For Star One Credit Union, which serves some 76,000 members in the heart of Silicon Valley, complying with federal Red Flag rules requires a lot of policy coordination and documentation.
"We have a lot of the pieces in place under current policy and procedure," said Lynn Brubaker, vice president of deposit services at Star One. "But Red Flags is requiring that we bring it all together under one policy and cross reference all those policies and procedures so that at a glance, an examiner or anyone could see what we're doing to mitigate ID theft," Brubaker said.
Once all the policies are coordinated, it will be a matter of training staffers, such as tellers, on how to spot a red flag, she said. Training will need to be job-specific and ongoing, she added.
The Red Flag rules, issued by the Federal Trade Commission and federal banking regulators last October, took effect Jan. 1. They require financial institutions and creditors to have policies and procedures for spotting red flags that indicate possible identity theft, and systems for thwarting the crime in connection with new and existing accounts. The regulations implement Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. Organizations must comply by Nov. 1.
For many financial institutions, compliance with the rules may be more about documentation of existing procedures -- as in Star One's case -- rather than starting from scratch. A Gartner survey of 50 U.S. banks conducted in March and released in May, showed that banks are spending more on fraud prevention this year, but not because of the Red Flag regulations. Sixty percent of the banks surveyed believe they're already compliant with the rules.
"The intent is to protect consumers from identity theft, but it probably just requires some fine tuning, not a major overhaul of what they're doing today in most cases," said Avivah Litan, vice president and distinguished analyst at Gartner.
"It depends on how important fraud is to an institution," she added. "Some of the large banks are taking this very seriously and looking at it as an opportunity to beef up their multi-channel, cross-channel strategies."
Craig Priess, vice president of marketing at Guardian Analytics, a supplier of online fraud prevention technology, said his company is getting a lot of questions about the Red Flag rules from financial institutions.
"It's definitely on the radar," he said, but added that the regulations aren't getting the same amount of attention as the Federal Financial Institutions Examination Council (FFIEC) guidelines for strong authentication.
In general, the regulations don't pose a huge problem for large financial institutions, said Jonathan Gossels, president and CEO of security consulting firm SystemExperts.
"What we're seeing is, it has to do with the size of an organization. Larger ones were moving down that path anyway. They're used to complying with regulations," he said. "Smaller organizations are always resource constrained, so any new regulation is a burden."
The FTC offers 26 examples of red flags that financial institutions and creditors can consider including in their identity theft prevention programs. They include: personal information provided by the customer isn't consistent with other personal data provided by the customer; an account is used in a way that is inconsistent with established activity patterns; and shortly after notice of a change of address, an institution receives a request for new or additional cards.
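As an added illustration that is not from the article, the FTC, or any vendor named here, the three example red flags above can be expressed as screening checks run over constructed account records; the 30-day window, the z-score threshold and the helper names are assumptions.

```python
"""Toy screening for three of the FTC red-flag examples (constructed data,
hypothetical helpers; not regulator or vendor code)."""
from datetime import date, timedelta
from statistics import mean, pstdev

WINDOW_DAYS = 30   # assumed: a card request this soon after an address change is suspicious
Z_THRESHOLD = 3.0  # assumed: how far a transaction may stray from the account's baseline

def inconsistent_personal_info(provided, on_file):
    """Red flag: fields the customer supplied disagree with data already held."""
    return sorted(k for k in provided if k in on_file and provided[k] != on_file[k])

def inconsistent_activity(history, amount, z=Z_THRESHOLD):
    """Red flag: an amount far outside the account's established activity pattern.
    Requires a few prior transactions to form a baseline."""
    if len(history) < 5:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount != mu
    return abs(amount - mu) / sigma > z

def card_request_after_address_change(events, window=WINDOW_DAYS):
    """Red flag: new or additional cards requested shortly after a change of address.
    events: (date, account_id, kind) tuples; returns the offending (account, date) pairs."""
    last_change, hits = {}, []
    for d, acct, kind in sorted(events):
        if kind == "address_change":
            last_change[acct] = d
        elif kind == "card_request" and acct in last_change \
                and d - last_change[acct] <= timedelta(days=window):
            hits.append((acct, d))
    return hits

# Constructed sample records
HISTORY = [42.0, 55.0, 38.0, 61.0, 47.0, 52.0]
EVENTS = [
    (date(2008, 6, 2), "A1", "address_change"),
    (date(2008, 6, 9), "A1", "card_request"),    # 7 days later: flagged
    (date(2008, 3, 1), "A2", "address_change"),
    (date(2008, 6, 9), "A2", "card_request"),    # 100 days later: not flagged
]

def screen():
    """Run all three checks over the constructed records."""
    return {
        "info": inconsistent_personal_info({"dob": "1970-01-01", "phone": "555-0100"},
                                           {"dob": "1970-01-01", "phone": "555-0199"}),
        "activity": inconsistent_activity(HISTORY, 900.0),
        "cards": card_request_after_address_change(EVENTS),
    }

if __name__ == "__main__":
    print(screen())
```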
"There isn't a defined set of red flags," Gossels said. "They're characteristics that an organization is supposed to develop to set up their red flags."
Compliance with the regulations is fundamentally about policies and procedures, but some technology can help, he added.
At Star One, the Guardian Analytics technology it implemented to secure its online channel will be a tool used in its overall Red Flags policy, said Margarete Mucker, vice president of remote services. Online banking is popular among its members, who are mostly high-tech workers.
Meeting the November compliance deadline won't be too difficult, Brubaker said, but she added that compliance will be an ongoing activity. "This is obviously a living, breathing document," she said.
Right now the credit union, which has assets of more than $3.5 billion, is performing its policy work manually, but is planning to implement software that will help automate the process, Brubaker said.
Gossels noted that the Red Flag rules affect more than financial institutions. They also impact businesses such as auto dealers, utility companies and telecommunications companies.
Auto dealers and smaller organizations will struggle with the rules, Gossels said. "Car dealers don't want to be in a position to deal with credit and reporting on discrepancies with addresses. That's not their business."
Litan also said non-banking businesses will be hit the hardest by the rules, but noted that there aren't enough FTC examiners to check their compliance. The FTC doesn't "have the staff to examine all these companies and most of them don't have anything in place," she said.