Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

Sent Via FAX

October 14, 2003

Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, DC 20429

Dear Mr. Feldman:

I am writing on behalf of Commerce Bancorp, a $21 billion multi-bank holding company located in Cherry Hill, New Jersey and its wholly owned subsidiary banks Commerce Bank N.A., Commerce Bank/Pennsylvania N.A., Commerce Bank/Shore N.A., Commerce Bank/North, and Commerce Bank/Delaware NA.

Commerce Bancorp and its subsidiaries fully support efforts to protect customer information and assist customers who have been affected by theft of sensitive information. However, we have the following comments and concerns.


Some of the terms used in the proposal are very broad and subject to interpretation (reasonably foreseeable, unlikely to occur, substantial harm, securing accounts). We are concerned that financial institutions may not apply the same level of attention to these issues. Some may take a conservative approach and unnecessarily alarm customers who may lose faith in their financial institution and the banking system. Even those financial institutions with the best intentions and security measures in place are at risk for thievery and hacking. In addition, some examiners may interpret the terms more conservatively and disagree with judgement calls made by bank management at the time an incident occurred.


If a security breach occurred via a third party service provider, the financial institution may not be aware that a security breach occurred. Although financial institutions take extreme care to ensure that third party service providers have adequate internal and security controls in place, we cannot guarantee that a security breach would not occur at some future date due to control failures or even, a new creative idea developed by a "hacker".


To date, the proposal covers banks, thrifts, and credit unions that control a fraction of financial transactions that occur in the US. To truly protect and assist customers, similar regulations should be implemented to cover other types of financial institutions (broker- dealers, money service providers, mortgage companies). In addition, service providers should be subject to similar rules and be legally required to notify and assist clients in resolving security breaches.

If banks were the only financial institutions covered by this regulation, it would appear to the general public that banks are the only organizations experiencing security breaches. This would not only tarnish the banking industry's reputation but it could also induce customers to move accounts to financial service providers that are not covered by the regulation and that may be much less secure. In addition, the cost of establishing the infrastructure necessary to support the requirements will put banks at a disadvantage to other financial service providers.


We agree that customers should be notified when their information has been compromised. However, customer reaction can be unnecessarily harmful to a financial institution's reputation especially if the customer does not understand the nature of the security breach or the reason the breach occurred.


We recognize that identity theft is a serious and growing problem and we agree that as "fiduciaries" of customer assets and information, we should be leaders in addressing this issue. However, security control is an art - not a science. We need to recognize that the best security measures are at risk due to continuing advances in technology and creativity by those that seek financial gain or simply love a challenge.

We appreciate the effort the regulators have put into writing this important regulation as well as the opportunity to comment on it. It is our hope that these comments will assist the regulators in achieving a practical solution to a very serious issue.


Susan U. Bredehoft
Senior Vice President
Compliance Risk Management
101 Haddonfield Road
Cherry Hill, NJ  08002

cc: Office of the Comptroller of the Currency, Attn: Docket No, 03-18
David Wojcik

Last Updated 10/20/2003

Skip Footer back to content