The Tricky Business of Identity Theft Compliance

Article excerpt

Conditioning bank employees to spot suspicious customer behavior may be the biggest single challenge in complying with new regulations aimed at curbing identity theft, bankers say.

As it is, customer service representatives have to ensure customers are who they say they are, and under regulations set to take effect Nov. 1, they will have to be on the lookout for additional red flags.

For example, if a customer wants to report an address change, a bank employee might take that now at face value. But under regulations set forth in the Fair and Accurate Credit Transactions Act of 2003, the employee might be required to ask a string of questions to verify the customers identity all while trying to serve the customer quickly and not keep others waiting.

Customer contact people must think about production, taking care of customers, and be focused on the fact that good customer service goes beyond greeting them, said Lisa Carter, the compliance officer at the $184 million-asset Bank of Virginia in Midlothian.

Roughly 50 of its employees from branch managers to loan officers to tellers and call center representatives will need to go through three hours of training to learn how to detect and prevent a customers identity from being stolen. That includes reinforcement through follow-up training.

In addition, Bank of Virginia is figuring on conducting a smaller amount of refresher training each year for all the employees, as well as the entire package of training for new employees as they join the bank, Ms. Carter said.

The training requirements are a result of the latest regulations to come out of the FACT Act.

Last fall federal agencies approved final regulations requiring banks to implement a system to identify warning signs that a customers identity is at risk of being stolen. By Nov. 1 banks must be able to demonstrate to regulators that they have policies and procedures in place to identify and deal with the warning signs, and they must show that their employees are ready to follow those policies and procedures.

That means, in part, creating a board-approved policy that directs managers to create a program, outlines its features, and commits the bank to training employees and educating customers.

More in depth than the policy are the procedures that each area of the bank will use to spot identity theft, along with the internal controls surrounding those procedures, according to Rick Haney, the compliance officer at the $186 million-asset North Shore Bank of Commerce in Duluth, Minn.

The internal controls i.e., who is going to monitor the red flags that is where you are going to have time and money spent, he said. Maintaining that is the part that really hits the bank hard.

Regulators have developed a list of 26 red flags for bank employees, ranging from warnings on credit reports to suspicious documentation and unusual purchasing patterns. (A full list of the interagency guidelines on spotting, preventing, and mitigating identity theft is linked to this story at

Much of the responsibility for spotting the red flags will fall on front-line employees, such as tellers and call center representatives. Mr. Haney said that ongoing training will be required, because turnover is highest in those positions.

Though training may be the main challenge, bank executives say developing policies and programs is a big job in and of itself.

Bank of Virginia is working off a policy and program model provided by the Virginia Association of Community Bankers, but Ms. Carter expects customizing those documents to fit her bank to take her a solid week of work.

According to BVS Performance Systems, a Cedar Rapids, Iowa, provider of training for banks, the regulation is flexible in that it requires banks to implement programs tailored to banks size and complexity, as well as the scope of its activities. …