We are a non-bank, a mortgage banker, that was recently cited for not having an Identity Theft Prevention Program. We thought we were covered for it in our general fraud screening procedures. Apparently, there is a regulatory requirement for it that requires actions that are far more involved than just screening for fraud. What rule applies to our type of financial institution?
The Federal Trade Commission established rules regarding an Identity Theft Prevention Program (“Program”). The procedures must be in a written format and must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. Procedurally, the Program is meant to be appropriate for a financial institution’s size, complexity, and scope of operations. [16 CFR § 681.1(d)(1)]
By “covered account,” the Program means accounts that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involve or are designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account. It also means any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. So, clearly, the meaning of “covered account” is quite broadly applied. [16 CFR § 681.1(b)(3)]
Even more specifically, an “account” is a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes, including an extension of credit (i.e., purchase of property or services involving a deferred payment) and a deposit account. [16 CFR § 681.1(b)(1)]
There are four essential guidelines, each of which usually involves Red Flags – a marker for a pattern, practice, or specific activity that indicates the possible existence of identity theft.
- Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
- Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. [16 CFR § 681.1(d)(2)]
There are four administrative components of the Program:
- Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
- Involve the Board of Directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
- Train staff, as necessary, to effectively implement the Program; and
- Exercise appropriate and effective oversight of service provider arrangements. [16 CFR § 681.1(e)]
President & Managing Director
Lenders Compliance Group