VIDEO: Board Report Requirements for ID Theft Red Flags

In this Compliance Clip (video), Adam enumerates the requirements for reporting identity theft red flags to the board of directors. In addition, Adam describes an alternative for how small financial institutions can report these requirements in their organization.


Video Transcript

The following is a transcript of this video.

This Compliance Clip is going to talk about the board report requirements for ID Theft Red Flags. This is a question I received recently, so I thought I would turn this into a Compliance Clip. The question I received was: What needs to be included in the annual board report on ID Theft Red Flags?

Well, the answer to this comes from Appendix J to Part 222 of Regulation V, which is in fact the Interagency Guidelines. Part 222 is the Federal Reserve Board's version of Regulation B, not to be confused with the CFPB's version of Regulation V.

There are four key things that we see in Appendix J, which comes from the interagency guidelines from the banking regulators. These are considered material matters related to the ID Theft Red Flags program. To back up a bit, this is a requirement that comes from the FACT Act where we have to provide an ID Theft Red Flags program to prevent and deter identity theft in our organizations, and this program is pretty large. It requires a lot of things, such as when address changes occur, we cannot reissue debit cards without making sure we know that there's no identity theft going on, and different things like that. So this comes from the Fair Credit Reporting Act requirement, and what has to happen is we have to provide an annual report to the board. So this board report must contain four main things.

The first thing is, in the report, we have to include a statement on the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts. Secondly, what we have to do is we have to talk about service provider arrangements and any concerns related to ID theft and red flags. Third, we have to talk about any significant incidents involving identity theft and management’s responses to those incidents. And finally, we have to talk about any recommendations for material changes to the Program.

This is a summary of what has to be in there, and the best way to practically deliver this is to create a template memo or a template report to the board that each year you update on a regular basis. This rule has been around for really over a decade, so this is something that should not be new in your financial institution. It should be something that you're doing already, but it's a good time to check and make sure that that's still happening because I've seen a few financial institutions that for whatever reason have stopped providing this annual report to the board.

So if you're wondering what has to be in there, these are the four things; that's all the guidance that's given to us. And of course, smaller financial institutions are going to have a simpler report, where larger and more complex institutions are going to go into a deeper dive in their report to the board.

Does this technically have to go to the board? Well, here's what Appendix J tells us. “Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually…” So that's what's required.

Generally these reports in smaller midsize financial institutions go to the board but as you can see, it could go to a committee of the board and it also could go to a designated employee at the level of senior management. If you're going to do that, I would write it into your policy to say that that report must go to who specifically and list them by title and make sure that that is approved by the board. I've not actually seen that done in all practicalities. What I've typically seen is the report go to the board of directors.

That's all I have for this Compliance Clip.