Annual GLBA and Red Flag Report Requirements

8/5/2010

Banks are required to provide an Annual Report to the Board of Directors in two separate areas – safeguarding customer information and identity theft prevention.

Safeguarding Customer Information

The first is the annual Gramm-Leach-Bliley Act (GLBA) Report on Safeguarding Customer Information.

This Annual Report must be presented by the Information (Data) Security Officer and must address the following areas or items:

  • Overall status of the program;
  • Material risk issues such as introduction of smartphones and Microsoft’s Outlook Web Access;
  • Bank-wide and GLBA/IT Risk Assessments;
  • Risk management and control decisions like new technology risk acceptance;
  • Vendor oversight, including a vendor risk assessment and program acceptance testing;
  • Results of testing which can include either independent tests, internal testing results, or both;
  • Security breaches, if any (if none, document there were none in the minutes); and
  • Recommendations for program changes.

Consider naming the report “Annual Report to the Board on Safeguarding Customer Information.” This will avoid any confusion as to the intent of the Report. If the bank has not formally appointed an Information (Data) Security Officer, do so at the Board level.

Identity Theft Prevention

The second report addresses the bank’s FACTA and Identity Theft Prevention Program (the Red Flag Rules). This Annual Report must be presented by the Red Flag Compliance Officer and must address the following areas or items:

  • Overall status of the program;
  • Material risk issues including introduction of core red flag markers or new accounts;
  • Red Flag Risk Assessment;
  • Risk management and control decisions (e.g. commercial versus customer accounts and red flag assignment);
  • Red flag software analysis (Core banking – 30-day address or email address change);
  • Results of testing which can include either independent tests, internal testing results, or both;
  • Staff compliance, including such items as FACTA training, red flag identification and identity theft training;
  • Policy changes;
  • Management’s response to any identified issues; and
  • Recommendations for program changes.

This report should be named something along the lines of “Annual Report to the Board on Red Flag Compliance and the Identity Theft Prevention Program,” again to avoid any confusion as to the intent of the Report. If the bank has not appointed a Red Flag Compliance Officer, this should be completed at the Board level.

There are a number of controls that a bank can test to determine whether it demonstrates a strong “Tone at the Top.” During your next IT exam, insist that these controls are included in the scope of the assessment.