Survey Analysis: Is Red Flags Rule the Key to Rebuilding Customer Confidence?
New Awareness Programs Have Power to Educate Consumers on Banking, Security - But Only if Institutions Hit Compliance Benchmarks
Tom Field (Security Editor)
July 30, 2008
Only half of U.S. banking institutions will beat the Nov. 1 deadline for compliance with the Identity Theft Red Flags Rule.
This is the key finding of this survey aimed at gauging the success of institutions' efforts to meet the terms of the new regulatory mandate. The survey, administered electronically in June, drew 300 responses from financial institutions of all sizes.
With roughly three months to go before the Identity Theft Red Flags deadline, an even 50% of institutions surveyed say they are close to compliance and will beat the Nov. 1 date. A combined 47% say they either will barely meet the deadline, won't make it or don't know. Only 3% of respondents say they are already completely compliant.
The challenge is even more profound for large institutions (those with $2 billion or more in assets under management), where 61% say they will barely meet the deadline.
But as important as Nov. 1 is to banking institutions, it's not the sole focus of this survey, which reveals four additional storylines:
Identity Theft is a Consumer Issue, but Consumer Confidence is in the Banks' Hands - asked who ultimately is responsible for fighting Identity Theft, 44% of all respondents put the onus on consumers - just 29% say it's the responsibility of banks and businesses. The gulf widens with large institutions, which assess ownership at 54% consumers and 18% banks and businesses. This isn't necessarily a surprising result, given that the most publicized cases of Identity Theft - TJX and Hannaford - have not resulted from breaches of banking institutions. And yet at a time when consumer confidence is shaken in the wake of the subprime mortgage crisis and the latest bank failures, banking institutions now have an opportunity to bolster that confidence by meeting their compliance deadline and making a statement about Identity Theft prevention. Customer awareness is a significant aspect of Red Flags compliance, and it also can be banking institutions' best chance to reach out and rebuild customer trust - which ultimately is their most important asset under management.
Compliance won't have a huge impact on current ID Theft programs -- Only 20% of respondents say their new program will offer a very effective, new level of defense. More than two-thirds say it only codifies what they already should have been doing. Large institutions are more inclined (86%) to say their new program will be only moderately effective. Key phrase here: "... what they already should have been doing." This doesn't mean that banking institutions already had effective Identity Theft prevention programs before the Red Flags Rule. Given the mandate, institutions have channeled great resources - people and money - toward meeting compliance, but there appears to be little confidence that these efforts will make a significant difference. This response ties back to respondents' opinions about responsibility for fighting Identity Theft. The threat is one that manifests itself largely outside of banking institutions, so strengthening the institutions' defenses is only a partial solution. But compliance also gives institutions the opportunity to communicate the strength of their prevention efforts, as well as what customers can do to protect themselves.
Success will not be gauged by fewer ID Theft incidents -- Only 20% say they will gauge success of their Identity Theft prevention programs by monitoring a decline of incidents; 56% say they'll measure success by positive feedback from regulators or passing external audits. No surprise here. Red Flags is a regulatory mandate, so it makes sense that institutions will claim success when their regulators tell them they've been successful. Again, here is where large institutions differ, with 36% of them saying they will measure success by a decline in ID Theft-related incidents, 29% by regulatory feedback. This may tie back to the perception that larger institutions are more targeted by identity thieves. (See: Top Banks Named in New Identity Theft Study) But a fair question in the face of recent headlines: Are there any institutions willing to measure success by the amount of banking confidence they can engender in customers? The customer awareness element of the rule gives institutions that opportunity.
Vendor Management is the next big hurdle -- Nearly two-thirds (65%) of respondents either don't know how compliant their vendors are (where applicable), or they've seen no progress. No surprise, then: 36% of respondents say vendor management is their next big regulatory challenge. This is a significant issue that speaks to more than the Identity Theft Red Flags Rule. First, yes, the regulatory agencies have made it clear that whether banking institutions insource or outsource their key processes that involve sensitive data, they will be held responsible for Identity Theft Red Flags Rule compliance. They must ensure that their third-party service providers meet the same standards of data protection. With less than one-third of the year to go before the compliance deadline, it's a little alarming to see a majority of institutions either seeing no progress toward vendor compliance or not knowing if there has been any, which underscores why banking regulators recently have issued new guidance on vendor management (see: Vendor Management: New Guidance Pressures Institutions to Improve Outsourcing Practices). Even though the push for stronger vendor management extends back at least to the key information security tenets of GLBA compliance, examiners aren't seeing significant progress.
Clearly, Nov. 1 marks an opportunity not just for banking institutions to make a statement about regulatory compliance, but to take a stand against Identity Theft and for customer confidence.
To see the full results of the Identity Theft Red Flags Rule Survey, see Identity Theft Red Flags Rule Compliance Survey.