ID Theft Red Flags Rule: What to Expect Now from Examiners
Risk Assessment, Board Approval Key for First Exams
This past Saturday, Nov. 1, marked the compliance deadline for the Identity Theft Red Flags Rule. After nearly a year of waiting and preparation, financial institutions now are subject to examination by their regulators on their newly-enhanced ID theft prevention programs. So what should they expect?
Ann Jaedicke, Deputy Comptroller for Compliance Policy at the Office of the Comptroller of the Currency (OCC), which regulates and supervises all national banks, says exams for OCC-regulated institutions will begin in November, and banks should expect no big surprises. Examiners will go by the regulation's examination procedures.
Examiners will start by assessing the bank's written ID theft prevention program, interviewing the officers in charge. "OCC-regulated banks can choose anyone at the bank they want to handle the program," Jaedicke explains. But most will choose either the information security officer or the bank's compliance officer.
The examiners will look at how the bank identified the covered accounts the rule requires it to identify, and review with the program officer what kind of experience the bank has had with identity theft. She notes that a smaller bank in a rural setting may not have as much experience with an identity thief trying to establish (or change) an account. "The smaller, local bank has a natural advantage in this particular area because they will be likely to have greater knowledge of whom they're doing business with, and know the customers by name," Jaedicke says. Those banks are more likely to have a simpler program than a very large national bank would.
But for all banks, Jaedicke stresses, examiners will be looking at the context in which they're working. "Whether it is a big or small bank and whether they've experienced little identity theft or a high percentage of identity theft, [examiners] will weigh the bank's program against those criteria."
Should a bank have problems in other examination areas such as Bank Secrecy Act (BSA) or its Customer Identification Program (CIP), this may lead examiners to look more closely at that institution's ID Theft Red Flags Rule compliance. "We also encourage banks to leverage off of their existing CIP programs that they've already been required to have in place," Jaedicke says. "Because the CIP programs require the bank to establish a reasonable belief that they know the identity of the person they're doing business with, and that they're opening the account for, there's no reason that the bank can't leverage that information and make use of it."
How Prepared Are Institutions?
Despite the challenges institutions face in meeting compliance with the ID Theft Red Flags Rule, Debra Geister, Director of Fraud Prevention and Compliance Solutions at Lexis-Nexis, an information services provider, agrees with Jaedicke's assertion that institutions could leverage existing programs such as their CIP and BSA programs. "Much of this will be covered already in the institution's fraud programs. It boils down to a matter of pulling it together."
However, Geister notes she has serious doubts that all institutions will be that far along. "It is a much bigger task than what the federal regulators put into the guidance," Geister says. The regulation estimates an average institution would take 20 to 40 hours to meet the compliance requirements. "What it is really adding up to is more like 20 to 40 hours per week for most institutions." In recent engagements with industry banks, Geister says that a full 25 percent of them tell her they won't be compliant as of Nov. 1. [One recent study claims that as many as two-thirds of institutions aren't ready for compliance.]
Realistically, Geister believes that examiners aren't expecting immediate perfection. "Bank regulators are going to be looking for institutions that are doing the basic blocking and tackling efforts to meet the regulation's requirements," she says.
That said, Geister notes that examiners will expect to see realistic timelines for compliance, and that a risk assessment has been performed to make sure that institutions have identified all of their covered accounts. "They're going to be looking for those written procedures that actually work, so that any red flag that pops up is responded to appropriately," she says. "They want to see that the program spans all the business silos and the board of directors' involvement."
In the first round of examinations, Jaedicke says OCC examiners "will be basically checking for compliance with the regulation as they're written."
If a bank is not found compliant, Jaedicke warns, "We will take action, depending on how serious the non-compliance is. This could be anywhere from citing the bank for a violation of law to making a recommendation for improvement to the program, to taking some kind of enforcement action if we felt it was necessary."
Jaedicke says she sees that OCC-regulated institutions have done a lot of work to get into compliance, and adds that she hopes examiners will find this to be true. "It doesn't end on November 1," she reminds. "It begins on November 1."