ID Theft Red Flags Rule Examination Procedures UnveiledOTS is First Agency to Detail How Examiners Will Measure Compliance After Nov. 1
The Office of Thrift Supervision (OTS) is the first agency to announce its exam procedures, presenting them today (Aug. 11) in a 2 p.m. (eastern) webinar. These procedures include 15 separate examination steps related to three principle elements of the new rule:
The exam procedures, which were hammered out and agreed upon by an interagency committee, are in the process of being approved by each of the banking regulatory bodies, and will be announced independently by each agency.
William Henley, Director, IT Risk Management at the OTS, says that the exam procedures show what institutions can expect post-Nov. 1 during an ID Theft Red Flag examination. The accompanying examination manual for examiners is being updated and "should be out shortly," Henley says.
Identity Theft/Red Flags Procedures
For many institutions, Henley says, compliance with the Identity Theft Red Flags guidance is not as much about developing and implementing new controls, but about applying more consistency around existing controls and formalizing these into a written program.
He adds that OTS-regulated institutions that are already in compliance with Interagency Security Guidelines likely will meet Red Flags Compliance on November 1, 2008.
The first step in the examination procedure will be a scoping process that examiners will undertake. "During the scoping process, we'll ask where this is coming from, wherever they have it slotted, we'll examine it accordingly" Henley says. If the program is under the institution's information security program, then either the Safety and Soundness examiner or IT examiners will perform the ID theft exam. Should the program be designed and integrated within the institution's compliance program, then compliance examiners will take on the task, he explains.
There are six Identity Theft/Red Flags procedures that examiners will undertake.
- included accounts for personal, family and household purposes, that permit multiple payments or transactions;
- conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution's previous experiences with identity theft.
When these procedures are complete, examiners will form a conclusion about whether the financial institution has developed and implemented an effective, comprehensive written program designed to detect, prevent and mitigate identity theft.
Although the Identity Theft exam procedures will be performed by both compliance and safety and soundness and IT examiners, there are two examination procedures that will be handled only by compliance examiners - validity of change of address requests and notice of address discrepancy.
Change of Address Procedures
The regulation also requires financial institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:
The exam procedures include four steps to test Change of Address compliance:
Address Discrepancy Procedures
The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The exam procedures include five steps to assess Address Discrepancy compliance: