Red Flag Rules compliance demands a risk-based approach

Financial-services firms face significant risk if they cannot demonstrate compliance with the federal Red Flag Rules, which require organizations to implement a program that effectively detects, prevents and mitigates identity theft risk. In this tip, Michael Rasmussen explains how the rules require a risk-based approach and describes the elements involved in compliance, including oversight, policies and training.

Financial-services firms, as well as organizations in other industries, face significant risk if they cannot demonstrate compliance with the federal Red Flag Rules. The Red Flag Rules implement provisions of the Fair and Accurate Credit Transactions Act (FACTA), which amended the Fair Credit Reporting Act, and aim to reduce the threat of identity theft. An alarming number of organizations are unaware of the liability they face for non-compliance.

Some organizations are willing to sit back and see how the Red Flag Rules are enforced, since they are not a "policed" regulation. Regulators are not going to send out compliance cops to proactively check whether organizations are compliant; neither the FTC nor the financial regulators have any active plans to audit organizations on a proactive basis. Rather, the regulation is reactive: an incident invokes an investigation and liability. The trigger may be a data breach or an internal whistleblower notifying authorities or the public of an incident. Companies found to be non-compliant face both monetary penalties and potential civil litigation. The most significant risk comes from civil liability, where an individual can sue the corporation for actual damages from an identity theft breach; this also opens the door to class-action suits.

The Red Flag Rules aim to protect individuals from identity theft by ensuring that organizations which collect sensitive financial and personal information are actively monitoring the risk of identity theft. The rules offer 26 example key risk indicators (KRIs) of suspicious behavior; these are guidelines, not an exhaustive list, of what organizations should actively monitor. KRIs include altered documents, fraud alerts on credit reports, unusual account activity and suspicious address changes.
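To make the monitoring concrete, the following is an added example (not code from the article or its author) of a small red-flag monitor that evaluates four of the indicator types named above against constructed account events. The event shape, the account identifiers, the 30-day address-change window and the 5x transaction-spike factor are all assumptions chosen for illustration; a real program would tune them from its own risk assessment.

```python
"""Toy red-flag monitor for a handful of identity-theft indicators.

Added example; the Event shape, thresholds and account IDs are assumptions,
not part of the Red Flag Rules or the article.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    ts: datetime
    kind: str                       # address_change | card_request | credit_report | doc_review | txn
    detail: dict = field(default_factory=dict)


def detect_red_flags(events, address_window_days=30, spike_factor=5):
    """Return a list of (account, flag, reason) tuples.

    Rules (thresholds are assumed for the example):
      suspicious_address_change: card request within N days of an address change
      fraud_alert:               consumer report carries a fraud alert
      altered_document:          identification document judged altered at review
      unusual_activity:          one day's transaction count exceeds spike_factor times
                                 the account's average on its other active days
    """
    flags = []
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):      # process each account in time order
        by_account[ev.account].append(ev)

    for account, evs in by_account.items():
        last_address_change = None
        txns_per_day = defaultdict(int)
        for ev in evs:
            if ev.kind == "address_change":
                last_address_change = ev.ts
            elif ev.kind == "card_request":
                if last_address_change is not None:
                    gap = ev.ts - last_address_change
                    if gap <= timedelta(days=address_window_days):
                        flags.append((account, "suspicious_address_change",
                                      f"card request {gap.days} days after address change"))
            elif ev.kind == "credit_report" and ev.detail.get("fraud_alert"):
                flags.append((account, "fraud_alert", "fraud alert on consumer report"))
            elif ev.kind == "doc_review" and ev.detail.get("altered"):
                flags.append((account, "altered_document",
                              f"{ev.detail.get('doc', 'document')} appears altered"))
            elif ev.kind == "txn":
                txns_per_day[ev.ts.date()] += 1

        # Unusual activity needs at least one other day to form a baseline.
        if len(txns_per_day) >= 2:
            peak_day, peak = max(txns_per_day.items(), key=lambda kv: kv[1])
            others = [c for d, c in txns_per_day.items() if d != peak_day]
            baseline = sum(others) / len(others)
            if peak > spike_factor * baseline:
                flags.append((account, "unusual_activity",
                              f"{peak} transactions on {peak_day} vs ~{baseline:.1f}/day baseline"))
    return flags


def sample_events():
    """Constructed sample data (hypothetical accounts, not real records)."""
    t0 = datetime(2024, 1, 1)
    return [
        # A: address change, then a replacement card requested 4 days later -> flag
        Event("A-1001", t0, "address_change", {"new": "PO Box 77"}),
        Event("A-1001", t0 + timedelta(days=4), "card_request"),
        # B: same pattern, but the request comes 60 days later (outside window) -> no flag
        Event("B-2002", t0, "address_change"),
        Event("B-2002", t0 + timedelta(days=60), "card_request"),
        # C: consumer report pulled at application shows a fraud alert -> flag
        Event("C-3003", t0 + timedelta(days=2), "credit_report", {"fraud_alert": True}),
        # D: one transaction a day for five days, then a burst of twelve -> flag
        *[Event("D-4004", t0 + timedelta(days=i, hours=9), "txn") for i in range(5)],
        *[Event("D-4004", t0 + timedelta(days=5, minutes=m), "txn") for m in range(12)],
        # E: ID presented at account opening judged altered -> flag
        Event("E-5005", t0, "doc_review", {"doc": "driver licence", "altered": True}),
    ]


if __name__ == "__main__":
    for account, flag, reason in detect_red_flags(sample_events()):
        print(f"{account}: {flag}: {reason}")
```

Each flag is returned with the account and a human-readable reason so it can be routed to the investigations process and later fed back into the risk assessment; account B shows that the same indicator is not a flag outside the configured window, which is exactly the kind of threshold the risk-based approach expects an organization to justify.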

Compliance with the Red Flag Rules must take a risk-based approach. Organizations are not given a specific set of items to implement; there is no detailed checklist. Compliance is principle-based, focused on the outcome -- avoiding identity theft -- rather than on specific requirements. The organization is challenged to assess, monitor, mitigate and manage the risk of suspicious behavior -- red flags -- that indicates possible identity theft. At a high level, compliance involves:

A compliance program. Organizations need to implement a program that effectively detects, prevents and mitigates identity theft risk. This is effectively a risk-based process that identifies where identity theft may occur, assesses the significance of that risk, implements controls to mitigate the risk to acceptable levels, and monitors the corresponding KRIs to alert on suspicious behavior.

Oversight. The program needs to be managed on a continual basis by somebody who is accountable for its operation; for some organizations this may be a chief compliance officer, while in others it will fall to the CISO. Oversight of the program is essential, with clear lines of reporting to executives and the Board of Directors. As identity theft risk involves multiple areas and functions within the organization, the oversight role needs to build a collaborative effort to manage risk and compliance across legal, corporate compliance, information security, physical security, privacy, enterprise/operational risk management and records management.

Policies & procedures. An organization must implement and maintain clear and current policies and procedures that instruct individuals on how to protect and manage the security of sensitive identity information. This is fundamental to any compliance program and provides the foundation of what the organization expects in terms of behavior and control. Policies and procedures should have a single owner responsible for their development and maintenance, but be written collaboratively with all responsible parties. Every policy should be reviewed at least annually to validate that it is still appropriate and effective for maintaining compliance and managing risk. Policies that are outdated or that put the organization in a state of non-compliance must be addressed immediately.

Training. Publishing policies and procedures alone is not enough; organizations need to demonstrate that employees and business partners are adequately trained on compliance and on the defined policies and procedures. What courts and regulators expect is that organizations go above and beyond simple publication and availability of policies to demonstrate that individuals are trained and understand what is expected of them. A Red Flag Rules compliance program will therefore include an ongoing training program, in either a classroom or an e-learning environment, for employees and business partners.

Risk assessment. Organizations need to monitor continually for the risk of identity theft. At its base, this involves making sure people are who they say they are; authenticating identities is critical. A risk assessment is best done according to a standardized methodology. A strong choice for the risk management/assessment process is ISO 31000 (at the time of writing still a draft, built on the AS/NZS 4360:2004 Risk Management Standard). This methodology takes an organization through the risk management and assessment process and is easily adapted to managing identity theft risk and maintaining compliance.

Audit compliance. Red Flag Rules compliance requires regular validation of the program, policies, procedures, training and overall effectiveness of compliance. A cooperative effort should be in place between the management responsible for Red Flag Rules compliance and the internal audit function, and a regular audit schedule and workpaper plan should be implemented to monitor the effectiveness of the compliance program.

Investigations. A good risk management program for Red Flag Rules compliance will also have an integrated investigations process that helps the organization manage identity theft incidents. Each incident should be documented and loss to the organization should be measured. Loss metrics and data are fed into the risk assessment process to help the organization learn from incidents and calculate exposure based on the history of events.

About the author: Michael Rasmussen ([email protected]), a governance, risk and compliance (GRC) expert, is with Corporate Integrity, LLC. He is a keynote speaker, author and collaborator on GRC issues around the world and is noted for being the first analyst to define and model the GRC market for technology and professional services. Corporate Integrity, LLC is a strategy & research advisory firm providing education, research and analysis on enterprise governance, risk management and compliance.
