ID Theft Red Flags: The 3 Questions You Must Answer by Nov. 1

It's the 11th Hour; Do You Have Your Board's Approval Yet?
It's officially the 11th hour.

The deadline for compliance with the Identity Theft Red Flags Rule is less than one month away, and financial institutions are scrambling to meet it.

Yet a new study from Tower Group, the financial services research firm, predicts that less than one-third of institutions will be compliant by Nov. 1. And even those institutions that are confident in their compliance will end up finding some minor areas for improvement when examined, says George Tubin, Senior Analyst at Tower Group.

For all institutions, the open question remains: How will they know if they are fully compliant? The answer: When banking regulators examine them. And yet, with less than a month to go, the regulatory agencies have only begun to release their ID Theft Red Flags Rule examination procedures.

As institutions await Nov. 1 and further clarity from their regulators, here are three key compliance questions they must answer for themselves:

1. Have we performed a risk assessment, mapped covered accounts to red flags, detection and response procedures and developed a risk-based, written Identity Theft Prevention Program?

2. Have we obtained the board of directors' approval of the written Identity Theft Prevention Program?

3. Have we trained appropriate staff?

The Cost for Non-Compliance
So, what should financial institutions be worried about if they don't meet the Nov. 1 deadline?

"Non-compliance will lead to cease and desist orders and civil money penalties," says Sai Huda, Chairman & CEO of Compliance Coach, a San Diego-based banking consultancy. He adds that plaintiff attorneys will be on the prowl and will sue based on unfair deceptive acts and practices violations. "Negative publicity is the last thing banks and credit unions need right now, with consumers wondering if both their money and information are safe with their bank or credit union," Huda says.

Huda offers suggestions for ensuring compliance:

Map Your Program to Your Risk Profile. Whether you use an automated tool or work manually, get a committee together to delegate the risk assessment and mapping tasks, Huda says. Make sure your program is risk-based and that you focus on higher-risk accounts and areas -- don't overdo it on lower-risk items, wasting time and resources. "You must be able to demonstrate to the examiners that your program is commensurate for your risk profile," Huda says.

Get Your Board's Ear. If you've not received approval yet, and your board of directors will not meet before the deadline, see if you can have a committee of the board (e.g. the Audit Committee) review and approve your identity theft prevention program via a conference call or webinar meeting. "The Rule allows flexibility here," Huda says. "It can be the entire board or a designated committee of the board. The Rule does not mandate an in-person meeting to approve. Just be sure to document formal approval for the examiners." He also recommends that institutions take the opportunity to educate the board or its committee on why this rule exists, what the risks are, and how the new program mitigates the risks. "Don't make this a rubber-stamp session, but a risk management discussion at the highest level so you will have the board's full understanding and support," Huda says.

Train Appropriate Staff. Although identity theft prevention training is a huge component of compliance, the rule allows flexibility -- you do not have to train every single employee, Huda notes. Train only appropriate staff. This will save you time and money. However, be sure you train all appropriate staff at the front line, as well as in the back office. Be sure to train on your specific program, not just the rule. "This way, the staff will fully understand what identity theft is, what are the relevant red flags they should be on the lookout for, and what to do if they detect it," Huda says. Institutions should consider using e-learning or webinars to roll out the training to save time and money, and to make the training consistent and documented for the examiners.

Post-Compliance Updates
Upon meeting compliance, institutions will still need to periodically update their programs. Analysts suggest these factors as the triggers to an update:

If there are any breaches or new identity theft risks to your institution;
If your institution offers new covered accounts or gets into new lines of business;
If your institution has new service providers or business partners.

Also, at least annually, institutions must report on the adequacy of their program to the board of directors or a designated committee - a perfect opportunity to update as necessary.

The bottom line, says Huda, is that the ID Theft Red Flags Rule is really about managing the risk of identity theft. "If you think of this as another risk management issue and make it an integral part of your overall banking risk management process, you will approach it proactively and dynamically, and will succeed in mitigating the risk," Huda says.

And remember the cliché: This is a journey, not a destination. "Your obligations do not end on Nov. 1, but really just begin."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



