BOL Conferences
#1016113 - 08/08/08 06:03 PM FAACTA /ID Theft Policies and Procedures
tsp Offline
Member
Joined: Dec 2007
Posts: 53
I am very confused as I continue to work on the requirements for Identity Theft. What is everyone doing, as far as names of policies and procedures?
If I have an ID Theft Program that includes all provisions of FACTA, is that enough? Or do I need a FACTA Policy and then an ID Theft Policy and an ID Theft Program?????
Is everyone putting their ID Theft procedures in their ID Theft Program or is it best to refer from the ID Theft Program to other procedures?

#1016131 - 08/08/08 06:20 PM Re: FAACTA /ID Theft Policies and Procedures tsp
Bagweaver Offline
Diamond Poster
Joined: Nov 2005
Posts: 2,409
SW GA
I've entitled my policy as follows: "Fair Credit Reporting Act Policy and The Fair and Accurate Credit Transactions Act Provisions including the Identity Theft Prevention Program."

I didn't want more than one policy but I wanted to make sure that everything was included in the name.
_________________________
Semiretired. Working part-time at Historic Westville as a tour guide.

#1016148 - 08/08/08 06:27 PM Re: FAACTA /ID Theft Policies and Procedures Bagweaver
Sheldon Hendrix Offline
Diamond Poster
Joined: Jun 2006
Posts: 1,194
South
We're just calling it a Program. We will have a generic policy that outlines the requirements and then we are adding specific identification and response procedures as an appendix to the policy.

Policy+Procedures = "Program"

#1016190 - 08/08/08 07:10 PM Re: FAACTA /ID Theft Policies and Procedures Sheldon Hendrix
YHWB Offline
Platinum Poster
Joined: Apr 2005
Posts: 635
Out there
The FDIC in Atlanta had a FACT Act telephone conference and then sent out some Q&A's. This is one of them:

Q: For clarification, are we required or are we not required to have a separate Identity Theft Prevention Program? Are we required to have a separate policy or can we incorporate a policy statement into existing policies?
A: No, the bank is not required to have a stand-alone identity theft prevention program. It can be incorporated into other existing documents, such as the Bank Secrecy Act or Information Security policies and programs.

Q: Please review the examples of reasonable policies and procedures to verify the identity of the consumer before issuing a card.
A: Reasonable policies and procedures include documents already used to verify identity for CIP. ...

#1016269 - 08/08/08 08:28 PM Re: FAACTA /ID Theft Policies and Procedures YHWB
FlappyButterfly Offline
New Poster
Joined: May 2008
Posts: 7
To Mary Ann &/or Jack: In your webinar Implementing Red Flags Guidelines and Address Discrepancy Procedures - page 47 ..."each financial institution or creditor may consider incorporating into its Program Red Flags, whether singly or in a combination, from the following illustrative examples....." QUESTION: What does the phrase "singly or in a combination" mean?? Senior Mgt is wondering if we need to utilize the entire Appendix B Red Flag Checklist questions...

#1019475 - 08/13/08 08:02 PM Re: FAACTA /ID Theft Policies and Procedures FlappyButterfly
E.E.G.B Offline
Power Poster
Joined: Jul 2002
Posts: 6,726
the sandy shore
I'd be careful about relying on existing policies/procedures - the Reg states — (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

I could see having a separate section of the FCRA Policy or the AML policy that was specifically titled Identity Theft Prevention Program (just like a lot of banks' BSA policies have separate sections for CIP), and then incorporating specific references to aspects of other programs as mitigating factors or in reference to procedures. I wouldn't wholesale rely on other policies/procedures to cover it, without addressing ITPP specifically somewhere. (I know a bank that has already said that's what they're going to do, and I think that is asking for trouble.)
_________________________
I disbelieved what he was saying so hard, I probably created an alternate universe where it wasn't true.

#1019520 - 08/13/08 08:36 PM Re: FAACTA /ID Theft Policies and Procedures E.E.G.B
Russ Horn Offline
100 Club
Joined: May 2008
Posts: 139
I agree with Express EGB. If you read the responses to the initial draft of rules and regulations, and the "Agencies" response, it seems clear they require a separate Program, but will allow it to reference existing Programs - see excerpts below:

Response from financial institutions to proposed rules:
pg. 8
"Several financial institution commenters objected to what they perceived as a proposed requirement that financial institutions and creditors have a written Program solely to address identity theft. They recommended that the final regulations allow a covered entity to simply maintain or expand its existing fraud prevention and information security programs as long as they included the detection, prevention, and mitigation of identity theft. Some of these commenters stated that requiring a written program would merely focus examiner attention on documentation and cause financial institutions to produce needless paperwork."

The Agencies' response:
pg. 8
"Section l.90(d) of the final rules requires each financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. To signal that the final rules are flexible, and allow smaller financial institutions and creditors to tailor their Programs to their operations, the final rules state that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
The guidelines are appended to the final rules to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulation. Section I of the guidelines, titled “The Program,” makes clear that a covered entity may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program. This will avoid duplication and allow covered entities to benefit from existing policies and procedures."
pg. 9
"The Agencies recognize that requiring a written Program will impose some burden. However, the Agencies believe the benefit of being able to assess a covered entity’s compliance with the final rules by evaluating the adequacy and implementation of its written Program outweighs the burdens imposed by this requirement.
Moreover, although the final rules continue to require a written Program, as detailed below, the Agencies have substantially revised the proposal to focus the final rules and guidelines on reasonably foreseeable risks, make the final rules less prescriptive, and provide financial institutions and creditors with more discretion to develop policies and procedures to detect, prevent, and mitigate identity theft."
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com
