The provisions are requiring organizations to develop and implement a written identity theft prevention program that would be approved by an appropriate senior-level management committee. It's supposed to be a program that would also include various components reflecting the appropriate governance structure as well as how the program would be administered on a continuing basis; it should also address policies and procedures around the identity theft program. This obviously incorporates the risk assessment process: an organization would need to identify the types of covered accounts that are described in the rule. The company would also need to reflect, for example, how it has looked at its service provider community and its policies concerning ongoing training and awareness internally as well as for customers. Finally, there's a requirement to report on the effectiveness of the program…The rule also mentions that this program should be a standalone program, not necessarily confused with or buried in existing anti-money laundering processes. Financial security managers have said they were already doing a lot of what the Red Flag regulation requires, but the challenge is documentation. What advice do you have for them?
An effective approach is first to understand what aspects of the rule -- and the red flags that are listed in the rule -- actually apply to the organization, and then understand what practices are already in place in the organization that address them. While the rule indicates that it should be a standalone program, it's not clear what the definition of standalone program is.
One of the challenges many of our clients have is the competing compliance requirements. While the program may need to be to initially established as a standalone, that doesn't mean it can't be integrated with other practices. Once you understand what you're doing today, there's a challenge around documentation…. you have to document that you have "a written program." The guidance doesn't necessarily tell you what that should look like or how extensive those policies and procedures should be, but it's important there should be documentation around the risk assessment process. One of the things the regulators always look at is the process you went through to determine your risk levels and how you're going to mitigate those. There are other challenges around documenting what you're doing to provide ongoing training and awareness, and ultimately deciding what the right level of reporting that's required at what levels of management is… There is really documentation at two levels: first, documenting how you went through the risk-assessment process and, second, documenting the practices that will be in place to mitigate risk going forward. Can you elaborate on the training requirements?
Training should be looked at on two levels. One is general training and awareness for the mass of employees and customers around the program itself: Why are we doing this, what's required of us, and what are we doing on an ongoing basis? The next level down would be to understand how the training relates to specific red flags.
The training and awareness around the specific red flags should be tailored to a particular practice at the organization. For example, most organizations have an existing third-party or service provider risk assessment process. They would need to update their policies and procedures to make sure they incorporated attention to the appropriate red flags for those service providers who are involved in either the processing or collection of data in covered accounts. Individuals who are executing those procedures would need to be aware of that program and how the results need to be reported. Are financial institutions aware that the Red Flag provisions incorporate requirements for service providers?
It's one aspect of the Red Flag rules that is not necessarily highlighted but it's referenced and noted that institutions need to address this. Again, there's no firm guidance on how to go about doing it. Third-party service providers and business partners [that handle information in covered accounts] are probably one of the biggest risks related to privacy, data protection and identity theft. It's been important for us to make them [clients] aware of how important that component is to their overall program. What are your recommendations for ongoing compliance?
Our recommendation would be to address the specific provisions of the rule by looking at them in light of existing risk management and compliance initiatives as they relate to data protection, identity theft and privacy and anti-money laundering and customer identification programs, to ensure there is a holistic view. Oftentimes, we've seen that organizations will create a new program -- maybe in one part of the business or selected parts of the business -- without a holistic view, particularly as it relates to governance and oversight as well risk assessment. While the rules are requiring institutions to make sure this is a standalone program… this is very much an issue around protection of data. So integrating this with existing programs will allow institutions to address these issues on an ongoing, sustainable basis as opposed to creating something that's more onerous than it needs to be. Will the upheaval in the financial services industry affect compliance efforts?
In the short term, all of these events clearly are a distraction from the day-to-day plans and practices. The longer term implications are continued competition for time, money and resources to address these issues. I don't believe the regulators are going to allow organizations to use the current market conditions as an excuse for not addressing these requirements. [Market conditions] make it that much more important to integrate this with existing practices. There's already tremendous pressure on organizations around fraud, identity theft, and data protection; this is just adding to it. Over the last eight to 12 months, the regulators have raised the bar relative to practices in these areas...it's not sufficient to have policies and procedures; they want to know more about where the data is, how you are protecting it, and how you are protecting your customers and employees.