ID Theft Red Flags: Two-Thirds of Institutions Unprepared to Comply - Are You?
Many institutions already believe they are compliant because they implemented ID theft-prevention measures from previous regulations, according to a new study by TowerGroup, a Boston-based financial analyst firm. These institutions think they merely have to document current procedures to meet the terms of the ID Theft Red Flags Rule. But TowerGroup asserts that these institutions must do far more than "document documentation."
"Of those institutions asserting that they are fully compliant, I only see about one-third of U.S. financial institutions being ready on November 1," says TowerGroup's George Tubin, Senior Research Director, Delivery Channels and Financial Information Security.
Tubin predicts the smaller community banks will be well-poised to be compliant, as they outsource much of their operations. With a limited number of vendor platforms that are compliant, it's just a matter of identifying red flags across the variety of channels and payment types.
Larger institutions have been working on implementing enterprise-wide fraud detection methods, and they're pretty far along with their efforts. "Prior to this regulation, those banks that have been working to detect cross-channel fraud will be in good shape to be compliant," Tubin says. "But the institutions in the middle tier probably won't be in such good shape."
Tubin says that those banks will look to automate their ID theft red flag programs in the same way the larger institutions have been doing.
Deadline Reprieve for Some
Reaction is mixed to last week's news that the Federal Trade Commission (FTC) will not enforce compliance with the Red Flags Rule until May 1, 2009 for entities under its jurisdiction. (See related story: FTC Won't Enforce ID Theft Red Flags Rule Until May 1)
The six-month reprieve was great news to state-chartered credit unions and non-financial institutions such as mortgage brokers, mortgage lenders, auto dealers, hospitals, utility companies, municipalities and others that fall under FTC's jurisdiction.
But for institutions outside the FTC's jurisdiction, the announcement was met with a chorus of "What about us?"
"[The reprieve] should be applied to all entities, including banks," said one reader responding to the news story.
"Federally-chartered CUs under $25m in assets should be allowed the extension," said another. "We were not big enough to have a Compliance Officer until I was appointed as such due to this regulation. Other small CUs may be in the same boat."
The FTC announcement is a mixed bag for all affected parties, according to one industry observer.
"While this is a bit of good news for these entities, the bad news is that these entities are still exposed if they do not comply by the November 1, 2008 deadline," says Sai Huda, Chairman and CEO of Compliance Coach, a La Jolla, CA-based compliance and training company.
This is because technically the FTC is not pushing back the deadline, Huda says. "They legally cannot do that; all they are doing is saying they will not prosecute for non-compliance for six more months." The hitch is that any entity that does not comply by Nov. 1 will still be out of compliance and will be exposed to potential lawsuits from plaintiff attorneys for non-compliance with the ID Theft Red Flags Rule.
"So even though the FTC is providing some leeway, it is in the best interest of these entities to comply by November 1, 2008 or as soon as possible to minimize legal risk," Huda observes.
Self-Check for Compliance
The FTC's policy decision does not affect in any way enforcement by bank, thrift and federal credit union regulators. Banks and thrifts supervised by the FDIC, OCC, Fed or the OTS, as well as credit unions supervised by the NCUA, must comply with the Red Flags Rule by the deadline date of November 1, 2008.
The recent issuance of Red Flags Examination Procedures for agency examiners to follow when examining banks, thrifts and credit unions for compliance starting Nov. 1 reemphasizes the deadline. (See related story: FDIC Announces ID Theft Red Flags Examination Procedures) Examiners are also currently being trained on the Red Flags Rule and the Examination Procedures.
The Red Flags Examination Procedures represent a risk management opportunity for banks, thrifts and credit unions. Why not use the procedures to conduct a self-assessment before the examiners get to the bank? Huda offers some best practices:
- Test -- Use the Red Flags Examination Procedures to perform a self-assessment. Assign the self-assessment to someone objective and not directly involved in developing the ID Theft Prevention Program.
- Analyze -- Document the self-assessment and the work-papers. Provide it to the examiners. They will be impressed and may cut down their scope and time in the examination.
- Resolve -- Be sure to resolve any issues identified from the self-assessment promptly and document the corrective actions. Show it to the examiners. They will attain greater comfort that you are on top of risk management.
Avoid the Pitfalls
The following are some potential pitfalls that analysts see in the Examination Procedures:
Covered Accounts -- In addition to identifying accounts for personal, family and household purposes that permit multiple payments or transactions, did you perform a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft?
Risk Profile -- Is the ID Theft Prevention Program comprehensive but risk-based and commensurate with the size and complexity of your bank, thrift or credit union, given the nature and scope of its activities? This is a bottom-line question the examiners are directed to form an opinion on, and you should be able to clearly answer it in the affirmative.
Walking the Walk -- Is your staff actually following your program, and is your institution following suit? "The examiners are directed to test various elements of your program to make sure you are following your procedures," Huda says. "Is your staff looking for the red flags you identified in your program and taking the risk mitigation procedures you outlined? You must ensure your program is not a paper tiger, but in reality is an effective identity theft prevention and risk mitigation program."
Standard or Automatic? -- TowerGroup's Tubin adds that employee training on an institution's ID theft prevention program may be critical, depending on how its program is set up. "The regulation doesn't say whether the program should be automated or manual. For institutions that have manual intervention where people are involved, then training is critically important for the program to be successful," Tubin says. For those institutions relying on automated processes to detect red flags, training will be less of a burden and not as critical.