a regulator why certain red flags may not be applicable (i.e., don’t use credit reports, don’t issue cards, etc.);
■ Contemplate any other red flags and incorporate them into the risk assessment;
■ Ensure the effectiveness and documentation of controls, which should be evident through data analysis, reporting, testing, and validation; and
■ Initiate control enhancement efforts as needed (gap remediation).
Maintain a Written Identity Theft Prevention Program
Unless you belong to a brand new bank, you should be able to leverage an existing program and control environment as something to build on. This program should be re-evaluated annually (or more often as necessary), updated based on the risk assessment described above, and include some key components to meet the various provisions of the rule, including:
■ Detection of red flags at all points of vulnerability, including processes to detect red flags at account origination and for existing accounts (ongoing).
■ Responses to red flags in order to prevent and mitigate the occurrence of identity theft. These efforts should be driven by a goal of minimizing consumer impact, as well as the risk exposure to your institution. For consumers who become victims, provide tools and assistance to help restore their identity, accounts, and creditworthiness. Appropriate responses to red flags include:
• Monitoring an impacted account;
• Contacting the customer;
• Changing passwords or other access controls;
• Changing account numbers;
• Declining an application;
• Closing an account;
• Not collecting on or selling a debt;
• Notifying law enforcement; and
• Determining that no response is warranted under particular circumstances.
■ Prevent identity theft and losses by maintaining strong authentication and Know Your Customer (KYC) controls, educating customers and staff, and staying on top of fraud trends with an adaptable and learning program.
■ Service Provider Oversight is a significant requirement for the program. It involves identifying each service provider that handles relevant processing of covered accounts and ensuring appropriate oversight. For this, consider vendors that manage customer interactions and points of vulnerability, vendors that provide red flag detection services, and affiliates that act in a service provider capacity. Also consider business partners, brokers, and dealers where there is a hand-off of the customer application or relationship. The guidelines indicate that an example of compliance with this provision would be to update contracts to ensure that each service provider maintains its own ITPP and/or participates in your bank’s program. Either way, use the risk assessment to ensure that each service provider’s program is aligned with the internal program. Also, develop reporting from each relevant service provider to support the ongoing risk assessment and board reporting. When challenged by an auditor or examiner, the program owner should be able to readily describe red flag expectations for any given service provider and provide evidence of any monitoring or testing controls.
■ Board of Directors Involvement is required and indicates the priority that regulators have placed on combating identity theft and the level of accountability that is expected. Very few regulations are board-reportable, and this regulation should be near the very top of your compliance priorities. That said, an appropriate committee of the board or a designated senior manager is permissible for ownership of the program, which shows some flexibility. The board must personally approve the initial program, but the designated committee or senior manager is appropriate for ongoing oversight. The board or designee is responsible for ensuring an independent review of the program, though the compliance or audit department can be called upon to handle this function. Also, the board (or designee) must receive, review, and approve annual reporting which covers:
• Compliance with the Red Flags Rule;
• Effectiveness of the program;
• Service provider arrangements;
• Management response to significant incidents; and
• Recommendations for updating the program.
■ Program Development should include effective training for relevant employees (not just another CBT), but minimally ensure that all employees have top-of-mind knowledge of the program’s existence. A CBT may be appropriate for enterprise-level awareness, but something more rigorous is needed for customer-facing staff and fraud operations. Comprehensive reporting should support the annual risk assessments and board reporting, and drive updates to the program. When the risk assessment is conducted, consider new business units, portfolios, joint ventures, service providers, origination channels, access points, and types of accounts. Reassess red flag relevancy, considering new fraud experiences, trends, and techniques. Continue to adapt, identify, and incorporate new red flags. The program must be scaled in proportion to the size and complexity of the financial institution.
So, if your program has been gathering dust, it’s time to make it a priority. The requirements clearly outline an expectation for an annual review, and the board oversight requirements emphasize the high-profile nature of this regulation. Data breaches, suspicious activity reports (SARs), and complaint activity may steer regulatory attention towards your bank. Be ready with a bullet-proof program. Besides, having a strong and adaptive program is the right thing to do for your customers and to protect your institution.
ABOUT THE AUTHOR:
MATT STORER is a privacy compliance manager for Capital One. He has more than 18 years of industry experience, mostly in the area of general compliance and the privacy discipline. Storer holds a United States’ Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals, a bachelor’s degree in business from Eastern Oregon University, and a master’s degree in management and organizational leadership from Warner Pacific College. Storer is based in the Portland, Ore. area. Reach him at matthew.storer@capitalone.com.