Banks’ and credit unions’ roles in protecting customers from identity theft are about to expand, but only about one-third of Massachusetts institutions will be ready by the time the new “Red Flags” regulation goes into effect on Nov. 1, industry analysts say.
“A lot of banks think that their compliance with prior regulations is going to cover them,” said George Tubin, research analyst at Needham financial services firm The Tower Group, who recently authored a report on the rules. “But it’s clear from what’s being written that the regulators are asking for a lot more.”
Under the red flags rules – the latest-to-be-implemented section of the 2003 Fair and Accurate Credit Transactions Act – the five federal bank and credit union regulators have put out a list of 26 warnings that financial institutions must now watch for in protecting customers from identity theft.
Among other things, they will now have to present evidence that they have steps in place to detect whether new revolving credit accounts are used in a manner commonly associated with known fraud patterns, or verify that a Social Security number provided by a potential customer matches actual numbers issued during the year the customer was born.
The rules cover consumer deposit and lending accounts, as well as certain small business accounts and lines of credit.
You’re On Your Own
Some banks and credit unions may think their compliance with the related Bank Secrecy Act and Gramm-Leach-Bliley laws covers their responsibilities under the red flags rules, Tubin said, but the new rules will be different.
For one thing, they leave the matter of how a bank complies up to the bank.
Historically, banks have gotten more direction on how to comply with regulations, he said.
To date, just one regulator – the Office of Thrift Supervision – has released actual exam guidelines, showing how it will assess compliance with Red Flags rules, said Stephen King, director of the regulatory compliance services group at Boston accounting firm Wolf & Co.
And there’s another difference: Gramm-Leach-Bliley requires banks to keep individual customer information safe from computer hackers and the like, King explained, while the red flags rules instruct them that, like credit card companies, they must also prevent identity thieves from attempting to use a customer’s information.
“Gramm-Leach-Bliley is about loss of individual information. What the red flags are really gearing toward is the [improper] utilization of that information,” King said.
The Bank Secrecy Act, meanwhile, requires financial institutions to report suspicious account activity specifically in cases where they think it could be a sign of criminal activity – such as money laundering or tax evasion.
Risk advisors are telling clients to assume their compliance with the new rules will be judged by safety, soundness and consumer protection standards.
OTS exam guidelines state that accounts covered encompass all those that present “a foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.”
Wolf & Co. has advised clients that, in preparing their red flags compliance plan, they must consider “financial, compliance, operational, litigation and reputation risks,” as well as “identity theft risks, detection methods and responses.”
Henry Liu, compliance officer at $3.6 billion Middlesex Savings Bank in Natick, said the bank’s red flags compliance plan is nearly complete.
“It required a lot of effort,” he said. “But as technology improves, so does the ability of identity thieves to go after information. So I recognize the need.”
Many of the red flags examples regulators defined are, in fact, covered by Bank Secrecy Act compliance procedures already in place, he said. But not all.
One example that has been causing concern is no. 21 on the list, which requires banks to determine that “a covered account is used in a manner that is not consistent with established patterns of activity on the account.”
“It’s a challenge to come up with a defendable and reasonable approach to that item,” Liu said. “For a bank our size, with six digits’ worth of customers, how are you going to monitor all those transactions?”
Middlesex Savings hired an outside vendor, Falcon Fraud, earlier this year to help it detect inconsistent activity on debit and credit card accounts, he said. But line-of-credit accounts will have to be addressed otherwise.
Still, he believes the bank will be ready by Nov. 1.
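Red flag no. 21 asks for a “defendable and reasonable approach” to spotting account use that departs from established patterns. The script below is an added illustration of one such approach; it is not code from the article, from Middlesex Savings or from any vendor named here. It assumes (my assumption, not the article’s) that an account’s established pattern can be summarised by the median and median absolute deviation (MAD) of its transaction amounts, the countries it has transacted in and the hours of day it has been active; it scores each new transaction against that baseline with a modified z-score, and it reports thin history as an explicit “cannot score” outcome rather than silently passing the transaction. Every transaction in it is constructed sample data.

```python
"""Baseline-deviation check for red flag no. 21 (constructed example).

Assumptions, not taken from the article: an account's "established pattern"
is the median and MAD of its amounts, the countries it has used and the
hours of day it has been active.  Accounts with too little history are
reported as unscorable instead of being treated as consistent.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

MIN_HISTORY = 10       # assumption: fewer past transactions than this = no usable pattern
AMOUNT_Z_LIMIT = 3.5   # modified z-score cut-off (Iglewicz & Hoaglin convention)


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    amount: float
    country: str


@dataclass
class Baseline:
    count: int
    median_amount: float
    mad: float
    countries: frozenset
    hours: frozenset


def build_baselines(history):
    """Summarise each account's past activity into a Baseline."""
    by_account = defaultdict(list)
    for t in history:
        by_account[t.account].append(t)
    baselines = {}
    for acct, txns in by_account.items():
        amounts = [t.amount for t in txns]
        med = median(amounts)
        mad = median([abs(a - med) for a in amounts])
        baselines[acct] = Baseline(
            count=len(txns), median_amount=med, mad=mad,
            countries=frozenset(t.country for t in txns),
            hours=frozenset(t.ts.hour for t in txns))
    return baselines


def score(txn, baseline):
    """Return the reasons a transaction departs from the account's baseline.

    An empty list means the transaction is consistent with the pattern;
    "insufficient_history" means no defensible pattern exists yet.
    """
    if baseline is None or baseline.count < MIN_HISTORY:
        return ["insufficient_history"]
    reasons = []
    # Robust amount check: modified z = 0.6745 * |x - median| / MAD.
    # Assumption: floor the scale at 1.0 when every past amount was identical.
    scale = baseline.mad if baseline.mad > 0 else 1.0
    if 0.6745 * abs(txn.amount - baseline.median_amount) / scale > AMOUNT_Z_LIMIT:
        reasons.append("amount_outlier")
    if txn.country not in baseline.countries:
        reasons.append("unseen_country")
    if txn.ts.hour not in baseline.hours:
        reasons.append("unusual_hour")
    return reasons


def flag_inconsistent(history, new_txns):
    """Pair each new transaction with its list of reasons."""
    baselines = build_baselines(history)
    return [(t, score(t, baselines.get(t.account))) for t in new_txns]


def _t(acct, when, amount, country="US"):
    return Txn(acct, datetime.fromisoformat(when), amount, country)


# Constructed history: acct-001 is a daytime, domestic, small-ticket account;
# acct-002 has only two transactions and therefore no usable pattern yet.
HISTORY = [
    _t("acct-001", "2008-09-01T09:15", 22), _t("acct-001", "2008-09-02T10:40", 35),
    _t("acct-001", "2008-09-03T11:05", 41), _t("acct-001", "2008-09-04T12:20", 18),
    _t("acct-001", "2008-09-05T13:50", 56), _t("acct-001", "2008-09-08T14:10", 29),
    _t("acct-001", "2008-09-09T15:30", 33), _t("acct-001", "2008-09-10T16:45", 47),
    _t("acct-001", "2008-09-11T17:05", 25), _t("acct-001", "2008-09-12T18:25", 39),
    _t("acct-001", "2008-09-15T12:00", 31), _t("acct-001", "2008-09-16T15:15", 44),
    _t("acct-002", "2008-09-03T10:00", 50), _t("acct-002", "2008-09-10T11:00", 55),
]

# Constructed new activity to score against that history.
NEW = [
    _t("acct-001", "2008-10-02T12:30", 45),          # in pattern
    _t("acct-001", "2008-10-02T14:10", 2400),        # amount far outside pattern
    _t("acct-001", "2008-10-03T03:05", 30, "RO"),    # new country, night-time
    _t("acct-002", "2008-10-03T10:00", 60),          # too little history to judge
]

if __name__ == "__main__":
    for txn, reasons in flag_inconsistent(HISTORY, NEW):
        print(txn.account, txn.ts.isoformat(), txn.amount, txn.country, reasons or "consistent")
```

The point of the `insufficient_history` outcome is that a new account has no established pattern to be inconsistent with, so a reviewer can see which transactions the rule could not assess instead of mistaking silence for a clean result; the MAD-based threshold keeps one earlier large purchase from inflating the baseline the way a standard deviation would.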
An Eastern Bank spokesman said that institution is also confident it will be prepared.
They may be in the minority, however.
King, of Wolf & Co., said he’s seen just “a handful” of institutions that believe their current practices cover them under the new regulation.
“The majority of banks are saying, ‘I know an examiner is going to walk in my door and say, “Show me your red flags program,”’” he said – and have been scrambling to put the right measures in place.