Via email
From: Marcia McKeag
Sent: Wednesday, October 15, 2003 4:32 PM
To: Comments
Subject: Comments on Proposed Interagency Guidance
October 10, 2003
Robert E. Feldman, Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
Comments on Proposed Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice
Dear Mr. Feldman:
Thank you for the opportunity to comment on the Proposed Interagency
Guidance on Response Programs for Unauthorized Access to Customer
Information and Customer Notice. We agree with the general intent of the
Guidance and, with the increasing incidence of identity theft, that
adequate measures are very important for prevention.
II. Components of a Response Program
The Proposed Guidance indicates that a response program should
include timely customer notification under the circumstances as
described “to manage an institution’s reputation risk.” The potential
for broad interpretation of what would require customer notification
could in itself pose a risk to a financial institution’s reputation. The
situations warranting customer notification should be defined more
clearly to avoid unnecessary notification.
B. Notify Regulatory and Law Enforcement Agencies
Regulatory and law enforcement agencies could experience overly
onerous notice from financial institutions due to a broad interpretation
of what warrants notification. Specifically, the Guidance indicates
notification should be made due to “an incident involving unauthorized
access to or use of customer information that could result in
substantial harm or inconvenience to its customers.” What is the
intended definition of “inconvenience”? Examples demonstrating the
appropriate meaning would clarify the standard for notification.
Do the agencies foresee any situations that would warrant notice to
Regulatory and Law Enforcement Agencies but not to the Customer?
Financial institutions will likely be reporting more than needed,
overwhelming the Agencies so much that they will not be able to
appropriately respond.
D. Corrective Measures
This section indicates that accounts should immediately be flagged,
but does not provide guidance for how long. Suggested timeframes are
given to be included in the customer notice; should these same
timeframes apply to the financial institution’s monitoring of customer
accounts?
What action does “Securing Account” mean? This section, broadly
interpreted, could cause needless inconvenience to customers or
reputation risk to the financial institution. It implies that access
alone to “a checking, savings, or other deposit account number, debit or
credit card account number, personal identification number (PIN),
password, or other unique identifier” warrants securing of account(s)
and customer notification. Also, some confusion is created between this
section and the section later defining Sensitive Customer Information.
Although we think specific timeframes should be risk based, we would
appreciate further guidance on how long the Agencies think accounts
should be flagged, monitored and secured.
We do believe that if a situation warrants closing of an account,
that decision should be between the financial institution and the
customer and not guided by regulators.
Financial institutions will face increased costs related to flagging
and monitoring of accounts, particularly if it is needlessly taking
place due to misinterpretation of the Guidelines.
III. Circumstances for Customer Notice
Sensitive Customer Information
This section, and throughout the Guidance, repeatedly uses customer
“inconvenience” as a factor to notify customers. Without further
clarification of the Agencies’ intent, customers will be unduly notified
causing concern and inconvenience. This could have a mitigating
effect on all involved.
As written, Sensitive Customer Information could be interpreted to
mean a combination of a personal identification number (PIN) and phone
number, which, by itself, is not sufficient information for identity
fraud. In this case, customer notice would cause more harm than good.
The Guidance should provide further clarification as well as be more
consistent to the Interagency Guidelines Establishing Standard for
Safeguarding Customer Information in defining sensitive customer
information.
Examples of When Notice Should Be Given
These incidents are very broad and could lead to excessive
notification. For example, the first scenario does not indicate any
fraudulent intent or misuse of information, but because an employee
obtained unauthorized access to sensitive customer information,
customers should be notified as well as accounts flagged and secured.
In summary, we support customer notification but think that the
Guidance is too broad. Without further clarification, Regulators, Law
Enforcement Agencies and customers will be subject to unnecessary
notification. Also, financial institutions will experience excessive
costs related to account flagging and monitoring as well as customer
notification.
Sincerely,
IOWA STATE BANK & TRUST COMPANY
Iowa City, Iowa
Charles N. Funk
President and CEO
Marcia McKeag
Compliance Officer