OK, So You Detect a Red Flag. Now What?
Hard to believe that November 1 is already upon us, bringing the onset of Identity Theft Red Flags Rule compliance. We've been reading about and discussing it for so long that it almost seemed as though it would always remain six months away, but even a watched regulation eventually transitions into effect. And so here we are with my kids eagerly anticipating Halloween candy and me anxiously waiting for the first formal examiner's review of a Red Flags program.
However, I'm in a better position to forecast how it's likely to go down. We've started seeing final draft versions of Red Flags programs from our clients, and combined with the availability of the agencies' related examination procedures, I'm developing a perspective not previously possible. I've detected a very real commitment across the board to get this one right, right out of the gate, in everything I've reviewed thus far. Some have spent considerable time in building out their program from scratch, whereas others have leveraged heavily off existing artifacts. They've all displayed careful attention to the details of the regulation, and it's obvious. What's most interesting to me at this point is how much they have in common despite being authored by different-sized institutions and management profiles.
Across the board, they've all decided to avoid spending time on identifying covered accounts. All programs reviewed have stated that all current accounts are to be included in monitoring activities. This eliminates the need to conduct an annual risk assessment of accounts to identify those to be covered, and removes a degree of complexity from the mix.
All have demonstrated a clear line from their Board of Directors to the program. All have specifically addressed the need to train employees and distribute the program. All of them have broken out the three distinct sections of Red Flags (Address Change, Address Discrepancy, Unusual Account Activity) to show proper alignment with the regulation.
And sadly they all have one other thing in common: None of them can answer one simple question via either documentation or interview. Once a Red Flag condition is identified, how do you manage it?
One program was about a half-inch thick in printed form, and there wasn't one sentence included that described what happens once a Red Flag is raised. Nothing about filling out a form, calling the auditor/compliance analyst/security specialist, or creating an entry in a spreadsheet/database/document. Nothing about alerting other departments to raise awareness of suspicious activity.
Another program described how to fill out a suspicious activity report (SAR) and submit it to the compliance officer for their review. But there was nothing beyond that one line, and the compliance officer could not explain what would happen beyond keeping the completed form on file for one year. Oh, and there wasn't even a blank SAR template included in the final document for an employee to use. That's sort of like instructing someone to put out a fire by using a fire extinguisher, but not actually providing a fire extinguisher. I asked the compliance officer how the process would help prevent identity theft, and the reply was that if multiple forms were filed for a single account, a determination would be made as to what actions should be taken, if any. That wasn't specified anywhere. Also, how does that allow Branch A to alert Branch B that there may be something inappropriate going on with an account? And what about linked accounts?
And so this is my gift to the BIS audience for the week. Beyond documenting your Red Flag policy, beyond describing Red Flag conditions, beyond distributing and training your employees, ask yourself this one question: What does my institution do to manage a Red Flag condition once it occurs? If you don't have an answer that rings true, makes sense or even exists, you have more work to do. If I'm noticing this critical gap, you can be certain the examiners will as well.