I agree with Express EGB. If you read the responses to the initial draft of rules and regulations, and the "Agencies" response, it seems clear they require a separate Program, but will allow it to reference existing Programs - see excerpts below:
Reponse from financial institutions to proposed rules:
pg. 8
"Several financial institution commenters objected to what they perceived as a proposed requirement that financial institutions and creditors have a written Program solely to address identity theft. They recommended that the final regulations allow a covered entity to simply maintain or expand its existing fraud prevention and information security programs as long as they included the detection, prevention, and mitigation of identity theft. Some of these commenters stated that requiring a written program would merely focus examiner attention on documentation and cause financial institutions to produce needless paperwork."
The Agencies response:
pg. 8
"Section l.90(d) of the final rules requires each financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. To signal that the final rules are flexible, and allow smaller financial institutions and creditors to tailor their Programs to their operations, the final rules state that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
The guidelines are appended to the final rules to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulation. Section I of the guidelines, titled ‘‘The Program,’’ makes clear that a covered entity may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program. This will avoid duplication and allow covered entities to benefit from existing policies and procedures."
pg. 9
"The Agencies recognize that requiring a written Program will impose some burden. However, the Agencies believe the benefit of being able to assess a covered entity’s compliance with the final rules by evaluating the adequacy and implementation of its written Program outweighs the burdens imposed by this requirement.
Moreover, although the final rules continue to require a written Program, as detailed below, the Agencies have substantially revised the proposal to focus the final rules and guidelines on reasonably foreseeable risks, make the final rules less prescriptive, and provide financial institutions and creditors with more discretion to develop policies and procedures to detect, prevent, and mitigate identity theft."