
August 25, 2008

IDENTITY THEFT

Develop and Implement an Identity Theft Prevention Program

Excerpted from an article by
Lyn Farrell, Manager of Risk Management Services
Sheshunoff Consulting + Technology
Austin, Texas

These excerpts expand on the overview provided by Bryan Ansley, CEO of Secure Identity Systems, in the August 11, 2008, issue of Bankers Digest.

[After assessing the bank’s level of risk...] The second step in complying with the new regulation is to design and put into practice an Identity Theft Prevention Program. This program should be the framework by which the bank can effectively detect, prevent, and mitigate identity theft. This step comprises the bulk of the work involved in fulfilling the bank’s regulatory duties for identity theft prevention.

The program must be commensurate with the size and complexity of the organization, and it should be risk-based. Thus, having a complete risk assessment is a prerequisite to completing the program development.

Some of the necessary steps to develop an effective program are:

1. Identify the players within the bank

Identify representatives from the bank’s lines of business and operational areas who will be responsible for identity theft prevention in their part of the bank. These people should form a task force responsible for developing and beginning implementation of the entire program.

2. Identify a program administrator

Someone in the bank should have overall responsibility for the program as a whole. This job involves coordinating the program’s oversight, updating, and reporting.

3. Involve the board and/or senior management

This is a regulatory requirement. The board or a member of senior management must be involved in the program development. If a senior manager is chosen, there should be documentation in the board minutes of this delegation. The board should stay involved in the process to the extent that it approves the program once it’s complete.

4. Identify the required “Covered Accounts”

Although you will already have determined what the bank’s Covered Accounts are during the risk assessment process, they should be documented in the program.

5. Document the process for the program development and operations

This is important for the bank’s auditors, regulatory examiners, and board of directors.

6. Determine the specific responsibilities for each part of the program implementation, updating, maintenance, and reporting

While the program administrator will coordinate these functions, it will usually fall to various departments and lines of business managers to implement, maintain, and update their parts of the program. In any event, every part of the program should be assigned to responsible managers or employees. None should be unassigned or left to “all employees”.

7. Identify the relevant red flags

There are several potential sources of red flags that the bank should consider. Supplement A to Appendix J of the regulatory guidelines lists 26 examples of red flags in five different categories. In addition, the bank should consider both its own identity theft experience and other known methods of identity theft. The bank should consider each red flag and decide whether it is relevant to any type of Covered Account within the institution.

8. Determine how to detect and mitigate red flags across each line of business

If a red flag is relevant to the bank, the method of detection and mitigation should also be identified and described in the program documentation. This process will involve an evaluation of the current fraud detection and prevention systems at work in the bank, including both manual and electronic systems. A gap analysis should be completed for all relevant red flags to determine whether additional procedures are necessary to make the bank compliant.

9. Determine how the bank will respond to evidence of identity theft

Responses should be categorized by type of identity theft, by type of account, or by type of product. Aggravating factors such as data breaches should be considered and discussed where appropriate. The bank should devise a system to document the responses.

10. Identify all other bank policies that relate to this process

There will likely be existing bank policies, such as Information Security, Customer Identification Policy, and EFT error resolution policies that will need to mesh with the Identity Theft Prevention program. It’s a good idea to incorporate such policies by reference into this program.

11. Incorporate policies for address changes for debit/credit cards and for receiving address discrepancy warnings from consumer reporting agencies

The best practice is to include these policies in the Identity Theft Prevention Program. If no other bank policy addresses it, include the updating and correction of consumer reports in this program as well.

12. Determine the mechanism for program reviews and updates

The program should specify who is responsible for its review and periodic updating. This section should prescribe how frequently the program is updated and the triggering factors for updates.

13. Service provider oversight

The regulation requires the bank to exercise oversight of any service providers. This is especially important for those who have access to customer information. The program should address the methods the bank will use to oversee these vendors for identity theft prevention purposes. This oversight function can be added to an existing bank policy and incorporated by reference into the Identity Theft Prevention Program.

14. Develop management reports

A key factor in making the Identity Theft Prevention Program effective will be the quality and timeliness of its management reports. Reporting to the board of directors and senior management is a necessity.

15. Develop a staff training plan

Staff training is required by the regulation and should include all applicable bank staff. Since identity theft could involve every line of business and back office operations, most bank personnel will need to receive some form of training. The training described in the program should include both the training involved in the initial program implementation as well as the ongoing training, such as for new employees. The program should specify who receives training, the depth of the training to be received, and its frequency.

16. Obtain board of director approval

Once the program is complete, the bank must obtain the approval of the board. Such approval should be documented in the board minutes.

Make Changes to Existing Policies and Procedures

Once the program development phase is complete, the bank should make sure that its Identity Theft Prevention Program integrates well with its existing information security policy, CIP, EFT error resolution policy, and other fraud prevention policies and procedures.

Validate the program

Once the program is written, processes changed, and policy and procedure updates finished, the bank should validate the program with an audit. The program should be operational before the audit is conducted. The program administrator or initial task force that oversaw the program development should review and respond to all weaknesses or deficiencies found in the audit. Any necessary changes made to the program as well as to applicable policies and procedures should be documented.

About the Author: Lyn Farrell, a licensed attorney with 30 years’ experience in banking, has been selected as a member of the advisory board for the ABA’s Regulatory Compliance Conference. 512/472-4000, www.smslp.com.

This page was last updated on 8/24/08.