Banking Practitioners on Identity Theft Red Flags Rule Compliance
Interview with Evelyn Royer of Purdue Employees Federal Credit Union and Steven Jones of Synovus Financial Corp.
In conjunction with the recent Identity Theft Red Flags Rule Roundtable webinar, we conducted an interview session with Evelyn Royer of Purdue Employees Federal Credit Union and Steven Jones of Synovus Financial Corp. Topics ranged from:
- How has your institution tackled ID Theft Red Flags Rule compliance?
- What have been your biggest compliance challenges?
- What advice do you offer other institutions re: Identity Theft Red Flags?
This is an excerpt of that Q&A session. To hear the entire dialogue, please register for the Identity Theft Red Flags Rule webinar, which also features banking regulators' perspectives on compliance, as well as our own new survey results on where banking institutions stand in their efforts to meet the Nov. 1 compliance deadline.
TOM FIELD: Evelyn, let me start with you. The both of you have been knee-deep in Red Flags for months now. What, Evelyn, has been the biggest challenge for your institution?
EVELYN ROYER: Tom, as I stated in my presentation, our biggest challenge, I feel, is our technology challenge -- getting our systems to be able to produce the information for us so that we are able to detect the red flags appropriately, and then actually being able to work those flags so that we are following the identity theft prevention guidelines that we set out for ourselves.
FIELD: Now Steven, you've got a bit of a larger organization there with all the institutions that fall under Synovus. What have you found to be the biggest challenge for your member institutions?
STEVEN JONES: Yeah, Tom, I think you hit right on it. Our greatest challenge is certainly organizational structure. With 36 individual charters and a variety of call centers both in-sourced and out-sourced, you know that puts us in terms of meeting the requirements of the mandatory training and making sure that we have consistent procedures across the call centers. That is probably one of our greatest challenges.
And, in terms of identification of all of the channels we want to get as part of our risk assessment, we wanted to make sure that we had identified all the possible channels where customer information could be changed and so forth, and we wanted to ensure that we had identified all of those. So, probably organizational structure and then ensuring that we had all of the technology channels and procedural channels identified.
FIELD: Let me ask you both about awareness programs. This always comes up that it is a challenge to build an awareness program. Steven, for you which is harder to do, to develop this program for employees or for customers, and why?
JONES: From our experience, the employee awareness programs have been more effective because of really a couple of reasons. One, existing frameworks are already in place. We have a center for people development that we used to help educate our employee force around all sorts of issues -- security awareness, compliance and so forth -- so you already have that framework in place. Also, we have a greater accountability with those employees in terms of incorporating these into performance improvement plans or regular performance assessments, so there is a greater accountability with employees that you don't really get with the customers.
FIELD: Evelyn, again this is a topic that you and I have discussed, so I know you have got pretty good awareness programs for your customers. What have you found to be more challenging: to develop the program for the employees or for your members?
ROYER: I think awareness programs in general, Steven is correct, and there is more accountability for employees themselves. The challenge with that is the amount of awareness programs we have to build for them and having to put all of it together, which means security, compliance, BSA, SIPS, and all of that. I think it has been pretty challenging as well as an opportunity for us because it will allow us to put it together and give it a bigger picture.
And as far as the customers are concerned, yes, we have had awareness programs for our members for several years. However, I am not--you know, it is very tough to judge how effective they are. So, in that the challenge is what you are giving them actually; are they actually able to take it all in, and one would hope so, but judging by the number of calls that we get related to issues and then other times of the year we think 'Did we not ever tell them about this issue before?' So, I think both sides have their own challenges. But, you know, depending on how you look at it, either the employees or the customers would be tougher.
FIELD: Sure. Let me ask you about board involvement. I've talked to a lot of people that say that getting a board involved with the Red Flags Rule is going to be one of the big stumbling blocks. How has that proven for you Evelyn?
ROYER: Our board is very educated, and they ask very pertinent questions as far as our organization is concerned. At the same time, they let us run our shop, so in my opinion we really have not had any big stumbling blocks with our board because they trust that what we are doing to comply with these guidelines is the right thing, and they are trusting our professional opinion in making sure that we are in compliance.
FIELD: Steven, how about Synovus? How have you managed the board involvement there?
JONES: I would agree with Evelyn. I mean we have had--at Synovus, we use the audit committee, and basically their function is kind of risk oversight, so they are accustomed to getting regular reports and presentations from both risk and compliance, so it is really kind of business as usual in terms of providing this kind of information, acknowledgement and understanding and awareness for these issues to the board or the audit committee.
FIELD: Now in a lot of ways, Red Flags compliance came along as maybe an unbudgeted item. What sort of resources, Steven, have you had to throw at this project, whether in-house, contracted, software, what have you used?
JONES: That is interesting, I actually had a conversation with some folks at the SEC about this topic just recently, and I think they were surprised that I had seen some estimates that had come out regarding this, and they were pretty low. I think to your point, the resources required for this have been probably greater than what we had expected in terms of just bringing all the stakeholders together and making sure that we understand the existing processes, adapting those processes to fit the needs, and then communicating those changes and then even testing and incorporating those into the regular awareness programs that we talked about earlier. So, all of those certainly have required probably more resources than we had expected.
We have a core processor that is integral to some of the technology implications that we have incorporated as part of this guidance, so we have both used in-house as well as contracted resources in terms of using our core processor. We haven't brought any consulting in per se, but certainly the resource requirements have been more than we had expected.
FIELD: Evelyn, how about at Purdue? What sort of resources have you thrown at the project?
ROYER: Well, until most recently it has been internal resources, in-house resources -- basically the time and effort that our staff has been putting in from the awareness assessment aspect down to figuring out what the guidelines or the program would be for our institution.
So, like I said in my presentation, we decided in the last week on a vendor to help us with compliance with this guideline, and we are throwing in an incredible amount of monetary resources in order to buy that software so that we can continue to comply, as well as the amount of time that my staff will have to spend in working that software once it is implemented. So this has been a very expensive process for us.
FIELD: Steven, how ultimately do you think we are going to measure the success of the Identity Theft Red Flags Rule?
JONES: Well, I think there will be a variety of--you know, obviously the bank exams, the regulatory exams will be one measure of effectiveness. Clearly, we will have internal audit measuring the effectiveness of these controls and so forth, and we would do our own risk assessments and regular reports to the audit committee, and compliance will do their work as well to ensure effectiveness.
But I think another one would be one we haven't really talked about much is the customer impact and the customer feedback. Clearly one of our objectives within this program is to obviously convey to the customer that privacy and confidential customer information are extremely important to us and then to ensure that they are not negatively impacted by some of the procedures that we put in place to ensure proper identification. Because there is a perception of a tradeoff there between convenience and proper security controls. So I think a great measure of success for us will be to minimize the customer feedback and gauge the customer experience.
FIELD: Evelyn, the same question for you: How ultimately at Purdue are you going to measure the success of this program?
ROYER: I would say we would measure this by loss prevention. Will we be able to mitigate the number of identity theft issues that we deal with? We don't have very many today, so will more identity theft type of issues come up because we have this process in place and will we or are we going to be able to prevent losses by having this program in place.
FIELD: Steven, what advice would you give to institutions that are struggling with their Red Flags compliance now? And, if you could give one piece of advice to them, where would you start?
JONES: I would just say to make sure you engage the right stakeholders and get executive sponsorship. Obviously, there are requirements around getting board involvement, but there are so many different elements, and I think Evelyn hit on this earlier. There are so many different elements to this guidance that in our organization it is led by compliance, but there are so many folks -- loss prevention, marketing, legal, security, IT -- there are so many different aspects of this that you just need to make sure that you have got all the right stakeholders engaged.
FIELD: Evelyn, I'm going to give you the last word from this Q&A here. If you could boil it down to a single piece of advice that you would offer to an institution that might be struggling with compliance, what would it be?
ROYER: You know, I have to agree with Steven, I think in involving all the stakeholders. If you are struggling today, and they are not involved now, you would be in trouble. But the fact that it is a centralized -- make sure it is a centralized type of compliance involvement with this, because it helps in making sure that things happen the way they are supposed to and when they are supposed to, if somebody is responsible and there is an executive sponsor.
Having an executive sponsor in this process helps in relaying to all staff involved the rules that are necessary for the entire organization to follow. It may not be a revenue generator, but it certainly is going to help us keep our doors open.