BITS Provides Regulators Feedback on Developing ID Theft “Red Flags” Programs

In 2006, the U.S. financial regulatory agencies estimated that it would take, on average, 41 hours to create an Identity Theft “Red Flags” Program, prepare an annual report, and train staff. In 2009, one of the regulatory agencies sought industry input on these estimates, as required by the Paperwork Reduction Act of 1995. While Roundtable/BITS members anticipated that the estimate was way too low, we have learned that for many of our member companies it took over 2,600 hours on average to comply with these new requirements.

In early July 2009, BITS, the technology and operations division of the Financial Services Roundtable, submitted a comment letter to the OCC revealing significantly higher compliance burden estimates. The letter is based on the results of a June 2009 survey to which eleven Roundtable/BITS member companies, representing a diverse mix of banking, brokerage, consumer finance, and insurance products, responded. The average amount of time spent on a “red flags” program was 2,650 hours, with a low of 250 hours and a high of 5,000 hours. To view the comment letter, click here.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires financial institutions that hold critical customer information to develop identity theft “red flags” programs for new and existing accounts by November 2008. Since the agencies issued the proposed rule in 2006, BITS has worked with member financial institutions and regulators to understand the new regulation and to develop cost-effective compliance strategies. Our efforts include:
•    Submitting a detailed comment letter in 2007 to the regulatory agencies on a proposed regulation.
•    Convening a dozen conference calls with members and regulators to understand the rule and discuss compliance strategies.
•    Submitting questions for the Frequently Asked Questions (FAQ) document in 2008.
•    Engaging credit bureaus, U.S. Postal Service and others on address discrepancy requirements.
•    Conducting two member surveys on implementation challenges and compliance burden.

An integral part of identity theft red flags programs is reliance on the Identity Theft Assistance Center (ITAC).  Federal financial regulators have begun examinations of financial institutions and the early indications are that financial institutions have developed robust and acceptable ID Theft Red Flags programs.

John Carlson is Senior Vice President of BITS/Financial Services Roundtable, where he manages relationships with regulatory agencies and engages experts from financial institutions on information security, operational risk, vendor management, fraud risk, and business continuity planning. BITS is the technology and operations division of the Financial Services Roundtable.

On June 11, the federal financial regulators and the Federal Trade Commission jointly issued answers to 37 frequently asked questions (FAQs) on the ID Theft “Red Flags” regulation. The FAQs are available on all of the agencies’ websites, and here is a link to the FDIC’s website.
