Regulatory Compliance


What to do when you see a Red Flag. Your Identity Theft Prevention Program should include appropriate responses when you detect a Red Flag. You must assess whether the Red Flag evidences a risk of identity theft. If so, your response must be commensurate with the degree of risk posed. Depending on the level of risk, an appropriate response may include contacting your applicant, not opening a new account or even determining that no response is necessary.  

Published: February 19, 2009 by Keir Breitenfeld

By: Tom Hannagan

Part 1

Beyond the risk management considerations related to a bank’s capital position, which is directly impacted by Troubled Asset Relief Program (TARP) participation, it should be clear that TARP also involves business (or strategic) risk. We have spoken in the past of several major categories of risk: credit risk, market risk, operational risk and business risk. Business risk includes:

- A variety of risks associated with the outcomes from strategic decision making;
- Governance considerations;
- Executive behavior (for lack of better terminology);
- Management succession events or other leadership occurrences that may affect the performance and financial viability of the business.

Aside from the monetary impact on the bank’s capital position, TARP involves a new capital securities owner being in the mix. And, with a 20% infusion of added tier 1 capital, we are almost always talking about a very large, new owner relative to existing shareholders. The United States Department of the Treasury is the investor or holder of the newly issued preferred stock and warrants. The Treasury Department does not have voting rights like common shareholders, but the Treasury’s Securities Purchase Agreement – Standard Form includes at least 35 pages of terms, plus the required Letter Agreement, Schedules attached to the Letter Agreement and at least five significant Annexes to the Purchase Agreement. It’s NOT an easy, quick or fun read.

In the Recitals section, it states that the bank: “agrees to expand the flow of credit to U.S. consumers and businesses on competitive terms as appropriate to strengthen the health of the U.S. economy” and, later, “agrees to work diligently, under existing programs, to modify the terms of residential mortgages as appropriate to strengthen the health of the U.S. economy.” Fortunately, if you’re a banker, these topics are not (currently) revisited elsewhere in the document, period.

However, these are examples of the new shareholder affecting business decision making without the need to be on the Board of Directors, or voting common shares. The Agreement covers a number of other requirements and limitations, such as executive compensation, dividend payments, other capital sourcing and retention of bank holding company status. None of these are particularly onerous, but they must be taken into account by management. Visit my next post to read about the very interesting Amendment clause that may represent an open-ended business portfolio risk management decision for the future.

Published: February 19, 2009 by Guest Contributor

How do I know which Red Flags apply to me? The Red Flag guidelines that will apply to you depend on a number of factors including:

- The types of covered accounts you offer and how those accounts may be opened and accessed
- Your previous experiences with identity theft

In order to determine the applicable Red Flags, you must consider these factors as well as various sources and categories of Red Flags identified in the Guidelines. There are many resources available to help you gain the upper hand on Identity Theft Red Flags. I encourage you to visit this site for more information including a white paper, webinar, data sheet and more.

Published: February 13, 2009 by Keir Breitenfeld

It seems to me that there remains quite a bit of dispute and confusion around the inclusion of healthcare providers under the umbrella of "creditors." This would, in turn, imply that a physician's office would need to have a Red Flags Identity Theft Prevention Program in place.  Yikes!  My guess is that this will not be fully resolved by May 1, 2009.  I see too many disparate opinions out there to think otherwise.  I certainly see both sides.  On the one hand, the definition of "creditor" to include "deferred payment of debts" does make the case for most physicians’ offices to be covered under the rule.  On the other hand, to what extent will each and every physician's office be able to have a verification process in place by May 1, 2009?  Certainly, those offices integrated with third party processing will have an easier go of it, but the stand-alone practices are facing a tough challenge.    There is no doubt that the healthcare space is, and should be, covered under the Red Flags rule, I just have to wonder how comprehensive and enforceable compliance will be.  Let me know your thoughts!

Published: February 6, 2009 by Keir Breitenfeld

During a recent real-time survey of 850 representatives of the financial services industry: only 36 percent said that they completely understood the new Identity Theft Red Flags Rule guidelines and were prepared to meet the deadline. 60 percent said that they had just started to determine their approach to Red Flag compliance.

Published: February 6, 2009 by Keir Breitenfeld

I’m speculating a bit here, but I have a feeling that as the first wave of Red Flag rule examinations occurs, one of the potential perceived weak points in your program(s) may be your vendor relationships. Of particular note are collections agencies. Per the guidelines, “Section 114 applies to financial institutions and creditors.” Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. ECOA defines “creditor” to include a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors. Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules and “a financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider.”

A general rule of thumb in any examination process is to look closely at activities that are the most difficult for the examinee to control. Third-party relationship management certainly falls into this category. So, make sure your written and operational programs have procedures in place to ensure and regularly monitor appropriate Red Flag compliance -- even when customer (or potential customer) activities occur outside your walls. Good luck!

Published: January 20, 2009 by Keir Breitenfeld

I have heard this question posed and you may be asking yourselves: Why are referral volumes (the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected) such a significant operations concern? These concerns are not without merit.  Because of the new Red Flag Rules, financial institutions are likely to be more cautious.  As a result, many transactions may be subject to greater customer identification scrutiny than is necessary. Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction.  For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction.  In fact, using such tools may allow organizations to quicken the origination process for customers. They can then identify and focus resources on transactions that pose the greatest potential for identity theft. A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact.  Detection of Red Flag conditions is only half the battle.  Responding to those conditions is a substantial problem to solve for most institutions.  A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the majority of referrals to real-time approvals without staff intervention or customer hardship.   

Published: January 13, 2009 by Keir Breitenfeld

What is your greatest concern as the May 1, 2009 enforcement date approaches for all guidelines in the Identity Theft Red Flags Rule?

Published: January 13, 2009 by Keir Breitenfeld

Hello Red Flaggers! I’m still getting some questions from our clients these days around the FTC enforcement extension. My concern is that there seems to be a perception that May 1, 2009 is the enforcement date for all of the guidelines in the Red Flags Rule. In reading through the recently released FTC Enforcement Policy (Identity Theft Red Flags Rule, 16 CFR, 681.2), it clearly states the following:

“This delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3).”

So, while you may be breathing a sigh of relief as far as the implementation of your overall Identity Theft Prevention Program is concerned, be advised that the May 1, 2009 extension does not cover the need to detect and/or respond to address discrepancies on consumer reports or during address changes on card accounts. As previously mentioned in an earlier blog of mine (see Nov. 13 blog), responding to address discrepancies on consumer reports may be the biggest challenge for many of our clients, as (depending on market served) the percentage of consumer reports with an address discrepancy can number over 20 percent. This can create an operational burden from the perspective of cost, customer experience, and the ability to quickly book legitimate and profitable customers. Have a look at my previous blog on a risk-based approach to address discrepancies for a refresher on this subject. Good luck!!

Published: December 23, 2008 by Keir Breitenfeld

We continue to receive inquiries from our clients, and the market in general, around whether they are required to comply with the Red Flag Rule or not. That final decision can be found with the legal and compliance teams within your organization. I am finding, however, that there generally seems to be too literal and narrow an interpretation of the terms ‘creditor’ or ‘financial institution’ as described in the guidelines. I often hear an organization state that they don’t believe they’re covered because they are not one of those types of entities. Ultimately, as I said, that’s up to your internal team(s) to establish. I would recommend, however, that you ensure that opinion and ultimate determination is well researched. It may sound simple, but reach out to your examining agencies or the Federal Trade Commission (FTC) and discuss any ambiguities you feel exist related to covered accounts.

There is some great clarifying language out there beyond the initial Red Flag Rule. For example, the FTC provided a very useful article (www.ftc.gov/bcp/edu/pubs/articles/art11.shtm) that described how even health care providers can be covered under the Red Flag Rule. At first glance, they may not seem to fall under the umbrella of a ‘creditor or financial institution.’ As stated in the article, the extension of credit “means an arrangement by which you defer payment of debts or accept deferred payments for the purchase of property or services. In other words, payment is made after the product was sold or the service was rendered. Even if you’re a non-profit or government agency, you still may be a creditor if you accept deferred payments for goods or services.” Maybe it’s just me, but that description is arguably much broader-reaching than one might initially think.

Long story short: do your research, and don’t assume you or your accounts are not covered under the guidelines. Better to find out now instead of after your first examination… for obvious reasons.

Published: December 15, 2008 by Keir Breitenfeld

The Federal Trade Commission (FTC) suspended enforcement of the new Red Flag Rule until May 1, 2009. According to the FTC’s Enforcement Policy, “…during the course of the Commission’s education and outreach efforts following publication of the rule, the Commission has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule. These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA Sections 114 and 315 definitions of ‘creditor’ or ’financial institution’.”

So, depending upon which enforcement entity (or entities) will be knocking on your door in the coming months, you may (and I emphasize “may”) have some extra time to get your house in order. While many of you are likely confident that you have a compliant written and operational Identity Theft Prevention Program, this break in the action can be a great time to take care of setting up some ongoing procedures for keeping your program up to date. Here are some ideas to keep in mind along the way:

1. Make sure you have clear responsibilities and accountabilities identified and assigned to appropriate persons. Lack thereof may lead to everyone thinking someone else is keeping tabs.
2. Start setting the stage for a process to update your program based on:
   a. Your new experiences with identity theft;
   b. Changes in methods of identity theft;
   c. Changes in methods to detect, prevent, and mitigate identity theft;
   d. Changes in the types of accounts you offer or maintain; and
   e. Changes in your business arrangements, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.
3. Set up a process for program review at the board level. Remember that your program does not have to be approved by your board of directors annually, but the board (or a committee of the board) or senior management must review reports regarding your program each year. They must approve any material changes to your program should they occur.
4. Prepare now for follow up actions associated with your first Red Flag Rule examination(s). There will surely be suggestions or mandates stemming from that exercise, and now is a good time to start securing appropriate resources and time.

My key message here is that, while there may be a lull in the world of Red Flags activity, this is a great time to keep momentum in your program development and upkeep by planning for the next wave of updates and your impending examinations. Best of luck.

Published: December 2, 2008 by Keir Breitenfeld

I’m working with many of our clients in reviewing their existing or evolving Red Flags Identity Theft Prevention Programs. While the majority of them appear to be buttoned up from the perspective of identifying covered accounts and applicable Red Flag conditions, as well as establishing detection methodologies, I often still see too much subjectivity in their response and reconciliation procedures. Here are a few reasons why the “response” portion of a strong Red Flags Identity Theft Prevention program needs to employ consistent and objective process, decisioning, and actions:

1. Inconsistent or subjectively varied responses and actions greatly reduce the ability to measure process effectiveness over time. It becomes increasingly difficult for retro-analysis to identify which processes and specific steps in those processes were successful in either positively or negatively reconciling potential fraudulent activity. Subsequently, it clouds any ability to make effective or necessary changes to specific activities that may not be working well.
2. Examiners may focus heavily on the response portion of your program. During operational side by sides, or even written program reviews, the less ambiguity and inconsistency identified or perceived, the better. A quick rule of thumb for any examination: preempt any questions with exhaustive information and clarity. Examiners that don’t need to ask many, or any, questions are happy examiners.
3. Objective and consistent process allows for more manageable staff training. It is much easier to educate your staff around a justified and effective uniform process than around intuitive and haphazard procedures and consumer interactions. It is tough to set expectations with your staff if there are gaping holes in the activities they are expected to execute.
4. Customer experience will certainly be more positive, and less of a worry for managers, as inequity of treatment is removed from the equation. It is better to have each customer progress through similar steps toward authentication than varied ones from the perspective of time, perception, effectiveness, and convenience. Now, certainly, a risk-based approach allows for varied treatment based on that risk. The point here is more toward the need to apply those varied techniques consistently.
5. Social engineering. Fraudsters are pretty good at figuring out if an operational process is open to interpretation and manipulation. They’ll continue to engage in a process with the goal of landing with the right associate who may be following a more easily penetrable fraud detection method. Bottom line: keep the walls around your business the same height throughout.

Until next time, best of luck as you continue to develop and improve your Red Flags programs.

Published: November 20, 2008 by Keir Breitenfeld

As someone heavily engaged with the market and our clients discussing Red Flag Rule compliance, Red Flag guidelines, etc... this question has come up over and over again. You’d think by now I’d have a simple, clever, and strategically created product name to throw out there. Well, I don’t, and here’s why: we had Red Flag relevant products before Red Flags were in vogue. So, why didn’t we just rename them under the Red Flag brand? Because honestly, that would border on irresponsibility. Let me explain briefly…

If you recall, the Red Flags Rule requires that covered institutions employ a written and operational Program that addresses the four mandatory elements of:

- Identifying Red Flags applicable to covered accounts and incorporating them into the Program;
- Detecting and evaluating the Red Flags included in the Program;
- Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and
- Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft.

You read in these requirements words like “applicable” and “appropriate” and “degree of risk.” You don’t read words like “use this tool” or “detect this specific set of conditions.” My point here is that, over the past year, we’ve been working with our clients to map in the “appropriate” and “applicable” set of products and services to allow them to become Red Flag compliant. These products and services range in data leverage and provision, predictive power, decisioning, and of course, cost. That is a good thing, as our clients require individualized tool sets and processes based on their serviced market, gathered information, consumer relationships, products offered, and risk associated with all of those factors.

We don’t offer an unlimited or overwhelming number of Red Flag relevant products, but we do offer a diverse enough set that has afforded our clients an opportunity to select the best fit. Whether you choose to adopt Experian as your Red Flag partner or another service provider, keep in mind that one size does not fit all, and be wary of those claiming to be just that. As Red Flag examinations start rolling out in the coming months, there will be a focus on ensuring that your programs are comprehensive and effective. Examiners will be looking at your programs, not your service provider. Be sure to collaborate with your partners to meticulously apply the best solution. At Experian, we’ve taken this collaborative approach with each of our clients, and have employed products ranging from our robust Precise ID SM consumer authentication platform to our Fraud Shield SM risk warning product. Time spent up front in identifying your Red Flag requirements and working with your service provider to determine the best course of action will pay dividends down the road, and ensure you implement a compliant process once… not twice.

Published: November 18, 2008 by Keir Breitenfeld

One of the more significant operational concerns around Red Flags compliance centers on the management of resultant referral volumes, i.e., the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected.  These concerns are not without merit, and are arguably the most frequently discussed Red Flag issue with our client base. Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction.  For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction.  In fact, using such tools may allow organizations to speed up the origination process for these customers and identify and focus resources on those transactions that pose the greatest potential for identity theft. A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact.  Detection of Red Flag conditions is literally only half the battle.  In fact, responding to those Red Flag conditions is a substantial problem to solve for most institutions.  A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the vast majority of referrals to real-time approvals without staff intervention or customer hardship.  Rather than implementing a “rules-based” program (one in which particular Red Flags are identified, detected and used in isolation or near isolation in decisioning), many institutions are opting to approach Red Flag compliance from a “risk-based” perspective. 
This “risk-based” approach assumes that no single Red Flag Rule or even set of rules provides a comprehensive view of a consumer’s identity and associated fraud risk. Instead, a “risk-based” systematic approach to consumer authentication employs a process by which an appropriately comprehensive set of consumer data sources can provide the foundation for highly effective fraud prediction models in combination with detailed consumer authentication conditions (such as address mismatches or Social Security number inconsistencies).  A risk-based fraud detection system allows institutions to make consumer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a consumer’s identity and predicted likelihood of associated identity theft. Many, if not all, of the suggested Rules in the published guidelines are not “silver bullets” that ensure the presence or absence of identity theft. A substantial ratio of false positives will comprise the set of consumers and accounts being reviewed as having met one or more of the suggested Red Flag rule conditions. These rules and guidelines are intended neither to prevent legitimate consumers from establishing relationships with institutions nor create a burdensome and prohibitive volume of consumer “referrals.” While those rules incorporated into an institution’s Program must be addressed when detected, a risk-based system allows for an operationally efficient method of reconciliation in tandem with identity theft mitigation.

Published: November 11, 2008 by Keir Breitenfeld
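The risk-based decisioning described in the two posts above (Jan. 13 and Nov. 11) set beside a rules-based policy, as an added example that is not from the original posts and is not Experian's or any vendor's product code. The score scale, flag weights, thresholds, the alternate data source and the sample applications are all constructed for illustration.

```python
"""Rules-based vs risk-based Red Flag decisioning on constructed sample applications.

Added illustration: a small decision engine that combines an authentication score,
detected Red Flag conditions and an alternate data source into one response per
application, and measures referral volume against a one-flag-one-referral policy.
Every value below (scores, weights, thresholds, addresses) is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Application:
    app_id: str
    address: str
    auth_score: int                  # constructed 0-999 scale; higher = lower predicted fraud risk
    flags: frozenset = frozenset()   # Red Flag condition codes detected during origination


@dataclass
class Decision:
    outcome: str                     # APPROVE, REFER or DECLINE
    adjusted_score: int
    reconciled: list = field(default_factory=list)   # flags cleared by alternate data
    remaining: list = field(default_factory=list)    # flags still open at decision time


# Constructed weights: how much each open condition lowers the effective score.
FLAG_WEIGHTS = {
    "ADDRESS_MISMATCH": 100,            # applicant address differs from the bureau file
    "REPORT_ADDRESS_DISCREPANCY": 150,  # notice of address discrepancy on the consumer report
    "RECENT_ADDRESS_CHANGE": 50,
    "SSN_INCONSISTENT": 300,
}
ADDRESS_FLAGS = {"ADDRESS_MISMATCH", "REPORT_ADDRESS_DISCREPANCY"}
NEVER_AUTO_APPROVE = {"SSN_INCONSISTENT"}   # a condition the Program says must reach a person

# Constructed alternate data source: addresses independently associated with each applicant.
ALT_ADDRESS_SOURCE = {
    "A2": {"12 Oak Ave"},
    "A3": {"9 Pine Rd", "4 Birch Ln"},
}


def rules_based_decision(app):
    """Any detected condition produces a manual referral; the score is never consulted."""
    return Decision("REFER" if app.flags else "APPROVE", app.auth_score, [], sorted(app.flags))


def reconcile_addresses(app):
    """Clear address-type flags when the alternate source corroborates the given address."""
    known = ALT_ADDRESS_SOURCE.get(app.app_id, set())
    if app.address in known:
        return sorted(app.flags & ADDRESS_FLAGS), app.flags - ADDRESS_FLAGS
    return [], app.flags


def risk_based_decision(app, approve_at=650, decline_at=300):
    """Holistic view: score minus weighted open conditions, with hard stops preserved."""
    reconciled, remaining = reconcile_addresses(app)
    adjusted = app.auth_score - sum(FLAG_WEIGHTS.get(f, 100) for f in remaining)
    if adjusted <= decline_at:
        outcome = "DECLINE"          # the "not opening a new account" response
    elif adjusted >= approve_at and not (remaining & NEVER_AUTO_APPROVE):
        outcome = "APPROVE"          # real-time approval, no staff intervention
    else:
        outcome = "REFER"
    return Decision(outcome, adjusted, reconciled, sorted(remaining))


def outcome_counts(apps, decide):
    """Tally outcomes so the referral volume of each policy can be compared."""
    counts = {"APPROVE": 0, "REFER": 0, "DECLINE": 0}
    for app in apps:
        counts[decide(app).outcome] += 1
    return counts


# Constructed applications: clean, address-only flags, a hard flag, and a low score with no flags.
SAMPLE_APPS = [
    Application("A1", "1 Main St", 820),
    Application("A2", "12 Oak Ave", 790, frozenset({"ADDRESS_MISMATCH"})),
    Application("A3", "9 Pine Rd", 700, frozenset({"REPORT_ADDRESS_DISCREPANCY", "RECENT_ADDRESS_CHANGE"})),
    Application("A4", "77 Elm St", 720, frozenset({"ADDRESS_MISMATCH"})),
    Application("A5", "3 Lake Dr", 560, frozenset({"SSN_INCONSISTENT", "ADDRESS_MISMATCH"})),
    Application("A6", "5 Hill Ct", 400),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app.app_id, rules_based_decision(app).outcome, risk_based_decision(app))
    print("rules-based:", outcome_counts(SAMPLE_APPS, rules_based_decision))
    print("risk-based: ", outcome_counts(SAMPLE_APPS, risk_based_decision))
```

Each Decision carries which flags were reconciled and which stayed open, giving the consistent, auditable response record the Nov. 20 post asks for; note that A6 is referred only by the risk-based policy, since a low score with no flag is invisible to a rules-only program.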

By: Tom Hannagan

In my last post, I addressed the need for banks to advance their management of risk to include the relationship between capital and risk in their internal decisions and actions. While it is difficult for me to make this topic very exciting, it can’t be ignored. It very nearly resulted in bankrupting the global financial system. Beyond profitability, bank executives must measure and monitor their risk-based capital because: 1) equity capital represents the ownership interest in a bank; 2) equity capital is by far the most expensive source of funding; and 3) the risk associated with capital sufficiency and continued solvency is important. As Colonel Jessup might confirm, “Yes, we’re talking about mortal danger”.

Many are scrambling to apply for the TARP (Troubled Asset Relief Program) capital infusion – and most are getting approved for these windfall funds. (Today’s investment advice from the experts: don’t buy common shares in any bank that applied and was turned down.) Let’s take a look at the impact of these funds. If we were, for example, a $10 billion total asset bank, with say $800 million in equity capital prior to TARP and had roughly $700 million in risk-weighted assets, we might get approved for $200 million in TARP-related preferred shares at a cost of 5 percent (after tax) for the next five years. If our make-believe $10 billion bank was earning an average pre-2008 economic-and-credit-crisis return on assets of 1 percent, or $100 million per annum, what are the implications of the added $200 million in capital on future earnings? That $100 million in “pre-crisis” earnings represented a return on equity of 12.5 percent on our original capital of $800 million. (Stay with me, now…) Since we need to pay the Feds (our new shareholders) $10 million in preferred dividends per annum in after-tax money, we need to earn an added $16 million in pre-tax operating income just to break even on the deal.

That would mean, in our otherwise static model, that earnings need to move from $100 million to $110 million. More importantly, pre-tax income needs to move from say $150 million to $166 million, assuming about a 33 percent effective tax rate. We’ve got the fresh $200 million to work with, assuming we don’t need part of it to cover credit charge-offs or other asset write-downs. To earn $16 million from that $200 million investment, we would need an 8 percent pre-tax operating income (that’s after expenses, folks). I’m open to suggestions at this point... And you thought banking was easy. You do that the old-fashioned way -- with leverage. You use the $200 million to get someone (depositors, the Federal Home Loan Bank, a Federal Reserve Bank, or anyone else) to give you more money to invest (at a critically important tax-deductible cost) along with your fresh $200 million in preferred equity. Remember, our bank is already operating with leverage, supporting $7 billion in risk-weighted assets, and $10 billion in total assets, with the pre-existing $800 million in capital. Unfortunately, leverage involves at least liquidity risk, and probably market risk -- on top of whatever direct (credit, market, operational) risks are associated with whatever end investment you choose (…and the Feds hope you choose loans). Obviously, the fastest way to get the added leverage, along with a quick addition to earnings assets, is to go buy another bank (and absorb them more successfully than the two of you ran separately). Thus, a new round of consolidation has begun. Regardless of the method used to grow into the TARP money, any bank that doesn’t take into account the risks associated with these decisions/actions is merely kidding itself. TARP funding will not make any real headway in improving risk-adjusted earnings going forward. There is (and always has been) a direct relationship between actual risk and risk-adjusted return.
It is now more important than ever for bank management to monitor and measure their organization’s activities (loan pricing and profitability, investing, deposit taking, investment management, credit risk modeling, buying other banks...and anything else they do) based on the relative risk of those activities and based on the equity capital realistically required to support those risks. This means using return on equity measurement internally as well as at the entity level. I look forward to your comments.

Published: November 11, 2008 by Guest Contributor
