Fraud and Identity Theft Prevention and Investigation Procedures.docx

Fraud and Identity Theft Prevention and Investigation Procedure

Document information and change log

Document Information

Header

Information

Next review

Aug  13, 2025

Status

Update

Regional scope & language

Territory of USA in English

Applies to entities

Give Corporation Inc.

Overall responsibility

Loraine Stewart, CCO

Approved by

Joshua Rowley, CEO; Aaron Miller, CRTO

Change log

Date

Version

Reason for version

Sep 01, 2017

1.0

Initial Release

Sep 1, 2018

2.0

Annual Review

Sep 1, 2019

3.0

Annual Review

Sep 1, 2020

4.0

Annual Review

Sep 1, 2021

5.0

Annual Review

Sep 1, 2022

6.0

Annual Review

Aug 12, 2025

7.0

Annual Review


Gender And Entity Neutrality

The masculine form is used solely for the sake of better readability. It always refers to persons of any gender identity (m/f/diverse). This document uses the abbreviation “Give” for all legal entities and subsidiaries.

Table of Contents

Purpose        3

Scope        3

Definitions        3

Prevention        3

Detection        4

Incident Response        4

Incident Identification        4

Initial Containment        4

Gather Evidence        4

Determine Extent of Breach        4

Notification        5

Remediation        5

Recovery        5

Review and Learn        5

Maintain Transparency        5

Merchant Risk Profiling & Monitoring        5

Overview        5

Risk Monitoring        6

Risky Activity Examples        6

Risk Indicators        6

Red Flags        6

Documentation Red Flags        6

Personal Information Red Flags        6

Account Activity Red Flags        7

Suspicious Actions        7

Alerts, Notifications, and Complaints        7

Online/Technology Red Flags        7

Application Red Flags        7

Compliance and Enforcement        7

Purpose

This policy establishes clear guidelines and procedures for preventing, detecting, and addressing fraudulent activities and identity theft. Adherence to these measures protects Give and its customers from financial losses, reputational damage, and legal consequences, while ensuring compliance with applicable laws and regulations.

Scope  

This policy applies to all employees, contractors, and third-party partners who have access to Give’s systems, customer data, or financial resources.

Definitions

Identity Theft

The fraudulent acquisition and use of a person's private identifying information, usually for financial gain.

Red Flag

A pattern, practice, or specific activity that indicates the possible existence of identity theft.

Prevention

Proactive measures are essential to reduce the likelihood of fraud and identity theft incidents.

  • Secure Storage & Transmission: Encrypt all customer and employee PII during storage and transmission.
  • Access Control: Limit access to PII to authorized personnel only.
  • System & Software Maintenance: Patch systems and applications regularly.
  • Continuous Improvement: Refine prevention strategies based on lessons learned from incidents.
  • Employee Training: Provide ongoing training on fraud red flags.
  • Vendor Vetting: Perform due diligence on third-party providers.
  • Automated Monitoring: Deploy systems to detect abnormal account activity.

Detection

Early detection minimizes damage and speeds response.

  • Transaction & Account Monitoring: Identify patterns suggesting unauthorized activity.
  • Employee Awareness: Train staff to recognize identity theft and fraud indicators.
  • Audits & Vulnerability Assessments: Regularly review systems and processes for weaknesses.

Incident Response

 Incident Identification

  • Automated Alerts from IDS, SIEM, and logs.
  • User Reports of suspicious activity.
  • Unusual System Behavior such as unexplained downtime or abnormal performance.

Initial Containment

  • Isolate Affected Systems to stop ongoing attacks.
  • Preserve Evidence before making changes.
  • Maintain Business Continuity using unaffected systems.

Gather Evidence

  • Review application, access, database, and system logs for anomalies.

Determine Extent of Breach

  • Identify affected accounts, compromised data, and the entry point.

Notification

  • Internal: Alert leadership, Legal, Compliance, and PR.
  • External: Inform affected users with clear guidance.
  • Regulatory: Fulfill breach reporting obligations.

Remediation

  • Close vulnerabilities, reset passwords, review permissions.

Recovery

  • Monitor systems post-remediation.
  • Enhance security controls such as MFA and intrusion prevention.

Review and Learn

  • Conduct post-incident reviews, update policies, and train staff.

Maintain Transparency

  • Keep stakeholders informed and maintain thorough documentation.

Merchant Risk Profiling & Monitoring

Overview

Evaluate and classify merchants based on risk to the payment ecosystem.

Risk Monitoring

  • Assign risk profiles with points and color-coded levels.
  • Separate merchant risk profiles from transaction risk profiles.
  • Any risk triggers compliance alerts; high risk may auto-disable processing.

Risky Activity Examples

  • Sales spikes, high chargebacks/refunds, repeated forced transactions, low-value transaction bursts, use of stolen/blocked cards, rounded-dollar transactions, multiple customers sharing the same card.

Risk Indicators

  • Deviations in sales volume, average transaction size, count, chargeback/refund rates, prepaid card usage—compared to both historical and global benchmarks.

Red Flags

Documentation Red Flags

  • Forged, altered, or fake documents.
  • Mismatched descriptions/photos.
  • Signs of tampering such as irregular fonts or seals.

Personal Information Red Flags

  • Discrepancies with existing records, multiple applications, inconsistent spellings, deceased SSNs, fictitious addresses.

Account Activity Red Flags

  • Unexpected account activity, high transaction volumes, large foreign transfers, mismatched billing/shipping.

Suspicious Actions

  • Avoiding in-person interactions, evasive answers, rapid high-value spending, dormant accounts reactivated.

Alerts, Notifications, and Complaints

  • Customer reports, law enforcement alerts, fraudulent account openings, returned mail.

Online/Technology Red Flags

  • Unusual IPs, rapid account changes, unfamiliar devices, IP spoofing, multiple declines.

Application Red Flags

  • Applying for credit after an inquiry, multiple inquiries in short time.

Compliance and Enforcement

Non-compliance with this policy may result in disciplinary action, up to and including termination, and potential legal consequences.

The information contained herein is intended to provide a general overview of the Company’s policies and procedures relating to compliance with this Policy and does not constitute legal advice or a complete description of the laws and regulations relating to this Policy. The Company has made every effort to ensure the accuracy and completeness of this Policy.  This document is intended to provide guidance to employees of Company on how to comply with applicable laws and regulations related to this Policy. Employees should consult with the Legal or Compliance Department if they have any questions about the Policy or how to comply with it. Company reserves the right to modify or update this Policy at any time without notice. Employees are responsible for reviewing the Policy on a regular basis to ensure that they are aware of any changes. This Policy applies to all employees of Company, regardless of their position or location unless stated otherwise in the Policy. Employees are responsible for complying with the Policy and for reporting any suspected violations to their respective supervisor, the Legal Department, AMLCO or respective recipient of such violation as outlined in this Policy.

Copyright © GiveCorporation Inc. All Rights Reserved