ID Theft Red Flags Rule: 3 Keys to Successful Awareness Programs

Regulators Discuss What's Missing Now, What Will Be Sought in Future Exams
ID Theft Red Flags Rule: 3 Keys to Successful Awareness Programs
We all know that employee and customer awareness are a big part of Identity Theft Red Flags Rule compliance. But what exactly is missing from banking institutions' current awareness programs, which must meet the new standards by Nov. 1?

We recently caught up with representatives of banking regulatory agencies to gain their insights on:

What's missing from current identity theft awareness programs;
Which key elements examiners will be looking for post-Nov. 1.

The Three Keys
Board involvement, documentation and consistency -- the same elements that make a financial institution's information security awareness and education program a success are the keys to effectively training employees on ID Theft Red Flags, and institutions should be ready to be examined for them, say federal regulators.

Below, we focus on each of these elements in terms of what's currently missing and what will be sought.

Board Involvement -- Making an understandable, repeatable education and awareness program first needs the support of the board of directors of an institution.

"Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management," says Aida Plaza Carter, Director, Bank Information Technology of the Office of The Comptroller of the Currency (OCC).

Board involvement has always been a challenge for financial institutions, and so it is a major component of ID Theft Red Flags Rule compliance. This need for board level involvement spills over to training programs in an institution's ID Theft Red Flag examination. In these examinations federal regulators will verify that a financial institution trains appropriate staff to effectively implement and administer the program.

William Henley Director, IT Risk Management at the Office of Thrift Supervision (OTS) says that among the things OTS examiners will look for is a coordinated effort between the different areas of the institution. The training should be provided to the entire enterprise and have clear support and direction from board of directors. "The board doesn't have to develop the program, but needs to show their participation and support of it," Henley says.

Documentation -- Proper documentation of the institution's information security program is often not complete or up to date, say regulators, and this will also be applicable to ID Theft Red Flags Rule compliance. Institutions need to prepare their Identity Theft program documentation, as well as the training and awareness of employees and customers. The regulation says the identity theft prevention program and the training program must be written, so there has to be a document that they can show the examiner that summarizes and encapsulates the program. It cannot be merely a mission statement or strategy.

Consistency -- While examiners want to see security training on at least an annual basis, institutions aren't always consistent with their training programs. OCC's recommendations say training should include issues such as desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Training should support security awareness and strengthen compliance with security policies, standards and procedures, says Carter.

The National Credit Union Administration's Office of Examination and Insurance department says the NCUA expects credit unions to ensure their training program is sufficient to keep their employees knowledgeable about their credit union's security policies, procedures, and practices. Credit unions should ensure they conduct training at least annually and update their materials for any new threats, fraud schemes, or changes in the credit union's security stance or processes," says the NCUA's Office of Examination and Insurance.

With the inclusion of ID Theft Red Flags guidance requirements, examiners will be looking at a credit union's existing education program, as part of NCUA's risk-based examination program, examiners review significant changes in policies and procedures.

Credit unions may expect their examiner to inquire about the credit union's compliance with the ID Theft Red Flags rule as well as the type and frequency of training provided to their employees.

Examination procedures determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information and systems, says OCC's Carter. And that job starts before employees even are hired. "Financial institutions should mitigate the risks posed by users by performing appropriate background checks and screening of new employees," Carter says.

For more about Identity Theft Red Flags Rule examination procedures, see: ID Theft Red Flags Rule Examination Procedures Unveiled

See also: Best Practices in Building Security Awareness

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.