The Fair and Accurate Credit Transactions Act's new Red Flag Rules, which require an institution to establish a comprehensive identity theft prevention program, will soon take effect.
With the exception of the Federal Trade Commission, which recently pushed its enforcement deadline out another six months, regulators will begin evaluating institutions for compliance with the rules during examinations that start after Nov. 1.
Despite the impending deadline, many federal agencies have not issued examination procedures. That could lead institutions to take a wait-and-see approach and think regulators may go easy on them in the first exam.
Given the recent turmoil in the financial services market, regulators will likely take noncompliance very seriously. They may not impose substantial penalties initially, but you can be sure they won't hesitate to make examples of institutions whose excuse was not understanding the rules.
Compliance with the requirements for address and card changes is key. While most institutions are primarily focusing on the requirement that they have a comprehensive identity theft prevention program in place, they should also zero in on the mandate that they authenticate customer address changes, as well as requests for new debit or credit cards, shortly following the changes. Having a stringent process for verifying the legitimacy of such updates is paramount.
A financial institution should also coordinate its Red Flag Rules compliance program with its Bank Secrecy Act program. Since the rules are designed to help combat identity theft, which is a federal offense, the rules and the BSA are complementary regulations. If identity theft is suspected, an institution may be required to file a suspicious activity report, depending on the amount of money or the people involved in a transaction.
A customer identification program, required by Section 326 of the USA Patriot Act, serves a purpose similar to the Red Flag Rules, so coordinating the account opening and identity verification procedures for both makes sense. Many banks will be able to modify their customer identification processes and technology to help them address the rules as well.
Staff training should play a key role in the development and maintenance of a Red Flag Rules program. Every member of a bank's staff needs to know how to identify and understand the meaning of the various red flags. They then need to know how to act upon them, track them appropriately, and report them to management and the authorities.
Though the rules do not require an institution to document what it has done to comply with them, regulators will likely expect institutions to do so.
A bank should first document the development of its compliance program and keep copies of the risk assessment for covered accounts and the determination of what red flags are relevant for each account. Next, the bank should document its ongoing compliance process. By doing so, it can produce annual reports illustrating the effectiveness of the compliance program for the directors, as required by the rules.
Such documentation also allows an institution to standardize its training process to make it easier and more consistent across the institution.
Look outside your institution and evaluate your third-party service providers for compliance. The rules require institutions to ensure that third-party providers have policies and procedures in place that allow them to detect red flags and report them to the institution, so the appropriate steps can be taken.
If the service provider is a "creditor" under the Federal Trade Commission's version of the rules, it may already be required to have such a program. Otherwise, you will need to ensure the provider implements such a program. Some institutions already have agreements with providers relating to information security; these should be reviewed and supplemented if necessary.
The effective date for complying with the Red Flag Rules is approaching. But there is likely still time to take a second look at the requirements and your compliance program to make sure you will be ready for the regulator's review before your next exam.








