On November 1, financial services providers and other entities will be required to comply with the "red flag" provision of the Fair and Accurate Credit Transactions Act. The regulation calls for tougher fraud prevention to protect consumers' personal data. Many banks, however, are not prepared for the new rules, say insiders.
The red flag regulation is the result of efforts by the financial services regulatory bodies and the Federal Trade Commission to create guidelines to identify activity that might indicate possible identity theft or raise a "red flag." The rule requires banks to have solutions in place to detect, prevent and mitigate identity theft in both new and existing accounts.
But exactly how organizations must do this is unclear, according to Matt Shanahan, SVP of marketing with AdmitOne, an Issaquah, Wash.-based provider of risk-based authentication software for the online channel. The regulation "is still very vague with regard to how [banks] must comply," he says. "[It] tells you what to achieve, but not how to achieve it. ... A lot of financial institutions aren't acting right away."
According to a recent LexisNexis survey of approximately 1,100 bankers, 84 percent either hadn't started their red flag projects or were very early on in their efforts, reports Deb Geister, director, fraud prevention and compliance software, with the Dayton, Ohio-based firm. "The challenge is that it's open to interpretation," she explains.
Adding to the lack of action by banks is the fact that, when compared to similar regulations, there isn't much publicity around the red flag rules, contends Avivah Litan, VP and distinguished analyst with Gartner (Stamford, Conn.). While there's a need for this kind of legislation, she says, people aren't paying it much notice, even among the regulators.
"There's not as much attention being paid to red flag as there was around the FFIEC guidance [on multifactor authentication]," Litan asserts. "There's no proactive campaign and no real red flag champion."
Leveraging Existing Investments
Still, many banks already may have the pieces in place to comply with the red flag rule, experts say. According to AdmitOne's Shanahan, banks will look to leverage the fraud protection solutions they already have in place. "Another layer of [technology] investment won't make sense. Red flag lets you reanalyze all the siloed initiatives you have in place and integrate those solutions better," Shanahan explains.
"You want to look at your existing practices and see how you can augment them for red flags so you're just making adjustments to the systems," adds LexisNexis' Geister. Transaction-monitoring products, for example, can be tapped for red flag compliance, she says.
This type of reuse can apply to vendors, too. Rather than releasing a new suite of products for red flag compliance, LexisNexis is enhancing its existing solutions with, for example, additional detection scenarios, Geister explains.
Yet even with technology recycling, the red flag mandate can be a burden -- especially for small banks. "[Red flag] will be a challenge, especially for the regional and community banks, because as the larger organizations harden their systems, fraudsters will look for softer targets down-market," predicts Todd Cooper, VP, financial intelligence unit, with Wolters Kluwer (Minneapolis/Amsterdam). "The impact on some financial institutions can be tremendous in terms of the systems they need to embrace in such a short amount of time."
Related Sidebar: Complying for All the Wrong Reasons
According to a survey of 50 banks by Stamford, Conn.-based Gartner, 60 percent of bank managers believe they already are red flag-compliant. When asked to rate their motivations for beefing up security on a scale of 1 to 7 (7 being "extremely important" and 1 being "not at all important"), however, participants ranked compliance as the No. 1 driver (6.58 average), ahead of improving fraud prevention (6.26) and increasing consumer confidence (6.22).