WASHINGTON -- Credit unions should be putting the final touches on their plans for protecting their members' accounts from identity theft.
Federally chartered credit have until Nov. 1 to finish their plans to protect themselves and their members from identity theft. They must come up with a program and have it approved by their board by their next examination.
State-chartered CUs got a reprieve late last week when the Federal Trade Commission moved back its deadline for compliance to May 1, 2009.
There are 26 warning signs--or Red Flags--that these prevention programs are targeting, including forged or altered applications, Social Security numbers supplied by applicants that are similar to someone else opening an account, and when a financial institution is notified that the customer is not receiving account statements.
"This is a risk-based program. Every credit union must determine what their risks are and then act accordingly," said Anthony Demangone, NAFCU's director of regulatory compliance.
The rules, which were developed by the Federal Trade Commission, NCUA and other regulators as a result of a law passed by Congress in 2002, state that the plans designed by the financial institution must be "appropriate to their size and complexity."
CUNA Director of Compliance Information Valerie Moss advised credit unions not to think that their job is finished on Nov. 1.
"It's not a one-time deal, and processes and procedures will change over time," she said. "Staff members and credit union members need to learn how to nip things in the bud, before they become a problem. Members need to be reminded to check monthly statements regularly and carefully."
Both CUNA and NAFCU have set up programs in which members can exchange information on developing these plans. CUNA has a listserv on the subject and NAFCU has used its compliance blog.
Plans developed by credit unions must outline what steps are being taken to prevent security breaches. Some of it can be quite simple--such as not using an account number or Social Security number as a password. Other solutions can be more complicated.
"You should use secure channels for communicating information, don't use e-mail to send out passwords; those can be intercepted very easily," said Mitchell Savage, executive vice president of Vidoop, a Portland, Ore.-based company that designs secure identity and authentication software.
"Be sure you truncate numbers on your Web site and if you invest money in more secure login procedures, don't make it optional for your members. Even though they may find the new procedures difficult at first it will be worthwhile for the credit union and member," he added.
The plans should also include appropriate response procedures, which can include changing passwords, notifying law enforcement officials or sometimes, doing nothing.
Implementing the programs should involve employees from all departments of the credit union with ongoing training, suggested Jenny Champagne, NASCUS' vice president of regulatory development and education.
Credit unions also have to ensure that their third-party providers that deal with member account information are also in compliance with the plan.
Federal credit unions found to be in violation are subject to a range of penalties by the NCUA, depending on the severity of the situation. These can range from orders to amend the plan to a fine to a cease and desist order.
Violations by state-chartered credit unions can lead to Federal Trade Commission enforcement actions with a penalty of $2,500 for each violation.