Friday, October 24, 2008

FDIC Pushes Back ID Theft Red Flags Rule Enforcement

That's right.

As reported by in an article posted today, the FDIC is delaying enforcement of a rule that has been on the books for quite some time because entities covered by this regulation aren't in compliance yet. Although the FDIC initially published a notice to this rule on November 9th, 2007 (enforcing the Fair and Accurate Credit Transactions Act of 2003), and the rule went into effect January 1st, 2008, with compliance required by November 1st, 2008 - this is now being pushed back 6 months because the the "we didn't know we needed to comply, give us more time" argument was thrown down. How absolutely irrisponsible!
"...FTC observers saw that many industry segments were unaware of the
compliance date..."

Isn't that a little rediculous? The FDIC attempts to explain itself here, in this release... I understand that it's a good practice to give affected parties ample time to comply before bringing down the hammer (I would say 11 months is fair, wouldn't you?), and according to some of the analysts closer to this issue than I this rule-enforcement is broadening those entities covered under the 2003 regulation - I still can't see a reason why a reasonable regulations and compliance officer wouldn't figure this out.

I will admit that this goes beyond banks to credit unions, car dealers, and public utilities - basically anyone that handles your credit/personal information. I will further take the stance that this reglation falls under the "It's about da** time" argument, and delaying enforcement is irrisponsible at best, and criminally negligent at worst.

Let's analyze what this regulation requires - for those that aren't familiar with it...
"In designing its Program, a financial institution or creditor may incorporate,
as appropriate, its existing policies, procedures, and other arrangements that
control reasonably foreseeable risks to customers or to the safety and soundness
of the financial institution or creditor from identity theft." (Source here)

  • This regulation requires an institution to establish a "Red Flag Program" to have a written policy for detecting identity theft/fraud via "red flag" activities (high-risk activities) which is then enforced within the institution
  • This program is based off of the institution's experience with identity theft (from past incidents?) - which is an interesting requirement...
  • The Program framework requires the use of historic data on identity theft to be pro-active in preventing new and mitigating existing identity theft and fraud
  • More information on the framework and requirements of the program available here.
  • The actual regulation language available here.

Some soapbox commentary:

{Steps on soapbox}
If you are an institution which typically deals (or has dealt with in the past) identity theft or identity-fraud-related activities... is boggles the mind that you would not have a program of "Red Flags" to identify when/how this is happening. I suspect this is a sad commentary on the state of identity theft... it's running so rampant that there are now specific regulations from the Federal Goverment (FDIC) which are forcing businesses and institutions to implement programs to identify and precent identity theft and credit fraud. I believe it is a further sad commentary that the FDIC has "relaxed" the enforcement date for businesses based (no doubt) on some lobbying efforts from groups which simply don't feel like complying. Look folks, programs like this don't cost incredible amounts of money to implement. They should be fundamental to all businesses models, not just banks and credit cards companies and retailers.

I firmly believe that institutions which do *not* have these types of programs (are non-compliant) after the May 1st enforcement date which have incidents of identity theft and fraud should be fined and sued for negligence by anyone who has their identity compromised through these entities. It's black and white here... there is no gray-area. Ordinarily I wouldn't say this but you're either compliant or not. You are either responsible with people's information and have a program in place to detect and root out identity theft and fraud - or you're negligent and should be severely punnished.
{steps off soapbox}


Anonymous said...

The FTC extended their deadline for compliance, NOT the FDIC. The FTC is responsible for companies not already being supervised by the FFIEC member agencies (FDIC, FRB, NCUA, OTS, OCC). This is an important distinction b/c the FFIEC covers all of the banks and credit unions in the U.S. (minus state-chartered CUs, which are regulated by the FTC). Banks and CUs still have to meet the Nov. 1 deadline.

Rafal Los said...

@anonymous: Thanks for that clarification... reading through mountains of regulation is enough to make anyone's head spin.