We get the following question quite a bit:
Would the regulators expect to see a log of detected activity and resulting mitigation?
Short answer:
The Red Flags Rule does not specifically require you to maintain a log, nor do the guidelines suggest that a log should be maintained. However, covered institutions are required to prepare regular reports around the effectiveness of their program. Additionally, there exists the requirement to incorporate an institution’s own experiences with identity theft when reviewing and updating their program.
Long answer:
Think now about the value of incorporating robust (and, optimally, transaction level) reporting into your program for a few key reasons:
1.Reporting allows you to more easily and comprehensively create and disseminate board-level reports related to program effectiveness. These aren’t a bad thing to show a regulator either.
2.Detailed reporting provides you an opportunity to more accurately monitor your program’s performance with respect to decisioning strategies, false positives, false negatives, fraud detection and prevention rates, resultant losses and legitimate costs.
3.The more historic detail you have compiled, the easier it will be to make educated, analytically based, and quantifiable updates to your program over time. Without this, you may be living and dying with anecdotal decision making….never good.
4.Finally, maintaining program performance data will afford you the ability to work with other service providers in validating their capabilities against known transactional or account level outcomes. We, at Experian, certainly find this useful in working with our clients to deliver optimal strategies.
Thanks as always.