In-Depth

ID Theft Red Flags: The Challenge for IT

What enterprises and IT must do to enhance their risk-management program.

By David Miner

For some financial and credit institutions, complying with the Identity Theft Red Flags Rules recently finalized by the Federal Trade Commission is simply a matter of formalizing existing controls. With consistent protective policies and procedures already established, it is business as usual for these organizations as the May 1, 2009 deadline approaches.

For organizations whose programs for detecting, preventing, and mitigating identity theft are still under development, the recent legislation likely provides an incentive to enhance their risk management program to protect against the losses associated with fraudulent activities. After all, identity theft comes with a hefty price tag. According to a report by Javelin Strategy and Research, identity theft cost consumers and businesses $52.7 billion in 2007.

The good news is that a growing range of options is available to enable financial and credit institutions to mitigate risks and strengthen their security posture in the face of this corrosive threat. By augmenting existing security strategies with best practices for identity theft prevention, organizations can be prepared to meet the requirements of the ID Theft Red Flags Rules and proactively preserve their brand, improve customer loyalty, minimize losses, and avoid liability.

Signals of ID Theft

The Red Flags Rules require financial institutions and creditors with accounts at risk of fraudulent activity (including consumer accounts) to develop and execute an identity theft prevention program in connection with new and existing accounts. The program must include policies and procedures for detecting, preventing, and mitigating identity theft.

Institutions must be able to identify relevant patterns, practices, and activities that signal possible identity theft and incorporate those red flags into their program, detect, respond to those flags, and keep their program updated.

Red-flag activities include address changes followed by unusual customer activity, which can include requesting an additional or replacement debit card, submitting altered or forged identification papers, and conducting unusual credit activity (such as an increase the number of accounts or inquiries).

Expert Assistance

Within some organizations, suspicious account activities are currently addressed using existing processes and procedures. However, many financial institutions and creditors prefer to delegate these and other critical security responsibilities to a service provider with expertise in detecting and preventing identity theft.

For example, a growing number of organizations are hiring an online fraud protection expert to serve as the primary contact point for identity theft and online fraud protection issues. This individual works hand-in-hand with the organization to optimize processes for managing security-related issues, giving them the onsite security expertise, without the burden of hiring, training, and retaining such individuals in-house.

An onsite security expert can help ensure all policies and procedures are being followed, including response identification of, and response to, red flag activities. The individual helps monitor the wide range of fraud events which may be triggered by the organization’s security systems, and makes sure automated controls to those events are effectively responding to them. If an exception occurs, the expert can provide rapid analysis and immediately take action to remediate the problem.

Additionally, he or she is able to provide critical reports to auditors and demonstrate the organization has the resources in place to coordinate its response to identity theft activity and online fraud, monitor the effectiveness of and enforcement of the risk management policies and procedures, and meet the compliance needs of the Red Flags Rules, GLBA, FFIEC, and other standards and regulations.

Tech Tools

Of course, the Red Flags Rules represent only a small portion of a complete program to protect against online fraud and identity theft. Other components are needed to guard against brand erosion, minimize losses from online fraud incidents, reduce the risks associated with online transactions, avoid potential litigation caused by security breaches, and stay current with the latest threats.

Phishing monitoring may be used to leverage e-mail scanning, domain monitoring, Web log analysis, abuse mailbox monitoring, and other technologies to identify phishing attacks and other threats to the organization’s brand.

Transaction monitoring, malware intelligence, and analysis are also vital. These components track transactions on back-office systems, block fraudulent activities, observe malware targeting the organization’s specific brand, and analyze new malware behavior. A comprehensive program also includes online fraud incident response and countermeasure capabilities to ensure rapid response to attacks in order to minimize losses and safeguard brand reputation.

Consumer Awareness and Education

One of the most important components of a comprehensive online fraud and identity theft prevention program is consumer education and protection. Financial institutions and creditors can significantly strengthen this link in the security chain by helping customers understand how identity theft can occur and how to avoid becoming a victim.

For example, with the growing focus on the importance of sound processes and procedures in security, more financial institutions and creditors are passing along recommendations to their customers. Suggestions include disabling file sharing, using discretion when opening attachments, reviewing bank and credit card statements regularly, patching computers’ operating systems, locking home mailboxes, and shredding bank and credit card statements.

Organizations are also providing links where customers can get more detailed information on preventing identity theft and reporting suspicious activity. Experts may also recommend technologies consumers can use to secure their computer systems.

With the right combination of people, processes and technologies, financial institutions and creditors can create a more secure and resilient environment to conduct business. As industry and government continue to outline programs such as the ID Theft Red Flags Rules to protect businesses and their customers, investing in proven services and tools to proactively fortify operations and infrastructure will likely continue to pay dividends far into the future.

David Miner is senior director financial services industry solutions worldwide marketing at Symantec Corp. You can reach the author at [email protected].

Must Read Articles