ID Theft Red Flags Rule Examination Procedures Unveiled

OTS is First Agency to Detail How Examiners Will Measure Compliance After Nov. 1
With fewer than three months to go before the ID Theft Red Flags Rule compliance deadline, banking regulatory agencies this week are starting to unveil their new examination procedures.

The Office of Thrift Supervision (OTS) is the first agency to announce its exam procedures, presenting them today (Aug. 11) in a 2 p.m. (eastern) webinar. These procedures include 15 separate examination steps related to three principal elements of the new rule:

Identity Theft/Red Flags;
Change of Address;
Address Discrepancies.

The exam procedures, which were hammered out and agreed upon by an interagency committee, are in the process of being approved by each of the banking regulatory bodies, and will be announced independently by each agency.

William Henley, Director, IT Risk Management at the OTS, says that the exam procedures show what institutions can expect post-Nov. 1 during an ID Theft Red Flag examination. The accompanying examination manual for examiners is being updated and "should be out shortly," Henley says.

Identity Theft/Red Flags Procedures
For many institutions, Henley says, compliance with the Identity Theft Red Flags guidance is not so much about developing and implementing new controls as about applying more consistency to existing controls and formalizing them into a written program.

He adds that OTS-regulated institutions that are already in compliance with Interagency Security Guidelines likely will meet Red Flags Compliance on November 1, 2008.

The first step in the examination procedure will be a scoping process that examiners will undertake. "During the scoping process, we'll ask where this is coming from, wherever they have it slotted, we'll examine it accordingly," Henley says. If the program sits under the institution's information security program, then either the Safety and Soundness examiner or IT examiners will perform the ID theft exam. Should the program be designed and integrated within the institution's compliance program, then compliance examiners will take on the task, he explains.

There are six Identity Theft/Red Flags procedures that examiners will undertake.

Covered Accounts -- Examiners will verify the financial institution periodically identifies covered accounts it offers or maintains. As part of this initial procedure in the examination, examiners will verify that the financial institution:

- included accounts for personal, family and household purposes that permit multiple payments or transactions;
- conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution's previous experiences with identity theft.

Other Regulations -- Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to assess whether there are deficiencies adversely affecting the financial institution's ability to comply with the Identity Theft Red Flags Rules (Red Flag Rules).
Management Oversight -- Examiners will review reports, such as audit reports and annual reports prepared by staff for the board of directors (or an appropriate committee thereof or a designated senior management employee) on compliance with the Red Flag Rules. Examiners will determine whether management adequately addressed any deficiencies.
Comprehensive Program -- Examiners will verify the financial institution has developed and implemented a comprehensive written Program that is designed to detect, prevent, and mitigate identity theft. The Program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities.
Trained Staff -- Examiners will verify that the financial institution trains appropriate staff to effectively implement and administer the Program. Specifically, Henley says one of the things OTS examiners will look for "is a coordinated effort between the different areas of the institution." The training should be provided across the entire enterprise and have clear support and direction from the board of directors. "The board doesn't have to develop the program, but needs to show their participation and support of it," Henley says.
Vendor Management -- Examiners will determine whether the financial institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts.

When these procedures are complete, examiners will form a conclusion about whether the financial institution has developed and implemented an effective, comprehensive written program designed to detect, prevent and mitigate identity theft.

Although the Identity Theft exam procedures will be performed by compliance examiners as well as by safety and soundness and IT examiners, two examination procedures will be handled only by compliance examiners: validity of change of address requests, and notice of address discrepancy.

Change of Address Procedures
The regulation also requires financial institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:

Notifies the cardholder of the request, or
Otherwise assesses the validity of the change of address.

The exam procedures include four steps to test Change of Address compliance:

Can the card issuer assess the validity of a change of address;
Do its policies and procedures prohibit issuance of a card until it verifies the change of address;
Are electronic notices sent for verification clear and conspicuous;
Perform sampling, if needed.

Address Discrepancy Procedures
The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The exam procedures include five steps to assess Address Discrepancy compliance:

Does the institution recognize the address discrepancy;
Does it confirm that it relates to the consumer;
Does it furnish the correct address for the consumer to the credit reporting agency;
Does it report during the appropriate reporting period;
Perform sampling, if needed.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.