On January 1, 2008, the final rules propounded by the OCC, Board of Governors, FDIC, OTS, NCUA and FTC requiring financial institutions and creditors to develop an Identity Theft Prevention Program finally became effective.
Under these guidelines, an Identity Theft Prevention Program must identify those accounts where identity theft is most likely to occur. Only financial institutions and creditors that offer or maintain “covered accounts” must develop such a program. A “covered account” is an account used for personal, family, or household purposes involving multiple payments or transactions or any other account for which there is a reasonably foreseeable risk of identity theft to customers or to the safety and soundness of the institution. The program must also be designed to detect, prevent, and mitigate identity theft and should be tailored to the size, complexity and nature of each financial institution.
Under the rules, the program must include four basic elements: 1) identifying red flags for covered accounts and incorporating those red flags into the program; 2) detecting those red flags; 3) responding to the red flags; and 4) ensuring the program is updated periodically to reflect any changes in the risks to the customer or to the institution.
Certain steps must also be taken to administer the program, including obtaining approval of the written program by the board of directors or a committee of the board, ensuring oversight of the program, training staff, and overseeing service provider relationships.
Financial institutions and creditors should take note – the mandatory compliance date for these rules is November 1, 2008.