How does this program help comply with the FFIEC guidance for ID Theft Awareness and Education?
The FFIEC calls for “Customer/Member Awareness and Education” in their Supplement to Authentication in an Internet Banking Environment.
Here's how this ID Theft Education Program specifically addresses the guidance (verbiage from the FFIEC guidance on customer education is in bold italic):
A financial institution's customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:
- An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;
While this information is provided to consumers in Regulation E account disclosures, the intent of the FFIEC is to present the information in a clear and more conspicuous way to all account holders. The ID Theft Education Program includes a statement insert, email message, and Web landing page text that specifically spells out the protections offered, and not offered, on EFTs. Beavercreek Marketing suggests sending the same Reg E insert and email blast to all consumer and business accounts, as business account holders need to know that these protections are only available to consumers. You may want to consider including these inserts with all new account openings as well.
- An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer's provision of electronic banking credentials;
Most financial institutions already have a policy of not requesting electronic banking credentials such as passwords and user IDs in an unsolicited phone call or email. The statement inserts, email messages, web pages, and videos available through this program clearly state this “default” policy (“We will never ask for confidential information in an unsolicited email or phone call.”). If your policy differs, modify the materials to spell out the details of your policy.
- A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
The Beavercreek ID Theft Education program addresses this suggestion by providing a “Small Biz IT Risk Assessment” template that can be offered to your business customers/members as a service. This IT Risk Assessment is especially useful for Merchant Source Capture (Remote Deposit) users, along with high volume or high-risk ACH and wire customers/members. The financial institution should decide whether or not to make this an annual requirement for businesses - it could be included as part of your standard annual loan review documents. There is no charge for this template with a $1000 minimum purchase of ID Theft materials. Customized Small Biz IT Risk Assessments can be purchased from Beavercreek (printed or pdf).
- A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found;
Every element of the Beavercreek program offers suggestions, tips, and best practices for protecting consumer and business account holders against identity theft and other security threats. In addition, the sample web page for business customers/members has a library of resources and links that offers additional “risk control mechanisms.”
- A listing of institutional contacts for customers' discretionary use in the event they notice suspicious activity or experience customer information security-related events.
All of the ID theft education program materials, including statement inserts, emails, sample web landing pages, and the ID Theft videos, contain specific contact information to meet this guidance.
Beavercreek Marketing’s ID Theft Education Program is an ongoing program and will continue to deliver updated educational materials to meet the next generation of threats and challenges in order to protect consumers and businesses.