Loading...

How Red Flags Rule affects risk managers and compliance officers, Part 1

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis.  And meeting today’s regulatory requirements is more complicated than ever.  Risk managers and compliance officers are asked to consider many questions, including:

1. Do FACTA Sections 114 and 315 apply to me?
2. What do I have to do to comply?
3. What impact does this have on the customer’s experience?
4. What is this going to cost me in terms of people and process?

Interpretation of the law or guideline – including who it applies to and to whom it does not – varies widely.  Which types of businesses are subject to the Red Flags Rule?  What is a “covered account?”  If you’re not sure, you’re not alone – it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule, while this healthy debate continues.

And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay? But we’re not talking about just protecting consumers from identity theft and reducing fraud and protecting themselves using the Identity Theft Prevention Program.

The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering.  Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly.

So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule which cause heartburn for those tasked with compliance…but are there some common themes and requirements across the two?  The short answer is Yes.  In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.