FDIC Announces ID Theft Red Flags Examination Procedures
Agency Offers New Details on How Examiners Will Test Red Flags Compliance Starting Nov. 1
The procedures, which were hammered out and agreed upon by an interagency committee, cover all three aspects of the new rule: the identity theft red flags program itself, notices of address discrepancy, and changes of address. In all, there are 15 examination procedures tied to these three elements.
The FDIC, the nation's largest bank regulator, is the second agency to announce the Identity Theft Red Flags Examination Procedures. The Office of Thrift Supervision (OTS) alerted its institutions in an Aug. 11 webinar. These procedures are in the process of being approved by each of the banking regulatory bodies, and will be announced independently by each agency. The FDIC's procedures - particularly as they relate to address discrepancies and changes of address - go into greater detail than the guidelines previously reported.
Quick Overview
These exam procedures are aimed at helping banking institutions to comply with the Identity Theft Red Flags Rule, which was adopted last fall and took effect on Jan. 1. The guidelines require institutions to have a written program in place to detect, prevent and mitigate identity theft; the procedures below describe how examiners will test that program and the related address discrepancy and change of address requirements.
In a press release issued on Thursday, the FDIC set these examination expectations for institutions:
Red Flags Examination Procedures
There are six red flags procedures that examiners will undertake.
1. Covered Accounts -- Examiners will verify the financial institution periodically identifies covered accounts it offers or maintains. As part of this initial procedure in the examination, examiners will verify that the financial institution:
- included accounts for personal, family and household purposes, that permit multiple payments or transactions;
- conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution's previous experiences with identity theft.
2. Other Regulations -- Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies adversely affecting the financial institution's ability to comply with the Identity Theft Red Flags Rules (Red Flag Rules).
3. Management Oversight -- Examiners will review reports on compliance with the Red Flag Rules, such as audit reports and the annual reports prepared by staff for the board of directors (or an appropriate committee thereof, or a designated senior management employee).
4. Comprehensive Program -- Examiners will verify that the financial institution has developed and implemented a comprehensive written Program that is designed to detect, prevent, and mitigate identity theft. The Program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities. Examiners also will determine whether the institution uses technology to detect red flags, whether the Program is updated periodically, and whether the board approved and oversees the Program.
5. Trained Staff -- Examiners will verify that the financial institution trains appropriate staff to effectively implement and administer the program.
6. Vendor Management -- Examiners will determine whether the financial institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts.
When these procedures are complete, examiners will form a conclusion about whether the financial institution has developed and implemented an effective, comprehensive written program designed to detect, prevent and mitigate identity theft.
Address Discrepancy Procedures
The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The exam procedures include five steps to assess address discrepancy compliance:
1. Recognition - Examiners will determine whether the user of consumer reports has policies and procedures to recognize notices of address discrepancies.
2. Reasonable Belief - Examiners will determine whether users have policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested.
3. Accurate Address - Examiners will determine whether users have policies and procedures to furnish to the nationwide consumer reporting agency (NCRA) a consumer address that the user has reasonably determined is accurate.
4. Timing - Examiners will determine whether the user's policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to the NCRA during the reporting period in which it establishes a relationship with the consumer.
5. Sampling - If procedural weaknesses or risks are identified, examiners will obtain a sample of consumer reports that the user requested from an NCRA and that carried notices of address discrepancy, and will test whether those notices were handled in accordance with the user's policies and procedures.
Change of Address Procedures
The regulation also requires financial institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution notifies the cardholder of the address change or uses other reasonable means to evaluate its validity.
The exam procedures include four steps to test change of address compliance:
1. Verification - Examiners will determine whether the card issuer has policies and procedures to assess the validity of a change of address.
2. Prevention - Examiners will determine whether policies and procedures prevent card issuers from issuing additional or replacement cards until they notify the cardholder or use other reasonable means to evaluate the validity of the address change.
3. Special Notice - Examiners will determine whether written or electronic notice is sent to cardholders to validate a change of address. This notice must be sent separately from any regular correspondence.
4. Sampling - If procedural weaknesses or risks are noted, examiners will obtain a sample of notifications from cardholders to ensure that card issuers complied with regulatory requirements to evaluate the validity of address changes before issuing cards.
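The change of address control and the examiner's sampling test above can both be expressed as logic over an account event log. The following is an added illustration, not code from the FDIC, the interagency procedures, or any issuer's system: `evaluate_card_requests` holds a card request that closely follows an unvalidated address change and records the prior address so a separate notice can be sent to it, and `audit_issuance_log` replays an issuance log the way an examiner sampling it would, flagging cards issued inside the window without a recorded validation. The 30-day window, the event names and the sample accounts are assumptions chosen for the example; the page only says "followed closely".

```python
"""Change-of-address control for card issuers (constructed example).

Holds a replacement/additional card request that closely follows an address
change until the change is validated, and audits an issuance log for cards
issued inside the window without a recorded validation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumption: the rule text on this page only says "followed closely";
# 30 days is an illustrative window, not a figure taken from the procedures.
VALIDITY_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str                 # address_change | card_request | validation_ok | card_issued
    old_address: str = ""     # populated for address_change only
    new_address: str = ""


@dataclass(frozen=True)
class Decision:
    ts: datetime
    account: str
    action: str               # issue | hold
    reason: str
    notice_to: Optional[str] = None   # prior address that receives the separate validation notice


def evaluate_card_requests(events: List[Event], window: timedelta = VALIDITY_WINDOW) -> List[Decision]:
    """Replay events in time order and decide each card request.

    A request is held when the account had an address change within `window`
    that has not since been validated. The hold carries the prior address, so
    the notice can go to the old address, separately from regular statements.
    """
    last_change = {}      # account -> (change timestamp, prior address)
    validated = set()     # accounts whose latest change has been validated
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):   # stable sort keeps same-day order
        if ev.kind == "address_change":
            last_change[ev.account] = (ev.ts, ev.old_address)
            validated.discard(ev.account)            # a new change needs a fresh validation
        elif ev.kind == "validation_ok":
            validated.add(ev.account)
        elif ev.kind == "card_request":
            change = last_change.get(ev.account)
            if change and ev.ts - change[0] <= window and ev.account not in validated:
                changed_on = change[0].strftime("%Y-%m-%d")
                decisions.append(Decision(ev.ts, ev.account, "hold",
                                          f"address changed {changed_on}, not yet validated",
                                          notice_to=change[1]))
            else:
                decisions.append(Decision(ev.ts, ev.account, "issue",
                                          "no unvalidated address change inside window"))
    return decisions


def audit_issuance_log(events: List[Event], window: timedelta = VALIDITY_WINDOW) -> List[Tuple[str, datetime]]:
    """Examiner-style sample test over an issuance log.

    Every card_issued event that falls within `window` of an address change
    must be preceded by a validation_ok recorded after that change. Returns
    (account, issued timestamp) for each violation.
    """
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)
    violations = []
    for account, evs in by_account.items():
        change_ts, validated_since_change = None, False
        for ev in evs:
            if ev.kind == "address_change":
                change_ts, validated_since_change = ev.ts, False
            elif ev.kind == "validation_ok":
                validated_since_change = True
            elif ev.kind == "card_issued":
                if change_ts and ev.ts - change_ts <= window and not validated_since_change:
                    violations.append((account, ev.ts))
    return violations


# Constructed sample log; account numbers and addresses are invented.
D = datetime
SAMPLE_EVENTS = [
    Event(D(2008, 11, 3), "A-1001", "address_change", "12 Elm St", "99 Oak Ave"),
    Event(D(2008, 11, 6), "A-1001", "card_request"),            # 3 days after change -> hold
    Event(D(2008, 11, 3), "B-2002", "address_change", "5 Pine Rd", "7 Birch Ln"),
    Event(D(2008, 11, 5), "B-2002", "validation_ok"),           # cardholder confirmed the change
    Event(D(2008, 11, 6), "B-2002", "card_request"),            # validated -> issue
    Event(D(2008, 8, 1), "C-3003", "address_change", "1 Main St", "2 Main St"),
    Event(D(2008, 11, 6), "C-3003", "card_request"),            # change is outside window -> issue
    Event(D(2008, 11, 3), "D-4004", "address_change", "8 Lake Dr", "9 Hill Ct"),
    Event(D(2008, 11, 4), "D-4004", "card_issued"),             # issued with no validation -> audit finding
]

if __name__ == "__main__":
    for d in evaluate_card_requests(SAMPLE_EVENTS):
        print(d.account, d.action, d.reason, "notice to:", d.notice_to)
    print("audit violations:", audit_issuance_log(SAMPLE_EVENTS))
```

Running the block holds A-1001 (the notice goes to 12 Elm St, the address on file before the change), issues for B-2002 and C-3003, and the audit reports D-4004 as the one card issued inside the window without a validation on record. Sending the notice to the prior address rather than the new one is the point of the control: an attacker who changed the address would otherwise receive the validation request.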