FDIC ISSUES GUIDANCE ON IDENTITY THEFT AND PRETEXT CALLING
FOR IMMEDIATE RELEASE PR-36-2001 (5-9-2001)
David Barr (202) 898-6992
The FDIC today issued guidance on measures to prevent identity theft and pretext calling. The guidance reminds financial institutions how to report such activities to regulators using Suspicious Activity Reports (SARs), suggests educating consumers on identity theft and pretext calling, and summarizes relevant federal laws. The other federal financial regulatory agencies are also issuing similar, consistent guidance on this matter.
The guidance is in response to provisions in the Gramm-Leach-Bliley Act (GLBA) that direct the FDIC and other federal banking agencies to review their regulations and guidelines to ensure that financial institutions have policies, procedures and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information. Consistent with section 525 of the GLBA (15 U.S.C. 6825), the FDIC developed the guidance to address how banks should protect customer information against identity theft. The guidance supplements guidelines on customer information security issued on February 1 pursuant to section 501(b) of the Gramm-Leach-Bliley Act (GLBA). The guidelines take effect on July 1, 2001.
Identity theft affects more than 500,000 consumers a year. To prevent identity theft, banks are reminded to adopt procedures such as verifying customer account
information by using independent sources, calling a customer to confirm the customer has opened a credit card or checking account, using an independently verified telephone number, or verifying information through an employer identified on an application form. Other security precautions reviewed in the advisory include verifying change of address requests on existing accounts, and maintaining adequate security standards.
To safeguard against pretext calling, financial institutions are encouraged to limit telephone disclosures of customer information, train employees to recognize fraudulent
attempts to obtain customer information, and test information security systems.
The guidance suggests that banks inform customers about precautionary measures that can be taken to protect against identity theft and pretext calling. Financial institutions are also encouraged to have measures in place to assist victims of fraud and to have trained personnel to respond to customer calls about identity theft or pretext calling.
In completing SARs, financial institutions are advised to specify incidents of identity theft and pretext calling and to provide narrative explanations in addition to reporting the underlying fraud (e.g., credit card or loan fraud).
The guidance briefly summarizes federal criminal statutes involving identity theft. The provisions on pretext calling in the GLBA are also described, along with the recently issued guidelines pursuant to 501(b) of GLBA.
Congress created the Federal Deposit Insurance Corporation in 1933 to restore public confidence in the nation's banking system. The FDIC insures deposits at the nation's 9,905 banks and savings associations and it promotes the safety and soundness of these institutions by identifying, monitoring and addressing risks to which they are exposed.
FDIC press releases and other information are available on the Internet via the World Wide Web at www.fdic.gov and may also be obtained through the FDIC's Public Information Center (800-276-6003 or (703) 562-2200).