NCUA Issues Examination Guidelines for ID Theft Red Flags Rule
No Reprieve for Federal Credit Unions - Exams Begin NowIn the letter to federal credit unions from Chairman Michael Fryzel he states that the new procedures are based on FFIEC guidance requiring financial institutions to have identity theft prevention programs in place to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft. Examiners will use the new checklists to help evaluate the quality and effectiveness of a credit union's written program.
These examination procedures are in line with previous versions released by the Office of Thrift Supervision (OTS), Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC)
A week before the November 1 deadline, the Federal Trade Commission (FTC) pushed back the date for enforcement of ID Theft Red Flags for state-chartered credit unions until May 1, 2009. Despite this action, federal credit unions are still expected to be in compliance now, says the NCUA.
Federal credit unions under the ID Theft Red Flags guidance are required to:
- Periodically do risk assessment on covered accounts;
- Establish and begin a written program, fitting the credit union's size, complexity and nature and scope of its business;
- Include reasonable policies and procedures to:
a) identify relevant red flags;
b) detect red flags;
c) respond appropriately to detected red flags; and
d) ensure the program is updated periodically to reflect changes in risks; - Provide for continued administration of the program to:
ensure initial proper approval;
ob) ensure senior management involvement;
c) address staff training; and
d) ensure service provider oversight; and - Consider the guidelines in Appendix J.
What should federal credit unions expect during exams? "Credit unions should be prepared to be able to document their compliance with the rules," says John McKechnie, NCUA's media spokesperson. "If not in compliance, they should be able to effectively demonstrate what steps they have initiated to date to get into compliance and provide a documented timeline for eventual compliance."