The Green Sheet Online Edition
September 08, 2008 • Issue 08:09:01
No wiggle room with Red Flag Rule
The Nov. 1, 2008, deadline to comply with the FACTA (Fair and Accurate Credit Transactions Act of 2003) Identity Theft Red Flags Rule is looming. In light of that deadline, the Office of Thrift Supervision (OTS) unveiled new examination procedures Aug. 11, 2008, to determine deficiencies in financial organizations' ability to comply with FACTA's 37 red flags.
Additionally, OTS issued two prescriptive guidelines regarding address changes and discrepancies. Many financial institutions, therefore, are realizing they need to expedite implementation of the necessary policies and procedures.
Countdown for covered accounts
"The red flags apply to anyone that has a covered account," said Adam Elliott, President of ID Insight Inc. "This can be banks, issuers, insurance, retailers that offer credit or even 'bill me' pay options. In essence, anyone that grants credit. From a value chain perspective, this brings the processors into the fold."
Accounts covered under FACTA's Red Flag Rule, such as credit card accounts, utility or cell phone bills, and medical insurance accounts, are at possible risk of identity theft because they may contain Social Security numbers, driver's license numbers and other types of consumer data.
"When something like this [Red Flag Rule compliance] comes up, the first thing the credit granters do is reach out to their processors to see what solutions they have that can help, since the processor is usually the one facilitating their fraud and risk services," Elliott added.
Six degrees of examination
Red flags are relevant indicators of a possible risk of identity theft. Section 114 of FACTA specifically explains rules about how to develop and implement a written ID theft prevention program. Red flag guidelines include 15 assessments related to three principal elements of the rule - address discrepancies, card or check requests within 30 days following address changes, and ID theft and red flag conformity.
In addition to overseeing and enforcing the two prescriptive guidelines, OTS examiners will undertake six procedures to test compliance with the 37 red flag guidelines. These procedures include:
- Verifying that financial institutions periodically identify accounts maintained for personal, family and household purposes that permit multiple payments or transactions
- Conducting risk assessments of accounts that may be vulnerable to customer data theft
- Reviewing findings from other areas, including the Bank Secrecy Act, Consumer Identification Program and Customer Information Security Program, to assess any red flag compliance deficiencies
- Reviewing financial institutions' audit reports and annual reports to determine if management adequately addressed red flag deficiencies
- Verifying that financial institutions develop and implement a comprehensive program designed to detect, prevent and mitigate identity theft, then train the appropriate staff - either the chief security officer or legal compliance officer - to effectively implement and administer that program
- Determining whether financial institutions exercised effective oversight of service providers that perform activities related to customer accounts covered under FACTA
Deadline carved in stone
The OTS requires that boards of directors approve their financial institutions' FACTA compliance programs by Nov. 1. The OTS also mandates that financial institutions implement programs to identify, detect and respond to ID theft indicators.
Elliott said this means all system changes, policies, procedures and training programs must be in place by the Nov. 1, 2008, deadline.
"One thing that came out of this OTS thing that caught our ears is that financial organizations are not making this a high priority. They think they can have a tentative plan in place and are counting on some flexibility until they get their first audit in February 2009," Elliott said. "But based on the OTS exam procedures, they want everything in place by November first, period."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.