Tom Hinkel, Account Manager
You can almost hear the ticking… as of August 1st, financial institutions have just three months to comply with the new Red Flag regulation. The good news is that many of you already have a head start on this process, whether you know it or not: the rules allow you to plug your existing policies and procedures into the controls. The bad news is that there won’t be a “phase-in” period. Examiners expect full compliance on November 1st, and they estimate the resource impact on each institution to be about forty-one hours.
But first, what is this all about? The nature and scope of the rules can really be summed up in one sentence:
The Board of Directors must oversee the development, implementation, administration, and ongoing maintenance of a program, appropriate to the size and complexity of the institution, and nature and scope of its operations, that is designed to detect, prevent, and mitigate patterns, practices, and activities in covered accounts that could result in reasonably foreseeable financial, operational, compliance, reputation, or litigation risks to the safety and soundness of the institution or customer due to identity theft.
Whew…OK, so I didn’t say it was a simple sentence. The best way to understand what this means to the institution is to break the sentence down into its functional components.
The Board of Directors – Although the Board may delegate plan development, they have ultimate responsibility for implementing the program, and must receive updated reports at least annually on the adequacy and effectiveness of the program.
Development, implementation, administration, and ongoing maintenance – Form a committee, document the minutes of each meeting, and plan to meet every couple of weeks until the plan is completed. Then plan to meet at least annually to determine whether the controls are still sufficient.
Appropriate to the size and complexity of the institution, and nature and scope of its operations – One size does not fit all, and you can’t just recycle a plan you found on the Internet. Most importantly, because it must coordinate seamlessly with your existing policies and procedures, you can’t use a fill-in-the-blank template either.
Detect, prevent, and mitigate – Ask yourself these questions: In what ways could someone open a fraudulent account, change an existing account, or access an account that doesn’t belong to them? This detection phase is also where you’ll need to consider the four broader categories of warnings:
- Alerts, notifications and warnings from a consumer reporting agency
- Suspicious documents or personal identifying information
- Unusual or suspicious activity in the account
- Any notice regarding possible identity theft.
Additionally, what existing controls do we have in place to prevent this from happening? Are these controls sufficient? What do we do if we have an incident in spite of the controls?
Patterns, practices, and activities – This is where the twenty-six specific Red Flag examples, found in Supplement A to the regulation, are individually addressed.
Covered accounts – Defined as any account (including business accounts) with more than one method of access. Checking, savings, lines of credit: chances are that every institution reading this has accounts that would qualify as “covered.”
Reasonably foreseeable – Based on the type of accounts you offer, which of the “financial, operational, compliance, reputation, or litigation risks” should you consider? Rank them by likelihood of occurrence and potential impact, and specifically address any incidents you’ve had in the past.
Institution or customer – The intention of the regulation is not to just protect the institution, but also (and equally) the customer. Usually, what benefits the institution will also benefit the customer, but not always.
We are expecting additional guidance from the FFIEC any day. Hopefully, the guidance will provide more specifics on items such as vendor management as well as specific detection and prevention methods. But even with additional guidance, some issues will have to be resolved by the institution. For example, Red Flag #2 addresses a credit freeze on a customer’s consumer report. Services such as LifeLock routinely use a credit freeze as part of their product feature set. This will trigger a Red Flag, but will it need to be reported? Also, most institutions already employ automated tools to detect abnormal patterns of activity, but Red Flag #23 mentions returned mail. Do your existing tools have some mechanism to log the return of undeliverable mail? Or consider Red Flag #24: with the popularity of online transactions, many customers are opting out of paper statements. Do you have a method of verifying that a request to discontinue paper statements actually originated with the customer?
With the deadline looming, institutions don’t have time to wait for every issue to be clarified. Use your best efforts to develop the most complete plan you can now. Cross-reference it to your existing policies, and be prepared to revise the plan as needed. Update your vendor management program and document your staff training. Forty-one hours in three months is not insignificant, but it’s not insurmountable either.
As always, ask your Account Manager for any additional resources you may need as you prepare for November 1st.