As of May 1, U.S. financial institutions have just six months left to comply with the new Identity Theft Red Flag Rules, which (among other things) mandate new levels of documentation, training and awareness.
Red Flags is one of the top regulatory priorities of the year, and for many institutions it is also a major undertaking. A check-in with institutions of various sizes shows that progress toward compliance is being made, but there is still plenty of work to be done.
Rob Rowe, Senior Regulatory Counsel at the Independent Community Bankers of America, describes how banking/security leaders have responded to this new mandate since it was first issued last Halloween. "The first reaction was 'we've got to recreate the wheel to meet these requirements and build a new program,'" he says. "But now institutions have realized ... this regulation builds on existing requirements," including the Patriot Act and Gramm-Leach-Bliley Act (GLBA). "It is now more a matter of coordinating and 'connecting the dots' with policies and procedures they should already have in place," Rowe says.
What Regulators Expect To See
The Red Flags Rule is divided into three parts:
With six months to go before compliance is mandatory, banking examiners "hopefully" are now seeing compliance teams in place at institutions, says Jeff Kopchik, Senior Policy Analyst and the FDIC representative on the President's Task Force on Identity Theft. Kopchik is also a member of the FFIEC working group writing the examiners' guide to the regulation. "If an examiner sees that an institution has not even assembled its team at this point, then they'd be a little bit behind the curve," he says.
Assuming the team is in place, the institution should be fairly well into its risk assessment, he says. This includes determining which accounts are covered accounts under the regulation.
Institutions by now also should be drawing help from other existing programs and systems that could be part of the identity theft prevention program. "For example, any fraud detection program that is already running could be a big portion of the identity theft prevention program," Kopchik says. "The GLBA security guidelines that banks have been required to have in place since 2001 could also be a pretty big part of the identity theft prevention program."
Finally, institutions need to be preparing their Identity Theft program documentation, as well as the training and awareness of employees and customers. "What the regulation says is the identity theft prevention program must be written, so there has to be a document that they can show the examiner that summarizes and encapsulates what their program is composed of," Kopchik says.
Progress Report: How Far Along Are Institutions?
The Fremont Bank in the San Francisco bay area hasn't completed its projected work to meet the compliance requirements of the ID Theft Red Flags guidance yet, "however we are on track to have the program completed prior to November 1," says Leslie Zaremba, Compliance Manager at Fremont Bank. The bank ($1.9 billion in assets and 24 branches) has identified its covered accounts and is currently completing the risk assessments. Additionally Zaremba says the bank has compiled historical data for each covered account, including the number of past ID theft incidents with average dollar amounts and actual losses. "Once the risk assessments are complete, we will identify the red flags applicable to each covered account and the corresponding detection and response methods," Zaremba explains.
Fremont's training for its employees will be two-pronged. In-person training and a computer-based training module will be implemented to train associates. Customer awareness and education will be done through statement inserts, direct mail, website postings and posters in the bank's branches.
Other institutions are nearing the completion of assessment work.
The Bank of Elmwood in Racine, WI ($336 million and five branches) has completed its ID Theft Red Flags risk assessment. A committee made up of representatives from deposit operations, loan operations, lenders, compliance, IT, the bank's call center, retail banking and information security will be looking at each Red Flag to determine if it is applicable, and then will define the procedures for handling them, says Mary Jean Blaha, the bank's Information Security Officer and Software Administrator. "We've identified the covered accounts, identified how they are opened or accessed, which provided areas of vulnerability. I have also begun aligning the appropriate Red Flag with each area of vulnerability," Blaha says. "We also need to determine which ones we can identify with our current procedures and which ones will require new procedures or software. That should all be documented by the end of May."
Should new software be required, the process may take longer, but the bank plans to have any decisions made before August 1. Once the program is documented, then training of Elmwood's employees will begin, and the committee is looking to include either a speaker or film to complement the ID Theft Red Flags training. The bank's quarterly security newsletter will also be used to keep the topic in front of employees.
Elmwood's customer training consists "primarily of statement stuffers, on-hold messages, and information on the security link on our Bank's website," Blaha adds. Recently the bank discovered that the Wisconsin State Banking Association provides customer training information, "So we will also be looking into that option."
Small, hometown, independent banks are also diligently working toward compliance with the ID Theft Red Flags guidance. Among them: First Sentry Bank in Huntington, WV, which has only 50 employees and assets of $268 million. "We are still small enough where we have different 'hats' we wear with our various jobs," says Tom Ellis, who handles personal lending, IT security and physical security for the bank.
First Sentry held a planning session specifically about the ID Theft Red Flags earlier this month. Ellis, wearing his IT security hat, was joined by the bank's full-time compliance officer and the vice president of finance and operations. Immediately after the meeting, the bank's state and federal examiners were at the bank for a scheduled exam. "So we've not completed any of the plan," says Ellis. The bank's ID Theft Red Flags compliance team plans to complete its tasks before the deadline.
The Purdue Employees Federal Credit Union in West Lafayette, IN is actively working on compliance with this regulation, says Bill Arnold, vice president of information technology for the credit union. The core processor for the credit union has made modifications to its systems to accommodate the act, but hasn't released them yet.
"We have already updated our policies to include our ID Theft Prevention Program. We have defined the Red Flags for our credit union and have the systems in place to verify the information and ways to detect Red Flags. We have defined our response. The only thing we need to do is train our staff adequately, so they are able to perform the steps," says Evelyn Royer, vice president of risk management and support services for the credit union. The credit union plans to create a training module for its staff to be completed prior to the Nov. 1 deadline.
Donald Britnell at First Arkansas Bank and Trust in Jacksonville, AR, expressed confidence that his bank will be ready before the deadline. As the bank's BSA and security officer, Britnell offers: "We're in the process of addressing this new requirement now and will be in compliance before the due date."
In Sundance, WY, the Sundance State Bank hasn't done anything about employee or customer education yet. "We are still in the process of investigating the products of a couple of companies that would help us comply," says Roger Jones, IT manager at the bank.
The bigger the institution, the more work it requires to meet the requirements of the rule. "But overall this is good news for the consumer with the increase in identity theft, financial crimeware and financial fraud," says Steven Jones, Director of Information Security at Synovus Financial Corp., Columbus, GA. Synovus is a financial services holding company with $33 billion in assets that operates 36 banks across five states in the southeast. "Cross-channel fraud takes advantage of gaps in 'red flag' alerts across payment channels and business units; this guidance will help to close some of those gaps."
In many cases with ID Theft Red Flags compliance, "It's not so much about putting new controls in place, but applying more consistency around existing controls and formalizing the program," Jones adds.
Many financial institutions already notify their customer upon address or phone number changes and are already taking steps to arm their customers with information and services to guard their identities. "The financial industry has and will continue to be at the forefront of consumer privacy initiatives," predicts Jones.
ICBA's Rowe says he hopes there aren't banks that are waiting until the last minute, "like procrastinating college students with their term papers," to begin work on compliance with ID Theft Red Flags. "There are always ones out there that will wait until a month before their examination is scheduled to begin work on it."
The Federal Trade Commission will regulate non-financial companies (automobile dealerships, for instance) that fall under the ID Theft Red Flags guidance. "But financial institutions will be more prepared to meet this; the federal agencies have been very clear that this is not a new regulatory burden. It is meant for the institutions to help their customers," says Rowe. Institutions needing help can certainly look to trade associations to provide guidance, tools and resources. "Even vendors are out talking about compliance with this guidance," Rowe notes. Based on the number of webinars and educational whitepapers issued by vendors and industry websites, "if an institution wants information on this guidance, they'll find plenty of resources," Rowe adds. The ICBA did an audio conference in December 2007 for its members, with representation from all of the regulatory agencies to comment on the new rule.
Most institutions are taking compliance with this guidance seriously. Rowe divides institutions into three groups. "First there are those who want to get compliant the minute it was published, then there are those that 'take their time' and end up waiting until the last minute to respond and make the needed changes. At the tail end there are institutions that wait until the exam is pending and see questions that weren't answered or don't realize they're not covered until a customer asks a question."
Questions and Clarification on Covered Accounts
One question that the FDIC staff in Washington is receiving from bankers and examiners is about clarification on determining covered accounts. "That seems to be a fairly universal question," Kopchik says. "Because the guidance leaves it open to the institution, a business account is not automatically covered. The institution has to make a determination whether business accounts or certain types of business accounts are covered accounts, meaning they have a foreseeable risk of identity theft."
The guidelines lay out certain factors to consider, so the FDIC is trying to give institutions more direction on what kind of analysis they should go through to determine whether a business account should be treated as a covered account.
Until the FFIEC interagency exam procedures for ID Theft Red Flags are issued, federal regulatory bodies will be answering questions, but not examining for compliance with the rule, according to the agencies. The interagency working group writing the examination guidelines expects to finish them in late July. "We're well along in the process," says Kopchik. Once the final set of examination guidelines is approved by the FFIEC, it will be released, so institutions and examiners will have time to review it before the compliance date.
"Until the trigger date (November 1) we're not 'officially' looking at it," says William Henley, Director of IT Risk Management for the Office of Thrift Supervision (OTS). Henley adds that if institutions do have questions, they should be asking their examiners now. "We have received questions about the guidance, and institutions are working on it. They're definitely attentive and interested in the guidance."