Finance Execs React to ID Theft Red Flag Rules
Some Work on Solutions; Others Still Have Questions
Now reality sinks in.
With last week's long-awaited release of the federal ID Theft Red Flag rules, financial institutions nationwide are starting to figure out "What next?"
Many executives are still absorbing the information. Others are actively working on adding the new requirements to their compliance efforts.
All institutions must comply with the new rules by November 1, 2008. (See the Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy.) These final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
Under these new rules, which take effect Jan. 1, 2008, each financial institution's Identity Theft Prevention Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft. And these systems must enable the financial institution to identify relevant patterns, practices and specific forms of activity that are 'red flags,' signaling possible identity theft, and incorporate those red flags into the institution's program.
A Positive Step
"I personally like the new rules," says Brandon Farmer, Vice President & IT Officer at Bank of the James, Lynchburg, VA. "I think that establishing more detailed expectations can only help the customer and our own employees fight ID theft."
Farmer says he plans to incorporate the bank's existing CIP program and ID theft prevention education in the bank's information security program. "We will use those pieces to form the new program."
He is confident that his bank will be able to comply with the new rules: "At this point, I do not see any issues that cannot be handled internally."
Bank of The James already has existing customer and employee education programs. "We have annual customer education via speaking engagements, shredding days or statement stuffers. Also, we train our employees throughout the year on specific topics of Information Security."
Both of these programs and existing items will need an upgrade for the bank's new ID Theft Prevention Program.
Already Hard at Work
At the Bank of the West (www.BankoftheWest.com), a $70 billion asset institution with operations in 19 states, compliance preparation efforts have already begun.
"We have a number of relevant programs already in place," says John Stafford, VP of corporate communications at the California-based bank. Details of budget and program changes aren't readily available, but Stafford points to the bank's strong education efforts in ID Theft awareness. (See: Bank of The West's consumer education page)
Piecing it Together
The review of the rules and "piecing together a program" has begun at Community South Bank in Parsons, TN, says Jason Bawcum, VP of security.
Bawcum says he doesn't foresee any problems complying with the new rules. Already, the bank has existing education programs for both employees and customers. "For employees we hold monthly security meetings bank wide, with identity theft topics appearing quite frequently," he says.
For bank customers, education efforts include statement stuffers and statement messages, public awareness sessions and regularly distributing ID Theft materials to the bank's commercial customers.
Time to Implement
Compliance efforts at the second-largest credit union in Indiana have been ongoing since earlier this year, says Carol Minges, Director of Technology Services at Forum Credit Union, Fishers, IN.
"We identified applicable red flags and included the necessary information in our procedure manual back in May," Minges says. "However, we haven't really done much to implement the changes."
The credit union is currently developing a training plan for credit union employees, as well as identifying processes that will need to be changed. As far as a budget to implement this, she says, "We normally do not budget for preparing for and implementing regulatory items."
Evaluating Requirements
Keith Gosselin, IT Officer at Biddeford Savings, Biddeford, Maine, says he was not really surprised by the new rules.
"Caught off guard a little, certainly, but we are now evaluating the requirements and trying to determine what additional resources will be needed to become compliant."
Biddeford Savings is a member of the Maine Anti-Phishing Coalition, whose membership includes the majority of the community banks in Maine. Its goal: to help educate customers about phishing and identity theft. "So, this should be beneficial for our customer education department," Gosselin says.
Gosselin says the bank will definitely have a budget line item for this requirement. He didn't have specific numbers, as the bank is currently working on the 2008 budget.
Confident that Biddeford Savings will be able to comply, Gosselin does see some challenges in determining how much is enough on the 'Red Flag' side. "We have some tools in place now to help with the BSA legislation, and I can see some similarities to this," he says. "We already have policies in place at the time of opening an account to verify a person's identity, but I do see these needing to be expanded some."
One major question is about the education requirements. "We spend some time now educating employees and customers on what to look for, but the real question is 'Are we doing enough? And what is enough?'" Gosselin says. "I don't know the answers to those, and of course the document does not really provide much guidance on this point."