ID Theft Red Flags Compliance: What the Examination Guidelines Tell us
OK, with less than two weeks to go, banking regulatory agencies are getting busy. Busier, I should say.
Last week saw both the OCC andFDIC release their approaches to the Identity Theft Red Flags Rule examination procedures.
No huge surprises here. These are high-level issues that agencies have spoken about for months, and we all got a sneak preview when the OTS produced a webinar detailing the guidelines in August.
What's interesting is when you review the somewhat understated aspects of the guidelines:
- Who's Your Examiner? - While the examination guidelines are common across all banking regulatory agencies, including the NCUA, the examination process differs agency to agency. In other words, if you're an OTS-regulated institution, then your Red Flags compliance will be examined by the Safety & Soundness, IT or Compliance examiners, depending on where in your institution the program falls - information security or compliance. If you're an FDIC-regulated institution, Safety & Soundness examiners will test red flags regulation programs, while Compliance examiners will test for change of address/address discrepancies.
- Where's Your Board? - We all knew board oversight would be a significant component of demonstrating compliance, and there it is, spelled out front and center under guidelines for measuring Red Flags Regulation compliance. "Examiners will review reports, such as audit reports and annual reports prepared by staff for the board of directors on compliance with the Red Flag Rules. These include reports that address: Effectiveness of the institution's ID Theft prevention program; significant ID Theft incidents and management's response; oversight of service providers that perform activities related to covered accounts; recommendations for material changes to the prevention program."
- Automated Solution/Response? - Slipped into the guideline about a Comprehensive Program is this one significant line: "Examiners also will determine whether the institution uses technology to detect red flags ..." In other words they want to know 1) Are you using an automated solution, and 2) What steps do you have in place to properly respond to when that solution raises a red flag? That's a big statement. Not only do you need to have a documented program, but you also have to prove it works.
There's plenty more to discuss re: ID Theft Red Flags Rule compliance, but I'd like to hear your thoughts now that you've had the chance to review the examination guidelines.
Are you ready for Nov. 1?