Wave that flag, wave it wide and high
Summertime done come and gone, my oh my
I’m Uncle Sam, that’s who I am
Been hiding out, in a rock and roll band
Shake the hand that shook the hand
Of P. T. Barnum and Charlie Chan
Shine your shoes, light your fuse
Can you use them old U.S. Blues
–Robert Hunter/Jerry Garcia
Can’t you just feel those U.S. Blues, Gonzo Nation? Unfortunately, the flag our industry is waving these days ain’t red, white and blue … it is simply RED! Bankers appear to have come down with a serious case of Red Flag fever, and the impetus for that flag waving is good ol’ Uncle Sam.
When are we going to catch a break? Seriously, we started off with the Patriot Act, then GLBA, OFAC, BASEL (which I thought was a spice, but one wasn’t good enough so we added BASEL II – guess we needed a little more flavor), SOX and then Multi-factor. I am certain I missed a few but the point is, with all this acronymic soup being thrown at us, when in the hell are we supposed to focus on banking? By banking, I mean “show me the money.” Spending all day and night laboring over regulatory propaganda just ain’t my idea of fun – and I suppose most in the Gonzo Nation aren’t whistling “zippity do da.”
But alas, we are bankers and it is our job to follow our government’s regulations and policies because we know deep down the government is only wanting us to do what is best for our customers (just thinking about it makes me almost shed a tear).
With that said, looming like an albatross is the Nov. 1, 2008, deadline for the Red Flag Rule. Every client I have visited or spoken with lately has mentioned that there is no way they are going to meet the Nov. 1 deadline. In a recent LexisNexis survey of more than 1,000 bankers, 84% said they either hadn’t started their red flag projects or were just starting them. An analyst at Gartner says, “Bankers aren’t paying it much notice, especially when you compare it to the attention the FFIEC guidance on multi-factor authentication received.” Well, my distinguished friend, my answer to the lack of attention is that the Red Flag Rule can’t be solved with a piece of software; consequently, the vendor community has nothing to peddle to the industry so the trade rags simply don’t mention it. I assure you if some vendor came up with a solution to solve the red flag compliance issue, we bankers would be like blind lemmings jumping off a cliff.
Nope, this time around if you are going to comply with the Red Flag Rule you are going to have to roll up those starched oxford button-downs, loosen the ties and get your hands dirty. However, not wanting to see any good banker mess up his manicured hands, I have put together the Gonzo Cliff Notes of the Red Flag Rule and what should be done to comply – because watching bankers run around like chickens with their heads cut off is just darn right embarrassing.
Let me first define a red flag – it is a pattern, practice or specific activity that indicates the possible risk of identity theft. Indicators of a “possible risk” would include phishing and security breaches involving the theft of personal information.
So beginning Nov. 1, 2008, new rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act will be mandated for any financial institution and creditor that offers or maintains one or more covered accounts. Specifically, section 114 directs financial institutions to issue guidelines regarding the detection, prevention and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances. Furthermore, section 315 also requires that financial institutions provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.
Basically, folks, we are talking about a souped-up Identity Theft Program. So here’s a Gonzo plan to help you keep the regulators happy and your customers’ identities safe.
Step One – Identity Theft Prevention Program
An Identity Theft Prevention Program should ensure there are reasonable policies and procedures in place to control the risks inherent in protecting customer data. The program should incorporate the following actions:
Step Two – Identity Theft Risk Assessment
Yes, friends, I realize the thought of yet another risk assessment sends shivers up your spine, but an Identity Theft Risk Assessment of your institution’s covered accounts is a critical (and unavoidable) aspect of your overall Identity Theft Prevention Program.
By definition, a covered account is “an account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account.” Covered accounts are also those that the financial institution or creditor offers or maintains “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”
A sample risk assessment could look something like the following:
| ACCOUNT | ACCESS | INHERENT |
|---|---|---|
| Deposit Accounts – Consumer & Business | | |
| Checking, Savings, Money Market | Account Opening: Account Access: | High |
| Certificates of Deposit, IRAs | Account Opening: Account Access: | Medium |
| Investments/Mutual Funds | Account Opening: Account Access: | Medium |
| Loan Accounts – Consumer | | |
| Mortgage, Home Equity | Account Opening: Account Access: | High |
| Personal Line of Credit | Account Opening: Account Access: | High |
| Credit Card | Account Opening: Account Access: | High |
| Automobile | Account Opening: Account Access: | Medium |
| Loan Accounts – Business | | |
| Commercial | Account Opening: Account Access: | Medium |
| Commercial Mortgage | Account Opening: Account Access: | Medium |
| Business Credit Card | Account Opening: Account Access: | High |
| Other Services | | |
| Safe Deposit Boxes | Account Opening: Account Access: | Medium |
| Lock Box | Account Opening: Account Access: | Medium |
| Remote Capture | Account Opening: Account Access: | Medium |
Step Three – Roles and Responsibilities
Bankers hate to be accountable for something like this, but hey, that is why you make the big bucks – right? Anyway, the Board of Directors must be responsible for:
The designated individual or committee must be responsible for:
Step Four – Identifying Policies & Procedures Addressing Identity Theft and Red Flags
The following are key policies and procedures that must be incorporated into your overall Identity Theft Program:
Final Steps
Once all of the aforementioned has taken place and your calloused hands have healed, the last few steps to compliance are not rocket science:
See, now that wasn’t so bad.
Our industry is under attack at the moment. Banks are failing left and right and customer confidence is … let’s just say I wouldn’t count on too many Christmas cards this year. The least we can do is demonstrate to our customers that we are looking out for them. Consequently, hoist up your red flags and wave them with pride because if you don’t, you may find your institution reluctantly waving a white one.
Reminder: GonzoBankers never surrender!
Later,
-tj