If you had Googled “red flag” six months ago, it would have returned page after page of links to sites selling flags or discussing martial law. Today, the term “red flag” has become synonymous with the new identity theft red flag rules and guidelines. These new rules require financial institutions or creditors to have a written identity theft prevention program in place to detect, prevent and mitigate identity theft in connection with opening or accessing certain accounts by Nov. 1, 2008.
Q: What are my requirements under the new rules?
A: Each financial institution or creditor that offers or maintains covered accounts must develop a program to detect, prevent and mitigate identity theft. The program must be updated regularly, include risk management, training, service provider oversight and be reported to the board of directors or a committee of the board at least annually.
The final ruling clearly states you must have a separate identity theft prevention program; however, you can incorporate into it existing policies and procedures, such as those already developed in connection with your information security program, customer identification program or fraud prevention program.
Q: What is a covered account?
A: For the purposes of the program, a covered account is:
“(1) An account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account; and (2) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”
Q: What must be included in the risk assessment?
A: The risk assessment is possibly the most talked about component of the ruling; however, it receives perhaps the least amount of attention within the guidelines. In fact, the term “risk assessment” is used only once in the final regulation:
“Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section . . .”
However, with any successful program, risk management is key. We recommend approaching the risk assessment from a risk mitigation standpoint.
First, consider the risk levels. At a minimum, consider the likelihood of identity theft, the potential damage associated with identity theft and, finally, the overall risk of identity theft. Banks should probably break this down by account type because one account may have a higher risk of identity theft than another. For example, the risk of identity theft could be greater for a credit account than a safe deposit account.
Second, define the threats associated with identity theft. If you boil the threat of identity theft down to its basics, you uncover two threats: fraudulently opening an account and hijacking an account (or unauthorized access). So, consider each of these threats for each covered account.
Next, determine the methods used to open and access the accounts. This may increase or decrease the risk. For example, the risk associated with opening a credit account in person may be less than the risk associated with opening a credit account via the Internet.
Finally, consider previous experiences with identity theft. These trends can help determine and define higher risk areas. For example, you may be able to determine from prior experience that the risk of unauthorized access to deposit accounts is greater than the risk of unauthorized access to lending accounts.
Once you have completed the risk assessment for opening and accessing each covered account, you will have the information you need to ensure your controls (red flags) are appropriate to mitigate the risk.
Q: Do I have to incorporate all 26 red flags from Supplement A into my program?
A: No, the 26 red flags listed in Supplement A to Appendix J are only illustrative examples. In addition, you are not limited to using only the 26 example red flags; you can also create your own. If you choose not to use one of the examples, we do recommend you document why. This will be helpful once you begin the examination phase.
Q: The final rules require a financial institution to “exercise appropriate and effective oversight of service provider arrangements,” which raises the question, what is the definition of a service provider?
A: The term “service provider” used in the final ruling was based on the definition of “service provider” in the Information Security Standards: “service provider means a person that provides a service directly to the financial institution or creditor.”
The greatest risk is associated with service providers that perform activities in connection with one or more of your institution’s covered accounts — for example, a service provider that is opening loan or lending accounts on your behalf. Many banks are simply managing the service providers through contractual requirements; however, some banks are going so far as to audit the service providers to ensure customer data is protected.
Q: What does the annual report to the board of directors need to include?
A: Each financial institution must report to the board of directors, an appropriate committee of the board or a designated employee at the level of senior management at least annually. The report should include:
• Effectiveness of policies and procedures in addressing the risk of identity theft in connection with opening or accessing covered accounts.
• Service provider arrangements.
• Significant incidents involving identity theft and management’s responses.
• Recommendations for material changes to the program.
To view the entire final ruling, visit http://www.conetrix.com/files/ITPP_Regulation.pdf.
Russ Horn is the chief operating officer for CoNetrix. Horn can be reached at 800-356-6568 or www.conetrix.com.
Copyright © September 2008 BankNews Publications