3 Common Challenges of ID Theft Red Flags Rule Compliance

Regulators Speak Out on Issues that Led to Creation of FAQs
The Frequently Asked Questions on the ID Theft Red Flags released last week have great value and reveal common challenges faced by banking institutions, say federal regulators who helped put together the FAQs.

The Red Flags and Address Discrepancy Rules, part of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), issued in November 2007, apply to all financial institutions regulated by the Board of Governors of the Federal Reserve System (FRB), FDIC, National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS) and FTC.

Representatives from each agency met to whittle down the list of questions that began coming in to federal regulators almost immediately after the regulation was issued, says Jeff Kopchik, Senior Policy Analyst at the Federal Deposit Insurance Corporation (FDIC). Kopchik and other regulators distilled the questions down to those included in the 14-page document.

Here are the three most common challenges covered in the FAQs.

Common Challenge #1: Covered Accounts

"Institutions are still struggling with what a covered account is," says April Breslaw, Director of Consumer Regulation in the OTS Division of Compliance and Consumer Protection. "While we have the basic definition and some universal accounts can be readily identified, it's the second prong that causes a reasonably foreseeable risk of identity theft, to either the institution or the consumer."

A number of questions in the document deal with covered accounts, including examples of what types of accounts might be covered. "Every institution has to do its own risk assessment to figure out the second prong of covered accounts, and figure out what accounts within their institution may pose a risk of identity theft," Breslaw says.

One point of the examination is to verify that the institution is going back and assessing its accounts, and the types of accounts it has, to make sure that all covered accounts are identified. Breslaw recommends that institutions go by their own experiences, looking at where they've had problems. "Payroll cards and other prepaid cards are a good example of a covered account that some institutions may not be thinking of as a covered account," she says.

Common Challenge #2: Vendor Management

All agencies have been trying to raise awareness about third-party relationships. Again, one of the exam steps is built in to ask whether the institution has oversight of the service provider's steps to protect the data, says Breslaw.

Kopchik also sees the technology service provider question as critical. It was a very common question raised by many institutions, he says. "Both the institutions and the service providers were coming up with the wrong answer on that, which was the technology service provider wasn't covered under the regulation."

Kopchik explains that the regulators found some banks and service providers thought the regulation covered only those technology service providers that provided fraud detection services. "Which was simply incorrect. If a service provider touches information from a covered account, they fall under this regulation," Kopchik notes.

Common Challenge #3: Address Discrepancies

The issue of address discrepancies also seems to raise many questions, notes Breslaw. In addition to issuing a press release, the OTS also issued CEO Letter 306, in which the agency provides information on furnishing confirmed addresses to consumer reporting agencies.

Breslaw stresses that institutions need to have policies and procedures in place to handle these discrepancies. "You need to have a process for dealing with the consumer, confirming with them and reporting back to the consumer reporting agency," she says. "There are common situations where institutions are not reporting discrepancies back, including those on deposit accounts, or pre-paid cards."

Other Weak Points

Kopchik says the FDIC's examinations show that most banks are doing a pretty good job in meeting the requirements of the new regulation. "There is usually a learning curve on new exams. There are some areas of weakness we are noticing," he notes.

Among the areas where banks need to improve is the supervision of service providers. "It may include a wider circle of service providers than they were first identifying."

The training portion of the regulation may be an area that institutions haven't gotten around to yet, Kopchik says. "While we understand that, examiners are reminding institutions that they can't forget about the training piece of it, because it is required."

The third area where examiners are finding that banks need more diligence is the covered accounts question, he notes. Examiners were finding that some institutions didn't have the right number of accounts in the purview of their program.

Kopchik sees the FAQs filling in those unanswered questions for institutions. "Very simply -- anything that clears up ambiguity is good for the industry and good for us," he says.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
