Many companies need to consider implementing an Identity Theft Prevention Program ("Program") for several reasons. First, companies whose business model exposes them to a higher risk of identity theft must take serious steps to reduce their fraud losses; such companies typically collect and use consumer personal information as a core part of their operations. Second, these companies must comply with a multitude of identity theft, fraud and privacy laws, and the penalties and remediation costs for failing to do so can be devastating. Last but not least, companies must develop an identity theft program to protect their business reputation before an incident makes it too late.
Each country may have its own laws for identity theft prevention. In the United States, the main federal requirement is the Red Flags Rule, also known as the "RFR", a regulation issued under the Fair and Accurate Credit Transactions Act (FACTA) of 2003. It requires high-risk companies that maintain covered accounts to implement an effective identity theft prevention program to identify, detect and respond to identity theft red flags (warning signs) throughout their business cycle. You can read this Red Flags Rule compliance article for additional information about the covered entities and the types of accounts that must comply with this rule if they do business in the US.
The RFR requires covered financial institutions and creditors to document and administer the components of an identity theft prevention program. These include management oversight; approval of the Program by the Board of Directors (BOD), a committee of the BOD, or senior management; and the Program's scope, objectives, responsibilities, reporting lines and timing. The Program must also specify plans for identity theft risk assessments, policies and procedures, document updates, staff training and oversight of third-party service providers.
An initial risk assessment must be completed to determine whether the company is a covered entity and which of its accounts are covered accounts; subsequent identity theft risk assessments must then be completed to identify the specific identity theft threats. Although the regulation lists certain identity theft red flags that must be considered, each company must identify the red flags relevant to its own operations through a comprehensive risk assessment. Periodic reassessments are necessary to ensure the Program is updated and reflects changes in the identity theft risks facing the company and its customers.
Once all identity theft red flags have been discovered and documented in the risk assessment process, the policies and procedures needed to prevent, detect and respond to those red flags must be documented. This documentation must be updated and communicated after each risk assessment so that threats and countermeasures are properly identified, documented and communicated to the people who must act on them.
One of the best ways companies can improve their management of the identity theft prevention program is by properly leveraging lessons learned, whether from their own operations or from cases that occurred at peer companies. Such identity fraud cases must be analyzed and reflected in the Program documentation so that the improved and updated policies and procedures are properly communicated.
In addition, for the Program to be properly executed, and for the established plans, policies and procedures to be followed so that identity theft is effectively identified, detected and prevented as it occurs, employees and third-party service providers must be trained. Other identity theft and privacy-related regulations must also be identified and understood in order to avoid gaps in the identity theft risk management process. Examples include the Customer Identification Program (CIP) requirements that apply to financial institutions and regulatory guidance on online customer authentication.