Is Your Financial Institution Red Flag Ready?
by Bryan Ansley
Let's start with some good news. It turns out identify fraud is wreaking less havoc on the financial services industry and the general public. Although $45 billion was stolen last year, it was a 12-percent decrease from total money lost due to identity theft in 2006, according to a Javelin Strategy and Research survey. The same survey also found the number of fraud victims, 8.1 million people, decreased by four percent.
The financial trend is positive. Although the numbers are still sky-high, financial institutions can take the credit for the downturn in identity theft. There have been widespread steps taken throughout the industry to deter and react to security threats, but we're not out of the woods yet. Identity theft threats are becoming increasingly more complex and hard to combat.
A new scam, "man-in-the-middle" or MITM, uses phishing e-mails to lure customers into releasing their log-in and password information, along with banking account and Social Security Numbers. Basically, consumers click a link in a fraudulent e-mail and are directed to a Website engineered to be the mirror image of their financial institution's home page. As the consumers attempt to conduct their online banking, hackers gather the sensitive information as it is typed.
To mitigate identity fraud attacks, in late 2007 the Federal Reserve issued the Red Flag Rule, which requires all financial institutions to conduct an identity theft assessment of their organization and, based on those findings, develop measures to mitigate the risks. On November 1, 2008, those safety measures must be in place. If no action is taken, non-compliant financial institutions will face potential sanctions and monetary penalties.
Due to the downturn in identity theft cases, many financial institutions may have a false sense of comfort related to the new Red Flag regulations. While many financial institutions have online banking security measures, these measures may not reach other vulnerable areas like call-in customer support centers or mail-in correspondence. The new regulations will require a strong security blanket across the board.
With the November Red Flag compliance deadline less than three months away, what are financial institutions doing to get ready? The answer varies. During 2008, many institutions have focused heavily on the mortgage crisis. Nevertheless, a great number of financial institutions are reaching out to third-party vendors that specialize in identity theft for anti-fraud services and technologies.
For Red Flag compliance, the first step is conducting a thorough initial risk assessment, surveying all the different facets of a financial institution's offering and services. Taking those into account, the assessment will review and compare anti-fraud procedures with Bank Secrecy Act requirements and the institution's identity theft program that covers its accounts.
During the process, a gap analysis of all products and services that do not have the proper risk controls in place will be examined. Periodically the risk assessment must be updated. These revisions will be based on changes in methods used to open accounts, methods available to access accounts, and the institution's recent run-ins with identity theft.
All the information gained from the initial risk assessment and subsequent evaluations is used to create a policies and procedures manual. The manual will detail the process and protocols for dealing and detecting "red flags" such as information mismatches, pattern usage issues and change of address and passwords situations, which may indicate potential identity theft on an account.
When an audit is initiated, financial institutions must have a policies and procedures handbook approved by its board and updated to reflect the organization's experience with identity theft crimes. While satisfying the regulation, this manual will also be a tool for the financial institution to decrease fraud losses.
The risk assessment and polices and procedures manual are only two of the requirements of the new Red Flag Rules. Once this critical step is in place, however, a financial institution will have a new level of clarity related to its compliance and requirements for additional security measures. Knowing where the holes are located and the necessary next steps to take is crucial to protecting key information and valued customers.
In the end, going beyond a minimalist approach to defend against identity theft adds value to a financial institution's offerings drawing new and retaining current customers. According to a recent Unisys corporation survey, 50 percent of households would switch their financial institution for better identity protection. Obtaining the best identity theft security measures are in a financial institution's best interests.
Secure Identity Systems is the only company in the U.S. that offers the end-to-end solution for Red Flag compliance including: Initial Risk Assessment, Policies and Procedures Manual, New Account Authentication, Change of Address Verification, Identity Theft Protection with fully managed recovery, On-site Staff Training, and an Anti-Phishing Program. For additional information, please call (615) 377-7661, or e-mail: firstname.lastname@example.org.
First published on BankersOnline.com 8/11/08
First published on 08/11/2008