Viewpoint: Got an ID Theft Red Flag Plan? That's the First Step

For most financial institutions, the deadline to get your Identity Theft Red Flag Program in place has come and gone.

Many institutions have their programs in place, but questions may linger. Is my program complete? Did I do it right? What will my examiners expect?

The reality is this is not a one-time requirement; it involves a comprehensive, continuing program. Like Bank Secrecy Act and information security programs, this one will come up again, year after year, with evolving examiner expectations.

It's difficult to determine exactly what examiners will want to see in the future, but we do have some practical recommendations for developing and reviewing your program.

First, be sure to use and update what you have. The requirements overlap those for a number of programs you probably already have, including information security, customer identification, and fraud programs. Do not reinvent the wheel. Where you already have policies and procedures that help you in dealing with a red flag, use them.

Many of the sample red flags in the guidance for this program arise when employees are identifying your customers. You may be requiring your staff to perform the relevant procedures only when opening accounts for new customers, since that is the only time BSA regulations require it. However, since your red flag risk assessment probably highlights account opening as a risk, you may want to update your customer ID program so that the procedures are performed more frequently, including when accounts are opened for current customers.

If you decide to use existing procedures to meet the red flag requirements, make sure any weaknesses or enforcement problems have been addressed. If you have been criticized by examiners or auditors for violations in customer ID or fraud programs, it is important to improve those procedures before you rely on them for red flag purposes.

In addition, you may be able to rely on your current automation to meet your requirements. Many institutions have a lot of functionality in their software they don't understand, don't use, or simply haven't thought about using for identity theft prevention.

For example, most core systems allow you to flag a customer's identification record when something about that person, such as a fraud or extended duty alert, has raised an alarm. This is a great way to document that a red flag has been triggered. Further, if your system can generate reports showing where those fields have been used, you can use the reports as part of the review.

Many systems generate error messages when Social Security numbers are used more than once. This was designed to prevent duplication of customer identification records and other data, but it can serve just as well to identify different people using the same Social Security number.

You can supplement this control with taxpayer identification number error reports that may be available in your system, as well as free resources such as the Internal Revenue Service's TIN Matching Program, which lets you match names with Social Security or taxpayer ID numbers.

Anti-laundering and report-writing systems are also excellent tools in the hunt for red flags. If the systems are flexible, you may be able to set new reporting parameters to look for some of the more difficult red flags, such as unusual use of a line of credit.

The creative use of your software, combined with free resources from the IRS, can be an extremely powerful and cost-effective way to meet your requirements.

Another important thing to remember is to stay practical. Many parts of the guidance are vague at best. When considering your requirements, give thought not just to which flags may apply to you, but also to which ones you can handle without too much extra effort.

You do not have to do more than what is required, and your efforts should be tailored to doing what is most effective and efficient for your organization.

Finally, once your program is in place, don't forget about it. This is expected to be an ongoing process, which undoubtedly will grow and change as identity theft techniques, technology, and examiner expectations change. In particular, you have annual reporting requirements, which are very specific under the regulation. You will probably have to start having an annual independent review performed on your program at some point, and ongoing training is a must.

If your program is too generic and does not adequately reflect your practices and risks, your examiner may expect you to take another cut at it. So regardless of where you are in your program, keep in mind that developing your program was just the first step in the journey, not the last.

