FTC Red Flag Rule


Published on

All 60 pages of it. Want us to break it down for you? Just call 860-367-8584.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

FTC Red Flag Rule

  1. 1. Friday, November 9, 2007 Part IV Department of the Treasury Office of the Comptroller of the Currency 12 CFR Part 41 Federal Reserve System 12 CFR Part 222 Federal Deposit Insurance Corporation 12 CFR Parts 334 and 364 Department of the Treasury Office of Thrift Supervision 12 CFR Part 571 National Credit Union Administration 12 CFR Part 717 Federal Trade Commission 16 CFR Part 681 Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule jlentini on PROD1PC65 with RULES4 VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00001 Fmt 4737 Sfmt 4737 E:FRFM09NOR4.SGM 09NOR4
  2. 2. 63718 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations DEPARTMENT OF THE TREASURY and mitigate identity theft in connection Office of Thrift Supervision, 1700 G with the opening of certain accounts or Street, NW., Washington, DC 20552. Office of the Comptroller of the certain existing accounts. In addition, NCUA: Regina M. Metz, Staff Currency the Agencies are issuing guidelines to Attorney, Office of General Counsel, assist financial institutions and (703) 518–6540, National Credit Union 12 CFR Part 41 creditors in the formulation and Administration, 1775 Duke Street, [Docket ID OCC–2007–0017] maintenance of a Program that satisfies Alexandria, VA 22314–3428. the requirements of the rules. The rules FTC: Naomi B. Lefkovitz, Attorney, or RIN 1557–AC87 implementing section 114 also require Pavneet Singh, Attorney, Division of credit and debit card issuers to assess Privacy and Identity Protection, Bureau FEDERAL RESERVE SYSTEM the validity of notifications of changes of Consumer Protection, (202) 326– of address under certain circumstances. 2252, Federal Trade Commission, 600 12 CFR Part 222 Additionally, the Agencies are issuing Pennsylvania Avenue, NW., Washington [Docket No. R–1255] joint rules under section 315 that DC 20580. provide guidance regarding reasonable SUPPLEMENTARY INFORMATION: FEDERAL DEPOSIT INSURANCE policies and procedures that a user of CORPORATION consumer reports must employ when a I. Introduction consumer reporting agency sends the The President signed the FACT Act 12 CFR Parts 334 and 364 user a notice of address discrepancy. into law on December 4, 2003.1 The DATES: The joint final rules and FACT Act added several new provisions RIN 3064–AD00 guidelines are effective January 1, 2008. to the Fair Credit Reporting Act of 1970 DEPARTMENT OF THE TREASURY The mandatory compliance date for this (FCRA), 15 U.S.C. 1681 et seq. Section rule is November 1, 2008. 114 of the FACT Act, 15 U.S.C. Office of Thrift Supervision 1681m(e), amends section 615 of the FOR FURTHER INFORMATION CONTACT: FCRA, and directs the Agencies to issue OCC: Amy Friend, Assistant Chief joint regulations and guidelines 12 CFR Part 571 Counsel, (202) 874–5200; Deborah Katz, regarding the detection, prevention, and [Docket No. OTS–2007–0019] Senior Counsel, or Andra Shuster, mitigation of identity theft, including Special Counsel, Legislative and special regulations requiring debit and RIN 1550–AC04 Regulatory Activities Division, (202) credit card issuers to validate 874–5090; Paul Utterback, Compliance notifications of changes of address NATIONAL CREDIT UNION Specialist, Compliance Department, under certain circumstances.2 Section ADMINISTRATION (202) 874–5461; or Aida Plaza Carter, 315 of the FACT Act, 15 U.S.C. Director, Bank Information Technology, 1681c(h), adds a new section 605(h)(2) 12 CFR Part 717 (202) 874–4740, Office of the to the FCRA requiring the Agencies to Comptroller of the Currency, 250 E issue joint regulations that provide FEDERAL TRADE COMMISSION Street, SW., Washington, DC 20219. guidance regarding reasonable policies 16 CFR Part 681 Board: David A. Stein or Ky Tran- and procedures that a user of a Trong, Counsels, or Amy Burke, consumer report should employ when RIN 3084–AA94 Attorney, Division of Consumer and the user receives a notice of address Community Affairs, (202) 452–3667; discrepancy. Identity Theft Red Flags and Address Kara L. Handzlik, Attorney, Legal On July 18, 2006, the Agencies Discrepancies Under the Fair and Division, (202) 452–3852; or John published a joint notice of proposed Accurate Credit Transactions Act of Gibbons, Supervisory Financial Analyst, rulemaking (NPRM) in the Federal 2003 Division of Banking Supervision and Register (71 FR 40786) proposing rules AGENCIES: Office of the Comptroller of Regulation, (202) 452–6409, Board of and guidelines to implement section the Currency, Treasury (OCC); Board of Governors of the Federal Reserve 114 and proposing rules to implement Governors of the Federal Reserve System, 20th and C Streets, NW., section 315 of the FACT Act. The public System (Board); Federal Deposit Washington, DC 20551. comment period closed on September Insurance Corporation (FDIC); Office of FDIC: Jeffrey M. Kopchik, Senior 18, 2006. The Agencies collectively Thrift Supervision, Treasury (OTS); Policy Analyst, (202) 898–3872, or received a total of 129 comments in National Credit Union Administration David P. Lafleur, Policy Analyst, (202) response to the NPRM, although many (NCUA); and Federal Trade Commission 898–6569, Division of Supervision and commenters sent copies of the same (FTC or Commission). Consumer Protection; Richard M. letter to each of the Agencies. The ACTION: Joint final rules and guidelines. Schwartz, Counsel, (202) 898–7424, or comments included 63 from financial Richard B. Foley, Counsel, (202) 898– institutions, 12 from financial SUMMARY: The OCC, Board, FDIC, OTS, 3784, Legal Division, Federal Deposit institution holding companies, 23 from NCUA and FTC (the Agencies) are Insurance Corporation, 550 17th Street, financial institution trade associations, jointly issuing final rules and guidelines NW., Washington, DC 20429. 12 from individuals, nine from other implementing section 114 of the Fair OTS: Ekita Mitchell, Consumer trade associations, five from other and Accurate Credit Transactions Act of Regulations Analyst, Compliance and business entities, three from consumer 2003 (FACT Act) and final rules Consumer Protection, (202) 906–6451; implementing section 315 of the FACT Kathleen M. McNulty, Technology 1 Pub. L. 108–159. jlentini on PROD1PC65 with RULES4 Act. The rules implementing section Program Manager, Information 2 Section 111 of the FACT Act defines ‘‘identity 114 require each financial institution or Technology Risk Management, (202) theft’’ as ‘‘a fraud committed using the identifying information of another person, subject to such creditor to develop and implement a 906–6322; or Richard Bennett, Senior further definition as the [Federal Trade] written Identity Theft Prevention Compliance Counsel, Regulations and Commission may prescribe, by regulation.’’ 15 Program (Program) to detect, prevent, Legislation Division, (202) 906–7409, U.S.C. 1681a(q)(3). VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
  3. 3. Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63719 groups,3 one from a member of indicators of a possible risk of identity commenters suggested that the Congress, and one from the United theft (Red Flags), including indicators regulations and guidelines take the form States Small Business Administration from among those listed in the of broad objectives modeled on the (SBA). guidelines. To promote flexibility and objectives set forth in the ‘‘Interagency responsiveness to the changing nature of Guidelines Establishing Information II. Section 114 of the FACT Act identity theft, the proposed rules also Security Standards’’ (Information A. Red Flag Regulations and Guidelines stated that covered entities would need Security Standards).7 A few financial 1. Background to include in their Programs relevant institution commenters asserted that the Red Flags from applicable supervisory primary cause of identity theft is the Section 114 of the FACT Act requires guidance, their own experiences, and lack of care on the part of the consumer. the Agencies to jointly issue guidelines methods that the entity had identified They stated that consumers should be for financial institutions and creditors that reflect changes in identity theft held responsible for protecting their regarding identity theft with respect to risks. own identifying information. their account holders and customers. The Agencies invited comment on all The Agencies have modified the Section 114 also directs the Agencies to aspects of the proposed regulations and proposed rules and guidelines in light of prescribe joint regulations requiring guidelines implementing section 114, the comments received. An overview of each financial institution and creditor to and specifically requested comment on the final rules, guidelines, and establish reasonable policies and whether the elements described in supplement, a discussion of the procedures for implementing the section 114 had been properly allocated comments, and the specific manner in guidelines, to identify possible risks to between the proposed regulations and which the proposed rules and account holders or customers or to the the proposed guidelines. guidelines have been modified, follows. safety and soundness of the institution Consumer groups maintained that the or ‘‘customer.’’4 proposed regulations provided too 3. Overview of final rules and In developing the guidelines, the much discretion to financial institutions guidelines Agencies must identify patterns, and creditors to decide which accounts The Agencies are issuing final rules practices, and specific forms of activity and Red Flags to include in their and guidelines that provide both that indicate the possible existence of Programs and how to respond to those flexibility and more guidance to identity theft. The guidelines must be Red Flags. These commenters stated that financial institutions and creditors. The updated as often as necessary, and the flexible and risk-based approach final rules also require the Program to cannot be inconsistent with the policies taken in the proposed rulemaking address accounts where identity theft is and procedures issued under section would permit ‘‘business as usual.’’ 326 of the USA PATRIOT Act,5 31 most likely to occur. The final rules Some small financial institutions also describe which financial institutions U.S.C. 5318(l), that require verification expressed concern about the flexibility of the identity of persons opening new and creditors are required to have a afforded by the proposal. These Program, the objectives of the Program, accounts. The Agencies also must commenters stated that they preferred to consider including reasonable the elements that the Program must have clearer, more structured guidance contain, and how the Program must be guidelines that would apply when a describing exactly how to develop and transaction occurs in connection with a administered. implement a Program and what they Under the final rules, only those consumer’s credit or deposit account would need to do to achieve that has been inactive for two years. financial institutions and creditors that compliance. offer or maintain ‘‘covered accounts’’ These guidelines would provide that in Most commenters, however, including such circumstances, a financial must develop and implement a written many financial institutions and Program. A covered account is (1) an institution or creditor ‘‘shall follow creditors, asserted that the proposal was reasonable policies and procedures’’ for account primarily for personal, family, overly prescriptive, contained or household purposes, that involves or notifying the consumer, ‘‘in a manner requirements beyond those mandated in reasonably designed to reduce the is designed to permit multiple payments the FACT Act, would be costly and or transactions, or (2) any other account likelihood of identity theft.’’ burdensome to implement, and would for which there is a reasonably 2. Overview of Proposal and Comments complicate the existing efforts of foreseeable risk to customers or the Received financial institutions and creditors to safety and soundness of the financial The Agencies proposed to implement detect and prevent identity theft. Some institution or creditor from identity section 114 through regulations industry commenters asserted that the theft. Each financial institution and requiring each financial institution and rulemaking was unnecessary because creditor must periodically determine creditor to implement a written Program large businesses, such as banks and whether it offers or maintains a to detect, prevent and mitigate identity telecommunications companies, already ‘‘covered account.’’ theft in connection with the opening of are motivated to prevent identity theft The final regulations provide that the an account or any existing account. The and other forms of fraud in order to Program must be designed to detect, Agencies also proposed guidelines that limit their own financial losses. prevent, and mitigate identity theft in identified 31 patterns, practices, and Financial institution commenters connection with the opening of a specific forms of activity that indicate a maintained that they are already doing covered account or any existing covered possible risk of identity theft. The most of what would be required by the account. In addition, the Program must proposed regulations required each proposal as a result of having to comply be tailored to the entity’s size, financial institution and creditor to with the customer identification complexity and nature of its operations. incorporate into its Program relevant program (CIP) regulations implementing section 326 of the USA PATRIOT Act 6 jlentini on PROD1PC65 with RULES4 7 12 CFR part 30, app. B (national banks); 12 CFR 3 One of these letters represented the comments and other existing requirements. These part 208, app. D–2 and part 225, app. F (state of five consumer groups. member banks and holding companies); 12 CFR 4 Use of the term ‘‘customer,’’ here, appears to be 6 See, e.g., 31 CFR 103.121 (applicable to banks, part 364, app. B (state non-member banks); 12 CFR a drafting error and likely should read ‘‘creditor.’’ thrifts and credit unions and certain non-federally part 570, app. B (savings associations); 12 CFR part 5 Pub. L. 107–56. regulated banks). 748, App. A (credit unions). VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
  4. 4. 63720 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations The final regulations list the four 4. Section-by-Section Analysis 8 Agencies use the term ‘‘continuing basic elements that must be included in relationship’’ instead, and define this Sectionl.90(a) Purpose and Scope the Program of a financial institution or phrase in a manner consistent with the creditor. The Program must contain Proposed §l.90(a) described the Agencies’’ privacy rules 10 ‘‘reasonable policies and procedures’’ statutory authority for the proposed implementing Title V of the Gramm- to: regulations, namely, section 114 of the Leach-Bliley Act (GLBA), 15 U.S.C. FACT Act. It also defined the scope of 6801.11 These commenters urged that • Identify relevant Red Flags for this section; each of the Agencies the definition of ‘‘account’’ not be covered accounts and incorporate those proposed tailoring this paragraph to expanded to include relationships that Red Flags into the Program; describe those entities to which this are not ‘‘continuing.’’ They stated that it • Detect Red Flags that have been section would apply. The Agencies would be very burdensome to gather incorporated into the Program; received no comments on this section, and maintain information on non- • Respond appropriately to any Red and it is adopted as proposed. customers for one-time transactions. Flags that are detected to prevent and Sectionl.90(b) Definitions Other commenters suggested defining mitigate identity theft; and the term ‘‘account’’ in a manner Proposed §l.90(b) contained consistent with the CIP rules. • Ensure the Program is updated definitions of various terms that applied Many commenters stated that defining periodically, to reflect changes in risks to the proposed rules and guidelines. ‘‘account’’ to cover both consumer and to customers or to the safety and While §l.90(b) of the final rules business accounts was too broad, soundness of the financial institution or continues to describe the definitions exceeded the scope of the FACT Act, creditor from identity theft. applicable to the final rules and and would make the regulation too The regulations also enumerate guidelines, changes have been made to burdensome. These commenters certain steps that financial institutions address the comments, as follows. recommended limiting the scope of the and creditors must take to administer Sectionl.90(b)(1) Account. The regulations and guidelines to cover only Agencies proposed using the term consumer financial services, specifically the Program. These steps include ‘‘account’’ to describe the relationships accounts established for personal, obtaining approval of the initial written covered by section 114 that an account family and household purposes, because Program by the board of directors or a holder or customer may have with a these types of accounts typically are committee of the board, ensuring financial institution or creditor.9 The targets of identity theft. They asserted oversight of the development, proposed definition of ‘‘account’’ was ‘‘a that identity theft has not historically implementation and administration of continuing relationship established to been common in connection with the Program, training staff, and provide a financial product or service business or commercial accounts. overseeing service provider that a financial holding company could Consumer groups maintained that the arrangements. offer by engaging in an activity that is proposed definition of ‘‘account’’ was In order to provide financial financial in nature or incidental to such too narrow. They explained that because institutions and creditors with more a financial activity under section 4(k) of the proposed definition was tied to flexibility in developing a Program, the the Bank Holding Company Act, 12 financial products and services that can Agencies have moved certain detail U.S.C. 1843(k).’’ The definition also be offered under the Bank Holding formerly contained in the proposed gave examples of types of ‘‘accounts.’’ Company Act, it inappropriately regulations to the guidelines located in Some commenters stated that the excluded certain transactions involving Appendix J. This detailed guidance regulations do not need a definition of creditors that are not financial should assist financial institutions and ‘‘account’’ to give effect to their terms. institutions that should be covered by creditors in the formulation and Some commenters maintained that a the regulations. Some of these new definition for ‘‘account’’ would be commenters recommended that the maintenance of a Program that satisfies confusing as this term is already defined definition of ‘‘account’’ include any the requirements of the regulations to inconsistently in several regulations and relationship with a financial institution detect, prevent, and mitigate identity in section 615(e) of the FCRA. These or creditor in which funds could be theft. Each financial institution or commenters recommended that the intercepted or credit could be extended, creditor that is required to implement a as well as any other transaction which Program must consider the guidelines 8 The OCC, Board, FDIC, OTS and NCUA are could obligate an individual or other and include in its Program those placing the regulations and guidelines covered entity, including transactions guidelines that are appropriate. The implementing section 114 in the part of their regulations that implement the FCRA—12 CFR that do not result in a continuing guidelines provide policies and parts 41, 222, 334, 571, and 717, respectively. In relationship. Others suggested that there procedures for use by institutions and addition, the FDIC cross-references the regulations should be no flexibility to exclude any creditors, where appropriate, to satisfy and guidelines in 12 CFR part 364. For ease of account that is held by an individual or reference, the discussion in this preamble uses the the requirements of the final rules, shared numerical suffix of each of these agency’s which generates information about including the four elements listed regulations. The FTC also is placing the final individuals that reflects on their above. While an institution or creditor regulations and guidelines in the part of its financial or credit reputations. may determine that particular regulations implementing the FCRA, specifically 16 The Agencies have modified the CFR part 681. However, the FTC uses different guidelines are not appropriate to numerical suffixes that equate to the numerical definition of ‘‘account’’ to address these incorporate into its Program, the suffixes discussed in the preamble as follows: comments. First, the final rules now Program must nonetheless contain preamble suffix .82 = FTC suffix .1, preamble suffix apply to ‘‘covered accounts,’’ a term that .90 = FTC suffix .2, and preamble suffix .91 = FTC the Agencies have added to the reasonable policies and procedures to suffix .3. In addition, Appendix J referenced in the meet the specific requirements of the definition section to eliminate jlentini on PROD1PC65 with RULES4 preamble is the FTC’s Appendix A. final rules. The illustrative examples of 9 The Agencies acknowledged that section 114 10 See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 Red Flags formerly in Appendix J are does not use the term ‘‘account’’ and, in other contexts, the FCRA defines the term ‘‘account’’ CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716 now listed in a supplement to the narrowly to describe certain consumer deposit or (NCUA); and 16 CFR 313 (FTC). guidelines. asset accounts. See 15 U.S.C. 1681a(r)(4). 11 Pub. L. 106–102. VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
  5. 5. Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63721 confusion between these rules and other established, but also to account The Agencies recognize that rules that apply to an ‘‘account.’’ The openings, when a relationship has not consumer accounts are presently the Agencies have retained a definition of yet been established. most common target of identity theft ‘‘account’’ simply to clarify and provide Sectionl.90(b)(2) Board of Directors. and acknowledge that Congress context for the definition of ‘‘covered The proposed regulations discussed the expected the final regulation to address account.’’ role of the board of directors of a risks of identity theft to consumers.13 Section 114 provides broad discretion financial institution or creditor. For For this reason, the final rules require to the Agencies to prescribe regulations financial institutions and creditors each Program to cover accounts and guidelines to address identity theft. covered by the regulations that do not established primarily for personal, The terminology in section 114 is not have boards of directors, the proposed family or household purposes, that confined to ‘‘consumer’’ accounts. regulations defined ‘‘board of directors’’ involve or are designed to permit While identity theft primarily has been to include, in the case of a branch or multiple payments or transactions, i.e., directed at consumers, the Agencies are agency of a foreign bank, the managing consumer accounts. As discussed above aware that small businesses also have official in charge of the branch or in connection with the definition of been targets of identity theft. Over time, agency. For other creditors that do not ‘‘account,’’ the final rules also require identity theft could expand to affect have boards of directors, the proposed the Programs of financial institutions other types of accounts. Thus, the regulations defined ‘‘board of directors’’ and creditors to cover any other type of definition of ‘‘account’’ in §l.90(b)(1) as a designated employee. account that the institution or creditor of the final rules continues to cover any Consumer groups objected to the offers or maintains for which there is a relationship to obtain a product or proposed definition as it applied to reasonably foreseeable risk from identity service that an account holder or creditors that do not have boards of theft. customer may have with a financial directors. These commenters Accordingly, the definition of institution or creditor.12 Through recommended that for these entities, ‘‘covered account’’ is divided into two examples, the definition makes clear ‘‘board of directors’’ should be defined parts. The first part refers to ‘‘an account that the purchase of property or services as a designated employee at the level of that a financial institution or creditor involving a deferred payment is senior management. They asserted that offers or maintains, primarily for considered to be an account. otherwise, institutions that do not have personal, family, or household Although the definition of ‘‘account’’ a board of directors would be given an purposes, that involves or is designed to includes business accounts, the risk- unfair advantage for purposes of the permit multiple payments or based nature of the final rules allows substantive provisions of the rules, transactions.’’ The definition provides each financial institution or creditor because they would be permitted to examples to illustrate that these types of flexibility to determine which business assign any employee to fulfill the role of consumer accounts include, ‘‘a credit accounts will be covered by its Program the ‘‘board of directors.’’ card account, mortgage loan, automobile through a risk evaluation process. The Agencies agree this important loan, margin account, cell phone The Agencies also recognize that a role should be performed by an account, utility account, checking person may establish a relationship with employee at the level of senior account, or savings account.’’14 a creditor, such as an automobile dealer management, rather than any designated The second part of the definition or a telecommunications provider, employee. Accordingly, the definition of refers to ‘‘any other account that the primarily to obtain a product or service ‘‘board of directors’’ has been revised in financial institution or creditor offers or that is not financial in nature. To make § l.90(b)(2) of the final rules so that, in maintains for which there is a clear that an ‘‘account’’ includes the case of a creditor that does not have reasonably foreseeable risk to customers relationships with creditors that are not a board of directors, the term ‘‘board of or to the safety and soundness of the financial institutions, the definition is directors’’ means ‘‘a designated financial institution or creditor from no longer tied to the provision of employee at the level of senior identity theft, including financial, ‘‘financial’’ products and services. management.’’ operational, compliance, reputation, or Accordingly, the Agencies have deleted Section l.90(b)(3) Covered Account. litigation risks.’’ This part of the the reference to the Bank Holding As mentioned previously, the Agencies definition reflects the Agencies’ belief Company Act. have added a new definition of that other types of accounts, such as The definition of ‘‘account’’ still ‘‘covered account’’ in § l.90(b)(3) to small business accounts or sole includes the words ‘‘continuing proprietorship accounts, may be describe the type of ‘‘account’’ covered relationship.’’ The Agencies have vulnerable to identity theft, and, by the final rules. The proposed rules determined that, at this time, the burden therefore, should be considered for would have provided a financial that would be imposed upon financial coverage by the Program of a financial institution or creditor with broad institutions and creditors by a institution or creditor. flexibility to apply its Program to those requirement to detect, prevent and In response to the proposed definition accounts that it determined were mitigate identity theft in connection of ‘‘account,’’ a trade association vulnerable to the risk of identity theft, with single, non-continuing transactions representing credit unions suggested and did not mandate coverage of any by non-customers would outweigh the that the term ‘‘customer’’ in the particular type of account. benefits of such a requirement. The definition be revised to refer to Consumer group commenters urged Agencies recognize, however, that the Agencies to limit the discretion identity theft may occur at the time of 13 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) afforded to financial institutions and account opening. Therefore, as detailed (accompanying S. 1753). creditors by requiring them to cover below, the obligations of the final rule 14 These examples reflect the fact that the rules consumer accounts in their Programs. are applicable to a variety of financial institutions apply not only to existing accounts, jlentini on PROD1PC65 with RULES4 While seeking to preserve their and creditors. They are not intended to confer any where a relationship already has been additional powers on covered entities. Nonetheless, discretion, many industry commenters some of the Agencies have chosen to limit the 12 Accordingly, the definition of ‘‘account’’ still requested that the Agencies limit the examples in their rule texts to those products applies to fiduciary, agency, custodial, brokerage final rules to consumer accounts, where covered entities subject to their jurisdiction are and investment advisory activities. identity theft is most likely to occur. legally permitted to offer. VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
  6. 6. 63722 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations ‘‘member’’ to better reflect the that the Agencies chose this broad individual who has a consumer account ownership structure of some financial definition because, in addition to will always be a ‘‘customer.’’ A institutions or to ‘‘consumer’’ to include individuals, various types of entities ‘‘customer’’ may also be a person that all individuals doing business at all (e.g., small businesses) can be victims of has another type of account for which types of financial institutions. The identity theft. Under the proposed a financial institution or creditor definition of ‘‘account’’ in the final rules definition, however, a financial determines there is a reasonably no longer makes reference to the term institution or creditor would have had foreseeable risk to its customers or to its ‘‘customer’’; however, the definition of the discretion to determine which type own safety and soundness from identity ‘‘covered account’’ continues to employ of customer accounts would be covered theft. this term, to be consistent with section under its Program, since the proposed The Agencies note that the 114 of the FACT Act, which uses the regulations were risk-based.17 Information Security Standards and the term ‘‘customer.’’ Of course, in the case As noted above, most industry privacy rules implemented various of credit unions, the final rules and commenters maintained that including sections of Title V of the GLBA, 15 guidelines will apply to the accounts of all persons, not just consumers, within U.S.C. 6801, which specifically apply members that are maintained primarily the definition of ‘‘customer’’ would only to customers who are consumers. for personal, family, or household impose a substantial financial burden By contrast, section 114 does not define purposes, and those that are otherwise on financial institutions and creditors, the term ‘‘customer.’’ Because the subject to a reasonably foreseeable risk and make compliance with the Agencies continue to believe that a of identity theft. regulations more burdensome. These business customer can be a target of Sections l.90(b)(4) and (b)(5) Credit commenters stated that business identity theft, the final rules contain a and Creditor. The proposed rules identity theft is rare, and maintained risk-based process designed to ensure defined these terms by cross-reference that financial institutions and creditors that these types of customers will be to the relevant sections of the FCRA. should be allowed to direct their fraud covered by the Program of a financial There were no comments on the prevention resources to the areas of institution or creditor, when the risk of definition of ‘‘credit’’ and § l.90(b)(4) highest risk. They also noted that identity theft is reasonably foreseeable. of the final rules adopts the definition businesses are more sophisticated than The definition of ‘‘customer’’ in the as proposed. consumers, and are in a better position final rules continues to cover only Some commenters asked the Agencies to protect themselves against fraud than customers that already have accounts. to clarify that the term ‘‘creditor’’ does consumers, both in terms of prevention The Agencies note, however, that the not cover third-party debt collectors and in enforcing their legal rights. substantive provisions of the final rules, who regularly arrange for the extension, Some financial institution described later, require the Program of renewal, or continuation of credit. commenters were concerned that the a financial institution or creditor to Section 114 applies to financial broad definition of ‘‘customer’’ would detect, prevent, and mitigate identity institutions and creditors. Under the create opportunities for commercial theft in connection with the opening of FCRA, the term ‘‘creditor’’ has the same customers to shift responsibility from a covered account as well as any meaning as in section 702 of the Equal themselves to the financial institution existing covered account. The final rules Credit Opportunity Act (ECOA), 15 for not discovering Red Flags and address persons whose identities are U.S.C. 1691a.15 ECOA defines alerting business customers about used by an imposter to open an account ‘‘creditor’’ to include a person who embezzlement or other fraudulent in these substantive provisions, rather arranges for the extension, renewal, or transactions by the commercial than through the definition of continuation of credit, which in some customer’s own employees. These ‘‘customer.’’ cases could include third-party debt commenters suggested narrowing the Section l.90(b)(7) Financial collectors. 15 U.S.C. 1691a(e). definition to cover natural persons and Institution. The Agencies received no Therefore, the Agencies are not to exclude business customers. Some of comments on the proposed definition of excluding third-party debt collectors these commenters suggested that the ‘‘financial institution.’’ It is adopted in from the scope of the final rules, and definition of ‘‘customer’’ should be § l.90(b)(7), as proposed, with a cross- § l.90(b)(5) of the final rules adopts the consistent with the definition of this reference to the relevant definition in definition of ‘‘creditor’’ as proposed. term in the Information Security the FCRA. Section l.90(b)(6) Customer. Section Standards and the Agencies’ privacy Section l.90(b)(8) Identity Theft. The 114 of the FACT Act refers to ‘‘account rules. proposal defined ‘‘identity theft’’ by holders’’ and ‘‘customers’’ of financial Consumer groups commented that the cross-referencing the FTC’s rule that institutions and creditors without proposed definition of ‘‘customer’’ was defines ‘‘identity theft’’ for purposes of defining either of these terms. For ease too narrow. They recommended that the the FCRA.18 of reference, the Agencies proposed to definition be amended, so that the Most industry commenters objected to use the term ‘‘customer’’ to encompass regulations would not only protect the breadth of the proposed definition of both ‘‘customers’’ and ‘‘account persons who are already customers of a ‘‘identity theft.’’ They recommended holders.’’ ‘‘Customer’’ was defined as a financial institution or creditor, but also that the definition include only actual person that has an account with a persons whose identities are used by an fraud committed using identifying financial institution or creditor. The imposter to open an account. information of a consumer, and exclude proposed definition of ‘‘customer’’ Section l.90(b)(6) of the final rule attempted fraud, identity theft applied to any ‘‘person,’’ defined by the defines ‘‘customer’’ to mean a person committed against businesses, and any FCRA as any individual, partnership, that has a ‘‘covered account’’ with a identity fraud involving the creation of corporation, trust, estate, cooperative, financial institution or creditor. Under a fictitious identity using fictitious data association, government or the definition of ‘‘covered account,’’ an combined with real information from jlentini on PROD1PC65 with RULES4 governmental subdivision or agency, or 17 Proposed § l.90(d)(1) required this 18 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR other entity.16 The proposal explained 603.2(a)). Section 111 of the FACT Act added determination to be substantiated by a risk evaluation that takes into consideration which several new definitions to the FCRA, including 15 See 15 U.S.C. 1681a(r)(5). customer accounts of the financial institution or ‘‘identity theft,’’ and authorized the FTC to further 16 See 15 U.S.C. 1681a(b). creditor are subject to a risk of identity theft. define this term. See 15 U.S.C. 1681a. VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
  7. 7. Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63723 multiple individuals. By contrast, identity theft as ‘‘Red Flags’’ to better consider aggravating factors that may consumer groups supported a broad position financial institutions and heighten the risk of identity theft in interpretation of ‘‘identity theft,’’ creditors to stop identity theft at its determining an appropriate response to including the incorporation of inception. the Red Flags it detects. ‘‘attempted fraud’’ in the definition. Most industry commenters objected to Section l.90(b)(10) Service Provider. Section l.90(b)(8) of the final rules the broad scope of the definition of The proposed regulations defined adopts the definition of ‘‘identity theft’’ ‘‘Red Flag,’’ particularly the phrase ‘‘service provider’’ as a person that as proposed. The Agencies believe that ‘‘possible risk of identity theft.’’ These provides a service directly to the it is important to ensure that all commenters believed that this definition financial institution or creditor. This provisions of the FACT Act that address would require financial institutions and definition was based upon the identity theft are interpreted in a creditors to identify all risks and definition of ‘‘service provider’’ in the consistent manner. Therefore, the final develop procedures to prevent or Information Security Standards.23 rule continues to define identity theft mitigate them, without regard to the One commenter agreed with this with reference to the FTC’s regulation, significance of the risk. They asserted definition. However, two other which as currently drafted provides that that the statute does not support the use commenters stated that the definition the term ‘‘identity theft’’ means ‘‘a fraud of ‘‘possible risk’’ and suggested was too broad. They suggested committed or attempted using the defining a ‘‘Red Flag’’ as an indicator of narrowing the definition of ‘‘service identifying information of another significant, substantial, or the probable provider’’ to persons or entities that person without authority.’’ 19 The FTC risk of identity theft. These commenters have access to customer information. defines the term ‘‘identifying stated that this would allow a financial Section l.90(b)(10) of the final rules information’’ to mean ‘‘any name or institution or creditor to focus adopts the definition as proposed. The number that may be used, alone or in compliance in areas where it is most Agencies have concluded that defining conjunction with any other information, needed. ‘‘service provider’’ to include only to identify a specific person, including Most industry commenters also stated persons that have access to customer any— that the inclusion of precursors to information would inappropriately (1) Name, social security number, date identity theft in the definition of ‘‘Red narrow the coverage of the final rules. of birth, official State or government Flag’’ would make the regulations even The Agencies have interpreted section issued driver’s license or identification broader and more burdensome. They 114 broadly to require each financial number, alien registration number, stated that financial institutions and institution and creditor to detect, government passport number, employer creditors do not have the ability to prevent, and mitigate identity theft not or taxpayer identification number; detect and respond to precursors, such only in connection with any existing (2) Unique biometric data, such as as phishing, in the same manner as covered account, but also in connection fingerprint, voice print, retina or iris other Red Flags that are more indicative with the opening of an account. A image, or other unique physical of actual ongoing identity theft. financial institution or creditor is representation; By contrast, consumer groups ultimately responsible for complying (3) Unique electronic identification supported the inclusion of the phrase with the final rules and guidelines even number, address, or routing code; or ‘‘possible risk of identity theft’’ and the if it outsources an activity to a third- (4) Telecommunication identifying reference to precursors in the proposed party service provider. Thus, a financial information or access device (as defined definition of ‘‘Red Flag.’’ These institution or creditor that uses a service in 18 U.S.C. 1029(e)). commenters stated that placing provider to open accounts will need to Thus, under the FTC’s regulation, the emphasis on detecting precursors to provide for the detection, prevention, creation of a fictitious identity using any identity theft, instead of waiting for and mitigation of identity theft in single piece of information belonging to proven cases, is the right approach. connection with this activity, even a real person falls within the definition The Agencies have concluded that the when the service provider has access to of ‘‘identity theft’’ because such a fraud phrase ‘‘possible risk’’ in the proposed the information of a person who is not involves ‘‘using the identifying definition of ‘‘Red Flag’’ is confusing yet, and may not become, a ‘‘customer.’’ information of another person without and could unduly burden entities with authority.’’ 20 limited resources. Therefore, the final Section l.90(c) Periodic Identification Section l.90(b)(9) Red Flag. The rules define ‘‘Red Flag’’ in § l.90(b)(9) of Covered Accounts proposed regulations defined ‘‘Red using language derived directly from To simplify compliance with the final Flag’’ as a pattern, practice, or specific section 114, namely, ‘‘a pattern, rules, the Agencies added a new activity that indicates the possible risk practice, or specific activity that provision in § l.90(c) that requires each of identity theft. The preamble to the indicates the possible existence of financial institution and creditor to proposed rules explained that indicators identity theft.’’ 22 periodically determine whether it offers of a ‘‘possible risk’’ of identity theft The Agencies continue to believe, or maintains any covered accounts. As would include precursors to identity however, that financial institutions and a part of this determination, a financial theft such as phishing,21 and security creditors should consider precursors to institution or creditor must conduct a breaches involving the theft of personal identity theft in order to stop identity risk assessment to determine whether it information, which often are a means to theft before it occurs. Therefore, as acquire the information of another described below, the Agencies have 23 The Information Security Standards define person for use in committing identity chosen to address precursors directly, ‘‘service provider’’ to mean any person or entity theft. The preamble explained that the through a substantive provision in that maintains, processes, or otherwise is permitted Agencies included such precursors to access to customer information or consumer section IV of the guidelines titled information through the provision of services ‘‘Prevention and Mitigation,’’ rather directly to the financial institution. 12 CFR part 30, jlentini on PROD1PC65 with RULES4 19 See 16 CFR 603.2(a). than through the definition of ‘‘Red app. B (national banks); 12 CFR part 208, app. D– 20 See 16 CFR 603.2(b). Flag.’’ This provision states that a 2 and part 225, app. F (state member banks and 21 Electronic messages to customers of financial holding companies); 12 CFR part 364, app. B (state institutions and creditors directing them to provide financial institution or creditor should non-member banks); 12 CFR part 570, app. B personal information in response to a fraudulent (savings associations); 12 CFR part 748, App. A e-mail. 22 15 U.S.C. 1681m(c)(2)(A). (credit unions). VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4