Identity Theft DEFENSES

Article excerpt


While liquidity, TARP capital and commercial real estate loan performance sizzle on front burners, compliance with the new "red flag" identity theft rules will no doubt still get attention when the examiners come calling. And the $1.5 billion-asset Rockville Bank in South Windsor, Conn., is certainly treating it as a hot issue.

While the community bank has had just one case of identity theft in its recent history, it has proactively sponsored identity theft educational seminars in its branches and at a home show. It has passed out "Fighting Back Against Identity Theft" brochures prepared by the Federal Trade Commission. It posts notices in its branches when a new scam surfaces in its market. It hosted an identity theft seminar for other bankers that drew a standing-room-only crowd of more than 500 people. It has raffled off shredders and sponsors shredding days when it brings trucks loaded with industrial-size shredders to its branches and invites customers to bring boxes of sensitive documents to be shredded. William J. McGurk, president and CEO, is committed to combating identity theft in all its forms.

Actually complying with the new rules didn't seem terribly difficult for Rockville Bank. "We essentially changed nothing," reports Karen Bryant, vice president for compliance and security. "We just built off an identity theft policy we already had in place." An outside consultant was called in to do a risk assessment and to help with the cross-referencing among relevant policies, a task which took some time for both Bryant and the consultant, but was easier than complying with the Bank Secrecy Act or the Gramm-Leach-Bliley Act, Bryant reports. "Except for the board reporting, which is now required, there wasn't much to change," she says.

During a safety and soundness exam in October, examiners asked the Rockville bankers if they would meet the Nov. 1 compliance deadline, but they did not inspect its plan. "We think we followed the guidance the regulators put out, so we should be all set, but we won't know for sure until we've had an exam," Bryant notes.

The $2 billion-asset Stillwater National Bank & Trust Co., in Stillwater, Okla., had examiners in the bank in October who took a cursory look at its Red Flags program and didn't raise any objections, reports Lori Miller, vice president and compliance officer. "We were already doing most of what they call for; we just had to organize it in the way they wanted."

Expecting Good Compliance

It's too early to tell what is working and what is not, asserts Ann Jaedicke, deputy comptroller for compliance policy at the Office of the Comptroller of the Currency. "We had a lot of conversations with community bankers leading up to November 1. They asked good questions and described good programs they were designing, so we're expecting good compliance. But we won't know for sure for several more months."

Things may not go as smoothly as many expect, however. According to Eduard Goodman, general counsel and chief privacy officer for Identity Theft 911, in Phoenix, Ariz., a significant number of community banks and credit unions are not ready. "Studies from before November 1 showed that less than one-third of all financial institutions would be compliant by the deadline, and I think that number is optimistic," Goodman says. It's not that the compliance standard is set so high; these mostly small financial institutions simply have not put their programs in place.

"The banks that brought in a consultant, identified the red flags that apply to them, organized a program, designated someone to be responsible and provided for reports to the board will be fine," Goodman predicts. "The ones that did nothing will be forced by the regulators to put a plan in place once an examination uncovers their neglect."

Until there has been time for examiners to inspect banks' Red Flag plans, it's all speculation, but the first round of examinations is likely to be soft, suggests Lucy Griffin, editor of Compliance Action in Reston, Va. …