Financial institutions and other companies that extend credit must have in place an identity theft prevention program by November 1. The so-called “red flag” rules require that the program be designed to identify red flag events that signal possible identity theft and to detect and respond to those red flags.
Some examples of red flags include the presentation of suspicious documents on account opening and unusual use of an account. Some of the actions suggested to combat red flags are account monitoring, customer notification, and contacting law enforcement.
These rules apply to any business that extends credit, holds customer accounts that permit multiple payments and transactions, or otherwise might have “foreseeable risk” of identity theft. Thus car companies, if they have loan financing divisions, and casinos, which set up accounts and lines of credit for customers, also have to comply.
Banks already had programs in place that fulfilled several of the rule’s requirements, according to Stephen Kenneally, vice president of the Center for Regulatory Compliance at the American Bankers Association. For them, complying with at least part of the rule may be just a matter of repackaging their policies.
For example, Kenneally says, banks are already required to have “Know Your Customer” identification programs as part of the USA PATRIOT Act, and they are required to confirm that a customer matches his or her photo identification.
“If someone’s face obviously doesn’t match their driver’s license, you wouldn’t want to open their account. That would be a red flag,” he says, adding, “This would just be sort of repackaging it, saying, whereas we always require you to check a picture ID when opening an account, now we’re officially going to be calling it a ‘red flag’ and putting it into our written identity theft prevention program.”
But partial compliance is not sufficient. As for the aspects of the requirements that don’t fit existing policies, a recent survey by BankInfoSecurity found that only 50 percent of financial institutions surveyed would definitely be in compliance before the deadline, while 41 percent estimated that they would barely meet the deadline.
One challenge banks face is devising a protocol for assessing which accounts are most at risk of identity theft. Keith Monson, of Premier Bank— which operates in Missouri, Illinois and Texas—says that the most difficult part of compliance with the rule for his bank was the risk assessment and determining whether the program should apply to business accounts.
Danny Shaw, who consults on red-flag rules compliance for Milwaukee-based auditing and consulting firm Jefferson Wells, agrees that risk assessment has been a challenge. It is where many of his clients were lagging. “If they already have security things in place, a lot of times, companies are believing that they’ve got themselves covered, but they haven’t verified that through a true identity [theft] review,” says Shaw.
Not surprisingly, the regulation is deemed to be harder on smaller banks than on large ones. “The bottom line,” says Kenneally, is that “if you’re a smaller bank, and you only have one-and-a half full-time employees devoted to compliance, and then all of a sudden, you get something like this added onto it, it’s a lot bigger burden than if you’re a bank that has a hundred people in compliance that can spread the work around.”
Another issue is account monitoring. Priscilla J. Barnes, vice president of regulatory risk management at Oklahoma-based Stillwater National Bank, wrote that her bank could likely not afford the technology to help them comply with the rules. Barnes wrote that her bank, which has more than $2 billion in assets, did not have the resources to manually monitor all of its accounts.
One company offering solutions is Wolters Kluwer Financial Services. Its Wiz Sentri account monitoring option ranges in price from $10,000 to $20,000 for “small applications” all the way to $500,000 for larger deals.
Monson does not believe that the identity theft rules are an undue burden on any institution—rather, they are a cost of doing business. Shaw agrees. “It’s not a matter of whether you have time or money. It’s a requirement…. [Are] your reputation and loss of money, both, worth not getting it done?”
Whether the rules will achieve their objective is another question. Barnes also pointed out in her comments that “it is impossible for any organization to develop a program that will ensure the prevention of identity theft,” because organizations do not have control over customers’ lives and information.