ID Theft Red Flags Rule: What Have Exams Uncovered?Most Institutions Compliant; Minority Challenged to Formalize Prevention Programs
So far, so good, regulators say. The majority of institutions examined have been in compliance, with a minority failing to either implement or document their ID theft prevention programs.
"Overall our institutions are doing pretty well in their exams," says April Breslaw, Director of Consumer Regulation at the Office of Thrift Supervision (OTS). "The vast majority is taking ID Theft Red Flags seriously and has implemented the program as required."
The Red Flags rule was adopted in late 2007, and regulators started examining for compliance last Nov. 1.
After six months of examinations, regulators found "substantial compliance" with the regulation, says Michael Jackson, spokesperson for the FDIC's regulatory compliance division. Yet, examiners also determined there were some common issues arising from institutions - including misidentified covered accounts, lack of security training for employees, and insufficient oversight of third-party service providers' compliance with the Red Flags Rule. So, the agencies in June issued guidance on Frequently Asked Questions. This guidance helped many institutions that were uncertain about their efforts, Breslaw says. "They appreciated the guidance. It didn't answer every single question that we were hearing, but it helped answer those that were coming up again and again."
The OTS incorporated the ID Theft Red Flags into its overall exam process for safety and soundness. S&S examinations occur once every 12 to 18 months for OTS-regulated institutions, Breslaw says. So, by the end of the second quarter 2010, all OTS-regulated banks will have been examined for Red Flags compliance.
Common Issues of Non-Compliance
While the majority of the 700 OTS-regulated institutions have passed their exams, a dozen or so institutions have had issues. "We've seen a small number of institutions that have a common thread of non-compliance with the regulation," Breslaw says. "Particularly, small institutions that have not formalized their programs -- there's the feeling that they're the small institution, and that they don't have to have a written program."
Some OTS-regulated institutions haven't done a risk assessment, Breslaw notes. "It is required. Everyone is expected to do a good faith look at the risks in their institution."
Every financial institution also must establish a written program that lays out how it will comply with the regulation. But some have failed to meet this requirement. "[Some] attempted to do a more informal program, but we're expecting it to be spelled out in writing," Breslaw says. Other institutions have missed the provision that the program must be updated periodically.
Those dozen or so non-compliant institutions are expected to have complete written programs in place the next time they are examined, she adds.
NCUA: 55 Credit Unions Violated Rule
The nation's credit unions have "overwhelmingly" been in compliance with the Red Flags rule, says Deborah Matz, Chair of the National Credit Union Administration (NCUA). But since examinations began, 59 violations of the rule have been reported in 55 credit unions, she says.
The predominant violation: failure to establish and implement an ID Theft Red Flags program. "NCUA remains committed to ensuring that those credit unions without proper Red Flag programs come into compliance as soon as possible," Matz says. "Like our Immediate Past Chairman Michael Fryzel, I believe it is important for credit unions to review their Red Flag programs on a regular basis to ensure their compliance."