Tag: Red Flags

12 Jan 2011

Trust and Risk Online

In a recently released paper by the Brookings Institute, the authors address the issue of trust in an increasingly on-line business environment. They focus on the difficulty of establishing, maintaining and verifying identity on-line, and on how the trust relationship between on-line services and consumers is being threatened by weaknesses in this identity layer component.

Although the paper is not specifically geared toward the banking industry, it does contain several items of interest to bankers. Its discussion of on-line identity attacks is relevant to the emerging interest in social media. Social engineering is also a topic of interest to banks, and has been for some time. There is also a mention of the Red Flags model, and of how compliance with the regulation (which started 12/31/2010) requires a strong identity authentication component. They do note that the existing FFIEC authentication guidance is a good model, but they recognize that the Red Flags rule, and other financial institution guidance, falls short because:

“…three of the top five targets for phishing attacks in 2010 (eBay, Facebook, and Google) are not financial services web sites (Gudkova, 2010), and are thus not necessarily covered by extant rules. Many other online services, including webmail sites, web hosting sites and social network sites are frequent targets. Clearly they are attractive targets for malicious actors seeking identity information, even if those identities are not actually the paying customers of those firms. Access to credentials of these sites can expose highly sensitive information and serve as the jumping off point to serious and highly customized fraud attempts.”

In the end, financial institution risk managers must carefully consider the risks of this “identity layer” in the current environment, and weigh them against the potential benefits of social media.  The paper is definitely worth a read…highly recommended.

21 Dec 2010

Red Flag enforcement to start 12/31

With the signing of legislation on 12/18 exempting certain health care practitioners and other businesses from complying with the Red Flags Rules, the way would seem to be clear for enforcement to begin at the end of this month. Financial institutions have had to comply with the guidelines since 1/1/2008, but regulatory enforcement has been delayed several times as organizations representing attorneys and physicians lobbied to exempt these professionals from complying.

A Red Flag is defined by the FTC as “…a pattern, practice, or specific activity that indicates the possible existence of identity theft.”  Financial institutions are expected to already have established a formal Identity Theft Prevention Program that contains reasonable policies and procedures to:

  • Identify
  • Detect, and
  • Respond…

…to any Red Flags that might indicate the presence of ID theft.  You must also have a process in place for administering the program, which includes involving the Board and senior management, training your staff, and the appropriate oversight of service providers.

Expect examiners to ask to review your ID Theft Program in your next examination, and request that your next audit include a review as well.

27 Oct 2010

ID Theft and SAR filings

In the past, authoritative reports on identity theft have used surveys conducted with the general public to collect ID theft related data. However, in a recent FinCEN report, the data came directly from SARs filed by the financial institutions themselves, resulting in a much more accurate assessment of the scope of the identity theft problem.

About the SAR: The most recent version of the Suspicious Activity Report (SAR) is dated July 2003, and has required financial institutions to report in the separate category of identity theft since 2004.  (It’s found in Part III, 35 (u), with the narrative in Part V.)  Since the category was made available, the number of SAR filings reporting identity theft has gone from 15,445 in 2004, to 36,210 for 2009.

About ID Theft: The ID Theft/Red Flags Act is actually titled “Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003”, and was approved by the FFIEC and all regulatory bodies in October 2007, with compliance mandatory by November 2008. Since then enforcement has been delayed several times, most recently until December 2010. This does not extend the requirement for financial institutions to comply with the act, only regulatory enforcement. All institutions should have (at the very least) an ID Theft policy, as well as established procedures.

About the report findings: There were a number of interesting findings in this report, but the most interesting to me was that the 2 most commonly identified Red Flags (as listed in Supplement A to Appendix A of the act) were #25 and #26:

  • 25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
  • 26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

These 2 Red Flags accounted for 75% and 23% respectively of all filings. This is interesting because it appears that the vast majority of the ID theft notifications are coming from the customers themselves. When combined with the finding that 43% of ID theft related activity is discovered within 4 weeks, perhaps the most effective loss prevention control for institutions to consider is one that delivers account information to the customer more quickly.

21 Jun 2010

Red Flag enforcement delayed until 12/31/10

The FTC has decided to further delay the enforcement of the “Red Flags” rule (although this does NOT affect the original 11/1/2008 deadline for compliance). This is the second delay since the rule became effective 1/1/2008.

Institutions should have a policy and procedures in place NOW, as examiners will undoubtedly be checking policy revision and approval dates once enforcement begins.

Additional help is available here.