Sent Via FAX
October 14, 2003
Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, DC 20429
Dear Mr. Feldman:
I am writing on behalf of Commerce Bancorp, a $21 billion multi-bank
holding company located in Cherry Hill, New Jersey and its wholly owned
subsidiary banks Commerce Bank N.A., Commerce Bank/Pennsylvania N.A.,
Commerce Bank/Shore N.A., Commerce Bank/North, and Commerce
Bank/Delaware NA.
Commerce Bancorp and its subsidiaries fully support efforts to
protect customer information and assist customers who have been affected
by theft of sensitive information. However, we have the following
comments and concerns.
DEFINITIONS AND TERMS
Some of the terms used in the proposal are very broad and subject to
interpretation (reasonably foreseeable, unlikely to occur, substantial
harm, securing accounts). We are concerned that financial institutions
may not apply the same level of attention to these issues. Some may take
a conservative approach and unnecessarily alarm customers who may lose
faith in their financial institution and the banking system. Even those financial institutions
with the best intentions and security measures in place are at risk for
thievery and hacking. In addition, some examiners may interpret the
terms more conservatively and disagree with judgement calls made by bank
management at the time an incident occurred.
SERVICE PROVIDERS
If a security breach occurred via a third party service provider, the
financial institution may not be aware that a security breach occurred.
Although financial institutions take extreme care to ensure that third
party service providers have adequate internal and security controls in
place, we cannot guarantee that a security breach would not occur at
some future date due to control failures or even, a new creative idea
developed by a "hacker".
COVERAGE
To date, the proposal covers banks, thrifts, and credit unions that
control a fraction of financial transactions that occur in the US. To
truly protect and assist customers, similar regulations should be
implemented to cover other types of financial institutions (broker-
dealers, money service providers, mortgage companies). In addition,
service providers should be subject to similar rules and be legally
required to notify and assist clients in resolving security breaches.
If banks were the only financial institutions covered by this
regulation, it would appear to the general public that banks are the
only organizations experiencing security breaches. This would not only
tarnish the banking industry's reputation but it could also induce
customers to move accounts to financial service providers that are not
covered by the regulation and that may be much less secure. In addition,
the cost of establishing the infrastructure necessary to support the
requirements will put banks at a disadvantage to other financial service
providers.
CUSTOMER NOTIFICATION
We agree that customers should be notified when their information has
been compromised. However, customer reaction can be unnecessarily
harmful to a financial institution's reputation especially if the
customer does not understand the nature of the security breach or the
reason the breach occurred.
CONCLUSION
We recognize that identity theft is a serious and growing problem and
we agree that as "fiduciaries" of customer assets and information, we
should be leaders in addressing this issue. However, security control is
an art - not a science. We need to recognize that the best security
measures are at risk due to continuing advances in technology and
creativity by those that seek financial gain or simply love a challenge.
We appreciate the effort the regulators have put into writing this
important regulation as well as the opportunity to comment on it. It is
our hope that these comments will assist the regulators in achieving a
practical solution to a very serious issue.
Sincerely,
Susan U. Bredehoft
Senior Vice President
Compliance Risk Management
101 Haddonfield Road
Cherry Hill, NJ 08002
cc: Office of the Comptroller of the Currency, Attn: Docket No, 03-18
David Wojcik
