WASHINGTON (11/26/07)--New interagency “red flag” regulations and guidelines have credit unions asking if they must start from scratch or can they incorporate current fraud prevention procedures into ID theft prevention programs? According to CUNA’s monthly Compliance Challenge
, when appropriate to address identity theft, a credit union may incorporate existing fraud prevention policies and procedures into its ID Theft Prevention Program. The National Credit Union Administration (NCUA), Federal Trade Commission (FTC) and the federal banking agencies issued final guidelines and regulations to implement Section 114 of the Fair and Accurate Credit Transaction Act (FACTA). Section 114 defines the identity theft “red flags,” and in this case:
* NCUA’s regulations will apply to federal credit unions; * FTC’s regulations will apply to state chartered credit unions.
The rules are substantially similar and have a mandatory compliance date of Nov. 1, 2008, reports Compliance Challenge
. The interagency “red flag” regulations require institutions to develop and implement a written “Identity Theft Prevention Program,” which is designed to “detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” The regulation defines “covered accounts” as those:
* Offered or maintained primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions such as a credit card account, mortgage, loan, automobile loan, checking account or share account; and * Any other account the credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from ID theft, including financial, operational, compliance, reputation, or litigation risks.
The regulations’ accompanying guidelines make clear that “a credit union may incorporate existing fraud prevention policies and procedures into the ID Theft Prevention Program, as appropriate,” says the Challenge
. According to the supplemental information, “this will avoid duplication and allow covered entities to benefit from existing policies and procedures.” However, the credit union may only incorporate existing policies, procedures, and arrangements “that control reasonable foreseeable risks to members or to the safety and soundness of the credit union from identity theft,” it concludes. Use the resource link below to learn more in this month’s Compliance Challenge