Identity Theft Red Flags Procedures

Dear Board of Directors:  

The purpose of this letter is to provide credit unions a copy of the new: 

1. Identity Theft Red Flags Examination Procedures AIRES Questionnaire which is based upon the Federal Financial Institutions Examination Council¹ (FFIEC) Interagency Consumer Alerts and Identity Theft Protections, and 
2. Consumer Reports Address Discrepancies & Records Disposal Procedures AIRES Questionnaire which is based upon the FFIEC Interagency Duties of Users of Consumer Reports and Furnishers of Consumer Report Information Examination Procedures. 

Identity Theft Red Flags.  Financial institutions and creditors are now required to develop and implement written identity theft prevention programs under the new "Red Flags Rules." The Red Flags Rules are part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Under these Rules, financial institutions and creditors with covered accounts must have identity theft prevention programs in place to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. Examiners will use the new questionnaire to help evaluate the quality and effectiveness of a credit union’s written Identity Theft Prevention Program (Program). 

For federal credit unions, NCUA incorporated the Red Flags Rules into NCUA Rules and Regulations, Part 717, Subpart J (Identity Theft Red Flags) and Appendix J (Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation). NCUA created two sections to implement Subpart J: §717.90 (Duties regarding the detection, prevention, and mitigation of identity theft) and §717.91 (Duties of card issuers regarding changes of address). For state chartered credit unions, the Federal Trade Commission has enforcement power and added Part 681 (Identity Theft Rules) §681.2 (Duties regarding the detection, prevention, and mitigation of identity theft) and §681.3 (Duties of card issuers regarding changes of address) to Title 16 of the Code of Federal Regulations (16 CFR 681). 

The key provisions of Part 717, Subpart J, §717.90 are that each federal credit union must: 

1. periodically conduct a risk assessment to determine whether it offers or maintains covered accounts; 
2. establish and implement a written Program, appropriate to the federal credit union’s size and complexity and the nature and scope of its activities; 
3. include reasonable policies and procedures to: 
   a) identify relevant red flags; 
   b) detect red flags; 
   c) respond appropriately to detected red flags; and
   d) ensure the Program is updated periodically to reflect changes in risks; 
4. provide for continued administration of the Program: 
   a) ensure initial proper approval; 
   b) ensure senior management involvement; 
   c) address staff training; and 
   d) ensure service provider oversight; and 
5. consider the guidelines in Appendix J. 

Consumer Reports Address Discrepancies & Records Disposal. The revised FACTA also requires users of credit reports to implement reasonable policies and procedures to employ when the user receives a notice of address discrepancy from a credit reporting agency (CRA). 

For federal credit unions, NCUA incorporated the address discrepancy rule into NCUA Rules and Regulations, Part 717, Subpart I (Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal) §717.82 (Duties of users regarding address discrepancies).  For state chartered credit unions, the Federal Trade Commission has enforcement power and added Part 681 (Identity Theft Rules), §681.1 (Duties of users of consumer reports regarding address discrepancies) to Title 16 of the Code of Federal Regulations (16 CFR 681). 

The key provisions of Part 717, Subpart I, §717.82 are that each federal credit union must develop and implement reasonable policies and procedures: 

1. designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report; and 
2. for furnishing an address for the consumer, that the user has reasonably confirmed is accurate, to the CRA from whom it received the notice of address discrepancy. 

Both the Identity Theft Red Flags and Address Discrepancies Rules under the Fair and Accurate Credit Transactions Act of 2003 have an effective date of January 1, 2008 and compliance date of November 1, 2008. As part of NCUA’s normal examination process, examiners will be reviewing your credit union’s compliance with the requirements of these rules. For those credit unions not in compliance, examiners will consider the credit union’s progress and compliance efforts to date when developing appropriate plans for corrective action. 

If you have questions concerning the Red Flags Rules and/or Consumer Reports Address Discrepancies requirements, contact your NCUA Regional Office or State Supervisory Authority.