Red Flags Rule Compliance Audit

Author: Randolf Malone
Overview

Identity Management Institute® (IMI) offers comprehensive Red Flags Rule ("RFR" or "Rule") compliance audit services. This document describes the requirements of the Federal regulation and IMI's compliance audit services.

About Identity Management Institute

Identity Management Institute (IMI) is considered a nationally recognized leader in Red Flags Rule training, certification and compliance. IMI manages the Certified Red Flag Specialist® (CRFS) program, which is the only registered training and certification program for workplace identity theft prevention and compliance. IMI also manages the largest online discussion group for professional networking. Visit http://www.identitymanagementinstitute.org/crfs/ to learn more about CRFS®.

Audit Objective

The primary objective of the Red Flags Rule compliance audit conducted by IMI is to give company management, its oversight group or person, and regulators assurance that the Identity Theft Prevention Program ("Program") is complete, effective, and compliant with the Rule, or, where it is not, to provide recommendations to improve the Program.

Benefits of a Red Flags Rule Audit

The Red Flags Rule program audit has many benefits, including independent validation of the Program's completeness and effectiveness as well as identification of improvement opportunities in the company's compliance posture. Other benefits may include:
• Consistency and efficiency
• Higher confidence in compliance with the Rule
• Improved customer satisfaction and loyalty
• Reduced fraud costs
• Increased awareness and focus
• Increased profitability
• Enhanced corporate status
• Competitive advantage
• Lower insurance premiums
• Lower chance of government audits
• Preparation for regulatory agency audits

Copyright by Identity Management Institute. All Rights Reserved.

Who Should Consider a Red Flags Rule Audit?

A broad classification of companies which must comply with the Rule includes automobile dealers, utility companies, mortgage brokers, telecommunications companies, finance companies, and non-bank financial services. Covered companies typically offer a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account, or any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft, including financial, operational, compliance, reputation, or litigation risks. According to the Federal Trade Commission, the Rule likely affects over 11 million creditors.

Audit Approach

IMI performs the compliance audit using a structured audit program to gather information and request documentation for review and testing. The audit deliverable is an audit report, which may include improvement recommendations. The audit is mostly completed remotely but will require an onsite visit, personnel inquiries, observation, and testing.

Audit Scope

The scope of the audit is limited to the requirements of the Red Flags Rule for implementing a workplace identity theft prevention program in connection with the opening of a new covered account or any existing covered account, as well as address change validation and the response to address discrepancy notices received from credit reporting agencies. The audit scope therefore does not include the privacy and protection of personal information collected by the company.

Red Flags Rule Audit Components

Identity Management Institute (IMI) has identified four general areas which must be assessed during the audit:
1. Program Administration
2. Risk Assessment Process
3. Red Flags Management
4. Program Management

Program Administration: The Rule requires the proper administration of the written Program to establish oversight, scope, objectives, responsibilities, reporting and timing. Program administration also requires the designation of a Program manager, periodic updates, independent audits, approval by the Board of Directors (BOD), a committee of the BOD, or senior management, appropriate staff training, and service provider oversight.

Risk Assessment Process: An initial risk assessment must be completed to identify the scope, such as the covered accounts, and how identity theft might occur within the organization. Although the regulation identifies certain red flags which need to be addressed, each company must identify the identity theft red flags within its own operations based on a comprehensive risk assessment. Subsequent risk assessments are necessary to ensure the Program is updated periodically and reflects changes in the identity theft risks facing companies and their customers. Service provider risks must also be assessed.

Red Flags Management: Once the risk assessment has identified the relevant identity theft red flags, the necessary policies and procedures must be established, documented and communicated to detect, prevent and mitigate identity theft.

Program Management: Program management ensures that established plans, policies and procedures are followed to effectively identify, detect, and prevent identity theft. Employee training, monitoring, event logging, and lessons learned from internal and external events are addressed when managing the Program. Lessons learned: gathering and analyzing relevant information from all business areas, audit reports, and industry news is part of a comprehensive risk management process which may require Program updates and staff communication.

Audit Staff

Audit staff are experienced Certified Red Flag Specialist® professionals who are members of IMI and have undergone comprehensive training and a rigorous examination by IMI.

Comprehensive Compliance Services

IMI offers a variety of compliance services for organizations at various stages of their RFR program:
1) Program Development - For organizations which are in the planning or development stages of their RFR compliance program, IMI will work with company management and staff to guide them through the design, risk assessment, and implementation stages of the Program by providing the necessary checklists, templates and guidance.
2) Program Review - For organizations which have developed a Program but need an independent assessment before a formal audit is performed, IMI offers a pre-audit service to review the Program documentation and provide management with a list of improvement items to ensure a complete compliance program. A review typically provides feedback regarding the completeness of the Program.
3) Program Audit - Organizations which consider their Program fully implemented and ready for an audit can engage IMI to complete a Red Flags Rule audit.

Contact Us

To learn more about IMI and our services, please visit us at www.theimi.org or email us at [email protected].

About the Red Flags Rule

On October 31, 2007, the OCC, Federal Reserve Board, FDIC, OTS, National Credit Union Administration (NCUA) and the Federal Trade Commission (FTC) jointly issued final rules implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), known as the Identity Theft Red Flags and Notices of Address Discrepancy rules or the "Red Flags Rule". The Rule requires that all organizations subject to it develop and implement a formal, written and regularly updated Identity Theft Prevention Program (Program) to detect, prevent and mitigate identity theft. The final rule became effective on January 1, 2008, and all covered entities had to be compliant with the Rule by November 1, 2008. FTC enforcement of the Rule began on January 1, 2011.

Who Must Comply with the Red Flags Rule

The Red Flags Rule applies to financial institutions and creditors with covered accounts. A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a transaction account belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC's jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they are also considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

Definitions

A covered company is a term used to refer to an organization which must comply with the Rule because it has identified covered accounts in its risk assessment process.

A covered account is an account used mostly for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also any other account for which there is a reasonably foreseeable risk of identity theft, such as small business or sole proprietorship accounts.

A financial institution is typically defined as a bank, savings and loan association, credit union, or any other entity that holds a transaction account belonging to a consumer.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not make an entity a creditor.

Red Flag Program Clarification Act of 2010

Following Senate approval of the bill, the House also passed the "Red Flag Program Clarification Act of 2010" on 12/7/2010, and the President subsequently signed it into law. The Act narrows the set of entities covered by the Red Flags Rule by defining a creditor as one that regularly and in the ordinary course of business:
• Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
• Furnishes information to consumer reporting agencies in connection with a credit transaction; or
• Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. This excludes creditors who advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.

Auditor Accreditation

Interested audit organizations may register with IMI and become an accredited body to audit Red Flags Rule compliance programs. Accreditation is a choice and not an obligation. However, accreditation ensures that registered bodies follow a pre-approved audit approach designed by IMI. By joining IMI, registered audit organizations will be listed on the IMI website to gain the confidence of their clients and may receive increased referrals. Accreditation requirements include an active CRFS® designation for the audit staff and managers, as well as accreditation dues.

Accreditation Cost

Accreditation and registration of audit organizations is an annual process, and the related costs depend largely on the size of the audit organization, such as the number of employees who will require CRFS® certification.