#1664229 - 02/13/12 06:31 PM Auditing ID Theft Prevention Program???
Polo Offline
100 Club
Polo
Joined: Feb 2003
Posts: 178
Can someone point me to the right place?
An examiner tells me that we should have an annual independent audit of our ID Theft/Red Flags prevention Program. However, I cannot find where that requirement is. I'm sure it's there, but where?

Please help
Thank you

#1664247 - 02/13/12 06:47 PM Re: Auditing ID Theft Prevention Program??? Polo
ItNeverEnds CRCM Offline
Platinum Poster
Joined: Oct 2006
Posts: 995
Looking for my sanity
If someone can point to it, I'd appreciate it too. There is nowhere that I could find that says that. I had this same argument with an examiner in the past. She (FDIC examiner) tried to prove her point, but she couldn't find the requirement anywhere either. It was comical though because she'd say "well, it's in the federal register", and then I'd say, "well, I couldn't find it there, can you show me?". So she'd try and then say, "Oh, it's in the FDIC IT theft exam procedures", so I'd say, "oh, I couldn't find it there, can you show me?" This went on and on. She still insisted that it was required. My response was that it's on our audit risk assessment and will be conducted on whatever frequency we've determined. She ended up noting in our report that we hadn't fully complied with the regulation. This was in June 2009, and the program hadn't even been in place for a year yet. I've heard this once again since 2009 from the FDIC, but it had been covered in an audit within the past year, so I didn't press the issue at the time.
_________________________
"The reason I talk to myself is because I'm the only one whose answers I accept."
- George Carlin

#1664267 - 02/13/12 07:01 PM Re: Auditing ID Theft Prevention Program??? Polo
Polo Offline
100 Club
Polo
Joined: Feb 2003
Posts: 178
We have been "written up" or notified that we also did not comply with this regulatory requirement. Yet, no one (FDIC Examiners) has been able to point to a "Thus saith the reg."
So, now our new auditor is trying to comply with management's instruction to him that this matter needs to be addressed.

So during his audit he has noticed that our ID Theft Prevention Program does not specify that an audit must be done. He's wanting to write us up for that. I would gladly have that put into our program, but I am going to have to find out what requirements are stipulated before I nose-dive into such a policy change.
Does anyone have a clue?
Please help us both....

Thank you friends

#1664328 - 02/13/12 07:46 PM Re: Auditing ID Theft Prevention Program??? Polo
A_G Offline
10K Club
Joined: Jul 2004
Posts: 18,989
I don't believe that an annual, independent audit is a requirement; however, this topic should somehow be included in your risk-based audit schedule (be prepared to support your reasoning for the frequency).

Are you sure that you aren't confusing it with this - from Appendix J of Reg V:

VI. Methods for Administering the Program
(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 222.90 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.

(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 222.90 of this part. (2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.




_________________________
With the lights out, it's less dangerous.

#1664385 - 02/13/12 08:34 PM Re: Auditing ID Theft Prevention Program??? Polo
Polo Offline
100 Club
Polo
Joined: Feb 2003
Posts: 178
(b) Reports...

Actually, we had those reports ready for the examiner. I figured he would ask for those. And, he found ours to be in good order with few exceptions.

He specifically said we were REQUIRED to have an independent audit, annually.
However, I fully agree that the risk-based audit schedule should certainly address it and if for no other reason conduct periodic audits as a best-practice.
The problem I face is that the examiner told our CFO that we would be "cited" next year if no audit was conducted and now I have the auditor telling me that he's going to write me up for not having in our policy that an annual audit is to be performed.
IMO, if it's not required, it doesn't need to be in our policy.

#1664392 - 02/13/12 08:40 PM Re: Auditing ID Theft Prevention Program??? Polo
A_G Offline
10K Club
Joined: Jul 2004
Posts: 18,989
I sent you a PM...
_________________________
With the lights out, it's less dangerous.

#1664461 - 02/13/12 09:55 PM Re: Auditing ID Theft Prevention Program??? Polo
ItNeverEnds CRCM Offline
Platinum Poster
Joined: Oct 2006
Posts: 995
Looking for my sanity
Mr. A_G-DDD - I think this could be where they're trying to state that an annual audit is required, from our exam report last year "the bank should annually assess its compliance with the regulation". We complete our annual report and the examiners don't have any issues with our program at all, except to keep commenting that an annual audit is required. We have ID Theft as its own line item on our Audit Risk Assessment, and I've tacked this onto our last IT audit as a scope item, but they are really dead set that the regulation requires an annual audit, which it does not state anywhere that I've been able to find, nor has the FDIC. And I'm not going to commit to an annual audit. So I just keep stating that it's on our risk assessment and we'll schedule audits based upon that.
_________________________
"The reason I talk to myself is because I'm the only one whose answers I accept."
- George Carlin

#1664584 - 02/14/12 01:13 PM Re: Auditing ID Theft Prevention Program??? ItNeverEnds CRCM
A_G Offline
10K Club
Joined: Jul 2004
Posts: 18,989
Imo, as it says "Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors..." then by definition this isn't an audit.

Audit staff should have nothing to do with the development, implementation, and administration of operational stuff. An audit provides an independent assessment of the above.
_________________________
With the lights out, it's less dangerous.

#1683643 - 03/29/12 03:15 PM Re: Auditing ID Theft Prevention Program??? A_G
HGICO Offline
Junior Member
Joined: Nov 2004
Posts: 36
Midwest
On a related note, where are the exam procedures for Red Flags portion of FACTA? FDIC's Exam Manual was last updated 6/11 and it doesn't address this section of FACTA. Exam procedures would normally be a good audit tool, but if they don't even have any procedures. Point me in the right direction if someone is aware of any.

#1685877 - 04/04/12 09:34 PM Re: Auditing ID Theft Prevention Program??? HGICO
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Here are the Red Flag Interagency Exam Procedures issued in 2008: http://www.federalreserve.gov/boarddocs/srletters/2008/SR0807a2.pdf
