Is Your CU Ready To Raise The Red Flag? Alliant CU Lays Out Its Compliance Plan

WILLIAMSBURG, Va. - No credit union has raised the victory flag on its Red Flag program against identity theft, according to panelists at the recent CUNA Technology Council (CTC) Summit here, but Alliant CU of Chicago laid out part of its program at a session titled "New Red Flag Rules."

"We don't know of any credit union that has completed its Red Flag program; most are in the process of creating it," said Brian Warfel, chair of the CTC Executive Committee and SVP-sales and service at Power Financial CU in Pembroke Pines, Fla.

Federal credit unions must document and implement a program to prevent, detect and mitigate identity (ID) theft before Nov. 1 under the NCUA's new "Red Flag" rules, or Final Rule 12 CFR Part 717, said Cliff DeGroot, attorney and CPA with Portland, Ore.-based Farleigh Wada Witt Attorneys.

A Red Flag is any pattern, practice or activity that indicates possible identity theft. The NCUA Red Flag rules are drawn from The Fair and Accurate Credit Transactions Act of 2003 (FACTA) Section 114. Credit unions can comply with the rules using an eight-step process, DeGroot suggested.

Bill Podborny, director, information security at Alliant CU, showed the credit union's Red Flag policies to the group of about 35 attendees, policies that include frameworks to help score and respond to ID theft risks.

Using a Microsoft Excel spreadsheet, the $5.4-billion CU drew up a risk scoring framework that considers each type of Alliant account (on the vertical axis) against three risks: how the account is opened, how it is accessed and whether the account type has been vulnerable to ID theft in the past (on the horizontal axis).

"We didn't want to overcomplicate matters, so we decided not to assign risk to the type of account," Podborny said. "We found it wouldn't really adjust the score that much."

Alliant assigns scores to represent the risks for opening and accessing each account type, Podborny explained. Then, the CU multiplies the total score for each account type by a score representing how vulnerable the account type has been in the past.

The risk scoring framework is Alliant's attempt to satisfy NCUA requirements to identify consumer accounts that bear repeat transactions or any other foreseeable risks.

A second spreadsheet allows Alliant to document its planned responses to ID theft incidents, Podborny continued. This "response matrix" lists every risk according to FACTA (26 in all, according to DeGroot) as well as a section for any future risks that are not detailed by FACTA.

Alliant filled in its response procedure for each risk and asked its third-party vendors to do the same. FACTA Section 114 details appropriate responses for each risk, DeGroot added. The spreadsheet also contains a column in which Alliant can document the course of action it took in response to any Red Flags.

Podborny then outlined Alliant's Red Flag program in three focus areas: members, employees, and IT.

Member education will play a big part in preventing ID theft, said Podborny. In addition, Alliant employs transaction monitoring, multi-factor authentication and account verification through credit bureaus and a check verification service.

The CU provides members with automatic account alerts, and the call center asks members to verify identity with a PIN. Alliant is considering scanning driver licenses and adding code words to accounts to improve ID verification.

"We're also screening employees to make sure they're not performing ID theft," said Podborny. "And training helps us check to see if tellers are following the policies and whether they can recognize things like phony ID cards."

"That initial training of your new or additional policies should only take about 4 hours," DeGroot said.

The Alliant IT team addresses Red Flag with "extensive" security, including independent audits and quarterly vulnerability scans, Podborny continued. Fraud prevention and detection systems for online and core platforms; responses to phishing, smishing and vishing; a Data Loss Prevention system; and log consolidation, correlation and reporting round out the arsenal, he said.


For info on this story:

www.alliantcreditunion.org

www.farleighwitt.com

www.ftc.gov/opa/2007/10/redflag.shtm

(c) 2008 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved. http://www.cujournal.com/ http://www.sourcemedia.com/

