Banking Regulators on Identity Theft Red Flags Rule Compliance

Credit EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

In conjunction with the recent Identity Theft Red Flags Rule Roundtable webinar, we conducted an interview session with William Henley of OTS and Jeff Kopchik of FDIC. Topics ranged from:

This is an excerpt of that Q&A session. To hear the entire dialogue, please register for the Identity Theft Red Flags Rule webinar, which also features practitioners' perspectives on compliance, as well as our own new survey results on where banking institutions stand in their efforts to meet the Nov. 1 compliance deadline.

TOM FIELD: Jeff, I want to throw this first question out to you, and then William, you can pick up afterwards. You both have spent a lot of time among financial institutions of late. What do you find to be the two or three most frequently asked questions you are receiving regarding Identity Theft Red Flags Rule compliance?

JEFF KOPCHIK: Well sure, Tom, there are two that bankers seem to be asking me a lot. And the first one is, are business accounts covered accounts under the Red Flags Regulation? And there seems to be sort of some confusion about how an institution goes about determining whether business accounts should be considered covered accounts. And as you know, they are not automatically covered by the reg, but if a bank determines that they are the type of account for which there is a reasonably foreseeable risk of identity theft, either to customers or to the financial institution, then they should be considered covered accounts and they should be included in the institution's identity theft prevention program. So that's the first one.

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Healthcare Enews General Healthcare Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

And the second one I would say is basically institutions are probably a little bit concerned about what kind of shape they are going to be in on November 1st of this year, and they are asking the regulators what are the consequences if I am not in compliance at that point in time. So we have had a lot of discussions about the tactics that the regulators are going to be taking and what we are going to be looking for in exams starting on or after November 1st of this year.

FIELD: And William, how about from your perspective? What are the questions that you keep hearing?

WILLIAM HENLEY: Well, we hear the same two that Jeff has mentioned, but in addition to that we have received the question of which examiners will be reviewing compliance. And what they mean by that is, will they be included in the safety and soundness examination or the information technology examination or the compliance examination? And our response to that is, well, it depends on the institution and how they have implemented their compliance program with the Red Flags Rule, because they were encouraged to leverage off of their existing fraud programs, and depending on how they have implemented it is how we'll approach it, at least at the OTS. And I think each agency is still trying to work that out totally, but it definitely will not just totally be in the hands of any one disciplinary set of examiners, but we are going to try and approach it with flexibility so that we can match how they've implemented it with the examination expertise of our staff.

And then the other question is will examining for compliance begin absolutely on November 1st as Jeff kind of mentioned, or will there be a phase in period? And likewise at OTS as well as the other agencies, I think we are all considering that or addressing that, or how that phase in period will be handled.

And then finally the third point would be can we use existing programs for fraud or CIP or information security? And the answer to that is absolutely. We encourage the institutions to leverage off of their existing programs in the developing of their compliance programs for the Red Flags Rule.

FIELD: Well, it sounds like there has been no shortage of questions. William, let me start with you: In your experience with the institutions, what do you find to be most misunderstood about compliance with the new Rule?

HENLEY: I would say that November 1st means November 1st; that we do expect compliance on November 1st.

As Jeff and I both mentioned with the questions we received that they've asked that and then others have just assumed that there would be some type of a phase in period, but I wouldn't--if I were an institution, I wouldn't approach it as such. I would be approaching it to try and have my program in place and complete by November 1st.

FIELD: And Jeff, from the FDIC perspective, what do you see as being most misunderstood about compliance?