A Bank Systems & Technology article, "Agencies Issue Proposed Rule on Identity Theft 'Red Flags'", reports that US federal banking regulators are proposing new rules requiring banks to monitor customers' accounts for signs of identity theft as part of their standard operations:
The proposed regulations include guidelines listing patterns, practices and specific forms of activity that should raise a "red flag" signaling a possible risk of identity theft. Under proposed regulations, an identity theft prevention program established by a financial institution or creditor would have to include policies and procedures for detecting any "red flag" relevant to its own operations and implementing a mitigation strategy appropriate for the level of risk, according to a release from the agencies.
Although it is likely that banks will come back with questions regarding this proposal, an identity theft program looks close enough to their ongoing anti-money laundering (AML) programs that there should be little additional compliance burden. Specifically, the AML program mandated by the Bank Secrecy Act (BSA) already requires monitoring for suspicious activity, including specific money laundering 'red flags'.
It is likely that financial institutions will be able to leverage current technology, or use this proposal as a driver to invest in appropriate technology, so that the automated monitoring and analysis of transactions and activities they already perform also encompasses the identity theft 'red flags'. From the Bank Systems & Technology report:
The proposal lists 31 red flags in connection with an account application or an existing account, including:
- A notice of address discrepancy is provided by a consumer reporting agency.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
- An account that has been inactive for a reasonably lengthy period of time is used.
- The financial institution or creditor is notified that the customer is not receiving account statements.
- An employee has accessed or downloaded an unusually large number of customer account records.
It would surprise me if some of these items were not already included in the AML program. For example, Know Your Customer requires that an institution verify the identity of new customers, so discrepancies with other sources of information should already raise a flag automatically. Not all 'red flags' will apply to every bank, and each institution's risk assessment will help mould the scope of the new compliance program.
James Taylor often blogs about the capabilities of business rules and decision management to address these types of issues. Once in place, these systems enable institutions to respond to this type of compliance monitoring rapidly and with minimal incremental cost. These approaches, along with basic monitoring within BPM processes such as New Account Opening, could provide everything that is required across a range of identity theft, fraud and AML requirements. Another approach to look at is Aungate, which has examples of background monitoring capabilities.
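To make the "business rules" approach concrete for the red flags quoted above, here is an added example (not code from the article, the regulators, or any of the products mentioned) of a small rules engine that evaluates four of the listed flags over a stream of account events and maps each hit to a mitigation scaled to its risk. The event types, the 180-day dormancy threshold, the employee record-access baseline, the risk tiers and the mitigation text are all assumptions chosen for illustration; the sample accounts and events are constructed, not real data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Risk tiers and the mitigation each tier triggers. Assumed policy for illustration,
# not the proposed rule's own text.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}
MITIGATION = {
    "low": "log for periodic review",
    "medium": "re-verify identity before honouring the request",
    "high": "hold the activity and escalate to the fraud team",
}

# Assumed thresholds; a real programme would set these from its own risk assessment.
DORMANT_AFTER = timedelta(days=180)   # account counts as dormant after this much inactivity
RECORD_ACCESS_BASELINE = 40           # typical customer records an employee touches per day
BULK_MULTIPLIER = 5                   # flag when a day's access exceeds baseline * multiplier


@dataclass(frozen=True)
class Event:
    kind: str                      # cra_notice | transaction | customer_report | record_access
    when: date
    account: Optional[str] = None  # None for employee-side events
    detail: str = ""               # notice type, complaint reason, or employee id
    count: int = 0                 # records accessed (record_access only)


@dataclass(frozen=True)
class Rule:
    name: str
    risk: str
    applies: Callable[[Event, Dict[str, date]], bool]


@dataclass(frozen=True)
class Finding:
    rule: str
    risk: str
    account: Optional[str]
    mitigation: str


def dormant_account_used(ev: Event, last_activity: Dict[str, date]) -> bool:
    last = last_activity.get(ev.account or "")
    return ev.kind == "transaction" and last is not None and ev.when - last > DORMANT_AFTER


def bulk_record_access(ev: Event, _last: Dict[str, date]) -> bool:
    return ev.kind == "record_access" and ev.count > BULK_MULTIPLIER * RECORD_ACCESS_BASELINE


# Each rule is data: a name, a risk tier, and a predicate. Adding a new red flag is one entry.
RULES: List[Rule] = [
    Rule("address_discrepancy", "medium",
         lambda ev, _: ev.kind == "cra_notice" and ev.detail == "address_discrepancy"),
    Rule("statements_not_received", "medium",
         lambda ev, _: ev.kind == "customer_report" and ev.detail == "statements_not_received"),
    Rule("dormant_account_used", "high", dormant_account_used),
    Rule("bulk_record_access", "high", bulk_record_access),
]


def evaluate(events: List[Event], last_activity: Dict[str, date]) -> List[Finding]:
    """Run every rule over the events in date order, tracking account activity as we go."""
    seen = dict(last_activity)          # don't mutate the caller's account master
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.when):
        for rule in RULES:
            if rule.applies(ev, seen):
                findings.append(Finding(rule.name, rule.risk, ev.account, MITIGATION[rule.risk]))
        if ev.kind == "transaction" and ev.account:
            seen[ev.account] = ev.when  # a dormant account is only "reactivated" once
    return findings


def account_risk(findings: List[Finding]) -> Dict[str, str]:
    """Highest risk per account; two different flags on one account escalate it to high."""
    rules_hit: Dict[str, set] = defaultdict(set)
    worst: Dict[str, str] = {}
    for f in findings:
        if f.account is None:           # employee-side flags are not tied to an account
            continue
        rules_hit[f.account].add(f.rule)
        current = worst.get(f.account)
        if current is None or RISK_ORDER[f.risk] > RISK_ORDER[current]:
            worst[f.account] = f.risk
        if len(rules_hit[f.account]) >= 2:
            worst[f.account] = "high"
    return worst


# Constructed sample data (not real customers, employees or transactions).
ACCOUNT_LAST_ACTIVITY = {
    "A-100": date(2006, 1, 5),   # untouched for months
    "A-200": date(2006, 8, 1),
    "A-300": date(2006, 8, 1),
}
SAMPLE_EVENTS = [
    Event("transaction", date(2006, 9, 1), account="A-100"),                         # 239 days idle
    Event("cra_notice", date(2006, 8, 10), account="A-200", detail="address_discrepancy"),
    Event("customer_report", date(2006, 8, 20), account="A-200", detail="statements_not_received"),
    Event("transaction", date(2006, 8, 15), account="A-300"),                        # normal activity
    Event("record_access", date(2006, 8, 16), detail="E-7", count=350),              # 350 > 5 * 40
    Event("record_access", date(2006, 8, 16), detail="E-9", count=60),               # within baseline
]


def run_sample() -> List[Finding]:
    return evaluate(SAMPLE_EVENTS, ACCOUNT_LAST_ACTIVITY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.risk:6} {f.rule:24} {f.account or '-':6} -> {f.mitigation}")
    print(account_risk(run_sample()))
```

Two design points matter for the audit burden discussed further on: the rules are plain data, so the list itself is the documentation of what the program checks, and every finding carries the rule name, tier and mitigation it was assigned, which is exactly the record an examiner will ask for. The escalation in `account_risk` is what turns two individually modest signals (an address discrepancy followed by statements going missing on the same account) into the account-takeover pattern the proposal is aimed at.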
As with any compliance regulation, the documentation and periodic audit of the program and controls may end up being a larger effort than actually putting it in place. Well-designed automated systems reduce this burden by being effectively self-documenting and readily available for audit. A decent document management system, or an enterprise compliance management system (e.g. Certus), will hold all that documentation.
Since it seems that some banks already perform some of this monitoring as a fee-based service, this regulation may simply mean that one of their revenue streams is about to go away.