ID Theft Red Flags Rule: 3 Keys to Successful Awareness Programs

Regulators Discuss What's Missing Now, What Will Be Sought in Future Exams
August 25, 2008 - Linda McGlasson, Managing Editor


We all know that employee and customer awareness are a big part of Identity Theft Red Flags Rule compliance. But what exactly is missing from banking institutions' current awareness programs, which must meet the new standards by Nov. 1?

We recently caught up with representatives of banking regulatory agencies to gain their insights on:

What's missing from current identity theft awareness programs;
Which key elements examiners will be looking for post-Nov. 1.

The Three Keys
Board involvement, documentation and consistency -- the same elements that make a financial institution's information security awareness and education program a success are the keys to effectively training employees on ID Theft Red Flags, and institutions should be ready to be examined for them, say federal regulators.

Below, we focus on each of these elements in terms of what's currently missing and what will be sought.

Board Involvement -- Building an understandable, repeatable education and awareness program first requires the support of the institution's board of directors.

"Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management," says Aida Plaza Carter, Director, Bank Information Technology of the Office of The Comptroller of the Currency (OCC).


Board involvement has always been a challenge for financial institutions, and it is a major component of ID Theft Red Flags Rule compliance. This need for board-level involvement extends to the training programs reviewed in an institution's ID Theft Red Flags examination. In these examinations, federal regulators will verify that a financial institution trains appropriate staff to effectively implement and administer the program.

William Henley, Director, IT Risk Management at the Office of Thrift Supervision (OTS), says that among the things OTS examiners will look for is a coordinated effort between the different areas of the institution. The training should be provided to the entire enterprise and have clear support and direction from the board of directors. "The board doesn't have to develop the program, but needs to show their participation and support of it," Henley says.

Documentation -- Proper documentation of the institution's information security program is often incomplete or out of date, say regulators, and the same will apply to ID Theft Red Flags Rule compliance. Institutions need to prepare their Identity Theft program documentation, as well as documentation of the training and awareness of employees and customers. The regulation says the identity theft prevention program and the training program must be written, so there has to be a document the institution can show the examiner that summarizes and encapsulates the program. It cannot be merely a mission statement or strategy.

Consistency -- While examiners want to see security training on at least an annual basis, institutions aren't always consistent with their training programs. The OCC's recommendations say training should include issues such as desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Training should support security awareness and strengthen compliance with security policies, standards and procedures, says Carter.

The National Credit Union Administration's Office of Examination and Insurance says the NCUA expects credit unions to ensure their training program is sufficient to keep their employees knowledgeable about their credit union's security policies, procedures, and practices. "Credit unions should ensure they conduct training at least annually and update their materials for any new threats, fraud schemes, or changes in the credit union's security stance or processes," the office adds.

With the inclusion of the ID Theft Red Flags guidance requirements, examiners will be looking at a credit union's existing education program; as part of the NCUA's risk-based examination program, examiners review significant changes in policies and procedures.

Credit unions may expect their examiner to inquire about the credit union's compliance with the ID Theft Red Flags rule as well as the type and frequency of training provided to their employees.


Question: Are your awareness programs ready for Red Flags Rule examination? If not, then what needs your attention before Nov. 1?
"Final Review of procedures and board presentation.