FDIC’s Identity Theft Supervisory Letter – What Banks Need to Do

When it comes to compliance with the FDIC’s recent Supervisory Letter on Identity Theft, financial institutions need to “beef up” their consumer education programs and look more closely at their existing risk assessment programs to mitigate current and potential areas of vulnerability.

These comments come from Michael L. Jackson, Associate Director at the FDIC’s Division of Supervision and Consumer Protection and Technology Supervision Branch.

The FDIC’s Supervisory Letter on Identity Theft, issued on April 11, outlined several actions the FDIC will take to streamline and share information between the different examination disciplines. “What we’re doing with our different disciplines, risk management, safety and soundness, information technology, compliance and BSA, we will begin to share information and resources and look for ways to increase efficiencies between the exam disciplines,” Jackson explained. The letter noted that IT examiners will consult with BSA examiners during the course of an examination to ensure that the procedures institutions employ to verify the identity of new customers are consistent with existing laws and regulations to prevent financial fraud, including identity theft.

Financial institutions will also need to review their customer education program and ensure it has the latest information available for customers. The FDIC, along with other federal banking agencies, has offered consumer education on identity theft, and the financial industry also has offered education to its customers. “As a whole, the industry needs to do more. If you look at some of the major players, and even some of the smaller ones are doing this already, and are doing a good job educating their customers,” Jackson noted.

“The industry needs to beef up their efforts in consumer education, one of the biggest components of, and a positive step toward actually securing the data is mitigating identity theft by teaching consumers to protect their personal and financial information,” Jackson explained. The FDIC’s role in education spans several years, and he pointed to the beginning of the FDIC’s symposiums, with the first identity theft symposium taking place in 2005. The FDIC works in conjunction with large and small financial institutions, trade associations, and law enforcement to share the best practices that consumers should be using to protect their identities.

Banking information security professionals said they feel they are in compliance with the supervisory letter’s outlined actions, especially where consumer education is concerned. “I would hope that TD Banknorth N.A. would be in compliance with the identity theft supervisory letter. I am confident we will be,” said Kirk McGee, AVP, Regional Security Officer at TD Banknorth, N.A.

“We have a very active consumer education program at the bank. The one thing we don’t do is send out email to our customers, it’s kind of self defeating with all the phishing that is out there. However, we place educational information on webpages, fliers, pamphlets at the branches, and reminders in statement stuffers, we also have disclaimers all over the place, reminding our customers about identity theft,” McGee explained.

At NorthWest Bancorp, a $6.5 billion bank with locations in five states, the bank’s Risk Management officer, Rick Seibel, said, “I think we serve that very well, we are strong on the protection side, and having recently completed an examination, it was positive in the area of consumer education.”

However, Seibel was critical of merchants who aren’t protecting the customer’s information. “The problems we are facing come from the outside of our bank. We felt the losses from the Office Max breach and more recently the TJX breach, which are through no fault of our own.” There is good coming out of such data breaches, he noted. “I’ve already seen the increased due diligence of credit card companies, like our partner VISA, who are now actively following up on suspicious transactions.”

At NorthWest, Seibel said the approach is to guard the bank with the right people and the right vendors; the bank only selects vendors who monitor and protect the bank’s data and processing at the same level the bank does. “That’s our first step to stem fraud and identity theft. In fact, we weigh this very heavily in deciding what vendors to use, because we’re placing our whole reliance on them when we give them sensitive data,” he noted.

As for how banks should look to comply with the items noted in the Identity Theft supervisory letter, the FDIC’s Jackson said that one of the best ways to comply is to look at the institution’s risk assessments. “They need to take a look at risk assessments and do the assessment to find potential areas of vulnerabilities and study the areas of current vulnerabilities,” he said. A risk assessment lets the bank know where its major assets are and identify where increased security measures and controls should be placed.

Included in the supervisory letter was a reference to the FFIEC Authentication guidelines, and Jackson noted that financial institutions are complying “very favorably” with the guidance. Next steps seen by Jackson include mutual authentication. “Mutual authentication is seen in the industry as a positive step to further mitigate the issues surrounding protecting consumer data against identity theft in the online banking arena. But there’s no silver bullet out there,” he noted.

As for the authentication guidance, Jackson noted, “We want to see banks doing what our guidance talks about on authentication for online banking, and making sure they have the strongest solutions available. Keep an eye on the solutions, make sure they work well for them, and take a continual improvement approach.”

Jackson said one of the monumental tasks for the industry as a whole is consumer education. “The information has to get out there, and it is a slow process, we work through consumer groups, trade associations, with financial institutions, state and federal government agencies to get the information out there. But to get to each individual consumer is a long process.” The need for this education is increasing, he said, pointing to the constant growth of online consumers coming into the market. “Consumers continue to buy computers and go on the internet, and the numbers of online banking consumers also is rising.”


About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



