QUESTION
We are a non-bank, a mortgage banker, that was recently cited for not
having an Identity Theft Prevention Program. We thought we were covered for it
in our general fraud screening procedures. Apparently, there is a regulatory
requirement for it that requires actions that are far more involved than just
screening for fraud. What rule applies to our type of financial institution?
ANSWER
The Federal Trade Commission established rules regarding an Identity
Theft Prevention Program (“Program”). The procedures must be in a written
format and must be designed to detect, prevent, and mitigate identity theft in
connection with the opening of a covered account or any existing covered
account. Procedurally, the Program is meant to be appropriate for a financial
institution’s size, complexity, and scope of operations. [16 CFR § 681.1(d)(1)]
By “covered account,” the Program means accounts that a financial
institution or creditor offers or maintains, primarily for personal, family, or
household purposes, that involves or is designed to permit multiple payments or
transactions, such as a credit card account, mortgage loan, automobile loan,
margin account, cell phone account, utility account, checking account or
savings account. It also means any other account that the financial institution
or creditor offers or maintains for which there is a reasonably foreseeable
risk to customers or to the safety and soundness of the financial institution
or creditor from identity theft, including financial, operational, compliance,
reputation, or litigation risks. So, clearly, the meaning of “covered account”
is quite broadly applied. [16 CFR § 681.1(b)(3)]
Even more specifically, an “account” is a continuing relationship
established by a person with a financial institution or creditor to obtain a
product or service for personal, family, household or business purposes,
including an extension of credit (i.e., purchase of property or services
involving a deferred payment) and a deposit account. [16 CFR § 681.1(b)(1)]
There are four essential guidelines, each of which usually involves Red
Flags – a marker for a pattern, practice, or specific activity that indicates
the possible existence of identity theft.
- Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
- Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
- Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
- Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. [16 CFR § 681.1(d)(2)]
There are four administrative components of the Program:
- Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
- Involve the Board of Directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
- Train staff, as necessary, to effectively implement the Program; and
- Exercise appropriate and effective oversight of service provider arrangements. [16 CFR § 681.1(e)]
Jonathan Foxx
President & Managing Director
Lenders Compliance Group