Identity Theft Red Flags Rule: The Road to Compliance
With institutions now racing to meet or beat the deadline, Information Security Media Group is launching a new webinar, ID Theft Red Flags Roundtable - Tips from Regulators and Practitioners on How to Meet Nov. 1 Compliance.
As a sneak preview of this webinar, we caught up with participant Evelyn Royer, VP Risk Management/Support Services, Purdue Employees FCU, to discuss:
TOM FIELD: Hi, this is Tom Field, Editorial Director for Information Security Media Group. The topic today is the Identify Theft Red Flags Rule, and we are talking with Evelyn Royer, Vice President, Risk Management and Support Services with Purdue Employees Federal Credit Union in West Lafayette, Indiana. Evelyn, thanks so much for joining me today.
EVELYN ROYER: It's my pleasure to join you today.
FIELD: Let me just start out by asking you: How prepared were you and your credit union for the Red Flags Rule when it came out?
ROYER: I feel that we were pretty well prepared for the Red Flags Rule because we had been watching the FACT Act regulations for several years, ever since I think, even with the PATRIOT Act and the BSA compliance aspects. So it was just another step towards full compliance to the aspects of FACT Act that were passed in 2003.
FIELD: So, given that this is something that you had your eye on, when the Rule came down what were your first steps towards the compliance deadline of November 1?
ROYER: Well, we actually did an evaluation of what our environment was like and then determined where we had holes in our processes to be able to address the issues. We gathered all the requirements, and we determined what actions were necessary and then we actually looked at our processes and said, okay, we have this covered, the CIP (the Customer Identification Process) covered, how do we integrate that process and the member identification process into regular day to day transactions as well. I think it's been, I think, you know, several of the Red Flag Rules are pointing towards the credit reporting agencies. So that was quite an education for all of our staff that review credit bureau reports along with our originating areas.
FIELD: Evelyn, can you give me a sense of how large your staff is and how many people you have that are focused on Red Flags?
ROYER: Well, our staff is about 170 employees total for our entire credit union. I would say that 50% of our staff is what I would consider member contact that does member transactions on a day-to-day basis. So, therefore I would say that they are the ones going to be affected by the Red Flag Rules. As far as individuals who have been looking at the rules, we probably only have a handful of staff. And in determining, while we our doing assessment and reviewing our requirements, we were looking at all that and determining how do we incorporate this.
FIELD: Now, of all the things that you have to do, including your documenting your identify theft prevention program, doing security awareness for staff, doing awareness for customers, what have you found to be the biggest obstacles for your institution to overcome?
ROYER: There are a couple of obstacles I think I would want to describe here. It would probably be as number one, our systems. As a small institution, we have to rely on our systems in order to have us alert of the little flags that are involved here, so our data processing system has to have some aspects to it that would tell us or alter us of a possible Red Flag issue. And then the second obstacle I would say is training. We will have to train our staff to be able to recognize these flags and respond to them and adequately forward that information to the right department so that it can be investigated appropriately and if there is anything that has to be done, reported appropriately.
FIELD: Now Evelyn, how about the customer awareness aspect? Is that an obstacle for you? Is that something that the credit union has been doing a pretty good job of?
ROYER: I think the credit union overall has done a pretty good job of alerting our customers or our members about the issues just because all of this, from my opinion, came down from the PATRIOT Act, from BSA, anti-money laundering, all initiating with 9/11, so our members have been well aware that we have a customer identification process.
Now we are also very big on education in our credit unions so member education programs as far as identify theft has been a focus for our credit union for I would say three or four years. So we have had members and we have been alerting members of possible theft issues for several years. So I think all along we have been educating our members as to what they need to be aware of and steps to take in the event that their identity is stolen or is compromised.
FIELD: That's good. It sounds like you are ahead of the curve in a lot of ways. Now, upcoming we've got a webinar that we are putting together, and of course you are going to be a panelist on that, and we are going to be talking with you and with other practitioners as well as regulators about expectations of Red Flags, best practices and such. From your perspective, what are some of the areas that you hope to cover in your portion of that webinar?
ROYER: Well, in my portion of the webinar we are going to cover what I did, the assessment itself, as well as where we are at today. So hopefully to kind of share with other institutions out there where they should be. Right now we are our staff education phase, but we are currently designing the training session so that our staff is well aware of what the rules are and how to identify and protect and prevent so that we are well covered with the Rule itself.
So I think my webinar itself will focus on the assessment as far as what our challenges were, what we are doing and where we are at today, and what our next steps would be. So that is what my side of the session would focus on.
FIELD: Very good, I look forward to it. Now when you get out and talk with your peers from other credit unions, from banking institutions, what is your sense of how prepared they are for the Red Flags Rule?
ROYER: From my perspective, it's been coming and it was just a matter of time when the implementation date for compliance would be. So, as far as my peers were concerned, the people I have communicated with over the years, we have done the majority of the work. It had been a couple of years ago when we had to have CIP in place, so this is just an addition as far as to what is going to happen. So, in my opinion, I think my peers in general have been pretty well prepared.
They key is really the education of staff and really bringing it down to the member contact level and making sure that they are aware of all 26 of these red flags that are out there, along with a re-education per se of why it is important why we have a customer identification program.
FIELD: Evelyn, I appreciate your time and your insight today and I very much look forward to the webinar you will be participating in.
ROYER: Well thank you. I look forward to doing it myself.
FIELD: We've been talking with Evelyn Royer with the Purdue Employees Federal Credit Union. The topic has been identity theft Red Flags Rule. For Information Security Media Group, I'm Tom Field. Thank you very much.