Trick or Treat? Identity Theft Red Flags Examination Procedures

October 2008

Trick or Treat? There are no more tricks in the regulatory bag when it comes to your Identity Theft Prevention Program. The examination procedures have finally been issued. Most institutions, however, will be hard-pressed to view these procedures, or the preparation of an identity theft prevention program, as a treat.

Let's be clear - there are only a few good and helpful pieces of information in the nine pages of examination procedures. It's technically ten pages but we only have four lines on page ten. So you can guess how much more clarity and guidance was provided for purposes of knowing what to put in your programs. So what do we know now that we didn't know then?

For starters, we now know when regulated financial institutions can expect to get run through the wringer. The bulk of your identity theft prevention program will be examined as part of your safety and soundness exam. Your address discrepancy procedures as well as your change of address procedures will be examined separately in your compliance exam. While they seem to go hand in hand, you ultimately have three different exam procedures with two different exam periods. But don't rush right out and separate them from each other if you have them combined into one. Just know where your procedures are for each area within your overall program.

The first few pages are a regurgitation of the regulation, but there are a few helpful hints. The regulation requires the implementation of an identity theft prevention program. Check. Consideration of the guidance found in Appendix J to the regulation is also mandatory. Check. Then it states that the red flag examples located in Supplement A to Appendix J (that's at the end of the guidelines found in Appendix J) are not mandatory. Check. According to the procedures, a financial institution is not required to use the examples listed and doesn't have to justify any "failure to include" any of the specific red flags. Huh? But an institution must be able to account for the overall effectiveness of its program, appropriate to the size and complexity of its activities. While these examples are not required to be incorporated within an institution's program, what would an institution use instead, especially one that has never had identity theft? Create your own? While that may be feasible in some institutions, unless you have a magic formula, consider evaluating all of the red flag examples to create your program, and then determine whether you have the means to detect them. Your examiners will not be pleased with do-it-yourself efforts that fall short of the mark. It sure sounds like the agencies are talking from both sides of their mouths - you don't have to use our examples, and it's OK for the examiner to fish around to determine whether your red flags are adequate! That's a scary thought! They've already vetted the sample red flags. Use them.

They've also defined "periodically" for us, sort of. The regulation says that an institution should conduct its risk assessment and identification of covered accounts periodically. But periodically, according to the procedures, does not mean annually. It means "as needed." If you are an institution that keeps the same types of accounts year after year, and your marketing department isn't developing new products, then based on what the exam procedures say, theoretically, you may never have to identify your covered accounts again or conduct a risk assessment, since it is on an as-needed basis. (If you are that type of institution, fire your marketing department. For the rest of you, chances are that you will do this annually, considering that it is a part of your overall program, which must be updated annually!) Keep in mind you are required to update your program annually for new threats and any advances in identity theft methods. So it's fair to say that this footnote in the procedures doesn't make much sense.

The rest of the procedures evaluate whether an institution has followed the regulation word for word. Procedure number four requires an evaluation of whether the institution has developed a comprehensive written program designed to detect, prevent and mitigate identity theft. This is likely where most institutions will fail. Some institutions decided early on that they were going to acquire some software and that would be how they handled identity theft. Software is all well and good but it isn't a written program that includes a risk assessment, policy and procedures appropriate to the size and complexity of the institution. Those institutions will miss the mark by not having a written program.

Some institutions acquired a one-size-fits-all program where, after you enter information about your products, it would produce something that was called a risk assessment and procedure but which was nothing more than a restatement of your obligations under the regulation. That's where comprehensive comes in. You must have procedures appropriate to the size and complexity of your institution. The regulators encouraged institutions to pull from already existing programs within each institution - your Bank Secrecy Act and information security programs to name two. But that doesn't mean you can leave your identity theft prevention programs there. You must have something separate and apart from all of your other programs and procedures. Just like those programs which weren't created by a computer, your identity theft prevention program shouldn't be either - it must be a comprehensive program appropriate to the size and complexity of the institution. Will yours be?

For the compliance portion of your exam, with regard to the address discrepancy and address change examination procedures, there is nothing new to digest other than that you have to have these procedures in your programs. The rest of the procedures seem to take a wait-and-see approach. The procedures do not tie examiners down to any specific rules. Examiners, however, will be forced to reckon with everything from institutions that haven't completed their programs at all, to institutions where programs aren't written, to institutions that have a program in writing but that doesn't meet the comprehensiveness requirement for the size and complexity of the institution. Hopefully, your neighbor isn't one of those institutions with the most outstanding program the examiner has ever seen, because it is likely that it is the standard by which you will be judged. History has shown us that the first time out of the box you may get lucky. Maybe you are the first institution the examiner sees and there is no other standard. Maybe your exam will fall on the heels of mediocrity and your program is an improvement over the one the examiner just saw. One thing is for certain - your examiner is required to conclude whether your financial institution has developed and implemented an effective, comprehensive written program designed to detect, prevent and mitigate identity theft. Do you want to hinge your safety and soundness rating on it?

There will be some relief for other financial institutions and creditors that are regulated by the Federal Trade Commission. Those entities include, but are not limited to, finance companies, automobile dealers, mortgage brokers, utility companies, telecommunications companies, and non-profit and government entities that defer payment for goods or services. The FTC announced an enforcement delay until May 1, 2009 for those institutions that fall under its jurisdiction for the implementation of an identity theft prevention program. However, all regulated financial institutions (those regulated by the Federal Reserve, the FDIC, the OTS, and the OCC, and those credit unions regulated by the NCUA) have no such luck. Your mandatory implementation date is still November 1, 2008. We will keep you posted should that change. In the meantime, you can find the exam procedures at: www.fdic.gov.

Many institutions will fall into the wrong category. Remember that Metavante is here to help put your identity theft prevention program together, even if it is after the November 1, 2008 deadline. We can also review your existing program to make recommendations for improvement or conduct the independent annual review. Metavante also offers a menu of training resources for your staff and management on this topic. Contact us today at (800) 547-2462 x3638 for information on how we can help.
