3 Common Challenges of ID Theft Red Flags Rule Compliance
Regulators Speak Out on Issues that Led to Creation of FAQs
The Red Flags and Address Discrepancy Rules, part of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), issued in November 2007, apply to all financial institutions regulated by the Board of Governors of the Federal Reserve System (FRB), FDIC, National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS) and FTC.
Representatives from each agency met to whittle down the list of questions that began coming in to federal regulators almost immediately after the regulation was issued, says Jeff Kopchik, Senior Policy Analyst at the Federal Deposit Insurance Corporation (FDIC). Kopchik and other regulators distilled the questions down to those included in the 14-page document.
Here are the three most common challenges covered in the FAQs.
Common Challenge #1: Covered Accounts
"Institutions are still struggling with what a covered account is," says April Breslaw, Director of Consumer Regulation in the OTS Division of Compliance and Consumer Protection. "While we have the basic definition and some universal accounts can be readily identified, it's the second prong that causes a reasonably foreseeable risk of identity theft, to either the institution or the consumer."
A number of questions in the document deal with covered accounts, including examples of what types of accounts might be covered. "Every institution has to do its own risk assessment to figure out the second prong of covered accounts, and figure out what accounts within their institution may pose a risk of identity theft," Breslaw says.
One point of the examination is to verify that the institution is going back and assessing the types of accounts it has to make sure that all covered accounts are identified. Breslaw recommends that institutions go by their own experiences, where they've had problems. "Payroll cards and other prepaid cards are a good example of a covered account that some institutions may not be thinking of as a covered account," she says.
Common Challenge #2: Vendor Management
All agencies have been trying to raise awareness about third-party relationships. Again, one of the exam steps is built in to ask whether the institution has oversight of the service provider's steps to protect the data, says Breslaw.
Kopchik also sees the technology service provider question as critical. It was a very common question raised by many institutions, he says. "Both the institutions and the service providers were coming up with the wrong answer on that, which was the technology service provider wasn't covered under the regulation."
Kopchik explains that the regulators found some banks and service providers thought the regulation covered only those technology service providers that provided fraud detection services. "Which was simply incorrect. If a service provider touches information from a covered account, they fall under this regulation," Kopchik notes.
Common Challenge #3: Address Discrepancies
The issue of address discrepancies also seems to have many questions around it, notes Breslaw. In addition to issuing a press release, the OTS also issued CEO Letter 306, wherein the agency provides information with respect to furnishing confirmed addresses to consumer reporting agencies.
Breslaw stresses institutions need to have policies and procedures in place to handle these discrepancies. "You need to have a process for dealing with the consumer, confirming with them and reporting back to the consumer reporting agency," she says. "There are common situations where institutions are not reporting discrepancies back, including those on deposit accounts, or pre-paid cards."
Other Weak Points
Kopchik says the FDIC's examinations show that most banks are doing a pretty good job in meeting the requirements of the new regulation. "There is usually a learning curve on new exams. There are some areas of weakness we are noticing," he notes.
Among the areas where banks need to improve is the supervision of service providers. "It may include a wider circle of service providers than they were first identifying."
The training portion of the regulation may be an area that institutions haven't gotten around to yet, Kopchik says. "While we understand that, examiners are reminding institutions that they can't forget about the training piece of it, because it is required."
The third area in which examiners are finding that banks need more diligence is the covered accounts question, he notes. Examiners were finding that some institutions didn't have the right number of accounts in the purview of their program.
Kopchik sees the FAQs filling in those unanswered questions for institutions. "Very simply -- anything that clears up ambiguity is good for the industry and good for us," he says.