The Field Report with Tom Field

ID Theft Red Flags Compliance: What the Examination Guidelines Tell us

Last week saw both the OCC and FDIC release their approaches to the Identity Theft Red Flags Rule examination procedures.

No huge surprises here. These are high-level issues that agencies have spoken about for months, and we all got a sneak preview when the OTS produced a webinar detailing the guidelines in August.

What's interesting is when you review the somewhat understated aspects of the guidelines:

  • Who's Your Examiner? - While the examination guidelines are common across all banking regulatory agencies, including the NCUA, the examination process differs from agency to agency. In other words, if you're an OTS-regulated institution, then your Red Flags compliance will be examined by the Safety & Soundness, IT or Compliance examiners, depending on where in your institution the program falls - information security or compliance. If you're an FDIC-regulated institution, Safety & Soundness examiners will test Red Flags regulation programs, while Compliance examiners will test for change of address/address discrepancies.
  • Where's Your Board? - We all knew board oversight would be a significant component of demonstrating compliance, and there it is, spelled out front and center under the guidelines for measuring Red Flags Regulation compliance. "Examiners will review reports, such as audit reports and annual reports prepared by staff for the board of directors on compliance with the Red Flag Rules. These include reports that address: Effectiveness of the institution's ID Theft prevention program; significant ID Theft incidents and management's response; oversight of service providers that perform activities related to covered accounts; recommendations for material changes to the prevention program."
  • Automated Solution/Response? - Slipped into the guideline about a Comprehensive Program is this one significant line: "Examiners also will determine whether the institution uses technology to detect red flags ..." In other words, they want to know 1) Are you using an automated solution? and 2) What steps do you have in place to respond properly when that solution raises a red flag? That's a big statement. Not only do you need to have a documented program, but you also have to prove it works.

There's plenty more to discuss re: ID Theft Red Flags Rule compliance, but I'd like to hear your thoughts now that you've had the chance to review the examination guidelines.

Are you ready for Nov. 1?



About the Author

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.
