Waving a red flag

Comments in response to proposed rulemaking on identity theft

Security Strategies Alert By M. E. Kabay, Network World
March 27, 2007 12:09 AM ET
In my last two columns, I introduced the Notice of Proposed Rulemaking to help protect customers of banks and other financial institutions against identity theft. The NPRM was published in July by a consortium of federal regulatory agencies. They issued a list of warning signs (“red flags”) of identity theft that financial institutions should act on to prevent identity theft.

In this final column on the subject, I review some of the comments in response to the NPRM published on the Federal Reserve Web site.

Some of the early comments were from individuals at small banks; in some cases, the banking staff appeared to believe that repeating emotional expressions from multiple employees of a single bank would carry weight with the regulators. These repetitive comments were along the lines of “Financial institutions are absurdly overburdened” and were devoid of any substantiating evidence or argument.

Some of the contributions were flatly unprofessional; representing expletives with punctuation marks is not a good idea for any professional at any time - and especially not when his comments will be published on a government Web site for anyone to inspect. Do people not grasp that their comments are to be made public?

In the MSIA program at Norwich University, we require students to participate in online discussions; the Student Handbook specifically warns:

“Student discussion contributions are graded on the basis of research, articulation of rational arguments, and contributions to the class’s knowledge and understanding of the topics under discussion. Unsubstantiated opinions devoid of analysis or explanation are tolerated but not rewarded.”

I wish that a similar warning were posted on all requests for comment.

Despite the agitated pawing and snorting of some of the respondents reacting to red flags, some of the comments, especially those prepared by various associations of bankers, made substantive contributions to the discussion. For example, Attorney Pat Caldwell, writing on behalf of BancorpSouth, wrote a thoughtful analysis that emphasized the dangers of duplication and overlap between the proposed rules and existing regulations such as elements of the Gramm-Leach-Bliley Act and of the USA PATRIOT Act. In addition, the attorney raises the question of how to meet the need to interfere with fraud while preserving adequate customer service.

The American Bankers Association wrote in its thoughtful response:

“We conclude that the proposed regulatory language in many cases falls short of these stated intentions. Instead, we believe that the proposal runs a high risk of creating an artificial, stagnant, mandatory checklist regime that will not effectively advance the goals of detecting and preventing identity theft and fraud. We fear that unless these shortcomings are addressed, the result will be a diversion of resources from effective detection, investigation, and corrective action and will necessitate wasteful expenditure on burdensome, paperwork-laden compliance exercises. Bankers’ attention will be drawn into wasteful but obligatory drills to justify each judgment call made under a good faith effort to defeat identity thieves and fraudsters.”

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.