I have been reading the above Final Rule that was just passed and wanted to know if this needs to be included in the BSA Policy. So far I have not addressed this in our BSA Policy as I felt like it should be addressed in the Branch Operations but the more I see and read about it, the more I think it should be addressed in the BSA Policy also.

This sections is the part that makes me consider adding a section in my policy:

The Final Rule provides the basis for financial institutions to formally prepare to adopt an "Identity Theft Program". The elements included in the Final Rule for establishing this Program require each institution to evaluate the following:
1. Which of its accounts are subject to risk of identity theft;
2. The methods it provides to open these accounts;
3. The methods it provides to access these accounts:
4. Its size, location and customer base; and
5. Its previous experiences with identity theft.

Based on these elements, each financial institution will be expected to conduct a risk assessment.

How has everyone else handled this so far. How does this impact BSA or does it?

We're still analyzing the impact of the rule on our institution, however, I'm not planning on incorporating the ID theft red flag rules into our AML policy. Sure, they might intersect, but I think the regulatory requirements are two different animals.

I talked with someone at Sheshnoff (sp?) & they said it IS going to effect BSA/AML ...

anyother thoughts ?

I was looking for a list of the Red Flags.
Can anyone direct me to that?

Mary Beth Guard and Jack Holzknecht recently did a webinar on the new Red Flag ID Theft and Address Change Guidelines. Copies are available on CD-ROM in the Banker Store.

They are also offering a webinar on Implementing the Guidelines on January 8, 2008.

The agencies included a starter list of Red Flags in Supplement A to Appendix J to Regulation V.

http://www.bankinfosecurity.com had some really great information and all sorts of links for the new requirements.

It seems like a Program monster of it's own (similar to BSA/CIP/OFAC ...etc ... policies).

I'm going to tackle it exactly how I tackled the others. Risk Asses, Train, Board Approve ... etc ...

Is this how everyone else is going about it?

Well, probably not the "Risk Asses" part!

HAH! sorry 'bout that

Did they tell you why? I just don't see it. AML is AML and FCRA is FCRA. If anyone knows something I'm missing, please speak up.

I don't know - he might have been just trying to sell me something ...

but see it as "Identity Theft" is a section on a SAR - so as the BSA Officer, I would need to be tuned in and cross reference a section in my BSA/CIP Policies that would direct you to the Identity Theft Policy.

Am I on the wrong train track?

I don't think it's a matter of being on the right track. If you want to cover it as part of your BSA policies, I don't think that's wrong, but I'd include it under suspicious activity monitoring activities rather than CIP. But if I would mention it in my BSA policy, I think I'd address the red flag monitoring in my FCRA policy and simply cross reference my BSA policy to the FCRA policy.

I'm struggling a little with thinking of red flag monitoring as a CIP issue. CIP is handled when an account is opened. Once it's done, it's done. I do, agree, however, than ID theft issues might cause you to question how well you do know your customer. But that's a problem that can be handled as a problem of it's own, rather than becoming a CIP problem.

It's true that SARs should be filed for suspected cases of ID theft, but I don't think every SAR issue is BSA related. But there's certainly nothing wrong (in my mind) with covering your SAR policy under your overall BSA policies. That's one way to do it.

Again, I'm just thinking this through, so if anyone else has any thoughts, please chime in.