Banking Regulators on Identity Theft Red Flags Rule Compliance
This is an excerpt of that Q&A session. To hear the entire dialogue, please register for the Identity Theft Red Flags Rule webinar, which also features practitioners' perspectives on compliance, as well as our own new survey results on where banking institutions stand in their efforts to meet the Nov. 1 compliance deadline.
TOM FIELD: Jeff, I want to throw this first question out to you, and then William, you can pick up afterwards. You both have spent a lot of time among financial institutions of late. What do you find to be the two or three most frequently asked questions you are receiving regarding Identity Theft Red Flags Rule compliance?
JEFF KOPCHIK: Well sure, Tom, there are two that bankers seem to be asking me a lot. And the first one is, are business accounts covered accounts under the Red Flags Regulation? And there seems to be sort of some confusion about how an institution goes about determining whether business accounts should be considered covered accounts. And as you know, they are not automatically covered by the reg, but if a bank determines that they are the type of account for which there is a reasonably foreseeable risk of identity theft, either to customers or to the financial institution, then they should be considered covered accounts and they should be included in the institution's identity theft prevention program. So that's the first one.
And the second one I would say is basically institutions are probably a little bit concerned about what kind of shape they are going to be in on November 1st of this year, and they are asking the regulators what are the consequences if I am not in compliance at that point in time. So we have had a lot of discussions about the tactics that the regulators are going to be taking and what we are going to be looking for in exams starting on or after November 1st of this year.
FIELD: And William, how about from your perspective? What are the questions that you keep hearing?
WILLIAM HENLEY: Well, we hear the same two that Jeff has mentioned, but in addition to that we have received the question of which examiners will be reviewing compliance. And what they mean by that is, will they be included in the safety and soundness examination or the information technology examination or the compliance examination? And our response to that is, well, it depends on the institution and how they have implemented their compliance program with the Red Flags Rule, because they were encouraged to leverage off of their existing fraud programs, and depending on how they have implemented it is how we'll approach it, at least at the OTS. And I think each agency is still trying to work that out totally, but it definitely will not just totally be in the hands of any one disciplinary set of examiners, but we are going to try and approach it with flexibility so that we can match how they've implemented it with the examination expertise of our staff.
And then the other question is will examining for compliance begin absolutely on November 1st as Jeff kind of mentioned, or will there be a phase-in period? And likewise at OTS as well as the other agencies, I think we are all considering that or addressing that, or how that phase-in period will be handled.
And then finally the third point would be can we use existing programs for fraud or CIP or information security? And the answer to that is absolutely. We encourage the institutions to leverage off of their existing programs in the developing of their compliance programs for the Red Flags Rule.
FIELD: Well, it sounds like there has been no shortage of questions. William, let me start with you: In your experience with the institutions, what do you find to be most misunderstood about compliance with the new Rule?
HENLEY: I would say that November 1st means November 1st; that we do expect compliance on November 1st.
As Jeff and I both mentioned with the questions we received that they've asked that and then others have just assumed that there would be some type of a phase-in period, but I wouldn't--if I were an institution, I wouldn't approach it as such. I would be approaching it to try and have my program in place and complete by November 1st.
FIELD: And Jeff, from the FDIC perspective, what do you see as being most misunderstood about compliance?
KOPCHIK: Well, I think the one that has hit me that I've gotten a lot is that the rule is a little bit unusual in the sense that there are three distinct sections to it. You know, there is the Identity Theft Red Flags part, there is the Address Discrepancies part, and there is the Change of Address part, and what is a little bit different about this is that the scope section of each part of the rule is different in terms of who it applies to.
And actually, each section applies to different types of entities, and I've noticed that some institutions are sort of confused about, well, you know do all three sections apply to me, does only one section apply to me, and how do they figure that out. And I have spent some time sort of explaining to institutions that for the Red Flags piece of the Rule, it applies to financial institutions -- they are obviously regulated by the federal banking agencies plus creditors. But then there will be other financial institutions that are slightly different and may be regulated by the FTC, but when you get to the Address Discrepancies part of the Rule, that applies to anyone who uses consumer reports, which may or may not be a financial institution, and then the Change of Address section applies even differently to anyone who issues credit or debit cards.
So you really have to look at each rule individually and figure out whether or not it applies to your entity.
FIELD: William, I want to come back with something you said in your presentation. You spoke about some of the implementation challenges. Which do you find to be the biggest for institutions that you've seen, these implementation challenges?
HENLEY: Well, from speaking with representatives from our institutions, it seems like resources, both personnel and dollars, have been the biggest challenge. The development of the program has required a lot of hours during a time in the economic cycle that there are few available to be found.
And there are some that say regulators underestimated the burden, and to that we say maybe or maybe not, but we gave credit to the institutions for what they have already done to authenticate online banking customers, detect fraud, protect consumer information, so our estimations were based on institutions being ahead of the game or having a head start in developing their compliance programs.
Also, funds for the development of the program may not have been included in the fiscal year 2008 budget, and once again, given where we are in the economic cycle, dollars seem to be hard to find for some institutions to devote to their compliance programs.
FIELD: Well that makes sense. Jeff, how about from your perspective? What have you seen to be biggest implementation challenges?
KOPCHIK: I think from what I've heard from bankers, it's the coordination aspect of it. Again, an interesting thing about this regulation is that it sort of overlaps different areas of expertise in the bank. So in other words, in order, in my view, for a bank to really do a good job of complying, they have to get people with different skills involved. So you probably need some fraud prevention people, you probably need some IT security people, you probably need some risk management people, you need some business people, and of course the more areas of expertise and people you have involved you just have a larger coordination problem. And I think that is a bit unique to this Rule the way it sort of overlaps different areas.
FIELD: Now Jeff, we talked about November 1 as sort of the big date, but it seems to me that post-November 1 is a particularly big date too. What do you see to be the institutions' biggest challenges once that date hits us?
KOPCHIK: I think, Tom, it's probably keeping the programs and procedures up to date. You know I think what is sort of a natural progression here is that institutions work very hard over this year building up to November 1st and they get their Identity Theft Prevention Program in place, they get their procedures in place to conform with the other two parts of the rule if that applies to them, and then there is sort of this sigh of relief and they think they are done. And they are in the sense that they've got the initial program, but you know fraud and identity theft keeps changing, it keeps morphing, and as the reg makes very clear, the institution has to stay up to date, and to the extent that threats change or the business plan in the bank changes, those programs and procedures have to be modified and changed to take into account new risks and new threats. And I think that is something that institutions need to keep in mind.
FIELD: William, the same question for you. We've looked at the deadline as sort of a be all and end all, but there is a whole lot more after November 1st. What do you see as being the institutions' biggest challenge?
HENLEY: Once again, keeping the momentum going. The annual report compliance doesn't mean just getting to November 1st, but it is an ongoing accountability requiring continuing updates to the risk assessment, annual board involvement, reporting, staff training and service provider oversight, including contract updates, and all of these updates required for the day-to-day compliance beyond November 1st.