
Debra Geister discusses last-minute strategies that financial institutions can follow to help ensure Identity Theft Red Flags Rule compliance.
“Fraud, and identity theft in particular, often involve multiple channels. Addressing identity fraud only in internet banking may fail to address identity theft in credit card fraud or mortgage fraud”
-Debra Geister, LexisNexis
Most financial institutions are regulated by federal functional regulators and are therefore still subject to the original November 1, 2008, deadline. Fortunately, there are several strategies to help ensure your organization is fully compliant with the regulation when the examiners arrive at your doorstep.
Implement a cross-channel approach
Identity theft occurs in many industries – in any type of organization, in many departments and at any time during the customer lifecycle. In fact, fraud, and identity theft in particular, often involve multiple channels. This helps explain why a cross-channel approach is expected. For example, addressing identity fraud only in internet banking may fail to address identity theft in credit card fraud or mortgage fraud.
Compliance with the Identity Theft Red Flags regulation should involve looking across your entire organization and bringing together efforts to mitigate risk. A cross-channel approach should help drive programs at your institution to better protect the customer and ultimately lead to lower risk for the organization – which is simply good business.
Review
Even if you outsource your operations to one or more service providers, you remain ultimately responsible for compliance with the rules.
Service providers often have access to your customers’ private information. That access can seriously compromise or hinder your efforts to protect customer information. A smart approach is to look at each and every service provider, determine how much data they handle and identify any points of weakness. Audit your service providers to determine whether they have policies and procedures to adequately guard against identity theft.
If any service providers are not willing to share their Identity Theft Red Flags Rules program information, or if their programs fall considerably short of your requirements, begin formal discussions about your program requirements and how they affect your vendor selection. Be sure to document these conversations.
Initial Examinations
Early reviews are likely to seek evidence of evolutionary progress toward a comprehensive program rather than a completed program. Initially, most examiners will want to see that you conducted an enterprise-wide risk assessment, developed a written program, obtained board approval and completed sufficient training to implement an effective program.
Document all conversations and efforts pertaining to your program: project plans, risk assessments, meeting minutes, departmental procedures, training materials, documentation of training, board minutes, service provider contracts, etc. Some of our clients create a book for examiners that is very much like a training manual you would give to a new hire. By compiling this information into a single document, you can provide your examiners a tangible guide that walks them through your program and leaves little to question.
Getting started
The good news is that financial institutions should not have to start from scratch. You should be able to leverage current programs – CIP, credit card fraud prevention, data privacy, multi-factor authentication and online banking, among others – to cover a significant portion of these new requirements.
An enterprise-wide, cross-channel approach to your Identity Theft Prevention Program will build the foundation for a sound program. We expect compliance will evolve as this new regulation is further defined.
Debra Geister manages the development of fraud prevention and compliance solutions for the Risk and Information Analytics Group of LexisNexis. She spends most of her time working with customers to understand their needs, challenges and business processes. She also works with the ABA, other industry groups and the regulatory community.