What should an identity theft mitigation program contain?
Each program must have four essential features:
- Identify applicable Red Flags — the Red Flag Rules list 26 Red Flags.
- Detect red flags in customers’ transactions.
- Respond appropriately when a Red Flag is detected. (See the Red Flag guidelines to learn how, who needs to know and in what order, and proactive measures to mitigate loss.)
- Update the program periodically to respond to new risks, changes in program elements, or the offering of new products and services.

In addition, the program must:
- Be in writing.
- Be incorporated into the creditor’s existing risk policies and procedures.
- Be approved by the Board of Directors or an appropriate committee of the board.
- Involve the board of directors, a committee of the board, or management empowered to oversee the plan’s implementation, administration and updating.
- Train staff in order to effectively implement the program and provide necessary tech support.
- Be assessed at least annually, with a report made.
- Ensure effective oversight of the activities of third-party and service providers to ensure their compliance with the law. (Using a third-party vendor does not relieve the creditor from the obligation to comply with the regulations.)