Reduce ID theft and meet new regulatory requirements
The Identity Theft Red Flags Regulations are part of the Fair and Accurate Credit Transactions Act (FACTA), an amendment to the Fair Credit Reporting Act. These rules are jointly issued by the Federal Trade Commission and other regulatory agencies, and became active in 2008.
Red Flags rules require creditors to take action to prevent identity theft. The rules are clearly applicable to all financial institutions and require you to do the following:
- Conduct a risk assessment to identify covered accounts.
- Identify issues that indicate a possible identity theft (the rules provide 26 red flags as a starting point).
- Develop a detection and response procedure for each.
- Create a written program that’s been approved by the board of directors.
- Train employees in implementation.
- Update the program as necessary.
- Review effectiveness at least once annually.
Take Red Flags seriously and develop a comprehensive approach
One important area in which some institutions are falling short is identifying and tracking identity theft instances experienced by their customers, regardless of whether the institution was directly involved. If any identity theft instance is reported to your institution, you are required to track and analyze it. Many institutions are familiar with these requirements but have yet to develop processes for tracking this information. One reason is that FACTA is a complex piece of legislation and this important requirement sometimes gets overlooked.
Report in the right ways
FACTA requires you to report annually to your board on your identity theft tracking and mitigation activities. As with other types of risk management activities, little guidance is available to compliance officers when it comes to the right way to do this. But a basic rule of thumb applies: Shorter is better. Don’t burden boards with eye-glazing spreadsheets and page after page of lists. Instead, provide them with a short summary of how you’ve been maintaining your identity theft program. Show them:
- You have a process in place.
- How you tracked accounts.
- A summary of your analysis of all ID theft events reported by customers.
- How you plan to reduce these events.