Part 4 of a four-part Process for Setting-up a Red Flag Rules Compliance Policy
UPDATING THE PROGRAM
The regulatory language includes a final section aimed at making sure that an organization's Red Flag program maintains its relevancy. The regulation requires that you have in place "policies and procedures to ensure the program is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft."
The intent of this section of the regulation can be understood by focusing on certain key phrases. The terms "policies" and "procedures" indicate that there needs to be a documented method for monitoring, assessing, and adopting additional measures to detect, prevent and mitigate new ways of committing identity theft as they are discovered.
The use of the word "ensure" stresses how important it is to make sure that this requirement is not treated lightly. Key criteria that should be included in your program are (1) how identity theft trend data is collected and analyzed, (2) who will be assigned the duties of tracking and recording this information, and (3) what process will be used to continuously assess and adopt new measures into the program.
The term "periodically" should be read to mean that such assessments ought to be performed more than once per year.
Administration of the Program
Covered entities must administer their Red Flag Program in a manner that meets the following requirements:
1. Adoption of the Initial Plan by the Board. Each financial institution or creditor must obtain initial approval of the Identity Theft Prevention Plan by its board of directors or committee of the board, or if there is no board, then by a designated Senior Manager.
2. Assign Specific Responsibility for the Program. The regulation specifically states that you should involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the program.
3. Reporting to the Board or Senior Manager. At least annually, the person or committee responsible for the Program must provide a report to the board of directors or senior manager that does the following:
(a) Shows the effectiveness of the Program for covered accounts
(b) Explains "significant events" involving identity theft and management's response to the incidents
(c) Provides recommendations for material changes to the Program due to evolving risks and methods of identity theft
The final rules provide that a covered entity must train staff, as necessary, to effectively implement the program. While there is no corresponding section in the regulation itself, the Agencies stressed the importance of this requirement by stating that they continue to believe that proper training will enable staff to address the risk of identity theft.