SCRANTON, Penn. - Credit unions are mixing technology with manual processes as they work to gradually comply with "Red Flag" rules.
"Most of the monitoring we do now is manual," said Charlene Jeffers, operations manager at $98-million Penn East FCU. Once a week, Jeffers uses a reporting tool to pull data and monitor "higher risk accounts."
However, about six months ago, Penn East started using technologies that verify member identity and deliver fraud scores based on the member's risk, profitability and any discrepancies in physical address.
The solutions-Qualifile, ID Verification and Address Analysis-are part of the seven-piece Red Flag Solution provided by Jacksonville, Fla.-based Fidelity National Information Services.
A red flag is any pattern, practice or activity that indicates possible identity theft. Federal CUs are required to document and implement a program to address identity theft by Nov. 1 under Sections 114 and 315 of The Fair and Accurate Credit Transactions Act of 2003 (FACTA), also known as the Red Flag regulations.
Most CUs, it seems, are calling their Red Flag program a "work in progress." In fact, half of all financial institutions won't make the Red Flag November deadline, according to a survey by Information Security Media Group, Princeton, N.J.
Penn East will rely more and more on automated Red Flag compliance as the organization expands, continued Jeffers. "When we add a third and fourth branch, I'm not going to want to monitor everything manually. It would be ridiculous."
Check fraud jumped to more than $20,000 in losses last year at Penn East, up from about $6,000 in 2006, said Jeffers. After implementing the FIS tools, the CU has had zero fraud loss to date, she said.
"We have seen loss lessen with the automation and training tellers and MSRs to recognize fraudulent checks," she added.
Although there are 26 Red Flag requirements outlined in FACTA, Penn East won't bother with some of them, said Jeffers. "Penn East is not doing the kind of business described in some of the Red Flags," she explained. Penn East hired a lawyer to help it beat the compliance clock, said Jeffers. "We're meeting to get a handle on what the procedures should look like. The lawyer is thrilled that we have ID Verification and Address Analysis and said that, especially as a smaller credit union, we're headed in the right direction."
Corporate America Family CU in Elgin, Ill., is still working on "a comprehensive plan to ensure Red Flag compliance throughout the organization," according to Peter Paulson, CEO of the $545-million CU.
Meanwhile, the CU's online branch is protected by Red Flag Pass, a "fully compliant" enhancement that's built into the credit union's Internet banking product, WebFederal3, offered by PM Systems Corp. (PMSC), Chapin, S.C., according to Freddie Glenn, CSO at PMSC.
"Red Flag controls will be used as part of the online member signup process and member profile changes, such as the change of address alert that is configured to notify both the credit union and the member," Paulson explained.
In addition, Red Flag Pass will check the information provided by new online applicants against the national credit bureaus and other databases, such as the OFAC, and applicants will be required to answer challenge-response questions that are generated from credit bureau data, he said.
Currently, Penn East doesn't allow members to open accounts or change addresses via the website, so Red Flag automation isn't necessary online, Jeffers said.
Corporate America doesn't have Red Flag automation in other business units but is likely to add tools as it develops its program, said Paulson.
"Technology is necessary for institutions to help deploy a consistent Red Flag strategy that is not labor intensive," suggested PMSC's Glenn.
The "Nigerian" and "lottery" check scams prompted Penn East to use the FIS solutions, said Jeffers. "Before, we were just using ChexSystems. Members were coming in with more checks that they weren't sure were good. We needed something that was automated and could give us more info."
(c) 2008
