has a credit file. They do not have a choice in the matter. A clear majority of adults have credit reports. Because of this, data for credit files is compiled by credit bureaus.

What Systems use Credit Header Data for Identity Verification Checks

The financial sector has used data from credit files to check identities for years. This data is regulated and considered an official data source. Data from credit files provides financial institutions all the information they need to perform an accurate identity check. This is an integral part of the Know Your Customer (KYC) and Anti-money laundering (AML) process aimed at combating financial fraud.

The Erosion of Trust

Credit bureaus have the right to sell the data they compile. Individuals are not given an option to opt-out. This makes header data extremely valuable. It also makes it vulnerable to attack. This has been showcased by the Equifax data breach in 2017. The Equifax data breach affected nearly half of all Americans and has placed their personal information at risk.

With the recent Equifax data breach, it is assumed that criminals can easily access the data from credit files from US victims. This puts the name, address, date of birth and Social Security the victims at risk. Many affected individuals worry that their personally identifiable information (PII) is publicly available. Many consumers state that they expect companies to protect their PII and consumer data yet have lost trust in companies to do this after this data breach. As a result, this has made individuals, especially in the US, more reluctant to provide PII during the identity verification process.

Compliance Laws Aim to Rebuild Trust

New laws are emerging that aim to restore trust between consumers and businesses. They aim to give consumers peace of mind that their PII is being protected from attack. This will make performing KYC and AML checks easier for many companies, especially financial institutions. Laws like PSD2, GDPR, and other regulations aim to provide consumers with data protection. They will do this without requiring additional identity verification investments and will not put additional consumer data at risk.

Financial Institutions will Continue to Rely on Data from Credit Files

Despite the issues associated with the Equifax breach, the financial industry will continue to use data from credit files for identity checks in KYC and AML processes. Most of the US economy has been built on consumer spending and that is unlikely to change. This means consumers can expect banks to crosscheck their PII against data from credit files when applying for credit for at least the next five years.

A Call for Change

The reliance on data from credit files for identity verification is a dangerous game. The Social Security Number has been glorified as the most important piece of PII a person has, yet it can be easily accessed through credit files. Since individuals do not have a choice in sharing this information, it puts all individuals at risk of identity-related fraud. If a criminal gains access to an individual’s Social Security Number, they can wreak havoc on their identity.

In many instances, using public record are a better option for identity verification checks than data from credit files. Even in highly regulated industries, like the financial sector, the use of public record data can reduce cost, complexity, and risk. They can offer a higher return on investment for certain fraud management activities.

Public record data can be obtained from a variety of places: property tax records, the information given voluntarily by customers such as subscriptions, and proprietary information such as utility records or mobile subscriber data. These types of files are separate from credit bureaus and usually do not contain sensitive PII—specifically, Social Security Numbers. Minimizing the use of this sort of data for identity verification checks can increase the effectiveness of a fraud management process.

Overall, there are many pro and cons of using header data from credit report, but in the world of identity verification using multiple and complementary sources will provide robust results.

The post The Pros and Cons of Credit Header Data for Identity Verification Checks appeared first on IDMERIT.