
In December 2003, the FACT Act (FACTA) became law, adding several new provisions to the Fair Credit Reporting Act of 1970 (FCRA), one of which directed the Federal Financial Institutions Examination Council Agencies (Agencies) to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. In July 2006, the Agencies published a joint notice of proposed rulemaking and, in 2007, the Agencies published the final rules and guidance with an effective date of January 1, 2008, and a compliance date of November 1, 2008. The Agencies are currently drafting the examination procedures, which should be available in the near future. NCUA plans to incorporate those procedures into its Automated Integrated Regulatory Examination System.
For federal credit unions, NCUA incorporated the FACTA changes into NCUA Rules and Regulations, including Identity Theft Red Flags; Interagency Guidelines on Identity Theft Detection, Prevention and Mitigation; Duties of Users of Consumer Reports Regarding Address Discrepancies; and Records Disposal. NCUA then created two sections to implement Subpart J: 717.90 (Duties regarding the detection, prevention, and mitigation of identity theft) and 717.91 (Duties of card issuers regarding changes of address). For state-chartered credit unions, the Federal Trade Commission has enforcement power and added Identity Theft Rules to Title 16 of the Code of Federal Regulations.
The Identity Theft Red Flags rule requires those federal credit unions that offer or maintain covered accounts to develop and implement a written Identity Theft Program. A covered account is one that a federal credit union offers or maintains, primarily for personal, family, or household purposes, that involves, or is designed to permit, multiple payments or transactions; or any other account that the federal credit union offers or maintains for which there is a reasonably foreseeable risk to members, or to the safety and soundness of the federal credit union, from identity theft, including financial, operational, compliance, reputation, or litigation risks. In order to determine whether a federal credit union offers or maintains a covered account, each federal credit union must periodically conduct a risk assessment, which takes into consideration:
Federal credit unions should conduct a risk assessment at least annually to identify changes in risks to members or to the safety and soundness of the federal credit union from identity theft, based on factors such as the federal credit union's experiences with identity theft; changes in methods of identity theft; changes in methods to detect, prevent, and mitigate identity theft; changes in the types of accounts that the federal credit union offers or maintains; and changes in the business arrangements of the federal credit union.
The rule states that the program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. In addition, the program must be tailored to the federal credit union’s size, complexity, and the nature and scope of its activities. The rule requires the program to include reasonable policies and procedures that contain four basic elements:
Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the program;
Detect Red Flags that have been incorporated into the program;
Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft;
Ensure the Program is updated periodically to reflect changes in risks and to protect the federal credit union from identity theft.
In addition to the four elements, the rule requires federal credit unions to properly administer the program: obtaining approval of the initial written program from the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the program, training staff, and overseeing service provider arrangements.
To assist federal credit unions in developing their Program, NCUA issued detailed guidance; each federal credit union that is required to implement a program must consider these guidelines and include them where appropriate. The guidelines provide policies and procedures for use by federal credit unions to satisfy the requirements of the final rule, including the four elements listed above. While a federal credit union may determine that particular guidelines are not appropriate to incorporate into its program, the program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rule.
The guidance also includes the requirement to determine sources of Red Flags, as well as categories of Red Flags. Sources federal credit unions should consider and incorporate into the program are incidents of identity theft that the federal credit union has experienced, methods of identity theft that the federal credit union has identified that reflect changes in identity theft risks, and applicable supervisory guidance.
Categories of Red Flags federal credit unions should consider and incorporate into the Program are alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; the presentation of suspicious documents; the presentation of suspicious personal identifying information, such as a suspicious address change; the unusual use of a covered account; and notices from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
The supplement to this guidance provides a detailed list of Red Flag examples that fall within the five categories, for a total of 26 Red Flag examples. Federal credit unions should consider all 26 examples, but are not required to incorporate them all into their program. In addition, federal credit unions should incorporate additional Red Flag examples that are relevant or unique to their operations and services. Not specifically addressed in the Identity Theft Red Flags rule, but addressed in previous NCUA guidance, is the need to educate members on the actions they can take to reduce the chance of becoming a victim of identity theft.
Members should not click on links embedded in emails, even if the email appears to be from an entity with which they have previously had contact. Instead, the member should type the known URL into the web browser's address bar to access that entity's webpage. Members should be told that staff would never initiate contact to ask for information that the credit union should already have. Members should not believe anyone who claims to be with a credit union and asks for this type of information; in these instances, the member should contact the credit union directly. A methodology should be implemented to provide members with updates on recent and emerging identity theft schemes so they can easily recognize and avoid them. Members should also be advised to access their accounts and conduct transactions only on trusted computers, such as their own computer, that have up-to-date security applications.
Lastly, the guidelines also include requirements for the duties of card issuers regarding changes of address. The key provision of this section is that a card issuer must establish reasonable policies and procedures to assess the validity of a change of address if it receives notification of the change and, within a short period of time afterwards, receives a further request for an additional or replacement card for the same account.
Under the above circumstances, the card issuer may not issue an additional or replacement card until, in accordance with its policies, the issuer notifies the cardholder of the request or otherwise assesses the validity of the change of address.
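As an added illustration (not part of the NCUA article and not an NCUA-supplied tool), the following Python sketch shows how the card-issuer duty described above can be expressed as a detection check over account events: a replacement or additional card request is held when an address-change notification arrived within a short period before it and the change has not yet been validated. The 30-day window, the event names, and the sample events are constructed assumptions; the article itself only says "a short period of time".

```python
from dataclasses import dataclass
from datetime import date

# Assumed window for "a short period of time"; the article states no figure.
HOLD_WINDOW_DAYS = 30


@dataclass
class Event:
    """One account event. kind is one of:
    "address_change"     - notification of a change of address received
    "address_validated"  - cardholder notified / validity of change assessed
    "card_request"       - request for an additional or replacement card
    """
    account: str
    kind: str
    when: date


def decide_card_requests(events, window_days=HOLD_WINDOW_DAYS):
    """Return {(account, request_date_iso): decision} for every card request.

    A request is held when the most recent address change on the same
    account happened within window_days before the request and has not
    been validated since. Requests that predate the change, fall outside
    the window, or follow a validation are issued normally.
    """
    by_account = {}
    for ev in sorted(events, key=lambda e: e.when):   # stable: same-day order kept
        by_account.setdefault(ev.account, []).append(ev)

    decisions = {}
    for account, evs in by_account.items():
        last_change = None      # date of the latest address-change notification
        validated = True        # True until an unvalidated change is seen
        for ev in evs:
            if ev.kind == "address_change":
                last_change = ev.when
                validated = False
            elif ev.kind == "address_validated":
                validated = True
            elif ev.kind == "card_request":
                recent = (last_change is not None
                          and 0 <= (ev.when - last_change).days <= window_days)
                if recent and not validated:
                    decision = "hold: verify address change of %s" % last_change.isoformat()
                else:
                    decision = "issue"
                decisions[(account, ev.when.isoformat())] = decision
    return decisions


def held_accounts(decisions):
    """Sorted list of account ids with at least one held card request."""
    return sorted({acct for (acct, _), d in decisions.items() if d.startswith("hold")})


# Constructed sample events (account ids are placeholders).
SAMPLE_EVENTS = [
    Event("A", "address_change", date(2008, 11, 3)),
    Event("A", "card_request", date(2008, 11, 10)),      # 7 days later -> hold
    Event("B", "card_request", date(2008, 11, 1)),
    Event("B", "address_change", date(2008, 11, 5)),     # request predates change -> issue
    Event("C", "address_change", date(2008, 9, 1)),
    Event("C", "card_request", date(2008, 11, 15)),      # 75 days later -> issue
    Event("D", "address_change", date(2008, 11, 3)),
    Event("D", "address_validated", date(2008, 11, 6)),
    Event("D", "card_request", date(2008, 11, 8)),       # validated first -> issue
    Event("E", "address_change", date(2008, 11, 3)),
    Event("E", "card_request", date(2008, 11, 4)),       # hold ...
    Event("E", "address_validated", date(2008, 11, 5)),
    Event("E", "card_request", date(2008, 11, 6)),       # ... then issue
]

if __name__ == "__main__":
    for key, decision in sorted(decide_card_requests(SAMPLE_EVENTS).items()):
        print(key, decision)
    print("held:", held_accounts(SAMPLE_EVENTS and decide_card_requests(SAMPLE_EVENTS)))
```

The check is deliberately per account and order-sensitive: a card request that arrives before the address change is not a Red Flag under this provision, and a validation recorded after the change clears the hold for later requests, which matches the "notifies the cardholder ... or otherwise assesses the validity" condition in the text.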
The Identity Theft Red Flags rule provides the avenue for federal credit unions to implement processes that minimize the threat of members becoming victims of identity theft. It is equally important to ensure that members are an active part of that process, with timely guidance and advice provided by their federal credit union.
Outside the scope of this article, but a part of FACTA, is Subpart I, which delineates the requirements for users of consumer reports regarding address discrepancies and records disposal. Federal credit unions need to ensure they adopt reasonable policies and procedures to implement this section.