ID Theft Red Flags: Awareness Programs Take Center Stage

Employee, Customer Education a Must for Nov. 1 Deadline As part of the Nov. 1 Identity Theft Red Flags Rule compliance deadline, financial institutions must step up efforts to train employees and customers alike to be more cognizant of Identity Theft and its symptoms.

The idea behind the education is simple: Increasing security awareness prevents the crime from happening. Employees can learn how to protect the customer's data, and heightened customer awareness about identity theft can benefit both the customer and the financial institution.

What are banks and credit unions doing to prepare these new training programs? Some bankers see a good deal of work ahead for them, but are hopeful that they will meet the deadline.

"We will be ready on Nov. 1, but it will be tough," says Brandon Farmer, Senior Vice President of Operations and Technology at Bank of the James, ($270 million assets), Lynchburg, VA. "We are incorporating a risk matrix into our account-opening procedure, and we will strengthen our account maintenance procedures to be in compliance." Farmer adds the bank is purchasing a BSA/AML program from Fiserv to help risk rate and to automate the researching of red flag items. "We will be providing training through webinars and in-person branch sessions," Farmer says.

Another bank, First State Bancshares of Blakely, GA predicts it will beat the deadline, but adds that its online training provider hasn't developed a training section on ID Theft Red Flags yet. First State Bank employs BAI's online training, says Jonathan Miskell, Internal Auditor and Security Officer at the $300 million asset bank. "Our trainer will certainly do in-person visits," Miskell says.

Training for ID Theft Red Flags should contain as many "'real life' examples as possible - even make some up, Miskell says, because students of drier material (almost every employee thinks banking stuff is dry) will latch on to things best when there are good examples, along with any 'war stories' to breathe life into the information.

The Fremont Bank ($1.9 billion in assets and 24 branches) in the San Francisco bay area will have a two-pronged training program, says Leslie Zaremba, Compliance Manager. In-person training and a computer-based training module will be implemented to train associates. Customer awareness and education will be done through statement inserts, direct mail, website postings and posters in the bank's branches.

Credit Unions Taking Action
Credit unions are also working to meet the guidance requirements and say they, too, will meet the November 1 deadline. At Arizona Central Credit Union, leaders have drafted a policy and will train employees during October. "Our biggest headaches are around address changes -- specifically a member who has changed their address and orders new plastic within 30 days," says Adam Jones, VP and Chief Information Officer at the Phoenix, AZ-based credit union with $420 million assets.

Jones says the policy has yet to go to the board for approval. "But in our discussions, we are leaning toward having members fill out paperwork for address changes. Our staff would then verify the signature on the paperwork to the signature on the membership application (We store these signatures electronically)," he notes. Home banking members will still be able to change their address once they have authenticated. Arizona Central CU serves 75,000 members.

The plans for Arizona Central's training on ID Theft Red Flags will be rolled into the credit union's existing in-service training days held Presidents Day and Columbus Day. "We close all of our branches and bring all staff into our corporate office for these training days. We have not developed the full ID Theft Red Flag training, but it will be a hands-on training developed from our policy. Typically we perform this around a game show format to keep interest," Jones notes. Customer awareness about identity theft is currently part of the credit union's website, and Arizona Central offers members low cost consumer credit monitoring service that monitors the member's credit bureau file for material changes such as a new account that could be an indication of identity theft.

At Purdue Employees Federal Credit Union in West Lafayette, IN, the compliance work is nearly complete, and the only thing that awaits is employee training, says Evelyn Royer, VP Risk Management, Support Services. "The only thing we need to do is train our staff adequately so they are able to perform the steps. Our plan is to create a training module for our staff to be completed prior to the deadline."

There were several of the Red Flag Rules that point toward the credit reporting agencies. "This was quite an education for all of our staff that reviews credit bureau reports along with our originating areas," Royer notes. With about half of the staff of 170 employees having direct member contact and conducting member transactions on a day-to-day basis, this is the area of staff that will be most affected by the Red Flag Rules, she adds.

One of the two obstacles Royer and the team at the credit union see with compliance is training. "As a small institution, we have to rely on our systems in order to have us alert of the little flags that are involved here, so our data processing system has to have some aspects to it that would tell us or alert us of a possible Red Flag issue," Royer explains.

After that is tackled, the second obstacle of training has to be answered. "We will train our staff to be able to recognize these flags and respond to them and adequately forward that information to the right department so that it can be investigated appropriately, and if there is anything that has to be done, reported appropriately," she notes. The credit union has done an organization-wide presentation with a quiz for the basics, and then is moving toward more specific training for staff through November 1.

Royer sees that Purdue Employees FCU is ahead of other institutions in customer awareness about identity theft issues. Member education programs, including identify theft, has been a focus for the credit union for the last four years. "All along we have been educating our members as to what they need to be aware of and steps to take in the event that their identity is stolen or is compromised," Royer says.

Employee Education Essentials
Since employee training is required to achieve complete compliance with the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) identity theft regulations, institutions need to build an identity theft employee education component into their plans. These are the areas that institutions should consider covering in an employee education training program:

Fair Credit Reporting Act: Cover the general requirements under the Fair Credit Reporting Act (FCRA) for providing, obtaining, and using consumer credit information.

FACT Act: Review the FACT Act and the FCRA requirements and restrictions. The most significant of the FACT Act's provisions are the ones that prevent and mitigate the effects of identity theft and other forms of fraud.

FACT Act Identity Theft Red Flags: Review the new identity theft rules that are the basis for the financial institution's anti-identity theft program, some of this may already be part of your training program. Everyone at an institution that handles customer information from the teller to a loan officer to a call center representative need to be educated on what they need to know and what actions they should take when they spot a red flag.

See Also: The 26 Red Flags


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.