ID Theft Red Flags: 8 Tips for Better Risk Management
Advice for Ensuring Compliance with the New Regulation
Effective November 1, 2008, all federally regulated banks, credit card companies and other financial institutions must be in full compliance with the Identity Theft Red Flags Rule, which is designed to help financial services firms protect consumers' identities. The goal of the rule is to "flag" attempted and actual identity theft early, thereby reducing the consequences of identity theft.
Each institution's program must include policies and procedures for detecting, preventing and mitigating identity theft. The program must also set out a list of red flag activities that signal possible identity theft and a response plan for when a flag is raised. In addition, each financial institution must update its program periodically to reflect changes in identity theft risk and implement a risk management program as part of its ID Theft Red Flags compliance.
"All banks, irrespective of size, should have a well-defined and delegated risk management function to be able to address risk effectively," says Jill Frisby, manager of the risk consulting practice at Crowe Chizek. "ID Theft Red Flags is a monitoring protocol where the goal is to understand who your customer is and focus on who they say they are."
Banking institutions need to act on the indicators and red flags the regulation identifies in order to protect their business and their customers from identity thieves, and they should treat the risk management effort not as a product but as an ongoing process in order to stay compliant.
Frisby works with community banks and large regional banks, helping them implement, maintain and comply with privacy, risk and security regulations. Here she outlines the steps every bank or financial institution should take to implement an enterprise-wide risk management program as part of its ID Theft Red Flags policy:
1. Assess in detail each of the institution's products and service offerings, and determine which red flags and what level of risk apply to each one. Credit cards, for example, pose a high risk because they are a frequent target of fraudulent activity, and therefore need a high level of monitoring.
2. Combine automated and manual checks for red flag items where necessary.
3. Focus on the different channels through which these products and services are delivered to end users. For example, access over the internet carries more risk than a transaction conducted in person at a branch.
4. Allocate attention to each product and service offering in proportion to its risk. High-risk offerings demand more attention.
5. Study the institution's historical data to identify past fraud activity and the patterns behind it.
6. Integrate the risk management program with existing security and privacy programs by using a common approach to risk assessment across departments and sharing the results of each department's assessment with the others. This makes clear which regulation drives each risk or red flag action item, avoids duplicated effort, and lets the institution focus its checks on the items that are relevant.
7. Do not depend entirely on a vendor or service bureau to put checks in place or to conduct its own risk assessment. Instead, the financial institution should initiate and run a thorough risk assessment program covering each of its service bureaus, so that the checks are complete and are kept up to date.
8. Appoint a key person to take charge and ownership of the risk management process. This person should initiate an annual review of the program's effectiveness, adopt a revision process, monitor and continually analyze current industry conditions and the institution's risk profile, appoint a committee to ensure that an appropriate program is deployed, and propose and make changes as needed.