Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Federal Register Publications

FDIC Federal Register Citations



Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations




FDIC Federal Register Citations


October 13, 2003
 

Public Information Room
Office of the Comptroller of the Currency
250 E Street, SW, Mail stop 1-5
Washington, D.C. 20219
Attention:  Docket No. 03-18

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G. Street, N.W.
Washington, DC 20522
Attention: No. 03-35
Ms. Jennifer J. Johnson, Secretary
Board of Governors of the
Federal Reserve System
20th Street and Constitution Ave, NW
Washington, D.C. 20551
Docket No. OP-1155
Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429

Re: Proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

Dear Sir/Madame:

The Wisconsin Bankers Association (WBA) is the largest financial institution trade association in Wisconsin and represents nearly 320 state and nationally chartered banks, savings banks and savings and loan associations located in communities throughout the state. WBA appreciates the opportunity to comment on the above-referenced "Guidance."

WBA and its member institutions recognize, understand and value the importance of safeguarding customer information and helping to deter identity theft of customers. In an effort to thwart identity theft and other crimes, WBA members comply with a variety of security measures including the "Security Guidelines" set forth in the Interagency Guidelines on Safeguarding Customer Information. In addition, WBA and its members provide resources to customers such as brochures, statement stuffers, website information, and customer forums to educate customers about identity theft. Therefore, WBA applauds the federal banking regulatory agencies (Agencies) for your efforts in issuing the proposed Guidance and submits the following comments and suggestions for careful consideration.

The Final Guidance Should Provide Additional Flexibility By Considering the Size and Complexity of the Institution in the Development of An Appropriate Response Program

WBA is encouraged by the general flexibility of the Guidance, and appreciates the comments sought by the Agencies in that regard. Specifically, the Agencies ask whether consideration should be given to how the customer notice burden may vary depending upon the size and complexity of the institution. To this we unequivocally answer, yes; however, WBA believes this flexibility should be extended to another aspect of the proposed Guidance relating to the "Corrective Measures" section.

In the "Flag Accounts" discussion of the "Corrective Measures" section, institutions are directed to "immediately begin identifying and monitoring accounts of those customers whose information may have been accessed or misused. In particular, the institution should provide staff with instructions regarding the recording and reporting of any unusual activity, and, if indicated, given the facts of a particular incident, implement controls to prevent the unauthorized withdrawal or transfers of funds from customer accounts." Some large institutions may have sophisticated monitoring technology capable of monitoring each account for any activity; however, there are undoubtedly countless smaller institutions that simply do not have the technology or other resources to monitor individual accounts in this fashion. Instead, these institutions may only be capable of monitoring accounts for unusual activity. Typically, when these institutions detect unusual activity on an account, the transaction in question is reviewed. If the transaction occurs on an account that is flagged, the institution will review the account. There may be other ways in which monitoring systems may operate given the size and complexity of the institution.

If institutions are required to monitor each account rather than monitor accounts for unusual activity, the financial impact will be enormous, as expensive technology would have to be purchased, more personnel hired, or both. Furthermore, WBA highly doubts that the primary purpose of the Guidance-to prevent unauthorized access to customer information-is better served by monitoring each account, when no unusual activity has occurred. Therefore, the Guidance should be sufficiently flexible to encompass the wide range of capabilities of these systems.

In addition, WBA encourages the Agencies to provide institutions with flexibility to close an account rather than monitor an account if unusual activity is detected. Finally, the Agencies should include in the "Corrective Measures" section a provision that gives institutions flexibility in determining the length of time a flagged account should be monitored.

The Agencies Should Clarify The Customer Notice and Assistance Provision to Exclude from Coverage Those Customers Suspected of Fraud.

In the discussion of "Customer Notice and Assistance" in the "Corrective Measures" section, an institution is directed to "notify and offer assistance to customers whose information was the subject of an incident." WBA believes this section should be clarified so that institutions are not required to provide a notice to a customer when the institution has reasonable cause to believe that the customer is involved in fraud. Absent this clarification, institutions will be required to provide notice to customers who may be involved in the very wrongdoing the Guidance is attempting to quell.

Conclusion

WBA appreciates the opportunity to comment on this important proposed Guidance. WBA and its members are active in the fight against identity theft and other crimes resulting from unauthorized access to customer information, whether it is shoulder surfing at an ATM or through intrusion of computer systems.

To that end, WBA reiterates its support of the proposed Guidance. Furthermore, WBA is certain that the key to effective response programs is flexibility. Given the general flexibility already built-in to the proposal, it appears the Agencies share that view. Therefore, WBA urges that the Agencies build on this foundation by adopting the additional flexibility WBA describes today.

Sincerely,
Harry J. Argue, CAE
Executive Vice President/CEO
Wisconsin Bankers Association
Madison, WI

 

Last Updated 10/16/2003 regs@fdic.gov

Last Updated: August 4, 2024