ID Theft Red Flags Examinations: What to Expect?Interview with Banking/Security Expert Bill Sewall As of Nov. 1, banking institutions are now eligible to be examined by federal regulators for compliance with the new Identity Theft Red Flags Rule.
So, what should banking/security leaders expect from their initial examinations?
In an exclusive interview, Bill Sewall previews his new webinar, "How to Prepare for Your First Identity Theft Red Flags Rule Exam," discussing:
Bill Sewall is an Information security, compliance and risk management specialist with 30 years experience as a corporate attorney and general counsel, CIO, information security officer, and operational risk manager. Most recently, Sewall spent 10 years as a senior executive information security officer in Citigroup, including management of the IS training and awareness program and responsibility for the Citigroup IS Policy and Standards.
In his career, Sewall has managed information security compliance requirements for one of the largest financial services organization in the world, implemented that institution's information security program at the business unit level and developed the information security awareness training program. He currently provides IS risk management and training services through ISRMC, LCC
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is Identify Theft Red Flags Rule Compliance, and we are speaking with a new expert on the topic, Bill Sewall. Bill thanks so much for joining me today.
BILL SEWALL: You're welcome.
FIELD: Bill, you've been immersed in this topic I know now for a couple of weeks, but before we get into talking a bit about that, why don't you tell us a little bit about yourself and your unique experience.
SEWALL: Well I spent the last 30 years in a variety of roles as corporate attorney, general counsel, chief information security officer, and operational risk manager. I spent the last ten years with Citigroup handling a lot of the information security tasks such as helping to write the Citigroup Information Security Policy and Standards and running their training and awareness program.
So I have had a pretty diverse experience both in the field trying to implement the nuts and bolts of information security, plus also doing the high level policies and procedures and things like that.
FIELD: So Bill, you've got a webinar upcoming for us, where you are really going to walk through the examination guidelines for the Red Flags Rule. In the time you've immersed yourself in that, how big of a task would you say Red Flags compliance is for banking institutions?
SEWALL: Well, assuming the bank has a good identity theft program already in place, there is really not going to be that much work. Basically it would be a documentation exercise. You will need Board approval, you will need to probably draft some specific documents on how you detect and handle Red Flag events, and probably enhance your incident response process and your training.
But if the bank does not have a good identity theft program in place already, then the task is going to be pretty monumental, and keep in mind it is not going to be Red Flags that is going to make it a big task; it is really getting the overall identity theft program up to speed.
So, Red Flags are really an enhancement to an identity theft program so if it is in place it is not a big job. But identity theft programs not in place, then yeah, it is going to take a lot of resources.
FIELD: So as you go through these examination guidelines, where do you find say the biggest "gotchas" for an institution?
SEWALL: I don't think there really are going to be gotchas. I mean it's a new regulation and it will be a new set of examination procedures and there will be that learning process, but the Address Discrepancy Rule, the Red Flag Rule that the regulators issue, they are all consistent and they are for the most part pretty straight forward; especially the Address Discrepancy Rules, they are pretty simple and the Red Flag Rules are almost a cut and paste out of the regulations themselves. So I don't think there is going to be any surprises in terms of the specific language of the examination procedures.
FIELD: Now do you see any specific areas that stand out as those that the institutions should prepare for in advance of this examination?
SEWALL: The one thing I'd focus on is one thing that all the regulators focus on that are the three critical words that a business must be able to detect, prevent and mitigate identity theft. And the regulators use these words so many times that they are sending through, I think, a message that says you have got to have a seamless integrated program that runs start to finish so you must be able to not only detect a Red Flag event, but you've got to be able to take steps to prevent it from causing harm to the customer or the bank, and you've got a way to mitigate it quickly and make sure it doesn't happen again.
So if the institution just adopts say a Red Flag program that identifies the 26 events but doesn't tell the employee what to do to resolve it or how to hand it off to the incident response team, it really has got a disconnect in that detect, prevent and mitigate requirement. So that is probably one of the things I would focus on is making sure I covered all three bases so that it is a seamless connection between all three and that there are clear handoffs between detection all the way through to the mitigation and even reporting to senior management.
FIELD: Now we've seen examination guidelines come from the OTS, the OCC, FDIC, NCUA, from what you have seen how will the exams differ from agency to agency?
SEWALL: Based upon the language and what the regulators are saying there should not be any difference at all really. The language in the regulations, the language in the examination procedures is exactly the same from agency to agency. There are some minor differences for example, the FTC had delayed enforcement of their requirements until next year, but that doesn't relieve businesses subject to FTC oversight from having to start compliance as of the November 1 deadline.
There will also be some minor differences in terms of how the actual examination is conducted. For example, the Safety and Soundness Examiners will be looking at the Red Flag program overall, while the Customer Compliance Examiners will be focusing on the Address Discrepancy provisions. And then if you have got automated systems for example that handle any of the Red Flag detection or resolution, then the Technology Examiners will be most likely looking at that. So overall there should not be any distinction between the agencies, but in terms of the details, for example there may be an assignment of responsibility amongst the examiners based upon how the agency sets up its overall team. But it should not be a major hurdle in terms of agency-to-agency discrepancies.
FIELD: Bill, you've just completed recording a webinar on the examination guidelines, walking through them step by step. What should prospective attendees expect from this session?
SEWALL: Well, basically I provide an overview of the basic requirements for the Address Discrepancy and Red Flag programs. I give you an idea of the laws from which they evolved and the regulations that were issued for them and then we go through, in detail, each of the examination procedures for these two areas and try to give you some tips and advice on how to prepare for them and deal with any problems that may pop up during the examination. And then at the end I go through quite a few resources that you could use to get further information.
And also there is a lot of stuff, miscellaneous detailed issues that need to be addressed in these examinations so I put together a checklist that you can use in advance to go through and make sure you covered the bases so that when the examinations start you know that you are in a good starting position to go forward. And also you can use the checklist juts for general compliance overview to make sure your Red Flag program does comply with the regulatory and examination requirements.
FIELD: One of the things I really enjoyed about your presentation was that you took time at the beginning to explain to the banking and security leader what they might do in advance of the examination. If you could pull from that one tip that you would offer in how best to prepare for this process, what would that be?
SEWALL: Well, you know, regardless of the type of examination you are going into, the one thing that I have always found is that the best thing you can do is to develop a good working relationship with your examiner or your examination team. I have found that if you can develop a relationship that is based upon trust and respect, it will save you a lot of grief and additional work during the examination.
Because inevitably problems are going to be raised, and whether they ultimately wind up in the report or not, you are going to need a way to quickly and effectively deal with those programs and demonstrate to the regulator that even if it was slip up, there is enough of a good rigorous program in place that it should not have any significant impact. And the only way you are going to be able to do that is to convince them that you have got a good program in place, and they are going to have to trust your judgment, your sincerity, in expressing how strong that program is.
So you know, one of the things I have always focused on in regulatory examinations is making sure I've got a good working relationship with that examiner. You know it also works on the other side, Tom, You also need to be sure that management is fully committed to the program because when that problem arises the regulator is going to want to see whether management either was aware of the program and is effectively trying to fix it. Or, if there was even an issue that came out of the blue management has the type of commitment that even if they don't fully agree with the finding, they realize that it is something they've got to focus on and they are committed to carrying it forward to some type of effective resolution.
So I think if you covered those two bases you will be pretty well prepared for any type of problem that may come up during the examination.
FIELD: Very good. Bill you've offered valuable insight and I know that people will get a lot out of your webinar so I appreciate you taking time today to give us some additional thoughts on it.
SEWALL: Well, thank you for the opportunity.
FIELD: We've been talking with Bill Sewall. The topic has been Identity Theft Red Flags Rule Compliance and the Examination Guidelines. For Information Security Media Group, I'm Tom Field. Thank you very much.