Identity Theft Red Flags – the reader’s digest version

By: (CISA, CISSP, CRISC)

Publication: The Colorado Banker, March/April 2008

On November 9, 2007 the OCC, Board, FDIC, NCUA and FTC (the Agencies) jointly issued the final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. The rules implementing section 114 require financial institutions or creditors to develop and implement a written Identity Theft Prevention Program (the Program) to detect, prevent, and mitigate identity theft in connection with covered accounts and to establish policies and procedures to assess the validity of a change of address. These rules and guidelines became effective January 1, 2008, and require financial institutions to comply by November 1, 2008.

So, what does this mean to my bank?

Every financial institution or creditor that offers or maintains covered accounts must, by November 1, 2008, develop and implement a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must involve the Board of Directors or an appropriate committee of the Board, and must be updated and approved periodically. The Program must include reasonable policies and procedures to identify, detect, and respond to appropriate Red Flags. In addition, the Program must exercise appropriate and effective oversight of service provider arrangements and train staff, as necessary, to implement the Program effectively.

What is a covered account?

A covered account is defined as (1) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (2) any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

What is a Red Flag?

A Red Flag refers to a pattern, practice, or specific activity that indicates the possible existence of identity theft. Supplement A to the final rules and guidelines provides 26 examples of Red Flags for consideration when implementing the Program.

What if I cover this territory in my Information Security Program, Fraud Prevention Program or other policies and procedures?

The final rules do require a new, separate Identity Theft Prevention Program. The Agencies recognized that requiring a new Program would impose some burden, but they stated that the benefit of being able to assess compliance with the final rules outweighs the burden imposed by the requirements. The Agencies did make clear that the Program can reference other policies and programs to avoid duplication.

What is the estimated burden?

The FFIEC estimates the total annual burden for banks to be around 41 hours, broken down as follows:

  • 25 hrs to develop a Program
  • 4 hrs to prepare an annual report
  • 4 hrs for training
  • 4 hrs for developing policies and procedures to assess the validity of changes of address
  • 4 hrs for developing policies and procedures to respond to notices of address discrepancy

Where can I go to get more information?