Red Flags Wave as November Nears: Answers to Common Questions

By: (CISA, CISSP, CRISC)

Publication: BankNews, September 2008

If you had Googled "Red Flag" 6 months ago, it would have returned page after page of links to sites selling flags or discussing martial law. Today, if you search "Red Flag" you begin to see many advertisements and links to Identity Theft.

For the Financial, Auto, Telco, Energy, etc. industries, the term "Red Flag" has become synonymous with the new Identity Theft Red Flag rules and guidelines. These new rules require financial institutions or creditors to have a written Identity Theft Prevention Program (herein Program) in place to detect, prevent, and mitigate identity theft in connection with opening or accessing certain accounts by November 1, 2008!

While some studies indicate many financial institutions will be in compliance by the deadline, most surveys and analysts suggest almost half of financial institutions will not have a Program in place by November 1st. For those looking for some basic answers, a few commonly asked questions and answers associated with the new rules are compiled below:

In summary, what are my requirements under the new rules?

Each financial institution or creditor that offers or maintains covered accounts must develop a Program to detect, prevent, and mitigate identity theft. The Program must be updated regularly, include risk management, training, service provider oversight, and be reported to the Board of Directors or a committee of the Board at least annually.

I already have Identity Theft covered in my Information Security Program or Fraud Prevention Program, is that good enough, or do I need a separate Program?

The final ruling clearly states you must have a separate Identity Theft Prevention Program; however, you can incorporate into it existing policies and procedures, such as those already developed in connection with your Information Security Program, Customer Identification Program, or Fraud Prevention Program.

What is a covered account?

For the purposes of the Program, a covered account is:

"(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks."

What must be included in the Risk Assessment?

The risk assessment is possibly the most talked about component of the ruling; however, it receives perhaps the least amount of attention within the guidelines. In fact, the term "risk assessment" is used only once in the final regulation:

"Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section . . ."

However, with any successful Program, risk management is key. We recommend approaching the risk assessment from a risk mitigation standpoint.

First, let us consider our risk levels. At a minimum, we want to consider the likelihood of identity theft, the potential damage associated with identity theft, and finally, the overall risk of identity theft. We should probably break this down by account type since one account may have a higher risk of identity theft than another. For example, the risk of identity theft could be greater for a credit account than a safe deposit account.

Second, we must define the threats associated with identity theft. If you boil the threat of identity theft down to its basics, you uncover two threats: fraudulently opening an account, and hijacking an existing account (unauthorized access). So, we need to consider each of these threats for each covered account.

Next, we need to determine the methods used to open or access the accounts, since the channel may increase or decrease the risk. For example, the risk associated with opening a credit account in person may be less than the risk associated with opening a credit account over the Internet.

Finally, we need to consider our previous experiences with identity theft. These trends can help determine and define higher risk areas. For example, you may be able to determine from prior experience that the risk of unauthorized access to deposit accounts is greater than the risk of unauthorized access to lending accounts.

Once you have completed the risk assessment for opening and accessing each covered account, you will have the information you need to ensure your controls (red flags) are appropriate to mitigate the risk.

Do I have to incorporate all 26 Red Flags from Supplement A into my Program?

No, the 26 Red Flags listed in Supplement A to Appendix J are only "illustrative examples". In addition, you are not limited to using only the 26 "example" Red Flags; you can also create your own. If you choose not to use one of the examples, we do recommend you document why. This will be helpful once you begin the examination phase.

Under the final rules, I know I am required to "exercise appropriate and effective oversight of service provider arrangements", but what does that mean, and what is the definition of a service provider?

The term "service provider" used in the final ruling was based upon the definition of "service provider" in the Information Security Standards: "service provider means a person that provides a service directly to the financial institution or creditor." The greatest risk is associated with service providers that perform activities in connection with one or more of your institution's covered accounts, for example, a service provider that opens loan or lending accounts on your behalf. Many banks are simply managing the service providers through contractual requirements; however, some banks are going so far as to audit the service providers to ensure customer data is protected.

What does the annual report to the Board of Directors need to include?

Each financial institution must report to the Board of Directors, an appropriate committee of the Board, or a designated employee at the level of senior management at least annually. The report should include:

  • effectiveness of policies and procedures in addressing the risk of identity theft in connection with opening or accessing covered accounts;
  • service provider arrangements;
  • significant incidents involving identity theft and management’s responses; and
  • recommendations for material changes to the program.

Where can I go to read the final rules and guidelines in their entirety?

To view the entire final ruling, visit conetrix.com/Files/ITPP_Regulation.pdf.