Is there an annual reporting requirement to the Board for the FACTA/ID Theft Protection Program?

There is a reporting requirement under Section VI(b) of the Guidelines. You must report on compliance not less than annually to either the board, a committee of the board or a designated senior management employee.

Yes, below are a few quotes from the regs (note, this is under section VI (Methods for Administreing the Program):

"(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance..."

"(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program."