ID Theft Red Flags: The 3 Questions You Must Answer by Nov. 1
It's the 11th Hour; Do You Have Your Board's Approval Yet?
The deadline for compliance with the Identity Theft Red Flags Rule is less than one month away, and financial institutions are scrambling to meet it.
Yet a new study from TowerGroup, the financial services research firm, predicts that fewer than one-third of institutions will be compliant by Nov. 1. And even institutions that are confident in their compliance will end up finding some minor areas for improvement when examined, says George Tubin, Senior Analyst at TowerGroup.
For all institutions, the open question remains: How will they know whether they are fully compliant? The answer: when banking regulators examine them. And yet, with less than a month to go, the regulatory agencies have only begun to release their ID Theft Red Flags Rule examination procedures.
As institutions await Nov. 1 and further clarity from their regulators, here are three key compliance questions they must answer for themselves:
1. Have we performed a risk assessment, mapped covered accounts to red flags and to detection and response procedures, and developed a risk-based, written Identity Theft Prevention Program?
2. Have we obtained the board of directors' approval of the written Identity Theft Prevention Program?
3. Have we trained appropriate staff?
The Cost for Non-Compliance
So, what should financial institutions be worried about if they don't meet the Nov. 1 deadline?
"Non-compliance will lead to cease and desist orders and civil money penalties," says Sai Huda, Chairman & CEO of Compliance Coach, a San Diego-based banking consultancy. He adds that plaintiff attorneys will be on the prowl and will sue based on unfair deceptive acts and practices violations. "Negative publicity is the last thing banks and credit unions need right now, with consumers wondering if both their money and information are safe with their bank or credit union," Huda says.
Huda offers suggestions for ensuring compliance:
Map Your Program to Your Risk Profile. Whether you use an automated tool or work manually, get a committee together to delegate the risk assessment and mapping tasks, Huda says. Make sure your program is risk-based and that you focus on higher-risk accounts and areas; don't overkill on lower-risk items, wasting time and resources. "You must be able to demonstrate to the examiners that your program is commensurate with your risk profile," Huda says.
Get Your Board's Ear. If you've not received approval yet, and your board of directors will not meet before the deadline, see if you can have a committee of the board (e.g. the Audit Committee) review and approve your identity theft prevention program via a conference call or webinar meeting. "The Rule allows flexibility here," Huda says. "It can be the entire board or a designated committee of the board. The Rule does not mandate an in-person meeting to approve. Just be sure to document formal approval for the examiners." He also recommends that institutions take the opportunity to educate the board or its committee on why this rule exists, what the risks are, and how the new program mitigates those risks. "Don't make this a rubber-stamp session, but a risk management discussion at the highest level so you will have the board's full understanding and support," Huda says.
Train Appropriate Staff. Although identity theft prevention training is a huge component of compliance, the rule allows flexibility: you do not have to train every single employee, Huda notes. Train only appropriate staff. This will save you time and money. However, be sure you train all appropriate staff at the front line as well as in the back office, and be sure to train on your specific program, not just the rule. "This way, the staff will fully understand what identity theft is, what the relevant red flags are that they should be on the lookout for, and what to do if they detect one," Huda says. Institutions should consider using e-learning or webinars to roll out the training, both to save time and money and to make the training consistent and documented for the examiners.
Upon achieving compliance, institutions will still need to periodically update their programs. Analysts suggest these factors as the triggers for an update:
The bottom line, says Huda, is that the ID Theft Red Flags Rule is really about managing the risk of identity theft. "If you think of this as another risk management issue and make it an integral part of your overall banking risk management process, you will approach it proactively and dynamically, and will succeed in mitigating the risk," Huda says.
And remember the cliché: This is a journey, not a destination. "Your obligations do not end on Nov. 1, but really just begin."