By Bryan Ansley
In November, new Federal Reserve Board rules for identity threat protection went into effect. Bankers now have less than a year to bring their institutions into compliance. The clock is ticking.
Those who fail to put adequate safeguards in place by November 2008 will find identity theft and other online fraud transformed from a mere public relations problem into a serious, and potentially costly, compliance matter.
It’s no wonder bankers are scrambling to develop or outsource identity theft prevention solutions. Unfortunately, many are finding identity theft protection tools are not created equal. Most of the available solutions only address a subset of the Fed’s regulations.
For example, while the Fed’s rules require banks to protect all their customers, many ID theft protection solutions can only enroll and notify participants who bank online. That leaves an estimated 29 percent of bank customers disenfranchised.
Likewise, credit monitoring services can detect potential criminal-borrowing patterns, but can’t flag when non-credit records, such as drivers’ licenses and medical records, are being tampered with. Here’s what bankers need to know to get their institutions into compliance with new guidelines.
What the Fed Said
First, a quick regulation recap. In January, the Federal Reserve Board and other bank regulators required financial institutions to implement identity theft protection programs. This includes creating “reasonable policies and procedures” for preventing ID theft, identifying “red flag” activities and notifying victims.
The reason for these changes is simple: ID crime is spiraling out of control. FBI statistics show United States companies spend $67 billion annually combating cyber crime. And consumers lose $50 billion to identity theft and recovery expenses every year, according to the Federal Trade Commission.
Regulators realize that banks can play a pivotal role in the fight against identity fraud. But to adhere to the new guidelines, many bankers are sourcing outside solutions. In doing so, they should consider four key aspects as they narrow the field for an identity theft protection vendor.
Total identity monitoring: Basic credit monitoring finds only 34 percent of identity breaches. To flag the other 66 percent, the service must also track utilities, DMV records, medical records, bank records and other relevant databases that use customers’ Social Security numbers. When a potential breach is detected, the service should contact the victim directly, not the bank, to ensure privacy. Some service providers also provide a Web site that lets bank customers self-check their data, and contact the service if they suspect a problem.
Fully managed breach recovery: Identity theft protection programs will offer one of four approaches to recovery: assisted, limited event, semi-managed or fully managed. Only fully managed recovery plans provide a professional advisor who, through limited power of attorney, works on victims’ behalf to recover their identity. The advisor, not the customer, will handle the recovery process from beginning to end, including all research, phone calls, letter writing, documentation and follow-through. Recovery is expedited, while victims’ stress is greatly reduced because they know the process is being professionally handled.
Expense reimbursement insurance: High, out-of-pocket expenses and time off from work can cost victims up to $16,000 in lost income on average, according to the Identity Theft Resource Center. The best plans provide ample insurance coverage for damages. But pay close attention to deductibles, reimbursement amounts, and premiums. Be sure to compare these factors in a spreadsheet or grid. Many plans offer low coverage at high premiums, or carry outrageous deductibles. Lastly, look for a policy that has few, if any, exclusions – ideally, one that covers all financial losses associated with the ID theft and recovery. This includes legal expenses, lost wages, loan application fees, long distance telephone bills, mailing and postage, notarization fees, credit reports and so on.
Ongoing employee and customer education: Knowing how to minimize risk upfront is job one. Look for a service provider who integrates education into their program and teaches customers how to get the most out of their ID protection benefit. Educational programs will include one or more features, such as newsletters, Web sites, Webinars, conference calls and on-site, live seminars. Some of these can fulfill Community Reinvestment Act requirements, too, so scope out providers’ experience with qualified programs. Ideally, the vendor will be able to custom-tailor an educational program to meet a bank’s needs.
Implementing a robust identity theft prevention program can do more than protect depositors. It can also protect the bank from the public backlash that occurs in the wake of a data breach. Bank managers can point to their ID recovery program, and note how victims will recover their identities and financial losses. This also demonstrates the bank’s commitment to security policies that ensure every reasonable measure is taken to protect depositors.
Offering comprehensive and affordable theft insurance also differentiates an institution in the marketplace. Educational seminars can draw prospects into branches, teach them how to better protect their IDs and encourage them to sign up.
Lastly, an ID protection package can be a profit center, driving recurring non-interest income for the bank. Discounted group rates can also be offered, creating a means to win blocks of new depositors, i.e. businesses, concerned about the rising tide of ID theft.
With the proper system in place, banks will be prepared to do more than simply comply with the new Fed regulations. They can use the regulations as a catalyst to provide a higher level of services to depositors – services which drive revenue, deter crime and preserve the bank’s good standing in the community.
Bryan Ansley is president and CEO of Brentwood, Tenn.-based Secure Identity Systems (www.secureidentitysystems.com), a total identity monitoring, protection and recovery service provider.