FDIC Federal Register Citations
[Federal Register: November 9, 2007 (Volume 72, Number 217)]
[Rules and Regulations] [Page 63717-63775]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr09no07-17]
-----------------------------------------------------------------------

Part IV

Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Part 41
-----------------------------------------------------------------------
Federal Reserve System
12 CFR Part 222
-----------------------------------------------------------------------
Federal Deposit Insurance Corporation
12 CFR Parts 334 and 364
-----------------------------------------------------------------------
Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571
-----------------------------------------------------------------------
National Credit Union Administration
12 CFR Part 717
-----------------------------------------------------------------------
Federal Trade Commission
16 CFR Part 681
-----------------------------------------------------------------------

Identity Theft Red Flags and Address Discrepancies Under the Fair and
Accurate Credit Transactions Act of 2003; Final Rule

-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket ID OCC-2007-0017]
RIN 1557-AC87

FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Docket No. R-1255]

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 334 and 364
RIN 3064-AD00

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket No. OTS-2007-0019]
RIN 1550-AC04

NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 717

FEDERAL TRADE COMMISSION
16 CFR Part 681
RIN 3084-AA94

Identity Theft Red Flags and Address Discrepancies Under the Fair
and Accurate Credit Transactions Act of 2003

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,
Treasury (OTS); National Credit Union Administration (NCUA); and
Federal Trade Commission (FTC or Commission).

ACTION: Joint final rules and guidelines.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) are
jointly issuing final rules and guidelines implementing section 114 of
the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and
final rules implementing section 315 of the FACT Act. The rules
implementing section 114 require each financial institution or creditor
to develop and implement a written Identity Theft Prevention Program
(Program) to detect, prevent, and mitigate identity theft in connection
with the opening of certain accounts or certain existing accounts. In
addition, the Agencies are issuing guidelines to assist financial
institutions and creditors in the formulation and maintenance of a
Program that satisfies the requirements of the rules. The rules
implementing section 114 also require credit and debit card issuers to
assess the validity of notifications of changes of address under
certain circumstances. Additionally, the Agencies are issuing joint
rules under section 315 that provide guidance regarding reasonable
policies and procedures that a user of consumer reports must employ
when a consumer reporting agency sends the user a notice of address
discrepancy.

DATES: The joint final rules and guidelines are effective January 1,
2008. The mandatory compliance date for this rule is November 1, 2008.

FOR FURTHER INFORMATION CONTACT:
    OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Deborah
Katz, Senior Counsel, or Andra Shuster, Special Counsel, Legislative
and Regulatory Activities Division, (202) 874-5090; Paul Utterback,
Compliance Specialist, Compliance Department, (202) 874-5461; or Aida
Plaza Carter, Director, Bank Information Technology, (202) 874-4740,
Office of the Comptroller of the Currency, 250 E Street, SW.,
Washington, DC 20219.
    Board: David A. Stein or Ky Tran-Trong, Counsels, or Amy Burke,
Attorney, Division of Consumer and Community Affairs, (202) 452-3667;
Kara L. Handzlik, Attorney, Legal Division, (202) 452-3852; or John
Gibbons, Supervisory Financial Analyst, Division of Banking Supervision
and Regulation, (202) 452-6409, Board of Governors of the Federal
Reserve System, 20th and C Streets, NW., Washington, DC 20551.
    FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898-3872, or
David P. Lafleur, Policy Analyst, (202) 898-6569, Division of
Supervision and Consumer Protection; Richard M. Schwartz, Counsel,
(202) 898-7424, or Richard B. Foley, Counsel, (202) 898-3784, Legal
Division, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
    OTS: Ekita Mitchell, Consumer Regulations Analyst, Compliance and
Consumer Protection, (202) 906-6451; Kathleen M. McNulty, Technology
Program Manager, Information Technology Risk Management, (202) 906-6322;
or Richard Bennett, Senior Compliance Counsel, Regulations and
Legislation Division, (202) 906-7409, Office of Thrift Supervision,
1700 G Street, NW., Washington, DC 20552.
    NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel,
(703) 518-6540, National Credit Union Administration, 1775 Duke Street,
Alexandria, VA 22314-3428.
    FTC: Naomi B. Lefkovitz, Attorney, or Pavneet Singh, Attorney,
Division of Privacy and Identity Protection, Bureau of Consumer
Protection, (202) 326-2252, Federal Trade Commission, 600 Pennsylvania
Avenue, NW., Washington DC 20580.

SUPPLEMENTARY INFORMATION:

I. Introduction

    The President signed the FACT Act into law on December 4, 2003.\1\
The FACT Act added several new provisions to the Fair Credit Reporting
Act of 1970 (FCRA), 15 U.S.C. 1681 et seq. Section 114 of the FACT Act,
15 U.S.C. 1681m(e), amends section 615 of the FCRA, and directs the
Agencies to issue joint regulations and guidelines regarding the
detection, prevention, and mitigation of identity theft, including
special regulations requiring debit and credit card issuers to validate
notifications of changes of address under certain circumstances.\2\
Section 315 of the FACT Act, 15 U.S.C. 1681c(h), adds a new section
605(h)(2) to the FCRA requiring the Agencies to issue joint regulations
that provide guidance regarding reasonable policies and procedures that
a user of a consumer report should employ when the user receives a
notice of address discrepancy.
---------------------------------------------------------------------------

    \1\ Pub. L. 108-159.
    \2\ Section 111 of the FACT Act defines ``identity theft'' as
``a fraud committed using the identifying information of another
person, subject to such further definition as the [Federal Trade]
Commission may prescribe, by regulation.'' 15 U.S.C. 1681a(q)(3).
---------------------------------------------------------------------------

    On July 18, 2006, the Agencies published a joint notice of proposed
rulemaking (NPRM) in the Federal Register (71 FR 40786) proposing rules
and guidelines to implement section 114 and proposing rules to
implement section 315 of the FACT Act. The public comment period closed
on September 18, 2006. The Agencies collectively received a total of
129 comments in response to the NPRM, although many commenters sent
copies of the same letter to each of the Agencies. The comments
included 63 from financial institutions, 12 from financial institution
holding companies, 23 from financial institution trade associations, 12
from individuals, nine from other trade associations, five from other
business entities, three from consumer groups,\3\ one from a member of
Congress, and one from the United
States Small Business Administration (SBA).
---------------------------------------------------------------------------

    \3\ One of these letters represented the comments of five
consumer groups.
---------------------------------------------------------------------------

II. Section 114 of the FACT Act

A. Red Flag Regulations and Guidelines

1. Background
    Section 114 of the FACT Act requires the Agencies to jointly issue
guidelines for financial institutions and creditors regarding identity
theft with respect to their account holders and customers. Section 114
also directs the Agencies to prescribe joint regulations requiring each
financial institution and creditor to establish reasonable policies and
procedures for implementing the guidelines, to identify possible risks
to account holders or customers or to the safety and soundness of the
institution or ``customer.''\4\
---------------------------------------------------------------------------

    \4\ Use of the term ``customer,'' here, appears to be a drafting
error and likely should read ``creditor.''
---------------------------------------------------------------------------

    In developing the guidelines, the Agencies must identify patterns,
practices, and specific forms of activity that indicate the possible
existence of identity theft. The guidelines must be updated as often as
necessary, and cannot be inconsistent with the policies and procedures
issued under section 326 of the USA PATRIOT Act,\5\ 31 U.S.C. 5318(l),
that require verification of the identity of persons opening new
accounts. The Agencies also must consider including reasonable
guidelines that would apply when a transaction occurs in connection
with a consumer's credit or deposit account that has been inactive for
two years. These guidelines would provide that in such circumstances, a
financial institution or creditor ``shall follow reasonable policies
and procedures'' for notifying the consumer, ``in a manner reasonably
designed to reduce the likelihood of identity theft.''
---------------------------------------------------------------------------

    \5\ Pub. L. 107-56.
---------------------------------------------------------------------------

2. Overview of Proposal and Comments Received
    The Agencies proposed to implement section 114 through regulations
requiring each financial institution and creditor to implement a
written Program to detect, prevent and mitigate identity theft in
connection with the opening of an account or any existing account. The
Agencies also proposed guidelines that identified 31 patterns,
practices, and specific forms of activity that indicate a possible risk
of identity theft. The proposed regulations required each financial
institution and creditor to incorporate into its Program relevant
indicators of a possible risk of identity theft (Red Flags), including
indicators from among those listed in the guidelines. To promote
flexibility and responsiveness to the changing nature of identity
theft, the proposed rules also stated that covered entities would need
to include in their Programs relevant Red Flags from applicable
supervisory guidance, their own experiences, and methods that the
entity had identified that reflect changes in identity theft risks.
    The Agencies invited comment on all aspects of the proposed
regulations and guidelines implementing section 114, and specifically
requested comment on whether the elements described in section 114 had
been properly allocated between the proposed regulations and the
proposed guidelines.
    Consumer groups maintained that the proposed regulations provided
too much discretion to financial institutions and creditors to decide
which accounts and Red Flags to include in their Programs and how to
respond to those Red Flags. These commenters stated that the flexible
and risk-based approach taken in the proposed rulemaking would permit
``business as usual.''
    Some small financial institutions also expressed concern about the
flexibility afforded by the proposal. These commenters stated that they
preferred to have clearer, more structured guidance describing exactly
how to develop and implement a Program and what they would need to do
to achieve compliance.
    Most commenters, however, including many financial institutions and
creditors, asserted that the proposal was overly prescriptive,
contained requirements beyond those mandated in the FACT Act, would be
costly and burdensome to implement, and would complicate the existing
efforts of financial institutions and creditors to detect and prevent
identity theft. Some industry commenters asserted that the rulemaking
was unnecessary because large businesses, such as banks and
telecommunications companies, already are motivated to prevent identity
theft and other forms of fraud in order to limit their own financial
losses. Financial institution commenters maintained that they are
already doing most of what would be required by the proposal as a
result of having to comply with the customer identification program
(CIP) regulations implementing section 326 of the USA PATRIOT Act \6\
and other existing requirements. These commenters suggested that the
regulations and guidelines take the form of broad objectives modeled on
the objectives set forth in the ``Interagency Guidelines Establishing
Information Security Standards'' (Information Security Standards).\7\ A
few financial institution commenters asserted that the primary cause of
identity theft is the lack of care on the part of the consumer. They
stated that consumers should be held responsible for protecting their
own identifying information.
---------------------------------------------------------------------------

    \6\ See, e.g., 31 CFR 103.121 (applicable to banks, thrifts and
credit unions and certain non-federally regulated banks).
    \7\ 12 CFR part 30, app. B (national banks); 12 CFR part 208,
app. D-2 and part 225, app. F (state member banks and holding
companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR
part 570, app. B (savings associations); 12 CFR part 748, App. A
(credit unions).
---------------------------------------------------------------------------

    The Agencies have modified the proposed rules and guidelines in
light of the comments received. An overview of the final rules,
guidelines, and supplement, a discussion of the comments, and the
specific manner in which the proposed rules and guidelines have been
modified, follows.
3. Overview of Final Rules and Guidelines
    The Agencies are issuing final rules and guidelines that provide
both flexibility and more guidance to financial institutions and
creditors. The final rules also require the Program to address accounts
where identity theft is most likely to occur. The final rules describe
which financial institutions and creditors are required to have a
Program, the objectives of the Program, the elements that the Program
must contain, and how the Program must be administered.
    Under the final rules, only those financial institutions and
creditors that offer or maintain ``covered accounts'' must develop and
implement a written Program. A covered account is (1) an account
primarily for personal, family, or household purposes, that involves or
is designed to permit multiple payments or transactions, or (2) any
other account for which there is a reasonably foreseeable risk to
customers or the safety and soundness of the financial institution or
creditor from identity theft. Each financial institution and creditor
must periodically determine whether it offers or maintains a ``covered
account.''
    The final regulations provide that the Program must be designed to
detect, prevent, and mitigate identity theft in connection with the
opening of a covered account or any existing covered account. In
addition, the Program must be tailored to the entity's size, complexity
and nature of its operations.
    The final regulations list the four basic elements that must be
included in the Program of a financial institution or creditor. The
Program must contain ``reasonable policies and procedures'' to:
    - Identify relevant Red Flags for covered accounts and
incorporate those Red Flags into the Program;
    - Detect Red Flags that have been incorporated into the
Program;
    - Respond appropriately to any Red Flags that are detected
to prevent and mitigate identity theft; and
    - Ensure the Program is updated periodically, to reflect
changes in risks to customers or to the safety and soundness of the
financial institution or creditor from identity theft.
    The regulations also enumerate certain steps that financial
institutions and creditors must take to administer the Program. These
steps include obtaining approval of the initial written Program by the
board of directors or a committee of the board, ensuring oversight of
the development, implementation and administration of the Program,
training staff, and overseeing service provider arrangements.
    In order to provide financial institutions and creditors with more
flexibility in developing a Program, the Agencies have moved certain
detail formerly contained in the proposed regulations to the guidelines
located in Appendix J. This detailed guidance should assist financial
institutions and creditors in the formulation and maintenance of a
Program that satisfies the requirements of the regulations to detect,
prevent, and mitigate identity theft. Each financial institution or
creditor that is required to implement a Program must consider the
guidelines and include in its Program those guidelines that are
appropriate. The guidelines provide policies and procedures for use by
institutions and creditors, where appropriate, to satisfy the
requirements of the final rules, including the four elements listed
above. While an institution or creditor may determine that particular
guidelines are not appropriate to incorporate into its Program, the
Program must nonetheless contain reasonable policies and procedures to
meet the specific requirements of the final rules. The illustrative
examples of Red Flags formerly in Appendix J are now listed in a
supplement to the guidelines.
4. Section-by-Section Analysis \8\
---------------------------------------------------------------------------

    \8\ The OCC, Board, FDIC, OTS and NCUA are placing the
regulations and guidelines implementing section 114 in the part of
their regulations that implement the FCRA--12 CFR parts 41, 222,
334, 571, and 717, respectively. In addition, the FDIC cross-
references the regulations and guidelines in 12 CFR part 364. For
ease of reference, the discussion in this preamble uses the shared
numerical suffix of each of these agency's regulations. The FTC also
is placing the final regulations and guidelines in the part of its
regulations implementing the FCRA, specifically 16 CFR part 681.
However, the FTC uses different numerical suffixes that equate to
the numerical suffixes discussed in the preamble as follows:
preamble suffix .82 = FTC suffix .1, preamble suffix .90 = FTC
suffix .2, and preamble suffix .91 = FTC suffix .3. In addition,
Appendix J referenced in the preamble is the FTC's Appendix A.
---------------------------------------------------------------------------

Section --.90(a) Purpose and Scope

    Proposed Sec. --.90(a) described the statutory authority for the
proposed regulations, namely, section 114 of the FACT Act. It also
defined the scope of this section; each of the Agencies proposed
tailoring this paragraph to describe those entities to which this
section would apply. The Agencies received no comments on this section,
and it is adopted as proposed.

Section --.90(b) Definitions

    Proposed Sec. --.90(b) contained definitions of various terms that
applied to the proposed rules and guidelines. While Sec. --.90(b) of
the final rules continues to describe the definitions applicable to the
final rules and guidelines, changes have been made to address the
comments, as follows.
    Section --.90(b)(1) Account. The Agencies proposed using the term
``account'' to describe the relationships covered by section 114 that
an account holder or customer may have with a financial institution or
creditor.\9\ The proposed definition of ``account'' was ``a continuing
relationship established to provide a financial product or service that
a financial holding company could offer by engaging in an activity that
is financial in nature or incidental to such a financial activity under
section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).'' The
definition also gave examples of types of ``accounts.''
---------------------------------------------------------------------------

    \9\ The Agencies acknowledged that section 114 does not use the
term ``account'' and, in other contexts, the FCRA defines the term
``account'' narrowly to describe certain consumer deposit or asset
accounts. See 15 U.S.C. 1681a(r)(4).
---------------------------------------------------------------------------

    Some commenters stated that the regulations do not need a
definition of ``account'' to give effect to their terms. Some
commenters maintained that a new definition for ``account'' would be
confusing as this term is already defined inconsistently in several
regulations and in section 615(e) of the FCRA. These commenters
recommended that the Agencies use the term ``continuing relationship''
instead, and define this phrase in a manner consistent with the
Agencies' privacy rules \10\ implementing Title V of the Gramm-Leach-
Bliley Act (GLBA), 15 U.S.C. 6801.\11\ These commenters urged that the
definition of ``account'' not be expanded to include relationships that
are not ``continuing.'' They stated that it would be very burdensome to
gather and maintain information on non-customers for one-time
transactions. Other commenters suggested defining the term ``account''
in a manner consistent with the CIP rules.
---------------------------------------------------------------------------

    \10\ See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 CFR 332 (FDIC);
12 CFR 573 (OTS); 12 CFR 716 (NCUA); and 16 CFR 313 (FTC).
    \11\ Pub. L. 106-102.
---------------------------------------------------------------------------

    Many commenters stated that defining ``account'' to cover both
consumer and business accounts was too broad, exceeded the scope of the
FACT Act, and would make the regulation too burdensome. These
commenters recommended limiting the scope of the regulations and
guidelines to cover only consumer financial services, specifically
accounts established for personal, family and household purposes,
because these types of accounts typically are targets of identity
theft. They asserted that identity theft has not historically been
common in connection with business or commercial accounts.
    Consumer groups maintained that the proposed definition of
``account'' was too narrow. They explained that because the proposed
definition was tied to financial products and services that can be
offered under the Bank Holding Company Act, it inappropriately excluded
certain transactions involving creditors that are not financial
institutions that should be covered by the regulations. Some of these
commenters recommended that the definition of ``account'' include any
relationship with a financial institution or creditor in which funds
could be intercepted or credit could be extended, as well as any other
transaction which could obligate an individual or other covered entity,
including transactions that do not result in a continuing relationship.
Others suggested that there should be no flexibility to exclude any
account that is held by an individual or which generates information
about individuals that reflects on their financial or credit
reputations.
    The Agencies have modified the definition of ``account'' to address
these comments. First, the final rules now apply to ``covered
accounts,'' a term that the Agencies have added to the definition
section to eliminate confusion between these rules and other rules that
apply to an
``account.'' The Agencies have retained a definition of ``account''
simply to clarify and provide context for the definition of ``covered
account.''
    Section 114 provides broad discretion to the Agencies to prescribe
regulations and guidelines to address identity theft. The terminology
in section 114 is not confined to ``consumer'' accounts. While identity
theft primarily has been directed at consumers, the Agencies are aware
that small businesses also have been targets of identity theft. Over
time, identity theft could expand to affect other types of accounts.
Thus, the definition of ``account'' in Sec. --.90(b)(1) of the final
rules continues to cover any relationship to obtain a product or
service that an account holder or customer may have with a financial
institution or creditor.\12\ Through examples, the definition makes
clear that the purchase of property or services involving a deferred
payment is considered to be an account.
---------------------------------------------------------------------------

    \12\ Accordingly, the definition of ``account'' still applies to
fiduciary, agency, custodial, brokerage and investment advisory
activities.
---------------------------------------------------------------------------

    Although the definition of ``account'' includes business accounts,
the risk-based nature of the final rules allows each financial
institution or creditor flexibility to determine which business
accounts will be covered by its Program through a risk evaluation
process.
    The Agencies also recognize that a person may establish a
relationship with a creditor, such as an automobile dealer or a
telecommunications provider, primarily to obtain a product or service
that is not financial in nature. To make clear that an ``account''
includes relationships with creditors that are not financial
institutions, the definition is no longer tied to the provision of
``financial'' products and services. Accordingly, the Agencies have
deleted the reference to the Bank Holding Company Act.
    The definition of ``account'' still includes the words ``continuing
relationship.'' The Agencies have determined that, at this time, the
burden that would be imposed upon financial institutions and creditors
by a requirement to detect, prevent and mitigate identity theft in
connection with single, non-continuing transactions by non-customers
would outweigh the benefits of such a requirement. The Agencies
recognize, however, that identity theft may occur at the time of
account opening. Therefore, as detailed below, the obligations of the
final rule apply not only to existing accounts, where a relationship
already has been established, but also to account openings, when a
relationship has not yet been established.
    Section --.90(b)(2) Board of Directors. The proposed regulations
discussed the role of the board of directors of a financial institution
or creditor. For financial institutions and creditors covered by the
regulations that do not have boards of directors, the proposed
regulations defined ``board of directors'' to include, in the case of a
branch or agency of a foreign bank, the managing official in charge of
the branch or agency. For other creditors that do not have boards of
directors, the proposed regulations defined ``board of directors'' as a
designated employee.
    Consumer groups objected to the proposed definition as it applied
to creditors that do not have boards of directors. These commenters
recommended that for these entities, ``board of directors'' should be
defined as a designated employee at the level of senior management.
They asserted that otherwise, institutions that do not have a board of
directors would be given an unfair advantage for purposes of the
substantive provisions of the rules, because they would be permitted to
assign any employee to fulfill the role of the ``board of directors.''
    The Agencies agree this important role should be performed by an
employee at the level of senior management, rather than any designated
employee. Accordingly, the definition of ``board of directors'' has
been revised in Sec. --.90(b)(2) of the final rules so that, in the
case of a creditor that does not have a board of directors, the term
``board of directors'' means ``a designated employee at the level of
senior management.''
    Section --.90(b)(3) Covered Account. As mentioned previously, the
Agencies have added a new definition of ``covered account'' in Sec. 
--.90(b)(3) to describe the type of ``account'' covered by the final
rules. The proposed rules would have provided a financial institution
or creditor with broad flexibility to apply its Program to those
accounts that it determined were vulnerable to the risk of identity
theft, and did not mandate coverage of any particular type of account.
    Consumer group commenters urged the Agencies to limit the
discretion afforded to financial institutions and creditors by
requiring them to cover consumer accounts in their Programs. While
seeking to preserve their discretion, many industry commenters
requested that the Agencies limit the final rules to consumer accounts,
where identity theft is most likely to occur.
    The Agencies recognize that consumer accounts are presently the
most common target of identity theft and acknowledge that Congress
expected the final regulation to address risks of identity theft to
consumers.\13\ For this reason, the final rules require each Program to
cover accounts established primarily for personal, family or household
purposes, that involve or are designed to permit multiple payments or
transactions, i.e., consumer accounts. As discussed above in connection
with the definition of ``account,'' the final rules also require the
Programs of financial institutions and creditors to cover any other
type of account that the institution or creditor offers or maintains
for which there is a reasonably foreseeable risk from identity theft.
---------------------------------------------------------------------------

    \13\ See S. Rep. No. 108-166 at 13 (Oct. 17, 2003) (accompanying
S. 1753).
---------------------------------------------------------------------------

    Accordingly, the definition of ``covered account'' is divided into
two parts. The first part refers to ``an account that a financial
institution or creditor offers or maintains, primarily for personal,
family, or household purposes, that involves or is designed to permit
multiple payments or transactions.'' The definition provides examples
to illustrate that these types of consumer accounts include, ``a credit
card account, mortgage loan, automobile loan, margin account, cell
phone account, utility account, checking account, or savings
account.''\14\
---------------------------------------------------------------------------

    \14\ These examples reflect the fact that the rules are
applicable to a variety of financial institutions and creditors.
They are not intended to confer any additional powers on covered
entities. Nonetheless, some of the Agencies have chosen to limit the
examples in their rule texts to those products covered entities
subject to their jurisdiction are legally permitted to offer.
---------------------------------------------------------------------------

    The second part of the definition refers to ``any other account
that the financial institution or creditor offers or maintains for
which there is a reasonably foreseeable risk to customers or to the
safety and soundness of the financial institution or creditor from
identity theft, including financial, operational, compliance,
reputation, or litigation risks.'' This part of the definition reflects
the Agencies' belief that other types of accounts, such as small
business accounts or sole proprietorship accounts, may be vulnerable to
identity theft, and, therefore, should be considered for coverage by
the Program of a financial institution or creditor.
    In response to the proposed definition of ``account,'' a trade
association representing credit unions suggested that the term
``customer'' in the definition be revised to refer to

[[Page 63722]]

``member'' to better reflect the ownership structure of some financial
institutions or to ``consumer'' to include all individuals doing
business at all types of financial institutions. The definition of
``account'' in the final rules no longer makes reference to the term
``customer''; however, the definition of ``covered account'' continues
to employ this term, to be consistent with section 114 of the FACT Act,
which uses the term ``customer.'' Of course, in the case of credit
unions, the final rules and guidelines will apply to the accounts of
members that are maintained primarily for personal, family, or
household purposes, and those that are otherwise subject to a
reasonably foreseeable risk of identity theft.
    Sections --.90(b)(4) and (b)(5) Credit and Creditor. The proposed
rules defined these terms by cross-reference to the relevant sections
of the FCRA. There were no comments on the definition of ``credit'' and
Sec.  --.90(b)(4) of the final rules adopts the definition as proposed.
    Some commenters asked the Agencies to clarify that the term
``creditor'' does not cover third-party debt collectors who regularly
arrange for the extension, renewal, or continuation of credit.
    Section 114 applies to financial institutions and creditors. Under
the FCRA, the term ``creditor'' has the same meaning as in section 702
of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.\15\ ECOA
defines ``creditor'' to include a person who arranges for the
extension, renewal, or continuation of credit, which in some cases
could include third-party debt collectors. 15 U.S.C. 1691a(e).
Therefore, the Agencies are not excluding third-party debt collectors
from the scope of the final rules, and Sec.  --.90(b)(5) of the final
rules adopts the definition of ``creditor'' as proposed.
---------------------------------------------------------------------------

    \15\ See 15 U.S.C. 1681a(r)(5).
---------------------------------------------------------------------------

    Section --.90(b)(6) Customer. Section 114 of the FACT Act refers to
``account holders'' and ``customers'' of financial institutions and
creditors without defining either of these terms. For ease of
reference, the Agencies proposed to use the term ``customer'' to
encompass both ``customers'' and ``account holders.'' ``Customer'' was
defined as a person that has an account with a financial institution or
creditor. The proposed definition of ``customer'' applied to any
``person,'' defined by the FCRA as any individual, partnership,
corporation, trust, estate, cooperative, association, government or
governmental subdivision or agency, or other entity.\16\ The proposal
explained that the Agencies chose this broad definition because, in
addition to individuals, various types of entities (e.g., small
businesses) can be victims of identity theft. Under the proposed
definition, however, a financial institution or creditor would have had
the discretion to determine which type of customer accounts would be
covered under its Program, since the proposed regulations were risk-
based.\17\
---------------------------------------------------------------------------

    \16\ See 15 U.S.C. 1681a(b).
    \17\ Proposed Sec.  --.90(d)(1) required this determination to
be substantiated by a risk evaluation that takes into consideration
which customer accounts of the financial institution or creditor are
subject to a risk of identity theft.
---------------------------------------------------------------------------

    As noted above, most industry commenters maintained that including
all persons, not just consumers, within the definition of ``customer''
would impose a substantial financial burden on financial institutions
and creditors, and make compliance with the regulations more
burdensome. These commenters stated that business identity theft is
rare, and maintained that financial institutions and creditors should
be allowed to direct their fraud prevention resources to the areas of
highest risk. They also noted that businesses are more sophisticated
than consumers, and are in a better position to protect themselves
against fraud than consumers, both in terms of prevention and in
enforcing their legal rights.
    Some financial institution commenters were concerned that the broad
definition of ``customer'' would create opportunities for commercial
customers to shift responsibility from themselves to the financial
institution for not discovering Red Flags and alerting business
customers about embezzlement or other fraudulent transactions by the
commercial customer's own employees. These commenters suggested
narrowing the definition to cover natural persons and to exclude
business customers. Some of these commenters suggested that the
definition of ``customer'' should be consistent with the definition of
this term in the Information Security Standards and the Agencies'
privacy rules.
    Consumer groups commented that the proposed definition of
``customer'' was too narrow. They recommended that the definition be
amended, so that the regulations would not only protect persons who are
already customers of a financial institution or creditor, but also
persons whose identities are used by an imposter to open an account.
    Section --.90(b)(6) of the final rule defines ``customer'' to mean
a person that has a ``covered account'' with a financial institution or
creditor. Under the definition of ``covered account,'' an individual
who has a consumer account will always be a ``customer.'' A
``customer'' may also be a person that has another type of account for
which a financial institution or creditor determines there is a
reasonably foreseeable risk to its customers or to its own safety and
soundness from identity theft.
    The Agencies note that the Information Security Standards and the
privacy rules implemented various sections of Title V of the GLBA, 15
U.S.C. 6801, which specifically apply only to customers who are
consumers. By contrast, section 114 does not define the term
``customer.'' Because the Agencies continue to believe that a business
customer can be a target of identity theft, the final rules contain a
risk-based process designed to ensure that these types of customers
will be covered by the Program of a financial institution or creditor,
when the risk of identity theft is reasonably foreseeable.
    The definition of ``customer'' in the final rules continues to
cover only customers that already have accounts. The Agencies note,
however, that the substantive provisions of the final rules, described
later, require the Program of a financial institution or creditor to
detect, prevent, and mitigate identity theft in connection with the
opening of a covered account as well as any existing covered account.
The final rules address persons whose identities are used by an
imposter to open an account in these substantive provisions, rather
than through the definition of ``customer.''
    Section --.90(b)(7) Financial Institution. The Agencies received no
comments on the proposed definition of ``financial institution.'' It is
adopted in Sec.  --.90(b)(7), as proposed, with a cross-reference to
the relevant definition in the FCRA.
    Section --.90(b)(8) Identity Theft. The proposal defined ``identity
theft'' by cross-referencing the FTC's rule that defines ``identity
theft'' for purposes of the FCRA.\18\
---------------------------------------------------------------------------

    \18\ 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)).
Section 111 of the FACT Act added several new definitions to the
FCRA, including ``identity theft,'' and authorized the FTC to
further define this term. See 15 U.S.C. 1681a.
---------------------------------------------------------------------------

    Most industry commenters objected to the breadth of the proposed
definition of ``identity theft.'' They recommended that the definition
include only actual fraud committed using identifying information of a
consumer, and exclude attempted fraud, identity theft committed against
businesses, and any identity fraud involving the creation of a
fictitious identity using fictitious data combined with real
information from

[[Page 63723]]

multiple individuals. By contrast, consumer groups supported a broad
interpretation of ``identity theft,'' including the incorporation of
``attempted fraud'' in the definition.
    Section --.90(b)(8) of the final rules adopts the definition of
``identity theft'' as proposed. The Agencies believe that it is
important to ensure that all provisions of the FACT Act that address
identity theft are interpreted in a consistent manner. Therefore, the
final rule continues to define identity theft with reference to the
FTC's regulation, which as currently drafted provides that the term
``identity theft'' means ``a fraud committed or attempted using the
identifying information of another person without authority.'' \19\ The
FTC defines the term ``identifying information'' to mean ``any name or
number that may be used, alone or in conjunction with any other
information, to identify a specific person, including any--
---------------------------------------------------------------------------

    \19\ See 16 CFR 603.2(a).
---------------------------------------------------------------------------

    (1) Name, social security number, date of birth, official State or
government issued driver's license or identification number, alien
registration number, government passport number, employer or taxpayer
identification number;
    (2) Unique biometric data, such as fingerprint, voice print, retina
or iris image, or other unique physical representation;
    (3) Unique electronic identification number, address, or routing
code; or
    (4) Telecommunication identifying information or access device (as
defined in 18 U.S.C. 1029(e)).
    Thus, under the FTC's regulation, the creation of a fictitious
identity using any single piece of information belonging to a real
person falls within the definition of ``identity theft'' because such a
fraud involves ``using the identifying information of another person
without authority.'' \20\
---------------------------------------------------------------------------

    \20\ See 16 CFR 603.2(b).
---------------------------------------------------------------------------

    Section --.90(b)(9) Red Flag. The proposed regulations defined
``Red Flag'' as a pattern, practice, or specific activity that
indicates the possible risk of identity theft. The preamble to the
proposed rules explained that indicators of a ``possible risk'' of
identity theft would include precursors to identity theft such as
phishing,\21\ and security breaches involving the theft of personal
information, which often are a means to acquire the information of
another person for use in committing identity theft. The preamble
explained that the Agencies included such precursors to identity theft
as ``Red Flags'' to better position financial institutions and
creditors to stop identity theft at its inception.
---------------------------------------------------------------------------

    \21\ Electronic messages to customers of financial institutions
and creditors directing them to provide personal information in
response to a fraudulent e-mail.
---------------------------------------------------------------------------

    Most industry commenters objected to the broad scope of the
definition of ``Red Flag,'' particularly the phrase ``possible risk of
identity theft.'' These commenters believed that this definition would
require financial institutions and creditors to identify all risks and
develop procedures to prevent or mitigate them, without regard to the
significance of the risk. They asserted that the statute does not
support the use of ``possible risk'' and suggested defining a ``Red
Flag'' as an indicator of significant, substantial, or the probable
risk of identity theft. These commenters stated that this would allow a
financial institution or creditor to focus compliance in areas where it
is most needed.
    Most industry commenters also stated that the inclusion of
precursors to identity theft in the definition of ``Red Flag'' would
make the regulations even broader and more burdensome. They stated that
financial institutions and creditors do not have the ability to detect
and respond to precursors, such as phishing, in the same manner as
other Red Flags that are more indicative of actual ongoing identity
theft.
    By contrast, consumer groups supported the inclusion of the phrase
``possible risk of identity theft'' and the reference to precursors in
the proposed definition of ``Red Flag.'' These commenters stated that
placing emphasis on detecting precursors to identity theft, instead of
waiting for proven cases, is the right approach.
    The Agencies have concluded that the phrase ``possible risk'' in
the proposed definition of ``Red Flag'' is confusing and could unduly
burden entities with limited resources. Therefore, the final rules
define ``Red Flag'' in Sec.  --.90(b)(9) using language derived
directly from section 114, namely, ``a pattern, practice, or specific
activity that indicates the possible existence of identity theft.''
\22\
---------------------------------------------------------------------------

    \22\ 15 U.S.C. 1681m(c)(2)(A).
---------------------------------------------------------------------------

    The Agencies continue to believe, however, that financial
institutions and creditors should consider precursors to identity theft
in order to stop identity theft before it occurs. Therefore, as
described below, the Agencies have chosen to address precursors
directly, through a substantive provision in section IV of the
guidelines titled ``Prevention and Mitigation,'' rather than through
the definition of ``Red Flag.'' This provision states that a financial
institution or creditor should consider aggravating factors that may
heighten the risk of identity theft in determining an appropriate
response to the Red Flags it detects.
    Section --.90(b)(10) Service Provider. The proposed regulations
defined ``service provider'' as a person that provides a service
directly to the financial institution or creditor. This definition was
based upon the definition of ``service provider'' in the Information
Security Standards.\23\
---------------------------------------------------------------------------

    \23\ The Information Security Standards define ``service
provider'' to mean any person or entity that maintains, processes,
or otherwise is permitted access to customer information or consumer
information through the provision of services directly to the
financial institution. 12 CFR part 30, app. B (national banks); 12
CFR part 208, app. D-2 and part 225, app. F (state member banks and
holding companies); 12 CFR part 364, app. B (state non-member
banks); 12 CFR part 570, app. B (savings associations); 12 CFR part
748, App. A (credit unions).
---------------------------------------------------------------------------

    One commenter agreed with this definition. However, two other
commenters stated that the definition was too broad. They suggested
narrowing the definition of ``service provider'' to persons or entities
that have access to customer information.
    Section --.90(b)(10) of the final rules adopts the definition as
proposed. The Agencies have concluded that defining ``service
provider'' to include only persons that have access to customer
information would inappropriately narrow the coverage of the final
rules. The Agencies have interpreted section 114 broadly to require
each financial institution and creditor to detect, prevent, and
mitigate identity theft not only in connection with any existing
covered account, but also in connection with the opening of an account.
A financial institution or creditor is ultimately responsible for
complying with the final rules and guidelines even if it outsources an
activity to a third-party service provider. Thus, a financial
institution or creditor that uses a service provider to open accounts
will need to provide for the detection, prevention, and mitigation of
identity theft in connection with this activity, even when the service
provider has access to the information of a person who is not yet, and
may not become, a ``customer.''

Section --.90(c) Periodic Identification of Covered Accounts

    To simplify compliance with the final rules, the Agencies added a
new provision in Sec.  --.90(c) that requires each financial
institution and creditor to periodically determine whether it offers or
maintains any covered accounts. As a part of this determination, a
financial institution or creditor must conduct a risk assessment to
determine whether it

[[Page 63724]]

offers or maintains covered accounts described in Sec.  --.90(b)(3)(ii)
(accounts other than consumer accounts), taking into consideration:
    • The methods it provides to open its accounts;
    • The methods it provides to access its accounts; and
    • Its previous experiences with identity theft.
    Thus, a financial institution or creditor should consider whether,
for example, a reasonably foreseeable risk of identity theft may exist
in connection with business accounts it offers or maintains that may be
opened or accessed remotely, through methods that do not require face-
to-face contact, such as through the internet or telephone. In
addition, those institutions and creditors that offer or maintain
business accounts that have been the target of identity theft should
factor those experiences with identity theft into their determination.
    This provision is modeled on various process-oriented and risk-
based regulations issued by the Agencies, such as the Information
Security Standards. Compliance with this type of regulation is based
upon a regulated entity's own preliminary risk assessment. The risk
assessment required here directs a financial institution or creditor to
determine, as a threshold matter, whether it will need to have a
Program.\24\ If a financial institution or creditor determines that it
does need a Program, then this risk assessment will enable the
financial institution or creditor to identify those accounts the
Program must address. This provision also requires a financial
institution or creditor that initially determines that it does not need
to have a Program to reassess periodically whether it must develop and
implement a Program in light of changes in the accounts that it offers
or maintains and the various other factors set forth in the provision.
---------------------------------------------------------------------------

    \24\ The Agencies anticipate that some financial institutions
and creditors, such as various creditors regulated by the FTC that
solely engage in business-to-business transactions, will be able to
determine that they do not need to develop and implement a Program.
---------------------------------------------------------------------------

Section --.90(d)(1) Identity Theft Prevention Program Requirement

    Proposed Sec.  --.90(c) described the primary objectives of a
Program. It stated that each financial institution or creditor must
implement a written Program that includes reasonable policies and
procedures to address the risk of identity theft to its customers and
to the safety and soundness of the financial institution or creditor,
in the manner described in proposed Sec.  --.90(d), which described the
development and implementation of a Program. It also stated that the
Program must address financial, operational, compliance, reputation,
and litigation risks and be appropriate to the size and complexity of
the financial institution or creditor and the nature and scope of its
activities.
    Some commenters believed that the proposed regulations exceeded the
scope of section 114 by covering deposit accounts and by requiring a
response to the risk of identity theft, not just the identification of
the risk of identity theft. One commenter expressed concern about the
application of the Program to existing accounts.
    The SBA commented that requiring all small businesses covered by
the regulations to create a written Program would be overly burdensome.
Several financial institution commenters objected to what they
perceived as a proposed requirement that financial institutions and
creditors have a written Program solely to address identity theft. They
recommended that the final regulations allow a covered entity to simply
maintain or expand its existing fraud prevention and information
security programs as long as they included the detection, prevention,
and mitigation of identity theft. Some of these commenters stated that
requiring a written program would merely focus examiner attention on
documentation and cause financial institutions to produce needless
paperwork.
    While commenters generally agreed that the Program should be
appropriate to the size and complexity of the financial institution or
creditor, and the nature and scope of its activities, many industry
commenters objected to the prescriptive nature of this section. They
urged the Agencies to provide greater flexibility to financial
institutions and creditors by allowing them to implement their own
procedures as opposed to those provided in the proposed regulations.
Several other commenters suggested permitting financial institutions
and creditors to take into account the cost and effectiveness of
policies and procedures and the institution's history of fraud when
designing its Program.
    Several financial institution commenters maintained that the
Program required by the proposed rules was not sufficiently flexible.
They maintained that a true risk-based approach would permit
institutions to prioritize the importance of various controls, address
the most important risks first, and accept the good faith judgments of
institutions in differentiating among their options for conducting
safe, sound, and compliant operations. Some of these commenters urged
the Agencies to revise the final rules and guidelines and adopt an
approach similar to the Information Security Standards which they
characterized as providing institutions with an outline of issues to
consider without requiring specific approaches.
    Although a few commenters believed that the proposed requirement to
update the Program was burdensome and should be eliminated, most
commenters agreed that the Program should be designed to address
changing risks over time. A number of these commenters, however,
objected to the requirement that the Program must be designed to
address changing identity theft risks ``as they arise,'' as too
burdensome a standard. Instead, they recommended that the final
regulations require a financial institution or creditor to reassess
periodically whether to adjust the types of accounts covered or Red
Flags to be detected based upon any changes in the types and methods of
identity theft that an institution or creditor has experienced.
    Section --.90(d) of the final rules requires each financial
institution or creditor that offers or maintains one or more covered
accounts to develop and implement a written Program that is designed to
detect, prevent, and mitigate identity theft in connection with the
opening of a covered account or any existing covered account. To signal
that the final rules are flexible, and allow smaller financial
institutions and creditors to tailor their Programs to their
operations, the final rules state that the Program must be appropriate
to the size and complexity of the financial institution or creditor and
the nature and scope of its activities.
    The guidelines are appended to the final rules to assist financial
institutions and creditors in the formulation and maintenance of a
Program that satisfies the requirements of the regulation. Section I of
the guidelines, titled ``The Program,'' makes clear that a covered
entity may incorporate into its Program, as appropriate, its existing
processes that control reasonably foreseeable risks to customers or to
the safety and soundness of the financial institution or creditor from
identity theft, such as those already developed in connection with the
entity's fraud prevention program. This will avoid duplication and
allow covered entities to benefit from existing policies and
procedures.
    The Agencies do not agree with those commenters who asserted that
the scope of the proposed regulations (and hence the final rules that
adopt the identical approach with respect to these issues)

[[Page 63725]]

exceed the Agencies' statutory mandate. First, section 114 clearly
permits the Agencies to issue regulations and guidelines that address
more than the mere identification of the risk of identity theft.
Section 114 contains a broad mandate directing the Agencies to issue
guidelines ``regarding identity theft'' and to prescribe regulations
requiring covered entities to establish reasonable policies and
procedures for implementing the guidelines. Second, two provisions in
section 114 indicate that Congress expected the Agencies to issue final
regulations and guidelines requiring financial institutions and
creditors to detect, prevent, and mitigate identity theft.
    The first relevant provision is codified in section 615(e)(1)(C) of
the FCRA, where Congress addressed a particular scenario involving card
issuers. In that provision, Congress directed the Agencies to prescribe
regulations requiring a card issuer to take specific steps to assess
the validity of a change of address request when it receives such a
request and, within a short period of time, also receives a request for
an additional or replacement card. The regulations must prohibit a card
issuer from issuing an additional or replacement card under such
circumstances, unless it notifies the cardholder or ``uses other means
of assessing the validity of the change of address in accordance with
reasonable policies and procedures established by the card issuer in
accordance with the regulations prescribed [by the Agencies] * * *.''
This provision makes clear that Congress contemplated that the
Agencies' regulations would require a financial institution or creditor
to have policies and procedures not only to identify Red Flags, but
also, to prevent and mitigate identity theft.
    The second relevant provision is codified in section 615(e)(2)(B)
of the FCRA, and directs the Agencies to consider addressing in the
identity theft guidelines transactions that occur with respect to
credit or deposit accounts that have been inactive for more than two
years. The Agencies must consider whether a creditor or financial
institution detecting such activity should ``follow reasonable policies
that provide for notice to be given to the consumer in a manner
reasonably designed to reduce the likelihood of identity theft with
respect to such account.'' This provision signals that the Agencies are
authorized to prescribe regulations and guidelines that comprehensively
address identity theft--in a manner that goes beyond the mere
identification of possible risks.
    The Agencies' interpretation of section 114 is also supported by
the legislative history that indicates Congress expected the Agencies
to issue regulations and guidelines for the purposes of ``identifying
and preventing identity theft.'' \25\
---------------------------------------------------------------------------

    \25\ See S. Rep. No. 108-166 at 13 (Oct. 17, 2003) (accompanying
S. 1753).
---------------------------------------------------------------------------

    Finally, the Agencies' interpretation of section 114 is broad,
based on a public policy perspective that regulations and guidelines
addressing the identification of the risk of identity theft, without
addressing the prevention and mitigation of identity theft, would not
be particularly meaningful or effective.
    The Agencies also have concluded that the scope of section 114 does
not only apply to credit transactions, but also applies, for example,
to deposit accounts. Section 114 refers to the risk of identity theft,
generally, and not strictly in connection with credit. Because identity
theft can and does occur in connection with various types of accounts,
including deposit accounts, the final rules address identity theft in a
comprehensive manner.
    Furthermore, nothing in section 114 indicates that the regulations
must only apply to identity theft in connection with account openings.
The FTC has defined ``identity theft'' as ``a fraud committed or
attempted using the identifying information of another person without
authority.'' \26\ Such fraud may occur in connection with account
openings and with existing accounts. Section 615(e)(3) states that the
guidelines that the Agencies prescribe ``shall not be inconsistent''
with the policies and procedures required under 31 U.S.C. 5318(l), a
reference to the CIP rules which require certain financial institutions
to verify the identity of customers opening new accounts. However, the
Agencies do not read this phrase to prevent them from prescribing rules
directed at existing accounts. To interpret the provision in this
manner would solely authorize the Agencies to prescribe regulations and
guidelines identical to and duplicative of those already issued--making
the Agencies' regulatory authority in this area superfluous and
meaningless.\27\
---------------------------------------------------------------------------

    \26\ 16 CFR 603.2(a).
    \27\ The Agencies' conclusion is also supported by case law
interpreting similar terminology, albeit in a different context,
finding that ``inconsistent'' means it is impossible to comply with
two laws simultaneously, or one law frustrates the purposes and
objectives of another. See, e.g., Davenport v. Farmers Ins. Group,
378 F.3d 839 (8th Cir. 2004); Retail Credit Co. v. Dade County,
Florida, 393 F. Supp. 577 (S.D. Fla. 1975); Alexiou v. Brad Benson
Mitsubishi, 127 F. Supp.2d 557 (D.N.J. 2000).
---------------------------------------------------------------------------

    The Agencies recognize that requiring a written Program will impose
some burden. However, the Agencies believe the benefit of being able to
assess a covered entity's compliance with the final rules by evaluating
the adequacy and implementation of its written Program outweighs the
burdens imposed by this requirement.
    Moreover, although the final rules continue to require a written
Program, as detailed below, the Agencies have substantially revised the
proposal to focus the final rules and guidelines on reasonably
foreseeable risks, make the final rules less prescriptive, and provide
financial institutions and creditors with more discretion to develop
policies and procedures to detect, prevent, and mitigate identity
theft.
    Proposed Sec.  --.90(c) also provided that the Program must address
changing identity theft risks as they arise based upon the experience
of the financial institution or creditor with identity theft and
changes in: Methods of identity theft; methods to detect, prevent, and
mitigate identity theft; the types of accounts the financial
institution or creditor offers; and its business arrangements, such as
mergers and acquisitions, alliances and joint ventures, and service
provider arrangements.
    The Agencies continue to believe that, to ensure a Program's
continuing effectiveness, it must be updated, at least periodically.
However, in order to simplify the final rules, the Agencies moved this
requirement into the next section, where it is one of the required
elements of the Program, as discussed below.
Development and Implementation of Identity Theft Prevention Program
    The remaining provisions of the proposed rules were set forth under
the above-referenced section heading. Many commenters asserted that the
Agencies should simply articulate certain objectives and provide
financial institutions and creditors the flexibility and discretion to
design policies and procedures to fulfill the objectives of the Program
without the level of detail required under this section.
    As described earlier, to ensure that financial institutions and
creditors are able to design Programs that effectively address identity
theft in a manner tailored to their own operations, the Agencies have
made significant changes in the proposal by deleting whole provisions
or moving them into the guidelines in Appendix J. More specifically,
the Agencies abbreviated the proposed requirements formerly located in
the provisions titled

[[Page 63726]]

``Identification and Evaluation of Red Flags'' and ``Identity Theft
Prevention and Mitigation'' and have placed them under a section of the
final rules titled ``Elements of a Program.'' The proposed requirements
on ``Staff Training,'' ``Oversight of Service Provider Arrangements,''
and ``Involvement of Board of Directors and Senior Management'' are now
in a section of the final rules titled ``Administration of the
Program.'' The guidelines in Appendix J elaborate on these
requirements. A discussion of the comments received on these sections
of the proposed rules, and the corresponding sections of the final
rules and guidelines follows.

Section --.90(d)(2)(i) Element I of the Program: Identification of Red
Flags

    Proposed Sec.  --.90(d)(1)(i) required a Program to include
policies and procedures to identify which Red Flags, singly or in
combination, are relevant to detecting the possible risk of identity
theft to customers or to the safety and soundness of the financial
institution or creditor, using the risk evaluation described in Sec. 
--.90(d)(1)(ii). It also required the Red Flags identified to reflect
changing identity theft risks to customers and to the financial
institution or creditor as they arise.
    Proposed Sec.  --.90(d)(1)(i) provided that each financial
institution and creditor must incorporate into its Program relevant Red
Flags from Appendix J. The preamble to the proposed rules acknowledged
that some Red Flags that are relevant today may become obsolete as time
passes. The preamble stated that the Agencies expected to update
Appendix J periodically,\28\ but that it may be difficult to do so
quickly enough to keep pace with rapidly evolving patterns of identity
theft or as quickly as financial institutions and creditors experience
new types of identity theft. Therefore, proposed Sec.  --.90(d)(1)(i)
also provided that each financial institution and creditor must
incorporate into its Program relevant Red Flags from applicable
supervisory guidance, incidents of identity theft that the financial
institution or creditor has experienced, and methods of identity theft
that the financial institution or creditor has identified that reflect
changes in identity theft risks.
---------------------------------------------------------------------------

    \28\ Section 114 directs the Agencies to update the guidelines
as often as necessary. See 15 U.S.C. 1681m(e)(1)(a).
---------------------------------------------------------------------------

    Some commenters objected to the proposed requirement that the
Program contain policies and procedures to identify which Red Flags,
singly or in combination, are relevant to detecting the possible risk
of identity theft to customers or to the safety and soundness of the
financial institution or creditor. They criticized the phrase
``possible risk'' as too broad and stated that it was unrealistic to
impose upon covered entities a continuing obligation to incorporate
into their Programs Red Flags to address virtually any new identity
theft incident or trend and potential fraud prevention measure. These
commenters stated that this would be a burdensome compliance exercise
that would limit flexibility and add costs, which in turn, would take
away limited resources from the ultimate objective of combating
identity theft.
    Many commenters objected to the proposed requirement that the Red
Flags identified by a financial institution or creditor reflect
changing identity theft risks to customers and to the financial
institution or creditor ``as they arise.'' These commenters requested
that the final rules permit financial institutions and creditors a
reasonable amount of time to adjust the Red Flags included in their
Programs.
    Some commenters agreed that the enumerated sources of Red Flags
were appropriate. A few commenters stated that financial institutions
and creditors should not be required to include in their Programs any
Red Flags except for those set forth in Appendix J or in supervisory
guidance, or that they had experienced. However, most commenters
objected to the requirement that, at a minimum, the Program incorporate
any relevant Red Flags from Appendix J.
    Some financial institution commenters urged deletion of the
proposed requirement to include a list of relevant Red Flags in their
Program. They stated that a financial institution should be able to
assess which Red Flags are appropriate without having to justify to an
examiner why it failed to include a specific Red Flag on a list. Other
commenters recommended that the list of Red Flags in Appendix J be
illustrative only. These commenters recommended that a financial
institution or creditor be permitted to include any Red Flags on its
list that it concludes are appropriate. They suggested that the
Agencies encourage institutions to review the list of Red Flags, and
use their own experience and expertise to identify other Red Flags that
become apparent as fraudsters adapt and develop new techniques. They
maintained that in this manner, institutions and creditors would be
able to identify the appropriate Red Flags and not waste limited
resources and effort addressing those Red Flags in Appendix J that were
obsolete or not appropriate for their activities.
    By contrast, consumer groups criticized the flexibility and
discretion afforded to financial institutions and creditors in this
section of the proposed rules. These commenters urged the Agencies to
make certain Red Flags from Appendix J mandatory, such as a fraud alert
on a consumer report.
    Proposed Sec.  --.90(d)(1)(ii) provided that in order to identify
which Red Flags are relevant to detecting a possible risk of identity
theft to its customers or to its own safety and soundness, the
financial institution or creditor must consider:
    A. Which of its accounts are subject to a risk of identity theft;
    B. The methods it provides to open these accounts;
    C. The methods it provides to access these accounts; and
    D. Its size, location, and customer base.
    While some industry commenters thought the enumerated factors were
appropriate, other commenters stated that the factors on the list were
not necessarily the ones used by financial institutions to identify
risk and were irrelevant to any determination of identity theft or
actual fraud. These commenters maintained that this proposed
requirement would require financial institutions to develop entirely
new programs that may not be as effective or efficient as those
designed by anti-fraud experts. Therefore, they recommended that the
final rules provide financial institutions and creditors with wide
latitude to determine what factors they should consider and how they
categorize them. These commenters urged the Agencies to refrain from
providing a list of factors that financial institutions and creditors
would have to consider because a finite list could limit their ability
to adapt to new forms of identity theft.
    Some commenters suggested that the risk evaluation include an
assessment of other factors such as the likelihood of harm, the cost
and operational burden of using a particular Red Flag and the
effectiveness of a particular Red Flag for that institution or
creditor. Some commenters suggested that the factors refer to the
likely risk of identity theft, while others suggested that the factors
be modified to refer to the possible risk of identity theft to which
each type of account offered by the financial institution or creditor
is subject. Other commenters, including a trade association
representing small financial institutions, asked the Agencies to
provide guidelines on how to conduct a risk assessment.

[[Page 63727]]

    The final rules continue to address the identification of relevant
Red Flags, but simply state that the first element of a Program must be
reasonable policies and procedures to identify relevant Red Flags for
the covered accounts that the financial institution or creditor offers
or maintains. The final rules also state that a financial institution
or creditor must incorporate these Red Flags into its Program.
    The final rules do not require policies and procedures for
identifying which Red Flags are relevant to detecting a ``possible
risk'' of identity theft. Moreover, as described below, a covered
entity's obligation to update its Red Flags is now a separate element
of the Program. The section of the proposed rules describing the
various factors that a financial institution or creditor must consider
to identify relevant Red Flags, and the sources from which a financial
institution or creditor must derive its Red Flags, are now in section
II of the guidelines titled ``Identifying Relevant Red Flags.''
    The Agencies acknowledge that establishing a finite list of factors
that a financial institution or creditor must consider when identifying
relevant Red Flags for covered accounts could limit the ability of a
financial institution or creditor to respond to new forms of identity
theft. Therefore, section II of the guidelines contains a list of
factors that a financial institution or creditor ``should consider * *
* as appropriate'' in identifying relevant Red Flags.
    The Agencies also modified the list in order to provide more
appropriate examples of factors for consideration by a financial
institution or creditor determining which Red Flags may be relevant.
These factors are:
    * The types of covered accounts it offers or maintains;
    * The methods it provides to open its covered accounts;
    * The methods it provides to access its covered accounts; and
    * Its previous experiences with identity theft.
    Thus, for example, Red Flags relevant to deposit accounts may
differ from those relevant to credit accounts, and those applicable to
consumer accounts may differ from those applicable to business
accounts. Red Flags appropriate for accounts that may be opened or
accessed remotely may differ from those that require face-to-face
contact. In addition, a financial institution or creditor should
consider identifying as relevant those Red Flags that directly relate
to its previous experiences with identity theft.
    Section II of the guidelines also gives examples of sources from
which financial institutions and creditors should derive relevant Red
Flags, rather than requiring that the Program incorporate relevant Red
Flags strictly from the four sources listed in the proposed rules.
Section II states that a financial institution or creditor should
incorporate into its Program relevant Red Flags from sources such as:
(1) Incidents of identity theft that the financial institution or
creditor has experienced; (2) methods of identity theft that the
financial institution or creditor has identified that reflect changes
in identity theft risks; and (3) applicable supervisory guidance.
    The Agencies have deleted the reference to the Red Flags in
Appendix J as a source. Instead, a separate provision in section II of
the guidelines, titled ``Categories of Red Flags,'' states that the
Program of a financial institution or creditor ``should include''
relevant Red Flags from five particular categories ``as appropriate.''
The Agencies have included these categories, which summarize the
various types of Red Flags that were previously enumerated in Appendix
J, in order to provide additional non-prescriptive guidance regarding
the identification of relevant Red Flags.
    Section II of the guidelines also notes that ``examples'' of
individual Red Flags from each of the five categories are appended as
Supplement A to Appendix J. The examples in Supplement A are a list of
Red Flags similar to those found in the proposed rules. The Agencies
did not intend for these examples to be a comprehensive list of all
types of identity theft that a financial institution or creditor may
experience. When identifying Red Flags, financial institutions and
creditors must consider the nature of their business and the type of
identity theft to which they may be subject. For instance, creditors in
the health care field may be at risk of medical identity theft (i.e.,
identity theft for the purpose of obtaining medical services) and,
therefore, must identify Red Flags that reflect this risk.
    The Agencies also have decided not to single out any specific Red
Flags as mandatory for all financial institutions and creditors.
Rather, the final rule continues to follow the risk-based, non-
prescriptive approach regarding the identification of Red Flags that
was set forth in the proposal. The Agencies recognize that the final
rules and guidelines cover a wide variety of financial institutions and
creditors that offer and maintain many different products and services,
and require the flexibility to be able to adapt to rapidly changing
risks of identity theft.

Sections --.90(d)(2)(ii) and (iii) Elements II and III of the Program:
Detection of and Response to Red Flags

    Proposed Sec.  --.90(d)(2) stated that the Program must include
reasonable policies and procedures designed to prevent and mitigate
identity theft in connection with the opening of an account or any
existing account. This section then described the policies and
procedures that the Program must include, some of which related solely
to account openings while others related to existing accounts.
    Some financial institution commenters acknowledged that reference
to prevention and mitigation of identity theft was generally a good
objective, but they urged that the final rules refrain from prescribing
how financial institutions must achieve it. Others noted that the CIP
rules and the Information Security Standards already required many of
the steps in the proposal. They recommended that the final rules
recognize this and clarify that compliance with parallel requirements
would be sufficient for compliance under these rules.
    Section --.90(d)(1) of the final rules requires financial
institutions and creditors to develop and implement a written Program
to detect, prevent, and mitigate identity theft in connection with the
opening of a covered account or any existing covered account.
Therefore, the Agencies concluded that it was not necessary to
reiterate this requirement in Sec.  --.90(d)(2). The Agencies have
deleted the prefatory language from proposed Sec.  --.90(d)(2) on
prevention and mitigation in order to streamline the final rules. The
various provisions addressing prevention and mitigation formerly in
this section, namely, verification of identity, detection of Red Flags,
assessment of the risk of Red Flags, and responses to the risk of
identity theft, have been incorporated into the final rules as
``Elements of the Program'' and into the guidelines elaborating on
these provisions. A discussion of the comments received regarding these
provisions, and of the manner in which they have been integrated into
the final rules and guidelines, follows.
Detecting Red Flags
    Proposed Sec.  --.90(d)(2)(i) stated that the Program must include
reasonable policies and procedures to obtain identifying information
about, and verify the identity of, a person opening an account. This
provision was designed to address the risk of identity

[[Page 63728]]

theft to a financial institution or creditor that occurs in connection
with the opening of new accounts.
    The proposed rules stated that any financial institution or
creditor would be able to satisfy the proposed requirement in Sec. 
--.90(d)(2)(i) by using the policies and procedures for identity
verification set forth in the CIP rules. The preamble to the proposed
rules explained that although the CIP rules exclude a variety of
entities from the definition of ``customer'' and exclude a number of
products and relationships from the definition of ``account,'' \29\ the
Agencies were not proposing any exclusions from either of these terms
given the risk-based nature of the regulations.
---------------------------------------------------------------------------

    \29\ See, e.g., 31 CFR 103.121(a).
---------------------------------------------------------------------------

    Most commenters supported this provision. Many of these commenters
urged the Agencies to include in the final rules a clear statement
acknowledging that financial institutions and creditors complying with
the CIP rules would be deemed to be in compliance with this provision's
requirements. Some of these commenters encouraged the Agencies to place
the exemptions from the CIP rules in these final rules for consistency
in implementing both regulatory mandates.
    Some commenters, however, believed the requirement to verify the
identity of a person opening an account duplicated the requirements in
the CIP rules and urged elimination of this redundancy. Other entities
not already subject to the CIP rules stated that complying with those
rules would be very costly and burdensome. These commenters asked that
the Agencies provide them with additional guidance regarding the CIP
rules.
    Consumer groups were concerned that use of the CIP rules would not
adequately address identity theft. They stated that the CIP rules allow
accounts to be opened before identity is verified, which is not the
proper standard to prevent identity theft.
    As described below, the Agencies have moved verification of the
identity of persons opening an account into section III of the
guidelines where it is described as one of the policies and procedures
that a financial institution or creditor should have to detect Red
Flags in connection with the opening of a covered account.
    Proposed Sec.  --.90(d)(2)(ii) stated that the Program must include
reasonable policies and procedures to detect the Red Flags identified
pursuant to paragraph Sec.  --.90(d)(1). The Agencies did not receive
any specific comments on this provision.
    In the final rules, the detection of Red Flags is the second
element of the Program. The final rules provide that a Program must
contain reasonable policies and procedures to detect the Red Flags that
a financial institution or creditor has incorporated into its Program.
    Section III of the guidelines provides examples of various means to
detect Red Flags. It states that the Program's policies and procedures
should address the detection of Red Flags in connection with the
opening of covered accounts, such as by obtaining identifying
information about, and verifying the identity of, a person opening a
covered account, for example, using the policies and procedures
regarding identification and verification set forth in the CIP rules.
Section III also states that the Program's policies and procedures
should address the detection of Red Flags in connection with existing
covered accounts, such as by authenticating customers, monitoring
transactions, and verifying the validity of change of address requests,
in the case of existing covered accounts.
    Covered entities subject to the CIP rules, the Federal Financial
Institutions Examination Council's guidance on authentication,\30\ the
Information Security Standards, and Bank Secrecy Act (BSA) rules \31\
may already be engaged in detecting Red Flags. These entities may wish
to integrate the policies and procedures already developed for purposes
of complying with these issuances into their Programs. However, such
policies and procedures may need to be supplemented. For example, the
CIP rules were written to implement section 326 \32\ of the USA PATRIOT
Act,\33\ an Act directed toward facilitating the prevention, detection,
and prosecution of international money laundering and the financing of
terrorism. Certain types of ``accounts,'' ``customers,'' and products
are exempted or treated specially in the CIP rules because they pose a
lower risk of money laundering or terrorist financing. Such special
treatment may not be appropriate to accomplish the broader objective of
detecting, preventing, and mitigating identity theft. Accordingly, the
Agencies expect all financial institutions and creditors to evaluate
the adequacy of existing policies and procedures and to develop and
implement risk-based policies and procedures that detect Red Flags in
an effective and comprehensive manner.
---------------------------------------------------------------------------

    \30\ ``Authentication in an Internet Banking Environment''
(October 12, 2005), available at http://www.ffiec.gov/press/pr101205.htm.
    \31\ See, e.g., 12 CFR 21.21 (national banks); 12 CFR 208.63
(state member banks); 12 CFR 326.8 (state non-member banks); 12 CFR
563.177 (savings associations); and 12 CFR 748.2 (credit unions).
    \32\ 31 U.S.C. 5318(l).
    \33\ Pub. L. 107-56.
---------------------------------------------------------------------------

Responding to Red Flags
    Proposed Sec.  --.90(d)(2)(iii) stated that to prevent and mitigate
identity theft, the Program must include policies and procedures to
assess whether the Red Flags the financial institution or creditor
detected pursuant to proposed Sec.  --.90(d)(2)(ii) evidence a risk of
identity theft. It also stated that a financial institution or creditor
must have a reasonable basis for concluding that a Red Flag (detected)
does not evidence a risk of identity theft.
    Financial institution commenters expressed concern that this
standard would force an institution to justify to examiners why it did
not take measures to respond to a particular Red Flag. Some consumer
groups believed it was appropriate to require a financial institution
or creditor to have a reasonable basis for concluding that a particular
Red Flag detected does not evidence a risk of identity theft. Other
consumer groups believed that this was too weak a standard and that
mandating the detection of certain Red Flags would be more effective
and preventive.
    Some commenters mistakenly read the proposed provision as requiring
a financial institution or creditor to have a reasonable basis for
excluding from its Program any Red Flag listed in Appendix J, which
would have required the mandatory review and analysis of each and every
Red Flag. These commenters urged the Agencies to delete this provision.
    Proposed Sec.  --.90(d)(2)(iv) stated that to prevent and mitigate
identity theft, the Program must include policies and procedures that
address the risk of identity theft to the customer, the financial
institution, or creditor, commensurate with the degree of risk posed.
The proposed regulations also provided an illustrative list of measures
that a financial institution or creditor could take, including:
    * Monitoring an account for evidence of identity theft;
    * Contacting the customer;
    * Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
    * Reopening an account with a new account number;
    * Not opening a new account;
    * Closing an existing account;
    * Notifying law enforcement and, for those that are subject
to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance
with applicable law and regulation;

[[Page 63729]]

    * Implementing any requirements regarding limitations on
credit extensions under 15 U.S.C. 1681c-1(h), such as declining to
issue an additional credit card when the financial institution or
creditor detects a fraud or active duty alert associated with the
opening of an account, or an existing account; or
    * Implementing any requirements for furnishers of
information to consumer reporting agencies under 15 U.S.C. 1681s-2, to
correct or update inaccurate or incomplete information.
    Some commenters agreed that financial institutions and creditors
should be able to use their own judgment to determine which measures to
take depending upon the degree of risk that is present. However,
consumer groups believed that the final rules should require
notification of consumers in every case where a Red Flag that requires
a response has been detected.
    Other commenters objected to some of the examples given as measures
that financial institutions and creditors could take to address the
risk of identity theft. For example, one commenter objected to the
inclusion, as an example, of the requirements regarding limitations on
credit extensions under 15 U.S.C. 1681c-1(h). The commenter stated that
this statutory provision is confusing, useless, and should not be
referenced in the final rules. Other commenters suggested that the
Agencies clarify that the inclusion of this statutory provision in the
proposed rules as an example of how to address the risk of identity
theft did not make this provision discretionary.
    The final rules merge the concepts previously in proposed Sec. 
--.90(d)(2)(iii) and Sec.  --.90(d)(2)(iv) into the third element of
the Program: reasonable policies and procedures to respond
appropriately to any Red Flags that are detected pursuant to paragraph
(d)(2)(ii) of this section to prevent and mitigate identity theft.
    In order to ``respond appropriately,'' it is implicit that a
financial institution or creditor must assess whether the Red Flags
detected evidence a risk of identity theft, and must have a reasonable
basis for concluding that a Red Flag does not evidence a risk of
identity theft. Therefore, the Agencies concluded that it is not
necessary to specify any such separate assessment, and, accordingly,
deleted the language from the proposal regarding assessing Red Flags
and addressing the risk of identity theft.
    Most of the examples of measures for preventing and mitigating
identity theft previously listed in proposed Sec.  --.90(d)(2)(iv) are
now located in section IV of the guidelines, titled ``Prevention and
Mitigation of Identity Theft.'' Section IV states that the Program's
policies and procedures should provide for appropriate responses to the
Red Flags the financial institution or creditor has detected that are
commensurate with the degree of risk posed. In addition, as described
earlier, the final rules do not define Red Flags to include indicators
of a ``possible risk'' of identity theft (including ``precursors'' to
identity theft). Instead, section IV states that in determining an
appropriate response, a financial institution or creditor should
consider aggravating factors that may heighten the risk of identity
theft, and provides examples of such factors.
    The Agencies also modified the examples of appropriate responses as
follows. First, the Agencies added ``not attempting to collect on a
covered account or not selling a covered account to a debt collector''
as a possible response to Red Flags detected. Second, the Agencies
added ``determining that no response is warranted under the particular
circumstances'' to make clear that an appropriate response may be no
response, especially, for example, when a financial institution or
creditor has a reasonable basis for concluding that the Red Flags
detected do not evidence a risk of identity theft.
    In addition, the Agencies moved the proposed examples that
referenced responses mandated by statute to section VII of the
guidelines, titled ``Other Applicable Legal Requirements,'' to highlight
that certain responses are legally required.
    The section of the proposal listing examples of measures to address
the risk of identity theft included a footnote that discussed the
relationship between a consumer's placement of a fraud or active duty
alert on his or her consumer report and ECOA, 15 U.S.C. 1691, et seq. A
few commenters objected to this footnote. Some commenters believed that
creditors had a right to deny credit automatically whenever a fraud or
active duty alert appears on the consumer report of an applicant. Other
commenters believed that the footnote raised complex issues under the
ECOA and FCRA that required more thorough consideration, and questioned
the need and appropriateness of addressing ECOA in the context of this
rulemaking.
    Under ECOA, it is unlawful for a creditor to discriminate against
any applicant for credit because the applicant has in good faith
exercised any right under the Consumer Credit Protection Act (CCPA), 15
U.S.C. 1691(a). A consumer who requests the inclusion of a fraud alert
or active duty alert in his or her credit file is exercising a right
under the FCRA, which is a part of the CCPA, 15 U.S.C. 1601, et seq.
When a credit file contains a fraud or active duty alert, section 605A
of the FCRA, 15 U.S.C. 1681c-1(h), requires a creditor to take certain
steps before extending credit, increasing a credit limit, or issuing an
additional card on an existing credit account. For an initial or active
duty alert, these steps include utilizing reasonable policies and
procedures to form a reasonable belief that the creditor knows the
identity of the consumer and, where a consumer has specified a
telephone number for identity verification purposes, contacting the
consumer at that telephone number or taking reasonable steps to verify
the consumer's identity and confirm that the application is not the
result of identity theft, 15 U.S.C. 1681c-1(h)(1)(B).
    The purpose of the footnote was to remind financial institutions
and creditors of their legal responsibilities in circumstances where a
consumer has placed a fraud or active duty alert on his or her consumer
report. In particular, the Agencies have concerns that in some cases,
creditors have adopted policies of automatically denying credit to
consumers whenever an initial fraud alert or an active duty alert
appears on an applicant's consumer report. The Agencies agree that this
rulemaking is not the appropriate vehicle for addressing issues under
ECOA. However, the Agencies will continue to evaluate compliance with
ECOA through their routine examination or enforcement processes,
including issues related to fraud and active duty alerts.

Section --.90(d)(2)(iv) Element IV of the Program: Updating the Program

    To ensure that the Program of a financial institution or creditor
remains effective over time, the final rules provide a fourth element
of the Program: policies and procedures to ensure the Program
(including the Red Flags determined to be relevant) is updated
periodically to reflect changes in risks to customers and to the safety
and soundness of the financial institution or creditor from identity
theft. As described earlier, this element replaces the requirements
formerly in proposed Sec.  --.90(c)(2) which stated that the Program
must be designed to address changing identity theft risks as they
arise, and proposed Sec.  --.90(d)(1)(i) which stated that the Red
Flags included in a covered entity's Program must reflect changing
identity theft risks to customers and to the financial institution or
creditor as they arise.

[[Page 63730]]

Unlike the proposed provisions, however, this element only requires
``periodic'' updating. The Agencies concluded that requiring financial
institutions and creditors to immediately and continuously update their
Programs would be overly burdensome.
    Section V of the guidelines elaborates on the obligation to ensure
that the Program is periodically updated. It reiterates the factors
previously in proposed Sec.  --.90(c)(2) that should cause a financial
institution or creditor to update its Program, such as its own
experiences with identity theft, changes in methods of identity theft,
changes in methods to detect, prevent and mitigate identity theft,
changes in accounts that it offers or maintains, and changes in its
business arrangements.

Section --.90(e) Administration of the Program

    The final rules group the remaining provisions of the proposed
rules under the heading ``Administration of the Program,'' albeit in a
different order than proposed. This section of the final rules
describes the steps that financial institutions and creditors must take
to administer the Program, including: Obtaining approval of the initial
written Program; ensuring oversight of the development, implementation
and administration of the Program; training staff; and overseeing
service provider arrangements.
    A number of commenters criticized each of the proposed provisions
regarding administration of the Program, arguing they were not
specifically required by section 114. The Agencies believe the mandate
in section 114 is broad, and provides the Agencies with an ample basis
to issue rules and guidelines containing these provisions because they
are critical to ensuring the effectiveness of a Program. Therefore, the
Agencies have retained these elements in the final rules and guidelines
with some modifications, as follows.

Sections --.90(e)(1) and (2) Involvement of the Board of Directors and
Senior Management

    Proposed Sec.  --.90(d)(5) highlighted the responsibility of the
board of directors and senior management to develop, implement, and
oversee the Program. Proposed Sec.  --.90(d)(5)(i) specifically
required the board of directors or an appropriate committee of the
board to approve the written Program. Proposed Sec.  --.90(d)(5)(ii)
required that the board, an appropriate committee of the board, or
senior management be charged with overseeing the development,
i