Gonzobanker Wave That Flag – But You Best Hurry

by Tripp Johnson

Wave that flag, wave it wide and high
Summertime done come and gone, my oh my
I’m Uncle Sam, that’s who I am
Been hiding out, in a rock and roll band
Shake the hand that shook the hand
Of P. T. Barnum and Charlie Chan

Shine your shoes, light your fuse
Can you use them old U.S. Blues
–Robert Hunter/Jerry Garcia

Can’t you just feel those U.S. Blues, Gonzo Nation? Unfortunately, the flag our industry is waving these days ain’t red, white and blue … it is simply RED! Bankers appear to have come down with a serious case of Red Flag fever, and the impetus for that flag waving is good ol’ Uncle Sam.

When are we going to catch a break? Seriously, we started off with the Patriot Act, then GLBA, OFAC, BASEL (which I thought was a spice, but one wasn’t good enough so we added BASEL II – guess we needed a little more flavor), SOX and then Multi-factor. I am certain I missed a few but the point is, with all this acronymic soup being thrown at us, when in the hell are we supposed to focus on banking? By banking, I mean “show me the money.” Spending all day and night laboring over regulatory propaganda just ain’t my idea of fun – and I suppose most in the Gonzo Nation aren’t whistling “zippity do da.”

But alas, we are bankers and it is our job to follow our government’s regulations and policies because we know deep down the government is only wanting us to do what is best for our customers (just thinking about it makes me almost shed a tear).

With that said, looming like an albatross is the Nov. 1, 2008, deadline for the Red Flag Rule. Every client I have visited or spoken with lately has mentioned that there is no way they are going to meet the Nov. 1 deadline. In a recent LexisNexis survey of more than 1,000 bankers, 84% said they either hadn’t started their red flag projects or were just starting them. An analyst at Gartner says, “Bankers aren’t paying it much notice, especially when you compare it to the attention the FFIEC guidance on multi-factor authentication received.” Well, my distinguished friend, my answer to the lack of attention is that the Red Flag Rule can’t be solved with a piece of software; consequently, the vendor community has nothing to peddle to the industry so the trade rags simply don’t mention it. I assure you if some vendor came up with a solution to solve the red flag compliance issue, we bankers would be like blind lemmings jumping off a cliff.

Nope, this time around if you are going to comply with the Red Flag Rule you are going to have to roll up those starched oxford button-downs, loosen the ties and get your hands dirty. However, not wanting to see any good banker mess up his manicured hands, I have put together the Gonzo Cliff Notes of the Red Flag Rule and what should be done to comply – because watching bankers run around like chickens with their heads cut off is just darn right embarrassing.

Background of the Red Flag Rule

Let me first define a red flag – it is a pattern, practice or specific activity that indicates the possible risk of identity theft. Indicators of a “possible risk” would include phishing and security breaches involving the theft of personal information.

So beginning Nov. 1, 2008, new rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act will be mandated for any financial institution and creditor that offers or maintains one or more covered accounts. Specifically, section 114 directs financial institutions to issue guidelines regarding the detection, prevention and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances. Furthermore, section 315 also requires that financial institutions provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.

^[1]

Basically, folks, we are talking about a souped-up Identity Theft Program. So here’s a Gonzo plan to help you keep the regulators happy and your customers’ identities safe.

Step One – Identity Theft Prevention Program
An Identity Theft Prevention Program should ensure there are reasonable policies and procedures in place to control the risks inherent in protecting customer data. The program should incorporate the following actions:

Commit to ensuring that customer address discrepancies involving consumer reports are appropriately identified, investigated and handled
Identify relevant red flags for the covered accounts and incorporate those red flags into the program
Respond to any red flags that are detected
Ensure the program is updated on an annual basis
Provide program administration
Implement program guidelines

Step Two – Identity Theft Risk Assessment
Yes, friends, I realize the thought of yet another risk assessment sends shivers up your spine, but an Identity Theft Risk Assessment of your institution’s covered accounts is a critical (and unavoidable) aspect of your overall Identity Theft Prevention Program.

By definition, a covered account is “an account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account.” Covered accounts are also those that the financial institution or creditor offers or maintains “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”

A sample risk assessment could look something like the following:

ACCOUNT TYPE	ACCESS METHODS	INHERENT RISK
Deposit Accounts – Consumer & Business
Checking Savings Money Market	Account Opening: – In-person only Account Access: – In-person – Telephone – Internet – Card (Debit/ATM) – ACH – Wire – Check – Mail	High
Certificates of Deposit IRAs	Account Opening: – In-person only Account Access: – In-person – Telephone – Internet	Medium
Investments/Mutual Funds	Account Opening: – In-person only Account Access: – In-person – Telephone – Internet (consumer only)	Medium
Loan Accounts – Consumer
Mortgage Home Equity	Account Opening: – In-person only Account Access: – In-person – Telephone – Mail	High
Personal Line of Credit	Account Opening: – In-person only Account Access: – In-person – Telephone – Mail	High
Credit Card	Account Opening: – In-person – Mail-in application Account Access: – In-person – ATM/POS – Mail – Telephone – Internet	High
Automobile	Account Opening: – In-person – Mail-in application Account Access: – In-person – Mail	Medium
Loan Accounts – Business
Commercial	Account Opening: – In-person – Mail-in application Account Access: – In-person – Mail	Medium
Commercial Mortgage	Account Opening: – In-person – Mail-in application Account Access: – In-person – Mail	Medium
Business Credit Card	Account Opening: – In-person – Mail-in application Account Access: – In-person – ATM/POS – Mail – Telephone – Internet	High
Other Services
Safe Deposit Boxes	Account Opening: – In-person only Account Access: – In-person	Medium
Lock Box	Account Opening: – In-person only Account Access: – In-person – Courier service	Medium
Remote Capture	Account Opening: – In-person only Account Access: – In-person – Courier service	Medium

Step Three – Roles and Responsibilities
Bankers hate to be accountable for something like this, but hey, that is why you make the big bucks – right? Anyway, the Board of Directors must be responsible for:

Reviewing and approving the written Identity Theft Program
Designating an individual or committee to oversee and coordinate the implementation
Overseeing the efforts to develop, implement and maintain the program

The designated individual or committee must be responsible for:

Administering the Identity Theft Program’s implementation
Evaluating the impact on the program from changing business arrangements such as mergers or acquisitions, alliances, joint ventures and outsourcing arrangements
Overseeing a periodic risk assessment of the red flag monitoring controls and processes
Keeping the Board informed

Step Four – Identifying Policies & Procedures Addressing Identity Theft and Red Flags
The following are key policies and procedures that must be incorporated into your overall Identity Theft Program:

Customer Identification Program Telephone Calls and In-Person Contact
Address Change and Account Maintenance
Fraud Monitoring Practices
Information Security Policies and Procedures
Vendor Management Policy

Final Steps

Once all of the aforementioned has taken place and your calloused hands have healed, the last few steps to compliance are not rocket science:

Test – at a minimum, semi-annually test the key controls, systems and procedures of your Identity Theft Program
Program Updates – update the program on an annual basis
Employee Training – ensure all employees know the corporate policies and their responsibilities
Reporting – put together at least an annual report for the Board

See, now that wasn’t so bad.

Our industry is under attack at the moment. Banks are failing left and right and customer confidence is … let’s just say I wouldn’t count on too many Christmas cards this year. The least we can do is demonstrate to our customers that we are looking out for them. Consequently, hoist up your red flags and wave them with pride because if you don’t, you may find your institution reluctantly waving a white one.

Reminder: GonzoBankers never surrender!

Later,
-tj

Strengthen your Identity Theft Program with Cornerstone’s Risk Assessment Services

Risk Management is serious business, and Cornerstone Advisors ^[2] is serious about helping you ensure your institution is doing everything it can to mitigate the threats bankers face in this volatile industry.

Cornerstone’s Risk Management Program Assessment was designed to review the effectiveness of the Risk Management Program within your institution and across the enterprise.

In addition to a review of your institution’s Red Flag Program, our Risk Assessment Program Assessment evaluates these and many other areas within your organization:

Risk Management Program Document
Enterprise Wide Risk Assessment and Business Impact Analysis
Information Security Program Risk Assessment and Business Impact Analysis
Compliance Program, including:
– Know Your Customer (CIP)
– Bank Secrecy Act
– Privacy
– General Compliance Areas
Progress on Issues Pointed Out by Regulators and Other Third Parties

Visit ^[3]our Web site or contact us ^[4] for an introduction to Cornerstone’s top-down, 4-Step Approach to Risk Management.