via email
From: Chris Newell
Sent: Tuesday, October 14, 2003 8:08 AM
To: regs.comments@federalreserve.gov; Comments
Cc: Bill Davis
Subject: Docket No. OP-1155
Ms. Jennifer J. Johnson
Secretary,
Board of Governors of the Federal Reverse System
20th Street and Constitution Avenue, NW.,
Washington, DC 20551
Docket No. OP-1155
RE: Request for Comment on Interagency
Guidance on Response Programs to Protect Against Identity Theft
Amarillo National Bank has already put in
place a response program similar to the proposal as a direct result of
prior information published by the agencies concerning Establishing
Standards for Safeguarding Customer Information. The Agencies have
invited comment on all aspects of the proposed Guidance including each
component of the response program. After reading the proposal we do have
some comments or requests for clarification.
The following questions are addressed:
* Should any component of the response
program be clarified in some way and, if so, how?
We have several requests for clarification.
1. What is the time frame for customer
notification?
2. What "other forms of assistance" are indicated? Can you list examples
of these other than those listed under Optional Elements?
3. What is meant by "assistance" in the Key Elements section?
4. How long should monitoring of affected customers' accounts for
unusual or suspicious activity be done? Are the guidelines proposed by
the FCRA of 90 days appropriate?
5. What constitutes "unauthorized . . . use of"? This term appears
numerous times within the text. Wouldn't it be more specific and/or
clear to state "unauthorized . . . resultant miss-use of"?
6. What is meant by the time calculations under Section III, subheading
entitled Estimated Burden? Does this imply that the institution
will be held to the time schedules used to identify customers and send
notices?
7. There is no mention of documentation or record retention
requirements. Is there any guidance on this issue?
8. Will there be further guidance concerning "initiate appropriate
controls to prevent the..." or will this be left up to the intuition?
* Are there additional components that
should be included in a response program to address incidents involving
unauthorized access to or use of customer information?
No comment.
* Should each component of the response
program be retained? If not, which components should be deleted and why?
No comment.
* Is the standard that leads to customer
notice inappropriate and if so what alternative thresholds are there?
We are concerned about the requirement to notify each customer within a
group of customers if individuals cannot be specifically identified.
Unless individual customers can be identified, we believe this group
should be monitored only or have an alternate notice that does not
contain the alarms of the required notice but is more general.
* What potential burdens are associated
with the notice requirements and will the burdens vary by size and
complexity of the institution?
The burden is based on the level of assistance the institution is
required to give the customer by law. If the notice is expected to give
information to "mitigate potential harm", this may result in panic on
the part of the general customer and thereby flooding the institution
with assistance calls unnecessarily. We do agree that the burden will
vary by size and complexity of the institution. The smaller the
institution and the less risk contained in services, the easier it will
be to control and notify customers without general panic. Even for small
institutions, the program response requirements will necessitate a whole
new set of responsibilities that will have to be funded and manned.
Therefore we believe that there should be no required format to the
notice.
* Is the discussion of securing accounts
sufficiently clear?
There is no clear indication for the time frame for securing an account.
We would like guidance on the timing issue and suggest the proposed 90
days monitoring under the FCRA.
* To what extent would service provider
contracts need to be modified if al all? How much burden will the
Guidance impose on service providers?
What is implied by "modifying contracts"? Is the institution required to
monitor performance of service providers to report incidences of
unauthorized access or is does the reference to modification of
contracts specific to reported incidents only?
* Should the proposed standard be
modified to apply to other extraordinary circumstances where
unauthorized access to other information will result in substantial harm
or inconvenience?
We believe the proposal has covered all circumstances well.
* Should the examples in the proposed
Guidance when the notice would be expected or when it would not, be
modified or supplemented?
We believe the examples are appropriate for the purposes of giving
notice.
We appreciate the opportunity to respond
to the proposed Interagency Guidance on Response Programs to Protect
Against Identity Theft and want to thank the Federal Reserve. Please
consider carefully our comments.
Respectfully,
Bill Davis
Data Security Administrator
Chris Newell
Compliance Officer
Amarillo National Bank
410 S. Taylor
Amarillo, TX 79105-0001
| 
