September/October 2008
Focus: Technology
ID Theft Rule – Automating the Compliance Process
By Saskia Rietbroek, CAMS
Identity theft is a significant concern for
The ID theft red flags rule requires banks and other financial institutions to be vigilant and proactive in helping to protect their customers from this serious financial crime. The rule requires them to have controls designed to address the risk of identity theft to consumers and to the safety and soundness of the institution. They must implement a risk-based written Identity Theft Prevention Program containing reasonable policies and procedures to address the risk of identity theft. The program must be board approved, and staff must be trained on the program. The mandatory compliance date for the rule is November 2008.
“Risk-based” means that each financial institution has greater flexibility in implementing an ID theft program appropriate to its own risk profile. The rule provides a significant degree of flexibility to allow institutions to adapt the requirements to their own individual needs and circumstances. The program is not one-size-fits-all; it depends on the size and complexity of the financial institution. This risk-sensitive approach will also allow the firm to more easily address evolving identity theft risks and focus on the areas where the risks are the biggest.
Earlier detection of potential risks is key. The rule includes guidelines for financial institutions to identify patterns, practices, and specific forms of activity that indicate possible identity theft in connection with the opening of a new account or an existing account. Appendix J of the rule is a list of 26 early warning signals or red flags. A red flag is a warning or a sense that something isn’t right, and should lead the financial institution to take a closer look. The list helps firms know what to look for when identifying possible fraudulent behaviors. In line with the risk-based approach, each financial institution has the flexibility to develop policies and procedures to identify which of the red flags are relevant for it. Yet assessing the risks of customers and transactions, and monitoring for relevant red flags, is no easy task.
There are transaction monitoring vendors in the market that can offer tools to help financial institutions support their identity theft prevention programs, assess the risk that they face, and comply with the “Red Flags Rule.” Here are a few examples of what transaction monitoring software programs can do to comply:
Focus on risky customers: Automated monitoring tools can identify customers that are at risk of becoming a fraud victim based on their characteristics, such as age, account balance and activity of the account. Software can also help proactively identify customers that could be fraudsters based on their characteristics, such as age, employment status, or residence in a high-risk location. Once these customers are identified they can be more closely monitored for suspicious transactions.
Unusual transfers: Software programs can trigger an alert when unusual transfers occur. For example, a phishing victim’s account can show a transfer from the savings account to a current account, and later, another amount is transferred out of the current account to a third party. The software tool knows that the activity is unusual because the frequency is higher (more activity than usual), and the amounts are bigger than is common for the victim’s profile. Furthermore, the customer has never transferred money to this third party’s account before. This means that the so-called “B-account” was new for the victim’s “profile.” Based on this, the software can generate an alert that can be investigated by the fraud team of the financial institution.
Unusual address changes combined with a new card request: In an ID theft scheme, the fraudster can submit an address change on behalf of the victim, shortly followed by a request for a new card and PIN. The criminal then uses the new card at ATMs to empty the account. Some transaction monitoring software does not only monitor “transactions,” but also monitors so-called “non-financial events” such as address changes and requests for a new card, and generates an alert if unusual address changes and new card requests occur within a certain period of time.
There is a growing need for financial institutions to have enterprise-wide clarity when it comes to the management of fraud and other financial crimes such as money laundering. Often, we see that point solutions for various elements of fraud monitoring and management are already in place for specific types of fraud, such as debit card fraud and check fraud. But with a growing number of channels for customer intake and interaction, including telephone and internet, fraudsters are taking advantage of the situation by “channel-surfing.” This cross-channel fraud exploits the vulnerabilities of traditional tactical point solutions and is likely to be one of the greatest "hot" fraud areas in the coming years.
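The two alert patterns described above (a large transfer to a never-before-seen "B-account", and a card request shortly after an address change) can be sketched as a small rule engine. This is an added example, not any vendor's code; the 14-day window, the 3x-median amount threshold, the event names and the sample events are all assumptions, and the frequency check mentioned in the text is left out.

```python
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(days=14)  # assumed correlation window for non-financial events
AMOUNT_FACTOR = 3            # assumed: "bigger than common" means > 3x median amount

# Constructed sample events for one account, in time order.
EVENTS = [
    ("2008-09-01", "transfer", {"to": "LANDLORD", "amount": 900}),
    ("2008-09-08", "transfer", {"to": "UTILITY", "amount": 120}),
    ("2008-09-15", "transfer", {"to": "LANDLORD", "amount": 900}),
    ("2008-10-02", "address_change", {}),
    ("2008-10-05", "card_request", {}),
    ("2008-10-06", "transfer", {"to": "B-ACCOUNT", "amount": 4500}),
]

def red_flags(events):
    """Return (date, rule) alerts for one account's time-ordered events."""
    alerts = []
    known_payees = set()   # beneficiaries already in the customer's profile
    amounts = []           # past transfer amounts, used as the profile baseline
    last_address_change = None
    for day, kind, data in events:
        ts = datetime.strptime(day, "%Y-%m-%d")
        if kind == "address_change":
            last_address_change = ts
        elif kind == "card_request":
            # Non-financial event correlation: card request soon after address change.
            if last_address_change and ts - last_address_change <= WINDOW:
                alerts.append((day, "card_request_after_address_change"))
        elif kind == "transfer":
            new_payee = data["to"] not in known_payees
            # With no history there is no baseline, so "big" cannot be judged yet.
            big = bool(amounts) and data["amount"] > AMOUNT_FACTOR * median(amounts)
            if new_payee and big:
                alerts.append((day, "large_transfer_to_new_beneficiary"))
            known_payees.add(data["to"])
            amounts.append(data["amount"])
    return alerts

if __name__ == "__main__":
    for alert in red_flags(EVENTS):
        print(alert)
```

Each alert is only a trigger for investigation by the fraud team; thresholds would be tuned per institution in line with the risk-based approach.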
To mitigate these risks, financial institutions are moving away from tactical point solutions and looking for vendors with a holistic approach to enterprise risk management. With one integrated case management and red flag management system, some solutions provide a central repository for both fraud and money laundering alerts, with a 360° holistic customer view that can be used seamlessly across channels and departments.
With the groundbreaking ID theft rule, financial institutions must take every possible step to protect and assist customers who become victims. On top of that, the bad guys continue to find new ways to commit ID theft. Without the proper technology, all this becomes a very challenging task. Only with advanced detection analytics and an enterprise-wide view of financial crime can firms have instant business risk insight and achieve operational efficiencies in a turbulent market.
Saskia Rietbroek is financial crime advisor for Fiserv NetEconomy, a firm specializing in real-time enterprise risk monitoring solutions. She is based in
