Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

via email

From: Chris Newell
Sent: Tuesday, October 14, 2003 8:08 AM
To:; Comments
Cc: Bill Davis
Subject: Docket No. OP-1155

Ms. Jennifer J. Johnson
Board of Governors of the Federal Reverse System
20th Street and Constitution Avenue, NW.,
Washington, DC 20551

Docket No. OP-1155

RE: Request for Comment on Interagency Guidance on Response Programs to Protect Against Identity Theft

Amarillo National Bank has already put in place a response program similar to the proposal as a direct result of prior information published by the agencies concerning Establishing Standards for Safeguarding Customer Information. The Agencies have invited comment on all aspects of the proposed Guidance including each component of the response program. After reading the proposal we do have some comments or requests for clarification.

The following questions are addressed:

* Should any component of the response program be clarified in some way and, if so, how?
We have several requests for clarification.

1. What is the time frame for customer notification?
2. What "other forms of assistance" are indicated? Can you list examples of these other than those listed under Optional Elements?
3. What is meant by "assistance" in the Key Elements section?
4. How long should monitoring of affected customers' accounts for unusual or suspicious activity be done? Are the guidelines proposed by the FCRA of 90 days appropriate?
5. What constitutes "unauthorized . . . use of"? This term appears numerous times within the text. Wouldn't it be more specific and/or clear to state "unauthorized . . . resultant miss-use of"?
6. What is meant by the time calculations under Section III, subheading entitled Estimated Burden? Does this imply that the institution will be held to the time schedules used to identify customers and send notices?
7. There is no mention of documentation or record retention requirements. Is there any guidance on this issue?
8. Will there be further guidance concerning "initiate appropriate controls to prevent the..." or will this be left up to the intuition?

* Are there additional components that should be included in a response program to address incidents involving unauthorized access to or use of customer information?
No comment.

* Should each component of the response program be retained? If not, which components should be deleted and why?
No comment

* Is the standard that leads to customer notice inappropriate and if so what alternative thresholds are there?
We are concerned about the requirement to notify each customer within a group of customers if individuals cannot be specifically identified. Unless individual customers can be identified, we believe this group should be monitored only or have an alternate notice that does not contain the alarms of the required notice but is more general.

* What potential burdens are associated with the notice requirements and will the burdens vary by size and complexity of the institution?
The burden is based on the level of assistance the institution is required to give the customer by law. If the notice is expected to give information to "mitigate potential harm", this may result in panic on the part of the general customer and thereby flooding the institution with assistance calls unnecessarily. We do agree that the burden will vary by size and complexity of the institution. The smaller the institution and the less risk contained in services, the easier it will be to control and notify customers without general panic. Even for small institutions, the program response requirements will necessitate a whole new set of responsibilities that will have to be funded and manned. Therefore we believe that there should be no required format to the notice.

* Is the discussion of securing accounts sufficiently clear?
There is no clear indication for the time frame for securing an account. We would like guidance on the timing issue and suggest the proposed 90 days monitoring under the FCRA.

* To what extent would service provider contracts need to be modified if al all? How much burden will the Guidance impose on service providers?
What is implied by "modifying contracts"? Is the institution required to monitor performance of service providers to report incidences of unauthorized access or is does the reference to modification of contracts specific to reported incidents only?

* Should the proposed standard be modified to apply to other extraordinary circumstances where unauthorized access to other information will result in substantial harm or inconvenience?
We believe the proposal has covered all circumstances well.

* Should the examples in the proposed Guidance when the notice would be expected or when it would not, be modified or supplemented?
We believe the examples are appropriate for the purposes of giving notice.

We appreciate the opportunity to respond to the proposed Interagency Guidance on Response Programs to Protect Against Identity Theft and want to thank the Federal Reserve. Please consider carefully our comments.

Bill Davis
Data Security Administrator
Chris Newell
Compliance Officer
Amarillo National Bank
410 S. Taylor
Amarillo, TX 79105-0001

Last Updated 10/14/2003

Skip Footer back to content