Identity Theft Red Flags Progress Report: How Does Your Institution Stack up?

Compliance Clock Ticks Down as Nov. 1 Deadline Nears

By Linda McGlasson, May 6, 2008.

Let the countdown begin.

As of May 1, U.S. financial institutions have just six months left to comply with the new Identity Theft Red Flag Rules, which (among other things) mandate new levels of documentation, training and awareness.

Red Flags is one of the top regulatory priorities of the year, and for many institutions it is also a major undertaking. A check-in with institutions of various sizes shows that progress toward compliance is being made, but there is still plenty of work to be done.

Rob Rowe, Senior Regulatory Counsel at the Independent Community Bankers of America, describes how banking/security leaders have responded to this new mandate since it was first issued last Halloween. "The first reaction was 'we've got to recreate the wheel to meet these requirements and build a new program,'" he says. "But now institutions have realized ... this regulation builds on existing requirements," including the Patriot Act and Gramm-Leach-Bliley Act (GLBA). "It is now more a matter of coordinating and 'connecting the dots' with policies and procedures they should already have in place," Rowe says.

What Regulators Expect To See
The Red Flags Rule is divided into three parts:

Definition of the rule;
Guidance for compliance;
Appendix of 26 possible red flags with examples.

With six months to go before compliance is mandatory, banking examiners "hopefully" are now seeing compliance teams in place at institutions, says Jeff Kopchik, Senior Policy Analyst and the FDIC representative on the President's Task Force on Identity Theft. Kopchik is also a member of the FFIEC working group writing the examiners' guide to the regulation. "If an examiner sees that an institution has not even assembled its team at this point, then they'd be a little bit behind the curve," he says.

Assuming the team is in place, the institution should be fairly well into its risk assessment, he says. This includes determining which accounts are covered accounts under the regulation.

Institutions by now also should be drawing help from other existing programs and systems that could be part of the identity theft prevention program. "For example, any fraud detection program that is already running could be a big portion of the identity theft prevention program," Kopchik says. "The GLBA security guidelines that banks have been required to have in place since 2001 could also be a pretty big part of the identity theft prevention program."

Finally, institutions need to be preparing their Identity Theft program documentation, as well as the training and awareness of employees and customers. "What the regulation says is the identity theft prevention program must be written, so there has to be a document that they can show the examiner that summarizes and encapsulates what their program is composed of," Kopchik says.

Progress Report: How Far Along Are Institutions?
Fremont Bank in the San Francisco Bay Area hasn't yet completed its projected work to meet the compliance requirements of the ID Theft Red Flags guidance, "however we are on track to have the program completed prior to November 1," says Leslie Zaremba, Compliance Manager at Fremont Bank. The bank ($1.9 billion in assets and 24 branches) has identified its covered accounts and is currently completing the risk assessments. Additionally, Zaremba says the bank has compiled historical data for each covered account, including the number of past ID theft incidents with average dollar amounts and actual losses. "Once the risk assessments are complete, we will identify the red flags applicable to each covered account and the corresponding detection and response methods," Zaremba explains.

Fremont's training for its employees will be two-pronged. In-person training and a computer-based training module will be implemented to train associates. Customer awareness and education will be done through statement inserts, direct mail, website postings and posters in the bank's branches.

Other institutions are nearing the completion of assessment work.
