The FTC announced in late October that the enforcement deadline for the Identity Theft “Red Flags” Rule would be extended to June 1, 2010. This extension should be viewed as an indication of the time required for financial institutions and creditors to implement identity theft programs in compliance with the Red Flags Rule, rather than a license to procrastinate. The announcement of the deadline extension came amid discoveries by federal regulators and examiners that a handful of institutions still had not implemented or formalized their identity theft programs, just days before the previous deadline of November 1, 2009. The Identify Theft Red Flags Rule was adopted two years ago by the OCC, the Board of Governors, the FDIC, the OTS, NCUA and the FTC. The original mandatory compliance deadline was November 1, 2008.
The Red Flags guidelines require that financial institutions and creditors offering or maintaining “covered accounts” must develop an identity theft prevention program designed to: 1) identify red flags for covered accounts and incorporate those red flags into the program; 2) detect those red flags; 3) respond to the red flags; and 4) ensure the program is updated periodically to reflect any changes in the risks to the customer or to the institution.
To administer the program, steps must be taken to address misidentified covered accounts, a lack of security training for employees, and insufficient oversight of third-party service providers’ compliance with the rules.
The OTS, which has incorporated this program into its safety and soundness exam process, is reporting that some institutions have not performed a risk assessment, established a written program, or updated their program and materials. OTS safety and soundness examinations typically occur once every 12-18 months, so it is anticipated that by the middle of next year all OTS institutions will have been examined for their compliance with the Red Flags Rule.
NUCA has identified 55 credit unions that have had violations, with a majority of those violations having to do with the failure to establish and implement an identity theft prevention program.
If you have questions regarding the Red Flags Rule, please contact Mary Zambreno at 515-246-4512 or mzambreno@dickinsonlaw.com.
Comments