A comprehensive Red Flags Rule compliance audit is offered by Identity Management Institute® (IMI). This article describes the requirements of the Federal regulation and IMI’s compliance audit services.
The primary objectives of the Red Flag Rule compliance audit conducted by IMI are to give company management, its oversight group or person, and regulators the assurance that their Identity Theft Prevention Program (“Program”) is complete, effective, and compliant with the Rule, or to provide recommendations to improve the Program.
Benefits of a Red Flags Rule Audit
The Red Flags Rule program audit has many benefits, including the independent validation of the Program’s completeness and effectiveness as well as the identification of improvement opportunities in the company’s compliance posture. Other benefits may include:
Who Should Consider a Red Flags Rule Compliance Audit
A broad classification of companies which must comply with the Rule includes automobile dealers, utility companies, mortgage brokers, telecommunications companies, finance companies, and non-bank financial services. The covered companies typically offer a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, and any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
According to the Federal Trade Commission, the Rule likely affects over 11 million creditors.
IMI performs the Red Flags Rule compliance audit using a structured audit program to gather information and request documentation for review and testing. The audit deliverable is an audit report which may include improvement recommendations. The audit is mostly completed remotely but will require an onsite visit, personnel inquiries, observation, and testing.
The scope of the audit is limited to the requirements of the Red Flags Rule for implementing a workplace identity theft prevention program in connection with the opening of a new covered account or any existing covered account, as well as address change validation and response to address discrepancy notices received from credit reporting agencies. Therefore, the audit scope does not include the privacy and protection of personal information collected by the company.
Red Flags Rule Compliance Audit Components
Identity Management Institute (IMI) has listed four general areas which must be assessed during the audit:
Program Administration: The Rule requires the proper administration of the written Program to establish oversight, scope, objectives, responsibilities, reporting and timing. Program administration also requires the designation of a Program manager, periodic updates, independent audits, approval by the Board of Directors (BOD), a committee of the BOD, or senior management, appropriate staff training, and service provider oversight.
Risk Assessment Process: An initial risk assessment must be completed to identify the scope such as covered accounts and how identity theft might occur within the organization. Although the regulation identifies certain red flags which need to be addressed, each company must identify identity theft red flags within its own operations based on a comprehensive risk assessment. Subsequent risk assessments are necessary to ensure the Program is updated periodically and reflects changes in identity theft risks facing companies and their customers. Service provider risks must also be assessed.
Red Flags Management: Upon discovery of all identity theft red flags in the risk assessment process, necessary policies and procedures must be established, documented and communicated to detect, prevent and mitigate identity theft.
Program Management: Program management ensures established plans, policies and procedures are followed to effectively identify, detect, and prevent identity theft. Employee training, monitoring, event logging, and lessons learned from internal and external events are addressed when managing the Program.
Lessons Learned: Gathering and analyzing relevant information from all business areas, audit reports, and industry news is part of a comprehensive risk management process which may require Program updates and staff communication.
Audit staff are experienced Certified Red Flags Specialist® professionals who are members of IMI and have undergone comprehensive training and a rigorous examination by IMI.
Comprehensive Compliance Services
IMI offers a variety of compliance services for organizations which might be in various stages of their RFR program:
1) Program Development - For organizations which are in the planning or development stages of their RFR compliance program, IMI will work with company management and staff to guide them through the design, risk assessment, and implementation stages of the Program by providing the necessary checklists, templates and guidance.
2) Program Review - For organizations which have developed a Program but need an independent assessment of their Program before a formal audit is performed, IMI offers a pre-audit service to review the Program documentation and provide management with a list of improvement items to ensure a complete compliance program. A review typically provides feedback regarding the completeness of the Program.
3) Program Audit - Organizations which feel that their Program is fully implemented and ready for an audit can engage IMI to complete a Red Flag audit.
About Identity Management Institute
Identity Management Institute (IMI) is considered a nationally recognized leader for Red Flags Rule training, certification and compliance. IMI manages the Certified Red Flag Specialist® (CRFS) program which is the only registered training and certification program for workplace identity theft prevention and compliance. IMI also manages the largest online discussion group for professional networking. Visit the CRFS® page to learn more.