FACTA Identity Theft Red Flags Rule
FACTA - the Fair and Accurate Credit Transactions Act of 2003 requirement, known as the “Identity Theft Red Flags Rule”, became effective January 1, 2008, with compliance mandatory by November 1, 2008. It requires certain organizations to adopt a written identity theft prevention program approved by the Board of Directors.
The Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The regulation requires an institution to have:
1) An established written Identity Theft Prevention Program approved by the Board
2) Initial Risk Assessment
3) Policies and procedures for detecting, preventing, and mitigating identity theft. This includes identifying patterns of activity that are signals for possible identity theft, monitoring and detecting “red flags”, responding appropriately to any red flags, policies and procedures to verify address changes
4) Regular compliance reporting
5) Oversight of service providers
6) Mandatory staff training
7) Ensure the Program is reviewed and periodically updated to reflect changes
Find out more information on complying with FACTA and the initial risk assessment.