The Federal Trade Commission, the Federal Reserve, the National Credit Union Administration and other financial regulators have instituted what they call the Red Flag Rules. These rules, set out in the Fair and Accurate Credit Transactions Act, require financial institutions to set up written plans for identifying “red flag” transactions that could indicate identity theft or fraud.
Steps to Developing an Identity Theft Program
While the regulations may seem daunting, a prudent approach to developing a program need not be. A scalable approach to developing an identity theft program includes the following:
- scope and impact assessment,
- requirements analysis and gap assessment,
- gap closure plan and execution.
Scope and Impact Assessment
This analysis should begin with a review of existing policies and procedures, combined with a review of the red flag categories and the specific items defined in the regulation, to determine which types of accounts are currently being managed, which of those accounts are “covered accounts,” and, most importantly, which of the defined red flag activities are relevant to your organization for those accounts.
A key element of this review should be the development of a repeatable process to conduct this assessment on a periodic basis. This will enhance your organization’s ability to periodically update the program.
When reviewing the account categories and red flags for applicability, do not stop at what is defined in the regulations; review other areas where your organization has reason to believe there may be a risk of identity theft. This will enable your program to respond to new threats as they are identified.
When conducting the impact analysis, it is important to gain input from the personnel closest to the business to enhance the understanding of accounts being managed and the applicable risks.
After initial identification of accounts, relevant red flags, and existing policies and procedures, the next step is to determine how well your organization’s existing policies and procedures align with the regulation’s requirements; in other words, to identify the extent of the gap between your current capabilities and the new requirements.
There are only a few prescriptive measures in the regulations; however, a careful review of them can provide useful insights and suggested actions that serve as input for updates, allowing your organization to develop a program that responds appropriately.
Requirements Analysis and Gap Assessment
Generally, the gap assessment will reveal that the organization’s capabilities fall into one of three general categories. The first category indicates significant gaps in the areas of policy and process to facilitate the identification, response and mitigation of the threat of identity theft.
The second category may indicate that either formal or informal processes exist, but documentation may be lacking. The third category would indicate that processes exist, are appropriately documented and being applied within key areas of the company.
Gap Closure Plan and Execution
Once the gaps in the program are identified, developing and executing a “gap closure plan” is essential. For processes that already exist and are appropriately documented, the work is to note them and incorporate them into the program documentation.
For processes that are functioning, albeit without adequate documentation, appropriate updates to existing policies and procedures can be completed and incorporated into the overall identity theft program efforts.
Finally, attention should also be paid to developing or enhancing processes while considering existing identity theft and data protection efforts. The regulations include a broad range of criteria regarding detection and response to suspected identity theft. Determining which actions are appropriate for your organization is ultimately up to your team.
As stated above, the program must be documented and appropriate to the size of the organization. This will require that the relevant red flags be identified, the reporting structure and oversight of the program be appropriate, and that reporting of the effectiveness of the program be defined.
The reporting aspect of the program is a key element that should be considered as the program is developed; specifically, the program documentation should include the types of reports that will be created and the frequency with which they will be reviewed by senior management.
The program documentation should further contain specific references to the policies and procedures involved. Documentation is a challenge, but organizations should know which aspects of the rule actually apply to them, where those aspects apply within the organization, and what practices already exist.
As with any change, as new processes are put forward, it is critical that the people involved receive adequate training. Focused training for the individuals involved can be an effective way to make the process work. Training should be required on an ongoing basis, and the set of procedures around the Red Flag Rules should be tailored to each organization.
In conclusion, while some of this regulation may seem burdensome, it is important to remember that its ultimate goal is to help prevent the threat of fraud from identity theft. Mitigation of these threats is not only an expectation outlined in this regulation, but an increasing concern and expectation of customers and employees.