MBA Tech NewsLink recently talked with Brad Kelso, vice president and director of marketing and product development at Informative Research, Garden Grove, Calif.
Kelso has 22 years of experience in the financial services industry; Prior to joining Informative Research, Brad led Countrywide’s credit fraud initiatives and system development efforts with credits as a national expert and speaker on Authorized User Score Fraud. He is the primary architect of two products related to identity fraud for the mortgage industry, the last of which, Informative Research’s Red Flags Risk Platform, is a specialized solution to the Fair and Accurate Credit Transactions Act requirements.
MBA TECH NEWSLINK: Why should Red Flags compliance be viewed as a necessary burden?
BRAD KELSO: Whether a lender or broker, the compliance burden is mandated by federal laws--FACTA and FCRA [the Fair Credit Reporting Act]. These laws are enforced by bank lending regulators or by the Federal Trade Commission for brokers. The laws attempt to ensure better consumer protection from identity theft and private information misuse.
Perhaps more importantly, added scrutiny on loan fraud and loan quality overall (losses from negligence) make Red Flags’ requirements to “Detect, Prevent and Mitigate” more than just a “drive-by” procedure for compliance purposes only. Compliance failure can legitimately influence the viability of any loan originator.
NEWSLINK: What are the potential risks of not complying?
KELSO: The stated dangers of non-compliance are simply fines—up to $3,500 per occurrence. These may be enforced by any of the regulatory entities: the Treasury Department through the Office of the Comptroller of the Currency, the Office of Thrift Supervision, with strong impact from the Federal Deposit Insurance Corp. or the Federal Savings and Loan Insurance Corp.
Yet beyond fines, there are greater concerns. For banks and credit unions, decreased safety and soundness ratings from compliance audits can yield decreased ratings that raise deposit insurance costs that dwarf potential fines. Lower soundness ratings may also impact the qualification for federal funds, bailout monies through TARP, and other federal borrowings. A depository lender’s own reputation as reflected by its fiduciary brand, defines its ability to attract capital, depositors, and reputable borrowers. Any publicized failure, especially those implying negligence, can cause broad erosion of the lender’s credibility.
For brokers, the FACTA Red Flags requirements and obligations are, practically speaking, reduced in scope. Still they are heavily influenced by the lender’s own origination practices. Brokers DO NOT have a free pass just because they are not the lender of record. They are subject to the same fines through the FTC. Lenders may vary in their requirements for their service vendors, but all brokers they will all have to independently show compliance with the Guidelines.
NEWSLINK: What simple best practices can financial institutions implement as a foundation for Red Flags compliance—if they haven’t done so already?
KELSO: A compliance foundation can be attained in three steps:
Step 1. Understand the Regulations in YOUR Context
a. Read the FACTA regulations
b. Understand the regulations as they apply to your operations
c. Focus on the 26 Suggested Red Flags issues, again as they apply to your business.
Step 2. Identity and actively prioritize the risks for policies and procedures
d. Prioritize your potential identity failure points (the practical risks of ID theft/ misuse) for both the consumer AND the entity across each of FACTA’s 26 suggested elements noting what you are doing today to ‘detect, prevent and mitigate’ the risk flag by flag.
e. Draft policies and procedures to address the risks and match those efforts to your assigned priority
f. Assess automated products and services as a means of addressing 80 percent of the identity issues, avoiding “generic” identity risk products that create unnecessary false positives or replicate any of your existing mortgage practices.
Step 3. Integrate, Document and Adopt
g. Integrate the automated and manual procedures matched back to the policy.
h. Establish a tracking and reporting mechanism
i. Get board buy-in and approval and use the tracking to report to the board.
NEWSLINK: Are there “gray areas” in the FTC rules that financial institutions should know about?
KELSO: The biggest gray area is that each entity must have a comprehensive policy and procedure response, yet there is no exact definition of what those policies and procedures must say. Despite its growth, identity fraud is still a risk area that many have not had experienced directly. They lack an understanding of what fraudsters do. This makes it tough to effectively write policies and procedures that prevent it.
So, the true “gray area” is quite literally in the “gray matter” that has to be applied to cover all the elements of the regulation.
Entities are essentially “on their own” to consider the 26 FACTA guidelines and to define their own risk tolerance, not just for their customers, but for themselves. Since there is no clear “minimum standard” there is also no single solution, despite what vendors may otherwise claim with fraud alerts, consent based social verifications and the like. Identity products will only get you so far toward compliance.
The good news is, since there is no one “right” path to detect, prevent and mitigate ID fraud, regulatory audits will most likely focus on whether the institution has been “adequate” in considering the suggested guidelines, justifying its response and then executing. Lenders are used to establishing such risk processes. Brokers however, will generally have to ramp up their efforts to mimic the lenders they serve and make sure they have a proven audit trail enough to evidence those responses.
NEWSLINK: Will fraudsters find ways to stay ahead of the game?
KELSO: Fraudsters always find ways to stay ahead; it’s an integral part of their job. In fact, an important intrinsic reward for white collar criminals is to invent ways to beat the system. When systems change, experienced crooks will confide that it culls out "amateurs" and offers increased opportunities and rewards for “pros.” Some even use their occasional incarcerations (going to “camp”) to develop insights from other fraudsters on beating the system-an odd form of career development.
Increased fraud protections on one front often gives false security to institutions who, believing they’ve tightened defenses, inexplicably divest themselves of previously effective deterrents. A case in point: collusive fraud involving insiders is still among the most prevalent and damaging. Identity fraud prevention efforts could shift attention away from preventing collusion, even though historically, the losses from collusion with appraisers, agents or straw buyers, etc. are far greater.
A final thought: consider that the adoption of video cameras for banks hasn’t necessarily prevented the incidence of robberies; rather, its only allowed the criminals to admire their work, masks and all, on the ten o’clock news.