ID Theft Red Flags Compliance Will Impact Examinations for Years to Come
Some think this will have a minor impact based upon the assumption that much of what's needed is already in place and simply needs to be coordinated better. Others think it will require some effort upfront, including strengthening related control activities and creation of appropriate documentation (a.k.a. policies and procedures). Personally, I think this is going to have a dramatic impact on the institutions we work with; only it will take time for events to unfold.
My thinking is based largely on the fact that much of what will serve as the foundation for Red Flags, the elements that are supposed to already be in place and functioning, are going to receive greater scrutiny and be found to be flawed. Incident response plans, risk assessment approaches and capabilities, as well as the ability to coordinate and track activities across functional lines are all going to be cast out into the spotlight. And from what I've seen first-hand in the field, I think they will reveal themselves to be less than what management is expecting and, more importantly, less than what the examiners consider acceptable.
Personally, I think [ID Theft Red Flags compliance] is going to have a dramatic impact on the institutions we work with; only it will take time for events to unfold.
Much like what's happening now with Vendor Management, once the examiners start scratching at the surface of existing practices, they'll find disconnects between policies and their related procedures and insufficient evidence to prove compliance with either. I know this because I see it all the time when conducting audits and assessments or reviewing reports from my team.
As to why I think the issues will take time to unfold, it's simply a matter of basic arithmetic. There are only so many examiners conducting fieldwork with so many cycles to spend conducting exams. During year one of Red Flags, they're going to check for the programs existence and design and offer an opinion as to its completeness. In year two, they're going to look for evidence of compliance with the program, and that's when they're going to start digging deeper. That's when I'm predicting the impact takes a decided turn from little more than minimal to being tap-dead center on the Board of Directors tracking radar.
My guess is that in somewhere between nine and 15 months this will become the hottest compliance topic and hold that position for a while.
Of course only time will tell how this plays out. I'm hopeful that many institutions will make the necessary adjustments in advance of needing to, but I'm not expecting it.