ID Theft Red Flags: 4 High Risk Areas
What You Might Not Know About Staying in Compliance -- and Secure
There are four "high risk" areas that aren't getting the attention they deserve as financial institutions work toward complying with the ID Theft Red Flags Rule, says a leading industry compliance expert.
Many institutions have already complied with the regulation: they have done their risk assessment, identified their covered accounts and determined which red flags they need to monitor. But there are areas that should be treated as "high risk" and aren't getting the attention they deserve from institutions, says Sai Huda, CEO of Compliance Coach.
The Red Flags Rule is a risk-based regulation. As such, Huda says, compliance should be approached from a risk management and not a purely technical perspective, and institutions should ask these questions:
- Which accounts are more at risk to identity theft?
- Which red flags represent higher risk?
- Which detection and response procedures are commensurate with the risks?
- Which service providers pose greater risk?
- What controls exist to mitigate the risks?
The big question that most institutions have at top of mind is "What about enforcement?" Huda says the federal banking regulators are taking a risk-based, top-down approach when assessing institutions.
"They are first assessing whether the [institution] has implemented a risk-based program and how it is overseeing compliance," he says. "If the program is risk-based and sound, they will limit their scope. If not, then they will dig deeper."
The recent release of an FFIEC guidance document with Frequently Asked Questions on the ID Theft Red Flags Rule (https://www.bankinfosecurity.com/articles.php?art_id=1538) also shows where regulators are hearing the most questions about the regulation.
The four areas Huda says are "high risk" and that many financial institutions have not paid enough attention to are:
- Service Providers. Many institutions have not conducted an inventory, risk ranking or assessment of their service providers. Since a provider that handles covered accounts can expose the institution to identity theft it never sees directly, this may be the weakest link in the chain.
- Business accounts. Many have focused only on consumer accounts. The rule applies to any account with a reasonably foreseeable risk of identity theft, not just consumer accounts. Small business accounts in particular are susceptible to identity theft and must be analyzed for risk.
- Training. Many have not provided proper training to staff. The training does not cover which red flags the written, board-approved program says employees should be on the lookout for, nor what they should do when one is found. The training is very general and does not cover how to comply. Identity theft cannot actually be prevented if staff do not know what to look for and what to do when they find a red flag.
- Updates. Many have put their program on the bookshelf, forgetting to update it to address new risks or changes in operations. For example, if a new line of business is opened, a new service provider is added, new products or services are rolled out, or identity theft is attempted or perpetrated, the program must be updated.