The Field Report with Tom Field

Identity Theft Red Flags Rule: A Chance to Take a Stand

Identity Theft Red Flags Rule: A Chance to Take a Stand

I've told this story before about Michael Barrett, CISO of PayPal. When he joined the company, he asked how senior leaders were fighting the phishing problem.

"Technically, we don't have a phishing problem," he was told.

Yes, scores of PayPal customers were inundated daily with fake emails. But the fraud was against PayPal customers - not against PayPal itself. In the mix of risks to the company ... phishing wasn't such a concern.

Yet whenever Barrett went out socially, all he'd hear was "When are you people going to stop sending me those fake emails?"

Judging from the results of our new Identity Theft Red Flags Rule Compliance Survey, we've got a similar situation re: ID Theft.

Asked who is responsible for fighting Identity Theft, 44% of our respondents put the onus on consumers - only 29% say it's the responsibility of banks and businesses.

They've got a point. The best-known data breaches we've seen to date - TJX and Hannaford - weren't the fault of any banking institution.

And yet when banking/security leaders step out socially, what's the common question they hear? "What are you people doing to fight Identity Theft?"

Well, how about Identity Theft Red Flags Rule compliance?

In the wake of the subprime mortgage crisis and its most recent victims -- IndyMac Bank, First National Bank of Nevada and First Heritage Bank, N.A. -- consumer confidence is shaken. Banking customers need reassurance from their institutions. Suddenly, Red Flags Rule compliance - which, let's be honest, has just been a regulatory exercise for many institutions - can be a way to tell customers "This is what we're doing to fight Identity Theft."

And y'know what? It's a lot more than non-regulated industries are doing to mitigate the threat. Casinos and auto dealers also fall under Identity Theft Red Flags Rule jurisdiction, but do you think the Federal Trade Commission will be routinely examining them for compliance after Nov. 1?

Admittedly, customer confidence wasn't top of mind when we initiated this survey. With roughly one-third of the year left for U.S. financial institutions to meet the Nov. 1 compliance date, we wanted to find out how close they truly are. We also asked:

What has been your greatest challenge?
Greatest success?
How will you measure your new program?
How will you manage it?

The responses are enlightening from several angles, revealing new insights on how banking institutions approach Identity Theft Red Flags Rule compliance, what they perceive to be their next big regulatory challenge, and, yes, even their resounding opinion on who ultimately is responsible for fighting identity theft.

But given recent events, it's clear that the next three months are not just about jumping through the right hoops and checking off the box labeled "compliance." This is the banking industry's opportunity to take a stand against identity theft - and make a statement about trust.

Ultimately, perhaps identity theft is a consumer issue. But confidence is the industry's problem, and the Identity Theft Red Flags Rule presents the perfect chance to help strengthen the trust.

About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.