ID Theft Red Flags Update

Customer, Employee Education a Priority

By Linda McGlasson, November 16, 2007.

You already know that by this time next year, your financial institution will need to have a written identity theft prevention program. But have you considered that part of that program should include what your institution is doing to increase identity theft awareness among your customers?

Financial institutions need to continue to educate the public about identity theft. And their leaders can expect to do more, not less of it, in the coming years, according to the banking regulatory agencies that released "Identity Theft Red Flags" guidance at the end of October. Banks and credit unions have until November 1, 2008 to become compliant with the new regulation.

"Under the Section 114 proposal, financial institutions (national banks, state banks, savings associations and credit unions) and 'creditors' must adopt a written identity theft prevention program," says Amy Friend, Assistant Chief Counsel at the Office of the Comptroller of the Currency. (See Related Article: Agencies Issue Final Rules on ID Theft Red Flags: Banking Institutions Have One Year to Comply)

That notwithstanding, what can you as a financial institution do now to show your customers and members that your institution is aware of their concerns about identity theft -- and, more importantly, shares those concerns?

Having a privacy policy posted on your institution's website, and allowing customers to choose how they receive information from your institution, are a great place to begin showing your increased vigilance about data protection. The right spin will make your institution look proactive, rather than reactive, when it comes to protecting customer information.

"Banks and credit unions will want to read through the ID Theft Red Flag regulation and guideline carefully," says Rebecca Herold, a noted expert in information security and privacy issues.

Some of the items covered under the regulation point to the need for a strong awareness training program to detect identity theft. One example of an area where awareness training is needed: customized training for call center personnel who receive calls requesting a new card after a change-of-address request.

"Targeted training such as this has traditionally not been done very well at most organizations," Herold says. "But this regulation helps point out that any area that handles this type of information, or keys in information that changes an account's information, needs to have the training and procedures need to be in place to spot those red flags."

Institutions need to think of their own unique risk situation, "And this is something that should be included in their training and awareness program," she adds. Institutions could take small parts out of the guideline "and make them part of the institution's ID Theft training and awareness program. It will help your personnel recognize the things they need to do, and you can build upon it with your institution's own unique examples."

Last year, Biddeford Savings in Biddeford, Maine, used a Web-based training product to teach its 70-plus employees how to identify elder abuse. "It worked out really well," says Keith Gosselin, the bank's Information Technology Officer.

Gosselin notes that four years ago his job was primarily to prevent hackers from gaining entry into the system. Now it's teaching staff about the risks inside the network, including from mobile technologies such as memory sticks.

At Biddeford Savings, the IT staff has a hands-on approach to employee training. The IT staff addresses groups of 15-20 employees at a time to explain annual changes to the bank's security policies. "I don't mind going out and talking to them," Gosselin says.

Ingrain Security -- Train Staff

Data protection and privacy can't be implemented by simply publishing rules. They have to become part of the institution's way of doing business, from the Board of Directors level down to the junior teller, says Herold. Every institution needs to consider increased training in its data protection responsibilities and perform regular inspections to verify compliance.

Consider adding institution and customer data protection as an element to employee performance reviews. Ask managers to assess their staff on compliance with security policies.

Customer Education Works