Some organizations are still breathing a sigh of relief following the FTC’s announcement suspending its enforcement of the new “Identity Theft Red Flags Rules” until May 1, 2009. However, most financial institutions are not subject to FTC oversight. Instead, they are regulated by federal functional regulators (e.g., FDIC, Federal Reserve, OTS, OCC, NCUA) and are still subject to the original November 1, 2008, deadline.
The Red Flags regulation is groundbreaking in a couple of ways. First, it mandates identity theft prevention programs, which are fraud prevention programs. This is the first time we’ve seen fraud prevention of this type required by law, and it establishes a formal intersection between compliance and fraud. For some organizations, this forces a paradigm shift. The compliance officer drives program development in some organizations, while the fraud specialist drives it in others. What we’ve seen in nearly all organizations is a collaborative approach between teams.
Second, it is much more a principles-based than a rules-based regulation. For example, the CIP[1] regulations specify that certain actions be taken in specific situations (when a customer opens a new account). Similarly, the FFIEC published specific guidelines regarding online banking. By contrast, compliance with the Identity Theft Red Flags regulation will involve looking across your entire organization and bringing together efforts to mitigate risk in any situation where risk is identified.
Fortunately, there are several strategies to help ensure your organization is fully compliant with the regulation when the examiners arrive at your doorstep.
Note:
[1] CIP = Customer Identification Programs as required under §326 of the USA PATRIOT Act and related regulations
Implement a Cross-Channel Approach
Identity theft occurs in many industries—in any type of organization, in many departments and at any time during the customer lifecycle. In fact, fraud, and identity theft in particular, often involve multiple channels. This helps explain why a cross-channel approach is expected: addressing identity fraud only in Internet banking may fail to address identity theft in credit card fraud or mortgage fraud. A cross-channel approach should help drive programs at your institution to better protect the customer—which is simply good business. A good program will extend beyond a single channel to include branches, stores, telephone and mail communication, and ATMs. It will extend beyond pure banking to bring in other lines of business.
There is good news. The push for cross-channel analysis will ultimately lead to lower risk for the organization and its customers. We know this because there are a number of financial institutions both in the United States and abroad that have already started to make this move. The result is a much greater level of protection for an organization’s customers from the risk of fraud and identity theft.
The other good news is that financial institutions should not have to start from scratch. You should be able to leverage current programs—CIP, credit card fraud prevention, data privacy, multi-factor authentication and online banking, among others—to meet these new requirements. Certain obligations, particularly around account opening, will be relatively new to some organizations, but for many, existing efforts will cover a significant portion of the Red Flags requirements. The best have done this informally, creating ways to get a complete view across the organization, but the regulation mandates that the enterprise work together in a more formal way to fight identity theft.
The burden is placed on financial institutions and creditors to keep up with emerging risks and evolving identity theft methods. This includes everything from new activity around the mobile channel as adoption increases to the risks associated with prepaid cards, which are new and different from the risks associated with credit cards and other forms of accounts. An effective solution will augment what you already have in place to help you protect your business and your customers against the growing danger of identity theft and fraudulent activity.
Review Service Providers
One aspect of the Identity Theft Red Flags Rule that has generated much interest—as well as confusion—is its requirement concerning service providers. In many cases, service providers have access to customer information in order to execute the task they were hired to do. A core systems provider, which performs many transactions on behalf of financial institutions, is a good example of a service provider that has access to your customers’ private information and could seriously compromise your program. They need access to complete their task, but that access can introduce a weakness in your overall effort to protect customer information.
It’s up to you to understand the risks your service providers pose to your organization. Even if you outsource your operations to one or more service providers, you remain ultimately responsible for compliance with the rules. Since service providers can compromise your identity theft prevention program, you should audit your service providers to determine whether they have policies and procedures in place to adequately guard against identity theft. A smart approach is to look at each and every service provider you work with and determine how much data they handle and any points of weakness. A thoughtful examination of your service providers should be part and parcel of the due diligence process completed in your risk assessment.
When you review your service providers, consider the following actions:
We have been told that some service providers are not willing to share their Identity Theft Red Flags Rules program information. In other cases, the service provider shared the program, but it fell considerably short of meeting the requirements of the bank. In either case, you will need to address this with them as your vendor. It may be part of your next contract negotiation, or it may even spur an amendment to your existing contract. If you are locked into a contract for the foreseeable future, document any conversations and requests you make, as well as the future steps the service provider intends to take.
What Initial Exams Will Bring
Given that this is a principles-based regulation, examiners will likely be more focused on the outcomes of your program than the actual mechanics. The principles-based approach allows for a greater degree of latitude in the way you develop your program.
Based on discussions with regulators, early reviews are likely to seek evidence of evolutionary progress toward a comprehensive program rather than a completed program. What will be important is demonstrating that you have taken a thoughtful and reasonable approach in designing your organization’s policy and program. The most likely way organizations will get in trouble, particularly in the first round of examinations, is if the regulators think you have not given careful attention or adequate effort to your compliance program.
Examiners want to see an organizational attitude that embraces the controls put in place to comply with the regulation. Initially, most examiners will want to see that your approach includes an enterprise-wide risk assessment, board approval and sufficient training to adequately implement and maintain the program.
The regulation provides examples of situations that could indicate the possible existence of identity theft. Found in an appendix, these situations are known as “red flags.” However, the list only provides examples and is not exhaustive. The intent is for financial institutions to make the best effort to identify instances where a customer may become a victim of identity theft. A holistic approach in how you create your organization’s red flags will probably factor in many of the examples provided in the appendix, as well as situations that are based upon your own experience or trends unique to your industry. Regulators will look to see that you have identified those types of flags which are considered high risk within your organization and then detect them consistently. Once a red flag has been detected, a correlative action must then take place to mitigate your customers’ risk of identity theft. All of this should be evident in your policies and procedures.
As with all compliance programs, it is critical that you document conversations and efforts that have taken place. Your program must be well documented and appropriate to the size, complexity and activities of your institution. To achieve this, you should document all of your efforts, which in most cases will be quite significant: project plans, risk assessments, meeting minutes, departmental procedures, training materials, documentation of training, board minutes, service provider contracts and anything else that may be relevant to your organization.
Some of our clients create a book for examiners that is very much like a training manual you would give to a new hire. By compiling this information into a single document, you can provide your examiners a tangible guide that walks them through your program and leaves little to question. It can start with a high-level summary document, describing in plain English the process you’ve undertaken, and then delve into the roles and responsibilities. If the examination of this compliance program is like others, such a book will be a wise move.
Financial institutions should expect that the programs will continue to evolve over time. At first, the examiners will not be expecting perfection. They will be looking for basic blocking and tackling that demonstrates that you have addressed major issues pertinent to your organization; that your focus is on protecting customers as well as the institution; and that your program implements a cross-channel approach across business units that is not isolated to only a few areas of the organization.
Getting Started
An effective solution will augment what you already have in place to help you protect your business and your customers against the growing danger of identity theft and fraudulent activity. It will help you address and automate important compliance obligations—at account setup and throughout the account lifecycle—to help you identify, research and act on threats to your organization. It will also allow you to continue to monitor the risk of identity theft to you and your customers.
The important thing to remember is that one size does not fit all. By taking an enterprise-wide, cross-channel approach to your Identity Theft Prevention Program, you will have the foundation for a sound program, which will evolve over time as what constitutes compliance with this new regulation is further defined.
Contact details:
Debra Geister, Director of Fraud Prevention and Compliance Solutions
T: (320) 354-4533, E: debra.geister@lexisnexis.com, W: risk.lexisnexis.com/checklist
LexisNexis® Risk & Information Analytics Group provides authoritative information concerning risk management and related subjects. In distributing these works neither the authors nor LexisNexis Risk & Information Analytics Group, or its affiliated companies, is engaged in rendering legal or other professional services. Competent professional persons should be considered and consulted if such assistance is required. This information is not intended to and does not constitute legal advice. The accuracy, completeness, adequacy or currency of the information is not warranted or guaranteed. LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc.