The Red Flags Deadline Is Looming: Best Practices to Meeting Guidelines and Implementing a Successful Solution

By Adam Elliott, President, ID Insight.  Reprinted from the CCH Federal Banking Law Reporter.

With roughly three months left until the FACT Act Red Flag Guidelines compliance deadline, it’s becoming apparent that we collectively have a large mountain to climb.

News on the Red Flag Guidelines can be found around every corner these days. Webinars, white papers and industry publications are bursting with information about the impending November 1 deadline. But despite the deadline’s increasing visibility, all of this discussion appears to have done little to spur banks and credit unions into action. In a recent survey by BankInfoSecurity.com, only half of financial institutions said they will beat the compliance deadline for the FACT Act Red Flag Guidelines.

This underscores much of what we have been seeing in the market. With the banking crisis still hanging out there, and the myriad of other challenges still looming, banks and credit unions are struggling to fully get their arms around the Red Flag Guidelines.

This is a bit ominous on many fronts. First, this suggests that many banks will not be compliant and will be faced with dealing with their auditors and regulators in the weeks and months after November 1. Second, we are seeing that there will be a mad rush to deploy solutions just prior to the deadline.

However, while the time is short, we do see some banks taking definitive action now to gear up for the date and methodically tracking to a plan to do so. As we have watched and listened to the marketplace, we have observed some best practices approaches to becoming compliant.

A Changing Compliance Environment

When the Fair and Accurate Transactions Act was signed into law in December of 2003, it received relatively little fanfare. Buried within the document, however, were the Red Flag Guidelines. These did not receive much initial attention, as the Red Flag Guidelines were initially written as a placeholder of sorts. The language was there, but it was not final and there was no compliance date set.

After many iterations and the commentary period, it was finally acknowledged by all governmental agencies and placed into the Federal Register in November of 2007. In publishing these new provisions, the date for compliance was set for November 1, 2008.

Since then, we have seen nearly a week by week change among banks on how they are addressing the deadline and how they are taking action. In January, everyone was heading into their “war rooms” to determine what the language actually said and what action would be needed.

From there, everyone started doing their “gap analysis” to see where they were covered and where they would need help. As it stands today, many banks and institutions are still in this analysis phase, and therefore will be hard pressed to make the date. Many others have now completed or are close to completing their analysis and have moved forward with trying to close those gaps.

Where Are the Gaps?

If you take a step back and consider the Red Flag Guidelines, here is a summary of what is being required:

1. Section 315 – If you pull a credit report from a credit bureau for permissible purpose and the address at the credit bureau is substantially different than that on the application, then the institution must resolve the address discrepancy to make sure it is not identity theft.
2. Section 114(B) – If you receive a customer request for an address change and the same customer requests a credit or debit card within 30 days, the financial institution must take steps to make sure it is not identity theft.
3. Section 114 (Red Flags) – In addition to Sections 315 and 114(B), if there is anything else that is indicative of identity theft, then the financial institution needs to identify, put controls in place and document in their Red Flag plan.

Another way to look at it: Financial institutions need to comply with the prescriptive requirements of 1 and 2 above, and if there is anything else that is indicative of identity theft – then this also needs to be resolved. Over time, all of this has been lumped under the “Red Flag Guidelines” umbrella.

As banks have gone through the gap analysis, the general theme we are seeing is that it is the two prescriptive pieces that are the typical gaps. Today – in financial services – it is much more common for banks not to screen address changes or address discrepancies. For many, the major “to-do” list is to put solutions and processes in place to solve for these first two requirements.

When we get to number three, it gets much more vague. First, the language says that you need to take action “if” it applies to you. And second, many or most of the potential Red Flags listed are already being addressed. For these situations, these existing processes simply need to be documented in the overall approved board of directors’ plan.

Best Practices

As the days go by, we continue to hone in much more specifically on what constitutes a “best practices” approach to preparing for Red Flags. Through our work with a range of banks implementing new strategies and solutions to meet the Red Flag guidelines, we have gathered a number of guiding principles to aid in creating a streamlined process with a successful result, including:

1. Implement an enterprise plan. Among the largest institutions, we are seeing that in developing their plan, they “want” to look at it from an enterprise level, but this is easier than it sounds. Those who have been able to look at solutions on an enterprise level have been much more action oriented, have fewer people involved and therefore have been able to make decisions much more quickly.
2. Use smaller teams. As banks of all sizes have assembled their project teams, we have observed that smaller teams are able to work much more efficiently. Make sure to have the right people from your compliance, fraud and IT departments involved, but resist the temptation to create a committee of the masses. We are working with one regional bank right now that has a team of 15 people, and the chairman can’t get anyone to return his emails and phone calls. This bank is not going to make it before November 1.
3. Don’t cut corners. I have heard many banks say they’re looking to simply “check the box” and do whatever is minimally needed to become compliant. I mentioned this to a top 10 bank, and they were adamant that they were going to use this opportunity to not just comply, but to “get it right.” Right now, the FACT Act torch is burning bright, so use that focus and attention (and budget) to do it the right way. It will be more difficult to change when things go back to normal, and more costly if it has to be re-done in the long run.
4. Screen all address changes. While the Red Flags stipulate that you only need to screen address changes followed by a request for a credit or debit card, this really is not sufficient as the identity thief can also request personal checks, convenience checks, etc. Trying to connect all of these systems is more costly than simply screening address changes the moment they happen. This will result in less expense and more identity theft and fraud prevented in the long run.
5. Avoid sending “the letter.” To screen address changes, one of the options is to send a letter to your customer at the old and new address to confirm the address change, to the effect of: “Mr. Smith, we see that an address change was requested. If that wasn’t you—please call!” While it may seem easy to simply send a letter, it is very costly, does not catch the fraud and provides a customer-service headache when calls start coming in from people wondering why they haven’t yet received their card.
6. Adopt new technology. In a world of information and analytics, look instead to use data and information related to the address changes that can immediately identify high-risk address changes. Why is Mr. Smith moving from his suburban 2,500-square-foot home 500 miles away to a vacant lot in the highest-crime part of the big city? By accessing billions of pieces of information instantly, you can now catch the fraud before it happens, alleviate manual processes, and be compliant—all at a fraction of the cost of traditional methods.
7. Demand documentation. As you are considering deploying these new processes, make sure that they are iron-clad auditable. If you are thinking of sending a letter—how do you prove it got delivered? If you are going to have someone manually review a case, determine how it will be documented – every time. Your auditors will appreciate it.

Whether you choose to be compliant on November 1 or shortly thereafter, pick your date and then begin tracking to it. You can be wielding a big stick right now. Use it to your advantage.

ABOUT THE AUTHOR

Adam Elliott is president of Minnesota-based ID Insight, the innovator in using access-point intelligence to reduce fraud. The company’s solutions, Safe2Change^SM, Safe2Ship^SM, AddressWatch^SM and CompleteID^SM, utilize a combination of extensive data and cutting-edge analytics to allow financial institutions to approve more requests, eliminate identity fraud and slash operating expense. For more information, visit www.idinsight.com or call 877-749-8731.

Product Spotlight

Bankruptcy Law Guide    New bankruptcy legislative requirements and changing economic conditions have drastically increased the amount of information required to handle this costly and uncertain area of law. The Bankruptcy Law Reporter provides all the most up-to-date information necessary to navigate the maze of bankruptcy law. Whether it's simply ensuring your company is on solid legal and financial ground, settling court disputes or protecting your own personal interests in a corporate or personal case, the answers are all here.   More Info...

Bank Digest Bank Digest tracks the latest banking activity, regulatory changes and trends in federal banking policy. Each day, Bank Digest provides both a concise abstract and the full text of that day's releases from the federal agencies that impact the banking industry. Bank Digest also provides additional detail of significant events in weekly and monthly features.   More Info...

Consumer Credit Guide In the past, many states have attempted to cure problems and abuses that have appeared on a "one-at-a-time" basis, resulting in a multiplicity of consumer credit laws. In addition, the federal government has injected standards into broad areas of consumer credit previously regulated only by the states. The CCH Consumer Credit Guide publishes the information that you need to succeed in the complex area of state and federal consumer credit laws and regulations.   More Info...

Financial Privacy Law Guide This product provides comprehensive coverage of federal and state laws, regulations, interpretations and decisions. The Guide covers data security, insurance and health information privacy, fair credit reporting, bank secrecy, identity theft, the Gramm-Leach-Bliley Act, the E-Sign Act, the Electronic Fund Transfer Act, the Freedom of Information Act, the Right to Financial Privacy Act and international privacy. More Info...

State Banking Law Reporter Expedite your research with the CCH© State Banking Law Reporter. Now there's a single source for state banking law, giving banking professionals and legal counsel ready access to the information you need. State Banking Law Reporter combines the full text of state laws and regulations with authoritative explanations and consistent, topical organization.   More Info...