Even amid a financial crisis, banks cannot let their guard down. In fact, a mandatory component of the so-called "red flag" rules for protecting consumer data requires banks to periodically update their policies based on new threats.
The red flag rules, which are part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003, state that companies must have in place programs that provide for the identification of, detection of and response to patterns, practices and activities that could indicate identity theft. While banks were required to comply as of Nov. 1, 2008, non-bank companies that are creditors under FTC regulations were given an extension until May 1, 2009, to prepare for the new legislation. But even as the deadline for compliance was extended for other creditors, the economic turmoil will not provide a free pass for banks.
According to Anthony Hernandez, a managing director with Devon, Pa.-based consultancy SMART, however, banks already are in a good position to comply with the red flag rules, and at this point their identity theft prevention programs likely will require little technology investment. "There's a general sense of confidence" among SMART's bank clients that compliance can be maintained, he relates.
Although banks are cutting back on discretionary spending due to the crisis, Hernandez adds, most of the institutions he deals with already are doing much of what the regulators are suggesting. "If banks needed to make huge changes to comply with red flags, then, yes, the crisis would have made a difference," he explains.
Overall, Hernandez says, banks have been well prepared for the red flag legislation, as fraud prevention and protection already are intrinsic parts of their cultures. The real challenge, he points out, will be the documentation of policies for detecting the warning signs of ID theft and what actions a bank plans to take to ameliorate such situations.
Banks won't have to reinvent the wheel to keep up with the red flag rules, agrees Patricia Cooper, SVP, bank secrecy, fraud and bank security with Defiance, Ohio-based First Federal Bank of the Midwest ($1.8 billion in assets). But, she notes, the pain of complying likely will depend on the size of the institution as banks continue to feel the squeeze from the financial crisis.
Nonetheless, "The efforts [banks] make in complying with the [red flag] requirements will definitely assist them in knowing their customers and give them an added level of security," Cooper says. "The red flag rules make the bank more ... risk-conscious."
A Comprehensive Toolbox
Financial institutions have many tools in place that can be repurposed for red flag compliance, SMART's Hernandez adds. "Many are using traditional business intelligence tools," he says. "Automation will also play a big role. At large institutions ... manually monitoring and reporting red flags is impossible."
Automation was the goal when First Federal developed its red flag program, according to the bank's Cooper. While the bank did have a number of processes tied to the Bank Secrecy Act (BSA), including various automated alerts, she notes, it wanted to be able to electronically capture information needed for BSA, OFAC, Know Your Customer and red flag compliance, as well as for customer and account risk rating.
First Federal found its solution in Wolters Kluwer's (Amsterdam/Minneapolis) Wiz Sentri: RiskID product, Cooper reports. "With this product and its ability to interface with other products [in First Federal], the bank was able to gather all the information, store it electronically and retrieve it quickly," she explains.
But while the industry is where it should be in terms of complying with the red flag rules, says SMART's Hernandez, the new regulation isn't a panacea for ID theft management. "Statistics show that 80 percent of breaches happen internally," he explains. "This legislation addresses the external threat. The current meltdown was due to a lack of internal controls."
Raising a Red Flag
The six agencies charged with drafting the "red flag" rules offer 26 potential red flags that financial services companies should be aware of when dealing with customers. Some examples from the list of commonsense guidelines include:
• A fraud alert included with a consumer report.
• A notice of address discrepancy provided by a consumer reporting agency.
• Documents provided for identification that appear altered or forged.
• Information on an ID, such as a signature, that is inconsistent with information on file at the financial institution.
• An application that appears forged, altered, or destroyed and reassembled.
• A lack of correlation between Social Security number range and date of birth.
• An address or phone number matching one supplied by a large number of applicants.
• A drastic change in payment patterns, use of available credit or spending patterns.
• Mail sent to a customer is repeatedly returned as undeliverable despite ongoing transactions on an active account.
Source: Federal Trade Commission
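A small screening pass over constructed loan applications, added here as an illustration and not part of the article or of any vendor's product. It implements five of the red flags listed above (fraud alert, address discrepancy notice, shared address, shared phone, returned mail on an active account); the threshold of three applicants for "a large number" and the two-returns rule for undeliverable mail are assumed values, not figures from the FTC list.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Applicant:
    app_id: str
    address: str
    phone: str
    fraud_alert: bool = False          # fraud alert included with the consumer report
    address_discrepancy: bool = False  # address discrepancy notice from a reporting agency
    mail_returned: int = 0             # pieces of mail returned as undeliverable
    active_transactions: int = 0       # recent transactions on the (active) account

SHARED_THRESHOLD = 3  # assumption: this many applicants on one address/phone is "a large number"

def norm_addr(s):
    # Case-fold and drop punctuation so "12 Main St., Anytown" matches "12 main st anytown".
    return " ".join("".join(c if c.isalnum() else " " for c in s.lower()).split())
def norm_phone(s):
    return "".join(c for c in s if c.isdigit())  # compare digits only

def red_flags(applicants, shared_threshold=SHARED_THRESHOLD):
    """Return {app_id: [reasons]} for every applicant that trips at least one red flag."""
    addr_counts = Counter(norm_addr(a.address) for a in applicants)
    phone_counts = Counter(norm_phone(a.phone) for a in applicants)
    hits = {}
    for a in applicants:
        reasons = []
        if a.fraud_alert:
            reasons.append("fraud alert on consumer report")
        if a.address_discrepancy:
            reasons.append("address discrepancy notice")
        if addr_counts[norm_addr(a.address)] >= shared_threshold:
            reasons.append("address shared by many applicants")
        if phone_counts[norm_phone(a.phone)] >= shared_threshold:
            reasons.append("phone shared by many applicants")
        if a.mail_returned >= 2 and a.active_transactions > 0:
            reasons.append("mail repeatedly undeliverable on active account")
        if reasons:
            hits[a.app_id] = reasons
    return hits

# Constructed sample applications, not real customer data.
SAMPLE = [
    Applicant("A1", "12 Main St, Anytown", "555-0101"),
    Applicant("A2", "12 main st  anytown", "555-0102", address_discrepancy=True),
    Applicant("A3", "12 Main St., Anytown", "555-0103"),
    Applicant("A4", "9 Oak Ave, Anytown", "(555) 0199", mail_returned=3, active_transactions=12),
    Applicant("A5", "77 Elm Rd, Anytown", "555-0199", fraud_alert=True),
    Applicant("A6", "5 Pine Ct, Anytown", "555.0199"),
    Applicant("A7", "3 Birch Ln, Anytown", "555-0177"),
]
```

Because the shared-address and shared-phone checks are computed across the whole batch, the same applicant can be clean in isolation and flagged once the batch is large enough for the correlation to show.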