Implementing a Red Flags Rule compliance program within an organization has many benefits, but it can be challenging if the company lacks purpose, vision and skilled professionals. An effective identity theft prevention program will also satisfy the organization's compliance needs under other identity theft related laws, such as the USA Patriot Act provision requiring the implementation of a Customer Identification Program (CIP), which is itself an important and integrated part of a financial institution's Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) compliance programs. The primary benefit, however, is that an organization reduces its fraud costs and maintains customer confidence and loyalty when it takes proactive action to prevent identity theft. Only when executive management accepts the identity theft risks and believes in the benefits of an effective identity theft prevention program will the program have a chance to exist, survive, and be embraced by all employees.
This article highlights 8 considerations for implementing an effective Red Flags Rule compliance program. These steps will also help companies facing identity theft risks, regardless of their regulatory environment, reduce their overall risk, including fraud costs, lost customers, reduced revenues, and reputational damage. Although designing a Red Flags Rule compliance program is a straightforward process, implementing it is more challenging, particularly with respect to enforcement and user compliance with the program. Therefore, special attention must be paid to user training and monitoring to ensure a successful and effective identity theft prevention program.
Below are 8 steps that you must consider when implementing a Red Flags Rule compliance program:
1. Assign a program manager – The program manager is responsible for all aspects of program design and implementation, including risk assessments, delegation, monitoring and enforcement, policies and procedures, training, periodic program updates, and reporting program status to the designated oversight entity.
2. Engage the Board of Directors – The Board of Directors, or one of its sub-committees, must approve the initial program and subsequent updates and review the compliance reports submitted by the program manager. If your company lacks a Board, assign a senior employee to provide compliance oversight.
3. Document the program – The program, including all of its policies and procedures, must be in writing and periodically updated.
4. Perform risk assessments – Initial and periodic risk assessments must be performed to identify the program's scope at the organization and account levels, as well as the threats facing the organization.
5. Remediate and respond – Upon completion of the risk assessments, the program manager must ensure appropriate actions are taken to remediate control weaknesses and determine the company's response to threats as they occur.
6. Develop policies and procedures – Upon completion of the risk assessment and determination of the appropriate response, policies and procedures must be developed and communicated to all appropriate parties so that the organization collectively addresses the active threats facing the company and prevents identity fraud before it occurs.
7. Train employees – preferably annually, and when:
a. the program is considered for updates,
b. prior period risk assessments are reviewed for completeness,
c. lessons learned are considered.
8. Consider vendor risks – Service providers must be required by contract to have policies and procedures in place to detect relevant Red Flags that may arise in the course of their activities, and either to report the Red Flags to the company or to take appropriate steps to prevent and mitigate identity theft.