FDIC Announces ID Theft Red Flags Examination Procedures

Agency Offers New Details on How Examiners Will Test Red Flags Compliance Starting Nov. 1
FDIC Announces ID Theft Red Flags Examination Procedures
With barely two weeks to go before the Identity Theft Red Flags Rule compliance deadline of Nov. 1, the Federal Deposit Insurance Corporation (FDIC) on Thursday released its examination procedures for the new regulation.

The procedures, which were hammered out and agreed upon by an interagency committee, cover all three aspects of the new rule:

Identity theft red flags;
Address discrepancies;
Changes of address.

In all, there are 15 examination procedures tied to these three elements.

The FDIC, the nation's largest bank regulator, is the second agency to announce the Identity Theft Red Flags Examination Procedures. The Office of Thrift Supervision (OTS) alerted its institutions in an Aug. 11 webinar. These procedures are in the process of being approved by each of the banking regulatory bodies, and will be announced independently by each agency. The FDIC's procedures - particularly as they relate to address discrepancies and changes of address - go into greater detail than the guidelines previously reported.

Quick Overview
These exam procedures are aimed at helping banking institutions to comply with the Identity Theft Red Flags Rule, which was adopted last fall and took effect on Jan. 1. The guidelines require:

Financial institutions and creditors to implement a written identity theft prevention program;
Card issuers to assess the validity of change of address requests;
Users of consumer reports to verify the identity of the subject of a consumer report in the event of a notice of address discrepancy.

In a press release issued on Thursday, the FDIC set these examination expectations for institutions:

Red Flags Compliance - Risk management examiners will test institutions for red flags regulation compliance during risk management exams.
Address Discrepancies/Change of Address -Compliance examiners will test institutions for compliance with these aspects during compliance examinations.

Red Flags Examination Procedures

There are six red flags procedures that examiners will undertake.

1. Covered Accounts -- Examiners will verify the financial institution periodically identifies covered accounts it offers or maintains. As part of this initial procedure in the examination, examiners will verify that the financial institution:

- included accounts for personal, family and household purposes, that permit multiple payments or transactions;

- conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution's previous experiences with identity theft.

2. Other Regulations -- Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies adversely affecting the financial institution's ability to comply with the Identity Theft Red Flags Rules (Red Flag Rules).

3. Management Oversight -- Examiners will review reports, such as audit reports and annual reports prepared by staff for the board of directors (or an appropriate committee thereof or a designated senior management employee) on compliance with the Red Flag Rules. These include reports that address:

Effectiveness of the institution's ID Theft prevention program;
Significant ID Theft incidents and management's response;
Oversight of service providers that perform activities related to covered accounts;
Recommendations for material changes to the prevention program.

4. Comprehensive Program -- Examiners will verify the financial institution has developed and implemented a comprehensive written Program that is designed to detect, prevent, and mitigate identity theft. The Program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities. Examiners also will determine whether the institution uses technology to detect red flags; whether the program is updated periodically; and that the board approved and oversees the program.

5. Trained Staff -- Examiners will verify that the financial institution trains appropriate staff to effectively implement and administer the program.

6. Vendor Management -- Examiners will determine whether the financial institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts.

When these procedures are complete, examiners will form a conclusion about whether the financial institution has developed and implemented an effective, comprehensive written program designed to detect, prevent and mitigate identity theft.

Address Discrepancy Procedures
The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The exam procedures include five steps to assess address discrepancy compliance:

1. Recognition - Examiners will determine whether the user of consumer reports has policies and procedures to recognize notices of address discrepancies.

2. Reasonable Belief -
Examiners will determine whether users have policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested.

3. Accurate Address -
Examiners will determine whether users have policies and procedures to furnish to the nationwide consumer reporting agency (NCRA) a consumer address that the users have reasonably determined is accurate.

4. Timing -
Examiners will determine whether the users' policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to the NCRA during the reporting period when it establishes a relationship with the consumer.

5. Sampling -
If procedural weakness or risks are determined, examiners will obtain a sample of consumer reports requested by the user from an NCRA re: notices of address discrepancies to determine:

how the user established reasonable belief that the reports related to the consumer in question;
if the consumer relationship was established, then whether the institution furnished a consumer address that was reasonable confirmed, and whether the user furnished the address in the appropriate reporting period.

Change of Address Procedures
The regulation also requires financial institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:

Notifies the cardholder of the request;
Provides the cardholder a reasonable means of promptly reporting incorrect address changes;
Otherwise assesses the validity of the change of address according to procedures established as part of the ID Theft prevention program.

The exam procedures include four steps to test change of address compliance:

1. Verification - Examiners will determine whether the card issuer has policies and procedures to assess the validity of a change of address.

2. Prevention - Examiners will determine whether policies and procedures prevent card issuers from issuing additional or replacement cards until they notify the cardholder or use other reasonable means to evaluate the validity of the address change.

3. Special Notice - Examiners will determine whether written or electronic notice is sent to cardholders to validate a change of address. This notice must be exclusive from any regular correspondence.

4. Sampling - If procedural weaknesses or risks are noted, examiners will obtain a sample of notifications from cardholders to ensure that card issuers complied with regulatory requirements to evaluate the validity of address changes before issuing cards.


About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.