The Dodd-Frank Act and the Red Flag Rule Explored

SEGMENT 1 (items 1-4 below):Nancy L. Perkins, Counsel,Arnold & Porter LLP
SEGMENT 2 (items 5-6 below): Erin E. Morrow, Principal, Advisory Services,Grant Thornton LLP

• 1. Who is affected by the Red Flags Rule?

   

   

   

  1. Which entities are “financial institutions” for purposes of the Rule?
  2. Which entities are “creditors”
  3. What is the meaning of a “covered account”?
• 2. What do entities that are covered by the Rule have to do to comply?

   

  1. Establishing an ID-theft prevention program
  2. Individuals and entities that must be involved
  3. Elements of the program
• 3. How can entities tailor their programs to their particular circumstances?

   

  1. Explanation of Red Flag examples
  2. Scalable risk-assessments
• 4. What are the penalties and enforcement mechanisms associated with the Rule?
• 5. What are the steps to put a program in place (may mix this with Nancy’s items 2- 3 below)

   

  1. Put the appropriate governance in place over your red flag reporting (executive sponsorship, board updates, policies and procedures, etc.)
  2. Document notices to customers (e.g., initial and annual privacy and opt-out notices)
  3. Identify relevant red flags
  4. Develop a program to detect these red flags and to follow up on alerts
  5. Ensure this is all thoroughly documented in your written identity theft prevention program.
  6. Conduct employee training on identity theft awareness, prevention and reporting.
  7. Periodic trend analysis to help you shore up your security policies and identify theft prevention program.
• 6. Simple Dos and Don’ts when putting your program in place

   

  1. Do remember to update your plan when you have a significant change in your business.
  2. Do get your board and internal controls team up to speed on compliance requirements.
  3. Do use people with appropriate skills. Your plan will likely incorporate legal, security, fraud, technology and business process expertise.
  4. Do perform an assessment before you build your program. There’s no need to put controls over accounts that aren’t covered.
  5. Do talk to peers in your industry. Chances are many of your risks are similar.
  6. Don’t expect the Red Flags Rule to just go away. The public demand for identity theft protection is too great.
  7. Don’t put something together hastily. Your plan may have to withstand the scrutiny of an investigator.
  8. Don’t over-engineer your program. The bad guys are coming up with new ideas faster than you can update a too-detailed plan.
  9. Don’t forget to get Red Flags assurances from internal audit or another independent source.
  10. Don’t underestimate training efforts. Keeping skilled identity thieves at bay requires

      - IT Auditors and Managers
      – Information Security Managers and Practitioners
      – Data Security Professionals
      – Compliance Officers
      – Chief Information Officers
      – Chief Security or Privacy Officers 
      – Risk Managers

      people who know what to look for and what to do when they see it.
  11. Don’t ignore the rule. In today’s world, active denial of a federal regulation is a very bad idea.