The Field Report
There are 18,000 banking institutions in the U.S., and somebody has to blog about their breaches, concerns and security successes.
We are in the process of analyzing data from the Identity Theft Red Flags survey we recently administered - a survey that aims to gauge the current readiness of financial institutions as they move toward complying with new guidance from the banking agencies regarding their identity theft prevention programs. Many of the questions focus on how financial institutions are dedicating resources for this effort, what have been the most significant challenges moving toward compliance, and how their identity theft prevention programs are being managed. Two questions stand out to me though, and the responses are somewhat disappointing.
In one question we ask, "How will you measure the success of your Red Flags program?" and in another, "How does the Red Flag guidance affect your current customer awareness program?"
The Identity Theft Red Flags guidance ultimately means a standard has been set for financial |
Instead, financial institutions rely on what they are told to do, more so, HAVE to do - according to regulatory guidelines. So, to say that financial institutions want to dedicate more time, money and resources to combating identity theft - an issue which many times is untraceable to a single bank, credit union, retail store, etc. - would be false. And our survey data mirrors this notion. Close to 60% of the respondents say that positive feedback from regulators and passing external audits would be the measure of success of their new and/or updated identity theft programs - far more than any of the other responses. A scant 22% say greater security awareness among employees and customers would be a significant measure of success.
Back to the second question I mentioned above regarding how this identity theft guidance will affect current customer awareness programs. A mere 25% of respondents indicate that the guidance does not have much effect on their identity theft programs - they are already doing it well. No wonder a new guidance has been issued.
I will infer from the data that financial institutions are not doing a good job of educating their customers about information security issues, and they know it. More surprising, ultimately they don't care. They are not basing the success of their program on increased customer awareness - but rather what their regulators opine.
As someone who is part of an Internet business, involved in ecommerce and payments systems, I can feel for the financial institutions who say they are more concerned with how their examiners grade their identity theft program - as security isn't often as glamorous as a "shiny" new interactive website feature. However, as a consumer and banking customer, I feel slighted.
I will admit there seems to be something intangible about identity theft, that without a flawless authentication system you cannot really be totally completely 100% sure of someone's identity. But as a customer - of a bank and a business - I demand a certain level of security over my finances.
So, coming from the consumer inside of me that has a bit more insight into the security happenings of financial institutions than the average person, I am both worried and at least a bit encouraged by the Identity Theft Red Flags guidance. On one hand, it is a signal to consumers as a whole that there is a problem here, one that requires the banking agencies to take action. On the other hand, I also feel a bit empowered by the fact that financial institutions will have standards toward preventative measures against identity theft - ones they will be held accountable for, and minimum requirements for doing business in a time when consumers increasingly demand adequate security.
To banking customers, the Identity Theft Red Flags guidance ultimately means a standard has been set. It's up to each institution whether they are satisfied with just meeting regulatory requirements - or going beyond and touting their efforts as a means of marketing to attract new and retain current customers.