Overview
The Federal Trade Commission (FTC) and other federally financed regulatory agencies published their final rules and guidelines for regulating the fraudulent attempt to use private information without authority. The new regulations implemented Section 114 (Red Flag Guidelines) and Section 315 (Reconciling Address Discrepancies) of the Fair and Accurate Credit Transactions Act. The final rule became effective on January 1, 2008, and required financial institutions and creditors to develop and implement an identity theft prevention program by November 1, 2008.
The Identity Theft Red Flags Rule applies to any covered financial institution, credit and debit card issuers, users of consumer reports, and creditors that:
- Collect and use consumer confidential personal information
- Interact with a credit reporting bureau
- Maintain “covered” accounts for individuals or businesses
The identity theft prevention program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The regulations require an institution to have:
- An established, written identity theft prevention program
- Policies and procedures
- Initial risk assessment
- Regular compliance reporting
- Oversight of third-party service providers
- Mandatory staff training
- Periodic reviews and updates of the program to reflect any changes
Key Benefits
Compliance with the Identity Theft Red Flags Rule is mandatory, but implementing an identity theft prevention program can lead to other positive results for your organization.
- Improved security posture
The Identity Theft Red Flags Rule forces ID theft controls within the organization, enhancing the overall security position and reducing the likelihood of unauthorized individuals gaining access to sensitive information. - Limited information exposure
Identifying attempts at criminal activity reduces the probability of a successful breach. - Prevention of damage to image and reputation
The cost of correcting fraudulent activities may be minimal, but the damage to an organization’s image and reputation is immeasurable. - Increased comfort level among senior management
Becoming compliant assures senior management that proper security safeguards have been implemented, allowing them to concentrate on other critical business issues.
Methodology
The objective of the Identity Theft Red Flags Rule is to establish, implement, and document an identity theft prevention program. The motivation is to achieve a common minimum-security level that protects account information. Foundstone Professional Services offers five services to assist you in achieving compliance:
- Data flow analysis
- Preliminary gap analysis
- Risk assessment
- Policies and procedures development
- Identity theft prevention program development
Meeting the Identity Theft Red Flags Rule requirements could necessitate additional resources. With the help of Foundstone Professional Services, compliance will lead to a distinctly controlled environment, yielding the addition of several security controls within an organization.