CRMBuyer.com

Coming Soon: New ID Security Rules


Financial institutions have until Nov. 1 to comply with a revised set of rules under the Fair and Accurate Credit Transaction Act, also known as Facta. EMC and its RSA security division have developed software that helps ensure compliance.



Six federal banking regulators, including the U.S. Federal Reserve, FDIC and Office of Thrift Supervision, last November issued final rules clarifying what U.S. banks and credit institutions would have to do to comply with Red Flag provisions of the 2003 Fair and Accurate Credit Transaction Act (Facta).

The rules are crafted to ensure that banks and credit service providers nationwide have comprehensive, up-to-date identity theft and online fraud prevention systems in place. Financial industry participants have until Nov. 1 to be in compliance.

The impending deadline and the rush to ensure compliance have prompted EMC (NYSE: EMC) and its IT security division, RSA, to combine their respective consulting and identity protection and verification technology initiatives into a single, "holistic" offering intended to bring banks and credit institutions into compliance with the Facta Red Flags rules.

Facta Red Flag Provisions

Based on comments reviewed during the Facta Red Flags public comment period, the regulatory agencies, which also included the National Credit Union Administration, Office of the Comptroller of the Currency and Federal Trade Commission, narrowed and clarified the definition of Red Flags in their final ruling so as to reduce confusion and avoid unduly burdening "entities with limited resources." The definition of a Red Flag in the final ruling simply reads: "a pattern, practice, or specific activity that indicates the possible existence of identity theft."

The final ruling lists four basic elements, along with supporting policies, procedures and systems, that must be incorporated into the compliance programs of banks, savings and loans, and creditors:

  • The ability to identify relevant Red Flags for covered accounts and incorporate them into the program;
  • The ability to detect Red Flags that have been incorporated into the program;
  • The ability to respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  • Ensuring the program is updated periodically to reflect changes in risks to customers, or to the safety and soundness of the financial institution or creditor, from ID theft.

Financial institutions and creditors must also enumerate certain steps to administer the program, including obtaining approval of the initial program by the board of directors or a committee of the board, ensuring oversight of development, implementation and administration of the program, training staff and overseeing service provider agreements, according to the agencies' final ruling.

Clock Is Ticking

EMC and RSA had independently introduced consulting and information systems and technology programs geared specifically to helping customers develop solutions for Facta's Red Flag provisions and ensure compliance.

The final ruling's scope, the seriousness of regulators in ensuring compliance and the impending Nov. 1 deadline, along with inquiries and feedback from customers, have prompted the two to offer a comprehensive compliance solution intended to ensure that financial institutions and creditors have a reliable, effective Red Flag governance structure in place thereafter.

"With the Nov. 1, 2008, deadline approaching, momentum is building to ensure that banks and credit institutions comply. We're getting a lot of questions from institutions as to what they can do to comply and fill in any gaps not covered by existing programs," explained Amanda Van Veen, senior marketing manager, industry solutions at RSA, EMC's security division. "We're working with existing customers and reaching out to new customers regarding Facta compliance."

Eight-Point Compliance Plan

EMC and RSA have put together a package of processes and tools that accelerates the compliance process centered on eight key elements:

  • Reviewing existing policies, procedures, models and systems related to ID theft and fraud;
  • Laying out a Facta compliance roadmap and associated requirements;
  • Methods and tools to design and deploy automated Red Flag detection software across internal and customer communication channels;
  • Implementing ID theft prevention reporting, including metrics to measure program effectiveness;
  • Integrating third-party customer reporting agency data within front- and back-office systems;
  • Establishing and maintaining a Facta program management office; and
  • Setting up a Quality Assurance program that provides evidence that Facta business requirements are implemented and performing effectively.

"I think Facta gives banks and creditors the opportunity to look across the enterprise and create some consistent controls," Van Veen commented. "This is a real, comprehensive, packaged program.

Gauging the Impact

"EMC Consulting really has a risk assessment service that helps customers go in and determine how Facta affects their organization on an enterprise-wide basis: identifying affected accounts and services across processes and customer channels; examining existing procedures and systems brought in to comply with prior regulations; and helping them understand new threats and identify gaps in coverage by bringing in processes and sound capabilities to measure the effectiveness of their Facta program and the controls they have in place."

In terms of IT, networks and telecommunications, EMC-RSA's Facta compliance methodology revolves around four core elements: verifying the identity of existing and new customers and visitors; authenticating users; transaction monitoring; and designing and deploying an anti-fraud action service.

The latter, Van Veen elaborated, "is run in the background by RSA's Anti-Fraud Command Center, which tracks fraudsters and shuts down phishing and pharming attempts, and, in terms of preventive measures, alerts customers to threats that are out there."

By Andrew K. Burger