ID Theft

Agencies Issue Final Rules on ID Theft Red Flags

Banking Institutions Have One Year to Comply
Agencies Issue Final Rules on ID Theft Red Flags
More ID Theft Red Flags Survey Resources By this time next year, all U.S. financial institutions will be required to have implemented an Identity Theft Prevention Program.

This is the mandate from Washington, D.C., where six federal agencies this week issued the Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy. These final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.

Under these new rules, which take effect Jan. 1, 2008, each financial institution's Identity Theft Prevention Program must include: reasonable policies and procedures for detecting, preventing and mitigating identity theft and enable the financial institution to identify relevant patterns, practices, and specific forms of activity that are 'red flags' signaling possible identity theft and incorporate those red flags into the institution's program.

Deadline for compliance is Nov. 1, 2008.

The final document is 256 pages. (Identity Theft Red Flags and Address Discrepancies). The agencies responsible for the issuance include the Federal Reserve Board, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency and the Office of Thrift Supervision.

What it All Means - And to Whom

Banks and credit unions aren't the only businesses impacted by these new rules.

"This regulation and guidelines really apply quite broadly," says Amy Friend, assistant chief counsel at the OCC. "Not only does it apply to banks and credit unions, but basically to any entity extending credit, from finance companies down to the local hardware store that offers its customers credit by signing their 'good name' onto a ledger book and paying over time."

Not every company will have to have an identity theft prevention program. "To determine if your institution will be one of those companies you'll have to assess if you have ongoing consumer accounts, such as mortgages, car loans, credit card accounts, or repeat transactions," Friend says. If so, "you will fall into the category of an entity that needs to have an identity theft prevention program."

The agencies also issued guidelines to assist financial institutions and creditors in developing and implementing a program, including a supplement that provides examples of red flags.

"We know that institutions are already doing many of the things required by the regulation and guidelines to fight identity theft," says Jeff Kopchik, Senior Policy Analyst at the FDIC. But Kopchik explains that from the FACT act, "there were a lot of provisions that were enacted into law to prevent and combat identity theft. We as bank regulators were obligated to promulgate regulations and guidelines to implement the sections of the statute."

The final rules also require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency.

"The change of address provision was something that Congress specifically included in FACTA," Kopchik says. The reason: It is a well-known fact that fraudsters try to commit identity theft with credit cards, and by changing the address the credit card bill is mailed to, and then asking for a new card to be sent to the new address, the fraudster then goes out and maxes out the credit limit.

"Congress wanted to say to credit card and debit card issuers (including banks and credit unions) -- when you get this change of address request, and then you get a request for another card, you may not issue that other card until you go back and verify that the change of address was legitimate and was put in by the real card holder," Kopchik says.

The message from regulators to financial institutions: Get started.

"Don't wait until the last minute to begin building your program," Kopchik says. "This is one of the reasons for the delayed effective date, to give institutions a chance to go and review what they're doing, and figure out what they need to do to bring themselves into compliance."

Question: How prepared is your institution to comply with these new rules? Share your thoughts with Editor Tom Field.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network