ID Theft Red Flags Rule: 3 Keys to Successful Awareness Programs
Regulators Discuss What's Missing Now, What Will Be Sought in Future Exams
We recently caught up with representatives of banking regulatory agencies to gain their insights on:
The Three Keys
Board involvement, documentation and consistency -- the same elements that make a financial institution's information security awareness and education program a success are the keys to effectively training employees on ID Theft Red Flags, and institutions should be ready to be examined for them, say federal regulators.
Below, we focus on each of these elements in terms of what's currently missing and what will be sought.
Board Involvement -- Making an understandable, repeatable education and awareness program first needs the support of the board of directors of an institution.
"Ultimately, the behavior and priorities of senior management heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management," says Aida Plaza Carter, Director, Bank Information Technology of the Office of The Comptroller of the Currency (OCC).
Board involvement has always been a challenge for financial institutions, and it is a major component of ID Theft Red Flags Rule compliance. This need for board-level involvement carries over to the training programs reviewed in an institution's ID Theft Red Flags examination. In these examinations, federal regulators will verify that a financial institution trains appropriate staff to effectively implement and administer the program.
William Henley, Director of IT Risk Management at the Office of Thrift Supervision (OTS), says that among the things OTS examiners will look for is a coordinated effort between the different areas of the institution. The training should be provided to the entire enterprise and have clear support and direction from the board of directors. "The board doesn't have to develop the program, but needs to show their participation and support of it," Henley says.
Documentation -- Proper documentation of the institution's information security program is often incomplete or out of date, say regulators, and the same will apply to ID Theft Red Flags Rule compliance. Institutions need to prepare their Identity Theft program documentation, as well as documentation of the training and awareness of employees and customers. The regulation says the identity theft prevention program and the training program must be written, so there has to be a document that the institution can show the examiner that summarizes and encapsulates the program. It cannot be merely a mission statement or strategy.
Consistency -- While examiners want to see security training on at least an annual basis, institutions aren't always consistent with their training programs. OCC's recommendations say training should include issues such as desktop security, log-on requirements, password administration guidelines, etc. Training should also address social engineering and the policies and procedures that protect against social engineering attacks. Training should support security awareness and strengthen compliance with security policies, standards and procedures, says Carter.
The National Credit Union Administration's Office of Examination and Insurance says the NCUA expects credit unions to ensure their training program is sufficient to keep their employees knowledgeable about their credit union's security policies, procedures, and practices. "Credit unions should ensure they conduct training at least annually and update their materials for any new threats, fraud schemes, or changes in the credit union's security stance or processes," says the NCUA's Office of Examination and Insurance.
With the inclusion of ID Theft Red Flags guidance requirements, examiners will be looking at a credit union's existing education program; as part of NCUA's risk-based examination program, examiners review significant changes in policies and procedures.
Credit unions may expect their examiner to inquire about the credit union's compliance with the ID Theft Red Flags rule as well as the type and frequency of training provided to their employees.
Examination procedures determine whether management and department heads are adequately trained and sufficiently accountable for the security of their personnel, information and systems, says OCC's Carter. And that job starts before employees are even hired. "Financial institutions should mitigate the risks posed by users by performing appropriate background checks and screening of new employees," Carter says.
For more about Identity Theft Red Flags Rule examination procedures, see: ID Theft Red Flags Rule Examination Procedures Unveiled