Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

Sent Federal Express

October 10, 2003

Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, DC 20429

Dear Mr. Feldman:

Re: Comments on Proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

Dear Mr. Feldman:

This letter is written on behalf of the Connecticut Bankers Association (the "CBA") for the purpose of submitting comments on the Notice and Request for Comment on the proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (the "Proposed Guidance"). The Connecticut Bankers Association is an industry trade association that represents approximately 78commercial banks, savings banks, and savings and loan associations of all sizes throughout Connecticut. The CBA has the following comments on the Proposed Guidance:

1. The Proposed Guidance asks for comment on whether the discussion of "securing accounts" is sufficiently clear. The CBA believes that this discussion is not sufficiently clear, and requests clarification that "securing accounts" does not require denying access to the accounts. A bank holding a deposit account for a customer is in the position of a debtor that owes the funds in the account to the customer, the creditor, when the funds are requested by the customer. The bank generally does not have the right to refuse to pay a depositor's funds to the depositor. This obligation to pay the funds in the account to the depositor is not changed by the fact that sensitive customer information to the account may have been stolen. While the bank needs to protect against paying the funds in an account to any person other than the depositor, the guidance should clarify that the bank has flexibility in how it "secures accounts". Thus, for example, a bank may determine that it needs to limit online access to the account until access codes have been changed, but can continue to allow (i) in person withdrawals, because the bank will have the opportunity to check photo identification and signatures, and (ii) payment of checks, because the bank will have the opportunity to check signatures on the account. Clarifying that a bank has the discretion to make a determination as to how and to what extent accounts will be secured will allow a bank the flexibility to continue to serve its customers while taking appropriate steps designed to protect against withdrawal of funds by a person other than the depositor.

2. The Proposed Guidance asks for comments on whether the examples of when customer notice is required should be modified or supplemented. The CBA believes that two examples in particular should be clarified. The first is the example of an employee obtaining unauthorized access to sensitive customer information. The Guidance should include examples of situations in which the institution could conclude that the misuse of the information is unlikely. For example, if the employee is apprehended before the sensitive information has been used, then the institution may be in a position to conclude that misuse of the information is unlikely to occur. This is because an individual that has been apprehended may be unlikely to misuse the information because such individual knows that he or she will be immediately implicated in any misuse of the information. The second example that should be clarified is the example of lost or stolen computer equipment such as a laptop computer, floppy disk or CD-ROM. The Proposed Guidance should clarify that if the institution reasonably concludes that the item has been lost, rather than stolen, that the institution may be able to reasonably determine that the misuse of the sensitive customer information is unlikely. A floppy disk or CD can occasionally be misplaced or lost, and unless there is evidence of theft, there is generally no reason to believe that the information on the floppy disk or CD will be misused.

3. The CBA respectfully requests that when final guidance is issued, institutions be given sufficient time to develop response policies and to amend vendor contracts. We would suggest a period of at least 9 months to develop a response program, and at least 12 months to modify all vendor contracts as may be required by the final guidance.

Thank you for allowing us this opportunity to comment. If you have any questions on this letter, please feel free to contact me.


Fillis W. Stober
Tyler Cooper & Alcorn, LLP
185 Asylum Street
CityPlace/35th Floor
Hartford, CT 06103-3488

cc: Lindsey Pinkham
Connecticut Bankers Association

Last Updated 10/20/2003

Skip Footer back to content