Continuing with our project of helping our community weed through the new legislation, this week we turn our focus to “What is the right approach to the Red Flags Rule?”
At its core, the Red Flags Rule requires a risk-based approach. Each financial institution or creditor must conduct a risk assessment in order to develop and implement a program that is appropriate to the size and intricacy of the organization and the nature and scope of its activities. In addition, the program must allow the organization to address changing identity theft risks. The risk assessment should document a complete analysis of the identity theft risks in a succinct manner so that it can be easily shared and communicated across the organization, including to the board of directors, management, and appropriate staff. Examples of risk factors that should be used to identify red flags include:
- Types of covered accounts the organization offers or maintains;
- Methods the organization offers to open covered accounts;
- Methods the organization provides to access covered accounts;
- Previous experiences with identity theft.
The program must incorporate oversight of third-party service providers to ensure regulatory compliance on their part as well. Guidelines issued by the FTC are helpful.
Take heart, everyone: we will get through navigating this new legislation together.
For more information on identity theft prevention, visit www.hvshred.com