Identity theft continues to accelerate, and protecting against it has become a multimillion dollar business, says Deloitte's Mark Steinhoff.
Identity theft continues to accelerate, and protecting against it has become a multimillion dollar business. A survey conducted by the Federal Trade Commission (FTC) in 2006 estimated that 8.3 million American consumers, or 3.7 percent of the adult population, became victims of identity theft in 2005. Reported incidents collected by the agency in its annual fraud analysis showed 258,427 cases logged in their databases. Stepping into this foray is the U.S. federal government's Fair and Accurate Credit Reporting Act and its “Identity Theft Red Flags and Address Discrepancies” provisions. This Act defines specific “Red Flags” that organizations must monitor, act upon, and have a documented program in place to address. Some of these items may be addressed by existing policies and procedures, others may be new. Regardless, responding to this is not an option. The joint final rules and guidelines were effective January 1, 2008 with a mandatory compliance date of November 1, 2008. Overall, regulators have raised the bar and it is not sufficient anymore to simply have policies and procedures. Organizations should be aware of where their data is, how to protect it and how to protect their employees.
The end victims of identity theft, the consumers, are rarely held responsible for fraudulent debts incurred in their name. Rather, creditors frequently attempt to collect the bad debt, or simply write it off. Compliance with these regulations can help to reduce the incidence of identity theft suffered by your organization, which, in turn, may result in lower end costs. With a compliance date only weeks away, your organization's response should begin now. What can you do to be prepared?
Preparing for identify theft Red Flags deadline
First, organizations need to understand where the rules apply, and know what types of data are at stake in order to understand these policies and practices and address the issues on a sustainable basis. The regulations call for the “Establishment of an Identity Theft Prevention Program” that is appropriate to the size and complexity of the organization. The regulation, as the name implies, was originally intended to address discrepancies between credit reporting agencies and creditors. This has been broadened to look at many areas that can be indications of identity theft. Several of these areas overlap with existing anti-money laundering processes, as well as information security standards published as part of the Gramm-Leach-Bliley Act and other regulations. The regulations focus on individuals and the accounts they maintain (these are the most common victims of identity theft); however, this does not eliminate a range of businesses from the mix. If you manage accounts that fit within the definition, it is important that you understand what is in this regulation and the actions that you should be taking.
The regulations were jointly published by six agencies: the Department of the Treasury – Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Department of the Treasury – Office of Thrift Supervision, the National Credit Union Administration and the Federal Trade Commission. Because the FTC is involved, this is not just a banking regulation. It covers anyone that offers credit or manages a “covered account.” Therefore, it potentially extends to hundreds of businesses.
The term “covered account” is divided into two parts. The first part refers to “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions.” The second part of the definition refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution, or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
The final regulations list the four basic elements that must be included in the identity theft program. It must contain “reasonable policies and procedures” to: identify relevant red flags, detect red flags, respond appropriately to any red flags and ensure that the identity theft program is updated periodically. The regulations further define that the program must be documented and have oversight from the board of directors, a committee of the board, or an employee at a senior management level.
Steps to developing an identify theft program
While the regulations may seem daunting, a prudent approach to developing a program need not be. A scalable approach to developing an identity theft program includes the following: scope and impact assessment, requirements analysis and gap assessment, gap closure plan and execution.
As you begin to develop an identity theft program, start by assessing the scope and impact.
This analysis should begin with a review of existing policies and procedures and should be combined with a review of the red flag categories and specific items defined within the regulation to determine which types of accounts are currently being managed, which of those accounts are “covered accounts,” and, most important for those accounts, which activities defined are relevant to your organization. A key element of this review should be the development of a repeatable process to conduct this assessment on a periodic basis. This will enhance your organization's ability to periodically update the program. When reviewing the account categories and red flags for applicability, do not stop at what is defined in the regulations; review other areas where your organization has reason to believe there may be a risk of identity theft. This will enable your program to respond to new threats as they are identified. When conducting the impact analysis, it is important to gain input from the personnel closest to the business to enhance the understanding of accounts being managed and the applicable risks.
After initial identification of accounts, relevant red flags, and existing policies and procedures, the next step is to determine how well your organization's existing policies and procedures align with the regulation's requirements, in other words, identifying the extent of the gap between your current capabilities and the new requirements. There are only a few prescriptive measures in the regulations, however, a careful review of them can provide useful insights and suggested actions that can be used as input for updates that will allow your organization to develop a program that responds appropriately. Generally, the gap assessment will reveal that the organization's capabilities fall into one of three general categories. The first category indicates significant gaps in the areas of policy and process to facilitate the identification, response and mitigation of the threat of identity theft. The second category may indicate that either formal or informal processes exist, but documentation may be lacking. The third category would indicate that processes exist, are appropriately documented and being applied within key areas of the company.
Once the gaps are identified within the program, developing and executing a “gap closure plan” is essential. For processes that exist and are appropriately documented, noting these and incorporating them into the program documentation will be essential. For processes that are functioning, albeit without adequate documentation, appropriate updates to existing policies and procedures can be completed and incorporated into the overall identity theft program efforts. Finally, attention should also be paid to developing or enhancing processes while considering existing identity theft and data protection efforts. The regulations include a broad range of criteria regarding detection and response to suspected identity theft. Determining which actions are appropriate for your organization is ultimately up to your team.
As stated above, the program must be documented and appropriate to the size of the organization. This will require that the relevant red flags be identified, the reporting structure and oversight of the program be appropriate, and that reporting of the effectiveness of the program be defined. The reporting aspect of the program is a key element that should be considered as the program is developed; specifically, the program documentation should include the types of reports that will be created and the frequency with which they will be reviewed by senior management. The program documentation should further contain specific references to appropriate policies and procedures that are involved. Documentation is a challenge, but the organizations should know what aspects of the rule actually apply to them, where it is applicable to their organization, and what practices already exist.
As with any change, as new processes are put forward, it is critical that the people involved receive adequate training. Focused training for the individuals involved can be an effective way to help the process work effectively. Training should be required on an ongoing basis, and the set of procedures around the red flags rule should be tailored to each organization.
In conclusion, while some of this regulation may seem burdensome, it is important to remember that its ultimate goal is to help prevent the threat of fraud from identity theft. Mitigation of these threats is not only an expectation outlined in this regulation, but an increasing concern and expectation of customers and employees.
Mark Steinhoff leads Deloitte's national financial services industry security & privacy practice, specializing in information security and privacy and data protection services consulting. Steinhoff is a regular speaker on privacy and security matters with over 24 years of experience, including information risk management, systems administration, and project management. He can be reached at firstname.lastname@example.org.