Community banks could benefit tremendously from offering identity theft protection to clients, as long as managers learn from recent missteps by larger institutions in regards to add-on products.

A spike in data breaches has raised consumer awareness about identity theft and similar exposures, making protective products more appealing. This opportunity, however, comes at a time when a number of big banks have been hit with regulatory enforcement actions and fines tied to payment protection and other ancillary services.

The potential for regulatory risk means that small banks must carefully vet the services they offer and any third-party vendors they use, industry observers said.

"It will be increasingly attractive for banks to offer these third-party products, but there's risk they have to bear in mind," said James Kaplan, a lawyer at Quarles & Brady. "Bankers have to think about how they will address those risks before regulators ask them about it."

Regulators have been wary of financial institutions selling add-on products. Capital One Financial and Discover Financial Services paid hefty fines in 2012 for improperly marketing payment protection and identity theft protection services for credit cards. Bank of America and U.S. Bancorp also paid fines last year for issues tied to their billing and marketing practices.

While community banks have been reluctant to sell add-on products, identity theft protection could emerge as a relatively inexpensive way to earn fee income, industry experts said.

"This is an area that customers are concerned about," said Brad Sturm, chief executive of Coulee Bank in La Crosse, Wis. "They're going to ask you for information about identity theft protection, and if you aren't prepared to answer that then your reputation could suffer in some measure."

LifeLock, which offers identity theft protection directly to individuals and through bank partnerships, has seen increased inquiries following recent breaches, including those at Target and Home Depot, said Eric Warbasse, the company's senior director of financial services.

Greater Hudson Bank offers identity theft protection because it "provides extraordinary value to customers" while "encouraging their loyalty and compelling them to broaden their relationships with our bank," said Lynne Allan, the Middletown, N.Y., company's chief operating officer.

Smaller banks must be mindful of the regulatory environment, industry experts said.

Associated Banc-Corp in Green Bay, Wis., recently warned in a regulatory filing that its debt and identity protection products have "received increased regulatory scrutiny," and that enforcement actions, including civil money penalties, were possible. The $26.7 billion-asset company established a $5 million reserve last year to proactively address "legacy debt protection products," the filing said.

A representative for Associated declined to comment further.

The Federal Reserve Board declined to comment, while efforts to reach the Federal Deposit Insurance Corp., Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau were unsuccessful.

Regulators may regard fines for bigger banks as a way to get "the word out" about heightened scrutiny, said Steven Arnold, a lawyer at Manatt, Phelps & Phillips.

Community banks must be careful of several potential pitfalls. Executives should be careful to avoid charging customers an excessive amount compared with a product's value, which goes "right to the heart of unfair and deceitful practices," Arnold said.

MidWestOne Financial was close to selecting a vendor for its identity theft protection service when regulators began clamping down on bigger institutions, said Nick Pfeiffer, the Iowa City company's marketing officer. The $1.8 billion-asset company has "gone to great lengths in making sure it is very clear in what the product provides," he said.

Management never saw the product as a revenue driver — Midwest One charges a $2 monthly fee for the service — so employees lack an incentive to aggressively push the product on customers, Pfeiffer said.

"I think smaller banks tend to have a better relationship with their consumers, so they have the opportunity and ability to talk it through with a consumer," Pfeiffer said. "Smaller banks can make sure the product is a good fit, but it still depends on the consumer deciding whether it works for them."

Smaller banks must also be aware of the potential of misrepresenting the product, Arnold said. Risks include a lack of disclosure of important terms or failing to notify customers that the product costs money or is an optional service.

Finally, smaller institutions need to do their homework about vendors that offer add-on products, industry experts said. Regulators have been pushing banks to carefully vet their partnerships with outside companies.

"You can't just offer up your clients and disclaim all responsibility," Kaplan said. "If you do, you won't have that customer for very long. You have to protect your customers from products that don't work."

To avoid these issues, executives should review whether the vendor has a good track record of customer satisfaction and retention, Warbasse said. Banks also need to make sure that the enrollment process is clear so customers aren't being charged for a service they don't receive, he said. Clear communication is critical; customers should have just one point of contact for billing questions and requests to change plans.

"We endorse engaging in the compliance elements early on in partnership discussions," Warbasse said. "Different banks have different tolerances."

The $304 million-asset Coulee Bank was concerned about identity theft well before the latest data breaches, Sturm said. As criminals became more sophisticated, the bank decided it needed to provide more protection for consumers. The bank's identity theft protection product — it has two different levels — is one of its fastest-growing services, Sturm said.

Compliance, broadly speaking, is "like milking cows," Sturm said. "The job is never done."