If you must comply with the Red Flags Rule, which falls under the Fair and Accurate Credit Transactions Act (FACTA) and applies to most organizations in the U.S. that process payments from their customers, with compliance required by November 1 of this year, then you should review the recently released guidance documents that the government oversight examiners will use.
On October 10 the Federal Reserve released “Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the Fair Credit Reporting Act”.
Three very important links are provided within this memo:
1. Interagency Examination Procedures for Section 605(h), Duties of Users Regarding Address Discrepancies (12 CFR 222.82)
The third page of this 4-page document contains the real meat for practitioners to use.
“Examination Procedures
1. Determine whether a user of consumer reports has policies and procedures to recognize notices of address discrepancy that it receives from a nationwide consumer reporting agency (NCRA) [Footnote1 – An NCRA compiles and maintains files on consumers on a nationwide basis. As of the effective date of the rule (January 1, 2008), there were three such consumer reporting agencies: Experian, Equifax, and TransUnion (Section 603(p) of FCRA (15 USC 1681a)). End of Footnote 1.] in connection with consumer reports.
2. Determine whether a user that receives notices of address discrepancy has policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested (12 CFR 222.82(c)). See examples of reasonable policies and procedures “to form a reasonable belief” in 12 CFR 222.82(c)(2).
3. Determine whether a user that receives notices of address discrepancy has policies and procedures to furnish to the NCRA an address for the consumer that the user has reasonably confirmed is accurate, if the user:
a. Can form a reasonable belief that the report relates to the consumer;
b. Establishes a continuing relationship with the consumer; and
c. Regularly, and in the ordinary course of business, furnishes information to the NCRA (12 CFR 222.82(d)(1)). See examples of reasonable confirmation methods in 12 CFR 222.82(d)(2).
4. Determine whether the user’s policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to an NCRA during the reporting period when it establishes a relationship with the consumer (12 CFR 222.82(d)(3)).
5. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of consumer reports requested by the user from an NCRA that included notices of address discrepancy and determine:
a. How the user established a reasonable belief that the consumer reports related to the consumers whose reports were requested; and
b. If a consumer relationship was established:
i. Whether the institution furnished a consumer’s address that it reasonably confirmed to the NCRA from which it received the notice of address discrepancy; and
ii. Whether it furnished the address in the reporting period during which it established the relationship.”
2. Interagency Examination Procedures for Section 615(e), Duties Regarding the Detection, Prevention, and Mitigation of Identity Theft (12 CFR 222.90)
The 4th and 5th pages of this 5-page document contain the meat here: the actual examiners’ procedures.
“Examination Procedures
1. Verify that the financial institution periodically [Footnote2 – The risk assessment and identification of covered accounts is not required to be done on an annual basis. This should be done periodically, as needed. End of Footnote 2.] identifies covered accounts it offers or maintains. [Footnote3 – A “covered account” includes: (i) an account primarily for personal, family, or household purposes, such as a credit card account, mortgage loan, auto loan, checking account, or savings account that permits multiple payments or transactions; and (ii) any other account that the institution offers or maintains for which there is a reasonably foreseeable risk to customers or the safety and soundness of the institution from identity theft (12 CFR 222.90(b)(3)). End of Footnote 3.] Verify that the financial institution:
• Included accounts for personal, family, and household purposes that permit multiple payments or transactions; and
• Conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution’s previous experiences with identity theft (12 CFR 222.90(c)).
2. Review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies that adversely affect the financial institution’s ability to comply with the Identity Theft Red Flags Rules (red flag rules).
3. Review any reports, such as audit reports and annual reports prepared by staff for the board of directors [Footnote4 – The term board of directors includes: (i) in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency, and (ii) in the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management. End of Footnote 4.] (or an appropriate committee thereof or a designated senior management employee) on compliance with the red flag rules, including reports that address:
• The effectiveness of the financial institution’s Identity Theft Prevention Program (Program);
• Significant incidents of identity theft and management’s response;
• Oversight of service providers that perform activities related to covered accounts; and
• Recommendations for material changes to the Program.
Determine whether management adequately addressed any deficiencies (12 CFR 222.90(f); Guidelines, Section VI).
4. Verify that the financial institution has developed and implemented a comprehensive written Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account. The Program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities (12 CFR 222.90(d)(1)).”
3. Interagency Examination Procedures for Section 615(e), Duties of Card Issuers Regarding Changes of Address (12 CFR 222.91)
The third page of this 3-page document contains the examiners’ procedures.
“Examination Procedures
1. Verify that the card issuer has policies and procedures to assess the validity of a change of address if:
• It receives notification of a change of address for a consumer’s debit or credit card account; and
• Within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account (12 CFR 222.91(c)).
2. Determine whether the policies and procedures prevent the card issuer from issuing additional or replacement cards until it:
• Notifies the cardholder at the cardholder’s former address or by any other means previously agreed to and provides the cardholder a reasonable means to promptly report an incorrect address change (12 CFR 222.91(c)(1)(i)-(ii)); or
• Assesses the validity of the address change in accordance with its procedures established under its Identity Theft Prevention Program (12 CFR 222.91(c)(2)). In the alternative, a card issuer may validate a change of address request when it is received, using the above methods, prior to receiving any request for an additional or replacement card (12 CFR 222.91(d)).
3. Determine whether any written or electronic notice sent to cardholders for purposes of validating a change of address request is clear and conspicuous and is provided separately from any regular correspondence with the cardholder (12 CFR 222.91(e)).
4. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of notifications from cardholders of changes of address and requests for additional or replacement cards to determine whether the card issuer complied with the regulatory requirement to evaluate the validity of the notice of address change before issuing additional or replacement cards.
Conclusion: On the basis of examination procedures completed, form a conclusion about whether a card issuer’s policies and procedures effectively meet regulatory requirements for evaluating the validity of change of address requests received in connection with credit or debit card accounts.”
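The change-of-address control in items 1 and 2 above has a shape that an issuer can check mechanically: a request for an additional or replacement card that arrives within 30 days of an address change on the same account is held until the change has been validated. The following is an added example written for this post, not code from the Federal Reserve, the FDIC or any issuer; the event classes, the `validated` flag, the account identifiers and the dates are constructed for illustration, and the 30-day window is taken from the quoted 12 CFR 222.91(c) text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Hypothetical event model (assumption: names are not from the regulation).
@dataclass
class AddressChange:
    account_id: str
    received: date
    # True once the issuer has notified the former address or otherwise
    # validated the change under its Identity Theft Prevention Program
    validated: bool = False

@dataclass
class CardRequest:
    account_id: str
    received: date

@dataclass
class Decision:
    account_id: str
    request_date: date
    action: str   # "issue" or "hold"
    reason: str

# "at least the first 30 days" after the address change notification
WINDOW = timedelta(days=30)

def evaluate_card_request(request: CardRequest,
                          changes: List[AddressChange],
                          window: timedelta = WINDOW) -> Decision:
    """Hold a card request that falls inside the window after an
    unvalidated address change on the same account; otherwise issue."""
    # Address changes on this account received on or before the request and
    # no more than `window` earlier (the boundary day counts as inside).
    recent = [c for c in changes
              if c.account_id == request.account_id
              and c.received <= request.received <= c.received + window]
    unvalidated = [c for c in recent if not c.validated]
    if unvalidated:
        newest = max(unvalidated, key=lambda c: c.received)
        return Decision(request.account_id, request.received, "hold",
                        f"address change received {newest.received} not yet validated")
    return Decision(request.account_id, request.received, "issue",
                    "no unvalidated address change within the window")

# Constructed sample events covering the cases an examiner would sample:
# inside the window, outside it, already validated, and exactly on day 30.
SAMPLE_CHANGES = [
    AddressChange("ACC-1", date(2008, 10, 1)),                   # 14 days before request
    AddressChange("ACC-2", date(2008, 8, 1)),                    # 75 days before request
    AddressChange("ACC-3", date(2008, 10, 1), validated=True),   # already validated
    AddressChange("ACC-4", date(2008, 9, 15)),                   # exactly 30 days before
]
SAMPLE_REQUESTS = [
    CardRequest("ACC-1", date(2008, 10, 15)),
    CardRequest("ACC-2", date(2008, 10, 15)),
    CardRequest("ACC-3", date(2008, 10, 20)),
    CardRequest("ACC-4", date(2008, 10, 15)),
]

def run_sample() -> Dict[str, str]:
    """Evaluate every sample request; returns account_id -> action."""
    return {r.account_id: evaluate_card_request(r, SAMPLE_CHANGES).action
            for r in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = evaluate_card_request(r, SAMPLE_CHANGES)
        print(f"{d.account_id} {d.request_date}: {d.action} ({d.reason})")
```

The decision record (account, date, action, reason) is what item 4 asks examiners to sample, so keeping it rather than only the yes/no outcome makes the later review straightforward. The boundary is treated inclusively because the rule speaks of "at least" the first 30 days; an issuer's Program may set a longer window.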
It is important to note that the bulk of what is being reviewed for compliance is policies, procedures and related documentation. Looking at the Red Flags Rule regulatory text, along with the other guidance documents on the FDIC and Federal Reserve sites, you will also see the emphasis placed on training personnel in these policies and procedures.
Tags: awareness and training, FDIC, federal reserve, identity theft, Information Security, IT compliance, IT training, policies and procedures, privacy law, privacy training, Red Flags rule, risk management, security training