For those of us that have been following the Red Flag Rules adoption for more than a year now, the recent arrival and passing of the November 1 compliance deadline allows us to pause to assess where we are — and where we are heading. One question seems to surface regularly these days:
How ready or compliant is the market today?
Well, I think it’s safe to say that the market is certainly not 100% home when it comes to compliance readiness.
Experian surveys registrants on our RedFlags online resource site. As of October 31 — a.k.a. ‘Compliance Eve’ — nearly half of the registrants (48%) fell into the category of ‘just starting to review the rules and determine a compliance plan’. Other industry surveys, interviews, and analyst reports suggest an even lower rate of compliance (closer to only one-third of covered institutions) in the market.
The Federal Trade Commission seemed to sense this market condition, and granted a six-month reprieve from Red Flags compliance enforcement – to May 1, 2009. While this extension is welcome news for those institutions falling under the FTC’s jurisdictional umbrella, other institutions are arguably out of compliance today, and face pending examinations in the coming months.
So, is the market ready today? The broad answer is a resounding ‘no.’
Much of the market’s effort has gone into the creation of written Identity Theft Prevention Programs as part of the Red Flag Rule requirements. How well will these written procedures be received by the examining agencies? How will these written programs translate into effective and (as importantly) manageable operational processes? The first wave of examinations will help answer some of these questions and concerns….and ongoing cost analysis (associated with: referral volumes; application acceptance rates; manual or automated processes; and, of course, fraud losses) will help paint a clearer picture in the months to come.