Core Vendor and CU Work Together As Red Flag Rules Kick In on Nov. 1
WALTHAM, Mass. -- With new Red Flag identity theft rules adding more weight to the compliance load that financial institutions must carry, where are credit unions turning for help?
For some, it's their main provider of technology: their core processor.
That's the case at Credit Union On-Line, a Waltham-based CUSO that calls itself the first service bureau provider dedicated to the XP2 host platform from Fiserv's XP Systems.
"The demand for help with Red Flag has really grown exponentially over the past four to six months as the deadline approached," said Barbra Lowman, chief operating officer at CUOL.
The Red Flag rules deadline is Saturday, Nov. 1. That's the day that anti-identity theft rules put in place by the Fair and Accurate Credit Transactions Act of 2003 take effect.
The new rules require credit unions and other creditors to be responsible for having an updated program in place to spot possible avenues of identity theft and to be prepared to handle problems when they arrive, and to be able to prove that all this is happening.
Those requirements touch on policies, procedures and processes alike, in basically every member-facing area of the credit union, from account opening to debit and credit cards to share accounts and lending. And that includes the third parties that handle all that member data.
Jackie Patin, CEO of $25 million Louisiana Employment Security Federal Credit Union in Baton Rouge, is one of those CUOL clients who have turned to its core processing vendor for help.
"You have to bring all that activity together to coordinate it, and at a small credit union like ours and a lot of bigger ones, we wear a lot of hats and really just can't do that on our own," Patin said.
CUOL currently serves 25 credit unions ranging in size from under $1 million to about $575 million in assets and is drawing on the capabilities of the XP2 platform as well as its own internal solutions and staff to craft a port for the Red Flag storm.
For example, Lowman said, the XP2 system offers a member identification module that captures digital photos and electronic signatures and can scan a driver's license at the teller window to ensure identification.
Also available is an address-matching service that surfs the U.S. Postal Service's vast database. The XP2 platform also can authenticate between transaction and identification data and includes suspicious activity reports that credit unions can use to spot such nefarious activities as check kiting, Lowman said.
"Beyond the core reports, we support multifactor authentication for Internet banking and we've created some custom reports on our own, as well," the CUOL chief operating officer said.
"For instance we do high-dollar Internet and voice response banking activity reports. We let our credit unions set their limits and we alert them anytime they are exceeded," she said.
Consulting services also are offered for credit unions that want CUOL staff to pay a visit and analyze business processes, develop a risk assessment program and help develop customized policies.
Customized is a key word here.
"Every credit union is different. They all have their own levels of risk. It's not like you can go ahead and do everything the same at every one of them," said Elayne Charron, CUOL's vice president of core services.
Charron pointed to the responsibility credit unions will now carry for the activities of their third-party vendors as one area of customization going forward, noting that each credit union has its own, often-changing set of relationships.
For example, one of the requirements under Red Flag is that credit unions are responsible for ensuring that members are alerted to new or replacement card requests within 30 days, even if the cards are issued by third parties.
There are market solutions that will do that automatically but "they're too expensive for small credit unions. We can do that for our credit unions, by developing customized reports that record any such changes," Charron said. "Someone at the credit union still has to look at that report on a daily basis, but at least the data will be consolidated right in front of them."
While Patin at L.E.S. FCU said she feels comfortable enough now with the Red Flag situation because of the help from CUOL, she's not optimistic about the impact increased regulation overall could eventually have on the credit union industry.
Patin and the CUOL managers said they expect to see credit unions continuing to turn to their core technology providers, along with their state leagues and other industry associations, to help hard-pressed staffs keep up with the red tape of Red Flag and other compliance mandates while at the same time maintaining current service levels and adding new products.
"I really feel like at some point, compliance is either going to make or break a small credit union, by keeping it from keeping up with changing times," Patin said.