Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

Identity Theft Red Flags Interagency Final Regulation and Guidelines

Information Technology / Cybersecurity
November 15, 2007
Summary: The FDIC, along with the other federal financial institution regulatory agencies and the Federal Trade Commission, has issued the attached final rule and guidelines on identity theft "red flags" and address discrepancies. The rule requires that financial institutions and creditors implement a written identity theft prevention program, that card issuers assess the validity of change of address requests, and that users of consumer reports reasonably verify the identity of the subject of a consumer report in the event of a notice of address discrepancy.

Highlights:

  • The regulation and guidelines implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
  • The regulation requires financial institutions and creditors to implement a written identity theft prevention program.
  • The regulation requires card issuers to assess the validity of change of address requests before issuing additional or replacement debit or credit cards.
  • The regulation requires users of consumer reports to reasonably verify the identity of the subject of a consumer report in the event the user receives a notice of address discrepancy from the consumer reporting agency.
  • The guidelines are intended to assist financial institutions in implementing the regulation.
  • Supplement A to the guidelines contains a list of 26 "red flags" that financial institutions and creditors may consider incorporating into their identity theft prevention programs.
  • The regulation and guidelines are effective on January 1, 2008, and mandatory compliance is required by November 1, 2008.

Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Information Security Officer

  • FIL-22-2006, Prohibition Against Discrimination in Credit
    Transactions, issued March 9, 2006
  • FIL-27-2005, Guidance on Response Programs for
    Unauthorized Access to Customer Information and
    Customer Notice, issued April 1, 2005
  • FIL-7-2005, Guidelines Requiring the Proper Disposal of
    Consumer Information, issued February 2, 2005
  • FIL-22-2001, Guidelines Establishing Standards for
    Safeguarding Customer Information, issued March 14,
    2001

Note:
FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2007/index.html .

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html .

Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1102, Arlington, VA 22226 (1-877- 275-3342 or 202-416-6940).



FIL-100-2007
Attachment(s)
Interagency Final Rule Regarding Identity Theft Red Flags and Address Discrepancies
Contact(s)
Richard M. Schwartz, (202) 898-7424

Last Updated: November 15, 2007