The Securities Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) adopted joint rules addressing identify theft as required under the Dodd-Frank Wall Street Reform and Consumer Protection Act.

Although we have written articles in previous issues of the Quarterly Report and discussed ITPP at many quarterly meetings, we felt that in light of the new rules adopted by the SEC and the CFTC, the regulators' increased focus on identity theft prevention programs (ITPP), and the requirement that a bank's ITPP be updated periodically, it might be a good time to revisit the Red Flags Rule.

Every bank's ITPP requires continuing administration of the bank's program which includes involvement of the board of directors, a committee thereof, or an appropriate senior management official. Board involvement is very important component of an ITPP and is an indication of the importance of identity theft prevention. During an annual review, the board, senior management official or committee should review the bank's ITPP, based on its risk assessment, to ensure that the program is effective and fully compliant. All third party service provider arrangements and management's response to any problems should also be reviewed. Recommendations for updates to the program should be provided by specifically taking new products or specific incidents of identity theft into consideration. Every bank's ITPP should be updated based upon such factors as the experience of the institution with identity theft, changes in methods of identity theft, changes in methods to detect or mitigate identity theft, changes in the type of accounts offered, and changes to the bank's business.

The five categories of Red Flags are as follows: (1) alerts, notifications or other warnings received from consumer reporting agencies; (2) the presentation of suspicious documents by an applicant; (3) the presentation of suspicious personal identifying information, such as a suspicious address change; (4) the unusual use of, or other suspicious activity related to, a covered account; and (5) notice from customers, victims of identity theft, law enforcement authorities and others.

Supplement A to Appendix J provides twenty-six examples of possible Red Flags that could be grouped under the aforementioned categories. While revisiting its ITPP, your bank should review these examples while being mindful that these are simply examples and other red flags likely exist. When identifying additional red flags, consider the bank's previous experiences and new technologies and incorporate the following information into the bank's program: types of accounts, methods for accessing and opening accounts, existing Information Security Program, existing CIP policy, experiences with identity theft, experience with SARs, security procedures in place to monitor fraudulent activity, an analysis of the types of covered accounts that the bank currently has, and a mechanism for incorporating new products and services into the ITPP as they are offered.

The bank's policies and procedures should also provide for appropriate responses to Red Flags, taking into account possible aggravating factors such as a data security breach or notice of a fraudulent attempt to obtain a customer's identifying information. Appropriate responses to these situations may include: monitoring a covered account for evidence of identity theft; contacting the customer; changing any passwords, security codes, etc.; reopening a covered account with a new account number; not opening a new covered account; not attempting to collect on a covered account; notifying law enforcement; or determining that no response is warranted.

Since we first began discussing ITPP in 2007, there have been many changes and advances in technology resulting in an increase in sophistication of the methods used for identity theft, so be mindful of these changes as you take a fresh look and revisit your bank's ITPP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.