How do the requirements for an [b]Identity Theft Policy fit with the requirement to have an Infromation Security Policy? It seems that the Identity Theft Policy would now incorporate the bank's information security policy. Do these need to remain separate?

Yes, they need to remain separate. They are established for entirely different reasons. When you are doing your risk assessment for Identity Theft Prevention Policy (ITPP), it would be helpful to put your information security risk assessment and your BSA risk assessment into the mix. Some issues will be very similar, others may augment the ITPP.

Your identity theft policy could be incorporated into your bank's Security Program. Since the security program ties to the overall operation of the financial institution, you can add a separate section on identity theft/consumer fraud. That is what I am going to do and based on discussions with regulators, they are fine with it as the security officer will be responsible for program monitoring.