Identity Management Institute offers an Identity Theft Prevention Program certification service as part of its global and independent solutions. Due to the rise in identity theft cases, which affect businesses as well as their customers and partners, many businesses are required by law to have a formal Identity Theft Prevention Program (“Program”) to identify, detect, and prevent identity theft in their day-to-day business operations. By instituting and enforcing identity theft prevention laws, the regulators intend to protect consumers from the consequences of identity theft, which mainly affect their credit score and creditworthiness for obtaining loans on a timely basis. In the United States (“US”), the law requiring businesses to design and implement an identity theft prevention program is the Red Flags Rule.
The Identity Theft Prevention Program certification and audit is designed to provide businesses with reasonable assurance that their Program is in place and operating effectively. The Program certification also allows businesses to display their readiness for protecting their customers from the rising risks of identity theft and compliance with regulatory requirements. Many organizations require their business partners and third-party vendors to provide evidence of their compliance with identity theft laws. The independent certificate of compliance issued by Identity Management Institute can be used by businesses to provide the necessary compliance evidence to their customers, business partners, and regulators.
A complete and effective Program is designed to detect, prevent, and mitigate identity theft activity in connection with the opening of new accounts or with existing accounts. The Program must be consistent with various laws, rules, and regulations. In the US, rules and regulations covering identity theft include:
- Fair and Accurate Credit Transactions Act of 2003 (“FACTA”) of the Fair Credit Reporting Act (“FCRA”) – Sections 114 and 315
- Provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act (amended section 615(e) of the FACTA)
- The Securities and Exchange Commission (“SEC”) [17 Code of Federal Regulations (“CFR”) – Part 248, subpart C “Regulation S-ID: Identity Theft Red Flags”].
- Commodity Futures Trading Commission (“CFTC”) [17 CFR Part 162, subpart C “Identity Theft Red Flags”].
- Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”) requiring verification of the identity of persons opening new accounts through a Customer Identification Program (“CIP”) [31 CFR Part 103.122].
- Federal Financial Institutions Examination Council (“FFIEC”) guidance entitled Authentication in an Internet Banking Environment, requiring financial institutions offering Internet-based products and services to their customers to use effective methods to authenticate the identity of customers.
- A written and comprehensive Program which reflects changes in risk to customers or to the safety and soundness of the organization;
- Program approval by the Board of Directors or its committee and senior management;
- The designation of an Identity Theft Program Administrator;
- Existence of a Customer Identification Program (“CIP”);
- Procedures for monitoring, detecting, and mitigating identity theft red flags during new account opening and ongoing account activities;
- Authenticating account access and transactions for new and existing accounts;
- Providing employee training concerning the Program and the procedures to review suspicious activities relevant to identity theft;
- Providing customer identity theft awareness and education including techniques to help mitigate identity theft risks;
- Oversight of service providers; and
- Filing the necessary reports with governmental agencies.