|
FDIC Federal Register Citations
[Federal Register: July 18, 2006 (Volume 71, Number 137)]
[Proposed Rules]
[Page 40785-40826]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr18jy06-16]
[[Page 40785]]
-----------------------------------------------------------------------
Part II
Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Part 41
Federal Reserve System
12 CFR Part 222
Federal Deposit Insurance Corporation
12 CFR Parts 334 and 364
Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571
National Credit Union Administration
12 CFR Part 717
Federal Trade Commission
16 CFR Part 681
-----------------------------------------------------------------------
Identity Theft Red Flags and Address Discrepancies Under the Fair and
Accurate Credit Transactions Act of 2003; Proposed Rule
[[Page 40786]]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket No. 06-07]
RIN 1557-AC87
FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Docket No. R-1255]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 334 and 364
RIN 3064-AD00
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[No. 2006-19]
RIN 1550-AC04
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 717
FEDERAL TRADE COMMISSION
16 CFR Part 681
RIN 3084-AA94
Identity Theft Red Flags and Address Discrepancies Under the Fair
and Accurate Credit Transactions Act of 2003
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC);
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision,
Treasury (OTS); National Credit Union Administration (NCUA); and
Federal Trade Commission (FTC or Commission).
ACTION: Joint notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) request
comment on a proposal that would implement sections 114 and 315 of the
Fair and Accurate Credit Transactions Act of 2003 (FACT Act). As
required by section 114, the Agencies are jointly proposing guidelines
for financial institutions and creditors identifying patterns,
practices, and specific forms of activity, that indicate the possible
existence of identity theft. The Agencies also are proposing joint
regulations requiring each financial institution and creditor to
establish reasonable policies and procedures for implementing the
guidelines, including a provision requiring credit and debit card
issuers to assess the validity of a request for a change of address
under certain circumstances.
In addition, the Agencies are proposing joint regulations under
section 315 that provide guidance regarding reasonable policies and
procedures that a user of consumer reports must employ when such a user
receives a notice of address discrepancy from a consumer reporting
agency.
DATES: Comments must be submitted on or before September 18, 2006.
ADDRESSES: The Agencies will jointly review all of the comments
submitted. Therefore, you may comment to any of the Agencies and you
need not send comments (or copies) to all of the Agencies. Because
paper mail in the Washington area and at the Agencies is subject to
delay, please submit your comments by e-mail whenever possible.
Commenters are encouraged to use the title ``Red Flags Rule'' in
addition to the docket or RIN number to facilitate the organization and
distribution of comments among the Agencies. Interested parties are
invited to submit comments in accordance with the following
instructions:
OCC: You should designate OCC in your comment and include Docket
Number 06-07. You may submit comments by any of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
OCC Web site: http://www.occ.treas.gov. Click on ``Contact
the OCC,'' scroll down and click on ``Comments on Proposed
Regulations.''
Fax: (202) 874-4448.
Mail: Office of the Comptroller of the Currency, 250 E
Street, SW., Public Reference Room, Mail Stop 1-5, Washington, DC
20219.
Hand Delivery/Courier: 250 E Street, SW., Attn: Public
Reference Room, Mail Stop 1-5, Washington, DC 20219.
Instructions: All submissions received must include the agency name
(OCC) and docket number or Regulatory Information Number (RIN) for this
notice of proposed rulemaking. In general, the OCC will enter all
comments received into the docket without change, including any
business or personal information that you provide.
You may review the comments received by the OCC and other related
materials by any of the following methods:
Viewing Comments Personally: You may personally inspect
and photocopy comments received at the OCC's Public Reference Room, 250
E Street, SW., Washington, DC. You can make an appointment to inspect
comments by calling (202) 874-5043.
Viewing Comments Electronically: You may request e-mail or
CD-ROM copies of comments that the OCC has received by contacting the
OCC's Public Reference Room at regs.comments@occ.treas.gov.
Docket: You may also request available background
documents using the methods described earlier.
Board: You may submit comments, identified by Docket No. R-1255, by
any of the following methods:
Agency Web site: http://www.federalreserve.gov Follow the instructions for
submitting comments at http://www.federalreserve.gov/.
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: regs.comments@federalreserve.gov. Include docket
number in the subject line of the message.
FAX: 202/452-3819 or 202/452-3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors
of the Federal Reserve System, 20th Street and Constitution Avenue,
NW., Washington, DC 20551.
All public comments are available from the Board's Web site at
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as
submitted,
unless modified for technical reasons. Accordingly, your comments will
not be edited to remove any identifying or contact information. Public
comments may also be viewed electronically or in paper in Room MP-500
of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m.
and 5 p.m. on weekdays.
FDIC: You may submit comments, identified by RIN number by any of
the following methods:
Agency Web site:
http://www.FDIC.gov/regulations/laws/federal/propose.html..
Follow instructions for submitting comments on
the Agency Web site.
E-mail: comments@fdic.gov. Include the RIN number in the
subject line of the message.
[[Page 40787]]
Mail: Robert E. Feldman, Executive Secretary, Attention:
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear of the
550 17th Street Building (located on F Street) on business days between
7 a.m. and 5 p.m.
Instructions: All submissions received must include the
agency name and RIN for this rulemaking. All comments received will be
posted without change to
http://www.FDIC.gov/regulations/laws/federal/propose.html
including any personal information provided. Comments may
be inspected at the FDIC Public Information Center, Room E-1002, 3502
North Fairfax Drive, Arlington, VA, 22226, between 9 a.m. and 5 p.m. on
business days.
OTS: You may submit comments, identified by No. 2006-19, by any of
the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: regs.comments@ots.treas.gov. Please include No.
2006-19 in the subject line of the message and include your name and
telephone number in the message.
Fax: (202) 906-6518.
Mail: Regulation Comments, Chief Counsel's Office, Office
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552,
Attention: No. 2006-19.
Hand Delivery/Courier: Guard's Desk, East Lobby Entrance,
1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention:
Regulation Comments, Chief Counsel's Office, Attention: No. 2006-19.
Instructions: All submissions received must include the agency name
and number or Regulatory Information Number (RIN) for this rulemaking.
All comments received will be posted without change to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1
, including any
personal information provided.
Docket: For access to the docket to read background documents or
comments received, go to http://www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1.
In addition, you may inspect comments
at the Public Reading Room, 1700 G Street, NW, by appointment. To make
an appointment for access, call (202) 906-5922, send an e-mail to
public.info@ots.treas.gov, or send a facsimile transmission to (202)
906-7755. (Prior notice identifying the materials you will be
requesting will assist us in serving you.) We schedule appointments on
business days between 10 a.m. and 4 p.m. In most cases, appointments
will be available the next business day following the date we receive a
request.
NCUA: You may submit comments by any of the following methods
(Please send comments by one method only):
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
NCUA Web site: http://www.ncua.gov/RegulationsOpinionsLaws/proposed_regs/proposed_regs.html.
Follow the
instructions for submitting comments.
E-mail: Address to regcomments@ncua.gov. Include ``[Your
name] Comments on Proposed Rule 717, Identity Theft Red Flags,'' in the
e-mail subject line.
Fax: (703) 518-6319. Use the subject line described above
for e-mail.
Mail: Address to Mary F. Rupp, Secretary of the Board,
National Credit Union Administration, 1775 Duke Street, Alexandria,
Virginia 22314-3428.
Hand Delivery/Courier: Same as mail address.
FTC: Comments should refer to ``The Red Flags Rule, Project No.
R611019,'' and may be submitted by any of the following methods.
However, if the comment contains any material for which confidential
treatment is requested, it must be filed in paper form, and the first
page of the document must be clearly labeled ``Confidential.'' \1\
---------------------------------------------------------------------------
\1\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be
accompanied by an explicit request for confidential treatment,
including the factual and legal basis for the request, and must
identify the specific portions of the comment to be withheld from
the public record. The request will be granted or denied by the
Commission's General Counsel, consistent with applicable law and the
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
E-mail: Comments filed in electronic form should be
submitted by clicking on the following Web link: https://secure.commentworks.com/ftc-redflags
and following the instructions on
the Web-based form. To ensure that the Commission considers an
electronic comment, you must file it on the Web-based form at https://secure.commentworks.com/ftc-redflags
.
Federal eRulemaking Portal: If this notice appears at
http://www.regulations.gov, you may also file an electronic comment
through that Web site. The Commission will consider all comments that
regulations.gov forwards to it.
Mail or Hand Delivery: A comment filed in paper form
should include ``The Red Flags Rule, Project No. R611019,'' both in the
text and on the envelope and should be mailed or delivered, with two
complete copies, to the following address: Federal Trade Commission/
Office of the Secretary, Room H-135 (Annex M), 600 Pennsylvania Avenue,
NW., Washington, DC 20580. Because paper mail in the Washington area
and at the Commission is subject to delay, please consider submitting
your comments in electronic form, as prescribed above. The FTC is
requesting that any comment filed in paper form be sent by courier or
overnight service, if possible.
Comments on any proposed filing, recordkeeping, or disclosure
requirements that are subject to paperwork burden review under the
Paperwork Reduction Act should additionally be submitted to: Office of
Management and Budget, Attention: Desk Officer for the Federal Trade
Commission. Comments should be submitted via facsimile to (202) 395-
6974 because U.S. Postal Mail is subject to lengthy delays due to
heightened security precautions.
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC Web site, to the extent
practicable, at http://www.ftc.gov/os/publiccomments.htm. As a matter
of discretion, the FTC makes every effort to remove home contact
information for individuals from the public comments it receives before
placing those comments on the FTC Web site. More information, including
routine uses permitted by the Privacy Act, may be found in the FTC's
privacy policy, at http://www.ftc.gov/ftc/privacy.htm.
FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief
Counsel, (202) 874-5200; Deborah Katz, Senior Counsel, or Andra
Shuster, Special Counsel, Legislative and Regulatory Activities
Division, (202) 874-5090; Paul Utterback, Compliance Specialist,
Compliance Department, (202) 874-5461; or Aida Plaza Carter, Director,
Bank Information Technology, (202) 874-4740, Office of the Comptroller
of the Currency, 250 E Street, SW., Washington, DC 20219.
Board: David A. Stein, Counsel, or Ky Tran-Trong, Senior Attorney,
Division of Consumer and Community Affairs, (202) 452-3667; Andrew
Miller, Counsel, Legal Division, (202) 452-
[[Page 40788]]
3428; or John Gibbons, Supervisory Financial Analyst, Division of
Banking Supervision and Regulation, (202) 452-6409, Board of Governors
of the Federal Reserve System, 20th and C Streets, NW., Washington, DC
20551.
FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898-3872 or
David P. Lafleur, Policy Analyst, (202) 898-6569, Division of
Supervision and Consumer Protection; Richard M. Schwartz, Counsel,
(202) 898-7424, or Richard B. Foley, Counsel, (202) 898-3784, Legal
Division, Federal Deposit Insurance Corporation, 550 17th Street, NW.,
Washington, DC 20429.
OTS: Glenn Gimble, Senior Project Manager, Operation Risk, (202)
906-7158; Kathleen M. McNulty, Technology Program Manager, Information
Technology Risk Management, (202) 906-6322; or Richard Bennett,
Counsel, Regulations and Legislation Division, (202) 906-7409, Office
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.
NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel,
(703) 518-6540, National Credit Union Administration, 1775 Duke Street,
Alexandria, VA 22314-3428.
FTC: Naomi B. Lefkovitz, Attorney, Division of Privacy and Identity
Protection, Bureau of Consumer Protection, (202) 326-3228, Federal
Trade Commission, 600 Pennsylvania Avenue, NW., Washington DC 20580
SUPPLEMENTARY INFORMATION: This notice contains the following sections:
I. Section 114 of the FACT Act
A. Background
The President signed the FACT Act into law on December 4, 2003.
Pub. L. 108-159 (2003). The FACT Act added several new provisions to
the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 et seq.,
that relate to the detection, prevention, and mitigation of identity
theft.\2\ Section 114 amends section 615 of the FCRA and requires the
Agencies to jointly issue guidelines for financial institutions and
creditors regarding identity theft with respect to their account
holders and customers. In developing the guidelines, the Agencies must
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The guidelines must
be updated as often as necessary, and cannot be inconsistent with the
policies and procedures required under section 326 of the USA PATRIOT
Act, 31 U.S.C. 5318(l), which requires verification of the identity of
persons opening new accounts.
---------------------------------------------------------------------------
\2\ Section 111 of the FACT Act defines ``identity theft'' as
``a fraud committed using the identifying information of another
person, subject to such further definition as the [Federal Trade]
Commission may prescribe, by regulation.'' 15 U.S.C. 1681a(q)(3).
---------------------------------------------------------------------------
Section 114 also directs the Agencies to consider including
reasonable guidelines providing that a financial institution or
creditor ``shall follow reasonable policies and procedures'' for
notifying the consumer, ``in a manner reasonably designed to reduce the
likelihood of identity theft,'' when a transaction occurs in connection
with a consumer's credit or deposit account that has been inactive for
two years.
In addition, the Agencies must jointly prescribe regulations
requiring each financial institution and creditor to establish
reasonable policies and procedures for implementing the guidelines to
identify possible risks to account holders or customers or to the
safety and soundness of the institution or customer.
The joint regulations must include a provision generally requiring
credit and debit card issuers to assess the validity of change of
address requests. In particular, if the card issuer receives a notice
of change of address for an existing account, and within a short period
of time (during at least the first 30 days) receives a request for an
additional or replacement card for the same account, the issuer must
follow reasonable policies and procedures designed to prevent identity
theft. Under these circumstances, the card issuer may not issue the
card unless it (1) Notifies the cardholder of the request at the
cardholder's former address and provides the cardholder with a means to
promptly report an incorrect address; (2) notifies the cardholder of
the address change request by another means of communication previously
agreed to by the issuer and the cardholder; or (3) uses other means of
evaluating the validity of the address change in accordance with the
reasonable policies and procedures established by the card issuer to
comply with the joint regulations.
Section 114 broadly describes elements that belong in the
regulations and those that belong in the ``guidelines'' without
defining this term. The Agencies are proposing to implement the
requirements of section 114 through regulations (Red Flag Regulations)
requiring each financial institution and creditor to implement a
written Identity Theft Prevention Program (Program). The Program must
contain reasonable policies and procedures to address the risk of
identity theft. The Agencies also are proposing guidelines that
identify patterns, practices, and specific forms of activity that
indicate a possible risk of identity theft (Red Flag Guidelines or
Appendix J). As required by statute, the Agencies will update the Red
Flag Guidelines as often as necessary. The proposed Red Flag
Regulations require financial institutions and creditors to incorporate
relevant indicators of identity theft into their Programs. The Agencies
request comment on whether the elements described in section 114 have
been properly allocated between the proposed regulations and the
proposed guidelines.
As required by section 114, the Agencies also are proposing joint
regulations requiring credit card issuers to implement reasonable
policies and procedures to assess the validity of a change of address.
B. Proposed Red Flag Regulations
1. Overview
The Agencies are proposing Red Flag Regulations that adopt a
flexible risk-based approach similar to the approach used in the
``Interagency Guidelines Establishing Information Security Standards''
\3\ issued by the Federal banking agencies (FDIC, Board, OCC and OTS),
the ``Guidelines for Safeguarding Member Information'' issued by the
NCUA,\4\ and the ``Standards for Safeguarding Customer Information''
\5\ issued by the FTC, (collectively, Information Security Standards),
to implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15
U.S.C. 6801.
---------------------------------------------------------------------------
\3\ 12 CFR part 30, app. B (national banks); 12 CFR part 208,
app. D-2 and part 225, app. F (state member banks and holding
companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR
part 570, app. B (savings associations).
\4\ 12 CFR part 748, app. A.
\5\ 16 CFR part 314.
---------------------------------------------------------------------------
Under the proposed Red Flag Regulations, financial institutions and
creditors must have a written Program that is based upon the risk
assessment of the financial institution or creditor and that includes
controls to address the identity theft risks identified. Like the
program described in the Agencies' Information Security Standards, this
Program must be appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities, and
be flexible to address changing identity theft risks as they arise. A
financial institution or creditor may wish to combine its program to
prevent identity theft with its information security program, as these
programs are complementary in many ways.\6 \
---------------------------------------------------------------------------
\6\ The Agencies note, however, that some creditors covered by
the proposed Red Flag Guidelines are not financial institutions
subject to Title V of the GLBA and, therefore, are not required to
have an information security program under the GLBA. Moreover, the
term ``customer'' is defined more broadly in the proposed Red Flag
Regulations than in the Information Security Standards.
---------------------------------------------------------------------------
[[Page 40789]]
Briefly summarized, under the proposed Red Flag Regulations, the
Program of each financial institution or creditor must be designed to
address the risk of identity theft to customers and to the safety and
soundness of the financial institution or creditor. The Program must
include policies and procedures to prevent identity theft from
occurring, including policies and procedures to:
Identify those Red Flags that are relevant to detecting a
possible risk of identity theft to customers or to the safety and
soundness of the financial institution or creditor;
Verify the identity of persons opening accounts;
Detect the Red Flags that the financial institution or
creditor identifies as relevant in connection with the opening of an
account or any existing account;
Assess whether the Red Flags detected evidence a risk of
identity theft;
Mitigate the risk of identity theft, commensurate with the
degree of risk posed;
Train staff to implement the Program; and
Oversee service provider arrangements.
The proposed Red Flag Regulations also require the board of
directors or an appropriate committee of the board to approve the
Program. In addition, the board, an appropriate committee of the board,
or senior management must exercise oversight over the Program's
implementation. Staff implementing the Program must report to its
board, an appropriate committee or senior management, at least
annually, on compliance by the financial institution or creditor with
the Red Flag Regulations. These Regulations are described in greater
detail in the section-by-section analysis that follows.
2. Proposed Red Flag Regulations: Section-by-Section Analysis
The OCC, Board, FDIC, OTS and NCUA propose putting the Red Flag
Regulations and Guidelines in the FCRA part of their regulations, 12
CFR parts 41, 222, 334, 571, and 717, respectively. In addition, the
FDIC proposes to cross-reference the Red Flag Regulations and
Guidelines in 12 CFR part 364. For ease of reference, the discussion in
this preamble uses the shared numerical suffix of each of these
agency's regulations.\7\
---------------------------------------------------------------------------
\7\ The FTC also proposes putting the Red Flag Regulations and
Guidelines in the FCRA part of its regulations, specifically 16 CFR
part 681. However, the FTC uses different numerical suffixes that
equate to the numerical suffixes discussed in the preamble as
follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 =
FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition,
the Appendix J referenced in the preamble equates to Appendix A for
the FTC.
---------------------------------------------------------------------------
Section ----.90 Duties regarding the detection, prevention, and
mitigation of identity theft
Section ----.90(a) Purpose and Scope
Proposed Sec. ----.90(a) sets forth the statutory authority for
the proposed Red Flag Regulations, namely, section 114 of the FACT Act,
which amends section 615 of the FCRA, 15 U.S.C. 1681m. It also defines
the scope of this section; each of the Agencies has tailored this
paragraph to describe those entities to which this section applies.
Section ----.90(b) Definitions
Proposed Sec. ----.90(b) sets forth the definitions of various
terms that apply to this section.
1. Account. Section 114 of the FACT Act does not use the term
``account.'' However, for ease of reference, the Agencies believe it is
helpful to identify a single term to describe the relationships covered
by section 114 that an account holder or customer may have with a
financial institution or creditor. Therefore, for purposes of the Red
Flag Regulations, the Agencies propose to use the term ``account'' to
broadly describe the various relationships an account holder or
customer may have with a financial institution or creditor that may
become subject to identity theft.\8\
---------------------------------------------------------------------------
\8\ The Agencies recognize that, in other contexts, the FCRA
defines the term ``account'' narrowly to describe certain deposit
relationships. See 15 U.S.C. 1681a(r)(4).
---------------------------------------------------------------------------
The proposed definition of ``account'' is similar to the definition
of ``customer relationship'' found in the Agencies' privacy
regulations.\9\ In particular, the proposed definition of ``account''
is ``a continuing relationship established to provide a financial
product or service that a financial holding company could offer by
engaging in an activity that is financial in nature or incidental to
such a financial activity under section 4(k) of the Bank Holding
Company Act, 12 U.S.C. 1843(k).'' \10\ The definition gives examples of
an ``account'' including an extension of credit for personal, family,
household or business purposes (such as a credit card account, margin
account, or retail installment sales contract, including a car loan or
lease), and a demand deposit, savings or other asset account for
personal, family, household or business purposes (such as a checking or
savings account). While the proposed definition of ``account'' is
expansive, the risk-based nature of the proposed Red Flag Regulations
affords each financial institution or creditor flexibility to determine
which relationships will be covered by its Program through a risk
evaluation process.
---------------------------------------------------------------------------
\9\ See 12 CFR 40.3(i)(1) (OCC); 12 CFR 216.3(i)(1) (Board); 12
CFR 332.3(i)(1) (FDIC); 12 CFR 573.3(i)(1) (OTS); 12 CFR 716.3(j)
(NCUA); and 16 CFR 313.3(i)(1) (FTC).
\10\ See 12 CFR 225.86 for a description of activities that are
``financial in nature or incidental to a financial activity,'' and
explanation that these include activities that are ``closely related
to banking,'' as set forth in 12 CFR 225.28, such as fiduciary,
agency, custodial, brokerage and investment advisory activities.
---------------------------------------------------------------------------
The Agencies request comment on the scope of the proposed
definition of ``account.'' In particular, the Agencies solicit comment
on whether reference to ``financial products and services that a
financial holding company could offer by engaging in an activity that
is financial in nature or incidental to such a financial activity under
section 4(k) of the Bank Holding Company Act'' is appropriate to
describe the relationships that an account holder or customer may have
with a financial institution or creditor that should be covered by the
Red Flag Regulations. The Agencies also request comment on whether the
definition of ``account'' should include relationships that are not
``continuing'' that a person may have with a financial institution or
creditor. In addition, the Agencies request comment on whether
additional or different examples of accounts should be added to the
Regulations.
2. Board of Directors. The proposed Red Flag Regulations discuss
the role of the board of directors of a financial institution or
creditor. However, the Agencies recognize that some of the financial
institutions and creditors covered by the Regulations will not have a
board of directors. Therefore, in addition to its plain meaning, the
proposed definition of ``board of directors'' includes, in the case of
a foreign branch or agency of a foreign bank, the managing official in
charge of the branch or agency. In the case of any other creditor that
does not have a board of directors, ``board of directors'' is defined
as a designated employee.
3. Customer. Section 114 of the FACT Act refers to ``account
holders'' and ``customers'' of financial institutions and creditors
without defining either of these terms. For ease of reference, the
[[Page 40790]]
Agencies are proposing to define ``customer'' to encompass both
``customers'' and ``account holders.'' Thus, ``customer'' means a
person that has an account with a financial institution or creditor.
The proposed definition of ``customer'' is broader than the
definition of this term in the Information Security Standards. The
proposed definition applies to any ``person,'' defined by the FCRA as
any individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other
entity.\11\
---------------------------------------------------------------------------
\11\ See 15 U.S.C. 1681a(b).
---------------------------------------------------------------------------
The Agencies chose this broad definition because, in addition to
individuals, various types of entities (e.g., small businesses) can be
victims of identity theft. Although the definition of ``customer'' is
broad, a financial institution or creditor would have the discretion to
determine which type of customer accounts will be covered under its
Program, since the proposed Red Flag Regulations are risk-based.\12\
The Agencies solicit comment on the scope of the proposed definition of
``customer.''
---------------------------------------------------------------------------
\12\ Under proposed Sec. ----.90(d)(1), this determination must
be substantiated by a risk evaluation that takes into consideration
which customer accounts of the financial institution or creditor are
subject to a risk of identity theft.
---------------------------------------------------------------------------
4. Identity Theft. The proposed definition of ``identity theft''
states that this term has the same meaning as in 16 CFR 603.2(a).
Section 111 of the FACT Act added several new definitions to the FCRA,
including ``identity theft.'' However, section 111 granted authority to
the FTC to further define this term.\13\ The FTC exercised this
authority and issued a final rule, which became effective on December
1, 2004, that defines ``identity theft'' as ``a fraud committed or
attempted using the identifying information of another person without
authority.'' \14\ The FTC's rule defines ``identifying information'' to
mean any name or number that may be used, alone or in conjunction with
any other information, to identify a specific person, such as a name,
social security number, date of birth, official State or government
issued driver's license or identification number, alien registration
number, government passport number, or employer or taxpayer
identification number.\15\
---------------------------------------------------------------------------
\13\ 15 U.S.C. 1681a(q)(3).
\14\ 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)).
\15\ See 16 CFR 603.2(b) for additional examples of
``identifying information,'' including unique biometric identifiers.
---------------------------------------------------------------------------
This definition of ``identity theft'' in the FTC's rule would be
applicable to the Red Flag Regulations. Accordingly, ``identity theft''
within the meaning of the proposed Red Flag Regulations includes both
actual and attempted identity theft.
5. Red Flag. The proposed definition of a ``Red Flag'' is a
pattern, practice, or specific activity that indicates the possible
risk of identity theft. This definition is based on the statutory
language. Section 114 states that in developing the Red Flag
Guidelines, the Agencies must identify patterns, practices, and
specific forms of activity that indicate ``the possible existence'' of
identity theft. In other words, the Red Flags identified by the
Agencies must be indicators of ``the possible existence'' of ``a fraud
committed or attempted using the identifying information of another
person without authority.'' \16\
---------------------------------------------------------------------------
\16\ See 16 CFR 603.2(a)(defining ``identity theft'').
---------------------------------------------------------------------------
Section 114 also states that the purpose of the Red Flag
Regulations is to identify ``possible risks'' to account holders or
customers or to the safety and soundness of the institution or
``customer'' \17\ from identity theft. The Agencies believe that a
``possible risk'' of identity theft may exist even where the ``possible
existence'' of identity theft is not necessarily indicated. For
example, electronic messages to customers of financial institutions and
creditors directing them to a fraudulent website in order to obtain
their personal information (``phishing''), and a security breach
involving the theft of personal information often are a means to
acquire the information of another person for use in committing
identity theft. Because of the linkage between these events and
identity theft, the Agencies believe that it is important to include
such precursors to identity theft as Red Flags. Defining these early
warning signals as Red Flags will better position financial
institutions and creditors to stop identity theft at its inception.
Therefore, the Agencies have defined ``Red Flags'' expansively to
include those precursors to identity theft which indicate ``a possible
risk'' of identity theft to customers, financial institutions, and
creditors.
---------------------------------------------------------------------------
\17\ Use of the term ``customer'' here appears to be a drafting
error and likely should read ``creditor.'' Use of the term
``customer'' here appears to be a drafting error and likely should
read ``creditor.''
---------------------------------------------------------------------------
The Agencies request comment on the scope of the definition of
``Red Flags'' and, specifically, whether the definition of Red Flags
should include precursors to identity theft.
6. Service Provider. The proposed definition of ``service
provider'' is a person that provides a service directly to the
financial institution or creditor. This definition is based upon the
definition of ``service provider'' in the Agencies'' standards
implementing section 501(b) of the GLBA.\18\
---------------------------------------------------------------------------
\18\ 12 CFR part 30, app. B (national banks); 12 CFR part 208,
app. D-2 and part 225, app. F (state member banks and holding
companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR
part 570, app. B (savings associations); 12 CFR part 748, app. A
(credit unions); 16 CFR part 314 (FTC regulated financial
institutions).
---------------------------------------------------------------------------
Section ----.90(c) Identity Theft Prevention Program
Proposed paragraph Sec. ----.90(c) describes the primary
objectives of the Program. It states that each financial institution or
creditor must implement a written Program that includes reasonable
policies and procedures to address the risk of identity theft to its
customers and the safety and soundness of the financial institution or
creditor, in the manner described in Sec. ----.90(d). The program must
address financial, operational, compliance, reputation, and litigation
risks.
The risks of identity theft to a customer may include financial,
reputation and litigation risks that occur when another person uses a
customer's account fraudulently, such as by using the customer's credit
card account number to make unauthorized purchases. The risks of
identity theft to the safety and soundness of the financial institution
or creditor may include: compliance, reputation, or litigation risks
for failure to adequately protect customers from identity theft;
operational and financial risks from absorbing losses to customers who
are the victims of identity theft; or losses to the financial
institution or creditor from opening an account for a person engaged in
identity theft. Addressing identity theft in these circumstances would
not only benefit customers, but would also benefit the financial
institution or creditor, and any person (who has no relationship with
the financial institution or creditor) whose identity has been
misappropriated.
In addition, proposed paragraph Sec. ----.90(c) states that the
Program must be appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities.
Thus, the proposed Red Flag Regulations are flexible and take into
account the operations of smaller institutions.\19\
---------------------------------------------------------------------------
\19\ Agencies ``are expected to take into account the limited
personnel and resources available to smaller institutions and craft
such regulations and guidelines in a manner that does not unduly
burden these smaller institutions.'' See 149 Cong. Rec. E2513 (daily
ed. December 8, 2003) (statement Rep. Oxley).
---------------------------------------------------------------------------
Proposed paragraph Sec. ----.90(c) also states that the Program
must address
[[Page 40791]]
changing identity theft risks as they arise based upon the experience
of the financial institution or creditor with identity theft. In
addition, the Program must also address changes in methods of identity
theft, methods to detect, prevent, and mitigate identity theft, in the
types of accounts the financial institution or creditor offers, and in
its business arrangements, such as mergers and acquisitions, alliances
and joint ventures, and service provider arrangements.
Thus, to ensure the Program's effectiveness in addressing the risk
of identity theft to customers and to its own safety and soundness,
each financial institution or creditor must monitor, evaluate, and
adjust its Program, including the type of accounts covered, as
appropriate. For example, a financial institution or creditor must
periodically reassess whether to adjust the types of accounts covered
by its Program and whether to adjust the Red Flags that are a part of
its Program based upon any changes in the types and methods of identity
theft that it experiences.
Section----.90(d) Development and Implementation of Identity Theft
Prevention Program.
1. Identification and Evaluation of Red Flags
i. Risk-Based Red Flags
Under proposed paragraph Sec. ----.90(d)(1)(i), the Program must
include policies and procedures to identify which Red Flags, singly or
in combination, are relevant to detecting the possible risk of identity
theft to customers or to the safety and soundness of the financial
institution or creditor, using the risk evaluation described in Sec.
----.90(d)(1)(ii). The Red Flags identified must reflect changing
identity theft risks to customers and to the financial institution or
creditor as they arise. At a minimum, the Program must incorporate any
relevant Red Flags from Appendix J, applicable supervisory guidance,
incidents of identity theft that the financial institution or creditor
has experienced, and methods of identity theft that the financial
institution or creditor has identified that reflect changes in identity
theft risks.
The proposed Red Flags enumerated in Appendix J are indicators of a
possible risk of identity theft that the Agencies compiled from
literature on the topic, information from credit bureaus, financial
institutions, creditors, designers of fraud detection software, and the
Agencies' own experiences. Some of the Red Flags may, by themselves, be
reliable indicators of a possible risk of identity theft, such as a
photograph on identification that is not consistent with the appearance
of the applicant. Some Red Flags may be less reliable except in
combination with additional Red Flags, such as where a home phone
number and address submitted on an application match the address and
number provided by another applicant. Such a match may be attributable
to identity theft or, for example, it may indicate that the two
applicants who share a residence are opening separate accounts.
The Agencies expect that the final Red Flag Regulations will apply
to a wide variety of financial institutions and creditors that offer
many different products and services, from credit cards to certain cell
phone accounts. The Agencies are not proposing to prescribe which Red
Flags will be relevant to a particular type of financial institution or
creditor. For this reason, the proposed Regulations provide that each
financial institution and creditor must identify for itself which Red
Flags are relevant to detecting the risk of identity theft, based upon
the risk evaluation described in Sec. ----.90(d)(1)(ii).
The Agencies recognize that some Red Flags that are relevant today
may become obsolete as time passes. While the Agencies expect to update
Appendix J periodically,\20\ it may be difficult to do so quickly
enough to keep pace with rapidly evolving patterns of identity theft or
as quickly as financial institutions and creditors experience new types
of identity theft. The Agencies may, however, be able to issue
supervisory guidance more rapidly. Therefore, proposed paragraph Sec.
----.90(d)(1)(i) provides that each financial institution and creditor
must have policies and procedures to identify any additional Red Flags
that are relevant to detecting a possible risk of identity theft from
applicable supervisory guidance, incidents of identity theft that the
financial institution or creditor has experienced, and methods of
identity theft that the financial institution or creditor has
identified that reflect changes in identity theft risks.
---------------------------------------------------------------------------
\20\ Section 114 directs the Agencies to update the guidelines
as often as necessary. See 15 U.S.C. 1681m(e)(1)(a).
---------------------------------------------------------------------------
Given the changing nature of identity theft, a financial
institution or creditor must incorporate Red Flags on a continuing
basis so that its Program reflects changing identity theft risks to
customers and to the financial institution or creditor as they arise.
Ultimately, a financial institution or creditor is responsible for
implementing a Program that is designed to effectively detect, prevent,
and mitigate identity theft. The Agencies request comment on whether
the enumerated sources of Red Flags are appropriate.
The Agencies understand that many financial institutions and
creditors already have implemented sophisticated policies and
procedures to detect and prevent fraud, including identity theft,
through such methods as detection of anomalous patterns of account
usage. Often these policies and procedures include the use of complex
computer-based products, such as sophisticated software. The Agencies
attempted to draft this section in a flexible, technologically neutral
manner that would not require financial institutions or creditors to
acquire expensive new technology to comply with the Red Flag
Regulations, and also would not prevent financial institutions and
creditors from continuing to use their own or a third party's computer-
based products. The Agencies note, however, that a financial
institution or creditor that uses a third party's computer-based
programs to detect fraud and identity theft must independently assess
whether such programs meet the requirements of the Red Flag Regulations
and Red Flag Guidelines and should not rely solely on the
representations of the third party.
The Agencies request comment on the anticipated impact of this
proposed paragraph on the policies and procedures that financial
institutions and creditors currently have to detect, prevent, and
mitigate identity theft, including on third party computer-based
products that are currently being used to detect identity theft.
ii. Risk Evaluation
Proposed paragraph Sec. ----.90(d)(1)(ii) provides that in order
to identify which Red Flags are relevant to detecting a possible risk
of identity theft to its customers or to its own safety and soundness,
the financial institution or creditor must consider:
A. Which of its accounts are subject to a risk of identity theft;
B. The methods it provides to open these accounts;
C. The methods it provides to access these accounts; and
D. Its size, location, and customer base.
This provision describes a key part of the Program of a financial
institution or creditor. Under proposed paragraph Sec. --
--.90(d)(1)(ii), the financial institution or creditor must define the
scope of its Program by assessing which of its accounts are subject to
a risk of identity theft. For example, the financial institution or
creditor must assess
[[Page 40792]]
whether it will identify Red Flags in connection with extensions of
credit only, or whether other types of relationships, such as deposit
accounts, are likely to be subject to identity theft and should,
therefore, be included in the scope of its Program. It must also assess
whether to include solely the accounts of individual customers, or
whether other types of accounts, such as those of small businesses,
will be included in the scope of its Program. The financial institution
or creditor must determine which Red Flags are relevant when it
initially establishes its Program, and whenever it is necessary to
address changing risks of identity theft.
The factors enumerated in proposed Sec. ----.90(d)(1)(ii) are
nearly identical to those that each financial institution must consider
when designing procedures for verifying the identity of customers
opening new accounts in accordance with the Customer Identification
Program (CIP) rules, issued to implement section 326 of the USA PATRIOT
Act, 31 U.S.C. 5318(l).\21\ The Agencies believe that these CIP factors
are equally relevant in the Red Flags context. For example, the Red
Flags that may be relevant when an account is opened in a face-to-face
transaction may be different from those relevant to an account that is
opened remotely, by telephone, or over the Internet.
---------------------------------------------------------------------------
\21\ See, e.g., 31 CFR 103.121 (banks, savings associations,
credit unions, and certain non-federally regulated banks); 31 CFR
103.122 (broker-dealers); 31 CFR 103.123 (futures commission
merchants).
---------------------------------------------------------------------------
The Agencies solicit comment on whether the factors that must be
considered are appropriate and whether any additional factors should be
included.
2. Identity Theft Prevention and Mitigation
Proposed Sec. ----.90(d)(2) states that the Program must include
reasonable policies and procedures designed to prevent and mitigate
identity theft in connection with the opening of an account or any
existing account. This section then describes the following policies
and procedures that the Program must include. Some of the policies and
procedures relate solely to account openings. Others relate to existing
accounts.
i. Verify Identity of Persons Opening Accounts
Proposed paragraph Sec. ----.90(d)(2)(i) states that the Program
must include reasonable policies and procedures to obtain identifying
information about, and verify the identity of, a person opening an
account. This provision is designed to address the risk of identity
theft to a financial institution or creditor that occurs in connection
with the opening of new accounts.
Some financial institutions and creditors already are subject to
the CIP rules, which require verification of the identity of customers
opening accounts. A financial institution or creditor may satisfy the
proposed requirement in Sec. ----.90(d)(2)(i) to have policies and
procedures for verifying the identity of a person opening an account by
applying the policies and procedures for identity verification it has
developed to comply with the CIP rules. However, the financial
institution or creditor must use the CIP policies and procedures to
verify the identity of any ``customer,'' meaning any person that opens
a new account, in connection with any type of ``account'' that its risk
evaluation indicates could be the subject of identity theft. By
contrast, the CIP rules exclude a variety of entities from the
definition of ``customer'' and exclude a number of products and
relationships from the definition of ``account.'' The Agencies are not
proposing any exclusions from either of these terms given the risk-
based nature of the Red Flag Regulations.\22\
---------------------------------------------------------------------------
\22\ See, e.g., 31 CFR 103.121(a).
---------------------------------------------------------------------------
The Agencies recognize, however, that not all financial
institutions and creditors that must implement the Red Flag Regulations
are required to comply with the CIP rules. This provision would allow
any financial institution or creditor to follow the CIP rules to
satisfy the Red Flag requirements to obtain identifying information
about, and verify the identity of, a person opening an account. This
approach is designed to ensure that, as stated in section 114, the Red
Flag Guidelines are not inconsistent with the policies and procedures
required by the CIP rules.
ii. Detect Red Flags
Proposed paragraph. Sec. ----.90(d)(2)(ii) states that the Program
must include reasonable policies and procedures to detect the Red Flags
identified pursuant to paragraph Sec. ----.90(d)(1).
iii. Assess the Risk of Identity Theft
Proposed paragraph Sec. ----.90(d)(2)(iii) states that the Program
must include policies and procedures to assess whether the Red Flags
the financial institution or creditor has detected pursuant to
paragraph Sec. ----.90(d)(2)(ii) evidence a risk of identity theft. It
also states that a financial institution or creditor must have a
reasonable basis for concluding that a Red Flag does not evidence a
risk of identity theft.
Factors indicating that a Red Flag does not evidence a risk of
identity theft might include: Patterns of spending that are
inconsistent with established patterns of activity on an account
because the customer is traveling abroad, or an inconsistency between
the social security number on an account application and a consumer
report because numbers inadvertently were transposed during the
application process.
iv. Address the Risk of Identity Theft
Proposed paragraph Sec. ----.90(d)(2)(iv) states that the Program
must include policies and procedures that address the risk of identity
theft to the customer, the financial institution, or creditor,
commensurate with the degree of risk posed. The Regulations then
provide an illustrative list of measures that a financial institution
or creditor may take,\23\ including:
---------------------------------------------------------------------------
\23\ In the case of credit, the Equal Credit Opportunity Act
(ECOA), 15 U.S.C. 1691 et seq., applies. Under ECOA, it is unlawful
for a creditor to discriminate against any applicant for credit
because the applicant has in good faith exercised any right under
the Consumer Credit Protection Act (CCPA). 15 U.S.C. 1691(a). A
consumer who requests the inclusion of a fraud alert or active duty
alert in his or her credit file is exercising a right under the
FCRA, which is a part of the CCPA, 15 U.S.C. 1601 et seq. 15 U.S.C.
1681c-1. Consequently, when a credit file contains a fraud or active
duty alert, a creditor must take reasonable steps to verify the
identity of the individual in accordance with the requirements in 15
U.S.C. 1681c-1 before extending credit, closing an account, or
otherwise limiting the availability of credit. The inability of a
creditor to verify the individual's identity may indicate that the
individual is engaged in identity theft and, in those circumstances,
the creditor may decline to open an account, close an account or
take other reasonable actions to limit the availability of credit.
---------------------------------------------------------------------------
A. Monitoring an account for evidence of identity theft;
B. Contacting the customer;
C. Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
D. Reopening an account with a new account number;
E. Not opening a new account;
F. Closing an existing account;
G. Notifying law enforcement and, for those that are subject to 31
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
applicable law and regulation;
H. Implementing any requirements regarding limitations on credit
extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an
additional credit card when the financial institution or creditor
detects a fraud or active duty alert associated with the
[[Page 40793]]
opening of an account, or an existing account; or
I. Implementing any requirements for furnishers of information to
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or
update inaccurate or incomplete information.
Financial institutions and creditors typically use such measures to
mitigate the risk of identity theft. In addition, measures E through G
are actions that each financial institution subject to the CIP rules
must include in its procedures for responding to circumstances in which
it cannot form a reasonable belief that it knows the true identity of a
customer.\24\ Measure H describes the procedures required in section
112 of the FACT Act, 15 U.S.C. 1681c-1(h), that are applicable to a
prospective user of credit reports when a user obtains a credit report
that includes a fraud alert or active duty alert. Measure I describes
the requirements in section 623 of the FCRA, 15 U.S.C. 1681s-2,
applicable to a furnisher of information to consumer reporting agencies
that discovers inaccurate or incomplete information about a consumer.
---------------------------------------------------------------------------
\24\ See, e.g., 31 CFR 103.121(b)(2)(iii).
---------------------------------------------------------------------------
These measures illustrate various actions that a financial
institution or creditor may take depending upon the degree of risk that
is present. For example, a financial institution or creditor may choose
to contact a customer to determine whether a material change in credit
card usage reflects purchases made by the customer or unauthorized
charges. However, if the financial institution or creditor is notified
that a customer provided his or her password and account number to a
fraudulent website, it likely will close the customer's existing
account and reopen it with a new account number.
The Agencies solicit comment on whether the enumerated measures
should be included as examples that a financial institution or creditor
may take and whether additional measures should be included.
3. Train Staff
Under proposed paragraph Sec. ----.90(d)(3), each financial
institution or creditor must train staff to implement its Program.
Proper training will enable staff to address the risk of identity
theft. For example, staff should be trained to detect Red Flags with
regard to new and existing accounts, such as discrepancies in
identification presented by a person opening an account or anomalous
wire transfers in connection with a customer's deposit account. Staff
should also be trained to mitigate identity theft, for example, by
recognizing when an account should not be opened.
4. Oversee Service Provider Arrangements
Proposed paragraph Sec. ----.90(d)(4) states that whenever a
financial institution or creditor engages a service provider to perform
an activity on its behalf that is covered by Sec. ----.90, the
financial institution or creditor must take steps designed to ensure
that the activity is conducted in compliance with a Program that meets
the requirements of paragraphs (c) and (d) of this section. For
example, a financial institution or creditor that uses a service
provider to open accounts on its behalf, may reserve for itself the
responsibility to verify the identity of a person opening a new
account, may direct the service provider to do so, or may use another
service provider to verify identity. Ultimately, however, the financial
institution or creditor remains responsible for ensuring that the
activity is being conducted in compliance with a Program that meets the
requirements of the Red Flag Regulations.
In addition, this provision would allow a service provider that
provides services to multiple financial institutions and creditors to
conduct activities on behalf of these entities in accordance with its
own program to prevent identity theft, as long as the program meets the
requirements of the Red Flag Regulations. The service provider would
not need to apply the particular Program of each individual financial
institution or creditor to whom it is providing services.
Under the Agencies' Information Security Standards, financial
institutions must require their service providers by contract to
safeguard customer information in any manner that meets the objectives
of the Standards. The Standards provide flexibility for a service
provider's information security measures to differ from the program
that a financial institution implements. By contrast, the CIP
regulations do not contain a service provider provision. Instead, the
preamble to the CIP regulations simply states that the CIP regulations
do not affect a financial institution's authority to contract for
services to be performed by a third party either on or off the
institution's premises, and also does not alter an institution's
authority to use an agent to perform services on its behalf.\25\ The
Agencies invite comment on whether permitting a service provider to
implement a Program, including policies and procedures to identify and
detect Red Flags, that differs from the programs of the individual
financial institution or creditor to whom it is providing services,
would fulfill the objectives of the Red Flag Regulations. The Agencies
also invite comment on whether it is necessary to address service
provider arrangements in the Red Flag Regulations, or whether it is
self-evident that a financial institution or creditor remains
responsible for complying with the standards set forth in the
Regulations, including when it contracts with a third party to perform
an activity on its behalf.
---------------------------------------------------------------------------
\25\ 68 FR 25104 (May 9, 2003)(preamble to CIP rule applicable
to banks, savings associations, and credit unions).
---------------------------------------------------------------------------
5. Involve the Board of Directors and Senior Management
Proposed Sec. ----.90(d)(5) highlights the responsibility of the
board of directors and senior management to develop and implement the
Program. The board of directors or an appropriate committee of the
board must approve the written Program. The board, an appropriate
committee of the board, or senior management is charged with overseeing
the development, implementation, and maintenance of the Program,
including assigning specific responsibility for its implementation. In
addition, persons charged with overseeing the Program must review
reports that must be prepared at least annually by staff regarding
compliance by the financial institution or creditor with the Red Flag
Regulations. The reports must discuss material matters related to the
Program and evaluate issues such as: The effectiveness of the policies
and procedures of the financial institution or creditor in addressing
the risk of identity theft in connection with the opening of accounts
and with respect to existing accounts; service provider arrangements;
significant incidents involving identity theft and management's
response; and recommendations for changes in the Program. This report
will indicate whether the Program must be adjusted to increase its
effectiveness.
The Agencies request comment regarding the frequency with which
reports should be prepared for the board, a board committee, or senior
management. The Agencies also request comment on whether this paragraph
properly allocates the responsibility for oversight and implementation
of the Program between the board and senior management.
C. Proposed Red Flag Guidelines: Appendix J
Section 114 of the FACT Act states that in developing the
guidelines, the
[[Page 40794]]
Agencies are directed to identify patterns, practices, and specific
forms of activity that indicate the possible existence of identity
theft. The Agencies are proposing to implement this provision by
requiring the Program of a financial institution or creditor to include
policies and procedures that require the identification and detection
of risk-based Red Flags.
As discussed earlier, the Program must include policies and
procedures designed to identify Red Flags relevant to detecting a
possible risk of identity theft from among those listed in Appendix J.
The proposed Red Flags enumerated in Appendix J are indicators of a
possible risk of identity theft that the Agencies compiled from a
variety of sources. Appendix J covers Red Flags that may be detected in
connection with an account opening or an existing account. Some of the
Red Flags, by themselves, may be reliable indicators of identity theft,
while others are more reliable when detected in combination with other
Red Flags.
Recognizing that a wide range of financial institutions and
creditors and a broad variety of accounts will be covered by the Red
Flag Regulations, the proposed Regulations provide each financial
institution and creditor with the flexibility to develop policies and
procedures to identify which Red Flags in Appendix J are relevant to
detecting the possible risk of identity theft.
The proposed list in Appendix J is not meant to be exhaustive.
Therefore, proposed Sec. ----.90(d)(1) of the Red Flag Regulations
also provide that each financial institution and creditor must have
policies and procedures to identify additional Red Flags from
applicable supervisory guidance that may be issued from time-to-time,
incidents of identity theft that the financial institution or creditor
has experienced, and methods of identity theft that the financial
institution or creditor has identified that reflect changes in identity
theft risks. Ultimately, the financial institution or creditor is
responsible for implementing a Program that is designed to effectively
detect, prevent and mitigate identity theft.
The Agencies solicit comment on whether the proposed Red Flags
listed in Appendix J are too specific or not specific enough, and
whether additional or different Red Flags should be included.
Section 114 also directs the Agencies to consider whether to
include reasonable guidelines for notifying the consumer when a
transaction occurs in connection with a consumer's credit or deposit
account that has been inactive for two years, in order to reduce the
likelihood of identity theft. The Agencies considered whether to
incorporate this provision directly into Appendix J, but determined
that the two-year limit may not be an accurate indicator of identity
theft given the wide variety of credit and deposit accounts that would
be covered by the provision.
The Agencies have concluded, however, that activity in connection
with an account that has been inactive for a period of time may be an
indicator of a possible risk of identity theft, depending upon the
circumstances. Therefore, the Agencies have incorporated a Red Flag on
inactive accounts into Appendix J that is flexible and is designed to
take into consideration the type of account, the expected pattern of
usage of the account, and any other relevant factors.
The Agencies request comment on whether a provision that mirrors
the statutory language regarding inactive accounts should be placed
directly into Appendix J or the Red Flag Regulations, or whether the
more flexible approach to inactive accounts proposed (i.e., listing as
a Red Flag the use of an account that has been inactive for a
reasonably lengthy period of time) should be retained.
The Agencies also request comment on whether, for ease of use, this
appendix should be moved to the end of Subpart J or remain at the end
of the part as proposed.
D. Proposed Special Rules for Card Issuers: Section-by-Section Analysis
Section ----.91 Duties of Card Issuers Regarding Changes of Address
Section ----.91(a) Scope
Section 114 specifically provides that the Agencies must prescribe
regulations requiring credit and debit card issuers to assess the
validity of change of address requests. Therefore, in addition to the
general rule in Sec. ----.90 that applies to all financial
institutions and creditors, the Agencies are proposing regulations for
card issuers, namely a person described in Sec. ----.90(a) that issues
a debit or credit card. A financial institution or creditor that is a
card issuer may incorporate the requirements of Sec. ----.91 into its
Program.
Section ----.91(b) Definitions
The proposed regulations include two definitions that are solely
applicable to the special rule for card issuers. The first proposed
definition is for the term ``cardholder.'' Section 114 states that the
regulations must require the card issuer to follow reasonable policies
and procedures to assess the validity of a change of address before
issuing an additional or replacement card. Section 114 provides that a
card issuer may satisfy this requirement by notifying ``the
cardholder.''
The term ``cardholder'' is not defined in the statute. The
legislative history relating to this provision indicates that ``issuers
of credit cards and debit cards who receive a consumer request for an
additional or replacement card for an existing account'' may assess the
validity of the request by notifying ``the cardholder.'' \26\
Presumably, the request will be valid if the consumer making the
request and the cardholder are one and the same ``consumer.''
Therefore, the proposal defines ``cardholder'' as a consumer who has
been issued a credit or debit card. Further, because ``consumer'' is
defined in the FCRA as an ``individual'' \27\ the proposed regulations
will cover a request by an individual for a business card. The Agencies
request comment on whether this definition of ``cardholder'' is
appropriate.
---------------------------------------------------------------------------
\26\ See 149 Cong. Rec. E2513 (daily ed. December 8, 2003)
(statement of Rep. Oxley) (emphasis added).
\27\ 15 U.S.C. 1681a(c).
---------------------------------------------------------------------------
The second proposed definition is for the phrase ``clear and
conspicuous.'' Section ----.91 includes a provision requiring that any
written or electronic notice provided by a card issuer to the consumer
pursuant to the regulations be given in a ``clear and conspicuous
manner.'' The proposed regulations define ``clear and conspicuous''
based on the definition of this phrase found in the Agencies' privacy
regulations.\28\
---------------------------------------------------------------------------
\28\ 12 CFR 40.3(b)(1) (OCC); 12 CFR 216.3(b)(1) (Board); 12 CFR
332.3(b)(1) (FDIC); 12 CFR 573.3(b)(1) (OTS); 12 CFR 716.3(b)(1)
(NCUA); 16 CFR 313.3(b)(1) (FTC).
---------------------------------------------------------------------------
The Agencies request comment on whether, for ease of use, the
regulations implementing section 315 should define additional terms,
such as ``card issuer,'' ``credit card,'' and ``debit card,'' that are
already defined in the FCRA.
Section ----.91(c) General Requirements
As required by section 114, proposed Sec. ----.91(c) states that a
card issuer that receives notification of a change of address for a
consumer's debit or credit card account, and within a short period of
time afterwards (during at least the first 30 days after it receives
such notification) receives a request for an additional or replacement
card for the same account, may not honor the request and issue such a
card, unless it assesses the validity of the change of address request
in at least one of three ways. As specified in section 114, proposed
paragraph Sec. ----.91(c)
[[Page 40795]]
provides that, in accordance with the card issuer's reasonable policies
and procedures, and for the purpose of assessing the validity of the
change of address, the card issuer must:
(i) Notify the cardholder of the request at the cardholder's former
address and provide to the cardholder a means of promptly reporting
incorrect address changes;
(ii) Notify the cardholder of the request by any other means of
communication that the card issuer and the cardholder have previously
agreed to use; or
(iii) Use other means of assessing the validity of the change of
address, in accordance with the policies and procedures that the card
issuer has established pursuant to Sec. ----.90.
The proposed rule text specifies that the notification of a change
of address must pertain to a ``consumer's'' debit or credit account,
consistent with the legislative history discussed above.\29\
---------------------------------------------------------------------------
\29\ See 149 Cong. Rec. E2513 (daily ed. December 8, 2003)
(statement of Rep. Oxley) (describing this section as relating to
``issuers of credit cards and debit cards who receive a consumer
request for an additional or replacement card for an existing
account.'' (Emphasis added.))
---------------------------------------------------------------------------
The Agencies request comment on this provision and, in particular,
whether the Agencies should elaborate further on the means that a card
issuer must use to assess the validity of a request for a change of
address.
Section ----.91(d) Form of Notice
The Agencies note that section 114 is titled ``Establishment of
Procedures for the Identification of Possible Instances of Identity
Theft.'' The Agencies understand that Congress singled out this
scenario involving card issuers and placed it in section 114 because it
is well known to be a possible indicator of identity theft. The
Agencies believe that a consumer needs to be able to recognize the
urgent nature of a written or electronic notice that he or she receives
from a card issuer pursuant to Sec. ----.91(d). Therefore, the
proposed regulations prescribe the form that such a notice should take.
They state that any written or electronic notice that a card issuer
provides under this paragraph must be clear and conspicuous and
provided separately from its regular correspondence with the
cardholder. Of course, a card issuer may give notice orally in
accordance with the policies and procedures the cardholder has
established pursuant to Sec. ----.90(b).
The Agencies request comment on whether this section should
elaborate further on the form that a notice provided under Sec. --
--.91(d) must take.
II. Section 315 of the FACT Act
A. Background
Section 315 of the FACT Act amends section 605 of the FCRA, 15
U.S.C. 1681c, by adding a new section (h). Section 315 requires that,
when providing consumer reports to requesting users, nationwide
consumer reporting agencies (as defined in section 603(p) of the FCRA)
(CRAs) must provide a notice of the existence of a discrepancy if the
address provided by the user in its request ``substantially differs''
from the address the CRA has in the consumer's file.
Section 315 also requires the Agencies to jointly issue regulations
that provide guidance regarding reasonable policies and procedures that
a user of a consumer report should employ when the user receives a
notice of address discrepancy. These regulations must describe
reasonable policies and procedures for users of consumer reports to (i)
enable them to form a reasonable belief that the user knows the
identity of the person for whom it has obtained a consumer report, and
(ii) reconcile the address of the consumer with the CRA, if the user
establishes a continuing relationship with the consumer and regularly
and in the ordinary course of business furnishes information to the
CRA.
B. Proposed Regulation Implementing Section 315: Section-by-Section
Analysis
Section ----.82(a) Scope
The scope of section 315 differs from the scope of section 114.
Section 315 applies to ``users of consumer reports'' and ``persons
requesting consumer reports'' (hereinafter referred to as ``users''),
as opposed to financial institutions and creditors. Therefore, section
315 does not apply to a financial institution or creditor that does not
use consumer reports.
Section ----.82(b) Definition
The proposed rule defines ``notice of address discrepancy,'' a new
term introduced in section 315.\30\ The proposed definition is ``a
notice sent to a user of a consumer report by a CRA pursuant to 15
U.S.C. 1681c(h)(1), that informs the user of a substantial difference
\31\ between the address for the consumer provided by the user in
requesting the consumer report and the address or addresses the CRA has
in the consumer's file.''
---------------------------------------------------------------------------
\30\ All other terms used in this section of the proposal have
the same meanings as set forth in the FCRA (15 U.S.C. 1681a).
\31\ The term used in the statute, ``substantially differs,'' is
not defined. CRAs are responsible for determining when addresses
substantially differ and, hence, when they must send a notice of
address discrepancy to a user requesting a consumer report.
---------------------------------------------------------------------------
The Agencies note that the provisions of section 315 requiring CRAs
to provide notices of address discrepancy became effective on December
1, 2004. To the extent that CRAs each have developed their own
standards for delivery of notices of address discrepancy, it is
particularly important for users to be able to recognize and receive
notices of address discrepancy, especially if they are being delivered
electronically by CRAs. For example, CRAs may provide consumer reports
with some type of a code to indicate an address discrepancy. Users must
be prepared to recognize the code as an indication of an address
discrepancy.
Section ----.82(c) Requirement to Form a Reasonable Belief
Proposed Sec. ----.82(c) implements the requirement in section 315
that the Agencies prescribe regulations describing reasonable policies
and procedures that will enable the user to form a reasonable belief
that the user knows ``the identity of the person to whom the consumer
report pertains'' when the user receives a notice of address
discrepancy. Proposed Sec. ----.82(c) states that a user must develop
and implement reasonable policies and procedures for ``verifying the
identity of the consumer for whom it has obtained a consumer report''
whenever it receives a notice of address discrepancy. These policies
and procedures must be designed to enable the user to form a reasonable
belief that it knows the identity of the consumer for whom it has
obtained a consumer report, or determine that it cannot do so.
This section also provides that if a user employs the policies and
procedures regarding identification and verification set forth in the
CIP rules,\32\ it satisfies the requirement to have policies and
procedures to verify the identity of the consumer. This provision takes
into consideration that many users already may be subject to the CIP
rules, and have in place procedures to comply with those rules, at
least with respect to the opening of accounts. Thus, such a user could
use its existing CIP policies and procedures to satisfy this
requirement, so long as it applies them in all situations where it
receives a notice of address discrepancy. In addition, any user, such
as a landlord or employer, may adopt the CIP rules and apply them in
all situations where it receives an address discrepancy to meet
[[Page 40796]]
this requirement, even if it is not subject to a CIP rule.
---------------------------------------------------------------------------
\32\ See, e.g., 31 CFR 103.121(b)(2)(i) and (ii).
---------------------------------------------------------------------------
The Agencies request comment on whether the CIP procedures are
sufficient to enable a user that receives a notice of address
discrepancy with a consumer report to form a reasonable belief that it
knows the identity of the consumer for whom it obtained the report,
both in connection with the opening of an account, and in other
circumstances where a user obtains a consumer report.\33\
---------------------------------------------------------------------------
\33\ For example, a user may request a consumer report on a
consumer with whom it already has a continuing relationship in order
to determine whether to increase the consumer's credit line, or in
other circumstances, such as in the case of a landlord or employer,
to determine a consumer's eligibility to rent housing or for
employment.
---------------------------------------------------------------------------
The statutory requirement that a user must form a reasonable belief
that it knows the identity of the consumer for whom it obtained a
consumer report applies whether or not the user subsequently
establishes a continuing relationship with the consumer. By contrast,
the additional statutory requirement that a user reconcile the address
of the consumer with the CRA only applies if the user establishes a
continuing relationship with the consumer.
The requirement that the user form a reasonable belief that it
knows the identity of the consumer is likely to benefit both consumers
and users. For example, this requirement should reduce the likelihood
that a user will rely on the wrong consumer report in making a decision
about a consumer's eligibility for a product, such as the consumer
report of another consumer with the same name who lives at a different
address. In addition, these policies and procedures may assist the user
to detect whether a consumer about whom it has requested a consumer
report is engaged in identity theft or is a victim of identity
theft.\34\
---------------------------------------------------------------------------
\34\ Under the Red Flag Guidelines, a notice of address
discrepancy received from a consumer reporting agency is a Red Flag.
Thus, a user subject to the Red Flag Regulations that receives a
notice of address discrepancy will need to determine whether its
policies and procedures regarding identity theft prevention and
mitigation apply here.
---------------------------------------------------------------------------
Section ----.82(d)(1) Requirement to Furnish Consumer's Address To a
Consumer Reporting Agency
Proposed Sec. ----.82(d)(1) provides that a user must develop and
implement reasonable policies and procedures for furnishing to the CRA
from whom it received the notice of address discrepancy an address for
the consumer that the user has reasonably confirmed is accurate when
the following three conditions are satisfied. The first condition set
forth in proposed Sec. ----.82(d)(1)(i) is that the user must be able
to form a reasonable belief that it knows the identity of the consumer
for whom the consumer report was obtained. This condition will ensure
that the user furnishes a new address for the consumer to the CRA only
after the user forms a reasonable belief that it knows the identity of
the consumer, using the policies and procedures set forth in paragraph
Sec. ----.82(c).
The second condition, set forth in proposed Sec. --
--.82(d)(1)(ii), is that the user furnish the address to the CRA if it
establishes or maintains a continuing relationship with the consumer.
Section 315 specifically requires that the user furnish the consumer's
address to the CRA if the user establishes a continuing relationship
with the consumer. Therefore, proposed Sec. ----.82(d)(1)(ii)
reiterates this requirement. However, a user also may obtain a notice
of address discrepancy in connection with a consumer with whom it
already has an existing relationship. Section 315 provides the Agencies
with broad authority to prescribe regulations in all circumstances when
a user has received a notice of address discrepancy. The Agencies have
exercised this authority to provide that the user must also furnish the
consumer's address to the CRA from whom the user has received a notice
of address discrepancy when the user maintains a continuing
relationship with the consumer.
Finally, as required by section 315, the third condition set out in
proposed Sec. ----.82(d)(1)(iii) is that if the user regularly and in
the ordinary course of business furnishes information to the CRA from
which a notice of address discrepancy pertaining to the consumer was
obtained, the consumer's address must be communicated to the CRA as
part of the information the user regularly provides.
Section ----.82(d)(2) Requirement To Confirm Consumer's Address
The Agencies note that section 315 requires the Agencies to
prescribe regulations describing reasonable policies and procedures for
a user ``to reconcile the address of the consumer'' about whom it has
obtained a notice of address discrepancy with the CRA ``by furnishing
such address'' to the CRA. (Emphasis added.) Even when the user is able
to form a reasonable belief that it knows the identity of the consumer,
there may be many reasons that the initial address furnished by the
consumer is incorrect. For example, a consumer may have provided the
address of a secondary residence or inadvertently reversed a street
number. To ensure that the address that is furnished to the CRA is
accurate, the Agencies are proposing to interpret the phrase, ``such
address,'' as an address that the user has reasonably confirmed is
accurate. This interpretation requires a user to take steps to
``reconcile'' the address it initially received from the consumer when
it receives a notice of address discrepancy rather than simply
furnishing the initial address it received to the CRA. Proposed Sec.
----.82(d)(2) contains the following list of illustrative measures that
a user may employ to reasonably confirm the accuracy of the consumer's
address:
Verifying the address with the person to whom the consumer
report pertains;
Reviewing its own records of the address provided to
request the consumer report;
Verifying the address through third-party sources; or
Using other reasonable means.
The Agencies solicit comment on whether the regulation should
include examples of measures to reasonably confirm the accuracy of the
consumer's address, or whether different or additional examples should
be listed.
Section ----.82(d)(3) Timing
Section 315 specifically addresses when a user must furnish the
consumer's address to the CRA. It states that this information must be
furnished for the reporting period in which the user's relationship
with the consumer is established. Accordingly, proposed Sec. --
--.82(d)(3)(i) states that, with respect to new relationships, the
policies and procedures that a user develops in accordance with Sec.
----.82(d)(1) must provide that a user will furnish the consumer's
address that it has reasonably confirmed to the CRA as part of the
information it regularly furnishes for the reporting period in which it
establishes a relationship with the consumer.
However, a user may also receive a notice of address discrepancy in
other circumstances, such as when it requests a consumer report for a
consumer with whom it already has an existing relationship. As
previously noted, section 315 provides the Agencies with broad
authority to prescribe regulations in all circumstances when a user has
received a notice of discrepancy. Thus, proposed paragraph Sec. --
--.82(d)(3)(ii) states that in other circumstances, such as when the
user already has an existing relationship with the consumer, the user
should furnish this information for the reporting period in which the
user has reasonably confirmed the accuracy of
[[Page 40797]]
the address of the consumer for whom it has obtained a consumer report.
The Agencies recognize that the timing provision for newly
established relationships may be problematic for users hoping to take
full advantage of the flexibility in the timing for verification of
identity afforded by the CIP rules. As required by statute, proposed
Sec. ----.82(d)(3)(i), the timing provision for new relationships,
states that the reconciled address must be furnished for the reporting
period in which the user establishes a relationship with the consumer.
Proposed Sec. ----.82(d)(1), which also mirrors the requirement of the
statute, requires the reconciled address to be furnished to the CRA
only when the user both establishes a continuing relationship with the
consumer and forms a reasonable belief that it knows the identity of
the consumer to whom the consumer report relates. Typically, the CIP
rules permit an account to be opened (i.e, relationship to be
established) if certain identifying information is provided.
Verification to establish the true identity of the customer is required
within a reasonable period of time after the account has been opened.
However, in this context, and in order to satisfy the requirements of
both Sec. ----.82(d)(1) and Sec. ----.82(d)(3)(i), a user employing
the CIP rules will have to both establish a continuing relationship and
a reasonable belief that it knows the consumer's identity during the
same reporting period.
The Agencies request comment on whether the timing for responding
to notices of address discrepancy received in connection with newly
established relationships and in connection with circumstances other
than newly established relationships is appropriate.
III. General Provisions
The OCC, the Board, the FDIC, the OTS, and the NCUA \35\ are
proposing to amend the first sentence in Sec. ----.3, which contains
the definitions that are applicable throughout this part. This sentence
currently states that the list of definitions in Sec. ----.3 apply
throughout the part ``unless the context requires otherwise.'' These
agencies are proposing to amend this introductory sentence to make
clear that the definitions in Sec. ----.3 apply ``for purposes of this
part, unless explicitly stated otherwise.'' Thus, these definitions
apply throughout the part unless defined differently in an individual
subpart.
---------------------------------------------------------------------------
\35\ The equivalent language for the FTC already exists in 16
CFR 603.1.
---------------------------------------------------------------------------
OTS is also proposing nonsubstantive, technical changes to its rule
sections on purpose and scope (Sec. 571.1) and disposal of consumer
information (Sec. 571.83). These changes are necessary in light of the
proposed incorporation of the address discrepancy section into subpart
I.
IV. Regulatory Analysis
A. Paperwork Reduction Act
I. Request for Comment on Proposed Information Collection
In accordance with the requirements of the Paperwork Reduction Act
of 1995, the Agencies may not conduct or sponsor, and the respondent is
not required to respond to, an information collection unless it
displays a currently valid Office of Management and Budget (OMB)
control number.
The information collection requirements contained in this joint
notice of proposed rulemaking have been submitted by the OCC, FDIC,
OTS, NCUA, and FTC to OMB for review and approval under the Paperwork
Reduction Act of 1995. The requirements are found in 12 CFR 41.82,
41.90, 41.91, 334.82, 334.90, 334.91, 571.82, 571.90, 571.91, and
717.82; 717.90; and 717.91; and 16 CFR 681.1, 681.2, and 681.3.
In accordance with the Paperwork Reduction Act (PRA) of 1995 (44
U.S.C. 3506; 5 CFR part 1320, Appendix A.1), the Board has reviewed the
proposed rule under the authority delegated by OMB. The proposed rule
contains requirements subject to the PRA. The collections of
information that are required by this proposed rule are found in 12 CFR
222.82, 222.90, and 222.91. The Board may not conduct or sponsor, and
an organization is not required to respond to, this information
collection unless it displays a currently valid OMB control number. The
OMB control number is to be assigned.
Comments are invited on:
(a) Whether the collection of information is necessary for the
proper performance of the Agencies' functions, including whether the
information has practical utility;
(b) The accuracy of the estimates of the burden of the information
collection, including the validity of the methodology and assumptions
used;
(c) Ways to enhance the quality, utility, and clarity of the
information to be collected;
(d) Ways to minimize the burden of the information collection on
respondents, including through the use of automated collection
techniques or other forms of information technology; and
(e) Estimates of capital or start up costs and costs of operation,
maintenance, and purchase of services to provide information.
All comments will become a matter of public record.
Comments should be addressed to: OCC: Communications Division,
Office of the Comptroller of the Currency, Public Information Room,
Mail stop 1-5, Attention: 1557-NEW, 250 E Street, SW., Washington, DC
20219. In addition, comments may be sent by fax to 202-874-4448, or by
electronic mail to regs.comments@occ.treas.gov. You can inspect and
photocopy the comments at the OCC's Public Information Room, 250 E
Street, SW., Washington, DC 20219. You can make an appointment to
inspect the comments by calling 202-874-5043.
Board: You may submit comments, identified by R-1255, by any of the
following methods:
Agency Web site: http://www.federalreserve.gov Follow the instructions for
submitting comments on the http://.
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: regs.comments@federalreserve.gov. Include docket
number in the subject line of the message.
FAX: 202-452-3819 or 202-452-3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors
of the Federal Reserve System, 20th Street and Constitution Avenue,
NW., Washington, DC 20551.
All public comments are available from the Board's Web site at
http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm
as submitted,
unless modified for technical reasons. Accordingly, your comments will
not be edited to remove any identifying or contact information. Public
comments may also be viewed electronically or in paper in Room MP-500
of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m.
and 5 p.m. on weekdays.
FDIC: You may submit written comments, which should refer to 3064-
------, by any of the following methods:
Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html.
Follow the instructions for submitting comments
on the FDIC Web site.
[[Page 40798]]
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
E-mail: Comments@FDIC.gov.
Mail: Robert E. Feldman, Executive Secretary, Attention:
Comments, FDIC, 550 17th Street, NW., Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear of the
550 17th Street Building (located on F Street) on business days between
7 a.m. and 5 p.m.
Public Inspection: All comments received will be posted without
change to http://www.fdic.gov/regulations/laws/federal/propose/html
including any personal information provided. Comments may be inspected
at the FDIC Public Information Center, Room 100, 801 17th Street, NW.,
Washington, DC, between 9 a.m. and 4:30 p.m. on business days.
OTS: Information Collection Comments, Chief Counsel's Office,
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552;
send a facsimile transmission to (202) 906-6518; or send an e-mail to
related index on the OTS Internet site at http://www.ots.treas.gov. In
addition, interested persons may inspect the comments at the Public
Reading Room, 1700 G Street, NW., by appointment. To make an
appointment, call (202) 906-5922, send an e-mail to
publicinfo@ots.treas.gov, or send a facsimile transmission to (202)
906-7755.
NCUA: You may submit comments by any of the following methods
(Please send comments by one method only):
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
NCUA Web site:
http://www.ncua.gov/RegulationsOpinionsLaws/proposedregs/proposedregs.html.
Follow the
instructions for submitting comments.
E-mail: Address to regcomments@ncua.gov. Include ``[Your
name] Comments on ----,'' in the e-mail subject line.
Fax: (703) 518-6319. Use the subject line described above
for e-mail.
Mail: Address to Mary F. Rupp, Secretary of the Board,
National Credit Union Administration, 1775 Duke Street, Alexandria, VA
22314-3428.
Hand Delivery/Courier: Same as mail address.
FTC: Comments should refer to ``The Red Flags Rule: Project No.
R611019,'' and may be submitted by any of the following methods.
However, if the comment contains any material for which confidential
treatment is requested, it must be filed in paper form, and the first
page of the document must be clearly labeled ``Confidential.'' \36\
---------------------------------------------------------------------------
\36\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be
accompanied by an explicit request for confidential treatment,
including the factual and legal basis for the request, and must
identify the specific portions of the comment to be withheld from
the public record. The request will be granted or denied by the
Commission's General Counsel, consistent with applicable law and the
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
E-mail: Comments filed in electronic form should be
submitted by clicking on the following Web link:
https://secure.commentworks.com/ftc-redflags
and following the instructions on
the Web-based form. To ensure that the Commission considers an
electronic comment, you must file it on the Web-based form at
https://secure.commentworks.com/ftc-redflags
.
Federal eRulemaking Portal: If this notice appears at
http://www.regulations.gov, you may also file an electronic comment
through that Web site. The Commission will consider all comments that
regulations.gov forwards to it.
Mail or Hand Delivery: A comment filed in paper form
should include ``The Red Flags Rule, Project No. R611019,'' both in the
text and on the envelope and should be mailed or delivered, with two
complete copies, to the following address: Federal Trade Commission/
Office of the Secretary, Room H-135 (Annex M), 600 Pennsylvania Avenue,
NW., Washington, DC 20580. Because paper mail in the Washington area
and at the Commission is subject to delay, please consider submitting
your comments in electronic form, as prescribed above. The FTC is
requesting that any comment filed in paper form be sent by courier or
overnight service, if possible.
Comments on any proposed filing, recordkeeping, or disclosure
requirements that are subject to paperwork burden review under the
Paperwork Reduction Act should additionally be submitted to: Office of
Management and Budget, Attention: Desk Officer for the Federal Trade
Commission. Comments should be submitted via facsimile to (202) 395-
6974 because U.S. Postal Mail is subject to lengthy delays due to
heightened security precautions.
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC Web site, to the extent
practicable, at http://www.ftc.gov/os/publiccomments.htm. As a matter
of discretion, the FTC makes every effort to remove home contact
information for individuals from the public comments it receives before
placing those comments on the FTC Web site. More information, including
routine uses permitted by the Privacy Act, may be found in the FTC's
privacy policy, at http://www.ftc.gov/ftc/privacy.htm.
II. Proposed Information Collection
Title of Information Collection: Identity Theft Red Flags and
Address Discrepancies under the Fair and Accurate Credit Transactions
Act of 2002.
Frequency of Response: On occasion.
Affected Public: OCC: National banks and Federal branches and
agencies of foreign banks and certain subsidiaries of these entities.
Board: State member banks, uninsured state agencies and branches of
foreign banks, commercial lending companies owned or controlled by
foreign banks, and Edge and agreement corporations.
FDIC: Insured nonmember banks, insured state branches of foreign
banks, and certain subsidiaries of these entities.
OTS: Savings associations and certain of their subsidiaries.
NCUA: Federally-chartered credit unions.
FTC: Section 114: State-chartered credit unions, non-bank lenders,
mortgage brokers, motor vehicle dealers, utility companies,
telecommunications companies, and any other person that regularly
participates in a credit decision, including setting the terms of
credit.
Section 315: State-chartered credit unions, non-bank lenders,
insurers, landlords, employers, mortgage brokers, motor vehicle
dealers, collection agencies, and any other person who requests a
consumer report from a nationwide consumer reporting agency as
described in section 603(p) of the FCRA.
Abstract: Section 114: As required by section 114, the Agencies are
jointly proposing guidelines for financial institutions and creditors
identifying patterns, practices, and specific forms of activity, that
indicate the possible existence of identity theft. The Agencies also
are proposing joint regulations requiring each financial institution
and creditor to establish reasonable policies
[[Page 40799]]
and procedures to address the risk of identity theft that incorporate
the guidelines. In addition, credit and debit card issuers must develop
policies and procedures to assess the validity of a request for a
change of address under certain circumstances.
The information collections in the proposed regulations
implementing section 114 would require each financial institution and
creditor to create an Identity Theft Prevention Program (Program) and
report to the board of directors, a committee thereof or senior
management at least annually on compliance with the proposed
regulations. Staff must be trained to implement the Program. In
addition, each credit and debit card issuer would be required to
establish policies and procedures to assess the validity of a change of
address request. The proposed regulations require the card issuer to
notify the cardholder in writing, electronically, or orally, or use
another means of assessing the validity of the change of address.
Section 315: The Agencies are proposing joint regulations under
section 315 that provide guidance regarding reasonable policies and
procedures that a user of consumer reports must employ when a user
receives a notice of address discrepancy from a consumer reporting
agency.
The information collections in the proposed regulations
implementing section 315 would require each user of consumer reports to
develop reasonable policies and procedures that it will employ when it
receives a notice of address discrepancy from a consumer reporting
agency. The proposed regulations require a user of consumer reports to
furnish an address that the user has reasonably confirmed is accurate
to the consumer reporting agency from which it receives a notice of
address discrepancy.
Estimated Burden: \37\ Section 114: The Agencies estimate that it
will initially take financial institutions and creditors 25 hours to
create the Program outlined in the proposed rule, 4 hours to prepare an
annual report, and 2 hours to train staff to implement the Program.
---------------------------------------------------------------------------
\37\ The Estimated Burden section reflects the views of all of
the Agencies except the FTC, which has prepared a separate analysis.
---------------------------------------------------------------------------
The Agencies estimate that it will take credit and debit card
issuers 4 hours to develop policies and procedures to assess the
validity of a change of address request.
The Agencies believe that most of the covered entities already
employ a variety of measures to detect and address identity theft that
are required by section 114 of the proposed regulations because these
are usual and customary business practices that they engage in to
minimize losses due to fraud. In addition, the Agencies believe that
many financial institutions and creditors already have implemented some
of the requirements of the proposed regulations implementing section
114 as a result of having to comply with other existing regulations and
guidance, such as the regulations implementing section 326 of the USA
PATRIOT Act, 31 U.S.C. 5318(l),\38\ the Information Security Standards
that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15
U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w,\39\ and
guidance issued by the Agencies or the Federal Financial Institutions
Examination Council regarding information security, authentication,
identity theft, and response programs.\40\ The Agencies also believe
that card issuers already assess the validity of change of address
requests, and for the most part, have automated the process of
notifying the cardholder or using other means to assess the validity of
changes of address. Therefore implementation of this requirement will
pose no further burden. Accordingly, these estimates represent the
incremental amount of time the Agencies believe it will take to create
a written Program that incorporates the policies and procedures that
covered entities are likely to already have in place, the incremental
time to train staff to implement the Program, to establish policies and
procedures to assess the validity of changes of address, and to notify
cardholders, as appropriate.
---------------------------------------------------------------------------
\38\ See, e.g., 31 CFR 103.121 (banks, savings associations,
credit unions, and certain non-federally regulated banks); 31 CFR
103.122 (broker-dealers); 31 CFR 103.123 (futures commission
merchants).
\39\ 12 CFR part 30, app. B (national banks); 12 CFR part 208,
app. D-2 and part 225, app. F (state member banks and holding
companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR
part 570, app. B (savings associations); 12 CFR part 748, app. A and
B, and 12 CFR 717 (credit unions); 16 CFR part 314 (financial
institutions that are not regulated by the Board, FDIC, NCUA, OCC
and OTS).
\40\ See, e.g., 12 CFR part 30, supp. A to app. B (national
banks); 12 CFR part 208, supp. A to app. D-2 and part 225, supp. A
to app. F (state member banks and holding companies); 12 CFR part
364, supp. A to app. B (state non-member banks); 12 CFR part 570,
supp. A to app. B (savings associations); 12 CFR 748, app. A and B
(credit unions); Federal Financial Institutions Examination Council
(FFIEC) Information Technology Examination Handbook's Information
Security Booklet (the ``IS Booklet'') available at
http://www.ffiec.gov/guides.htm
; FFIEC ``Authentication in an Internet
Banking Environment'' available at
http://www.ffiec.gov/pdf/authentication_guidance.pdf
; Board SR 01-11 (Supp) (Apr. 26, 2001)
available at:
http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm
; ``Guidance on Identity Theft and Pretext Calling,''
OCC AL 2001-4 (April 30, 2001); ``Identity Theft and Pretext
Calling,'' OTS CEO Letter 139 (May 4, 2001); NCUA Letter to
Credit Unions 01-CU-09, ``Identity Theft and Pretext Calling''
(Sept. 2001); OCC 2005-24, ``Threats from Fraudulent Bank Web Sites:
Risk Mitigation and Response Guidance for Web Site Spoofing
Incidents,'' (July 1, 2005); ``Phishing and E-mail Scams,'' OTS CEO
Letter 193 (Mar. 8, 2004); NCUA Letter to Credit Unions 04-
CU-12, ``Phishing Guidance for Credit Unions'' (Sept. 2004).
---------------------------------------------------------------------------
Section 315: The Agencies estimate that it will take users of
consumer reports 4 hours to develop policies and procedures that they
will employ when they receive a notice of address discrepancy. The
Agencies believe that users of credit reports covered by this analysis
already are furnishing this information to consumer reporting agencies
because it is a usual and customary business practice. Therefore, the
Agencies estimate that there will be no implementation burden.
Thus, the burden associated with this collection of information may
be summarized as follows.
OCC
Number of respondents: 2,100.
Estimated time per response: 39.
Developing program: 25.
Preparing annual report: 4.
Training: 2.
Developing policies and procedures to assess validity of changes of
address: 4.
Developing policies and procedures to respond to notices of address
discrepancy: 4.
Total estimated annual burden: 81,900.
Board
Number of respondents: 1,182.
Estimated time per response: 39 hours.
Developing program: 25 hours.
Preparing annual report: 4 hours.
Training: 2 hours.
Developing policies and procedures to assess validity of changes of
address: 4 hours.
Developing policies and procedures to respond to notices of address
discrepancy: 4 hours.
Total Estimated Annual Burden: 46,098.
FDIC
Number of respondents: 5,245.
Estimated time per response: 39 hours.
Developing program: 25 hours.
Preparing annual report: 4 hours.
Training: 2 hours.
Developing policies and procedures to assess validity of changes of
address: 4 hours.
[[Page 40800]]
Developing policies and procedures to respond to notices of address
discrepancy: 4 hours.
Total Estimated Annual Burden: 204,555 hours.
OTS
Number of respondents: 858.
Estimated time per response: 39 hours.
Developing program: 25 hours.
Preparing annual report: 4 hours.
Training: 2 hours.
Developing policies and procedures to assess validity of changes of
address: 4 hours.
Developing policies and procedures to respond to notices of address
discrepancy: 4 hours.
Total Estimated Annual Burden: 33,462.
NCUA
Number of respondents: 5,393.
Estimated time per Response: 39 hours.
Developing program: 25 hours.
Preparing annual report: 4 hours.
Training: 2 hours.
Developing policies and procedures to assess validity of changes of
address: 4 hours.
Developing policies and procedures to respond to notice of address
discrepancy: 4 hours.
Total Estimated Annual Burden: 210,327.
FTC 41
---------------------------------------------------------------------------
\41\ Due to the varied nature of the entities subject to the
jurisdiction of the FTC, this Estimated Burden section reflects only
the view of the FTC. The banking regulatory agencies have jointly
prepared a separate analysis.
---------------------------------------------------------------------------
Section 114: Estimated Hours Burden: As discussed above, the
proposed regulations would require financial institutions and creditors
to create a Program and report to the board of directors, a committee
thereof, or senior management at least annually on compliance with the
proposed regulations. The FCRA defines ``creditor'' to have the same
meaning as in section 702 of the ECOA.\42\ Under Regulation B, which
implements the ECOA, a creditor means a person who regularly
participates in a credit decision, including setting the terms of
credit. Regulation B defines credit as a transaction in which the party
has a right to defer payment of a debt, regardless of whether the
credit is for personal or commercial purposes.\43\ Given the broad
scope of entities covered, it is difficult to determine precisely the
number of financial institutions and creditors that are subject to the
FTC's jurisdiction. There are numerous small businesses under the FTC's
jurisdiction, and there is no formal way to track them; moreover, as a
whole, the entities under the FTC's jurisdiction are so varied that
there are no general sources that provide a record of their existence.
Nonetheless, FTC staff estimates that the proposed regulations
implementing section 114 will affect over 3500 financial institutions
\44\ and over 11 million creditors \45\ subject to the FTC's
jurisdiction, for a combined total of approximately 11.1 million
affected entities. As detailed below, FTC staff estimates that the
average annual information collection burden during the three-year
period for which OMB clearance is sought will be 6,279,000 hours
(rounded to the nearest thousand). The estimated annual labor cost
associated with this burden is $134,621,000 (rounded to the nearest
thousand).
---------------------------------------------------------------------------
\42\ 15 U.S.C. 1681a(r)(5).
\43\ Regulation B Equal Credit Opportunity, 12 CFR 202 (as
amended effective April 15, 2003).
\44\ Under the FCRA, the only financial institutions over which
the FTC has jurisdiction are state-chartered credit unions. 15
U.S.C. 1681s. As of December 31, 2005, there were 3,302 state-
chartered federally-insured credit unions and 362 state-chartered
nonfederally insured credit unions, totaling 3,664 financial
institutions. See http://www.ncua.gov/news/quick_facts/quick_facts.html
and ``Disclosures for Non-Federally Insured Depository
Institutions under the Federal Deposit Insurance Corporation
Improvement Act (FDICIA),'' 70 FR 12823 (March 16, 2005).
\45\ This estimate is derived from an analysis of a database of
U.S. businesses based on NAICS codes for businesses that market
goods or services to consumers or other businesses, which totaled
11,076,463 creditors subject to the FTC's jurisdiction.
---------------------------------------------------------------------------
FTC staff believes that the affected entities can be categorized in
two groups, based on the nature of their businesses: Entities that are
subject to a high risk of identity theft and entities that are subject
to a low risk of identity theft.\46\ Moreover, FTC staff believes that
many of the high-risk entities, as part of their usual and customary
business practices, already take steps to minimize losses due to fraud.
Furthermore, FTC staff believes that motor vehicle dealers would incur
less burden than other high-risk entities. Because their loans are
typically financed by financial institutions that are also subject to
these proposed regulations, FTC staff believes that motor vehicle
dealers are likely to use the financial institutions' programs as a
basis for developing their own programs. Accordingly, FTC staff
estimates that to create and implement a written Program that
incorporates the policies and procedures that high-risk entities
already are likely to have in place, it will take high-risk entities
(excluding motor vehicle dealers) 25 hours, with an annual recurring
burden of 1 hour, and it will take motor vehicle dealers 5 hours, with
an annual recurring burden of 1 hour. FTC staff also estimates that the
incremental time to train staff to implement the Program will take
high-risk entities (including motor vehicle dealers) 2 hours, with an
annual recurring burden of 1 hour. Finally, FTC staff estimates that
preparation of an annual report will take high-risk entities (including
motor vehicle dealers) 4 hours, with an annual recurring burden of 1
hour.
---------------------------------------------------------------------------
\46\ In general, high-risk entities may provide consumer
financial services or other goods or services of value to identity
thieves such as telecommunication services or goods that are easily
convertible to cash, whereas low-risk entities may do business
primarily with other businesses and provide non-financial services
or goods that are not easily convertible to cash.
---------------------------------------------------------------------------
FTC staff assumes that most of the low-risk entities do not employ
currently the measures to detect and address identity theft that are
required by section 114 of the proposed regulations. However, the
proposed regulations are drafted in a flexible manner that allows
entities to develop and implement different types of programs based
upon their size, complexity, and the nature and scope of their
activities. Moreover, the emphasis of the written Program, as required
under the proposed regulations, is to identify risks of identity theft.
To the extent that entities determine that they have a minimal risk of
identity theft, they would be tasked only with developing a streamlined
Program. As a result, FTC staff anticipates that the burden on low-risk
entities to comply with the proposed regulations will be minimal.
Accordingly, FTC staff believes that to create a streamlined Program,
it will take low-risk entities 20 minutes, with an annual recurring
burden of 5 minutes. The FTC staff believes that training staff to be
attentive to any future risks of identity theft will take low-risk
entities 10 minutes, with an annual recurring burden of 5 minutes. The
FTC staff believes that preparing an annual report will take low-risk
entities 10 minutes, with an annual recurring burden of 5 minutes.
Accordingly, FTC staff estimates that the proposed regulations
implementing section 114 affect the following: 93,487 high-risk
entities (excluding motor vehicle dealers) subject to the FTC's
jurisdiction at an average annual burden of 12 hours and 20 minutes per
entity [average annual burden over 3-year clearance period for creation
and implementation of Program ((25 + 1 + 1)/3) plus average annual
burden over 3-year clearance period for staff training ((2 + 1 + 1)/3)
plus average annual
[[Page 40801]]
burden over 3-year clearance period for preparing annual report ((4 + 1
+ 1)/3)], for a total of 1,153,000 hours (rounded to the nearest
thousand); 173,115 motor vehicle dealers subject to the FTC's
jurisdiction at an average annual burden of 5 hours and 40 minutes per
entity [average annual burden over 3-year clearance period for creation
and implementation of Program ((5+1+1)/3) plus average annual burden
over 3-year clearance period for staff training ((2 + 1 + 1)/3) plus
average annual burden over 3-year clearance period for preparing annual
report ((4 + 1 + 1)/3)], for a total of 981,000 hours (rounded to the
nearest thousand); and 10,813,525 low-risk entities subject to the
FTC's jurisdiction at an average annual burden of approximately 23
minutes per entity [average annual burden over 3-year clearance period
for creation and implementation of streamlined Program ((20 + 5 + 5)/3)
plus average annual burden over 3-year clearance period for staff
training ((10+5+5)/3) plus average annual burden over 3-year clearance
period for preparing annual report ((10 + 5 + 5)/3], for a total of
4,145,000 hours (rounded to the nearest thousand).
The FTC requests comment on whether the proposed regulations are
sufficiently flexible to minimize the burden of compliance on entities
that are not subject to a significant risk of identity theft. If not,
are there ways in which the burden for such entities could be minimized
further? If so, what are the ways in which the burden could be
minimized further?
The proposed regulations implementing Section 114 also require
credit and debit card issuers to establish policies and procedures to
assess the validity of a change of address request, including notifying
the cardholder or using another means of assessing the validity of the
change of address. FTC staff believes that there may be as many as
3,764 credit or debit card issuers under the FTC's jurisdiction.\47\
FTC staff estimates that most of the credit or debit card issuers are
high-risk entities that already have automated the process of notifying
the cardholder or using other means to assess the validity of the
change of address, such that implementation will pose no further
burden. Nevertheless, in order to be conservative, FTC staff estimates
that it will take 100 credit or debit card issuers 4 hours to develop
and implement policies and procedures to assess the validity of a
change of address request for a total burden of 400 hours.
---------------------------------------------------------------------------
\47\ In addition to the 3,664 state-chartered credit unions
under FTC jurisdiction (see supra), there may be other creditors
that issue their own credit cards. FTC staff is unable to determine
how many such creditors exist, but estimates that there may be as
many as 100. FTC staff requests comment on the number of such
creditors in existence.
---------------------------------------------------------------------------
Estimated Cost Burden: FTC staff derived labor costs by applying
appropriate estimated hourly cost figures to the burden hours described
above. It is difficult to calculate with precision the labor costs
associated with the proposed regulations, as they entail varying
compensation levels of management and/or technical staff among
companies of different sizes. In calculating the cost figures, staff
assumes that for high-risk entities, professional technical personnel
and/or managerial personnel will create and implement the Program,
prepare the annual report, train employees, and assess the validity of
a change of address request, at an hourly rate of $32.00.\48\ Staff
assumes that for low-risk entities, administrative support personnel
will justify the low-risk of identity theft, prepare the annual report,
and train employees, at an hourly rate of $16.00.\49\
---------------------------------------------------------------------------
\48\ The cost is derived from a mid-range among the reported
2004 Bureau of Labor Statistics (BLS) rates for likely positions
within the professional technical and managerial categories.
\49\ The cost is derived from a mid-range among the reported
2004 BLS rates for likely positions within the administrative
support category.
---------------------------------------------------------------------------
Based on the above estimates and assumptions, the total annual
labor costs for all categories of covered entities under the proposed
regulations implementing section 114 are $134,621,000 (rounded to the
nearest thousand) [((1,153,000 hours + 400 hours + 981,000 hours) x
$32.00 = $68,301,000) + (4,145,000 hours x $16.00 = $66,320,000)].
Section 315: Estimated Hours Burden: User Policies and Procedures:
As discussed above, the regulations implementing section 315 provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when a user receives a notice of address
discrepancy from a consumer reporting agency. Given the broad scope of
users of consumer reports, it is difficult to determine with precision
the number of users of consumer reports that are subject to the FTC's
jurisdiction. As noted above, there are numerous small businesses under
the FTC's jurisdiction, and there is no formal way to track them;
moreover, as a whole, the entities under the FTC's jurisdiction are so
varied that there are no general sources that provide a record of their
existence. Nonetheless, FTC staff estimates that the proposed
regulations implementing section 315 will affect approximately 1.6
million users of consumer reports subject to the FTC's
jurisdiction.\50\ As detailed below, FTC staff estimates that the
average annual information collection burden during the three-year
period for which OMB clearance is sought will be 831,000 hours (rounded
to the nearest thousand). The estimated annual labor cost associated
with this burden is $13,296,000 (rounded to the nearest thousand).
---------------------------------------------------------------------------
\50\ This estimate is derived from an analysis of a database of
U.S. businesses based on NAICS codes for businesses in industries
that typically use consumer reports from consumer reporting agencies
described in section 603(p), which totaled 1,658,758 users of
consumer reports subject to the FTC's jurisdiction.
---------------------------------------------------------------------------
Although Section 315 created a new obligation for consumer
reporting agencies to provide a notice of address discrepancy to users
of consumer reports, prior to FACTA's enactment, users of consumer
reports could compare the address on the consumer report to the address
provided by the consumer and discern for themselves any discrepancy. As
a result, FTC staff believes that many users of consumer reports have
developed methods of reconciling address discrepancies, and the
following estimates represent the incremental amount of time it will
take users of consumer reports to develop and comply with the policies
and procedures for when they receive a notice of address discrepancy.
Due to the varied nature of the entities under the jurisdiction of
the FTC, it is difficult to determine the appropriate burden estimates.
For example, users of consumer reports can range from a landlord
renting a single unit who may use no more than one consumer report a
year, to insurance companies that may use thousands of consumer reports
a year. FTC staff estimates that it may take a small user no more than
16 minutes to develop and comply with the policies and procedures that
it will employ when it receives a notice of address discrepancy,
whereas a large user may take 1 hour. Similarly, FTC staff estimates
that, during the remaining two years of the clearance, it may take a
small user no more than 1 minute to comply with the policies and
procedures that it will employ when it receives a notice of address
discrepancy, whereas a large user may take 45 minutes. Taking into
account these extremes, FTC staff estimates that, during the first year
of the clearance, it will take users of consumer reports under the
jurisdiction of the FTC an average of 40 minutes [the midrange between
16 minutes and 60 minutes is approximately 38 minutes rounded to 40
minutes] to develop and comply with the policies and procedures that
they
[[Page 40802]]
will employ when they receive a notice of address discrepancy. FTC
staff also estimates that the average recurring burden during the
remaining two years of the clearance period will be 25 minutes [the
midrange between 1 minute and 45 minutes is approximately 23 minutes
rounded to 25 minutes].
Furnishing Correct Addresses: The proposed regulations implementing
section 315 also require a user of consumer reports to furnish an
address that the user has reasonably confirmed is accurate to the
consumer reporting agency from which it receives a notice of address
discrepancy, but only to the extent that such user regularly and in the
ordinary course of business furnishes information to such consumer
reporting agency. FTC staff believes that only 10,000 of the 1,658,758
users of consumer reports furnish information to consumer reporting
agencies as part of their usual and customary business practices,\51\
therefore, only these 10,000 users of consumer reports will be affected
by the portion of the proposed regulations that require furnishing the
correct address. FTC staff estimates that it will take such users of
consumer reports 30 minutes to develop the policies and procedures for
furnishing the correct address to the consumer reporting agencies
pursuant to the proposed regulations for implementing section 315. FTC
staff believes that users of consumer reports that furnish information
to consumer reporting agencies as part of their usual and customary
business practices will have automated the process of furnishing the
correct address in the first year of the clearance, therefore, there
will be no annual recurring burden.
---------------------------------------------------------------------------
\51\ Report to Congress Under Sections 318 and 319 of the Fair
and Accurate Credit Transactions of 2003, Federal Trade Commission,
80 (Dec. 2004) available at
http://www.ftc.gov/reports/facta/041209factarpt.pdf
.
---------------------------------------------------------------------------
Accordingly, FTC staff estimates that the proposed regulations
implementing section 315 affect 1,658,758 users of consumer reports
subject to the FTC's jurisdiction that must develop policies and
procedures that they will employ when they receive a notice of address
discrepancy, at an average annual burden of 30 minutes per entity
[average annual burden over 3-year clearance period = (40 + 25 + 25)/
3)], for a total of approximately 829,000 hours (rounded to the nearest
thousand). The 10,000 of those users described above must also furnish
the correct address to the consumer reporting agency, at an average
annual burden of 10 minutes per entity [average annual burden over 3-
year clearance period = ((30 + 0 + 0)/3)], for a total of 2,000 hours
(rounded to the nearest thousand).
Estimated Cost Burden: FTC staff derived labor costs by applying
appropriate estimated hourly cost figures to the burden hours described
above. It is difficult to calculate with precision the labor costs
associated with the proposed regulations, as they entail varying
compensation levels of different types of support staff among companies
of different sizes, as well as users of consumer reports with no
employees. Nonetheless, in calculating the cost figures, staff assumes
that the policies and procedures for notice of address discrepancy and
furnishing the correct address will be set up by administrative support
personnel at an hourly rate of $16.00.\52\
---------------------------------------------------------------------------
\52\ As noted above, the cost is derived from a mid-range among
the reported 2004 BLS rates for likely positions within the
administrative support category.
---------------------------------------------------------------------------
Based on the above estimates and assumptions, the total annual
labor costs for the two categories of burden under the proposed
regulations implementing section 315 are $13,296,000 (rounded to the
nearest thousand) [(829,000 hours + 2,000 hours) x $16.00].
B. Regulatory Flexibility Act
OCC: When an agency issues a rulemaking proposal, the Regulatory
Flexibility Act (RFA), requires the agency to publish an initial
regulatory flexibility analysis unless the agency certifies that the
rule will not have ``a significant economic impact on a substantial
number of small entities.'' \53\ 5 U.S.C. 603, 605(b). The OCC has
reviewed the impact of the proposed regulations on small banks and
certifies that that proposed regulations, if adopted as proposed, would
not have a significant economic impact on a substantial number of small
entities.
---------------------------------------------------------------------------
\53\ Small Business Administration regulations define ``small
entities'' to include banks with total assets of $165 million or
less. 13 CFR 121.201.
---------------------------------------------------------------------------
The proposed rulemaking implements sections 114 and 315 of the FACT
Act and applies to all national banks, Federal branches and agencies
and their operating subsidiaries that are not functionally regulated
within the meaning of section 5(c)(5) of the Bank Holding Company
Act,\54\ 1,011 of which have assets of less than or equal to $165
million.
---------------------------------------------------------------------------
\54\ For convenience, these entities are referred to as
``national banks.''
---------------------------------------------------------------------------
The proposed regulations implementing section 114 require the
development and establishment of a written identity theft prevention
program to detect, prevent, and mitigate identity theft. The proposed
regulations also require card issuers to assess the validity of a
notice of address change under certain circumstances.
The OCC believes that the requirements in the proposed regulations
implementing section 114 of the FACT Act are consistent with banks'
usual and customary business practices used to minimize losses due to
fraud in connection with new and existing accounts. Banks also are
likely to have implemented most of the proposed requirements as a
result of having to comply with other existing regulations and
guidance. For example, national banks are already subject to CIP rules
requiring them to verify the identity of a person opening a new
account.\55\ A covered entity may use the policies and procedures
developed to comply with the CIP rules to satisfy the identity
verification requirements in the proposed rules.
---------------------------------------------------------------------------
\55\ 31 CFR 103.121; 12 CFR 21.21 (national banks).
---------------------------------------------------------------------------
National banks complying with the ``Interagency Guidelines
Establishing Information Security Standards'' \56\ and guidance
recently issued by the FFIEC titled ``Authentication in an Internet
Banking Environment'' \57\ already will have policies and procedures in
place to detect attempted and actual intrusions into customer
information systems. Banks complying with the OCC's ``Guidance on
Identity Theft and Pretext Calling'' \58\ already will have policies
and procedures to verify the validity of change of address requests on
existing accounts.
---------------------------------------------------------------------------
\56\ 12 CFR part 30, app. B (national banks).
\57\ OCC Bulletin 2005-35 (Oct. 12, 2005).
\58\ OCC AL 2001-4 (April 30, 2001).
---------------------------------------------------------------------------
In addition, the flexibility incorporated into the proposed
rulemaking provides a covered entity with discretion to design and
implement a program that is tailored to its size and complexity and the
nature and scope of its operations. In this regard, the OCC believes
that expenditures associated with establishing and implementing an
identity theft prevention program will be commensurate with the size of
the bank.
The OCC believes that the proposed regulations implementing section
114, if adopted as proposed, will not impose undue costs on national
banks and will not have a substantial economic impact on a substantial
number of small national banks. Nonetheless, the OCC specifically
requests comment and specific data on the size of the incremental
burden creating an identity theft prevention program would have on
small national banks, given banks'
[[Page 40803]]
current practices and compliance with existing requirements. The OCC
also requests comment on how the final regulations might minimize any
burden imposed to the extent consistent with the requirements of the
FACT Act.
The regulations implementing section 315 require users of consumer
reports to have various policies and procedures to respond to the
receipt of an address discrepancy. The FACT Act already requires CRAs
to provide notices of address discrepancy to users of credit reports.
The OCC understands that as a matter of good business practice, most
national banks currently have policies and procedures in place to
respond to these notices when they are provided in connection with both
new and existing accounts, by furnishing an address for the consumer
that the bank has reasonably confirmed is accurate to the CRA from
which it received the notice of address discrepancy. In addition, with
respect to new accounts, a national bank already is required by the CIP
rules to ensure that it knows the identity of a person opening a new
account and to keep a record describing the resolution of any
substantive discrepancy discovered during the verification process.
Given current practices of national banks in responding to notices
of address discrepancy from CRAs, and the existing requirements in the
CIP rule, the OCC believes that the proposed regulations implementing
section 315, if adopted as proposed, will not impose undue costs on
national banks and likely will not have a significant economic impact
on a substantial number of national banks. Nonetheless, the OCC
specifically requests comment on whether the proposed requirements
differ from small banks' current practices and whether the proposed
requirements on users of consumer reports to have policies and
procedures to respond to the receipt of an address discrepancy could be
altered to minimize any burden imposed to the extent consistent with
the requirements of the FACT Act.
Board: The Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.)
requires an agency either to provide an initial regulatory flexibility
analysis with a proposed rule or certify that the proposed rule will
not have a significant economic impact on a substantial number of small
entities (defined for purposes of the RFA to include commercial banks
and other depository institutions with less than $165 million in
assets).
A. Reasons for the Proposed Rule
The FACT Act amends the FCRA and was enacted, in part, for the
purpose of preventing the theft of consumer information. The statute
contains several provisions relating to the detection, prevention, and
mitigation of identity theft. The Board is proposing rules to implement
statutory directives in section 114 of the FACT Act, which amends
section 615 of the FCRA, and section 315 of the FACT Act, which amends
section 605 of the FCRA, that require the Board to prescribe
regulations jointly with other federal agencies.
Section 114 requires the Board to prescribe regulations that
require financial institutions and creditors to establish policies and
procedures to implement guidelines established by the Board that
address identity theft with respect to account holders and customers.
Section 114 also requires the Board to adopt regulations applicable to
credit and debit card issuers to implement policies and procedures to
assess the validity of change of address requests. Section 315 requires
the Board to prescribe regulations that provide guidance regarding
reasonable policies and procedures that a user of consumers' reports
should employ to verify the identity of a consumer when a consumer
reporting agency provides a notice of address discrepancy relating to
that consumer.
B. Statement of Objectives and Legal Basis
The SUPPLEMENTARY INFORMATION above contains information on the
objectives of the final rules. The legal bases for the proposed rules
are sections 114 and 315 of the FACT Act.
C. Description of Small Entities To Which the Rule Applies
The Board's proposed rule would apply to all banks that are members
of the Federal Reserve System (other than national banks) and their
respective operating subsidiaries, branches and agencies of foreign
banks (other than Federal branches, Federal Agencies, and insured State
branches of foreign banks), commercial lending companies owned or
controlled by foreign banks, and organizations operating under section
25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et
seq.). The Board's rule would apply to the following institutions
(numbers approximate): State member banks (902), U.S. branches and
agencies of foreign banks (206), commercial lending companies owned or
controlled by foreign banks (3), and Edge and agreement corporations
(71), for a total of approximately 1,182 institutions. The Board
estimates that more than 550 of these institutions could be considered
small institutions with assets less than $165 million.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
Section 114 requires the Board to prescribe regulations that
require financial institutions and creditors to establish reasonable
policies and procedures to implement guidelines established by the
Board and other federal agencies that address identity theft with
respect to account holders and customers. This would be implemented by
requiring a covered financial institution or creditor to create an
Identity Theft Prevention Program that detects, prevents and mitigates
the risk of identity theft applicable to its accounts.
Section 114 also requires the Board to adopt regulations applicable
to credit and debit card issuers to implement policies and procedures
to assess the validity of change of address requests. The proposed rule
would implement this by requiring credit and debit card issuers to
establish reasonable policies and procedures to assess the validity of
a change of address if it receives notification of a change of address
for a debit or credit card account and within a short period of time
afterwards (at least 30 days), the issuer receives a request for an
additional or replacement card for the same account.
Section 315 requires the Board to prescribe regulations that
provide guidance regarding reasonable policies and procedures that a
user of consumers' reports should employ to verify the identity of a
consumer when a consumer reporting agency provides a notice of address
discrepancy relating to that consumer and to reconcile the address
discrepancy with the consumer reporting agency in certain
circumstances. The proposed rule would require users of consumer
reports to develop and implement reasonable policies and procedures for
verifying the identity of a consumer for whom it has obtained a
consumer report and for whom it receives a notice of address
discrepancy and to reconcile an address discrepancy with the
appropriate consumer reporting agency in certain circumstances.
The Board seeks information and comment on any costs, compliance
requirements, or changes in operating procedures arising from the
application of the proposed rules in addition to or which may differ
from those arising
[[Page 40804]]
from the application of the statute generally.
E. Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
The Board is unable to identify any federal statutes or regulations
that would duplicate, overlap, or conflict with the proposed rule. The
Board seeks comment regarding any statutes or regulations, including
state or local statutes or regulations, that would duplicate, overlap,
or conflict with the proposed rule, including particularly any statutes
or regulations that address situations in which institutions must adopt
specified policies and procedures to detect or prevent identity theft
or mitigate identity theft that has occurred.
Section 222.90 of the Board's proposed rule would require financial
institutions and creditors that are subject to the Board's rule to
implement a written identity theft program that includes reasonable
policies and procedures to address the risk of identity theft to its
customers and the safety and soundness of the financial institution or
creditor. Many of these entities also are subject to the Interagency
Guidelines Establishing Standards for Safeguarding Customer Information
(see 12 CFR part 208, appendix D-1) and rules of the Department of the
Treasury that require these entities to implement customer
identification programs (see 31 CFR 103.121).
Programs adopted pursuant to these requirements would include
policies and procedures that would safeguard against the theft of
customer information and would be considered complementary to the
identity theft prevention program that would be required under Sec.
222.90. For example, proposed Sec. 222.90(d) would require that
institutions adopt reasonable policies and procedures to, among other
things, obtain identifying information about, and verify the identity
of, persons opening an account. The proposed rule indicates that
policies and procedures an institution has adopted under the Department
of the Treasury's rules on customer identification programs would
satisfy this requirement.
F. Discussion of Significant Alternatives
The proposed rules would require financial institutions and
creditors to create an Identity Theft Prevention Program, maintain a
record of the Program, and report to the board of directors, a
committee of the board, or senior management at least annually on
compliance with the regulations. Credit and debit card issuers would be
required to assess the validity of a change of address request by
notifying the cardholder or using other means to assess the validity of
a change of address. Users of consumer reports would be required to
furnish an address that the user has reasonably confirmed is accurate
to the consumer reporting agency from which it receives a notice of
address discrepancy.
The Board welcomes comments on any significant alternatives,
consistent with the mandates in section 114 and 315, that would
minimize the impact of the proposed rules on small entities.
FDIC: In accordance with the Regulatory Flexibility Act (5 U.S.C.
601-612) (RFA), an agency must publish an initial regulatory
flexibility analysis with its proposed rule, unless the agency
certifies that the rule will not have a significant economic impact on
a substantial number of small entities (defined for purposes of the RFA
to include banks with less than $165 million in assets). The FDIC
hereby certifies that the proposed rule would not have a significant
economic impact on a substantial number of small entities.
Under the proposed rule, financial institutions and creditors must
have a written program that includes controls to address the identity
theft risks they have identified. With respect to credit and debit card
issuers, the program also must include policies and procedures to
assess the validity of change of address requests. Users of consumer
reports must have reasonable policies and procedures with respect to
address discrepancies. The program must be appropriate to the size and
complexity of the financial institution or creditor and the nature and
scope of its activities, and be flexible to address changing identity
theft risks as they arise. A financial institution or creditor may wish
to combine its program to prevent identity theft with its information
security program, as these programs are complementary in many ways.
The proposed rule would apply to all FDIC-insured state nonmember
banks, approximately 3,400 of which are small entities. The proposed
rule is drafted in a flexible manner that allows institutions to
develop and implement different types of programs based upon their
size, complexity, and the nature and scope of their activities. The
proposed rule would also permit institutions to modify existing
information security programs to address identity theft. The FDIC also
believes that many institutions have already implemented a significant
portion of the detection and mitigation efforts required by the
proposed rule.
OTS: When an agency issues a rulemaking proposal, the Regulatory
Flexibility Act (RFA), requires the agency to publish an initial
regulatory flexibility analysis unless the agency certifies that the
rule will not have ``a significant economic impact on a substantial
number of small entities.'' \59\ 5 U.S.C. 603, 605(b). OTS has reviewed
the impact of the proposed regulations on small savings associations
and certifies that that proposed regulations, if adopted as proposed,
would not have a significant economic impact on a substantial number of
small entities.
---------------------------------------------------------------------------
\59\ Small Business Administration regulations define ``small
entities'' to include savings associations with total assets of $165
million or less. 13 CFR 121.201.
---------------------------------------------------------------------------
The proposed rulemaking would implement sections 114 and 315 of the
FACT Act and would apply to all savings associations (and federal
savings association operating subsidiaries that are not functionally
regulated within the meaning of section 5(c)(5) of the Bank Holding
Company Act),\60\ 446 of which have assets of less than or equal to
$165 million.
---------------------------------------------------------------------------
\60\ For convenience, these entities are referred to as
``savings associations.''
---------------------------------------------------------------------------
The proposed regulations implementing section 114 would require the
development and establishment of a written identity theft prevention
program to detect, prevent, and mitigate identity theft. The proposed
regulations also would require card issuers to assess the validity of a
notice of address change under certain circumstances.
OTS believes that the proposed requirements implementing section
114 of the FACT Act would be consistent with savings associations'
usual and customary business practices used to minimize losses due to
fraud in connection with new and existing accounts. Savings
associations also are likely to have implemented most of the proposed
requirements as a result of having to comply with other existing
regulations and guidance. For example, savings associations are already
subject to CIP rules requiring them to verify the identity of a person
opening a new account.\61\ A covered entity may use the policies and
procedures developed to comply with the CIP rules to satisfy the
identity verification requirements in the proposed rules.
---------------------------------------------------------------------------
\61\ 31 CFR 103.121; 12 CFR 563.177 (savings associations).
---------------------------------------------------------------------------
Savings associations complying with the ``Interagency Guidelines
Establishing Information Security
[[Page 40805]]
Standards'' \62\ and guidance recently issued by the FFIEC titled
``Authentication in an Internet Banking Environment'' \63\ already will
have policies and procedures in place to detect attempted and actual
intrusions into customer information systems. Savings associations
complying with OTS's guidance on ``Identity Theft and Pretext Calling''
\64\ already will have policies and procedures to verify the validity
of change of address requests on existing accounts.
---------------------------------------------------------------------------
\62\ 12 CFR part 570, app. B (savings associations).
\63\ OTS CEO Letter 228 (Oct. 12, 2005).
\64\ ``Identity Theft and Pretext Calling,'' OTS CEO Letter
139 (May 4, 2001).
---------------------------------------------------------------------------
In addition, the flexibility incorporated into the proposed
rulemaking provides a covered entity with discretion to design and
implement a program that is tailored to its size and complexity and the
nature and scope of its operations. In this regard, OTS believes that
expenditures associated with establishing and implementing a program
would be commensurate with the size of the savings associations.
OTS believes that the proposed regulations implementing section 114
would not impose undue costs on savings associations and likely would
have a minimal economic impact on small savings associations.
Nonetheless, OTS specifically requests comment and specific data on the
size of the incremental burden creating a program would have on small
savings associations, given their current practices and compliance with
existing requirements. OTS also requests comment on how the final
regulations might minimize any burden imposed to the extent consistent
with the requirements of the FACT Act.
The proposed regulations implementing section 315 would require
users of consumer reports to have various policies and procedures to
respond to the receipt of an address discrepancy. The FACT Act already
requires CRAs to provide notices of address discrepancy to users of
credit reports. OTS understands that as a matter of good business
practice, most savings associations currently have policies and
procedures in place to respond to these notices when they are provided
in connection with both new and existing accounts, by furnishing an
address for the consumer that the savings association has reasonably
confirmed is accurate to the CRA from which it received the notice of
address discrepancy. In addition, with respect to new accounts, a
savings association already is required by the CIP rules to ensure that
it knows the identity of a person opening a new account and to keep a
record describing the resolution of any substantive discrepancy
discovered during the verification process.
Given current practices of savings associations in responding to
notices of address discrepancy from CRAs, and the existing requirements
in the CIP rule, OTS believes that the proposed regulations
implementing section 315 would not impose undue costs on savings
associations and likely would have a minimal economic impact on small
savings associations. Nonetheless, OTS specifically requests comment on
whether the proposed requirements differ from small savings
associations' current practices and how the final regulations might
minimize any burden imposed to the extent consistent with the
requirements of the FACT Act.
NCUA: The Regulatory Flexibility Act requires NCUA to prepare an
analysis to describe any significant economic impact a regulation may
have on a substantial number of small credit unions (primarily those
under $10 million in assets). The NCUA certifies the proposed rule will
not have a significant economic impact on a substantial number of small
credit unions and therefore, a regulatory flexibility analysis is not
required.
FTC: The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612,
requires that the Commission provide an Initial Regulatory Flexibility
Analysis (``IRFA'') with a proposed rule and a Final Regulatory
Flexibility Analysis (``FRFA''), if any, with the final rule, unless
the Commission certifies that the rule will not have a significant
economic impact on a substantial number of small entities. See 5 U.S.C.
603-605.
The Commission does not anticipate that the proposed regulations
will have a significant economic impact on a substantial number of
small entities. The Commission recognizes that the proposed regulations
will affect a substantial number of small businesses. We do not expect,
however, that the proposed requirements will have a significant
economic impact on these small entities.
This document serves as notice to the Small Business Administration
of the FTC's certification of no effect. To ensure the accuracy of this
certification, however, the Commission requests comment on whether the
proposed regulations will have a significant impact on a substantial
number of small entities, including specific information on the number
of entities that would be covered by the proposed regulations, the
number of these companies that are ``small entities,'' and the average
annual burden for each entity. Although the Commission certifies under
the RFA that the regulations proposed in this notice would not, if
promulgated, have a significant impact on a substantial number of small
entities, the Commission has determined, nonetheless, that it is
appropriate to publish an IRFA in order to inquire into the impact of
the proposed regulations on small entities. Therefore, the Commission
has prepared the following analysis:
1. Description of the Reasons That Action by the Agency Is Being Taken
The Federal Trade Commission is charged with enforcing the
requirements of sections 114 and 315 of the Fair and Accurate Credit
Transactions Act of 2003 (FACT Act) (15 U.S.C. 1681m(e) and
1681c(h)(2)), which require the agency to issue these proposed
regulations.
2. Statement of the Objectives of, and Legal Basis for, the Proposed
Regulations
The objective of the proposed regulations is to establish
guidelines for financial institutions and creditors identifying
patterns, practices, and specific forms of activity, that indicate the
possible existence of identity theft. In addition, the proposed
regulations require credit and debit card issuers to establish policies
and procedures to assess the validity of a change of address request.
They also set out requirements for policies and procedures that a user
of consumer reports must employ when such a user receives a notice of
address discrepancy from a consumer reporting agency described in
section 603(p) of the FCRA. The legal basis for the proposed
regulations is 15 U.S.C. 1681m(e) and1681c(h)(2).
3. Small Entities To Which the Proposed Rule Will Apply
The proposed regulations apply to a wide variety of business
categories under the Small Business Size Standards. Generally, the
proposed regulations would apply to financial institutions, creditors,
and users of consumer reports. In particular, entities under FTC's
jurisdiction covered by section 114 include State-chartered credit
unions, non-bank lenders, mortgage brokers, automobile dealers, utility
companies, telecommunications companies, and any other person that
regularly participates in a credit decision, including setting the
terms of credit. The section 315 requirements
[[Page 40806]]
apply to State-chartered credit unions, non-bank lenders, insurers,
landlords, employers, mortgage brokers, automobile dealers, collection
agencies, and any other person who requests a consumer report from a
consumer reporting agency described in section 603(p) of the FCRA.
Given the coverage of the proposed rule, a very large number of
small entities across almost every industry could be subject to the
Rule. For the majority of these entities, a small business is defined
by the Small Business Administration as one whose average annual
receipts do not exceed $6 million or who have fewer than 500
employees.\65\
---------------------------------------------------------------------------
\65\ These numbers represent the size standards for most retail
and service industries ($6 million total receipts) and manufacturing
industries (500 employees). A list of the SBA's size standards for
all industries can be found at http://www.sba.gov/size/summary-whatis.html
.
---------------------------------------------------------------------------
Section 114: As discussed in the PRA section of this Notice, given
the broad scope of section 114's requirements, it is difficult to
determine with precision the number of financial institutions and
creditors that are subject to the FTC's jurisdiction. There are
numerous small businesses under the FTC's jurisdiction and there is no
formal way to track them; moreover, as a whole, the entities under the
FTC's jurisdiction are so varied that there are no general sources that
provide a record of their existence. Nonetheless, FTC staff estimates
that the proposed regulations implementing section 114 will affect over
3500 financial institutions and over 11 million creditors \66 \subject
to the FTC's jurisdiction, for a combined total of approximately 11.1
million affected entities. Of this total, the FTC staff expects that
well over 90% of these firms qualify as small businesses under existing
size standards (i.e., $165 million in assets for financial institutions
and $6.5 million in sales for many creditors), but requests comment on
the number of small businesses that would be covered by the rule.
---------------------------------------------------------------------------
\66\ This estimate is derived from census data of U.S.
businesses based on NAICS codes for businesses that market goods or
services to consumers and businesses. 2003 County Business Patterns,
U.S. Census Bureau (http://censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl);
and 2002 Economic Census Bureau (http://www.census.gov/
gov/
---------------------------------------------------------------------------
The proposed regulations implementing Section 114 also require
credit and debit card issuers to establish policies and procedures to
assess the validity of a change of address request. Indeed, the
proposed regulations require credit and debit card issuers to notify
the cardholder or to use another means of assessing the validity of the
change of address. FTC staff believes that there may be as many as
3,764 credit or debit card issuers that fall under the jurisdiction of
the FTC and that well over 90% of these firms qualify as small
businesses under existing size standards (i.e., $165 million in assets
for financial institutions and $6.5 million in sales for many
creditors), but requests comment on the number of small businesses that
would be covered by the rule.
Section 315: As discussed in the PRA section of this Notice, given
the broad scope of section 315's requirements, it is difficult to
determine with precision the number of users of consumer reports that
are subject to the FTC's jurisdiction. There are numerous small
businesses under the FTC's jurisdiction and there is no formal way to
track them; moreover, as a whole, the entities under the FTC's
jurisdiction are so varied that there are no general sources that
provide a record of their existence. Nonetheless, FTC staff estimates
that the proposed regulations implementing section 315 will affect
approximately 1.6 million users of consumer reports subject to the
FTC's jurisdiction \67\ and that well over 90% of these firms qualify
as small businesses under existing size standards (i.e., $165 million
in assets for financial institutions and $6.5 million in sales for many
creditors), but requests comment on the number of small businesses that
would be covered by the rule.
---------------------------------------------------------------------------
\67\ This estimate is derived from census data of U.S.
businesses based on NAICS codes for businesses that market goods or
services to consumers and businesses. 2003 County Business Patterns,
U.S. Census Bureau (http://censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl);
and 2002 Economic Census, Bureau (http://www.census.gov/
.gov/
---------------------------------------------------------------------------
4. Projected Reporting, Recordkeeping and Other Compliance Requirements
The proposed requirements will involve some increased costs for
affected parties. Most of these costs will be incurred by those
required to draft identity theft Programs and annual reports. There
will also be costs associated with training, and for credit and debit
card issuers to establish policies and procedures to assess the
validity of a change of address request. In addition, there will be
costs related to developing reasonable policies and procedures that a
user of consumer reports must employ when a user receives a notice of
address discrepancy from a consumer reporting agency, and for
furnishing an address that the user has reasonably confirmed is
accurate The Commission does not expect, however, that the increased
costs associated with proposed regulations will be significant as
explained below.
Section 114: The FTC staff estimates that there may be as many as
90% of the businesses affected by the proposed rules under section 114
that are subject to a high-risk of identity theft that qualify as small
businesses, but staff requests comment on the number of small
businesses that would be affected. It is likely that such entities
already engage in various activities to minimize losses due to fraud as
part of their usual and customary business practices. Accordingly, the
impact of the proposed requirements would be merely incremental and not
significant. In particular, the rule will direct many of these entities
to consolidate their existing policies and procedures into a written
Program and may require some additional staff training.
The FTC expects that well over 90% of the businesses affected by
the proposed rules under section 114 that are subject to a low risk of
identity theft qualify as small businesses under existing size
standards (i.e., $165 million in assets for financial institutions and
$6.5 million in sales for many creditors), but the staff requests
comment on the number of small businesses that would be covered by the
rule. As discussed in the PRA section of this Notice, it is unlikely
that such low-risk entities employ the measures to detect and address
identity theft. Nevertheless, the proposed requirements are drafted in
a flexible manner that allows entities to develop and implement
different types of programs based upon their size, complexity, and the
nature and scope of their activities. As a result, the FTC staff
expects that the burden on these low-risk entities will be minimal
(i.e., not significant). The proposed regulations would require low-
risk entities that have no existing identity theft procedures to
justify in writing their low-risk of identity theft, train staff to be
attentive to future risks of identity theft, and prepare the annual
report. The FTC staff believes that, for the affected low-risk
entities, such activities will not be complex or resource-intensive
tasks.
The proposed regulations implementing Section 114 also require
credit and debit card issuers to establish policies and procedures to
assess the validity of a change of address request. It is likely that
most of the entities have automated the process of notifying the
cardholder or using other means to assess the validity of the change of
address such that implementation will pose no further burden. For those
that do not, the FTC staff expects that a small number of such entities
(100) will need to develop policies and procedures to assess the
validity of a change of
[[Page 40807]]
address request. The impacts on such entities should not be
significant, however.
Section 315: The regulations implementing section 315 provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when a user receives a notice of address
discrepancy from a consumer reporting agency. The proposed regulations
also require a user of consumer reports to furnish an address that the
user has reasonably confirmed is accurate to the consumer reporting
agency from which it receives a notice of address discrepancy, but only
to the extent that such user regularly and in the ordinary course of
business furnishes information to such consumer reporting agency. The
FTC staff believes that the impacts on users of consumer reports that
are small businesses will not be significant. As discussed in the PRA
section of this Notice, the FTC staff believes that it will not take
users of consumer reports under FTC jurisdiction a significant amount
of time to develop policies and procedures that they will employ when
they receive a notice of address discrepancy. FTC staff believes that
only 10,000 of such users of consumer reports furnish information to
consumer reporting agencies as part of their usual and customary
business practices and that approximately 20% of these entities qualify
as small businesses. Therefore, the staff estimates that 2,000 small
businesses will be affected by this portion of the proposed regulation
that requires furnishing the correct address. As discussed in the PRA
section of this Notice, FTC staff estimates that it will not take such
users of consumer reports a significant amount of time to develop the
policies and procedures for furnishing the correct address to the
consumer reporting agencies pursuant to the proposed regulations for
implementing section 315. The FTC staff estimates that the costs
associated with these impacts will not be significant.
The Commission does not expect that there will be any significant
legal, professional, or training costs to comply with the Rule.
Although it is not possible to estimate small businesses' compliance
costs precisely, such costs are likely to be quite modest for most
small entities. Nonetheless, because the Commission is concerned about
the potential impact of the proposed Rule on small entities, it
specifically invites comment on the costs of compliance for such
parties. In particular, although the Commission does not expect that
small entities will require legal assistance to meet the proposed
Rule's requirements, the Commission requests comment on whether small
entities believe that they will incur such costs and, if so, what they
will be. In addition, the Commission requests comment on the costs, if
any, of training relevant employees regarding the proposed
requirements. The Commission invites comment and information on these
issues.
5. Duplicative, Overlapping, or Conflicting Federal Rules
The Commission has not identified any other federal statutes,
rules, or policies that would duplicate, overlap, or conflict with the
proposed Rule. The Commission invites comment and information on this
issue.
6. Significant Alternatives to the Proposed Rule
The standards in the proposed Rule are flexible, and take into
account a covered entity's size and sophistication, as well as the
costs and benefits of alternative compliance methods. Nevertheless, the
Commission seeks comment and information on the need, if any, for
alternative compliance methods that, consistent with the statutory
requirements, would reduce the economic impact of the rule on such
small entities, including the need, if any, to delay the rule's
effective date to provide additional time for small business
compliance.
If the comments filed in response to this notice identify small
entities that are affected by the rule, as well as alternative methods
of compliance that would reduce the economic impact of the rule on such
entities, the Commission will consider the feasibility of such
alternatives and determine whether they should be incorporated into the
final rule.
C. OCC and OTS Executive Order 12866 Determination
The OCC and the OTS each has determined that this proposed
rulemaking, mandated by sections 114 and 315 of the FACT Act, is not a
significant regulatory action under Executive Order 12866.
The OCC and OTS believe that national banks and savings
associations, respectively, already have procedures in place that
fulfill many of the requirements of the proposed regulations because
they are consistent with institutions' usual and customary business
practices used to minimize losses due to fraud in connection with new
and existing accounts. Institutions also are likely to have implemented
many of the proposed requirements as a result of complying with other
existing regulations and guidance. For these reasons, and for the
reasons discussed elsewhere in this preamble, the OCC and OTS each
believes that the burden stemming from this rulemaking will not cause
the proposed rules to be a ``significant regulatory action.''
Nevertheless, because the proposed rulemaking implements new
statutory requirements, it may impose costs on some national banks and
savings associations by requiring them to formalize or enhance their
existing policies and procedures. Therefore, the OCC and OTS invite
national banks, savings associations and the public to provide any cost
estimates and related data that they think would be useful in
evaluating the overall costs of this rulemaking. The OCC and OTS will
review any comments and cost data provided carefully, and will revisit
the cost aspects of the proposed rules in developing final rules.
D. OCC and OTS Executive Order 13132 Determination
The OCC and the OTS each has determined that this proposal does not
have any federalism implications for purposes of Executive Order 13132.
E. NCUA Executive Order 13132 Determination
Executive Order 13132 encourages independent regulatory agencies to
consider the impact of their actions on State and local interests. In
adherence to fundamental federalism principles, the NCUA, an
independent regulatory agency as defined in 44 U.S.C. 3502(5)
voluntarily complies with the Executive Order. The proposed rule
applies only to federally chartered credit unions and would not have
substantial direct effects on the States, on the connection between the
national government and the States, or on the distribution of power and
responsibilities among the various levels of government. The NCUA has
determined that this proposed rule does not constitute a policy that
has federalism implications for purposes of the Executive Order.
F. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination
Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law
104-4 (Unfunded Mandates Act) requires that an agency prepare a
budgetary impact statement before promulgating a rule that includes a
Federal mandate that may result in expenditure by State, local, and
tribal governments, in the aggregate, or by the private sector, of $100
million or more in any one year (adjusted annually for inflation). If a
budgetary impact
[[Page 40808]]
statement is required section 205 of the Unfunded Mandates Act also
requires an agency to identify and consider a reasonable number of
regulatory alternatives before promulgating a rule.
The OCC and OTS each believes that the financial institutions
subject to their jurisdiction covered by the proposed rules already
have identity theft prevention programs because it is a sound business
practice. In addition, key elements of the proposed rules are elements
in existing regulations and guidance. Therefore, the OCC and OTS each
has determined that this proposed rule will not result in expenditures
by State, local, and tribal governments, or by the private sector, that
exceed the expenditure threshold. Accordingly, neither the OCC nor OTS
has prepared a budgetary impact statement or specifically addressed
regulatory alternatives considered.
G. NCUA: The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families
The NCUA has determined that this proposed rule would not affect
family well-being within the meaning of section 654 of the Treasury and
General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat.
2681 (1998).
H. Community Bank Comment Request
The Agencies invite your comments on the impact of this proposal on
community banks. The Agencies recognize that community banks operate
with more limited resources than larger institutions and may present a
different risk profile. Thus, the Agencies specifically request comment
on the impact of the proposal on community banks' current resources and
available personnel with the requisite expertise, and whether the goals
of the proposal could be achieved, for community banks, through an
alternative approach.
V. Solicitation of Comments on Use of Plain Language
Section 722 of the Gramm-Leach-Bliley Act, Pub. L. 106-102, sec.
722, 113 Stat. 1338, 1471 (Nov. 12, 1999), requires the OCC, Board,
FDIC, and OTS to use plain language in all proposed and final rules
published after January 1, 2000. Therefore, these agencies specifically
invite your comments on how to make this proposal easier to understand.
For example:
Have we organized the material to suit your needs? If not,
how could this material be better organized?
Are the requirements in the proposed guidelines and
regulations clearly stated? If not, how could the guidelines and
regulations be more clearly stated?
Do the proposed guidelines and regulations contain
language or jargon that is not clear? If so, which language requires
clarification?
Would a different format (grouping and order of sections,
use of headings, paragraphing) make the guidelines and regulations
easier to understand? If so, what changes to the format would make them
easier to understand?
What else could we do to make the guidelines and
regulations easier to understand?
VI. Communications by Outside Parties to FTC Commissioners or Their
Advisors
Written communications and summaries or transcripts of oral
communications respecting the merits of this proceeding from any
outside party to any FTC Commissioner or FTC Commissioner's advisor
will be placed on the public record. See 16 CFR 1.26(b)(5).
List of Subjects
12 CFR Part 41
Banks, banking, Consumer protection, National Banks, Reporting and
recordkeeping requirements.
12 CFR Part 222
Banks, banking, Holding companies, state member banks.
12 CFR Part 334
Administrative practice and procedure, Bank deposit insurance,
Banks, Banking, Reporting and recordkeeping requirements, Safety and
soundness.
12 CFR Part 364
Administrative practice and procedure, Bank deposit insurance,
Banks, Banking, Reporting and recordkeeping requirements, Safety and
Soundness.
12 CFR Part 571
Consumer protection, Credit, Fair Credit Reporting Act, Privacy,
Reporting and recordkeeping requirements, Savings associations.
12 CFR Part 717
Consumer protection, Credit unions, Fair credit reporting, Privacy,
Reporting and recordkeeping requirements.
16 CFR Part 681
Fair Credit Reporting Act, Consumer reports, Consumer report users,
Consumer reporting agencies, Credit, Creditors, Information furnishers,
Identity theft, Trade practices.
Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Chapter I
Authority and Issuance
For the reasons discussed in the joint preamble, the Office of the
Comptroller of the Currency proposes to amend chapter I of title 12 of
the Code of Federal Regulations by amending 12 CFR part 41 as follows:
PART 41--FAIR CREDIT REPORTING
1. The authority citation for part 41 is revised to read as
follows:
Authority: 12 U.S.C. 1 et seq., 24(Seventh), 93a, 481, and 1818;
15 U.S.C. 1681c, 1681m, 1681s, 1681w, 6801 and 6805.
Subpart A--General Provisions
2. Amend Sec. 41.3 by revising the introductory text to read as
follows:
Sec. 41.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
* * * * *
Subpart I--Duties of Users of Consumer Reports Regarding Address
Discrepancies and Records Disposal
3. Revise the heading for Subpart I as shown above.
4. Add Sec. 41.82 to read as follows:
Sec. 41.82 Duties of users regarding address discrepancies.
(a) Scope. This section applies to users of consumer reports that
receive notices of address discrepancies from credit reporting agencies
(referred to as ``users''), and that are national banks, Federal
branches and agencies of foreign banks, and any of their operating
subsidiaries that are not functionally regulated within the meaning of
section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12
U.S.C. 1844(c)(5)).
(b) Definition. For purposes of this section, a notice of address
discrepancy means a notice sent to a user of a consumer report by a
consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that
informs the user of a substantial difference between the address for
the consumer that the user provided to request the consumer report and
the address(es) in the agency's file for the consumer.
(c) Requirement to form a reasonable belief. A user must develop
and implement reasonable policies and procedures for verifying the
identity of the consumer for whom it has obtained a consumer report and
for whom it
[[Page 40809]]
receives a notice of address discrepancy. These policies and procedures
must be designed to enable the user either to form a reasonable belief
that it knows the identity of the consumer or determine that it cannot
do so. A user that employs the policies and procedures regarding
identification and verification set forth in the Customer
Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) under
these circumstances satisfies this requirement, whether or not the user
is subject to the CIP rules.
(d) Consumer's address (1) Requirement to furnish consumer's
address to a consumer reporting agency. A user must develop and
implement reasonable policies and procedures for furnishing an address
for the consumer that the user has reasonably confirmed is accurate to
the consumer reporting agency from whom it received the notice of
address discrepancy when the user:
(i) Can form a reasonable belief that it knows the identity of the
consumer for whom the consumer report was obtained;
(ii) Establishes or maintains a continuing relationship with the
consumer; and
(iii) Regularly and in the ordinary course of business furnishes
information to the consumer reporting agency from which the notice of
address discrepancy pertaining to the consumer was obtained.
(2) Requirement to confirm consumer's address. The user may
reasonably confirm an address is accurate by:
(i) Verifying the address with the person to whom the consumer
report pertains;
(ii) Reviewing its own records of the address provided to request
the consumer report;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance
with paragraph (d)(1) of this section must provide that the user will
furnish the consumer's address that the user has reasonably confirmed
is accurate to the consumer reporting agency as part of the information
it regularly furnishes:
(i) With respect to new relationships, for the reporting period in
which it establishes a relationship with the consumer; and
(ii) In other circumstances, for the reporting period in which the
user confirms the accuracy of the address of the consumer.
5. Add Subpart J to part 41 to read as follows:
Subpart J--Identity Theft Red Flags
Sec. 41.90 Duties regarding the detection, prevention, and mitigation
of identity theft.
(a) Purpose and scope. This section implements section 114 of the
Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which
amends section 615 of the Fair Credit Reporting Act (FCRA). It applies
to financial institutions and creditors that are national banks,
Federal branches and agencies of foreign banks, and any of their
operating subsidiaries that are not functionally regulated within the
meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as
amended (12 U.S.C. 1844(c)(5)).
(b) Definitions. For purposes of this section, the following
definitions apply:
(1) Account means a continuing relationship established to provide
a financial product or service that a financial holding company could
offer by engaging in an activity that is financial in nature or
incidental to such a financial activity under section 4(k) of the Bank
Holding Company Act, 12 U.S.C. 1843(k). Account includes:
(i) An extension of credit for personal, family, household or
business purposes, such as a credit card account, margin account, or
retail installment sales contract, such as a car loan or lease; and
(ii) A demand deposit, savings or other asset account for personal,
family, household, or business purposes, such as a checking or savings
account.
(2) The term board of directors includes:
(i) In the case of a foreign branch or agency of a foreign bank,
the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board
of directors, a designated employee.
(3) Customer means a person that has an account with a financial
institution or creditor.
(4) Identity theft has the same meaning as in 16 CFR 603.2(a).
(5) Red Flag means a pattern, practice, or specific activity that
indicates the possible risk of identity theft.
(6) Service provider means a person that provides a service
directly to the financial institution or creditor.
(c) Identity Theft Prevention Program. Each financial institution
or creditor must implement a written Identity Theft Prevention Program
(Program). The Program must include reasonable policies and procedures
to address the risk of identity theft to its customers and the safety
and soundness of the financial institution or creditor, including
financial, operational, compliance, reputation, and litigation risks,
in the manner discussed in paragraph (d) of this section. The Program
must be:
(1) Appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities; and
(2) Designed to address changing identity theft risks as they arise
in connection with the experiences of the financial institution or
creditor with identity theft, and changes in methods of identity theft,
methods to detect, prevent, and mitigate identity theft, the types of
accounts it offers, and business arrangements, including mergers,
acquisitions, alliances, joint ventures, and service provider
arrangements.
(d) Development and implementation of Program. (1) Identification
and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must
include policies and procedures to identify Red Flags, singly or in
combination, that are relevant to detecting a possible risk of identity
theft to customers or to the safety and soundness of the financial
institution or creditor, using the risk evaluation set forth in
paragraph (d)(1)(ii) of this section. The Red Flags identified must
reflect changing identity theft risks to customers and to the financial
institution or creditor as they arise. At a minimum, the Program must
incorporate any relevant Red Flags from:
(A) Appendix J to this part;
(B) Applicable supervisory guidance;
(C) Incidents of identity theft that the financial institution or
creditor has experienced; and
(D) Methods of identity theft that the financial institution or
creditor has identified that reflect changes in identity theft risks.
(ii) Risk evaluation. In identifying which Red Flags are relevant,
the financial institution or creditor must consider:
(A) Which of its accounts are subject to a risk of identity theft;
(B) The methods it provides to open these accounts;
(C) The methods it provides to access these accounts; and
(D) Its size, location, and customer base.
(2) Identity theft prevention and mitigation. The Program must
include reasonable policies and procedures designed to prevent and
mitigate identity theft in connection with the opening of an account or
any existing account, including policies and procedures to:
(i) Obtain identifying information about, and verify the identity
of, a person opening an account. A financial institution or creditor
that uses the policies and procedures regarding
[[Page 40810]]
identification and verification set forth in the Customer
Identification Program (CIP) rules implementing 31 U.S.C. 5318(l),
under these circumstances, satisfies this requirement whether or not
the user is subject to the CIP rules;
(ii) Detect the Red Flags identified pursuant to paragraph (d)(1)
of this section;
(iii) Assess whether the Red Flags detected pursuant to paragraph
(d)(2)(ii) of this section evidence a risk of identity theft. An
institution or creditor must have a reasonable basis for concluding
that a Red Flag does not evidence a risk of identity theft; and
(iv) Address the risk of identity theft, commensurate with the
degree of risk posed, such as by:
(A) Monitoring an account for evidence of identity theft;
(B) Contacting the customer;
(C) Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
(D) Reopening an account with a new account number;
(E) Not opening a new account;
(F) Closing an existing account;
(G) Notifying law enforcement and, for those that are subject to 31
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
applicable law and regulation;
(H) Implementing any requirements regarding limitations on credit
extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an
additional credit card when the financial institution or creditor
detects a fraud or active duty alert associated with the opening of an
account, or an existing account; or
(I) Implementing any requirements for furnishers of information to
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or
update inaccurate or incomplete information.
(3) Staff training. Each financial institution or creditor must
train staff to implement its Program.
(4) Oversight of service provider arrangements. Whenever a
financial institution or creditor engages a service provider to perform
an activity on its behalf and the requirements of its Program are
applicable to that activity (such as account opening), the financial
institution or creditor must take steps designed to ensure that the
activity is conducted in compliance with a Program that meets the
requirements of paragraphs (c) and (d) of this section.
(5) Involvement of board of directors and senior management. (i)
Board approval. The board of directors or an appropriate committee of
the board must approve the written Program.
(ii) Oversight by board or senior management. The board of
directors, an appropriate committee of the board, or senior management
must oversee the development, implementation, and maintenance of the
Program, including assigning specific responsibility for its
implementation, and reviewing annual reports prepared by staff
regarding compliance by the financial institution or creditor with this
section.
(iii) Reports. (A) In general. Staff of the financial institution
or creditor responsible for implementation of its Program must report
to the board, an appropriate committee of the board, or senior
management, at least annually, on compliance by the financial
institution or creditor with this section.
(B) Contents of report. The report must discuss material matters
related to the Program and evaluate issues such as: the effectiveness
of the policies and procedures of the financial institution or creditor
in addressing the risk of identity theft in connection with the opening
of accounts and with respect to existing accounts; service provider
arrangements; significant incidents involving identity theft and
management's response; and recommendations for changes in the Program.
Sec. 41.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to a person described in Sec.
41.90(a) that issues a debit or credit card.
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or
debit card.
(2) Clear and conspicuous means reasonably understandable and
designed to call attention to the nature and significance of the
information presented.
(c) In general. A card issuer must establish and implement
reasonable policies and procedures to assess the validity of a change
of address if it receives notification of a change of address for a
consumer's debit or credit card account and within a short period of
time afterwards (during at least the first 30 days after it receives
such notification), the card issuer receives a request for an
additional or replacement card for the same account. Under these
circumstances, the card issuer may not issue an additional or
replacement card, unless, in accordance with its reasonable policies
and procedures and for the purpose of assessing the validity of the
change of address, the card issuer:
(1) Notifies the cardholder of the request at the cardholder's
former address and provides to the cardholder a means of promptly
reporting incorrect address changes;
(2) Notifies the cardholder of the request by any other means of
communication that the card issuer and the cardholder have previously
agreed to use; or
(3) Uses other means of assessing the validity of the change of
address, in accordance with the policies and procedures the card issuer
has established pursuant to Sec. 41.90.
(d) Form of notice. Any written or electronic notice that the card
issuer provides under this paragraph shall be clear and conspicuous and
provided separately from its regular correspondence with the
cardholder.
6. Reserve appendices B through I to part 41.
7. Add Appendix J to part 41 to read as follows:
Appendix J to Part 41--Interagency Guidelines on Identity Theft
Detection, Prevention, and MitigationRed Flags in Connection With
an Account Application or an Existing Account Information From a
Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer
report.
2. A notice of address discrepancy is provided by a consumer
reporting agency.
3. A consumer report indicates a pattern of activity that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries.
b. An unusual number of recently established credit
relationships.
c. A material change in the use of credit, especially with
respect to recently established credit relationships.
d. An account was closed for cause or identified for abuse of
account privileges by a financial institution or creditor.
Documentary Identification
4. Documents provided for identification appear to have been
altered.
5. The photograph or physical description on the identification
is not consistent with the appearance of the applicant or customer
presenting the identification.
6. Other information on the identification is not consistent
with information provided by the person opening a new account or
customer presenting the identification.
7. Other information on the identification is not consistent
with information that is on file, such as a signature card.
Personal Information
8. Personal information provided is inconsistent when compared
against external information sources. For example:
a. The address does not match any address in the consumer
report; or
b. The Social Security Number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File.
9. Personal information provided is internally inconsistent. For
example, there is
[[Page 40811]]
a lack of correlation between the SSN range and date of birth.
10. Personal information provided is associated with known
fraudulent activity. For example:
a. The address on an application is the same as the address
provided on a fraudulent application; or
b. The phone number on an application is the same as the number
provided on a fraudulent application.
11. Personal information provided is of a type commonly
associated with fraudulent activity. For example:
a. The address on an application is fictitious, a mail drop, or
prison.
b. The phone number is invalid, or is associated with a pager or
answering service.
12. The address, SSN, or home or cell phone number provided is
the same as that submitted by other persons opening an account or
other customers.
13. The person opening the account or the customer fails to
provide all required information on an application.
14. Personal information provided is not consistent with
information that is on file.
15. The person opening the account or the customer cannot
provide authenticating information beyond that which generally would
be available from a wallet or consumer report.
Address Changes
16. Shortly following the notice of a change of address for an
account, the institution or creditor receives a request for new,
additional, or replacement checks, convenience checks, cards, or a
cell phone, or for the addition of authorized users on the account.
17. Mail sent to the customer is returned as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
Anomalous Use of the Account
18. A new revolving credit account is used in a manner commonly
associated with fraud. For example:
a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
19. An account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of late or missed
payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in
connection with a deposit account; or
e. A material change in telephone call patterns in connection
with a cellular phone account.
20. An account that has been inactive for a reasonably lengthy
period of time is used (taking into consideration the type of
account, the expected pattern of usage and other relevant factors).
Notice from Customers or Others Regarding Customer Accounts
21. The financial institution or creditor is notified of
unauthorized charges in connection with a customer's account.
22. The financial institution or creditor is notified that it
has opened a fraudulent account for a person engaged in identity
theft.
23. The financial institution or creditor is notified that the
customer is not receiving account statements.
24. The financial institution or creditor is notified that its
customer has provided information to someone fraudulently claiming
to represent the financial institution or creditor or to a
fraudulent website.
25. Electronic messages are returned to mail servers of the
financial institution or creditor that it did not originally send,
indicating that its customers may have been asked to provide
information to a fraudulent website that looks very similar, if not
identical, to the website of the financial institution or creditor.
Other Red Flags
26. The name of an employee of the financial institution or
creditor has been added as an authorized user on an account.
27. An employee has accessed or downloaded an unusually large
number of customer account records.
28. The financial institution or creditor detects attempts to
access a customer's account by unauthorized persons.
29. The financial institution or creditor detects or is informed
of unauthorized access to a customer's personal information.
30. There are unusually frequent and large check orders in
connection with a customer's account.
31. The person opening an account or the customer is unable to
lift a credit freeze placed on his or her consumer report.
Board of Governors of the Federal Reserve System
12 CFR Chapter II
Authority and Issuance
For the reasons discussed in the joint preamble, the Board of
Governors of the Federal Reserve System proposes to amend chapter II of
title 12 of the Code of Federal Regulations by amending 12 CFR part 222
as follows:
PART 222--FAIR CREDIT REPORTING (REGULATION V)
1. The authority citation for part 222 is revised to read as
follows:
Authority: 15 U.S.C. 1681b, 1681c, 1681m and 1681s; Secs. 3,
214, and 216, Pub. L. 108-159, 117 Stat. 1952.
2. Amend Sec. 222.3 by revising the introductory text to read as
follows:
Subpart A--General Provisions
* * * * *
Sec. 222.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
* * * * *
3. Revise the heading for Subpart I to read as follows:
Subpart I--Duties of Users of Consumer Reports Regarding Address
Discrepancies and Records Disposal
4. Add Sec. 222.82 to read as follows:
Sec. 222.82 Duties of users regarding address discrepancies.
(a) Scope. This section applies to users of consumer reports that
receive notices of address discrepancies from credit reporting agencies
(referred to as ``users''), and that are member banks of the Federal
Reserve System (other than national banks) and their respective
operating subsidiaries, branches and Agencies of foreign banks (other
than Federal branches, Federal Agencies, and insured State branches of
foreign banks), commercial lending companies owned or controlled by
foreign banks, and organizations operating under section 25 or 25A of
the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).
(b) Definition. For purposes of this section, a notice of address
discrepancy means a notice sent to a user of a consumer report by a
consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that
informs the user of a substantial difference between the address for
the consumer that the user provided to request the consumer report and
the address(es) in the agency's file for the consumer.
(c) Requirement to form a reasonable belief. A user must develop
and implement reasonable policies and procedures for verifying the
identity of the consumer for whom it has obtained a consumer report and
for whom it receives a notice of address discrepancy. These policies
and procedures must be designed to enable the user either to form a
reasonable belief that it knows the identity of the consumer or
determine that it cannot do so. A user that employs the policies and
procedures regarding identification and verification set forth in the
Customer Identification Program (CIP) rules implementing 31 U.S.C.
5318(l) under these circumstances satisfies this requirement, whether
or not the user is subject to the CIP rules.
(d) Consumer's address. (1) Requirement to furnish consumer's
address to a consumer reporting agency. A user must develop and
implement reasonable policies and procedures for furnishing an address
for the consumer that the user has reasonably confirmed
[[Page 40812]]
is accurate to the consumer reporting agency from whom it received the
notice of address discrepancy when the user:
(i) Can form a reasonable belief that it knows the identity of the
consumer for whom the consumer report was obtained;
(ii) Establishes or maintains a continuing relationship with the
consumer; and
(iii) Regularly and in the ordinary course of business furnishes
information to the consumer reporting agency from which the notice of
address discrepancy pertaining to the consumer was obtained.
(2) Requirement to confirm consumer's address. The user may
reasonably confirm an address is accurate by:
(i) Verifying the address with the person to whom the consumer
report pertains;
(ii) Reviewing its own records of the address provided to request
the consumer report;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance
with paragraph (d)(1) of this section must provide that the user will
furnish the consumer's address that the user has reasonably confirmed
is accurate to the consumer reporting agency as part of the information
it regularly furnishes:
(i) With respect to new relationships, for the reporting period in
which it establishes a relationship with the consumer; and
(ii) In other circumstances, for the reporting period in which the
user confirms the accuracy of the address of the consumer.
5. Add Subpart J to part 222 to read as follows:
Subpart J--Identity Theft Red Flags
Sec. 222.90 Duties regarding the detection, prevention, and
mitigation of identity theft.
(a) Purpose and scope. This section implements section 114 of the
Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which
amends section 615 of the Fair Credit Reporting Act (FCRA). It applies
to financial institutions and creditors that are member banks of the
Federal Reserve System (other than national banks) and their respective
operating subsidiaries, branches and Agencies of foreign banks (other
than Federal branches, Federal Agencies, and insured State branches of
foreign banks), commercial lending companies owned or controlled by
foreign banks, and organizations operating under section 25 or 25A of
the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).
(b) Definitions. For purposes of this section, the following
definitions apply:
(1) Account means a continuing relationship established to provide
a financial product or service that a financial holding company could
offer by engaging in an activity that is financial in nature or
incidental to such a financial activity under section 4(k) of the Bank
Holding Company Act, 12 U.S.C. 1843(k). Account includes:
(i) An extension of credit for personal, family, household or
business purposes, such as a credit card account, margin account, or
retail installment sales contract, such as a car loan or lease; and
(ii) A demand deposit, savings or other asset account for personal,
family, household, or business purposes, such as a checking or savings
account.
(2) The term board of directors includes:
(i) In the case of a foreign branch or agency of a foreign bank,
the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board
of directors, a designated employee.
(3) Customer means a person that has an account with a financial
institution or creditor.
(4) Identity theft has the same meaning as in 16 CFR 603.2(a).
(5) Red Flag means a pattern, practice, or specific activity that
indicates the possible risk of identity theft.
(6) Service provider means a person that provides a service
directly to the financial institution or creditor.
(c) Identity Theft Prevention Program. Each financial institution
or creditor must implement a written Identity Theft Prevention Program
(Program). The Program must include reasonable policies and procedures
to address the risk of identity theft to its customers and the safety
and soundness of the financial institution or creditor, including
financial, operational, compliance, reputation, and litigation risks,
in the manner discussed in paragraph (d) of this section. The Program
must be:
(1) Appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities; and
(2) Designed to address changing identity theft risks as they arise
in connection with the experiences of the financial institution or
creditor with identity theft, and changes in methods of identity theft,
methods to detect, prevent, and mitigate identity theft, the types of
accounts it offers, and business arrangements, including mergers,
acquisitions, alliances, joint ventures, and service provider
arrangements.
(d) Development and implementation of Program. (1) Identification
and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must
include policies and procedures to identify Red Flags, singly or in
combination, that are relevant to detecting a possible risk of identity
theft to customers or to the safety and soundness of the financial
institution or creditor, using the risk evaluation set forth in
paragraph (d)(1)(ii) of this section. The Red Flags identified must
reflect changing identity theft risks to customers and to the financial
institution or creditor as they arise. At a minimum, the Program must
incorporate any relevant Red Flags from:
(A) Appendix J to this part;
(B) Applicable supervisory guidance;
(C) Incidents of identity theft that the financial institution or
creditor has experienced; and
(D) Methods of identity theft that the financial institution or
creditor has identified that reflect changes in identity theft risks.
(ii) Risk evaluation. In identifying which Red Flags are relevant,
the financial institution or creditor must consider:
(A) Which of its accounts are subject to a risk of identity theft;
(B) The methods it provides to open these accounts;
(C) The methods it provides to access these accounts; and
(D) Its size, location, and customer base.
(2) Identity theft prevention and mitigation. The Program must
include reasonable policies and procedures designed to prevent and
mitigate identity theft in connection with the opening of an account or
any existing account, including policies and procedures to:
(i) Obtain identifying information about, and verify the identity
of, a person opening an account. A financial institution or creditor
that uses the policies and procedures regarding identification and
verification set forth in the Customer Identification Program (CIP)
rules implementing 31 U.S.C. 5318(l), under these circumstances,
satisfies this requirement whether or not the user is subject to the
CIP rules;
(ii) Detect the Red Flags identified pursuant to paragraph (d)(1)
of this section;
(iii) Assess whether the Red Flags detected pursuant to paragraph
(d)(2)(ii) of this section evidence a risk of identity theft. An
institution or creditor must have a reasonable basis for concluding
[[Page 40813]]
that a Red Flag does not evidence a risk of identity theft; and
(iv) Address the risk of identity theft, commensurate with the
degree of risk posed, such as by:
(A) Monitoring an account for evidence of identity theft;
(B) Contacting the customer;
(C) Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
(D) Reopening an account with a new account number;
(E) Not opening a new account;
(F) Closing an existing account;
(G) Notifying law enforcement and, for those that are subject to 31
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
applicable law and regulation;
(H) Implementing any requirements regarding limitations on credit
extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an
additional credit card when the financial institution or creditor
detects a fraud or active duty alert associated with the opening of an
account, or an existing account; or
(I) Implementing any requirements for furnishers of information to
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or
update inaccurate or incomplete information.
(3) Staff training. Each financial institution or creditor must
train staff to implement its Program.
(4) Oversight of service provider arrangements. Whenever a
financial institution or creditor engages a service provider to perform
an activity on its behalf and the requirements of its Program are
applicable to that activity (such as account opening), the financial
institution or creditor must take steps designed to ensure that the
activity is conducted in compliance with a Program that meets the
requirements of paragraphs (c) and (d) of this section.
(5) Involvement of board of directors and senior management. (i)
Board approval. The board of directors or an appropriate committee of
the board must approve the written Program.
(ii) Oversight by board or senior management. The board of
directors, an appropriate committee of the board, or senior management
must oversee the development, implementation, and maintenance of the
Program, including assigning specific responsibility for its
implementation, and reviewing annual reports prepared by staff
regarding compliance by the financial institution or creditor with this
section.
(iii) Reports. (A) In general. Staff of the financial institution
or creditor responsible for implementation of its Program must report
to the board, an appropriate committee of the board, or senior
management, at least annually, on compliance by the financial
institution or creditor with this section.
(B) Contents of report. The report must discuss material matters
related to the Program and evaluate issues such as: the effectiveness
of the policies and procedures of the financial institution or creditor
in addressing the risk of identity theft in connection with the opening
of accounts and with respect to existing accounts; service provider
arrangements; significant incidents involving identity theft and
management's response; and recommendations for changes in the Program.
Sec. 222.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to a person described in Sec.
222.90(a) that issues a debit or credit card.
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or
debit card.
(2) Clear and conspicuous means reasonably understandable and
designed to call attention to the nature and significance of the
information presented.
(c) In general. A card issuer must establish and implement
reasonable policies and procedures to assess the validity of a change
of address if it receives notification of a change of address for a
consumer's debit or credit card account and within a short period of
time afterwards (during at least the first 30 days after it receives
such notification), the card issuer receives a request for an
additional or replacement card for the same account. Under these
circumstances, the card issuer may not issue an additional or
replacement card, unless, in accordance with its reasonable policies
and procedures and for the purpose of assessing the validity of the
change of address, the card issuer:
(1) Notifies the cardholder of the request at the cardholder's
former address and provides to the cardholder a means of promptly
reporting incorrect address changes;
(2) Notifies the cardholder of the request by any other means of
communication that the card issuer and the cardholder have previously
agreed to use; or
(3) Uses other means of assessing the validity of the change of
address, in accordance with the policies and procedures the card issuer
has established pursuant to section 222.90.
(d) Form of notice. Any written or electronic notice that the card
issuer provides under this paragraph shall be clear and conspicuous and
provided separately from its regular correspondence with the
cardholder.
6. Reserve appendices C through I to part 222.
7. Add Appendix J to part 222 to read as follows:
Appendix J to Part 222--Interagency Guidelines on Identity Theft
Detection, Prevention, and MitigationRed Flags in Connection With
an Account Application or an Existing Account Information From a
Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer
report.
2. A notice of address discrepancy is provided by a consumer
reporting agency.
3. A consumer report indicates a pattern of activity that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries.
b. An unusual number of recently established credit
relationships.
c. A material change in the use of credit, especially with
respect to recently established credit relationships.
d. An account was closed for cause or identified for abuse of
account privileges by a financial institution or creditor.
Documentary Identification
4. Documents provided for identification appear to have been
altered.
5. The photograph or physical description on the identification
is not consistent with the appearance of the applicant or customer
presenting the identification.
6. Other information on the identification is not consistent
with information provided by the person opening a new account or
customer presenting the identification.
7. Other information on the identification is not consistent
with information that is on file, such as a signature card.
Personal Information
8. Personal information provided is inconsistent when compared
against external information sources. For example:
a. The address does not match any address in the consumer
report; or
b. The Social Security Number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File.
9. Personal information provided is internally inconsistent. For
example, there is a lack of correlation between the SSN range and
date of birth.
10. Personal information provided is associated with known
fraudulent activity. For example:
a. The address on an application is the same as the address
provided on a fraudulent application; or
b. The phone number on an application is the same as the number
provided on a fraudulent application.
11. Personal information provided is of a type commonly
associated with fraudulent activity. For example:
a. The address on an application is fictitious, a mail drop, or
prison.
[[Page 40814]]
b. The phone number is invalid, or is associated with a pager or
answering service.
12. The address, SSN, or home or cell phone number provided is
the same as that submitted by other persons opening an account or
other customers.
13. The person opening the account or the customer fails to
provide all required information on an application.
14. Personal information provided is not consistent with
information that is on file.
15. The person opening the account or the customer cannot
provide authenticating information beyond that which generally would
be available from a wallet or consumer report.
Address Changes
16. Shortly following the notice of a change of address for an
account, the institution or creditor receives a request for new,
additional, or replacement checks, convenience checks, cards, or a
cell phone, or for the addition of authorized users on the account.
17. Mail sent to the customer is returned as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
Anomalous Use of the Account
18. A new revolving credit account is used in a manner commonly
associated with fraud. For example:
a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
19. An account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of late or missed
payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in
connection with a deposit account; or
e. A material change in telephone call patterns in connection
with a cellular phone account.
20. An account that has been inactive for a reasonably lengthy
period of time is used (taking into consideration the type of
account, the expected pattern of usage and other relevant factors).
Notice From Customers or Others Regarding Customer Accounts
21. The financial institution or creditor is notified of
unauthorized charges in connection with a customer's account.
22. The financial institution or creditor is notified that it
has opened a fraudulent account for a person engaged in identity
theft.
23. The financial institution or creditor is notified that the
customer is not receiving account statements.
24. The financial institution or creditor is notified that its
customer has provided information to someone fraudulently claiming
to represent the financial institution or creditor or to a
fraudulent website.
25. Electronic messages are returned to mail servers of the
financial institution or creditor that it did not originally send,
indicating that its customers may have been asked to provide
information to a fraudulent website that looks very similar, if not
identical, to the website of the financial institution or creditor.
Other Red Flags
26. The name of an employee of the financial institution or
creditor has been added as an authorized user on an account.
27. An employee has accessed or downloaded an unusually large
number of customer account records.
28. The financial institution or creditor detects attempts to
access a customer's account by unauthorized persons.
29. The financial institution or creditor detects or is informed
of unauthorized access to a customer's personal information.
30. There are unusually frequent and large check orders in
connection with a customer's account.
31. The person opening an account or the customer is unable to
lift a credit freeze placed on his or her consumer report.
Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
For the reasons set forth in the joint preamble, the Federal
Deposit Insurance Corporation proposes to amend chapter III of title 12
of the Code of Federal Regulations by amending 12 CFR parts 334 and 364
as follows:
PART 334--FAIR CREDIT REPORTING
1. The authority citation for part 334 is revised to read as
follows:
Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b,
1681c, 1681m, 1681s, 1681w, 6801 and 6805.
Subpart A--General Provisions
2. Amend Sec. 334.3 by revising the introductory text to read as
follows:
Sec. 334.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
* * * * *
Subpart I--Duties of Users of Consumer Reports Regarding Address
Discrepancies and Records Disposal
3. Revise the heading for Subpart I as shown above.
4. Add Sec. 334.82 to read as follows:
Sec. 334.82 Duties of users regarding address discrepancies.
(a) Scope. This section applies to users of consumer reports that
receive notices of address discrepancies from credit reporting agencies
(referred to as ``users''), and that are insured state nonmember banks,
insured state licensed branches of foreign banks, or subsidiaries of
such entities (except brokers, dealers, persons providing insurance,
investment companies, and investment advisers).
(b) Definition. For purposes of this section, a notice of address
discrepancy means a notice sent to a user of a consumer report by a
consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that
informs the user of a substantial difference between the address for
the consumer that the user provided to request the consumer report and
the address(es) in the agency's file for the consumer.
(c) Requirement to form a reasonable belief. A user must develop
and implement reasonable policies and procedures for verifying the
identity of the consumer for whom it has obtained a consumer report and
for whom it receives a notice of address discrepancy. These policies
and procedures must be designed to enable the user either to form a
reasonable belief that it knows the identity of the consumer or
determine that it cannot do so. A user that employs the policies and
procedures regarding identification and verification set forth in the
Customer Identification Program (CIP) rules implementing 31 U.S.C.
5318(l) under these circumstances satisfies this requirement, whether
or not the user is subject to the CIP rules.
(d) Consumer's address (1) Requirement to furnish consumer's
address to a consumer reporting agency. A user must develop and
implement reasonable policies and procedures for furnishing an address
for the consumer that the user has reasonably confirmed is accurate to
the consumer reporting agency from whom it received the notice of
address discrepancy when the user:
(i) Can form a reasonable belief that it knows the identity of the
consumer for whom the consumer report was obtained;
(ii) Establishes or maintains a continuing relationship with the
consumer; and
(iii) Regularly and in the ordinary course of business furnishes
information to the consumer reporting agency from which the notice of
address discrepancy pertaining to the consumer was obtained.
(2) Requirement to confirm consumer's address. The user may
reasonably confirm an address is accurate by:
[[Page 40815]]
(i) Verifying the address with the person to whom the consumer
report pertains;
(ii) Reviewing its own records of the address provided to request
the consumer report;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance
with paragraph (d)(1) of this section must provide that the user will
furnish the consumer's address that the user has reasonably confirmed
is accurate to the consumer reporting agency as part of the information
it regularly furnishes:
(i) With respect to new relationships, for the reporting period in
which it establishes a relationship with the consumer; and
(ii) In other circumstances, for the reporting period in which the
user confirms the accuracy of the address of the consumer.
5. Add Subpart J to part 334 to read as follows:
Subpart J--Identity Theft Red Flags
Sec. 334.90 Duties regarding the detection, prevention, and
mitigation of identity theft.
(a) Purpose and scope. This section implements section 114 of the
Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which
amends section 615 of the Fair Credit Reporting Act (FCRA). It applies
to financial institutions and creditors that are insured state
nonmember banks, insured state licensed branches of foreign banks, or
subsidiaries of such entities (except brokers, dealers, persons
providing insurance, investment companies, and investment advisers).
(b) Definitions. For purposes of this section, the following
definitions apply:
(1) Account means a continuing relationship established to provide
a financial product or service that a financial holding company could
offer by engaging in an activity that is financial in nature or
incidental to such a financial activity under section 4(k) of the Bank
Holding Company Act, 12 U.S.C. 1843(k). Account includes:
(i) An extension of credit for personal, family, household or
business purposes, such as a credit card account, margin account, or
retail installment sales contract, such as a car loan or lease; and
(ii) A demand deposit, savings or other asset account for personal,
family, household, or business purposes, such as a checking or savings
account.
(2) The term board of directors includes:
(i) In the case of a foreign branch or agency of a foreign bank,
the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board
of directors, a designated employee.
(3) Customer means a person that has an account with a financial
institution or creditor.
(4) Identity theft has the same meaning as in 16 CFR 603.2(a).
(5) Red Flag means a pattern, practice, or specific activity that
indicates the possible risk of identity theft.
(6) Service provider means a person that provides a service
directly to the financial institution or creditor.
(c) Identity Theft Prevention Program. Each financial institution
or creditor must implement a written Identity Theft Prevention Program
(Program). The Program must include reasonable policies and procedures
to address the risk of identity theft to its customers and the safety
and soundness of the financial institution or creditor, including
financial, operational, compliance, reputation, and litigation risks,
in the manner discussed in paragraph (d) of this section. The Program
must be:
(1) Appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities; and
(2) Designed to address changing identity theft risks as they arise
in connection with the experiences of the financial institution or
creditor with identity theft, and changes in methods of identity theft,
methods to detect, prevent, and mitigate identity theft, the types of
accounts it offers, and business arrangements, including mergers,
acquisitions, alliances, joint ventures, and service provider
arrangements.
(d) Development and implementation of Program. (1) Identification
and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must
include policies and procedures to identify Red Flags, singly or in
combination, that are relevant to detecting a possible risk of identity
theft to customers or to the safety and soundness of the financial
institution or creditor, using the risk evaluation set forth in
paragraph (d)(1)(ii) of this section. The Red Flags identified must
reflect changing identity theft risks to customers and to the financial
institution or creditor as they arise. At a minimum, the Program must
incorporate any relevant Red Flags from:
(A) Appendix J to this part;
(B) Applicable supervisory guidance;
(C) Incidents of identity theft that the financial institution or
creditor has experienced; and
(D) Methods of identity theft that the financial institution or
creditor has identified that reflect changes in identity theft risks.
(ii) Risk evaluation. In identifying which Red Flags are relevant,
the financial institution or creditor must consider:
(A) Which of its accounts are subject to a risk of identity theft;
(B) The methods it provides to open these accounts;
(C) The methods it provides to access these accounts; and
(D) Its size, location, and customer base.
(2) Identity theft prevention and mitigation. The Program must
include reasonable policies and procedures designed to prevent and
mitigate identity theft in connection with the opening of an account or
any existing account, including policies and procedures to:
(i) Obtain identifying information about, and verify the identity
of, a person opening an account. A financial institution or creditor
that uses the policies and procedures regarding identification and
verification set forth in the Customer Identification Program (CIP)
rules implementing 31 U.S.C. 5318(l), under these circumstances,
satisfies this requirement whether or not the user is subject to the
CIP rules;
(ii) Detect the Red Flags identified pursuant to paragraph (d)(1)
of this section;
(iii) Assess whether the Red Flags detected pursuant to paragraph
(d)(2)(ii) of this section evidence a risk of identity theft. An
institution or creditor must have a reasonable basis for concluding
that a Red Flag does not evidence a risk of identity theft; and
(iv) Address the risk of identity theft, commensurate with the
degree of risk posed, such as by:
(A) Monitoring an account for evidence of identity theft;
(B) Contacting the customer;
(C) Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
(D) Reopening an account with a new account number;
(E) Not opening a new account;
(F) Closing an existing account;
(G) Notifying law enforcement and, for those that are subject to 31
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
applicable law and regulation;
(H) Implementing any requirements regarding limitations on credit
extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an
additional credit card when the financial institution or creditor
detects a fraud or active duty alert associated with the opening of an
account, or an existing account; or
[[Page 40816]]
(I) Implementing any requirements for furnishers of information to
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or
update inaccurate or incomplete information.
(3) Staff training. Each financial institution or creditor must
train staff to implement its Program.
(4) Oversight of service provider arrangements. Whenever a
financial institution or creditor engages a service provider to perform
an activity on its behalf and the requirements of its Program are
applicable to that activity (such as account opening), the financial
institution or creditor must take steps designed to ensure that the
activity is conducted in compliance with a Program that meets the
requirements of paragraphs (c) and (d) of this section.
(5) Involvement of board of directors and senior management. (i)
Board approval. The board of directors or an appropriate committee of
the board must approve the written Program.
(ii) Oversight by board or senior management. The board of
directors, an appropriate committee of the board, or senior management
must oversee the development, implementation, and maintenance of the
Program, including assigning specific responsibility for its
implementation, and reviewing annual reports prepared by staff
regarding compliance by the financial institution or creditor with this
section.
(iii) Reports. (A) In general. Staff of the financial institution
or creditor responsible for implementation of its Program must report
to the board, an appropriate committee of the board, or senior
management, at least annually, on compliance by the financial
institution or creditor with this section.
(B) Contents of report. The report must discuss material matters
related to the Program and evaluate issues such as: the effectiveness
of the policies and procedures of the financial institution or creditor
in addressing the risk of identity theft in connection with the opening
of accounts and with respect to existing accounts; service provider
arrangements; significant incidents involving identity theft and
management's response; and recommendations for changes in the Program.
Sec. 334.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to a person described in Sec.
334.90(a) that issues a debit or credit card.
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or
debit card.
(2) Clear and conspicuous means reasonably understandable and
designed to call attention to the nature and significance of the
information presented.
(c) In general. A card issuer must establish and implement
reasonable policies and procedures to assess the validity of a change
of address if it receives notification of a change of address for a
consumer's debit or credit card account and within a short period of
time afterwards (during at least the first 30 days after it receives
such notification), the card issuer receives a request for an
additional or replacement card for the same account. Under these
circumstances, the card issuer may not issue an additional or
replacement card, unless, in accordance with its reasonable policies
and procedures and for the purpose of assessing the validity of the
change of address, the card issuer:
(1) Notifies the cardholder of the request at the cardholder's
former address and provides to the cardholder a means of promptly
reporting incorrect address changes;
(2) Notifies the cardholder of the request by any other means of
communication that the card issuer and the cardholder have previously
agreed to use; or
(3) Uses other means of assessing the validity of the change of
address, in accordance with the policies and procedures the card issuer
has established pursuant to section 334.90.
(d) Form of notice. Any written or electronic notice that the card
issuer provides under this paragraph shall be clear and conspicuous and
provided separately from its regular correspondence with the
cardholder.
6. Reserve appendices A through I to part 334.
7. Add Appendix J to part 334 to read as follows:
Appendix J to Part 334--Interagency Guidelines on Identity Theft
Detection, Prevention, and MitigationRed Flags in Connection With
an Account Application or an Existing Account Information From a
Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer
report.
2. A notice of address discrepancy is provided by a consumer
reporting agency.
3. A consumer report indicates a pattern of activity that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries.
b. An unusual number of recently established credit
relationships.
c. A material change in the use of credit, especially with
respect to recently established credit relationships.
d. An account was closed for cause or identified for abuse of
account privileges by a financial institution or creditor.
Documentary Identification
4. Documents provided for identification appear to have been
altered.
5. The photograph or physical description on the identification
is not consistent with the appearance of the applicant or customer
presenting the identification.
6. Other information on the identification is not consistent
with information provided by the person opening a new account or
customer presenting the identification.
7. Other information on the identification is not consistent
with information that is on file, such as a signature card.
Personal Information
8. Personal information provided is inconsistent when compared
against external information sources. For example:
a. The address does not match any address in the consumer
report; or
b. The Social Security Number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File.
9. Personal information provided is internally inconsistent. For
example, there is a lack of correlation between the SSN range and
date of birth.
10. Personal information provided is associated with known
fraudulent activity. For example:
a. The address on an application is the same as the address
provided on a fraudulent application; or
b. The phone number on an application is the same as the number
provided on a fraudulent application.
11. Personal information provided is of a type commonly
associated with fraudulent activity. For example:
a. The address on an application is fictitious, a mail drop, or
prison.
b. The phone number is invalid, or is associated with a pager or
answering service.
12. The address, SSN, or home or cell phone number provided is
the same as that submitted by other persons opening an account or
other customers.
13. The person opening the account or the customer fails to
provide all required information on an application.
14. Personal information provided is not consistent with
information that is on file.
15. The person opening the account or the customer cannot
provide authenticating information beyond that which generally would
be available from a wallet or consumer report.
Address Changes
16. Shortly following the notice of a change of address for an
account, the institution or creditor receives a request for new,
additional or replacement checks, convenience checks, cards, or cell
phone, or for the addition of authorized users on the account.
17. Mail sent to the customer is returned as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
[[Page 40817]]
Anomalous Use of the Account
18. A new revolving credit account is used in a manner commonly
associated with fraud. For example:
a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
19. An account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of late or missed
payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in
connection with a deposit account; or
e. A material change in telephone call patterns in connection
with a cellular phone account.
20. An account that has been inactive for a reasonably lengthy
period of time is used (taking into consideration the type of
account, the expected pattern of usage and other relevant factors).
Notice From Customers or Others Regarding Customer Accounts
21. The financial institution or creditor is notified of
unauthorized charges in connection with a customer's account.
22. The financial institution or creditor is notified that it
has opened a fraudulent account for a person engaged in identity
theft.
23. The financial institution or creditor is notified that the
customer is not receiving account statements.
24. The financial institution or creditor is notified that its
customer has provided information to someone fraudulently claiming
to represent the financial institution or creditor or to a
fraudulent Web site.
25. Electronic messages are returned to mail servers of the
financial institution or creditor that it did not originally send,
indicating that its customers may have been asked to provide
information to a fraudulent Web site that looks very similar, if not
identical, to the Web site of the financial institution or creditor.
Other Red Flags
26. The name of an employee of the financial institution or
creditor has been added as an authorized user on an account.
27. An employee has accessed or downloaded an unusually large
number of customer account records.
28. The financial institution or creditor detects attempts to
access a customer's account by unauthorized persons.
29. The financial institution or creditor detects or is informed
of unauthorized access to a customer's personal information.
30. There are unusually frequent and large check orders in
connection with a customer's account.
31. The person opening an account or the customer is unable to
lift a credit freeze placed on his or her consumer report.
PART 364--STANDARDS FOR SAFETY AND SOUNDNESS
8. The authority citation for part 364 continues to read as
follows:
Authority: 12 U.S.C. 1819(Tenth), 1831p-1; 15 U.S.C. 1681s,
1681w, 6801(b), 6805(b)(1).
9. Add the following sentence at the end of Sec. 364.101(b):
Sec. 364.101 Standards for safety and soundness.
* * * * *
(b) * * * The interagency regulations and guidelines on identity
theft detection, prevention, and mitigation prescribed pursuant to
section 114 of the Fair and Accurate Credit Transactions Act of 2003,
15 U.S.C. 1681m(e), are set forth in Sec. Sec. 334.90, 334.91, and
Appendix J of part 334.
Department of the Treasury
Office of Thrift Supervision
12 CFR Chapter V
Authority and Issuance
For the reasons discussed in the joint preamble, the Office of
Thrift Supervision proposes to amend chapter V of title 12 of the Code
of Federal Regulations by amending 12 CFR part 571 as follows:
PART 571--FAIR CREDIT REPORTING
1. The authority citation for part 571 is revised to read as
follows:
Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1,
and 1881-1884; 15 U.S.C. 1681b, 1681c, 1681m, 1681s, and 1681w; 15
U.S.C. 6801 and 6805(b)(1).
Subpart A--General Provisions
2. Amend Sec. 571.1 by revising paragraph (b)(9) and adding a new
paragraph (b)(10) to read as follows:
Sec. 571.1 Purpose and Scope.
* * * * *
(b) Scope.
* * * * *
(9)(i) The scope of Sec. 571.82 of Subpart I of this part is
stated in Sec. 571.82(a).
(ii) The scope of Sec. 571.83 of Subpart I of this part is stated
in Sec. 571.83(a).
(10) The scope of Subpart J of this part is stated in Sec.
571.90(a).
3. Amend Sec. 571.3 by revising the introductory text to read as
follows:
Sec. 571.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
* * * * *
Subpart I--Duties of Users of Consumer Reports Regarding Address
Discrepancies and Records Disposal
4. Revise the heading for Subpart I as shown above.
5. Add Sec. 571.82 to read as follows:
Sec. 571.82 Duties of users regarding address discrepancies.
(a) Scope. This section applies to users of consumer reports that
receive notices of address discrepancies from credit reporting agencies
(referred to as ``users''), and that are either savings associations
whose deposits are insured by the Federal Deposit Insurance Corporation
or, in accordance with Sec. 559.3(h)(1) of this chapter, federal
savings association operating subsidiaries that are not functionally
regulated within the meaning of section 5(c)(5) of the Bank Holding
Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b) Definition. For purposes of this section, a notice of address
discrepancy means a notice sent to a user of a consumer report by a
consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that
informs the user of a substantial difference between the address for
the consumer that the user provided to request the consumer report and
the address(es) in the agency's file for the consumer.
(c) Requirement to form a reasonable belief. A user must develop
and implement reasonable policies and procedures for verifying the
identity of the consumer for whom it has obtained a consumer report and
for whom it receives a notice of address discrepancy. These policies
and procedures must be designed to enable the user either to form a
reasonable belief that it knows the identity of the consumer or
determine that it cannot do so. A user that employs the policies and
procedures regarding identification and verification set forth in the
Customer Identification Program (CIP) rules implementing 31 U.S.C.
5318(l) under these circumstances satisfies this requirement, whether
or not the user is subject to the CIP rules.
(d) Consumer's address. (1) Requirement to furnish consumer's
address to a consumer reporting agency. A user must develop and
implement reasonable policies and procedures for furnishing an address
for the consumer that the user has reasonably confirmed is accurate to
the consumer reporting agency from whom it received the notice of
address discrepancy when the user:
(i) Can form a reasonable belief that it knows the identity of the
consumer for
[[Page 40818]]
whom the consumer report was obtained;
(ii) Establishes or maintains a continuing relationship with the
consumer; and
(iii) Regularly and in the ordinary course of business furnishes
information to the consumer reporting agency from which the notice of
address discrepancy pertaining to the consumer was obtained.
(2) Requirement to confirm consumer's address. The user may
reasonably confirm an address is accurate by:
(i) Verifying the address with the person to whom the consumer
report pertains;
(ii) Reviewing its own records of the address provided to request
the consumer report;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance
with paragraph (d)(1) of this section must provide that the user will
furnish the consumer's address that the user has reasonably confirmed
is accurate to the consumer reporting agency as part of the information
it regularly furnishes:
(i) With respect to new relationships, for the reporting period in
which it establishes a relationship with the consumer; and
(ii) In other circumstances, for the reporting period in which the
user confirms the accuracy of the address of the consumer.
6. Revise Sec. 571.83 by:
a. Redesignating paragraphs (a) and (b) as paragraph (b) and (c),
respectively.
b. Adding a new paragraph (a) to read as follows:
Sec. 571.83 Disposition of consumer information.
(a) Scope. This section applies to savings associations whose
deposits are insured by the Federal Deposit Insurance Corporation (and
federal savings association operating subsidiaries in accordance with
Sec. 559.3(h)(1) of this chapter) (defined as ``you'' in Sec.
571.3(o) of this part).
* * * * *
7. Add Subpart J to part 571 to read as follows:
Subpart J--Identity Theft Red Flags
Sec. 571.90 Duties regarding the detection, prevention, and
mitigation of identity theft.
(a) Purpose and scope. This section implements section 114 of the
Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which
amends section 615 of the Fair Credit Reporting Act (FCRA). It applies
to financial institutions and creditors that are either savings
associations whose deposits are insured by the Federal Deposit
Insurance Corporation or, in accordance with Sec. 559.3(h)(1) of this
chapter, federal savings association operating subsidiaries that are
not functionally regulated within the meaning of section 5(c)(5) of the
Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b) Definitions. For purposes of this section, the following
definitions apply:
(1) Account means a continuing relationship established to provide
a financial product or service that a financial holding company could
offer by engaging in an activity that is financial in nature or
incidental to such a financial activity under section 4(k) of the Bank
Holding Company Act, 12 U.S.C. 1843(k). Account includes:
(i) An extension of credit for personal, family, household or
business purposes, such as a credit card account, margin account, or
retail installment sales contract, such as a car loan or lease; and
(ii) A demand deposit, savings or other asset account for personal,
family, household, or business purposes, such as a checking or savings
account.
(2) The term board of directors includes:
(i) In the case of a foreign branch or agency of a foreign bank,
the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board
of directors, a designated employee.
(3) Customer means a person that has an account with a financial
institution or creditor.
(4) Identity theft has the same meaning as in 16 CFR 603.2(a).
(5) Red Flag means a pattern, practice, or specific activity that
indicates the possible risk of identity theft.
(6) Service provider means a person that provides a service
directly to the financial institution or creditor.
(c) Identity Theft Prevention Program. Each financial institution
or creditor must implement a written Identity Theft Prevention Program
(Program). The Program must include reasonable policies and procedures
to address the risk of identity theft to its customers and the safety
and soundness of the financial institution or creditor, including
financial, operational, compliance, reputation, and litigation risks,
in the manner discussed in paragraph (d) of this section. The Program
must be:
(1) Appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities; and
(2) Designed to address changing identity theft risks as they arise
in connection with the experiences of the financial institution or
credit with identity theft, and changes in methods of identity theft,
methods to detect, prevent, and mitigate identity theft, the types of
accounts it offers, and business arrangements, including mergers,
acquisitions, alliances, joint ventures, and service provider
arrangements.
(d) Development and implementation of Program. (1) Identification
and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must
include policies and procedures to identify Red Flags, singly or in
combination, that are relevant to detecting a possible risk of identity
theft to customers or to the safety and soundness of the financial
institution or creditor, using the risk evaluation set forth in
paragraph (d)(1)(ii) of this section. The Red Flags identified must
reflect changing identity theft risks to customers and to the financial
institution or creditor as they arise. At a minimum, the Program must
incorporate any relevant Red Flags from:
(A) Appendix J to this part;
(B) Applicable supervisory guidance;
(C) Incidents of identity theft that the financial institution or
creditor has experienced; and
(D) Methods of identity theft that the financial institution or
creditor has identified that reflect changes in identity theft risks.
(ii) Risk evaluation. In identifying which Red Flags are relevant,
the financial institution or creditor must consider:
(A) Which of its accounts are subject to a risk of identity theft;
(B) The methods it provides to open these accounts;
(C) The methods it provides to access these accounts; and
(D) Its size, location, and customer base.
(2) Identity theft prevention and mitigation. The Program must
include reasonable policies and procedures designed to prevent and
mitigate identity theft in connection with the opening of an account or
any existing account, including policies and procedures to:
(i) Obtain identifying information about, and verify the identity
of, a person opening an account. A financial institution or creditor
that uses the policies and procedures regarding identification and
verification set forth in the Customer Identification Program (CIP)
rules implementing 31 U.S.C. 5318(l), under these circumstances,
[[Page 40819]]
satisfies this requirement whether or not the user is subject to the
CIP rules;
(ii) Detect the Red Flags pursuant to paragraph (d)(1) of this
section;
(iii) Assess whether the Red Flags detected pursuant to paragraph
(d)(2)(ii) of this section evidence a risk of identity theft. An
institution or creditor must have a reasonable basis for concluding
that a Red Flag does not evidence a risk of identity theft; and
(iv) Address the risk of identity theft, commensurate with the
degree of risk posed, such as by:
(A) Monitoring an account for evidence of identity theft;
(B) Contacting the customer;
(C) Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
(D) Reopening an account with a new account number;
(E) Not opening a new account;
(F) Closing an existing account;
(G) Notifying law enforcement and, for those that are subject to 31
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
applicable law and regulation;
(H) Implementing any requirements regarding limitations on credit
extensions under 15 U.S.C. 1681c-1(h) as declining to issue an
additional credit card when the financial institution or creditor
detects a fraud or active duty alert associated with the opening of an
account, or an existing account; or
(I) Implementing any requirements for furnishers of information to
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or
update inaccurate or incomplete information.
(3) Staff training. Each financial institution or creditor must
train staff to implement its Program.
(4) Oversight of service provider arrangements. Whenever a
financial institution or creditor engages a service provider to perform
an activity on its behalf and the requirements of its Program are
applicable to that activity (such as account opening), the financial
institution or creditor must take steps designed to ensure that the
activity is conducted in compliance with a Program that meets the
requirements of paragraphs (c) and (d) of this section.
(5) Involvement of board of directors and senior management. (i)
Board approval. The board of directors or an appropriate committee of
the board must approve the written Program.
(ii) Oversight by board or senior management. The board of
directors, an appropriate committee of the board, or senior management
must oversee the development, implementation, and maintenance of the
Program, including assigning specific responsibility for its
implementation, and reviewing annual reports prepared by staff
regarding compliance by the financial institution or creditor with this
section.
(iii) Reports. (A) In general. Staff of the financial institution
or creditor responsible for implementation of its Program must report
to the board, an appropriate committee of the board, or senior
management, at least annually, on compliance by the financial
institution or creditor with this section.
(B) Contents of report. The report must discuss material matters
related to the Program and evaluate issues such as: the effectiveness
of the policies and procedures of the financial institution or creditor
in addressing the risk of identity theft in connection with the opening
of accounts and with respect to existing accounts; service provider
arrangements; significant incidents involving identity theft and
management's response; and recommendations for changes in the Program.
Sec. 571.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to a person described in Sec.
571.90(a) that issues a debit or credit card.
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or
debit card.
(2) Clear and conspicuous means reasonably understandable and
designed to call attention to the nature and significance of the
information presented.
(c) In general. The card issuer must establish and implement
reasonable policies and procedures to assess the validity of a change
of address if it receives notification of a change of address for a
consumer's debit or credit card account and within a short period of
time afterwards (during at least the first 30 days after it receives
such notification), the card issuer receives a request for an
additional or replacement card for the same account. Under these
circumstances, the card issuer may not issue an additional or
replacement card, unless, in accordance with its reasonable policies
and procedures and for the purpose of assessing the validity of the
change of address, the card issuer:
(1) Notifies the cardholder of the request at the cardholder's
former address and provides to the cardholder a means of promptly
reporting incorrect address changes;
(2) Notifies the cardholder of the request by any other means of
communication that the card issuer and the cardholder have previously
agreed to use; or
(3) Uses other means of assessing the validity of the change of
address, in accordance with the policies and procedures the card issuer
has established pursuant to section 571.90.
(d) Form of notice. Any written or electronic notice that the card
issuer provides under this paragraph shall be clear and conspicuous and
provided separately from its regular correspondence with the
cardholder.
8. Reserve appendices A through I to part 571.
9. Add Appendix J to part 571 to read as follows:
Appendix J to Part 571--Interagency Guidelines on Identity Theft
Detection, Prevention, and MitigationRed Flags in Connection With
an Account Application or an Existing Account Information From a
Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer
report.
2. A notice of address discrepancy is provided by a consumer
reporting agency.
3. A consumer report indicates a pattern of activity that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries.
b. An unusual number of recently established credit
relationships.
c. A material change in the use of credit, especially with
respect to recently established credit relationships.
d. An account was closed for cause or identified for abuse of
account privileges by a financial institution or creditor.
Documentary Identification
4. Documents provided for identification appear to have been
altered.
5. The photograph or physical description on the identification
is not consistent with the appearance of the applicant or customer
presenting the identification.
6. Other information on the identification is not consistent
with information provided by the person opening a new account or
customer presenting the identification.
7. Other information on the identification is not consistent
with information that is on file, such as a signature card.
Personal Information
8. Personal information provided is inconsistent when compared
against external information sources. For example:
a. The address does not match any address in the consumer
report; or
b. The Social Security Number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File.
9. Personal information provided is internally inconsistent. For
example, there is a lack of correlation between the SSN range and
date of birth.
10. Personal information provided is associated with known
fraudulent activity. For example:
[[Page 40820]]
a. The address on an application is the same as the address
provided on a fraudulent application; or
b. The phone number on an application is the same as the number
provided on a fraudulent application.
11. Personal information provided is of a type commonly
associated with fraudulent activity. For example:
a. The address on an application is fictitious, a mail drop, or
prison.
b. The phone number is invalid, or is associated with a pager or
answering service.
12. The address, SSN, or home or cell phone number provided is
the same as that submitted by other persons opening an account or
other customers.
13. The person opening the account or the customer fails to
provide all required information on an application.
14. Personal information provided is not consistent with
information that is on file.
15. The person opening the account or the customer cannot
provide authenticating information beyond that which generally would
be available from a wallet or consumer report.
Address Changes
16. Shortly following the notice of a change of address for an
account, the institution or creditor receives a request for new,
additional, or replacement checks, convenience checks, cards, or a
cell phone, or for the addition of authorized users on the account.
17. Mail sent to the customer is returned as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
Anomalous Use of the Account
18. A new revolving credit account is used in a manner commonly
associated with fraud. For example:
a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
19. An account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of late or missed
payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in
connection with a deposit account; or
e. A material change in telephone call patterns in connection
with a cellular phone account.
20. An account that has been inactive for a reasonably lengthy
period of time is used (taking into consideration the type of
account, the expected pattern of usage and other relevant factors).
Notice From Customers or Others Regarding Customer Accounts
21. The financial institution or creditor is notified of
unauthorized charges in connection with a customer's account.
22. The financial institution or creditor is notified that it
has opened a fraudulent account for a person engaged in identity
theft.
23. The financial institution or creditor is notified that the
customer is not receiving account statements.
24. The financial institution or creditor is notified that its
customer has provided information to someone fraudulently claiming
to represent the financial institution or creditor or to a
fraudulent website.
25. Electronic messages are returned to mail servers of the
financial institution or creditor that it did not originally send,
indicating that its customers may have been asked to provide
information to a fraudulent Web site that looks very similar, if not
identical, to the Web site of the financial institution or creditor.
Other Red Flags
26. The name of an employee of the financial institution or
creditor has been added as an authorized user on an account.
27. An employee has accessed or downloaded an unusually large
number of customer account records.
28. The financial institution or creditor detects attempts to
access a customer's account by unauthorized persons.
29. The financial institution or creditor detects or is informed
of unauthorized access to a customer's personal information.
30. There are unusually frequent and large check orders in
connection with a customer's account.
31. The person opening an account or the customer is unable to
lift a credit freeze placed on his or her consumer report.
National Credit Union Administration
12 CFR Part 717
Authority and Issuance
For the reasons discussed in the joint preamble, the National
Credit Union Administration proposes to amend chapter VII of title 12
of the Code of Federal Regulations by amending 12 CFR part 717 as
follows:
PART 717--FAIR CREDIT REPORTING
1. The authority citation for part 717 is revised to read as
follows:
Authority: 15 U.S.C. 1681a, 1681c, 1681m, 1681s, 1681w, 6801 and
6805.
Subpart A--General Provisions
2. Amend Sec. 717.3 by revising the introductory text to read as
follows:
Sec. 717.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
* * * * *
Subpart I--Duties of Users of Consumer Reports Regarding Address
Discrepancies and Records Disposal
3. Revise the heading for Subpart I as shown above.
4. Add Sec. 717.82 to read as follows:
Sec. 717.82 Duties of users regarding address discrepancies.
(a) Scope. This section applies to users of consumer reports that
receive notices of address discrepancies from credit reporting agencies
(referred to as ``users''), and that are Federal credit unions.
(b) Definition. For purposes of this section, a notice of address
discrepancy means a notice sent to a user of a consumer report by a
consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that
informs the user of a substantial difference between the address for
the consumer that the user provided to request the consumer report and
the address(es) in the agency's file for the consumer.
(c) Requirement to form a reasonable belief. A user must develop
and implement reasonable policies and procedures for verifying the
identity of the consumer for whom it has obtained a consumer report and
for whom it receives a notice of address discrepancy. These policies
and procedures must be designed to enable the user either to form a
reasonable belief that it knows the identity of the consumer or
determine that it cannot do so. A user that employs the policies and
procedures regarding identification and verification set forth in the
Customer Identification Program (CIP) rules implementing 31 U.S.C.
5318(l) under these circumstances satisfies this requirement, whether
or not the user is subject to the CIP rules.
(d) Consumer's address (1) Requirement to furnish consumer's
address to a consumer reporting agency. A user must develop and
implement reasonable policies and procedures for furnishing an address
for the consumer that the user has reasonably confirmed is accurate to
the consumer reporting agency from whom it received the notice of
address discrepancy when the user:
(i) Can form a reasonable belief that it knows the identity of the
consumer for whom the consumer report was obtained;
(ii) Establishes or maintains a continuing relationship with the
consumer; and
(iii) Regularly and in the ordinary course of business furnishes
information to the consumer reporting agency from which the notice of
address discrepancy
[[Page 40821]]
pertaining to the consumer was obtained.
(2) Requirement to confirm consumer's address. The user may
reasonably confirm an address is accurate by:
(i) Verifying the address with the person to whom the consumer
report pertains;
(ii) Reviewing its own records of the address provided to request
the consumer report;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance
with paragraph (d)(1) of this section must provide that the user will
furnish the consumer's address that the user has reasonably confirmed
is accurate to the consumer reporting agency as part of the information
it regularly furnishes:
(i) With respect to new relationships, for the reporting period in
which it establishes a relationship with the consumer; and
(ii) In other circumstances, for the reporting period in which the
user confirms the accuracy of the address of the consumer.
5. Add Subpart J to part 717 to read as follows:
Subpart J--Identity Theft Red Flags
Sec. 717.90 Duties regarding the detection, prevention, and
mitigation of identity theft.
(a) Purpose and scope. This section implements section 114 of the
Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which
amends section 615 of the Fair Credit Reporting Act (FCRA). It applies
to financial institutions and creditors that are Federal credit unions.
(b) Definitions. For purposes of this section, the following
definitions apply:
(1) Account means a continuing relationship established to provide
a financial product or service that a financial holding company could
offer by engaging in an activity that is financial in nature or
incidental to such a financial activity under section 4(k) of the Bank
Holding Company Act, 12 U.S.C. 1843(k). Account includes:
(i) An extension of credit for personal, family, household or
business purposes, such as a credit card account, margin account, or
retail installment sales contract, such as a car loan or lease; and
(ii) A demand deposit, savings or other asset account for personal,
family, household, or business purposes, such as a checking or savings
account.
(2) The term board of directors includes:
(i) In the case of a foreign branch or agency of a foreign bank,
the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board
of directors, a designated employee.
(3) Customer means a person that has an account with a financial
institution or creditor.
(4) Identity theft has the same meaning as in 16 CFR 603.2(a).
(5) Red Flag means a pattern, practice, or specific activity that
indicates the possible risk of identity theft.
(6) Service provider means a person that provides a service
directly to the financial institution or creditor.
(c) Identity Theft Prevention Program. Each financial institution
or creditor must implement a written Identity Theft Prevention Program
(Program). The Program must include reasonable policies and procedures
to address the risk of identity theft to its customers and the safety
and soundness of the financial institution or creditor, including
financial, operational, compliance, reputation, and litigation risks,
in the manner discussed in paragraph (d) of this section. The Program
must be:
(1) Appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities; and
(2) Designed to address changing identity theft risks as they arise
in connection with the experiences of the financial institution or
creditor with identity theft, and changes in methods of identity theft,
methods to detect, prevent, and mitigate identity theft, the types of
accounts it offers, and business arrangements, including mergers,
acquisitions, alliances, joint ventures, and service provider
arrangements.
(d) Development and implementation of Program. (1) Identification
and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must
include policies and procedures to identify Red Flags, singly or in
combination, that are relevant to detecting a possible risk of identity
theft to customers or to the safety and soundness of the financial
institution or creditor, using the risk evaluation set forth in
paragraph (d)(1)(ii) of this section. The Red Flags identified must
reflect changing identity theft risks to customers and to the financial
institution or creditor as they arise. At a minimum, the Program must
incorporate any relevant Red Flags from:
(A) Appendix J to this part;
(B) Applicable supervisory guidance;
(C) Incidents of identity theft that the financial institution or
creditor has experienced; and
(D) Methods of identity theft that the financial institution or
creditor has identified that reflect changes in identity theft risks.
(ii) Risk evaluation. In identifying which Red Flags are relevant,
the financial institution or creditor must consider:
(A) Which of its accounts are subject to a risk of identity theft;
(B) The methods it provides to open these accounts;
(C) The methods it provides to access these accounts; and
(D) Its size, location, and customer base.
(2) Identity theft prevention and mitigation. The Program must
include reasonable policies and procedures designed to prevent and
mitigate identity theft in connection with the opening of an account or
any existing account, including policies and procedures to:
(i) Obtain identifying information about, and verify the identity
of, a person opening an account. A financial institution or creditor
that uses the policies and procedures regarding identification and
verification set forth in the Customer Identification Program (CIP)
rules implementing 31 U.S.C. 5318(l), under these circumstances,
satisfies this requirement whether or not the user is subject to the
CIP rules;
(ii) Detect the Red Flags identified pursuant to paragraph (d)(1)
of this section;
(iii) Assess whether the Red Flags detected pursuant to paragraph
(d)(2)(ii) of this section evidence a risk of identity theft. An
institution or creditor must have a reasonable basis for concluding
that a Red Flag does not evidence a risk of identity theft; and
(iv) Address the risk of identity theft, commensurate with the
degree of risk posed, such as by:
(A) Monitoring an account for evidence of identity theft;
(B) Contacting the customer;
(C) Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
(D) Reopening an account with a new account number;
(E) Not opening a new account;
(F) Closing an existing account;
(G) Notifying law enforcement and, for those that are subject to 31
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
applicable law and regulation;
(H) Implementing any requirements regarding limitations on credit
extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an
additional credit card when the financial institution or creditor
detects a fraud or active duty alert associated with the opening of an
account, or an existing account; or
[[Page 40822]]
(I) Implementing any requirements for furnishers of information to
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or
update inaccurate or incomplete information.
(3) Staff training. Each financial institution or creditor must
train staff to implement its Program.
(4) Oversight of service provider arrangements. Whenever a
financial institution or creditor engages a service provider to perform
an activity on its behalf and the requirements of its Program are
applicable to that activity (such as account opening), the financial
institution or creditor must take steps designed to ensure that the
activity is conducted in compliance with a Program that meets the
requirements of paragraphs (c) and (d) of this section.
(5) Involvement of board of directors and senior management. (i)
Board approval. The board of directors or an appropriate committee of
the board must approve the written Program.
(ii) Oversight by board or senior management. The board of
directors, an appropriate committee of the board, or senior management
must oversee the development, implementation, and maintenance of the
Program, including assigning specific responsibility for its
implementation, and reviewing annual reports prepared by staff
regarding compliance by the financial institution or creditor with this
section.
(iii) Reports. (A) In general. Staff of the financial institution
or creditor responsible for implementation of its Program must report
to the board, an appropriate committee of the board, or senior
management, at least annually, on compliance by the financial
institution or creditor with this section.
(B) Contents of report. The report must discuss material matters
related to the Program and evaluate issues such as: the effectiveness
of the policies and procedures of the financial institution or creditor
in addressing the risk of identity theft in connection with the opening
of accounts and with respect to existing accounts; service provider
arrangements; significant incidents involving identity theft and
management's response; and recommendations for changes in the Program.
Sec. 717.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to a person described in Sec.
717.90(a) that issues a debit or credit card.
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or
debit card.
(2) Clear and conspicuous means reasonably understandable and
designed to call attention to the nature and significance of the
information presented.
(c) In general. A card issuer must establish and implement
reasonable policies and procedures to assess the validity of a change
of address if it receives notification of a change of address for a
consumer's debit or credit card account and within a short period of
time afterwards (during at least the first 30 days after it receives
such notification), the card issuer receives a request for an
additional or replacement card for the same account. Under these
circumstances, the card issuer may not issue an additional or
replacement card, unless, in accordance with its reasonable policies
and procedures and for the purpose of assessing the validity of the
change of address, the card issuer:
(1) Notifies the cardholder of the request at the cardholder's
former address and provides to the cardholder a means of promptly
reporting incorrect address changes;
(2) Notifies the cardholder of the request by any other means of
communication that the card issuer and the cardholder have previously
agreed to use; or
(3) Uses other means of assessing the validity of the change of
address, in accordance with the policies and procedures the card issuer
has established pursuant to section 717.90.
(d) Form of notice. Any written or electronic notice that the card
issuer provides under this paragraph shall be clear and conspicuous and
provided separately from its regular correspondence with the
cardholder.
6. Reserve appendices A through I to part 717.
7. Add Appendix J to part 717 to read as follows:
Appendix J to Part 717--Interagency Guidelines on Identity Theft
Detection, Prevention, and Mitigation
Red Flags in Connection With an Account Application or an Existing
Account Information From a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer
report.
2. A notice of address discrepancy is provided by a consumer
reporting agency.
3. A consumer report indicates a pattern of activity that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries.
b. An unusual number of recently established credit
relationships.
c. A material change in the use of credit, especially with
respect to recently established credit relationships.
d. An account was closed for cause or identified for abuse of
account privileges by a financial institution or creditor.
Documentary Identification
4. Documents provided for identification appear to have been
altered.
5. The photograph or physical description on the identification
is not consistent with the appearance of the applicant or customer
presenting the identification.
6. Other information on the identification is not consistent
with information provided by the person opening a new account or
customer presenting the identification.
7. Other information on the identification is not consistent
with information that is on file, such as a signature card.
Personal Information
8. Personal information provided is inconsistent when compared
against external information sources. For example:
a. The address does not match any address in the consumer
report; or
b. The Social Security Number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File.
9. Personal information provided is internally inconsistent. For
example, there is a lack of correlation between the SSN range and
date of birth.
10. Personal information provided is associated with known
fraudulent activity. For example:
a. The address on an application is the same as the address
provided on a fraudulent application; or
b. The phone number on an application is the same as the number
provided on a fraudulent application.
11. Personal information provided is of a type commonly
associated with fraudulent activity. For example:
a. The address on an application is fictitious, a mail drop, or
prison.
b. The phone number is invalid, or is associated with a pager or
answering service.
12. The address, SSN, or home or cell phone number provided is
the same as that submitted by other persons opening an account or
other customers.
13. The person opening the account or the customer fails to
provide all required information on an application.
14. Personal information provided is not consistent with
information that is on file.
15. The person opening the account or the customer cannot
provide authenticating information beyond that which generally would
be available from a wallet or consumer report.
Address Changes
16. Shortly following the notice of a change of address for an
account, the institution or creditor receives a request for new,
additional, or replacement checks, convenience checks, cards, or a
cell phone, or for the addition of authorized users on the account.
17. Mail sent to the customer is returned as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
[[Page 40823]]
Anomalous Use of the Account
18. A new revolving credit account is used in a manner commonly
associated with fraud. For example:
a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
19. An account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of late or missed
payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in
connection with a deposit account; or
e. A material change in telephone call patterns in connection
with a cellular phone account.
20. An account that has been inactive for a reasonably lengthy
period of time is used (taking into consideration the type of
account, the expected pattern of usage and other relevant factors).
Notice From Customers or Others Regarding Customer Accounts
21. The financial institution or creditor is notified of
unauthorized charges in connection with a customer's account.
22. The financial institution or creditor is notified that it
has opened a fraudulent account for a person engaged in identity
theft.
23. The financial institution or creditor is notified that the
customer is not receiving account statements.
24. The financial institution or creditor is notified that its
customer has provided information to someone fraudulently claiming
to represent the financial institution or creditor or to a
fraudulent Web site.
25. Electronic messages are returned to mail servers of the
financial institution or creditor that it did not originally send,
indicating that its customers may have been asked to provide
information to a fraudulent Web site that looks very similar, if not
identical, to the Web site of the financial institution or creditor.
Other Red Flags
26. The name of an employee of the financial institution or
creditor has been added as an authorized user on an account.
27. An employee has accessed or downloaded an unusually large
number of customer account records.
28. The financial institution or creditor detects attempts to
access a customer's account by unauthorized persons.
29. The financial institution or creditor detects or is informed
of unauthorized access to a customer's personal information.
30. There are unusually frequent and large check orders in
connection with a customer's account.
31. The person opening an account or the customer is unable to
lift a credit freeze placed on his or her consumer report.
Federal Trade Commission
16 CFR Part 681
For the reasons discussed in the joint preamble, the Commission
proposes to add part 681 of title 16 of the Code of Federal Regulations
as follows:
PART 681--IDENTITY THEFT RULES
Sec.
681.1 Duties of users of consumer reports regarding address
discrepancies.
681.2 Duties regarding the detection, prevention, and mitigation of
identity theft.
681.3 Duties of card issuers regarding changes of address.
Appendix A to Part 681 Interagency Guidelines on Identity Theft
Detection, Prevention, and Mitigation
Authority: Pub. L. 108-159, sec 114 and sec 315; 15 U.S.C.
1681m(e) and 15 U.S.C. 1681c(h).
Sec. 681.1 Duties of users of consumer reports regarding address
discrepancies.
(a) Scope. This section applies to users of consumer reports that
are subject to administrative enforcement of the FCRA by the Federal
Trade Commission pursuant to 15 U.S.C. 1681s(a)(1) (referred to as
``users'').
(b) Definition. For purposes of this section, a notice of address
discrepancy means a notice sent to a user of a consumer report by a
consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that
informs the user of a substantial difference between the address for
the consumer that the user provided to request the consumer report and
the address(es) in the agency's file for the consumer.
(c) Requirement to form a reasonable belief. A user must develop
and implement reasonable policies and procedures for verifying the
identity of the consumer for whom it has obtained a consumer report and
for whom it receives a notice of address discrepancy. These policies
and procedures must be designed to enable the user either to form a
reasonable belief that it knows the identity of the consumer or
determine that it cannot do so. A user that employs the policies and
procedures regarding identification and verification set forth in the
Customer Identification Program (CIP) rules implementing 31 U.S.C.
5318(l) under these circumstances satisfies this requirement, whether
or not the user is subject to the CIP rules.
(d) Consumer's address
(1) Requirement to furnish consumer's address to a consumer
reporting agency. A user must develop and implement reasonable policies
and procedures for furnishing an address for the consumer that the user
has reasonably confirmed is accurate to the consumer reporting agency
from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that it knows the identity of the
consumer for whom the consumer report was obtained;
(ii) Establishes or maintains a continuing relationship with the
consumer; and
(iii) Regularly and in the ordinary course of business furnishes
information to the consumer reporting agency from which the notice of
address discrepancy pertaining to the consumer was obtained.
(2) Requirement to confirm consumer's address. The user may
reasonably confirm an address is accurate by:
(i) Verifying the address with the person to whom the consumer
report pertains;
(ii) Reviewing its own records of the address provided to request
the consumer report;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance
with paragraph (d)(1) of this section must provide that the user will
furnish the consumer's address that the user has reasonably confirmed
is accurate to the consumer reporting agency as part of the information
it regularly furnishes:
(i) With respect to new relationships, for the reporting period in
which it establishes a relationship with the consumer; and
(ii) In other circumstances, for the reporting period in which the
user confirms the accuracy of the address of the consumer.
Sec. 681.2 Duties regarding the detection, prevention, and mitigation
of identity theft.
(a) Purpose and scope. This section implements section 114 of the
Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which
amends section 615 of the Fair Credit Reporting Act (FCRA). It applies
to financial institutions and creditors that are subject to
administrative enforcement of the FCRA by the Federal Trade Commission
pursuant to 15 U.S.C. 1681s(a)(1).
(b) Definitions. For purposes of this section, the following
definitions apply:
(1) Account means a continuing relationship established to provide
a financial product or service that a
[[Page 40824]]
financial holding company could offer by engaging in an activity that
is financial in nature or incidental to such a financial activity under
section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).
Account includes:
(i) An extension of credit for personal, family, household or
business purposes, such as a credit card account, margin account, or
retail installment sales contract, such as a car loan or lease; and
(ii) A demand deposit, savings or other asset account for personal,
family, household, or business purposes, such as a checking or savings
account.
(2) The term board of directors includes:
(i) In the case of a foreign branch or agency of a foreign bank,
the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board
of directors, a designated employee.
(3) Customer means a person that has an account with a financial
institution or creditor.
(4) Identity theft has the same meaning as in 16 CFR 603.2(a).
(5) Red Flag means a pattern, practice, or specific activity that
indicates the possible risk of identity theft.
(6) Service provider means a person that provides a service
directly to the financial institution or creditor.
(c) Identity Theft Prevention Program. Each financial institution
or creditor must implement a written Identity Theft Prevention Program
(Program). The Program must include reasonable policies and procedures
to address the risk of identity theft to its customers and the safety
and soundness of the financial institution or creditor, including
financial, operational, compliance, reputation, and litigation risks,
in the manner discussed in paragraph (d) of this section. The Program
must be:
(1) Appropriate to the size and complexity of the financial
institution or creditor and the nature and scope of its activities; and
(2) Designed to address changing identity theft risks as they arise
in connection with the experiences of the financial institution or
creditor with identity theft, and changes in methods of identity theft,
methods to detect, prevent, and mitigate identity theft, the types of
accounts it offers, and business arrangements, including mergers,
acquisitions, alliances, joint ventures, and service provider
arrangements.
(d) Development and implementation of Program.
(1) Identification and evaluation of Red Flags.
(i) Risk-based Red Flags. The Program must include policies and
procedures to identify Red Flags, singly or in combination, that are
relevant to detecting a possible risk of identity theft to customers or
to the safety and soundness of the financial institution or creditor,
using the risk evaluation set forth in paragraph (d)(1)(ii) of this
section. The Red Flags identified must reflect changing identity theft
risks to customers and to the financial institution or creditor as they
arise. At a minimum, the Program must incorporate any relevant Red
Flags from:
(A) Appendix A to this part;
(B) Applicable supervisory guidance;
(C) Incidents of identity theft that the financial institution or
creditor has experienced; and
(D) Methods of identity theft that the financial institution or
creditor has identified that reflect changes in identity theft risks.
(ii) Risk evaluation. In identifying which Red Flags are relevant,
the financial institution or creditor must consider:
(A) Which of its accounts are subject to a risk of identity theft;
(B) The methods it provides to open these accounts;
(C) The methods it provides to access these accounts; and
(D) Its size, location, and customer base.
(2) Identity theft prevention and mitigation. The Program must
include reasonable policies and procedures designed to prevent and
mitigate identity theft in connection with the opening of an account or
any existing account, including policies and procedures to:
(i) Obtain identifying information about, and verify the identity
of, a person opening an account. A financial institution or creditor
that uses the policies and procedures regarding identification and
verification set forth in the Customer Identification Program (CIP)
rules implementing 31 U.S.C. 5318(l), under these circumstances,
satisfies this requirement whether or not the user is subject to the
CIP rules;
(ii) Detect the Red Flags identified pursuant to paragraph (d)(1)
of this section;
(iii) Assess whether the Red Flags detected pursuant to paragraph
(d)(2)(ii) of this section evidence a risk of identity theft. An
institution or creditor must have a reasonable basis for concluding
that a Red Flag does not evidence a risk of identity theft; and
(iv) Address the risk of identity theft, commensurate with the
degree of risk posed, such as by:
(A) Monitoring an account for evidence of identity theft;
(B) Contacting the customer;
(C) Changing any passwords, security codes, or other security
devices that permit access to a customer's account;
(D) Reopening an account with a new account number;
(E) Not opening a new account;
(F) Closing an existing account;
(G) Notifying law enforcement and, for those that are subject to 31
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
applicable law and regulation;
(H) Implementing any requirements regarding limitations on credit
extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an
additional credit card when the financial institution or creditor
detects a fraud or active duty alert associated with the opening of an
account, or an existing account; or
(I) Implementing any requirements for furnishers of information to
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or
update inaccurate or incomplete information.
(3) Staff training. Each financial institution or creditor must
train staff to implement its Program.
(4) Oversight of service provider arrangements. Whenever a
financial institution or creditor engages a service provider to perform
an activity on its behalf and the requirements of its Program are
applicable to that activity (such as account opening), the financial
institution or creditor must take steps designed to ensure that the
activity is conducted in compliance with a Program that meets the
requirements of paragraphs (c) and (d) of this section.
(5) Involvement of board of directors and senior management. (i)
Board approval. The board of directors or an appropriate committee of
the board must approve the written Program.
(ii) Oversight by board or senior management. The board of
directors, an appropriate committee of the board, or senior management
must oversee the development, implementation, and maintenance of the
Program, including assigning specific responsibility for its
implementation, and reviewing annual reports prepared by staff
regarding compliance by the financial institution or creditor with this
section.
(iii) Reports.
(A) In general. Staff of the financial institution or creditor
responsible for implementation of its Program must report to the board,
an appropriate committee of the board, or senior management, at least
annually, on compliance by the financial institution or creditor with
this section.
[[Page 40825]]
(B) Contents of report. The report must discuss material matters
related to the Program and evaluate issues such as: the effectiveness
of the policies and procedures of the financial institution or creditor
in addressing the risk of identity theft in connection with the opening
of accounts and with respect to existing accounts; service provider
arrangements; significant incidents involving identity theft and
management's response; and recommendations for changes in the Program.
Sec. 681.3 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to a person described in Sec.
681.2(a) that issues a debit or credit card.
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or
debit card.
(2) Clear and conspicuous means reasonably understandable and
designed to call attention to the nature and significance of the
information presented.
(c) In general. A card issuer must establish and implement
reasonable policies and procedures to assess the validity of a change
of address if it receives notification of a change of address for a
consumer's debit or credit card account and within a short period of
time afterwards (during at least the first 30 days after it receives
such notification), the card issuer receives a request for an
additional or replacement card for the same account. Under these
circumstances, the card issuer may not issue an additional or
replacement card, unless, in accordance with its reasonable policies
and procedures and for the purpose of assessing the validity of the
change of address, the card issuer:
(1) Notifies the cardholder of the request at the cardholder's
former address and provides to the cardholder a means of promptly
reporting incorrect address changes;
(2) Notifies the cardholder of the request by any other means of
communication that the card issuer and the cardholder have previously
agreed to use; or
(3) Uses other means of assessing the validity of the change of
address, in accordance with the policies and procedures the card issuer
has established pursuant to this section.
(d) Form of notice. Any written or electronic notice that the card
issuer provides under this paragraph shall be clear and conspicuous and
provided separately from its regular correspondence with the
cardholder.
Appendix A to Part 681--Interagency Guidelines on Identity Theft
Detection, Prevention, and MitigationRed Flags in Connection With
an Account Application or an Existing Account
Information From a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer
report.
2. A notice of address discrepancy is provided by a consumer
reporting agency.
3. A consumer report indicates a pattern of activity that is
inconsistent with the history and usual pattern of activity of an
applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries.
b. An unusual number of recently established credit
relationships.
c. A material change in the use of credit, especially with
respect to recently established credit relationships.
d. An account was closed for cause or identified for abuse of
account privileges by a financial institution or creditor.
Documentary Identification
4. Documents provided for identification appear to have been
altered.
5. The photograph or physical description on the identification
is not consistent with the appearance of the applicant or customer
presenting the identification.
6. Other information on the identification is not consistent
with information provided by the person opening a new account or
customer presenting the identification.
7. Other information on the identification is not consistent
with information that is on file, such as a signature card.
Personal Information
8. Personal information provided is inconsistent when compared
against external information sources. For example:
a. The address does not match any address in the consumer
report; or
b. The Social Security Number (SSN) has not been issued, or is
listed on the Social Security Administration's Death Master File.
9. Personal information provided is internally inconsistent. For
example, there is a lack of correlation between the SSN range and
date of birth.
10. Personal information provided is associated with known
fraudulent activity. For example:
a. The address on an application is the same as the address
provided on a fraudulent application; or
b. The phone number on an application is the same as the number
provided on a fraudulent application.
11. Personal information provided is of a type commonly
associated with fraudulent activity. For example:
a. The address on an application is fictitious, a mail drop, or
prison.
b. The phone number is invalid, or is associated with a pager or
answering service.
12. The address, SSN, or home or cell phone number provided is
the same as that submitted by other persons opening an account or
other customers.
13. The person opening the account or the customer fails to
provide all required information on an application.
14. Personal information provided is not consistent with
information that is on file.
15. The person opening the account or the customer cannot
provide authenticating information beyond that which generally would
be available from a wallet or consumer report.
Address Changes
16. Shortly following the notice of a change of address for an
account, the institution or creditor receives a request for new,
additional or replacement checks, convenience checks, cards, or cell
phone, or for the addition of authorized users on the account.
17. Mail sent to the customer is returned as undeliverable
although transactions continue to be conducted in connection with
the customer's account.
Anomalous Use of the Account
18. A new revolving credit account is used in a manner commonly
associated with fraud. For example:
a. The majority of available credit is used for cash advances or
merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
b. The customer fails to make the first payment or makes an
initial payment but no subsequent payments.
19. An account is used in a manner that is not consistent with
established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of late or missed
payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in
connection with a deposit account; or
e. A material change in telephone call patterns in connection
with a cellular phone account.
20. An account that has been inactive for a reasonably lengthy
period of time is used (taking into consideration the type of
account, the expected pattern of usage and other relevant factors).
Notice From Customers or Others Regarding Customer Accounts
21. The financial institution or creditor is notified of
unauthorized charges in connection with a customer's account.
22. The financial institution or creditor is notified that it
has opened a fraudulent account for a person engaged in identity
theft.
23. The financial institution or creditor is notified that the
customer is not receiving account statements.
24. The financial institution or creditor is notified that its
customer has provided information to someone fraudulently claiming
to represent the financial institution or creditor or to a
fraudulent Web site.
25. Electronic messages are returned to mail servers of the
financial institution or creditor that it did not originally send,
[[Page 40826]]
indicating that its customers may have been asked to provide
information to a fraudulent Web site that looks very similar, if not
identical, to the Web site of the financial institution or creditor.
Other Red Flags
26. The name of an employee of the financial institution or
creditor has been added as an authorized user on an account.
27. An employee has accessed or downloaded an unusually large
number of customer account records.
28. The financial institution or creditor detects attempts to
access a customer's account by unauthorized persons.
29. The financial institution or creditor detects or is informed
of unauthorized access to a customer's personal information.
30. There are unusually frequent and large check orders in
connection with a customer's account.
31. The person opening an account or the customer is unable to
lift a credit freeze placed on his or her consumer report.
Dated: May 8, 2006.
John C. Dugan,
Comptroller of the Currency.
By Order of the Board of Governors of the Federal Reserve
System, July 5, 2006.
Jennifer J. Johnson,
Secretary of the Board.
By Order of the Board of Directors.
Dated at Washington, DC, the 9th day of May, 2006. Federal
Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
Dated: April 10, 2006.
By the Office of Thrift Supervision.
John M. Reich,
Director.
By the National Credit Union Administration Board on June 15,
2006.
Mary Rupp,
Secretary of the Board.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 06-6187 Filed 7-17-06; 8:45 am]
BILLING CODE 4810-33-P
|