Red Flags Compliance: 3 Common Deficiencies - Jeff Kopchik, FDIC

January 8, 2010 - Tom Field, Editorial Director

It's been over a year now since banking regulators began examining institutions for compliance with the Identity Theft Red Flags Rule. What have the common deficiencies been, and what will examiners be expecting in year two?

Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corporation (FDIC), discusses:

The three key deficiencies of Red Flags compliance;
How examiners will approach Red Flags exams in 2010;
Ways institutions can improve their Red Flags compliance.

Kopchik was the Team Leader of the FDIC's 2004 study "Putting an End to Account-Hijacking Identity Theft." He was the FDIC's primary representative on the FFIEC staff working group that drafted the 2005 guidance on Authentication in an Internet Banking Environment. Kopchik was also involved in interagency rulemaking efforts to comply with the Fair and Accurate Credit Transactions (FACT) Act, and was involved in the creation and implementation of the Gramm-Leach-Bliley Act (GLBA) interagency information security guidelines, supervisory guidance on customer notice, FFIEC Business Continuity Planning Booklet, and FDIC guidance on wireless networks.

TOM FIELD: It has been a year now since the Identity Theft Red Flags Rule went into effect. How are banking institutions complying?

Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with Jeff Kopchik, Senior Policy Analyst with the FDIC. Jeff, thanks so much for joining me.


JEFF KOPCHIK: You are very welcome, Tom.

FIELD: What would you say is the state of compliance among banking institutions?

KOPCHIK: Well, Tom, while I can't give you specific numbers, what I can tell you is that a very significant percentage of the banks that the FDIC supervises have been found to be in substantial compliance with the regulation, and that is based on, as you noted, a little more than a year of us doing exams for Red Flags compliance.

FIELD: So, Jeff, you can't get into numbers I understand, but with institutions that have not been in compliance, what would you say the common deficiencies have been?

KOPCHIK: I think there have been three. Far and away the most common deficiency is that there is a portion of the regulation that says under certain circumstances, certain types of commercial accounts, as opposed to consumer accounts, should be included in the identity theft prevention program, and in some cases banks that should have included those commercial accounts did not do so, and that is far and away the most common deficiency that examiners are talking about.

There are two more. The second one is that the regulation also requires that banks basically exercise oversight over service providers, and we have found, in some cases, that banks have not been doing this with regard to Red Flags.

And the third one is the regulation also requires that the bank needs to train its staff for Red Flags compliance, and in some cases banks really haven't gotten around to that yet. It is like they spent a lot of time and effort getting the plan together, getting it up and running, and sort of staff training is often one of the last things that happens and some of the examiners have noted that the bank hasn't done that yet and have told the bank that they need to make sure to include that. But those are the three top deficiencies.

FIELD: So Jeff, about six months ago the FDIC and other regulators issued the FAQs about Red Flags compliance, addressing some of the common issues that examiners were finding. What would you say six months later the impact of the FAQs has been?

KOPCHIK: Well, I think that the FAQs have gone a long way to clarify the regulation and to answer a lot of the very detailed questions that financial institutions raised once the regulation came out. The regulation is fairly detailed and complex in certain ways, and it was really impossible for the agencies to try to address every contingency in the regulation itself, so I have gotten a lot of feedback from bankers that they found the FAQs very, very helpful in terms of answering very, very specific questions that they had after they read the regulation.

FIELD: Well, that is good. So when you think about it, banks have had roughly two years to be implementing Red Flags compliance programs, they have been examined for about a year. What would you say are the key areas that the institutions still have to work on regarding their Red Flags compliance?
