Banks: Are You in Compliance With ID Theft Red Flags Rule?
Read
As regulatory scrutiny on financial institutions continues to expand, compliance with respect to identity theft red flags is on the minds of many regulators.
Identity theft has become the fastest-growing crime in the United States, and the cost for consumers is rising. There were more than 15.4 million victims with approximately $15.3 billion in losses in 2016, according to the 2017 Identity Fraud Study by Javelin Strategy & Research.
To address this issue, several federal regulatory agencies, including the FTC, SEC, FDIC and OCC created the Red Flags Rule.
Red Flags Rule and Identity Theft Prevention Program
The Red Flags Rule requires financial institutions (and some other organizations) to establish and implement a written Identity Theft Prevention Program (ITPP) designed to detect, prevent and mitigate identity theft in connection with their covered accounts. A covered account, in general, is used for personal, family, or household purposes or any other activity that poses a reasonable risk to a customer’s identity.
The ITTP is intended to be self-prescribed and flexible in nature so that each financial institution can meet the requirements based on its size, complexity and risk.
Each bank’s program is required to include four elements that deal with identity theft:
- Identifying relevant red flags for covered accounts and incorporating those red flags into the program
- Detecting red flags identified by the organization
- Responding appropriately to any red flags that are detected
- Updating the program periodically
Program implementation guidelines for financial institutions
In developing and implementing an effective Identity Theft Prevention Program, below are the 10 key things you should consider.
- Have the board of directors or a committee of the board designate a member of senior management to oversee the ITPP.
- Determine which accounts are deemed “covered accounts” as per the rule. Conduct a risk assessment to identify accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution’s previous experiences with identity theft.
- Determine how the ITPP relates to your institution’s other programs (e.g., Customer Identification Program and red flags detection under your AML/BSA compliance program).
- Identify relevant red flags for covered accounts.
- Develop procedures for detecting those red flags.
- Develop procedures for responding to relevant red flags detected.
- Confirm that service providers are complying with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
- Provide training to all employees on an annual basis.
- Update the ITPP whenever material changes occur.
- Have the board of directors or a committee of the board approve the ITPP on an annual basis.
Although noncompliance with the Red Flags Rule will not directly result in criminal penalties, it could lead to significant civil monetary fines as well as costly legal action. The maximum fines that may be assessed are dependent on the severity of the actionable conduct.
To learn more about how your bank can stay in compliance with this rule, contact me or another member of Kaufman Rossin’s risk advisory services team.
Alexander Smith, CRCM, CFE, is a Risk Advisory Services Senior Manager at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.