Compliance Insight with David Schneier

ID Theft Red Flags Compliance Will Impact Examinations for Years to Come

The OTS released their examination procedures this past week for the looming ID Theft Red Flags requirements due to go into effect in 75 days (not that I'm counting). In discussing this both with members of our management team and fellow practitioners, I'm finding that there's a decided split as to what the impact is going to be for the financial institutions needing to comply.

Some think this will have a minor impact based upon the assumption that much of what's needed is already in place and simply needs to be coordinated better. Others think it will require some effort upfront, including strengthening related control activities and creation of appropriate documentation (a.k.a. policies and procedures). Personally, I think this is going to have a dramatic impact on the institutions we work with; only it will take time for events to unfold.

My thinking is based largely on the fact that much of what will serve as the foundation for Red Flags, the elements that are supposed to already be in place and functioning, are going to receive greater scrutiny and be found to be flawed. Incident response plans, risk assessment approaches and capabilities, as well as the ability to coordinate and track activities across functional lines are all going to be cast out into the spotlight. And from what I've seen first-hand in the field, I think they will reveal themselves to be less than what management is expecting and, more importantly, less than what the examiners consider acceptable.

Much like what's happening now with Vendor Management, once the examiners start scratching at the surface of existing practices, they'll find disconnects between policies and their related procedures and insufficient evidence to prove compliance with either. I know this because I see it all the time when conducting audits and assessments or reviewing reports from my team.

As to why I think the issues will take time to unfold, it's simply a matter of basic arithmetic. There are only so many examiners conducting fieldwork with so many cycles to spend conducting exams. During year one of Red Flags, they're going to check for the programs existence and design and offer an opinion as to its completeness. In year two, they're going to look for evidence of compliance with the program, and that's when they're going to start digging deeper. That's when I'm predicting the impact takes a decided turn from little more than minimal to being tap-dead center on the Board of Directors tracking radar.

My guess is that in somewhere between nine and 15 months this will become the hottest compliance topic and hold that position for a while.

Of course only time will tell how this plays out. I'm hopeful that many institutions will make the necessary adjustments in advance of needing to, but I'm not expecting it.

About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.