There are many recently enacted statutes that require that regulated lenders take action to protect confidential information of the customer/borrower. Further obligations have been imposed to mandate that covered lenders take action to ensure that their “service providers”/vendors also do so. Failure to comply can result in fines, penalties and lawsuits.
Identity theft claims are becoming an epidemic and result in a variety of responses that have to be satisfied under state and federal law in order for the lender to obtain protection to continue to collect on a debt, report to credit reporting agencies or to avoid claims for misuse of information by their customer/borrower.
Many covered lenders do not realize that recently passed regulations require that they implement a specific security program to respond to identity theft issues, and that they monitor their service providers to ensure compliance. The following is a brief outline of the requirements. Banks and mortgage companies are governed by the FTC and the regulations are contained in 16 CFR 681. Federal credit unions are regulated by the NCUA and the regulations are contained in 12 CFR 717.90. The following citations are to the credit union regulations. However, the same regulations apply to regulated banks and mortgage companies.
The failure to comply will provide evidence that you have not adequately protected confidential information, allowing consumer claims, and will allow more room for false identity theft claims. There is still time to prepare, as the requirements are not mandatory until November of this year.
Updated Regulations re Identity Theft (Effective January 2008; Mandatory November 2008). The regulations mandate that Lenders monitor Vendors
Guidelines that require that specified financial institutions develop security programs to protect consumer information were updated by the NCUA in November of 2007. Mandatory compliance is required effective November 1, 2008. The updated regulations provide specific guidelines to prevent and respond to identity theft issues. The new guidelines are contained in 12 CFR §717.90-91.
Establish an Identity Theft Prevention Program for covered accounts. In addition, the program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft, which are relative to the size and complexity of the financial institution and the nature and scope of its activities. The program must include policies and procedures to:
– Identify relevant Red Flags for covered accounts;
– Detect Red Flags that are incorporated into the Program;
– Respond appropriately to any Red Flags that are detected;
– Ensure the Program (including Red Flags) is updated periodically to reflect changes in risks;
– Provide for continued administration of the Program. (See 12 CFR §717.90(d)(2).)
Each regulated institution must also provide for continued administration of the Program by:
– Obtaining approval of the initial Program from its Board of Directors, or appropriate committee of the Board of Directors;
– Involving the Board or committee or a designated employee at senior management level in the oversight, development and administration of the Program;
– Training staff appropriately;
– Exercising appropriate oversight of service provider arrangements. (See 12 CFR §717.90(e).)
Guidelines for implementation of the Program are included in Appendix A of the regulation and must be considered (See 12 CFR §717.90(f)). There are also special rules for credit card issuers (See 12 CFR §717.91).
16 CFR 681.2 provides in pertinent part that a regulated institution must do the following: “(d): Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.”
“(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”