October 13, 2003
Public
Information Room
Office of
the Comptroller of the Currency
250 E Street, SW,
Mail stop 1-5
Washington, D.C. 20219
Attention: Docket No. 03-18 |
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G. Street, N.W.
Washington, DC 20522
Attention: No. 03-35 |
Ms. Jennifer J. Johnson, Secretary
Board of Governors of the
Federal Reserve
System
20th Street and Constitution Ave, NW
Washington, D.C. 20551
Docket No. OP-1155 |
Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429 |
Re: Proposed Interagency Guidance on Response Programs for Unauthorized Access
to Customer Information and Customer Notice
Dear Sir/Madame:
The Wisconsin Bankers Association (WBA) is the largest financial
institution trade association in Wisconsin and represents nearly 320
state and nationally chartered banks, savings banks and savings and loan
associations located in communities throughout the state. WBA
appreciates the opportunity to comment on the above-referenced
"Guidance."
WBA and its member institutions recognize, understand and value the
importance of safeguarding customer information and helping to deter
identity theft of customers. In an effort to thwart identity theft and
other crimes, WBA members comply with a variety of security measures
including the "Security Guidelines" set forth in the Interagency
Guidelines on Safeguarding Customer Information. In addition, WBA and
its members provide resources to customers such as brochures, statement
stuffers, website information, and customer forums to educate customers
about identity theft. Therefore, WBA applauds the federal banking
regulatory agencies (Agencies) for your efforts in issuing the proposed
Guidance and submits the following comments and suggestions for careful
consideration.
The Final Guidance Should Provide Additional Flexibility By
Considering the Size and Complexity of the Institution in the
Development of An Appropriate Response Program
WBA is encouraged by the general flexibility of the Guidance, and
appreciates the comments sought by the Agencies in that regard.
Specifically, the Agencies ask whether consideration should be given to
how the customer notice burden may vary depending upon the size and
complexity of the institution. To this we unequivocally answer, yes;
however, WBA believes this flexibility should be extended to another
aspect of the proposed Guidance relating to the "Corrective Measures"
section.
In the "Flag Accounts" discussion of the "Corrective Measures"
section, institutions are directed to "immediately begin identifying and
monitoring accounts of those customers whose information may have been
accessed or misused. In particular, the institution should provide staff
with instructions regarding the recording and reporting of any unusual
activity, and, if indicated, given the facts of a particular incident,
implement controls to prevent the unauthorized withdrawal or transfers
of funds from customer accounts." Some large institutions may have
sophisticated monitoring technology capable of monitoring each account
for any activity; however, there are undoubtedly countless smaller
institutions that simply do not have the technology or other resources
to monitor individual accounts in this fashion. Instead, these
institutions may only be capable of monitoring accounts for unusual
activity. Typically, when these institutions detect unusual activity on
an account, the transaction in question is reviewed. If the transaction
occurs on an account that is flagged, the institution will review the
account. There may be other ways in which monitoring systems may operate
given the size and complexity of the institution.
If institutions are required to monitor each account rather than
monitor accounts for unusual activity, the financial impact will be
enormous, as expensive technology would have to be purchased, more
personnel hired, or both. Furthermore, WBA highly doubts that the
primary purpose of the Guidance-to prevent unauthorized access to
customer information-is better served by monitoring each account, when
no unusual activity has occurred. Therefore, the Guidance should be
sufficiently flexible to encompass the wide range of capabilities of
these systems.
In addition, WBA encourages the Agencies to provide institutions with
flexibility to close an account rather than monitor an account if
unusual activity is detected. Finally, the Agencies should include in
the "Corrective Measures" section a provision that gives institutions
flexibility in determining the length of time a flagged account should
be monitored.
The Agencies Should Clarify The Customer Notice and Assistance
Provision to Exclude from Coverage Those Customers Suspected of Fraud.
In the discussion of "Customer Notice and Assistance" in the
"Corrective Measures" section, an institution is directed to "notify and
offer assistance to customers whose information was the subject of an
incident." WBA believes this section should be clarified so that
institutions are not required to provide a notice to a customer when the
institution has reasonable cause to believe that the customer is
involved in fraud. Absent this clarification, institutions will be
required to provide notice to customers who may be involved in the very
wrongdoing the Guidance is attempting to quell.
Conclusion
WBA appreciates the opportunity to comment on this important proposed
Guidance. WBA and its members are active in the fight against identity
theft and other crimes resulting from unauthorized access to customer
information, whether it is shoulder surfing at an ATM or through
intrusion of computer systems.
To that end, WBA reiterates its support of the proposed Guidance.
Furthermore, WBA is certain that the key to effective response programs
is flexibility. Given the general flexibility already built-in to the
proposal, it appears the Agencies share that view. Therefore, WBA urges
that the Agencies build on this foundation by adopting the additional
flexibility WBA describes today.
Sincerely,
Harry J. Argue, CAE
Executive Vice President/CEO
Wisconsin Bankers Association
Madison, WI
|