Hello -
I've recently inherited our ID Theft/Red Flags program (w/BOD oversight) - and one of the items in question is that any of the "sample" programs/policies I've found, as well as what we've had in place for a few years says we will notify our regulator (FDIC) in the event of ID Theft.

Is there certain parameters on when our regulator should be notified? I'm guessing they don't want to be notified on every single instance, but larger more significant events - but I can't find any sort of definition on that -yes, I realize I may be searching for a leprechaun here .
I've searched & am coming up empty handed... any pointers?

Thanks - this group's input is always appreciated!

anybody/nobody??

The only time I am aware that the notification of your regulator would be required is in the event of a security breach.

This is the way ours reads, with one small addition in a separate section, our policy states to notify our Regulator if the incident involves a service provider. I can't think of an incident that would involve a service provider that wouldn't be a security breach, so that statement may be overkill, as you would have already been required to notify them of the security breach in the first place.