I don't think it's a matter of being on the right track. If you want to cover it as part of your BSA policies, I don't think that's wrong, but I'd include it under suspicious activity monitoring activities rather than CIP. But if I would mention it in my BSA policy, I think I'd address the red flag monitoring in my FCRA policy and simply cross reference my BSA policy to the FCRA policy.
I'm struggling a little with thinking of red flag monitoring as a CIP issue. CIP is handled when an account is opened. Once it's done, it's done. I do, agree, however, than ID theft issues might cause you to question how well you do know your customer. But that's a problem that can be handled as a problem of it's own, rather than becoming a CIP problem.
It's true that SARs should be filed for suspected cases of ID theft, but I don't think every SAR issue is BSA related. But there's certainly nothing wrong (in my mind) with covering your SAR policy under your overall BSA policies. That's one way to do it.
Again, I'm just thinking this through, so if anyone else has any thoughts, please chime in.