Sunday, December 29, 2013



The Target Case and the implications for Red Flags Policies and Procedures  

For many of our clients, when it comes to Red Flags and identity theft policies and procedures, the response has been a bit of "write it and forget about it". Let's face it, the changes to the FACT Act that prompted regulators to ask banks to develop policies and procedures in this area have not been followed up with a great deal of examination or regulatory resources. With the financial meltdown, the development of a new regulatory agency, significant changes in consumer regulation and ongoing concerns in BSA/AML, Red Flags and identity theft have not been the priority. However, we believe that significant change is at hand, due to a confluence of factors.

By now most of us have heard about the case of fraud that Target department stores is currently experiencing. In fact, as the days go by, the scope of the security breach seems to keep growing. More and more customers are finding out that their debit cards may have been compromised, and the potential for identity theft is very real. In addition to the obvious financial consequences of this breach is the harm to Target's reputation. The loss of confidence in an institution's ability to handle confidential information can be particularly harmful to the bottom line. This is especially true for a bank. There can be no question, then, that Target's troubles will heighten the review of Red Flags policies and procedures at banks in the coming year.

Increased Enforcement

It is not just the Target incident that will soon heighten regulatory activity in this area. The dispute about which entities would be included in the act's definition of a creditor prevented any enforcement action from 2008 through 2010. The FTC resolved this dispute by changing the definition in its updated rule. In 2013 the SEC and the Futures Trading Commission published their versions of the rule, and so now the circle is complete. All the agencies will use a form of the Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation [1] when evaluating the Red Flags and identity theft program at a bank. We suggest that the beginning of the year is a great time to review your Red Flags policies and procedures to make sure they are up to date.

26 Red Flags

The Interagency Guidance describes 26 examples of red flags that banks should be able to identify, monitor and address should they be triggered. Although the guidance does not purport to be exhaustive, we believe that these 26 items are the minimum that should be part of a proper Red Flags risk mitigation program.

The 26 examples given in the guidance fall into five categories. These categories are:

·         Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

·         The presentation of suspicious documents;

·         The presentation of suspicious personal identifying information, such as a suspicious address change;

·         The unusual use of, or other suspicious activity related to, a covered account; and

·         Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

In addition to the above list there is a sixth category that does not include examples. It is described as:

·         Other red flags based upon the financial institution's experience.

This last category should be given particular care and attention. In the event that the bank has experienced some sort of fraud activity that is outside of the norm, the expectation is that the compliance team will be vigilant in taking steps to monitor and mitigate that activity. Examiners will pay particular attention to this area, as this category tends to show activity that is unique to the product base or customer base of the bank that experienced the fraud.

Red Flags and BSA Compliance

A quick review of the categories of fraud discussed in the Red Flags guidance should alert the reader to the similar areas of focus between a strong CIP/KYC program and a Red Flags program. As part of a strong BSA program, information is collected from customers and monitored on a regular basis in an effort to fully identify and monitor customer activity and reduce the possibility of suspicious activity. A strong Red Flags program should address this same body of information.

The account opening process could, and in our opinion should, serve as the heart of the Red Flags and BSA/AML programs. A strong program will require account opening staff to obtain complete and accurate documentation from the potential customer at the time an account is being opened. Any discrepancies in the information provided should be pursued, and the account should not be opened unless or until the discrepancy is resolved. In the event that no resolution is provided by the customer, the SAR investigation process should begin and the potential for a SAR filing should be thoroughly pursued.

The same symbiotic relationship exists between Red Flags and ongoing monitoring for BSA/AML. Even with established customers, unusual or unexpected activity should serve as a red flag for identity theft or fraud, as well as a trigger for heightened scrutiny or Enhanced Due Diligence.

The Red Flags Program

While the BSA and Red Flags programs can be quite similar and work side by side, regulators expect to see a robust, separate Red Flags program that is designed to identify and monitor fraudulent activity and to take steps to mitigate the risk of further fraud. A strong Red Flags program should include:

·         A Red Flags Risk Assessment - The assessment should include all covered accounts and should be updated annually.

·         Policies - Board-approved policies in the area of red flags should be reviewed and approved on an annual basis.

·         Procedures - Compliance staff should review procedures on a regular basis to make sure that current practices at the bank are in compliance with the procedures, and that the procedures are in fact up to date and consistent with policy.

·         Ongoing Review - Compliance should verify on a regular basis that staff understand the requirements of the Red Flags procedures and why they are important. We recommend a quarterly transaction testing sample to gauge the level of understanding.

·         Independent Testing - As part of the regular audit scope for operations compliance, there should be independent testing of compliance in this area.

Although the area of Red Flags has been somewhat dormant over the past several years, expect 2014 to bring renewed focus on it.



[1] 12 CFR 334 Appendix J
