OCC Issues ID Theft Red Flags Exam Procedures

The Office of the Comptroller of the Currency (OCC) last week issued new Fair Credit Reporting Act (FCRA) examination procedures for the rules addressing affiliate marketing, identity theft red flags and address discrepancies. The new procedures supplement the existing FCRA examination procedures.

OCC examiners performing this portion of the exam have been trained on the manual and exam procedures. "The riskier institutions will get more attention from examiners," says Kevin Mukri, an OCC spokesperson. "There won't be any surprises. We'll be following the exam procedures that other agencies are."

The OCC plans to incorporate the new examination procedures into an update to the Comptroller's Handbook series once all of the FCRA examination procedures have been completed. Until the revised handbook is issued, examiners will use the FCRA examination procedures as appropriate, Mukri explained. For OCC-regulated institutions, the ID Theft Red Flags compliance exam will be conducted by Safety & Soundness, IT or Compliance examiners, depending on whether the program sits with the compliance function or with information security inside the institution.

New Sections to Handbook

The sections added include:

  • Section 624 Affiliate Marketing Opt-Out -- This part covers sharing customer information with affiliated businesses, affiliate marketing, and a customer's right to receive an opt-out notice and limit marketing solicitations. The mandatory compliance date for this section was October 1, so it is already in effect.
  • Section 605(h) Address Discrepancies -- This part has been added to the existing procedures and covers the duties of banks that use consumer reports when they receive a notice of address discrepancy.
  • Section 615(e) Identity Theft Red Flags -- This part outlines the bank's duties regarding the detection, prevention and mitigation of identity theft, and the duties of card issuers regarding changes of address. The mandatory compliance date for these rules is November 1.

Federal regulators strive for consistency in exam procedures, and the OCC expects to hear feedback from its banks after exams are completed. For joint examination procedures, examiners are trained on the shared exam manual, but each agency conducts its own training, Mukri notes. Banks with questions about the Fair Credit Reporting Act or the exam procedures should first contact their supervisory office.

ID Theft Red Flags Examination Procedures

These procedures are common to all of the federal banking regulatory agencies and were previously released by the Office of Thrift Supervision (OTS) and the Federal Deposit Insurance Corporation (FDIC). To review:

Red Flags Examination Procedures

There are six red flags procedures that examiners will undertake.

1. Covered Accounts -- Examiners will verify that the financial institution periodically identifies the covered accounts it offers or maintains. As part of this initial procedure, examiners will verify that the financial institution:

- included accounts maintained primarily for personal, family or household purposes that permit multiple payments or transactions;

- conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts and the institution's previous experience with identity theft.

2. Other Regulations -- Examiners will review examination findings in other areas (e.g. Bank Secrecy Act, Customer Identification Program and Customer Information Security Program) to determine whether there are deficiencies adversely affecting the financial institution's ability to comply with the Identity Theft Red Flags Rules (Red Flag Rules).

3. Management Oversight -- Examiners will review reports, such as audit reports and annual reports prepared by staff for the board of directors (or an appropriate committee thereof or a designated senior management employee) on compliance with the Red Flag Rules. These include reports that address:

  • Effectiveness of the institution's ID Theft prevention program;
  • Significant ID Theft incidents and management's response;
  • Oversight of service providers that perform activities related to covered accounts;
  • Recommendations for material changes to the prevention program.

4. Comprehensive Program -- Examiners will verify that the financial institution has developed and implemented a comprehensive written Program designed to detect, prevent and mitigate identity theft. The Program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities. Examiners also will determine whether the institution uses technology to detect red flags, whether the Program is updated periodically, and whether the board approved and oversees the Program.

5. Trained Staff -- Examiners will verify that the financial institution trains appropriate staff to effectively implement and administer the program.

6. Vendor Management -- Examiners will determine whether the financial institution exercises appropriate and effective oversight of service providers that perform activities related to covered accounts. When these procedures are complete, examiners will form a conclusion about whether the financial institution has developed and implemented an effective, comprehensive written program designed to detect, prevent and mitigate identity theft.

Address Discrepancy Procedures
The regulation also requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency. The exam procedures include five steps to assess address discrepancy compliance:

1. Recognition ---
Examiners will determine whether the user of consumer reports has policies and procedures to recognize notices of address discrepancies.

2. Reasonable Belief ---
Examiners will determine whether users have policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested.

3. Accurate Address ---
Examiners will determine whether users have policies and procedures to furnish to the nationwide consumer reporting agency (NCRA) a consumer address that the users have reasonably determined is accurate.

4. Timing ---
Examiners will determine whether the user's policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to the NCRA, during the reporting period in which it establishes a relationship with the consumer.

5. Sampling ---
If procedural weaknesses or risks are identified, examiners will obtain a sample of consumer reports that the user requested from an NCRA and that came with a notice of address discrepancy, to determine:

  • how the user established a reasonable belief that each report related to the consumer in question;
  • if a consumer relationship was established, whether the institution furnished a consumer address that it had reasonably confirmed, and whether it furnished that address in the appropriate reporting period.

Change of Address Procedures
The regulation also requires financial institutions to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. Under these circumstances, the card issuer may not issue an additional or replacement card until the institution:

  • Notifies the cardholder of the request;
  • Provides the cardholder a reasonable means of promptly reporting incorrect address changes;
  • Otherwise assesses the validity of the change of address according to procedures established as part of the ID Theft prevention program.

The exam procedures include four steps to test change of address compliance:

1. Verification ---
Examiners will determine whether the card issuer has policies and procedures to assess the validity of a change of address.

2. Prevention ---
Examiners will determine whether policies and procedures prevent card issuers from issuing additional or replacement cards until they notify the cardholder or use other reasonable means to evaluate the validity of the address change.

3. Special Notice ---
Examiners will determine whether a written or electronic notice is sent to cardholders to validate a change of address. This notice must be provided separately from the institution's regular correspondence.

4. Sampling ---
If procedural weaknesses or risks are noted, examiners will obtain a sample of notifications from cardholders to ensure that card issuers complied with regulatory requirements to evaluate the validity of address changes before issuing cards.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
