Red Flags Compliance: 3 Common Deficiencies - Jeff Kopchik, FDIC
Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corporation (FDIC), discusses:
Kopchik was the Team Leader of the FDIC's 2004 study "Putting an End to Account-Hijacking Identity Theft." He was the FDIC's primary representative on the FFIEC staff working group that drafted the 2005 guidance on Authentication in an Internet Banking Environment. Kopchik was also involved in interagency rulemaking efforts to comply with the Fair and Accurate Credit Transactions (FACT) Act, and was involved in the creation and implementation of the Gramm-Leach-Bliley Act (GLBA) interagency information security guidelines, supervisory guidance on customer notice, FFIEC Business Continuity Planning Booklet, and FDIC guidance on wireless networks.
TOM FIELD: It has been a year now since the identify theft Red Flags Rule went into effect. How are banking institutions complying?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am talking today with Jeff Kopchik, Senior Policy Analyst with the FDIC. Jeff, thanks so much for joining me.
JEFF KOPCHIK: You are very welcome, Tom.
FIELD: What would you say is the state of compliance among banking institutions?
KOPCHIK: Well, Tom, while I can't give you specific numbers, what I can tell you is that a very significant percentage of the banks that the FDIC supervises have been found to be in substantial compliance with the regulation, and that is based on, as you noted, a little more than a year of us doing exams for Red Flags compliance.
FIELD: So, Jeff, you can't get into numbers I understand, but with institutions that have not been in compliance, what would you say the common deficiencies have been?
KOPCHIK: I think there have been three. Far and away the most common deficiency is that there is a portion of the regulation that says under certain circumstances, certain types of commercial accounts, as opposed to consumer accounts, should be included in the identity theft prevention program, and in some cases banks that should have included those commercial accounts did not do so, and that is far and away the most common deficiency that examiners are talking about.
There are two more. The second one is that the regulation also requires that banks basically exercise oversight over service providers, and we have found, in some cases, that banks have not been doing this with regard to Red Flags.
And the third one is the regulation also requires that the bank needs to train its staff for Red Flags compliance, and in some cases banks really haven't gotten around to that yet. It is like they spent a lot of time and effort getting the plan together, getting it up and running, and sort of staff training is often one of the last things that happens and some of the examiners have noted that the bank hasn't done that yet and have told the bank that they need to make sure to include that. But those are the three top deficiencies.
FIELD: So Jeff, about six months ago the FDIC and other regulators issued the FAQ's about Red Flags compliance, addressing some of the common issues that examiners were finding. What would you say six months later the impact of the FAQ's has been?
KOPCHIK: Well, I think that the FAQ's have gone a long way to clarify the regulation and to answer a lot of the very detailed questions that financial institutions raised once the regulation came out. The regulation is fairly detailed and complex in certain ways, and it was really impossible for the agencies to try to address every contingency in the regulation itself, so I have gotten a lot of feedback from bankers that they found the FAQ's very, very helpful in terms of answering very, very specific questions that they had after they read the regulation.
FIELD: Well, that is good. So when you think about it, banks have had roughly two years to be implementing Red Flags compliance programs, they have been examined for about a year. What would you say are the key areas that the institutions still have to work on regarding their Red Flags compliance?
KOPCHIK: Well, I think the three key areas are the three things I mentioned before. One to make sure that they have included the correct covered accounts in their ID Theft Prevention Programs, because examiners have noted that in certain cases they are not doing that; to make sure that they have appropriate oversight of technology service providers to the extent that they are using them; and three to make sure that they are doing the appropriate amount of staff training. And then four, just to make sure that whatever deficiencies the examiners may have noted in the exam, even if the institution was found to be in substantial compliance, that they go back and they correct that deficiency before the next exam comes along.
FIELD: So of course when you first started discussing the Red Flags Rule some years ago, the aim obviously is to defeat identity theft. How would you see that the Rule in compliance have impacted the fight against identity theft?
KOPCHIK: Well let me give you a caveat. I just want to make it clear: I don't have precise numbers or statistics. What I do have and what I am happy to talk about is anecdotal evidence that I have received from bankers directly and from examiners. The anecdotal evidence I am hearing from the field is that the regulation and institutions complying with it has had a positive impact on reducing the amount of identity theft out there. Bankers and examiners have told me of instances where the banks' identity theft prevention program has caught things that may not have been caught if the program had not have been into effect. So I would say, anecdotally again, it has been a positive effect in terms of reducing identity theft.
FIELD: Good. Now of course examiners and banks alike were sort of getting used to compliance in year one and feeling one another out. How would you say examiners are going to approach compliance and examinations differently in this second year of examination?
KOPCHIK: Well, I think, Tom -- and this is very common when you have a new regulation -- during the second year and when the second exam comes up, what the examiners will start looking for is basically a more well-developed plan.
In other words, initially they are looking for compliance with the regulation, substantial compliance with the regulation, but they understand that questions come up and the institution may not have all of the i's dotted and the t's crossed. and there may be things noted in the report of examination where the examiner will say, 'I expect you to do this, this and this.' So the second year when the examiner goes back, what they are going to check to see is whether or not the bank corrected those deficiencies. Did they do what they promised to do to basically make the plan more well developed and to basically raise the level of compliance even more?
FIELD: Given that then ,Jeff, what advice would you offer to institutions that are looking to improve their Red Flags compliance and do well on their examinations in 2010?
KOPCHIK: Well, I would give them two pieces of advice Tom. I would say first of all take a look at the three primary deficiencies that you and I discussed a moment ago and make sure that to the extent that they have any of those deficiencies that they correct them, because those are the three most common ones that keep coming up.
The second point I would make is to go back and look at the report of examination that you received from the FDIC or any of the other federal banking regulators, and make sure that any deficiencies or comments that were put in the report of examination or given to you separately by the examiner, you have addressed and corrected before the examiner's return, either for the next exam or if they come back sooner for what we refer to as an interim visit, because examiners are going to look to check those things off the list.
FIELD: Excellent. Jeff, as always I appreciate your time and your insight.
KOPCHIK: You are very welcome Tom.
FIELD: We have been talking with Jeff Kopchik, Senior Policy Analyst with the FDIC. For Information Security Media Group, I'm Tom Field. Thank you very much.