We do not believe that the Interagency Guidelines on identity theft “red flags” require that your annual board reports include every instance of a discrepancy between the addresses provided on an account application and the applicant’s driver’s license. Of course, this type of instance would be considered a “red flag” under Supplement A to the Guidelines, which includes the following in its illustrative examples of red flags: “information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification” (Example 7 in the Supplement, under “Suspicious Documents”).
However, the Guidelines do not require that your annual board reports include every instance of a red flag. The Guidelines state that the annual board reports should “address material matters related to the Program and evaluate issues such as . . . the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft . . . [and] significant incidents involving identity theft and management’s response . . . .” (paragraph VI(b)(2) of the Guidelines). We do not believe that a red flag that is resolved by verifying an applicant’s address would be considered a “significant incident” requiring inclusion on the annual board report. But you may want to include this information on your reports, because statistics about the resolution of those red flags could be helpful in demonstrating the effectiveness of your policies and procedures.
Of course, additional requirements apply when your institution receives a notice of address discrepancy from a credit reporting agency (under 12 CFR 1022.82) or a change in address request from a debit or credit card customer (under 12 CFR 222.91). In addition, the customer identification program (CIP) rules require that your CIP records include “a description of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained.” 31 CFR 1020.220(a)(3)(i)(D). Because the CIP rules require you to obtain each customer’s address, any substantive address discrepancies should be included in your CIP records.