ID Theft Red Flags Update: Customer, Employee Education a Priority
Financial institutions need to continue to educate the public about identity theft. And their leaders can expect to do more, not less of it, in the coming years, according to the banking regulatory agencies that released "Identity Theft Red Flags" guidance at the end of October. Banks and credit unions have until November 1, 2008 to become compliant with the new regulation.
"Under the Section 114 proposal, financial institutions (national banks, state banks, savings associations and credit unions) and 'creditors' must adopt a written identity theft prevention program," says Amy Friend, Assistant Chief Counsel at the Office of the Comptroller of the Currency.
That notwithstanding, what can you, as a financial institution, do now to show your customers and members that your institution is aware of their concerns about identity theft -- and, more importantly, shares those concerns?
"Banks and credit unions will want to read through the ID Theft Red Flag regulation and guideline carefully," says Rebecca Herold, a noted expert in information security and privacy issues.
Several of the items covered under the regulation point to the need for a strong awareness training program aimed at detecting identity theft. One example of an area where such training is needed: customized training for call center personnel who receive requests for a new card following a change-of-address request.
"Targeted training such as this has traditionally not been done very well at most organizations," Herold says. "But this regulation helps point out that any area that handles this type of information, or keys in information that changes an account's information, needs to have the training and procedures in place to spot those red flags."
Institutions need to think about their own unique risk situation, "and this is something that should be included in their training and awareness program," she adds. Institutions could take small parts out of the guideline "and make them part of the institution's ID Theft training and awareness program. It will help your personnel recognize the things they need to do, and you can build upon it with your institution's own unique examples."
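The call-center scenario above (a request for a new card arriving soon after a change of address on the same account) is the kind of red flag a simple rule can surface automatically so that staff know to verify the caller through a second channel before a card is issued. The following is an added example, not code from the article or from any institution it quotes; the event schema, the sample events and the 30-day window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


# Hypothetical account event record (assumed schema, not from the article).
@dataclass(frozen=True)
class AccountEvent:
    account_id: str
    kind: str        # "address_change" or "card_request"
    at: datetime
    channel: str     # where the request came in, e.g. "call_center", "branch", "online"


# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    AccountEvent("A-1001", "address_change", datetime(2008, 3, 1, 10, 0), "online"),
    AccountEvent("A-1001", "card_request",   datetime(2008, 3, 4, 15, 30), "call_center"),
    AccountEvent("A-2002", "address_change", datetime(2008, 1, 10, 9, 0), "branch"),
    AccountEvent("A-2002", "card_request",   datetime(2008, 3, 20, 11, 0), "call_center"),
    AccountEvent("A-3003", "card_request",   datetime(2008, 3, 5, 12, 0), "call_center"),
    # card requested the day BEFORE the address change: not the pattern we flag
    AccountEvent("A-4004", "card_request",   datetime(2008, 3, 2, 9, 0), "call_center"),
    AccountEvent("A-4004", "address_change", datetime(2008, 3, 3, 9, 0), "online"),
]

# Assumed policy window: a card request this soon after an address change is a red flag.
RED_FLAG_WINDOW = timedelta(days=30)


def find_card_after_address_change(events, window=RED_FLAG_WINDOW):
    """Return (account_id, card_request_time, address_change_time) for every
    card request that follows an address change on the same account within
    `window`. Requests with no preceding address change are not flagged."""
    by_account = {}
    for event in sorted(events, key=lambda e: e.at):
        by_account.setdefault(event.account_id, []).append(event)

    flags = []
    for account_id, account_events in by_account.items():
        last_change = None
        for event in account_events:          # already in chronological order
            if event.kind == "address_change":
                last_change = event.at
            elif event.kind == "card_request" and last_change is not None:
                if event.at - last_change <= window:
                    flags.append((account_id, event.at, last_change))
    return flags


def accounts_needing_verification(events, window=RED_FLAG_WINDOW):
    """Accounts on which staff should verify identity out-of-band (for example by
    calling the number already on file) before issuing the requested card."""
    return {account_id for account_id, _, _ in find_card_after_address_change(events, window)}


if __name__ == "__main__":
    for account_id, requested_at, changed_at in find_card_after_address_change(SAMPLE_EVENTS):
        gap = requested_at - changed_at
        print(f"RED FLAG {account_id}: card requested {gap.days} day(s) after address change; "
              f"verify identity before issuing")
```

The rule is deliberately one-directional: only a card request that comes after the address change is flagged, and each request is compared with the most recent change, so an address change that is months old (account A-2002) does not trigger it. In practice the window and the follow-up procedure belong in the institution's written program rather than in code.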
Last year, Biddeford Savings in Biddeford, Maine, used a Web-based training product to teach its 70-plus employees how to identify elder abuse. "It worked out really well," says Keith Gosselin, the bank's Information Technology Officer.
Gosselin notes that four years ago his job was primarily to prevent hackers from gaining entry into the system. Now it's teaching staff about the risks inside the network, including from mobile technologies such as memory sticks.
At Biddeford Savings, the IT staff has a hands-on approach to employee training. The IT staff addresses groups of 15-20 employees at a time to explain annual changes to the bank's security policies. "I don't mind going out and talking to them," Gosselin says.
Ingrain Security -- Train Staff
Data protection and privacy can't be implemented by simply publishing rules. It has to become part of the institution's way of doing business, starting at the Board of Director level down to the junior teller, says Herold. Every institution needs to consider increased training in their data protection responsibilities and perform regular inspections to verify compliance.
Consider adding institution and customer data protection as an element of employee performance reviews. Ask managers to assess their staff on compliance with security policies.
Customer Education Works
Customer education efforts pay off when customers learn what to do, says Regina Gilley, Chief Audit Executive at Farmers and Miners Bank, Pennington Gap, VA. "When phishing initially became a problem in our service area, we ran ads in local newspapers servicing our area warning about phishing," Gilley says. "We posted messages on our website, online banking site, and on customers' statements and provide printed brochures at account opening warning our customers about phishing."
Through this information, customers came to understand what phishing is, and the bank let them know, "We will never solicit information from our customers via e-mails that seek to have them 'verify' their username, password, account information, or other personal information," she adds. Every email from the bank's employees also re-emphasizes this point with a footer at the end of the message: "We never send emails requesting personal information. We will never ask you to 'verify' information. We will never ask you to click on a special link to do so. While emails of this nature may look like they are from us, and even use our logo, they are most likely a 'phishing' scam. Do not answer them. If you receive an email purporting to be from us, do not hesitate to call us to confirm it."
Data Protection -- Make It Crystal Clear
At your institution you will want to demonstrate to your customers that you are protecting their data as an integral part of your daily operations, Herold notes.
- Place the paper shredders where customers can see them.
- Customer data is always kept out of view of others. This includes computer screens in offices with windows; privacy screens placed over the monitors are a start.
- Computer screens are never left unattended without 'locking' the screen with a password.
- Bank account numbers, Social Security numbers and all other sensitive data are spoken at a volume at which other staff or customers nearby can't hear them. (This rule should also cover call center staff who may be located away from customers.)
- Access to sensitive customer data is tightly controlled on a "need-to-know" basis. Every access to this type of information should also be recorded: who accessed it, and when they looked at it.
- Forms and applications don't request sensitive data that is not required.
- Access to sensitive data is controlled wherever that data resides. Do you know where all sensitive data is stored at your institution?
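Two of the points above, need-to-know access and a record of who looked at what and when, can be enforced in the same place: every read of a sensitive field goes through one gate that checks the requester's role and writes an audit entry whether or not the read is allowed. The following is an added example, not the article's or any institution's code; the role-to-field map, the customer records and the user names are constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed need-to-know map: which job roles have a business reason to see each field.
# A real institution would derive this from its own data classification.
NEED_TO_KNOW = {
    "ssn":            {"loan_officer", "compliance"},
    "account_number": {"teller", "loan_officer", "compliance", "call_center"},
    "address":        {"teller", "loan_officer", "compliance", "call_center"},
}

# Constructed sample records; the values are placeholders, not real data.
SAMPLE_RECORDS = {
    "C-1": {"ssn": "000-00-0000", "account_number": "000123456", "address": "1 Sample St"},
}


class SensitiveDataStore:
    """Single access path to customer data: checks need-to-know, then records
    who asked, for which customer and field, when, and whether it was allowed."""

    def __init__(self, records):
        self._records = records
        self.audit_log = []   # append-only list of access entries

    def read(self, user, role, customer_id, field, now=None):
        now = now or datetime.now(timezone.utc)
        allowed = role in NEED_TO_KNOW.get(field, set())
        # Denied attempts are logged too: repeated denials are themselves a red flag.
        self.audit_log.append({
            "user": user, "role": role, "customer": customer_id,
            "field": field, "at": now.isoformat(), "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"role {role!r} has no need-to-know for {field!r}")
        return self._records[customer_id][field]

    def accesses_to(self, customer_id):
        """Everything anyone did with this customer's data (answers 'who looked at it, and when')."""
        return [e for e in self.audit_log if e["customer"] == customer_id]

    def denied(self):
        """All refused accesses, for periodic review by compliance."""
        return [e for e in self.audit_log if not e["allowed"]]


def run_demo():
    """Three accesses: an allowed teller lookup, a refused call-center SSN lookup,
    and an allowed compliance SSN lookup. Returns the store with its audit trail."""
    store = SensitiveDataStore(SAMPLE_RECORDS)
    store.read("teller-01", "teller", "C-1", "address")
    try:
        store.read("cc-agent-07", "call_center", "C-1", "ssn")
    except PermissionError:
        pass   # refused and recorded; the agent never sees the value
    store.read("compliance-02", "compliance", "C-1", "ssn")
    return store


if __name__ == "__main__":
    store = run_demo()
    for entry in store.accesses_to("C-1"):
        status = "allowed" if entry["allowed"] else "DENIED"
        print(f"{entry['at']} {entry['user']} ({entry['role']}) read {entry['field']}: {status}")
```

The design choice worth noting is that the audit entry is written before the permission check raises, so a refused attempt leaves the same kind of trace as a successful one; an access log that only records successes cannot show an employee probing for data they are not entitled to.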
Information about identity theft prevention can be made available through brochures, the institution's website, and institution representatives at public speaking engagements. (See the Federal Trade Commission's website for a wealth of support materials, videos and brochures on identity theft prevention and reporting: www.FTC.gov.)