Your Institution’s Program for Fighting Identity Theft
Federal regulations issued under the FACT Act (the "Red Flags" rules) require most financial institutions to maintain a written program to detect, prevent, and mitigate identity theft. The mandatory compliance date is November 1, 2008. A financial institution is subject to this requirement if it offers or maintains "covered accounts." The term "covered account" includes most consumer deposit and loan accounts, that is, accounts used primarily for personal, family, or household purposes that permit multiple payments or transactions. It also includes any other account, such as a business account, for which there is a "reasonably foreseeable risk" to customers or to the institution's safety and soundness from identity theft.
Financial institutions must periodically determine whether they offer or maintain any covered accounts. If a financial institution does, it must have an identity theft program, and that program must have four components:
- The program must identify the "red flags" that are relevant to its covered accounts. A red flag is a pattern, practice, or specific activity that indicates possible identity theft.
- The program must spell out how the institution will detect the red flags it has identified, for example when opening an account or when an existing account is used.
- The program must state how the institution will respond when it detects a red flag, so that it can prevent identity theft or mitigate its consequences.
- The program must include procedures for periodic updates that reflect changes in the institution's risk from identity theft.
In creating its program, an institution must take into account the Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation that are set forth in the federal identity theft regulations. These guidelines help an institution implement the four components listed above. You can find them as Appendix J to each agency's regulation; the citations are printed below.
The institution's board of directors, or an appropriate committee of the board, must approve the initial written program. The board, a committee of the board, or a designated senior management employee must also be involved in the oversight, development, implementation, and administration of the program.
The institution must also train its staff as necessary to implement the program effectively.
Finally, the institution must exercise appropriate and effective oversight of service provider arrangements. In other words, when a service provider performs an activity in connection with a covered account, the institution must ensure that the provider has reasonable policies and procedures to detect, prevent, and mitigate the risk of identity theft arising from that activity.
Here are the citations to the agencies’ regulations:
- 12 CFR 41.90—OCC
- 12 CFR 222.90—FRB
- 12 CFR 334.90—FDIC
- 12 CFR 717.90—NCUA