Red Flag Rule Compliance: 5 Things You Need to Know
by Bryan Ansley
With a Nov. 1 deadline looming, many banks are racing to bring their institutions into full compliance, or risk suffering penalties and other costly consequences. The regulations mandate that all banks implement identity theft protection programs that include creating "reasonable policies and procedures" for preventing ID theft, identifying "red flag" signals of possible identity theft, and notifying victims.
Compliance with the complex Red Flag regulations and the tools available on the market deserve some explanation. How are banks to know which solutions put them in compliance with the new regulations? After all, not all identity theft protection tools are created equal.
For example, the new Fed rules require banks to protect all customers. However, many ID theft protection solutions only enroll and notify individuals who bank online, alienating an estimated 29 percent of bank customers.
Similarly, credit monitoring services detect criminal-borrowing patterns, but can't flag when non-credit records such as drivers' licenses, utilities and medical records are being tampered with. This limitation allows 66 percent of identity breaches to avoid detection. What's more, many of these credit monitoring services offer only credit freezes or fraud alerts, measures that can be obtained by consumers on their own and for free.
These and other loopholes make choosing the most comprehensive program difficult. Here's what bankers need to know to navigate the marketplace and find the solution that will bring their institution into total compliance.
- Total Identity Monitoring. Basic credit monitoring detects only 34 percent of identity breaches. To identify the other 66 percent, an ID protection service must also monitor utilities, DMV records, medical records, bank records and any other databases that use Social Security numbers. Some providers also supply a Web site that lets bank customers proactively self-check their data and request help if they suspect fraudulent activity.
- Fully managed breach recovery. When it comes to recovery, identity theft programs will offer one of four approaches: assisted, limited event, semi-managed or fully managed. Only fully managed plans provide victims with a professional advisor who, through limited power of attorney, works on their behalf to recover their identity. The advisor, not the customer, will handle the recovery process from beginning to end, including all research, phone calls, letter writing, documentation, and follow-through, expediting recovery and helping victims avoid further stress and disruptions.
- Expense reimbursement insurance. According to the Federal Trade Commission, the average cost to restore a stolen identity is $8,000, making a comprehensive insurance plan extremely valuable. The best plans provide ample insurance coverage for damages, but banks should pay close attention to deductibles, reimbursement amounts and premiums that might be buried in the policies' fine print. Many plans offer low coverage at high premiums, or carry outrageous deductibles. Lastly, look for a policy that has few, if any, exclusions. The ideal policy will cover all financial losses associated with the ID theft and recovery, including legal expenses, lost wages, loan application fees, long distance telephone bills, mailing and postage, notarization fees, credit reports, and more.
- Educating employees and customers. Knowing how to minimize risk upfront should be an integral part of any ID protection service. Look for a provider who makes education a key priority, and teaches staff and customers how to utilize their ID protection system. Educational programs should include newsletters, Web sites, Webinars, conference calls, and live, on-site seminars. Some of these can even fulfill Community Reinvestment Act requirements, so look at providers' experience with qualified programs. Ideally, the provider will be able to customize an educational program to meet a bank's exact needs, and eliminate the need to hire additional people to handle program implementation.
- Monitoring the bank's identity. Section 114 of the "Red Flag" ruling requires financial institutions to address the threat of phishing. Therefore, it is imperative for a bank's ID protection program to include an "anti-phishing" component that not only monitors the online identities of the institution, but will also perform a "take down" service should a fraudulent entity be discovered.
Secure Identity Systems is the only company in the U.S. that offers the end-to-end solution for Red Flag compliance including: Initial Risk Assessment, Policies and Procedures Manual, New Account Authentication, Change of Address Verification, Identity Theft Protection with fully managed recovery, On-site Staff Training, and an Anti-Phishing Program. For additional information, please call (615) 377-7661, or e-mail: bansley@secureidentitysystems.com.
First published on BankersOnline.com 10/13/08