As I was sitting in yet another airport terminal waiting for a flight home, the TV monitor showed a CNN breaking news story on Eliot Spitzer troubles. As evidence that I picked the correct career path, I was less interested in the details of what he did than in how it was initially detected. When the CNN anchor mentioned the phrase "structured transaction," the story took on a whole new meaning for me. The same Bank Secrecy Act (BSA) requirement that led to the most shocking scandal of the week is the same requirement that is all too familiar to credit unions.

For the past couple of years, credit union regulatory compliance has been dominated by BSA concerns. Whether it is multi-million dollar penalties assessed against banks or cease and desist orders and documents of resolutions against credit unions, BSA violation headlines demand our attention. Credit unions have invested heavily on bolstering their BSA compliance programs. In this environment, it is easy to think that regulatory compliance is entirely BSA compliance.

The fact is, even though BSA dominates the headlines, it is only one piece of the regulatory compliance pie. In 2008, that compliance pie will have slices of Truth in Lending (Regulation Z) changes and fair-lending scrutiny. The biggest piece of all though could be the identity theft red flag requirements of the Fair and Accurate Credit Transaction Act (FACT Act). In October 2007, federal banking regulators issued final rules implementing the identity theft red flag requirements of the FACT Act. The rules were effective Jan. 1, 2008 but compliance is not mandatory until Nov. 1, 2008.

Although compliance is not mandatory until Nov. 1, credit unions should start their preparation soon. Included in the requirements is a written and board-approved ID theft prevention program, risk assessment, identification of red flags, detection system, responses to detected red flags and staff training. Think anyone can pull all of that together during a single October day? No. However, by starting soon and using your existing ID theft prevention measures (you have some whether you know it or not), your program will be ready for testing as the leaves start changing color in the Fall.

First, your credit union must select an individual

or committee to oversee, administer and update the program.

Second, your credit union must conduct a risk assessment to identify all covered accounts for the rule. Covered account is defined broadly as an account that a credit union offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account. A covered account is also any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the credit union from identity theft, including financial, operational, compliance, reputation or litigation risks. Because of how broad the definition is, most credit unions tell us that they will treat every account as a covered account.

In conducting a comprehensive risk assessment, your credit union should take into consideration risk factors such as the types of accounts offered, methods provided to open accounts, methods provided to access accounts and previous experiences with identity theft. Determine where you are vulnerable and the safeguards necessary to address these vulnerabilities.

A List of 21 Red Flags

Third, identify relevant red flags. The regulators provided us with five general categories of red flags:

-Alerts, notifications or other warnings received from consumer reporting agencies or service providers;

-Presentation of suspicious documents;

-Presentation of suspicious personal identifying information;

-Suspicious activity; and

-Notice from members, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft.

In addition, supplement A to appendix J of the rule includes a list of 21 identity theft red flags. Definitely include any additional red flags based on your own experiences.

Fourth, develop procedures and controls to detect the relevant identified red flags. The detection requirement is simply a due diligence requirement to utilize sound controls that will help in detecting the red flags. A detection control example is obtaining identifying information about, and verifying the identity of, a person opening an account by using the policies and procedures regarding identification and verification set forth in your customer identification program.

Another example is authenticating members, monitoring transactions and verifying the validity of change of address requests. It is important to note that your procedures may reference existing customer identification program and security procedures as controls to detect appropriate red flags.

Fifth, develop and document controls to prevent and mitigate red flags. Logically, your credit union must appropriately respond to detected red flags. The appropriate credit union response will vary depending on the risk posed by the detected red flag. The regulators have provided several examples of credit union responses, including monitoring a covered account for evidence of identity theft, contacting the member, and changing any passwords, security codes or other security devices that permit access to an account.

Your credit union must also have controls in place to prevent and mitigate red flags related to third-party providers. Examples include requiring the service provider by contract to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider's activities.

Sixth, your credit union must obtain written approval of the program from the board of directors or an appropriate committee of the board of directors. In addition, staff must be trained to implement the program, including being aware of identified red flags, controls to detect these red flags, and appropriate responses to detection.

The final step requires your credit union to keep the program updated based on factors such as experiences with identity theft, types of accounts offered and changes in service providers. Your program administrator must report to the board of directors, an appropriate committee of the board or a designated employee at the level of senior management, at least annually, on compliance by the credit union.

Instant Insights /

It's Not Too Early to Start Preparing for Identity Theft Red Flag Requirements

Related Stories

Recommended For You