ID Theft Red Flags: The Only Compliance Initiative Your Customers Care About
Your customers may not even know your institution is examined for security compliance by the banking regulatory agencies, and so most likely will have never even heard about the ID Theft Red Flags Rule and the impending November 1 compliance date. That being said, the resulting preparedness by financial institutions to adhere to the Red Flags Rule and strengthen their position against identity thieves will hopefully have a resounding effect on said customers.
I'm convinced that if you asked the majority of people how their bank operates -- more specifically, how their bank operates in a "secure" manner -- they would be clueless. I have no qualms about saying the general public has no concept of how their private information is kept private, or of the steps financial institutions go through to secure their sensitive data. Some would tell me that the general public doesn't have to know, that they shouldn't care how it is done, just that it ("security") is getting done and everything is being done to keep their sensitive data private. I think I would agree; however, there is one ultimate security concern that consumers have. I'll explain below...
Insider Threat? Is that something mob-related?
We all know the main compliance topics within the industry: vendor management, business continuity and disaster recovery, anti-money laundering/BSA, GLBA/PCI/SOX, etc. All are designed to help protect your institution from financial loss and to protect the sensitive data of your customers. Your customers? They may not care so much about all of these regulatory compliance initiatives. Why should they? They are paying you to take care of their money, and just like everything else a consumer pays for, it (banking) is expected to work!
So financial institutions seem to have a large burden removed from their shoulders - they are not expected (at this point) by consumers to reveal much about how they keep sensitive data secure. Until now, institutions have largely been able to use the "trust me" approach. This has worked and continues to work. It's not as if financial institutions are engaged in a marketing war with each other, touting their vendor management programs or employee identity and access management systems in order to entice more customers to sign up. Instead, financial institutions seem to take the "less is more" approach to security, revealing only what they "have to" reveal to their customers about the steps they are taking to ensure customer privacy and data security. This is fine; however, be aware that there is one thing consumers will not stand for, and that is identity theft.
My contact information gets sold to a telemarketing company by a conniving employee? Happens all the time. Someone gets my social security number by hacking into the bank's server? Alright, I'm a bit concerned. Someone withdraws money from my bank account after they convince you that they are me? Now that is just absurd!
I've already stated my contention that Generation Y, an emerging market for financial institutions (the younger generation just now graduating from high school and college), has conceded some privacy, and so, at a stretch, might be willing to deal with someone finding out how much money they have in their account, or someone possibly obtaining their social security number in the event of a data breach. You can be sure, though, that no consumer will stand for identity theft and watch as their bank allows money to be withdrawn from their account by someone who is not really who they say they are. A consumer's bank is ultimately the one responsible for allowing any kind of deposit, withdrawal or transaction, and so the bank is ultimately responsible for being absolutely, positively, 100% sure I am who I say I am.
I would never try to minimize any compliance initiative for financial institutions. I'm thinking everyone can see benefit in the rules and guidelines issued by the banking regulatory agencies concerning information security and risk management. But when you're preparing for your first round of exams, which will undoubtedly focus in part on the ID Theft Red Flags Rule, prepare as though you are also getting ready to answer to your customers and prospects who will increasingly be asking, "How can I be sure you won't let an imposter access my finances?"
Question: Which of your compliance initiatives do you think benefits your customers the most in the end?