How the Red Flag regulations drive requirements for financial institutions' identity theft programs.

Compliance Corner is a monthly column focused on security trends and market changes that affect your regulatory compliance initiatives. The topics discussed and questions answered in this column are intended to help guide the management of your compliance program and security risk management practices. If you would like to submit a compliance-related question for consideration in next month's newsletter, please email your question to marketing@perimeterusa.com.

What are the Red Flag Provisions?

In this month's newsletter we explore the new "red flag" provisions of the FACT (Fair and Accurate Credit Transactions) Act. The "red flag" provisions require the federal financial regulatory agencies to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. Under the new regulations, financial institutions and creditors must establish written "Identity Theft Prevention Programs" designed to detect, prevent, and mitigate identity theft in connection with new and existing accounts. In October 2007 the FDIC was the first of the agencies to approve the final rules, which were jointly issued by the FDIC, OCC, Federal Reserve, OTS, NCUA and FTC. The final rules implementing Sections 114 and 315 of the FACT Act were published in the Federal Register on November 9, 2007, took effect on January 1, 2008, and carry a mandatory compliance date of November 1, 2008. The rules require each financial institution or creditor that offers or maintains "covered accounts" to establish a program that identifies risks to account holders and to the safety and soundness of the institution. A "covered account" is (1) an account used primarily for personal, family, or household purposes that is designed to permit multiple payments or transactions, and (2) any other account for which there is a reasonably foreseeable risk to customers, or to the institution's safety and soundness, from identity theft.
The program must be appropriate to the size and complexity of the institution and the nature and scope of its activities, and it must be designed to detect, prevent, and mitigate identity theft in connection with its covered accounts.
Identity Theft and Financial Institutions

Identity theft is the act of stealing someone's personal identifying information and using it to commit fraud. Social Security numbers, driver's license numbers, credit card account numbers, and passwords are all examples of such personal data. Thieves use this data to masquerade as a customer in order to access the customer's financial accounts, withdraw cash, make credit purchases, and open additional accounts in the customer's name.

Financial institutions are often the last line of defense in detecting this type of fraud, which is why they are required to have controls in place that raise red flags on unusual activity. The guidelines incorporated into the regulators' final issuance group red flags into the following categories:
- Alerts, Notifications or Warnings coming from a Consumer Reporting Agency
- Descriptions of Suspicious Documentation
- Examples of Suspicious Personal Identifying Information
- Unusual Use of, or Suspicious Activity Related to, the Covered Account
- Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
Financial Institution Requirements

The clock is ticking for financial institutions to begin implementing the "red flag" requirements as part of a comprehensive identity theft program. As the mandatory compliance deadline approaches, regulators are already adding the "red flag" provisions to their examination scope.

The published rules for compliance with the "red flag" provisions call for each institution to conduct a risk assessment that evaluates the following:
- Which of its accounts are subject to risk of identity theft;
- The methods it provides to open these accounts;
- The methods it provides to access these accounts;
- Its size, location and customer base; and
- Its previous experiences with identity theft.
Among the other new "red flag" requirements, each institution must update its identity theft program periodically to reflect changes in risk. The institution must assign specific responsibility for implementing and administering the program, and the program itself must be approved by the Board of Directors (or an appropriate committee of the Board). The program must also include oversight of service provider arrangements, comparable to the way third-party risk is managed under the institution's information security program.

Conclusion

With the compliance deadline rapidly approaching, financial institutions must take immediate action. As a first step, each institution should review its current program and perform a gap analysis against the new regulations. Once the gaps have been identified, the institution should implement a program that aligns with security and risk management best practices as well as the requirements set out by the regulators in the final rule.