The US government audit of a company’s compliance with the Red Flags Rule may be inevitable as the number of identity theft cases increases affecting more people and their credit worthiness. A government audit of a company’s identity theft prevention program as agreed by an inter-agency committee will cover three major aspects of the Red Flags Rule.
These major Red Flags Rule compliance audit areas are as follows:
- Identity theft red flags,
- Address discrepancies, and
- Changes of address.
The above identity theft prevention compliance areas will be audited using 15 identity theft red flags rule examination procedures during a Red Flags Rule compliance audit by a government agency. Whether your company is audited by the FDIC, NCUA, Federal Trade Commission (FTC) or any other regulatory body, the following identity theft compliance audit procedures will be followed by the examiners to assess the completeness and effectiveness of your company’s identity theft prevention program. Therefore, these audit procedures must be considered by all financial institutions and creditors to comply with the identity theft Red Flags Rule regulation, which has been adopted and is currently enforced. Government risk management examiners are also instructed to test institutions for Red Flags Rule compliance as well as address discrepancy and change management during risk management audits.
Specifically, the Red Flags Rule requires the following:
- Financial institutions and creditors to implement a written identity theft prevention program,
- Institutions to assess the validity of change of address requests, and
- Users of consumer reports to verify the identity of the subject of a consumer report in the event of a notice of address discrepancy.
Government Identity Theft Red Flags Rule Examination Procedures
The following list of identity theft compliance audit procedures will be followed by government examiners and can be used by all covered entities to determine their compliance level and preparedness for a government audit:
1. Covered Accounts – Government Red Flags Rule audit examiners will verify that the institution periodically identifies covered accounts it offers or maintains. As part of this initial procedure in the examination, examiners will verify that the institution:
- included accounts for personal, family and household purposes, that permit multiple payments or transactions;
- conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution’s previous experiences with identity theft.
2. Other Regulations – Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies adversely affecting the institution’s ability to comply with the identity theft Red Flags Rules .
3. Management Oversight – Government auditors will review reports, such as audit reports and annual reports prepared by staff for the board of directors (or an appropriate committee thereof or a designated senior management employee) on compliance with the Red Flags Rule. These include reports that address:
- Effectiveness of the institution’s ID Theft prevention program,
- Significant ID Theft incidents and management’s response,
- Oversight of service providers that perform activities related to covered accounts, and
- Recommendations for material changes to the prevention program.
4. Comprehensive Program – Examiners will verify the institution has developed and implemented a comprehensive written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft. The program must be appropriate to the size and complexity of the institution and the nature and scope of its activities. Examiners also will determine whether the institution uses technology to detect red flags; whether the program is updated periodically; and that the board approved and oversees the program.
5. Trained Staff – Examiners will verify that the institution trains appropriate staff to effectively implement and administer the program.
6. Vendor Management – Examiners will determine whether the institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts.
When these procedures are complete, examiners will form a conclusion about whether the institution has developed and implemented an effective and comprehensive written program designed to detect, prevent and mitigate identity theft.
Address Discrepancy Audit Procedures
The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a credit reporting agency. The government identity theft red flags rule examination procedures include five steps to assess address discrepancy compliance:
7. Recognition – Examiners will determine whether the user of consumer reports has policies and procedures to recognize notices of address discrepancies.
8. Reasonable Belief – Examiners will determine whether users have policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested.
9. Accurate Address – Examiners will determine whether users have policies and procedures to furnish to the nationwide consumer reporting agency a consumer address that the users have reasonably determined is accurate.
10. Timing – Examiners will determine whether the users’ policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to the credit reporting agencies during the reporting period when it establishes a relationship with the consumer.
11. Sampling – If procedural weakness or risks are determined, examiners will obtain a sample of consumer reports requested by the user from a credit reporting agency regarding notices of address discrepancies to determine:
- how the user established reasonable belief that the reports related to the consumer in question,
- if the consumer relationship was established,
- whether the institution furnished a consumer address that was reasonably confirmed, and
- whether the user furnished the address in the appropriate reporting period.
Change of Address Audit Procedures
The regulation also requires institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:
- Notifies the cardholder of the address change request and provides the customer a communication means to report unauthorized address changes,
- Notifies the customer with a previously agreed upon means of communication, or
- Assesses the validity of the change of address according to procedures established as part of the ID Theft prevention program.
A government identity theft prevention compliance audit will include four steps to test change of address compliance:
12. Verification – Examiners will determine whether the card issuer has policies and procedures to assess the validity of a change of address.
13. Prevention – Examiners will determine whether policies and procedures prevent card issuers from issuing additional or replacement cards until they notify the cardholder or use other reasonable means to evaluate the validity of the address change.
14. Special Notice – Examiners will determine whether written or electronic notice is sent to cardholders to validate a change of address. This notice must be exclusive from any regular correspondence.
15. Sampling – If procedural weaknesses or risks are noted, examiners will obtain a sample of notifications from cardholders to ensure that card issuers complied with regulatory requirements to evaluate the validity of address changes before issuing cards.