Monday, December 17, 2007

Identity Theft Red Flags Rule Effective Jan 1 2008

The following is an excerpt from a newsletter sent to me by The Institute of Fraud Risk Management. This is not my research, and full credit for this post is given to them. This is the organization that certified me as an "Identity Theft Risk Management Specialist." They have a wealth of information, and if you are a security professional, their designation is one you MUST have. For more information, please visit www.tifrm.com


------------------------------------------------------------------------------------------------


Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003

(aka Identity Theft Red Flags Rule)

Background:

The final rule, Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003, implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act. The purpose of the Rule is to minimize incidents of identity theft and fraud in the opening and maintenance of covered accounts by financial institutions and creditors, and to address notices of address discrepancy received by users of consumer reports (credit reports and specialty consumer reports) and by debit or credit card issuers.

Summary of Key Requirements:

The final rules require each financial institution and creditor that holds any consumer account, or any other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement a written Identity Theft Prevention Program for combating identity theft in connection with the opening of new accounts and the maintenance of existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft affecting its customers, and must enable the financial institution or creditor to specifically:

  1. Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;
  2. Detect red flags that have been incorporated into the Program;
  3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The agencies also issued guidelines to assist financial institutions and creditors in developing and implementing a Program, including a supplement that provides examples of red flags.

The final rules also require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the final rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.
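The change-of-address requirement above describes a concrete detection pattern: an address change on a card account followed closely by a request for an additional or replacement card. The following is an added example, not code from the newsletter or from The Institute of Fraud Risk Management, showing how an issuer could scan its own account event log for that sequence so the request can be verified with the cardholder before a card is sent to the new address. The log format, the account numbers, the event names and the 30-day window are all assumptions constructed for the example; the rule itself sets no specific window.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class AccountEvent:
    account_id: str
    timestamp: datetime
    event_type: str  # e.g. "address_change", "card_request", "balance_inquiry"


@dataclass(frozen=True)
class RedFlag:
    account_id: str
    address_change_at: datetime
    card_request_at: datetime
    days_between: int


# Constructed sample log lines in a hypothetical "TIMESTAMP key=value ..." format.
# Account 1001: card requested two days after an address change (red flag).
# Account 1002: card requested BEFORE the address change (not the pattern).
# Account 1003: card requested 65 days after the change (outside a 30-day window).
# Account 1004: unrelated activity only.
SAMPLE_LOG = """\
2008-01-03T09:12:00 acct=1001 event=address_change
2008-01-05T14:30:00 acct=1001 event=card_request
2008-01-02T10:00:00 acct=1002 event=card_request
2008-01-20T11:00:00 acct=1002 event=address_change
2008-01-10T08:00:00 acct=1003 event=address_change
2008-03-15T08:00:00 acct=1003 event=card_request
2008-02-01T12:00:00 acct=1004 event=balance_inquiry
"""


def parse_events(log_text: str) -> List[AccountEvent]:
    """Parse 'TIMESTAMP key=value ...' lines into AccountEvent records."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccountEvent(kv["acct"], datetime.fromisoformat(ts_text), kv["event"]))
    return events


def detect_red_flags(events: List[AccountEvent], window_days: int = 30) -> List[RedFlag]:
    """Flag every card request that follows an address change on the same account
    within window_days. Events are processed in time order per account, so a card
    request that precedes the address change is not flagged."""
    by_account: Dict[str, List[AccountEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.timestamp):
        by_account.setdefault(e.account_id, []).append(e)

    flags: List[RedFlag] = []
    for account_id, account_events in by_account.items():
        prior_changes: List[datetime] = []  # address changes seen so far on this account
        for e in account_events:
            if e.event_type == "address_change":
                prior_changes.append(e.timestamp)
            elif e.event_type == "card_request":
                for change_at in prior_changes:
                    days = (e.timestamp - change_at).days
                    if 0 <= days <= window_days:
                        flags.append(RedFlag(account_id, change_at, e.timestamp, days))
    return flags


if __name__ == "__main__":
    for flag in detect_red_flags(parse_events(SAMPLE_LOG)):
        print(f"account {flag.account_id}: card requested {flag.days_between} day(s) "
              f"after an address change; verify the request with the cardholder before issuing")
```

The output of the detector is a list of requests to hold for verification, not a denial: the rule asks the issuer to assess the validity of the request, for example by confirming it with the cardholder at the previous address or through another channel of record. Widening `window_days` trades fewer missed cases for more requests to verify, which is the kind of parameter the periodic Program update in item 4 above should revisit.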

It is important to note that, as with the Disposal Rule, the Red Flags Rule does NOT automatically apply to every business. Under the final rule, only those financial institutions and creditors that offer or maintain "covered accounts" must develop and implement a written Program. For example, a restaurant that accepts credit cards as a means of one-time payment in full by a customer who purchases a meal is not impacted; whereas, a utility company that opens and maintains accounts for its customers is impacted.

Administration and Oversight of the Program:

Each financial institution or creditor that is required to implement a Program must provide for the continued administration and oversight of the Program and must:

1. Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors; and

2. Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program; and

3. Train staff, as necessary, to effectively implement the Program; and

4. Exercise appropriate and effective oversight of service provider arrangements.

Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

1. Assigning specific responsibility for the Program's implementation;

2. Reviewing reports prepared by staff regarding compliance by the financial institution or creditor; and

3. Approving material changes to the Program as necessary to address changing identity theft risks.

Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.

Flexibility for Small Entities:

The final requirements of the Red Flags Rule were drafted in a flexible manner intended to limit the burden on a substantial majority of low-risk entities, allowing these entities to conduct periodic risk assessments for covered accounts and allowing the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities.

Final Rule Effective Date: January 1, 2008

Date of Mandatory Compliance by Covered Institutions and Creditors: November 1, 2008

Regulatory Agencies: (the applicable regulatory agency is determined by the business's industry or nature of business / statutory regulator)

· Office of the Comptroller of the Currency

· Federal Reserve

· Federal Deposit Insurance Corporation

· Office of Thrift Supervision

· National Credit Union Administration

· Federal Trade Commission