Red Flag Rule
Lucy Griffin, BOL Guru
Editor, Compliance Action
Almost four years after the passage of the FACT Act, the bank regulatory agencies have issued a joint rule on identity theft red flags. The final rule accommodates programs already in place, such as CIP, but imposes new standards of care with respect to identity theft and also requires institutions to develop a written red flag program.
The Identity Theft Prevention Program (ITPP) must be risk-based. The risk analysis performed for the BSA program could provide a strong basis for the red flag program. In fact, the Red Flag rule would accommodate a combination of the two programs as long as appropriate attention is given to each issue.
The regulation covers all consumer accounts - including loans - and any other account which could expose the institution or the consumer to identity theft risk. Effectively this means that business accounts are also covered.
The ITPP must include a risk assessment based on the methods used to open accounts, access accounts and the institution's previous experience with identity theft. As a practical matter don't limit the "experience" provision to the institution itself. Include your vendors and service provides as they are part of the risk that you face.
The program should establish how the institution will identify, detect and respond to any Red Flags. Needless to say, the program must be Board-approved and updated regularly to accommodate changes in risk presented by the bank's products, the market and identity theft techniques.. It should also include provision for training of staff and appropriate oversight of service providers.
The regulation includes a list, prepared by the agencies, of various types of red flags that could indicate some form of identity theft. The bank's program must include a review and consideration of each method on the list but should also anticipate new theft techniques as they evolve.
Security methods for confirming customer identification may prove to be the core of any Identity Theft Prevention Program. Security methods should include how customer identities and addresses will be verified, how accounts will be monitored, and how the bank will work with law enforcement if identity theft occurs.
Did you know that you can receive announcements about new Executive Briefings via email? We have a special Executive Briefing email list. It's free! Click here to subscribe.
Don't miss a single issue of Executive Briefing. Click the Archive link below.
--Executive Briefing Archive--
First published on BankersOnline.com 1/8/2008
Privacy Policy Disclaimer Recommend This Site ! Contact Us
BankersOnline is a free service made possible by the generous support of our advertisers and sponsors. Advertisers and sponsors are not responsible for site content. Please help us keep BankersOnline FREE to all banking professionals. Support our advertisers and sponsors by clicking through to learn more about their products and services.
|
|
Print Friendly!
Email This Article!
Discuss NOW!