As I was sitting in yet another airport terminal waiting for a flight home, the TV monitor showed a CNN breaking news story on Eliot Spitzer's troubles. As evidence that I picked the correct career path, I was less interested in the details of what he did than in how it was initially detected. When the CNN anchor mentioned the phrase "structured transaction," the story took on a whole new meaning for me. The same Bank Secrecy Act (BSA) requirement that led to the most shocking scandal of the week is the same requirement that is all too familiar to credit unions.

For the past couple of years, credit union regulatory compliance has been dominated by BSA concerns. Whether it is multi-million dollar penalties assessed against banks or cease and desist orders and documents of resolutions against credit unions, BSA violation headlines demand our attention. Credit unions have invested heavily in bolstering their BSA compliance programs. In this environment, it is easy to think that regulatory compliance is entirely BSA compliance.

The fact is, even though BSA dominates the headlines, it is only one piece of the regulatory compliance pie. In 2008, that compliance pie will have slices of Truth in Lending (Regulation Z) changes and fair-lending scrutiny. The biggest piece of all, though, could be the identity theft red flag requirements of the Fair and Accurate Credit Transactions Act (FACT Act). In October 2007, federal banking regulators issued final rules implementing the identity theft red flag requirements of the FACT Act. The rules were effective Jan. 1, 2008, but compliance is not mandatory until Nov. 1, 2008.

Although compliance is not mandatory until Nov. 1, credit unions should start their preparation soon. Included in the requirements is a written and board-approved ID theft prevention program, risk assessment, identification of red flags, detection system, responses to detected red flags and staff training. Think anyone can pull all of that together during a single October day? No. However, by starting soon and using your existing ID theft prevention measures (you have some whether you know it or not), your program will be ready for testing as the leaves start changing color in the fall.

First, your credit union must select an individual or committee to oversee, administer and update the program.

Second, your credit union must conduct a risk assessment to identify all covered accounts for the rule. Covered account is defined broadly as an account that a credit union offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account. A covered account is also any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the credit union from identity theft, including financial, operational, compliance, reputation or litigation risks. Because of how broad the definition is, most credit unions tell us that they will treat every account as a covered account.

In conducting a comprehensive risk assessment, your credit union should take into consideration risk factors such as the types of accounts offered, methods provided to open accounts, methods provided to access accounts and previous experiences with identity theft. Determine where you are vulnerable and the safeguards necessary to address these vulnerabilities.

A List of 21 Red Flags

Third, identify relevant red flags. The regulators provided us with five general categories of red flags:

- Alerts, notifications or other warnings received from consumer reporting agencies or service providers;
- Presentation of suspicious documents;
- Presentation of suspicious personal identifying information;
- Suspicious activity; and
- Notice from members, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft.

In addition, supplement A to appendix J of the rule includes a list of 21 identity theft red flags. Definitely include any additional red flags based on your own experiences.

Fourth, develop procedures and controls to detect the relevant identified red flags. The detection requirement is simply a due diligence requirement to utilize sound controls that will help in detecting the red flags. A detection control example is obtaining identifying information about, and verifying the identity of, a person opening an account by using the policies and procedures regarding identification and verification set forth in your customer identification program.

Another example is authenticating members, monitoring transactions and verifying the validity of change of address requests. It is important to note that your procedures may reference existing customer identification program and security procedures as controls to detect appropriate red flags.

Fifth, develop and document controls to prevent and mitigate red flags. Logically, your credit union must appropriately respond to detected red flags. The appropriate credit union response will vary depending on the risk posed by the detected red flag. The regulators have provided several examples of credit union responses, including monitoring a covered account for evidence of identity theft, contacting the member, and changing any passwords, security codes or other security devices that permit access to an account.

Your credit union must also have controls in place to prevent and mitigate red flags related to third-party providers. Examples include requiring the service provider by contract to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider's activities.

Sixth, your credit union must obtain written approval of the program from the board of directors or an appropriate committee of the board of directors. In addition, staff must be trained to implement the program, including being aware of identified red flags, controls to detect these red flags, and appropriate responses to detection.

The final step requires your credit union to keep the program updated based on factors such as experiences with identity theft, types of accounts offered and changes in service providers. Your program administrator must report to the board of directors, an appropriate committee of the board or a designated employee at the level of senior management, at least annually, on compliance by the credit union.
