ID Theft Red Flag Rules: Now the Hard Work Begins
Compliance Poses Stiff Challenges to Institutions
The new regulations state that by November 1, 2008, all financial institutions will be required to develop and implement an Identity Theft Prevention Program to fight the crime in connection with new and existing accounts. (See related article: Agencies Issue Final Rules on ID Theft Red Flags)
Six federal regulatory agencies issued the Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy. These rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
While individual institutions and financial services associations are just starting to assess what all this means to them, clearly there is no simple "one and done" solution for compliance.
"For most of the financial institutions out there this [Identity Theft Red Flags Regulations] will be something new," says Sanjay Kalra, CEO and principal of Icons Inc., an information systems security services provider in the financial services industry. "They don't have anything in place that would say they're in compliance with this new regulation. These institutions will wait until the federal regulators come in and say they must do this to protect their customers' identities."
Kalra says he sees the new rules as a "major compliance shift" for many institutions.
Rebecca Herold, a noted information security and privacy expert, agrees with Kalra's prediction of a compliance struggle. "Smaller and midsized institutions will have the most challenge meeting the new regulations, only because they have typically smaller budgets and manpower."
Nessa Feddis, Senior Federal Counsel at the American Bankers Association, says the regulatory agencies have made significant improvements in responding to the ABA's previous comment letter. (See the ABA's Commentary Letter on ID Theft Red Flag Rules)
Yet, even so, banking institutions will be challenged to manage the compliance burden.
"Even despite the changes and improvements that the agencies made to the original regulation, there are still uncertainties as to how much documentation and research banks need to perform to satisfy examiners," Feddis says. "And that will be key, what is in the examiner's guidelines."
The Challenges Ahead
Compliance efforts will prove to be cumbersome to certain institutions for a variety of reasons, including:
Cost -- The cost to comply has yet to be ascertained accurately. This is why federal regulators have given institutions a full year to comply with these regulations. Because the rules are so "all-encompassing," Doug Johnson, Senior Policy Analyst at the American Bankers Association, expects that the job will surpass in scope many past compliance efforts that banks and other institutions have dealt with, including strong authentication.
Scope -- These new rules cover a broad area. Institutions must examine where their customer data exists and who has access to it, including third-party service providers that have access to customer account information during the course of their work for an institution.
Precedent -- The regulatory agencies are breaking new ground. No one has done it before, so there is no model to follow. The common theme that the regulators have taken with these rules, as with past regulations, is a "risk-based" approach, meaning that individual institutions must better know their own individual risks and plan their programs accordingly.
Insider Threat -- A portion of the compliance focus must be applied to the insider threat that may cause identity theft or a data breach. "It will be a change in mindset in how institutions think about who they work with, and who they use as vendors," Kalra says. "While they have to trust them (employees and vendors), the institutions also have to have this program in place to identify when things are happening that should be flagged."
Resources -- Staffing issues must be answered at many institutions before compliance work begins. The amount of budget and resources needed to meet compliance with these new regulations isn't known yet, because there is no benchmark. The agencies have estimated the cost and hours burden to comply in the regulation, but according to Feddis, the hours estimated to develop a program "is pretty low," though she wasn't able to offer any immediate estimation of cost from the ABA's perspective.
Next Steps Toward Nov. '08
The ABA has put together a group of bankers to study how they will be able to help its membership meet compliance with the new regulations. "We're putting a plan together to help banks leverage items that they have already complied with in terms of the Patriot Act, Gramm-Leach-Bliley Act (GLBA) purposes to fulfill data security and incident response requirements," Johnson says.
Preliminary recommendations are that institutions should first:
- Perform a self-assessment of what they are doing now regarding identity theft;
- Compare to the ID Theft Red Flags provisions and guidance;
- Note the gaps and then begin developing a plan to fill them.
Ultimately, of course, compliance with the new regulations will benefit institutions.
"You might also prevent some fraud and identity theft by being compliant with the regulation ahead of the deadline," says Herold. "This is what the regulation was designed to accomplish."