Main Menu
3 Things Financial Institutions Should Remember About . . . Minimizing Risks from Identity Theft

Identity theft, which involves the stealing of personal identifying information, is a growing crime that impacts thousands of unsuspecting consumers. After an identity thief obtains personal information, it may be used to steal money from the victim’s accounts or make massive purchases on the basis of the victim’s credit. While identity theft clearly harms the victim, a financial institution that inadvertently facilitates a fraudulent transaction may also incur damage to its reputation and economic loss. Financial institutions must develop programs to reduce the risk of identity theft, monitor the effectiveness of these programs and make periodic changes to them to address weaknesses and new challenges.

1.  Develop an identity theft program

In July 2006, banking regulatory authorities issued proposed guidance requiring financial institutions to identify “red flags” that indicate a possible risk of identity theft. The guidance also calls for each financial institution to develop its own identity theft program, using a flexible, risk-based approach. Each program should be based on the financial institution’s risk assessment and appropriate to the size and complexity of the institution and the nature and scope of its activities.

The guidance includes a lengthy list of potential red flags which the regulators believe to be relevant to detecting a risk of identity theft or a threat to the safety and soundness of the institution. At a minimum, an identity theft program should incorporate all relevant suggested red flags. These red flags range from various indications of unusual account activity to inconsistencies in personal or documentary evidence, such as:

  • An unusual number of recently established credit relationships;
  • A material change in the use of credit;
  • A material change in electronic funds transfer patterns;
  • Use of an account that has been inactive for a reasonably lengthy period of time;
  • Identification documentation that appears to have been altered or contains information inconsistent with other information on file;
  • Personal information that is internally inconsistent;
  • Use of the majority of available credit for cash advances or merchandise that is easily converted to cash;
  • Unauthorized charges to the customer’s account;
  • Notice that a customer has provided information to someone who fraudulently claimed to represent the financial institution or to a fraudulent website;
  • An attempt to access a customer’s account by an unauthorized person; or
  • Unusually large or frequent check orders related to a customer’s account.

2.  Monitor the effectiveness of the program

It is not enough to adopt an identity theft program. The board of directors, an appropriate board committee or senior management should exercise continuous oversight with regard to the program. While a financial institution may rely on a third party to perform various services on its behalf, the institution remains responsible for ensuring that the service is being conducted in compliance with its identity theft program. Management must provide effective training to employees to enable them to detect red flags and mitigate identity theft. Staff implementing the program should report to the board or senior management at least annually concerning the status of the program.

3.  Update the program to correct weaknesses and address new risks

The methods employed by criminals to steal identities are continually evolving. Red flags must be regularly updated to address new threats and correct weaknesses identified in the program. New risks may be revealed by the financial institution’s own experiences, regulatory guidance and alerts, or incidents occurring within the financial services industry.

The failure to maintain an effective compliance program may lead to substantial litigation risk and damage to the institution’s reputation. Every financial institution should make the prevention and detection of identity theft a high priority by implementing a program that addresses the institution’s risks, monitoring its effectiveness and strengthening its safeguards in response to developing risks.

To learn more about Ivan M. Diamond and his practice, please visit his profile.

To learn more about June N. King and her practice, please visit her profile.

  • In Memoriam

    1940 - 2013 In Memoriam

    Ivan died at home on June 17, with Penny, his wife of 50 years, at his side, listening to his favorite jazz music. During a five-year battle with cancer, Ivan and Penny completed a lengthy bucket list of trips ...

  • Partner

    June is a member of the Business Services Department. Her practice focuses on U.S. and state securities laws compliance, Sarbanes-Oxley Act and corporate governance issues, and financial institution regulatory matters. She ...



Recent Posts




Back to Page