ID Theft Red Flags Update

Customer, Employee Education a Priority
You already know that by this time next year, your financial institution will need to have a written identity theft prevention program. But have you considered that part of that program should describe what your institution is doing to increase identity theft awareness among your customers?

Financial institutions need to continue to educate the public about identity theft. And their leaders can expect to do more, not less of it, in the coming years, according to the banking regulatory agencies that released "Identity Theft Red Flags" guidance at the end of October. Banks and credit unions have until November 1, 2008 to become compliant with the new regulation.

"Under the Section 114 proposal, financial institutions (national banks, state banks, savings associations and credit unions) and 'creditors' must adopt a written identity theft prevention program," says Amy Friend, Assistant Chief Counsel at the Office of the Comptroller of the Currency. (See Related Article: Agencies Issue Final Rules on ID Theft Red Flags: Banking Institutions Have One Year to Comply )

That notwithstanding, what can you as a financial institution do now to show your customers and members that your institution is aware of their concerns about identity theft -- and, more importantly, shares those concerns?

Having a privacy policy posted on your institution's website, and allowing customers to choose how they receive information from your institution, are a good place to begin showing your increased vigilance about data protection. Presented well, these measures make your institution look proactive, rather than reactive, when it comes to protecting customer information.

"Banks and credit unions will want to read through the ID Theft Red Flag regulation and guideline carefully," says Rebecca Herold, a noted expert in information security and privacy issues.

Some of the items covered under the regulation point to the need for a strong awareness training program to detect identity theft. One example: customized training for call center personnel who take requests for a new or replacement card shortly after a change of address has been made on the same account, a pattern the guidelines single out as a red flag.

"Targeted training such as this has traditionally not been done very well at most organizations," Herold says. "But this regulation helps point out that any area that handles this type of information, or keys in information that changes an account's information, needs to have the training and procedures in place to spot those red flags."

Institutions need to think of their own unique risk situation, "And this is something that should be included in their training and awareness program," she adds. Institutions could take small parts out of the guideline "and make them part of the institution's ID Theft training and awareness program. It will help your personnel recognize the things they need to do, and you can build upon it with your institution's own unique examples."

Last year, Biddeford Savings in Biddeford, Maine, used a Web-based training product to teach its 70-plus employees how to identify elder abuse. "It worked out really well," says Keith Gosselin, the bank's Information Technology Officer.

Gosselin notes that four years ago his job was primarily to prevent hackers from gaining entry into the system. Now it's teaching staff about the risks inside the network, including from mobile technologies such as memory sticks.

At Biddeford Savings, the IT staff has a hands-on approach to employee training. The IT staff addresses groups of 15-20 employees at a time to explain annual changes to the bank's security policies. "I don't mind going out and talking to them," Gosselin says.

Ingrain Security -- Train Staff

Data protection and privacy can't be implemented by simply publishing rules. They have to become part of the institution's way of doing business, from the Board of Directors down to the most junior teller, says Herold. Every institution needs to consider increased training in employees' data protection responsibilities and perform regular inspections to verify compliance.

Consider adding institution and customer data protection as an element to employee performance reviews. Ask managers to assess their staff on compliance with security policies.

Customer Education Works

Customer education efforts pay off when customers learn what to do, says Regina Gilley, Chief Audit Executive at Farmers and Miners Bank, Pennington Gap, VA. "When phishing initially became a problem in our service area, we ran ads in local newspapers serving our area warning about phishing," Gilley says. "We posted messages on our website, online banking site, and on customers' statements and provided printed brochures at account opening warning our customers about phishing."

Through this information, customers came to understand what phishing is, and the bank let them know: "We will never solicit information from our customers via e-mails that seek to have them 'verify' their username, password, account information, or other personal information," she adds. Every email coming from the bank's employees also re-emphasizes this point with a footer at the end of the email: "We never send emails requesting personal information. We will never ask you to 'verify' information. We will never ask you to click on a special link to do so. While emails of this nature may look like they are from us, and even use our logo, they are most likely a 'phishing' scam. Do not answer them. If you receive an email purporting to be from us, do not hesitate to call us to confirm it."

Data Protection -- Make It Crystal Clear
At your institution you will want to demonstrate to your customers that you are protecting their data as an integral part of your daily operations, Herold notes.
  • Place the paper shredders where customers can see them.
  • Customer data is always kept out of view of others. This includes computer screens in offices with windows; privacy filters over the screens are a start.
  • Computer screens are never left unattended without 'locking' them behind a password.
  • Bank account numbers, social security numbers and all other sensitive data are spoken at a volume that nearby staff or customers can't overhear. (This rule should also cover call center staff who may be located away from customers.)
  • Access to sensitive customer data is tightly controlled on a "need-to-know" basis. Every access to this type of information should also be recorded: who accessed it, and when they looked at it.
  • Forms and applications don't request sensitive data that is not required.
  • Sensitive data is inventoried. Do you know where all sensitive data is stored at your institution?
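Two of the items above, need-to-know access and a record of who looked at what and when, are easiest to enforce at the point where staff systems read customer records rather than by policy alone. The following is an added example, not code from the article or from any institution it quotes; the roles, the field-to-role policy, and the customer records are assumptions of the example and constructed sample data:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Which roles have a business need for each field. Constructed policy for
# this example; a real institution derives this from its own job functions.
FIELD_ROLES: Dict[str, Set[str]] = {
    "name": {"teller", "call_center", "loan_officer", "auditor"},
    "address": {"teller", "call_center", "loan_officer", "auditor"},
    "account_number": {"teller", "loan_officer", "auditor"},
    "ssn": {"loan_officer", "auditor"},
}


@dataclass
class AuditEntry:
    when: datetime
    user: str
    role: str
    customer_id: str
    field: str
    allowed: bool
    reason: str   # business justification the staff member supplied


class CustomerStore:
    """Customer records behind a need-to-know check with an append-only audit trail.

    Every read attempt is logged, including refused ones, so reviewers can
    see both who looked at sensitive data and who tried to.
    """

    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.audit: List[AuditEntry] = []

    def read(self, user: str, role: str, customer_id: str, field: str,
             reason: str, now: datetime = None) -> str:
        now = now or datetime.utcnow()
        allowed = (customer_id in self._records
                   and role in FIELD_ROLES.get(field, set()))
        self.audit.append(AuditEntry(now, user, role, customer_id, field, allowed, reason))
        if not allowed:
            raise PermissionError(f"{role} may not read {field} of {customer_id}")
        return self._records[customer_id][field]


def accesses_by_user(audit: List[AuditEntry], user: str) -> List[AuditEntry]:
    """Everything one staff member touched; the basis for a periodic review."""
    return [e for e in audit if e.user == user]


def users_who_viewed(audit: List[AuditEntry], customer_id: str, field: str) -> Set[str]:
    """Who actually saw a given field of a given customer (refused attempts excluded)."""
    return {e.user for e in audit
            if e.customer_id == customer_id and e.field == field and e.allowed}


# Constructed sample records; not real customer data.
SAMPLE_RECORDS = {
    "C-100": {"name": "Pat Customer", "address": "1 Main St, Biddeford, ME",
              "account_number": "000123456", "ssn": "000-00-0000"},
}


if __name__ == "__main__":
    store = CustomerStore(SAMPLE_RECORDS)
    store.read("jdoe", "teller", "C-100", "name", "walk-in deposit")
    try:
        store.read("jdoe", "teller", "C-100", "ssn", "curiosity")
    except PermissionError as err:
        print("refused:", err)
    for entry in store.audit:
        print(entry.when.isoformat(), entry.user, entry.field,
              "allowed" if entry.allowed else "REFUSED", entry.reason)
```

The audit list should be written somewhere staff cannot edit (an append-only log or a separate logging host) and reviewed on a schedule; the refused attempts are often the more interesting half of the record.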

Information about identity theft prevention is available through brochures, company web site and institution representatives at public speaking engagements. (Look at the Federal Trade Commission's website for a plethora of support materials, video, and brochures on Identity Theft prevention and reporting:

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.