I have detected a Red Flag in connection with a credit application. Am I prohibited from opening the account?
You must assess whether the Red Flag evidences a risk of identity theft, and your response must be commensurate with the degree of risk posed. You generally are not prohibited from opening the account, unless the only appropriate response in light of the degree of risk posed by the Red Flag would be not to open the account. In some instances, for example, you may be able to contact the applicant directly to verify that the application is legitimate.
Would the regulators expect to see a log of detected activity and resulting mitigation?
The Rule does not require you to maintain a log, nor do the Guidelines suggest that a log should be maintained. You are, however, required to prepare regular reports on the effectiveness of your Program, and you also are required to incorporate your own experiences with identity theft when you review and update your Program.
Administering and updating the Program
A Program must be written, must be approved and implemented by the board of directors or senior management, and must include staff training and oversight of service providers. The board of directors or senior management should assign specific responsibility for implementation of the Program, should review reports by staff and should approve material changes to the Program. Staff should report to the board of directors or senior management at least annually on (1) the effectiveness of the Program’s policies, (2) service provider arrangements, (3) significant security incidents and (4) any recommendations for material changes.
Does the Program have to be approved by the board annually?
No, but the board (or a committee of the board) or senior management must annually review reports prepared by staff regarding your Program and must approve any material changes to that Program.
Can I tie this in with the bank’s Customer Identification Program (CIP) so as not to overburden our staff with more rules to follow?
You may incorporate your CIP procedures into your Program to the extent that it is appropriate. For example, your CIP procedures likely would assist you in detecting relevant Red Flags in connection with new covered accounts but not with respect to existing accounts.