Just because there is a financial crisis is no reason for banks to put their identity theft prevention efforts on the back burner. In fact, come May 1, non-bank companies that are creditors under FTC regulations will also be required to comply with the long-awaited "red flag" rules for protecting consumer data.
Although the rules took effect Nov. 1, 2008 for commercial banks, these other creditors were given a slight reprieve to fully prepare themselves for the new legislation that heightens the awareness of factors that can lead to identity theft. Red flags is part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Programs must be in place that provide for the identification, detection and response to patterns, practices or specific activities that could indicate identity theft.
Much has changed in the financial services industry since last November. Now that the deadline has been extended, will the industry be ready for the new go-live date, even amidst the economic turmoil?
Anthony Hernandez, a managing director with Devon, Pa.-based consultancy SMART, thinks so. As is the case in similar situations, activity around red flags started to pick up as the deadline neared. "Red flags had been flying below the radar of banks during the summer," he relates. "But as Nov. 1 approached, our phones were ringing off the hook." However, now that the deadline has been extended, "there's a general sense of confidence that banks will meet it."
Overall, Hernandez thinks banks will be well-prepared for red flags since fraud prevention and protection are already intrinsic parts of their cultures. The real challenge, he says, will be the actual documentation of policies for detecting the warning signs of ID theft and what actions a bank plans to take to ameliorate such situations.
The regulators do provide some rough guidelines as to what banks need to keep in mind when creating red flags policies. Among them are alerts or warnings from consumer reporting agencies; suspicious documents; suspect personal identifying information; unusual use of a covered account; and notices from consumers, authorities or businesses about possible identity theft related to covered accounts.
Will banks have to reinvent the wheel in order to meet these requirements? It probably depends on the size of the bank, says Patricia Cooper, SVP, bank secrecy, fraud and bank security with First Federal Bank of the Midwest ($1.8 billion in assets; Defiance, Ohio). She sees banks feeling the squeeze from the financial crisis—especially the smaller ones. However, "the efforts they make in complying with the [red flags] requirements will definitely assist them in knowing their customers and give them an added level of security when making changes to customers' accounts," she notes. "The red flag rules make the bank more aware of being compliant and risk conscious."
Hernandez doesn't foresee much in the way of new tech spending on red flags solutions. Although he sees clients cutting back on discretionary spending due to the crisis, most of the financial institutions he deals with are already doing much of what the regulators are suggesting. "If banks needed to make huge changes to comply with red flags, then, yes, the crisis would have made a difference," he explains.
Financial institutions have many tools in place that can be repurposed for red flags. "Many are considering using traditional business intelligence tools," he relates. "Automation will also play a big role. At large institutions with thousands of credit requests and reports passing through the systems, manually monitoring and reporting red flags is impossible," he comments, adding that large financial institutions and card companies tend to be ahead of others in the areas of analytics and automation.
Automation was just what First Federal sought when it set out to become red flags compliant, says Cooper. Her bank did not have technology in place to facilitate the new regulation. It had a number of processes tied to the Bank Secrecy Act and red flags that it wanted to automate. The bank wanted to be able to electronically capture the information needed for BSA, OFAC, KYC and red flag compliance, among other requirements, as well as for customer and account risk rating. First Federal found a solution with Wolters Kluwer's (Amsterdam/Minneapolis) Wiz Sentri: RiskID product. "With this product and its ability to interface with other products [in First Federal], the bank was able to gather all the information, store it electronically and retrieve it quickly," Cooper explains.
Hernandez doesn't necessarily think the legislation needs to be refreshed because of the changing banking climate. However, he points out that a mandatory component of the red flags rules requires banks to periodically update their policies based on new developments and threats.
At this point, he thinks the industry is where it should be. However, red flags is not the panacea for identity theft management. "Statistics show that 80 percent of breaches happen internally," Hernandez explains. "This legislation addresses the external threat. The current meltdown was due to a lack of internal controls, so this might actually force the issue [of internal threats] in Washington."