If your organization is a financial institution or creditor with covered accounts, identity theft program implementation must be on your mind, and you may be wondering how you can comply with the requirements of the Red Flags Rule. In this article, we discuss at a high level the areas you need to address while implementing your identity theft prevention program. In general, your identity theft prevention program must include policies and procedures that are designed to identify, detect and respond to identity theft red flags, or patterns and practices of identity theft. In other words, a company must be proactive in identifying current threats from identity theft criminals, train its employees to identify and detect identity theft red flags in the course of business operations, and respond appropriately to identity theft warning signs so that identity theft is prevented. The key phrase here is “current threats”, which means that your organization must perform periodic risk assessments to identify the latest identity theft patterns and practices.
As mentioned above, a risk assessment is a proactive process to identify the current threats posed by the latest identity theft practices, as well as gaps in the company’s internal control environment, such as the policies and procedures designed to mitigate those risks. Based on the findings of the risk assessment, management must then develop plans to improve its internal control environment and reduce the identity theft risks facing the organization and its customers. The risk assessment process must be performed periodically to ensure that the latest threats posed by identity thieves are considered.
After a risk assessment is completed, an identity theft prevention program must be documented in writing and implemented to reduce the identity theft risks. Depending on the size of the organization and the amount or type of private data it holds, the program may vary in complexity; however, certain components apply to all programs: the appointment of a program manager; program approval by senior management or the Board; vendor oversight and management; policies and procedures to identify, detect and mitigate identity theft red flags; technical, physical and administrative security considerations; address verification; employee training; access authorization; and secure disposal of private information.
In order for an identity theft program implementation to be successful, the program manager must review the program and its components at least annually to ensure that all necessary controls are in place to address the latest identity theft threats. The program manager must also revise the program as necessary, incorporating any lessons learned from identity theft incidents. One key point that we must stress is the importance of employee training in making the identity theft program implementation effective. Key employees are the ones who must design, implement and enforce the internal controls after risk assessments are completed, and without their thorough knowledge of the program, all plans to prevent identity theft and comply with the Red Flags Rule may fail.