Procrastination is an affliction that can strike even the finest of bankers. And just like the student scribbling algebra homework on the bus ride to school, many bankers are going to be scrambling over the next month-and-a-half to get compliant with the U.S. FACT Act Red Flags rule.
The Nov. 1 compliance deadline is looming and many community bankers have yet to push their efforts into overdrive. In a recent survey conducted by research firm Gartner, 60 percent of respondents deemed themselves to be compliant, though more big banks were compliant than small. Sources say that 50-percent compliance for community banks seems accurate.
Orlando, FL’s Old Southern Bank, which has $250 million in total assets, turned to Compliance Coach in the first quarter for help, says the bank’s svp, chief compliance & BSA officer Susan deFreese. She says that the product has helped to automate the process, which has saved hundreds of hours of labor and costs.
The process has been a daunting one, though, says deFreese, who has a word of advice for those banks dragging their feet: Get moving. “[Getting compliant] is much more involved than I had originally thought it would be,” she says. “It’s much more involved with everything that has to be done and how it impacts the entire bank.”
Regulatory compliance software vendor Compliance Coach is headquartered out of San Diego and markets its CompliancePal product to help banks get compliant. The company’s chairman and CEO Sai Huda says that banks that don’t get into compliance will have to worry about monetary fines, receiving a cease-and-desist order or, perhaps worst of all, getting dragged into a class-action lawsuit.
“We are expecting lots of lawsuits,” Huda says. “The rule says that you have to put together an identity theft prevention program, so what’s going to happen is, if there are any breaches of information, the lawyers are going to jump at it because now they can allege unfair deceptive acts violations. Why? Because the bank can be alleged to not have followed the written identity theft prevention program it had. It didn’t walk the talk, and failing to walk the talk creates unfair, deceptive issues.”
For example, he says, auto dealers are considered creditors under the rule. If the bank never asks if they are in compliance, and the dealer didn’t comply and loses information, the bank, which buys the loans from the dealer or provides credit, could be held liable in court. Attorneys will be looking to the bank because they are the ones with the deep pockets and they are the ultimate creditor.
Huda says that this is not too far-fetched. Similar suits were filed under the Fair Lending Act in 2003 because dealer markups were greater for minority buyers than non-minorities, and several banks were forced to settle out of court, he says. The cost to a bank could run six or even figures.
CompliancePal identifies 34 new, proprietary Red Flags in addition to the 26 that were put together by the government. Huda says that several hundred national institutions have signed up, most of which are community banks, but he refused to give exact figures for competitive reasons. Huda also expects that number to reach into the thousands as the deadline approaches.
CompliancePal is similar to Intuit's TurboTax in that all the information is input and then the necessary compliance document, i.e., your tax return, is produced. In this case it’s an identity theft prevention program that can be taken to the board for approval. It’s a Web-based solution that costs a community bank with $165 million or less in total assets $295 per year. For institutions with up to a billion it runs $595 per year and for those banks with more than $1 billion in assets it costs $995.
While CompliancePal has made headlines with its 60 identified Red Flags, it’s hardly the only vendor on the market. Zoot Enterprises, The 41st Parameter, AdmitOne Security, Experian and Wolters Kluwer also tout their own Red Flags products.
Kevin Byrne, senior compliance consultant at Wolters Kluwer, says that he expects many bankers to take a wait-and-see attitude. Then, after this year’s examination cycle, if they get slapped on the wrist, they will have a whole year to know what to gear up for.
“That’s a scary position to take because I personally think that we are going to see heavy enforcement,” he says. “Previous enforcement issues and rules that have been out there don’t necessarily affect people like identity theft does, which is very near and dear to everyone’s heart. The Red Flags is going to have a lot more punch behind it; I think the examiners are going to be looking and expecting that these banks are working [to comply] to the spirit of the rule. If people aren’t prepared and they aren’t doing what they’re supposed to be doing, they’re probably, come Nov. 1, going to have a little bit of heartache.”
The Federal Trade Commission estimates that more than eight million people fell victim to identity theft in 2005.