Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

Via email

From: Marcia McKeag
Sent: Wednesday, October 15, 2003 4:32 PM
To: Comments
Subject: Comments on Proposed Interagency Guidance

October 10, 2003

Robert E. Feldman, Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation

Comments on Proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

Dear Mr. Feldman:

Thank you for the opportunity to comment on the Proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. We agree with the general intent of the Guidance and, with the increasing incidence of identity theft, that adequate measures are very important for prevention.

II. Components of a Response Program

The Proposed Guidance indicates that a response program should include timely customer notification under the circumstances as described “to manage an institution’s reputation risk.” The potential for broad interpretation of what would require customer notification could in itself pose a risk to a financial institution’s reputation. The situations warranting customer notification should be defined more clearly to avoid unnecessary notification.

B. Notify Regulatory and Law Enforcement Agencies

Regulatory and law enforcement agencies could experience overly onerous notice from financial institutions due to a broad interpretation of what warrants notification. Specifically, the Guidance indicates notification should be made due to “an incident involving unauthorized access to or use of customer information that could result in substantial harm or inconvenience to its customers.” What is the intended definition of “inconvenience”? Examples demonstrating the appropriate meaning would clarify the standard for notification.

Do the agencies foresee any situations that would warrant notice to Regulatory and Law Enforcement Agencies but not to the Customer?

Financial institutions will likely be reporting more than needed overwhelming the Agencies so much that they will not be able to appropriately respond.

D. Corrective Measures

This section indicates that accounts should immediately be flagged, but does not provide guidance for how long. Suggested timeframes are given to be included in the customer notice; should these same timeframes apply to the financial institution’s monitoring of customer accounts?

What action does “Securing Account” mean? This section, broadly interpreted, could cause needless inconvenience to customers or reputation risk to the financial institution. It implies that access alone to “a checking, savings, or other deposit account number, debit or credit card account number, personal identification number (PIN), password, or other unique identifier” warrants securing of account(s) and customer notification. Also, some confusion is created between this section and the section later defining Sensitive Customer Information.

Although we think specific timeframes should be risk based, we would appreciate further guidance on how long the Agencies think accounts should be flagged, monitored and secured.

We do believe that if a situation warrants closing of an account, that decision should be between the financial institution and the customer and not guided by regulators.

Financial institutions will face increased costs related to flagging and monitoring of accounts, particularly if it is needlessly taking place due to misinterpretation of the Guidelines.

III. Circumstances for Customer Notice

Sensitive Customer Information

This section, and throughout the Guidance, repeatedly uses customer “inconvenience” as a factor to notify customers. Without further clarification of the Agencies’ intent, customers will be unduly notified causing concern and inconvenience. This could have as a mitigating effect on all involved.

As written, Sensitive Customer Information could be interpreted to mean a combination of a personal identification number (PIN) and phone number, which, by itself, is not sufficient information for identity fraud. In this case, customer notice would cause more harm than good. The Guidance should provide further clarification as well as be more consistent to the Interagency Guidelines Establishing Standard for Safeguarding Customer Information in defining sensitive customer information.

Examples of When Notice Should Be Given

These incidents are very broad and could lead to excessive notification. For example, the first scenario does not indicate any fraudulent intent or misuse of information, but because an employee obtained unauthorized access to sensitive customer information, customers should be notified as well as accounts flagged and secured.

In summary, we support customer notification but think that the Guidance is too broad. Without further clarification, Regulators, Law Enforcement Agencies and customers will be subject to unnecessary notification. Also, financial institutions will experience excessive costs related to account flagging and monitoring as well as customer notification.


Iowa City, Iowa

Charles N. Funk
President and CEO

Marcia McKeag
Compliance Officer

Last Updated 10/16/2003

Skip Footer back to content