FACT Act Identity Theft Program

11/28/07

Laura Pringle
Partner, Pringle and Pringle Law Firm

Introduction

In a flurry of activity, the federal regulators have adopted additional proposed and final rules to implement several of the required regulations under the Fair and Accurate Credit Transactions Act (“FACT Act”) amendments to the Fair Credit Reporting Act.  One of the adopted final rules, referred to as the “Red Flags Rule,” includes the requirements for the development and implementation of an Identity Theft Program.  In October, the FDIC was the first of the agencies to approve the final rules, to be jointly published by the FDIC, OCC, Federal Reserve, OTS and NCUA, implementing the following sections of the FACT Act:  Sections 114 and 315 (addressing red flags, identity theft, address discrepancies in credit reports, and debit and credit card address changes).  The requirements under Sections 114 and 315 were published on November 9, 2007, and will have an effective date of January 1, 2008, and a mandatory compliance date of November 1, 2008.  The FDIC included a cross reference to these provisions in its Safety & Soundness Standards regulation.

Proposed and Final “Red Flags”

Many financial institutions have already adopted an Identity Theft Policy to address those provisions of the FACT Act itself which specifically deal with identity theft and impose responsibilities on financial institutions.  Also, the proposed “Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation to be considered to establish an Identity Theft Program” have been used in training and in identifying potential identity theft and suspicious activity by many financial institutions.  New “Red Flag” issues which have been incorporated into this final issuance by the regulators include the following:

  • A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report;
  • An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled;
  • The SSN provided is the same as that submitted by other persons opening an account or other customers;
  • The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers; and
  • The financial institution or creditor is notified that the customer is not receiving account statements.

Now financial institutions are preparing to adopt an “Identity Theft Program” which incorporates the work already completed in identity theft policies and training using the “Red Flags” to fully establish and implement an Identity Theft Program prior to November 1, 2008. 

Elements of an Identity Theft Program

The Final Rule provides the basis for financial institutions to formally prepare to adopt an “Identity Theft Program.”  The elements included in the Final Rule for establishing this Program require each institution to evaluate the following:

  • Which of its accounts are subject to risk of identity theft;
  • The methods it provides to open these accounts;
  • The methods it provides to access these accounts;
  • Its size, location and customer base; and
  • Its previous experiences with identity theft.

Based on these elements, each financial institution will be expected to conduct a risk assessment.

Other Identity Theft Program Requirements

The Identity Theft Program requirements incorporate Customer Identification Program (“CIP”) identification and verification issues.  In addition to CIP issues, authentication monitoring and verification of existing customers’ access are readdressed in the Final Rule.  Changes of address for cardholders and address discrepancies are also required to be handled in accordance with specific requirements in the Final Rule.

There also are specific steps in the Final Rule to be delineated in Identity Theft Programs to respond appropriately to “Red Flags” and risks of identity theft.  Similar to response programs for identity theft in the past, a data security incident will require a response to protect against identity theft and potential losses.  Appropriate responses are to be incorporated into Identity Theft Programs including such steps as monitoring accounts and contacting customers.

The new “Red Flags Rule” requires each institution to conduct ongoing and appropriate updating to its Identity Theft Program.  Also, specific assignment of responsibility for implementation of the Program, as well as approval of the Program by the Board of Directors, is required.  This implementation must include the oversight of service provider arrangements in a manner which is comparable to the proper handling of third party risk management issues in each institution’s information security program. 

Conclusion

The newly published “Red Flags Rule” is most expeditiously addressed by an incorporation of steps already taken to adopt identity theft policies and review the red flags for identity theft identified by the regulators.  The new requirements can be appropriately handled by considering the elements of an Identity Theft Program, and addressing the factors and requirements presented by the regulators in the Final Rule, well in advance of the mandatory compliance dates.

PRINGLE® Compliance Policies & Audit Procedures and PRINGLE® Safety & Soundness Policies & Audit Procedures include policies and audit procedures to comply with the FACT Act including a sample Identity Theft Program.