A collection of observations, ruminations, predictions and random thoughts from Cornerstone Advisors.

September 5, 2008 by Gonzo Guest Writer

Wave That Flag – But You Best Hurry

by Tripp Johnson

Wave that flag, wave it wide and high
Summertime done come and gone, my oh my
I’m Uncle Sam, that’s who I am
Been hiding out, in a rock and roll band
Shake the hand that shook the hand
Of P. T. Barnum and Charlie Chan

Shine your shoes, light your fuse
Can you use them old U.S. Blues
–Robert Hunter/Jerry Garcia

Can’t you just feel those U.S. Blues, Gonzo Nation? Unfortunately, the flag our industry is waving these days ain’t red, white and blue … it is simply RED! Bankers appear to have come down with a serious case of Red Flag fever, and the impetus for that flag waving is good ol’ Uncle Sam.

When are we going to catch a break? Seriously, we started off with the Patriot Act, then GLBA, OFAC, BASEL (which I thought was a spice, but one wasn’t good enough so we added BASEL II – guess we needed a little more flavor), SOX and then Multi-factor. I am certain I missed a few but the point is, with all this acronymic soup being thrown at us, when in the hell are we supposed to focus on banking? By banking, I mean “show me the money.” Spending all day and night laboring over regulatory propaganda just ain’t my idea of fun – and I suppose most in the Gonzo Nation aren’t whistling “zippity do da.”

But alas, we are bankers and it is our job to follow our government’s regulations and policies because we know deep down the government is only wanting us to do what is best for our customers (just thinking about it makes me almost shed a tear).

With that said, looming like an albatross is the Nov. 1, 2008, deadline for the Red Flag Rule. Every client I have visited or spoken with lately has mentioned that there is no way they are going to meet the Nov. 1 deadline. In a recent LexisNexis survey of more than 1,000 bankers, 84% said they either hadn’t started their red flag projects or were just starting them. An analyst at Gartner says, “Bankers aren’t paying it much notice, especially when you compare it to the attention the FFIEC guidance on multi-factor authentication received.” Well, my distinguished friend, my answer to the lack of attention is that the Red Flag Rule can’t be solved with a piece of software; consequently, the vendor community has nothing to peddle to the industry so the trade rags simply don’t mention it. I assure you if some vendor came up with a solution to solve the red flag compliance issue, we bankers would be like blind lemmings jumping off a cliff.

Nope, this time around if you are going to comply with the Red Flag Rule you are going to have to roll up those starched oxford button-downs, loosen the ties and get your hands dirty. However, not wanting to see any good banker mess up his manicured hands, I have put together the Gonzo Cliff Notes of the Red Flag Rule and what should be done to comply – because watching bankers run around like chickens with their heads cut off is just downright embarrassing.

Background of the Red Flag Rule

Let me first define a red flag – it is a pattern, practice or specific activity that indicates the possible risk of identity theft. Indicators of a “possible risk” would include phishing and security breaches involving the theft of personal information.

So beginning Nov. 1, 2008, new rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act will be mandated for any financial institution and creditor that offers or maintains one or more covered accounts. Specifically, section 114 directs financial institutions to issue guidelines regarding the detection, prevention and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances. Furthermore, section 315 also requires that financial institutions provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.
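The two situations that paragraph singles out (a card issuer validating a change of address that is followed by a card request, and a user of consumer reports handling a notice of address discrepancy) are easy to turn into a detection check. The Python below is an added example, not code from the Gonzo Banker post or from Cornerstone Advisors: the account ids, addresses, dates and event records are constructed, and the 30-day follow-up window is an assumed parameter, since the post only says "under certain circumstances".

```python
"""
Red-flag checker for two situations the Red Flag Rule singles out (an added
example; not code from the Gonzo Banker post or Cornerstone Advisors):
  1. a card issuer is notified of a change of address and, shortly afterwards,
     receives a request for an additional or replacement card on that account;
  2. a user of consumer reports receives a notice of address discrepancy and
     must reconcile the report address with the address it holds on file.
Event records, addresses and the 30-day follow-up window are constructed for
this example; the window length is an assumed parameter, not from the post.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

CARD_FOLLOWUP_WINDOW = timedelta(days=30)  # assumed for the example


@dataclass
class Event:
    account: str
    day: date
    kind: str                 # "address_change" | "card_request" | "report_discrepancy"
    detail: dict = field(default_factory=dict)


@dataclass
class RedFlag:
    account: str
    day: date
    flag: str
    action: str


def normalize(addr: str) -> str:
    """Crude normalization so '123 Main St., Springfield' equals '123 main st springfield'."""
    return " ".join(addr.lower().replace(".", "").replace(",", "").split())


def detect_red_flags(events, addresses_on_file):
    """Scan events in date order and return the red flags they raise.

    addresses_on_file maps account id -> address the institution holds; it is
    updated in place when an address-change notice is processed.
    """
    flags = []
    last_change = {}  # account id -> date of the most recent change-of-address notice
    for ev in sorted(events, key=lambda e: e.day):
        if ev.kind == "address_change":
            last_change[ev.account] = ev.day
            addresses_on_file[ev.account] = ev.detail["new_address"]
        elif ev.kind == "card_request":
            changed = last_change.get(ev.account)
            if changed is not None and ev.day - changed <= CARD_FOLLOWUP_WINDOW:
                flags.append(RedFlag(
                    ev.account, ev.day,
                    f"card request within {CARD_FOLLOWUP_WINDOW.days} days of an address change",
                    "hold the card; validate the change of address with the customer "
                    "(e.g. notice to the former address) before mailing it"))
        elif ev.kind == "report_discrepancy":
            on_file = addresses_on_file.get(ev.account, "")
            if normalize(ev.detail["report_address"]) != normalize(on_file):
                flags.append(RedFlag(
                    ev.account, ev.day,
                    "consumer report address does not match the address on file",
                    "confirm the report relates to this customer and reconcile the "
                    "address before relying on the report"))
    return flags


# Constructed sample data: four accounts, two of which should raise a flag.
SAMPLE_ADDRESSES = {
    "A-1001": "12 Birch Ln, Springfield",
    "A-1002": "30 Cedar Dr, Springfield",
    "A-1003": "123 Main St, Springfield",
    "A-1004": "9 Oak Rd, Shelbyville",
}
SAMPLE_EVENTS = [
    Event("A-1001", date(2008, 9, 3), "address_change", {"new_address": "45 Elm Ave, Springfield"}),
    Event("A-1001", date(2008, 9, 18), "card_request"),   # 15 days later: flag
    Event("A-1002", date(2008, 6, 1), "address_change", {"new_address": "7 Pine Ct, Springfield"}),
    Event("A-1002", date(2008, 9, 10), "card_request"),   # 101 days later: no flag
    Event("A-1003", date(2008, 9, 12), "report_discrepancy",
          {"report_address": "123 Main St., Springfield"}),  # same address, formatting only
    Event("A-1004", date(2008, 9, 15), "report_discrepancy",
          {"report_address": "77 Maple Way, Capital City"}),  # real mismatch: flag
]


def run_sample():
    """Run the checker over the constructed events with a fresh copy of the address book."""
    return detect_red_flags(SAMPLE_EVENTS, dict(SAMPLE_ADDRESSES))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.day} {f.account}: {f.flag} -> {f.action}")
```

The point of the normalization step is that a notice of address discrepancy is often just a formatting difference; the check should only escalate when the addresses genuinely differ, and the card-request rule should key off the time since the last change notice rather than the mere existence of a change.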

Basically, folks, we are talking about a souped-up Identity Theft Program. So here’s a Gonzo plan to help you keep the regulators happy and your customers’ identities safe.

Step One – Identity Theft Prevention Program
An Identity Theft Prevention Program should ensure there are reasonable policies and procedures in place to control the risks inherent in protecting customer data. The program should incorporate the following actions:

  • Commit to ensuring that customer address discrepancies involving consumer reports are appropriately identified, investigated and handled
  • Identify relevant red flags for the covered accounts and incorporate those red flags into the program
  • Respond to any red flags that are detected
  • Ensure the program is updated on an annual basis
  • Provide program administration
  • Implement program guidelines

Step Two – Identity Theft Risk Assessment
Yes, friends, I realize the thought of yet another risk assessment sends shivers up your spine, but an Identity Theft Risk Assessment of your institution’s covered accounts is a critical (and unavoidable) aspect of your overall Identity Theft Prevention Program.

By definition, a covered account is “an account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account.” Covered accounts are also those that the financial institution or creditor offers or maintains “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”

A sample risk assessment could look something like the following:

ACCOUNT TYPE / ACCESS METHODS / INHERENT RISK

Deposit Accounts – Consumer & Business

  Checking; Savings; Money Market
    Account Opening: In-person only
    Account Access: In-person; Telephone; Internet; Card (Debit/ATM); ACH; Wire; Check; Mail
    Inherent Risk: High

  Certificates of Deposit; IRAs
    Account Opening: In-person only
    Account Access: In-person; Telephone; Internet
    Inherent Risk: Medium

  Investments/Mutual Funds
    Account Opening: In-person only
    Account Access: In-person; Telephone; Internet (consumer only)
    Inherent Risk: Medium

Loan Accounts – Consumer

  Mortgage; Home Equity
    Account Opening: In-person only
    Account Access: In-person; Telephone; Mail
    Inherent Risk: High

  Personal Line of Credit
    Account Opening: In-person only
    Account Access: In-person; Telephone; Mail
    Inherent Risk: High

  Credit Card
    Account Opening: In-person; Mail-in application
    Account Access: In-person; ATM/POS; Mail; Telephone; Internet
    Inherent Risk: High

  Automobile
    Account Opening: In-person; Mail-in application
    Account Access: In-person; Mail
    Inherent Risk: Medium

Loan Accounts – Business

  Commercial
    Account Opening: In-person; Mail-in application
    Account Access: In-person; Mail
    Inherent Risk: Medium

  Commercial Mortgage
    Account Opening: In-person; Mail-in application
    Account Access: In-person; Mail
    Inherent Risk: Medium

  Business Credit Card
    Account Opening: In-person; Mail-in application
    Account Access: In-person; ATM/POS; Mail; Telephone; Internet
    Inherent Risk: High

Other Services

  Safe Deposit Boxes
    Account Opening: In-person only
    Account Access: In-person
    Inherent Risk: Medium

  Lock Box
    Account Opening: In-person only
    Account Access: In-person; Courier service
    Inherent Risk: Medium

  Remote Capture
    Account Opening: In-person only
    Account Access: In-person; Courier service
    Inherent Risk: Medium


Step Three – Roles and Responsibilities
Bankers hate to be accountable for something like this, but hey, that is why you make the big bucks – right? Anyway, the Board of Directors must be responsible for:

  • Reviewing and approving the written Identity Theft Program
  • Designating an individual or committee to oversee and coordinate the implementation
  • Overseeing the efforts to develop, implement and maintain the program

The designated individual or committee must be responsible for:

  • Administering the Identity Theft Program’s implementation
  • Evaluating the impact on the program from changing business arrangements such as mergers or acquisitions, alliances, joint ventures and outsourcing arrangements
  • Overseeing a periodic risk assessment of the red flag monitoring controls and processes
  • Keeping the Board informed

Step Four – Identifying Policies & Procedures Addressing Identity Theft and Red Flags
The following are key policies and procedures that must be incorporated into your overall Identity Theft Program:

  • Customer Identification Program Telephone Calls and In-Person Contact
  • Address Change and Account Maintenance
  • Fraud Monitoring Practices
  • Information Security Policies and Procedures
  • Vendor Management Policy

Final Steps

Once all of the aforementioned has taken place and your calloused hands have healed, the last few steps to compliance are not rocket science:

  • Test – at a minimum, semi-annually test the key controls, systems and procedures of your Identity Theft Program
  • Program Updates – update the program on an annual basis
  • Employee Training – ensure all employees know the corporate policies and their responsibilities
  • Reporting – put together at least an annual report for the Board

See, now that wasn’t so bad.

Our industry is under attack at the moment. Banks are failing left and right and customer confidence is … let’s just say I wouldn’t count on too many Christmas cards this year. The least we can do is demonstrate to our customers that we are looking out for them. Consequently, hoist up your red flags and wave them with pride because if you don’t, you may find your institution reluctantly waving a white one.

Reminder: GonzoBankers never surrender!

Later,
-tj

Strengthen your Identity Theft Program with Cornerstone’s Risk Assessment Services

Risk Management is serious business, and Cornerstone Advisors is serious about helping you ensure your institution is doing everything it can to mitigate the threats bankers face in this volatile industry.

Cornerstone’s Risk Management Program Assessment was designed to review the effectiveness of the Risk Management Program within your institution and across the enterprise.

In addition to a review of your institution’s Red Flag Program, our Risk Assessment Program Assessment evaluates these and many other areas within your organization:

  • Risk Management Program Document
  • Enterprise Wide Risk Assessment and Business Impact Analysis
  • Information Security Program Risk Assessment and Business Impact Analysis
  • Compliance Program, including:
    – Know Your Customer (CIP)
    – Bank Secrecy Act
    – Privacy
    – General Compliance Areas
  • Progress on Issues Pointed Out by Regulators and Other Third Parties

Visit our Web site or contact us for an introduction to Cornerstone’s top-down, 4-Step Approach to Risk Management.
