Q&A: John Carlson, Senior Vice President of BITS/Financial Services Roundtable Discusses “Red Flags” Rule

Following is an exclusive Q&A with John Carlson, Senior Vice President of BITS/Financial Services Roundtable, who shared his insights into the Identity Theft “Red Flags Rule,” which requires creditors and financial services companies to develop a program to detect, prevent and minimize the damage that could result from identity theft. The compliance deadline for financial institutions was Nov. 1, 2008. The FTC delayed enforcement for non-financial institutions until May 1, 2009. And, it was announced recently that the deadline was extended to August 1, 2009.

Q: Tell Us About the Red Flags Regulation.
A: The Red Flags Rule requires many financial institutions and any other businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations.

The compliance deadline for financial institutions was November 1, 2008, but the FTC delayed its enforcement of the rules until May 1, 2009, and now it’s been extended to August 1, 2009, to give non-financial institutions more time to comply.

Q: What must financial institutions do to comply with the ruling?
A: The key elements are spelled out in the 60-page regulation. The risk-based rule requires each institution/creditor that holds customer accounts (or any other account for which there is a reasonably foreseeable risk of identity theft) to:

• Identify relevant patterns, practices and specific forms of activity
• Respond to red flags and incorporate them into the program
• Oversee service providers
• Train staff
• Obtain approval of a written program by senior management or the board of directors, and
• Provide continued oversight and updating of the program.

In addition, the rule includes “guidelines” that are more detailed and include 26 illustrative examples of red flags that institutions may consider in developing their program. These examples address: alerts from consumer reporting agencies, suspicious documents, suspicious personal identifying information, suspicious activity with a covered account and notices of suspicious activity.

Q: What is BITS doing regarding this regulation?
A: We have actually been very busy over the past two years in preparing for this regulation. As you may know, BITS is the technology and operations division of the Financial Services Roundtable, and primarily we have been working with executives from member financial institutions and regulators to understand the new regulation and to develop cost-effective compliance strategies.

Specifically, we submitted a detailed comment letter to the federal regulatory agencies in 2007 in response to the proposed regulation; convened a dozen conference calls with an average of 75 members on each call to better understand the rule and discuss common compliance strategies; engaged credit bureaus, the U.S. Postal Service and others on address discrepancy requirements; conducted a survey on challenges with developing red flags programs with input from 32 member companies; and engaged regulators to understand the requirements and their interpretation.

Q: What are the cost requirements of this ruling?
A: Given the way the regulatory agencies drafted the rules, there is some flexibility to develop programs that are risk-based and an integral part of existing programs, including fraud and customer authentication. The good news is that the regulation is drawing attention from the many parties (e.g., financial institutions, creditors, universities, credit bureaus, medical professionals, third party service providers, government agencies) that play an important role in preventing, detecting and responding to fraud and identity theft.

While new regulatory requirements usually add new costs, they can, if done well, help organizations better manage the risks while protecting consumers at the same time. For some financial institutions, the regulation provided a means for developing better fraud prevention programs that cut across multiple lines of business. For institutions that are not used to protecting personally identifiable information, the regulation could be very expensive to implement. Financial institutions are very good at protecting personally identifiable information. Given the tough economic environment, our members have looked at ways to implement cost-effective identity theft red flags programs.

Q: What role does ITAC, the Identity Theft Assistance Center play in this?
A: ITAC will play an integral part in implementing an identity theft red flags program for the vast majority of Roundtable members, as well as those who have participated in the BITS red flags discussions and are using it as part of their comprehensive identity theft program.

John Carlson is Senior Vice President of BITS/Financial Services Roundtable where he oversees the BITS regulatory program covering information security, operational risk, vendor management, fraud risk, and business continuity planning. BITS is the technology and operations division of the Financial Services Roundtable.
