FTC Red Flag Rule

All 60 pages of it. Want us to break it down for you? Just call 860-367-8584.
    FTC Red Flag Rule: Document Transcript

    • Friday, November 9, 2007
      Part IV
      Department of the Treasury, Office of the Comptroller of the Currency: 12 CFR Part 41
      Federal Reserve System: 12 CFR Part 222
      Federal Deposit Insurance Corporation: 12 CFR Parts 334 and 364
      Department of the Treasury, Office of Thrift Supervision: 12 CFR Part 571
      National Credit Union Administration: 12 CFR Part 717
      Federal Trade Commission: 16 CFR Part 681
      Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule
    • 63718 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

      DEPARTMENT OF THE TREASURY
      Office of the Comptroller of the Currency
      12 CFR Part 41
      [Docket ID OCC–2007–0017]
      RIN 1557–AC87

      FEDERAL RESERVE SYSTEM
      12 CFR Part 222
      [Docket No. R–1255]

      FEDERAL DEPOSIT INSURANCE CORPORATION
      12 CFR Parts 334 and 364
      RIN 3064–AD00

      DEPARTMENT OF THE TREASURY
      Office of Thrift Supervision
      12 CFR Part 571
      [Docket No. OTS–2007–0019]
      RIN 1550–AC04

      NATIONAL CREDIT UNION ADMINISTRATION
      12 CFR Part 717

      FEDERAL TRADE COMMISSION
      16 CFR Part 681
      RIN 3084–AA94

      Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003

      AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); and Federal Trade Commission (FTC or Commission).

      ACTION: Joint final rules and guidelines.

      SUMMARY: The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) are jointly issuing final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. The rules implementing section 114 require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. In addition, the Agencies are issuing guidelines to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the rules. The rules implementing section 114 also require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. Additionally, the Agencies are issuing joint rules under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.

      DATES: The joint final rules and guidelines are effective January 1, 2008. The mandatory compliance date for this rule is November 1, 2008.

      FOR FURTHER INFORMATION CONTACT:

      OCC: Amy Friend, Assistant Chief Counsel, (202) 874–5200; Deborah Katz, Senior Counsel, or Andra Shuster, Special Counsel, Legislative and Regulatory Activities Division, (202) 874–5090; Paul Utterback, Compliance Specialist, Compliance Department, (202) 874–5461; or Aida Plaza Carter, Director, Bank Information Technology, (202) 874–4740, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

      Board: David A. Stein or Ky Tran-Trong, Counsels, or Amy Burke, Attorney, Division of Consumer and Community Affairs, (202) 452–3667; Kara L. Handzlik, Attorney, Legal Division, (202) 452–3852; or John Gibbons, Supervisory Financial Analyst, Division of Banking Supervision and Regulation, (202) 452–6409, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551.

      FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898–3872, or David P. Lafleur, Policy Analyst, (202) 898–6569, Division of Supervision and Consumer Protection; Richard M. Schwartz, Counsel, (202) 898–7424, or Richard B. Foley, Counsel, (202) 898–3784, Legal Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

      OTS: Ekita Mitchell, Consumer Regulations Analyst, Compliance and Consumer Protection, (202) 906–6451; Kathleen M. McNulty, Technology Program Manager, Information Technology Risk Management, (202) 906–6322; or Richard Bennett, Senior Compliance Counsel, Regulations and Legislation Division, (202) 906–7409, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.

      NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518–6540, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314–3428.

      FTC: Naomi B. Lefkovitz, Attorney, or Pavneet Singh, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326–2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington DC 20580.

      SUPPLEMENTARY INFORMATION:

      I. Introduction

      The President signed the FACT Act into law on December 4, 2003.[1] The FACT Act added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 et seq. Section 114 of the FACT Act, 15 U.S.C. 1681m(e), amends section 615 of the FCRA, and directs the Agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances.[2] Section 315 of the FACT Act, 15 U.S.C. 1681c(h), adds a new section 605(h)(2) to the FCRA requiring the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.

      On July 18, 2006, the Agencies published a joint notice of proposed rulemaking (NPRM) in the Federal Register (71 FR 40786) proposing rules and guidelines to implement section 114 and proposing rules to implement section 315 of the FACT Act. The public comment period closed on September 18, 2006. The Agencies collectively received a total of 129 comments in response to the NPRM, although many commenters sent copies of the same letter to each of the Agencies. The comments included 63 from financial institutions, 12 from financial institution holding companies, 23 from financial institution trade associations, 12 from individuals, nine from other trade associations, five from other business entities, three from consumer

      [1] Pub. L. 108–159.
      [2] Section 111 of the FACT Act defines “identity theft” as “a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade] Commission may prescribe, by regulation.” 15 U.S.C. 1681a(q)(3).
    • Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63719

      groups,[3] one from a member of Congress, and one from the United States Small Business Administration (SBA).

      II. Section 114 of the FACT Act

      A. Red Flag Regulations and Guidelines

      1. Background

      Section 114 of the FACT Act requires the Agencies to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. Section 114 also directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or “customer.”[4]

      In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures issued under section 326 of the USA PATRIOT Act,[5] 31 U.S.C. 5318(l), that require verification of the identity of persons opening new accounts. The Agencies also must consider including reasonable guidelines that would apply when a transaction occurs in connection with a consumer’s credit or deposit account that has been inactive for two years. These guidelines would provide that in such circumstances, a financial institution or creditor “shall follow reasonable policies and procedures” for notifying the consumer, “in a manner reasonably designed to reduce the likelihood of identity theft.”

      2. Overview of Proposal and Comments Received

      The Agencies proposed to implement section 114 through regulations requiring each financial institution and creditor to implement a written Program to detect, prevent and mitigate identity theft in connection with the opening of an account or any existing account. The Agencies also proposed guidelines that identified 31 patterns, practices, and specific forms of activity that indicate a possible risk of identity theft. The proposed regulations required each financial institution and creditor to incorporate into its Program relevant indicators of a possible risk of identity theft (Red Flags), including indicators from among those listed in the guidelines. To promote flexibility and responsiveness to the changing nature of identity theft, the proposed rules also stated that covered entities would need to include in their Programs relevant Red Flags from applicable supervisory guidance, their own experiences, and methods that the entity had identified that reflect changes in identity theft risks.

      The Agencies invited comment on all aspects of the proposed regulations and guidelines implementing section 114, and specifically requested comment on whether the elements described in section 114 had been properly allocated between the proposed regulations and the proposed guidelines.

      Consumer groups maintained that the proposed regulations provided too much discretion to financial institutions and creditors to decide which accounts and Red Flags to include in their Programs and how to respond to those Red Flags. These commenters stated that the flexible and risk-based approach taken in the proposed rulemaking would permit “business as usual.” Some small financial institutions also expressed concern about the flexibility afforded by the proposal. These commenters stated that they preferred to have clearer, more structured guidance describing exactly how to develop and implement a Program and what they would need to do to achieve compliance.

      Most commenters, however, including many financial institutions and creditors, asserted that the proposal was overly prescriptive, contained requirements beyond those mandated in the FACT Act, would be costly and burdensome to implement, and would complicate the existing efforts of financial institutions and creditors to detect and prevent identity theft. Some industry commenters asserted that the rulemaking was unnecessary because large businesses, such as banks and telecommunications companies, already are motivated to prevent identity theft and other forms of fraud in order to limit their own financial losses. Financial institution commenters maintained that they are already doing most of what would be required by the proposal as a result of having to comply with the customer identification program (CIP) regulations implementing section 326 of the USA PATRIOT Act[6] and other existing requirements. These commenters suggested that the regulations and guidelines take the form of broad objectives modeled on the objectives set forth in the “Interagency Guidelines Establishing Information Security Standards” (Information Security Standards).[7] A few financial institution commenters asserted that the primary cause of identity theft is the lack of care on the part of the consumer. They stated that consumers should be held responsible for protecting their own identifying information.

      The Agencies have modified the proposed rules and guidelines in light of the comments received. An overview of the final rules, guidelines, and supplement, a discussion of the comments, and the specific manner in which the proposed rules and guidelines have been modified, follows.

      3. Overview of final rules and guidelines

      The Agencies are issuing final rules and guidelines that provide both flexibility and more guidance to financial institutions and creditors. The final rules also require the Program to address accounts where identity theft is most likely to occur. The final rules describe which financial institutions and creditors are required to have a Program, the objectives of the Program, the elements that the Program must contain, and how the Program must be administered.

      Under the final rules, only those financial institutions and creditors that offer or maintain “covered accounts” must develop and implement a written Program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Each financial institution and creditor must periodically determine whether it offers or maintains a “covered account.”

      The final regulations provide that the Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. In addition, the Program must be tailored to the entity’s size, complexity and nature of its operations.

      [3] One of these letters represented the comments of five consumer groups.
      [4] Use of the term “customer,” here, appears to be a drafting error and likely should read “creditor.”
      [5] Pub. L. 107–56.
      [6] See, e.g., 31 CFR 103.121 (applicable to banks, thrifts and credit unions and certain non-federally regulated banks).
      [7] 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions).
    • 63720 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

      The final regulations list the four basic elements that must be included in the Program of a financial institution or creditor. The Program must contain “reasonable policies and procedures” to:

      • Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
      • Detect Red Flags that have been incorporated into the Program;
      • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
      • Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

      The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.

      In order to provide financial institutions and creditors with more flexibility in developing a Program, the Agencies have moved certain detail formerly contained in the proposed regulations to the guidelines located in Appendix J. This detailed guidance should assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulations to detect, prevent, and mitigate identity theft. Each financial institution or creditor that is required to implement a Program must consider the guidelines and include in its Program those guidelines that are appropriate. The guidelines provide policies and procedures for use by institutions and creditors, where appropriate, to satisfy the requirements of the final rules, including the four elements listed above. While an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program, the Program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rules. The illustrative examples of Red Flags formerly in Appendix J are now listed in a supplement to the guidelines.

      4. Section-by-Section Analysis[8]

      Section __.90(a) Purpose and Scope

      Proposed § __.90(a) described the statutory authority for the proposed regulations, namely, section 114 of the FACT Act. It also defined the scope of this section; each of the Agencies proposed tailoring this paragraph to describe those entities to which this section would apply. The Agencies received no comments on this section, and it is adopted as proposed.

      Section __.90(b) Definitions

      Proposed § __.90(b) contained definitions of various terms that applied to the proposed rules and guidelines. While § __.90(b) of the final rules continues to describe the definitions applicable to the final rules and guidelines, changes have been made to address the comments, as follows.

      Section __.90(b)(1) Account. The Agencies proposed using the term “account” to describe the relationships covered by section 114 that an account holder or customer may have with a financial institution or creditor.[9] The proposed definition of “account” was “a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).” The definition also gave examples of types of “accounts.”

      Some commenters stated that the regulations do not need a definition of “account” to give effect to their terms. Some commenters maintained that a new definition for “account” would be confusing as this term is already defined inconsistently in several regulations and in section 615(e) of the FCRA. These commenters recommended that the Agencies use the term “continuing relationship” instead, and define this phrase in a manner consistent with the Agencies’ privacy rules[10] implementing Title V of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801.[11] These commenters urged that the definition of “account” not be expanded to include relationships that are not “continuing.” They stated that it would be very burdensome to gather and maintain information on non-customers for one-time transactions. Other commenters suggested defining the term “account” in a manner consistent with the CIP rules.

      Many commenters stated that defining “account” to cover both consumer and business accounts was too broad, exceeded the scope of the FACT Act, and would make the regulation too burdensome. These commenters recommended limiting the scope of the regulations and guidelines to cover only consumer financial services, specifically accounts established for personal, family and household purposes, because these types of accounts typically are targets of identity theft. They asserted that identity theft has not historically been common in connection with business or commercial accounts.

      Consumer groups maintained that the proposed definition of “account” was too narrow. They explained that because the proposed definition was tied to financial products and services that can be offered under the Bank Holding Company Act, it inappropriately excluded certain transactions involving creditors that are not financial institutions that should be covered by the regulations. Some of these commenters recommended that the definition of “account” include any relationship with a financial institution or creditor in which funds could be intercepted or credit could be extended, as well as any other transaction which could obligate an individual or other entity, including transactions that do not result in a continuing relationship. Others suggested that there should be no flexibility to exclude any account that is held by an individual or which generates information about individuals that reflects on their financial or credit reputations.

      The Agencies have modified the definition of “account” to address these comments. First, the final rules now apply to “covered accounts,” a term that the Agencies have added to the definition section to eliminate

      [8] The OCC, Board, FDIC, OTS and NCUA are placing the regulations and guidelines implementing section 114 in the part of their regulations that implement the FCRA: 12 CFR parts 41, 222, 334, 571, and 717, respectively. In addition, the FDIC cross-references the regulations and guidelines in 12 CFR part 364. For ease of reference, the discussion in this preamble uses the shared numerical suffix of each of these agency’s regulations. The FTC also is placing the final regulations and guidelines in the part of its regulations implementing the FCRA, specifically 16 CFR part 681. However, the FTC uses different numerical suffixes that equate to the numerical suffixes discussed in the preamble as follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 = FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition, Appendix J referenced in the preamble is the FTC’s Appendix A.
      [9] The Agencies acknowledged that section 114 does not use the term “account” and, in other contexts, the FCRA defines the term “account” narrowly to describe certain consumer deposit or asset accounts. See 15 U.S.C. 1681a(r)(4).
      [10] See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716 (NCUA); and 16 CFR 313 (FTC).
      [11] Pub. L. 106–102.
    • Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63721

      confusion between these rules and other rules that apply to an “account.” The Agencies have retained a definition of “account” simply to clarify and provide context for the definition of “covered account.”

      Section 114 provides broad discretion to the Agencies to prescribe regulations and guidelines to address identity theft. The terminology in section 114 is not confined to “consumer” accounts. While identity theft primarily has been directed at consumers, the Agencies are aware that small businesses also have been targets of identity theft. Over time, identity theft could expand to affect other types of accounts. Thus, the definition of “account” in § __.90(b)(1) of the final rules continues to cover any relationship to obtain a product or service that an account holder or customer may have with a financial institution or creditor.[12] Through examples, the definition makes clear that the purchase of property or services involving a deferred payment is considered to be an account.

      Although the definition of “account” includes business accounts, the risk-based nature of the final rules allows each financial institution or creditor flexibility to determine which business accounts will be covered by its Program through a risk evaluation process.

      The Agencies also recognize that a person may establish a relationship with a creditor, such as an automobile dealer or a telecommunications provider, primarily to obtain a product or service that is not financial in nature. To make clear that an “account” includes relationships with creditors that are not financial institutions, the definition is no longer tied to the provision of “financial” products and services. Accordingly, the Agencies have deleted the reference to the Bank Holding Company Act.

      The definition of “account” still includes the words “continuing relationship.” The Agencies have determined that, at this time, the burden that would be imposed upon financial institutions and creditors by a requirement to detect, prevent and mitigate identity theft in connection with single, non-continuing transactions by non-customers would outweigh the benefits of such a requirement. The Agencies recognize, however, that identity theft may occur at the time of account opening. Therefore, as detailed below, the obligations of the final rule apply not only to existing accounts, where a relationship already has been established, but also to account openings, when a relationship has not yet been established.

      Section __.90(b)(2) Board of Directors. The proposed regulations discussed the role of the board of directors of a financial institution or creditor. For financial institutions and creditors covered by the regulations that do not have boards of directors, the proposed regulations defined “board of directors” to include, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency. For other creditors that do not have boards of directors, the proposed regulations defined “board of directors” as a designated employee.

      Consumer groups objected to the proposed definition as it applied to creditors that do not have boards of directors. These commenters recommended that for these entities, “board of directors” should be defined as a designated employee at the level of senior management. They asserted that otherwise, institutions that do not have a board of directors would be given an unfair advantage for purposes of the substantive provisions of the rules, because they would be permitted to assign any employee to fulfill the role of the “board of directors.”

      The Agencies agree this important role should be performed by an employee at the level of senior management, rather than any designated employee. Accordingly, the definition of “board of directors” has been revised in § __.90(b)(2) of the final rules so that, in the case of a creditor that does not have a board of directors, the term “board of directors” means “a designated employee at the level of senior management.”

      Section __.90(b)(3) Covered Account. As mentioned previously, the Agencies have added a new definition of “covered account” in § __.90(b)(3) to describe the type of “account” covered by the final rules. The proposed rules would have provided a financial institution or creditor with broad flexibility to apply its Program to those accounts that it determined were vulnerable to the risk of identity theft, and did not mandate coverage of any particular type of account.

      Consumer group commenters urged the Agencies to limit the discretion afforded to financial institutions and creditors by requiring them to cover consumer accounts in their Programs. While seeking to preserve their discretion, many industry commenters requested that the Agencies limit the final rules to consumer accounts, where identity theft is most likely to occur.

      The Agencies recognize that consumer accounts are presently the most common target of identity theft and acknowledge that Congress expected the final regulation to address risks of identity theft to consumers.[13] For this reason, the final rules require each Program to cover accounts established primarily for personal, family or household purposes, that involve or are designed to permit multiple payments or transactions, i.e., consumer accounts. As discussed above in connection with the definition of “account,” the final rules also require the Programs of financial institutions and creditors to cover any other type of account that the institution or creditor offers or maintains for which there is a reasonably foreseeable risk from identity theft.

      Accordingly, the definition of “covered account” is divided into two parts. The first part refers to “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.” The definition provides examples to illustrate that these types of consumer accounts include, “a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.”[14]

      The second part of the definition refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” This part of the definition reflects the Agencies’ belief that other types of accounts, such as small business accounts or sole proprietorship accounts, may be vulnerable to identity theft, and, therefore, should be considered for coverage by the Program of a financial institution or creditor.

      In response to the proposed definition of “account,” a trade association representing credit unions suggested that the term “customer” in the definition be revised to refer to

      [12] Accordingly, the definition of “account” still applies to fiduciary, agency, custodial, brokerage and investment advisory activities.
      [13] See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) (accompanying S. 1753).
      [14] These examples reflect the fact that the rules are applicable to a variety of financial institutions and creditors. They are not intended to confer any additional powers on covered entities. Nonetheless, some of the Agencies have chosen to limit the examples in their rule texts to those products covered entities subject to their jurisdiction are legally permitted to offer.
63722 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

‘‘member’’ to better reflect the ownership structure of some financial institutions or to ‘‘consumer’’ to include all individuals doing business at all types of financial institutions. The definition of ‘‘account’’ in the final rules no longer makes reference to the term ‘‘customer’’; however, the definition of ‘‘covered account’’ continues to employ this term, to be consistent with section 114 of the FACT Act, which uses the term ‘‘customer.’’ Of course, in the case of credit unions, the final rules and guidelines will apply to the accounts of members that are maintained primarily for personal, family, or household purposes, and those that are otherwise subject to a reasonably foreseeable risk of identity theft.

Sections l.90(b)(4) and (b)(5) Credit and Creditor. The proposed rules defined these terms by cross-reference to the relevant sections of the FCRA. There were no comments on the definition of ‘‘credit’’ and § l.90(b)(4) of the final rules adopts the definition as proposed.

Some commenters asked the Agencies to clarify that the term ‘‘creditor’’ does not cover third-party debt collectors who regularly arrange for the extension, renewal, or continuation of credit. Section 114 applies to financial institutions and creditors. Under the FCRA, the term ‘‘creditor’’ has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.15 ECOA defines ‘‘creditor’’ to include a person who arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors. 15 U.S.C. 1691a(e). Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules, and § l.90(b)(5) of the final rules adopts the definition of ‘‘creditor’’ as proposed.

Section l.90(b)(6) Customer. Section 114 of the FACT Act refers to ‘‘account holders’’ and ‘‘customers’’ of financial institutions and creditors without defining either of these terms. For ease of reference, the Agencies proposed to use the term ‘‘customer’’ to encompass both ‘‘customers’’ and ‘‘account holders.’’ ‘‘Customer’’ was defined as a person that has an account with a financial institution or creditor. The proposed definition of ‘‘customer’’ applied to any ‘‘person,’’ defined by the FCRA as any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.16 The proposal explained that the Agencies chose this broad definition because, in addition to individuals, various types of entities (e.g., small businesses) can be victims of identity theft. Under the proposed definition, however, a financial institution or creditor would have had the discretion to determine which type of customer accounts would be covered under its Program, since the proposed regulations were risk-based.17

As noted above, most industry commenters maintained that including all persons, not just consumers, within the definition of ‘‘customer’’ would impose a substantial financial burden on financial institutions and creditors, and make compliance with the regulations more burdensome. These commenters stated that business identity theft is rare, and maintained that financial institutions and creditors should be allowed to direct their fraud prevention resources to the areas of highest risk. They also noted that businesses are more sophisticated than consumers, and are in a better position to protect themselves against fraud than consumers, both in terms of prevention and in enforcing their legal rights.

Some financial institution commenters were concerned that the broad definition of ‘‘customer’’ would create opportunities for commercial customers to shift responsibility from themselves to the financial institution for not discovering Red Flags and alerting business customers about embezzlement or other fraudulent transactions by the commercial customer’s own employees. These commenters suggested narrowing the definition to cover natural persons and to exclude business customers. Some of these commenters suggested that the definition of ‘‘customer’’ should be consistent with the definition of this term in the Information Security Standards and the Agencies’ privacy rules.

Consumer groups commented that the proposed definition of ‘‘customer’’ was too narrow. They recommended that the definition be amended, so that the regulations would not only protect persons who are already customers of a financial institution or creditor, but also persons whose identities are used by an imposter to open an account.

Section l.90(b)(6) of the final rule defines ‘‘customer’’ to mean a person that has a ‘‘covered account’’ with a financial institution or creditor. Under the definition of ‘‘covered account,’’ an individual who has a consumer account will always be a ‘‘customer.’’ A ‘‘customer’’ may also be a person that has another type of account for which a financial institution or creditor determines there is a reasonably foreseeable risk to its customers or to its own safety and soundness from identity theft.

The Agencies note that the Information Security Standards and the privacy rules implemented various sections of Title V of the GLBA, 15 U.S.C. 6801, which specifically apply only to customers who are consumers. By contrast, section 114 does not define the term ‘‘customer.’’ Because the Agencies continue to believe that a business customer can be a target of identity theft, the final rules contain a risk-based process designed to ensure that these types of customers will be covered by the Program of a financial institution or creditor, when the risk of identity theft is reasonably foreseeable. The definition of ‘‘customer’’ in the final rules continues to cover only customers that already have accounts. The Agencies note, however, that the substantive provisions of the final rules, described later, require the Program of a financial institution or creditor to detect, prevent, and mitigate identity theft in connection with the opening of a covered account as well as any existing covered account. The final rules address persons whose identities are used by an imposter to open an account in these substantive provisions, rather than through the definition of ‘‘customer.’’

Section l.90(b)(7) Financial Institution. The Agencies received no comments on the proposed definition of ‘‘financial institution.’’ It is adopted in § l.90(b)(7), as proposed, with a cross-reference to the relevant definition in the FCRA.

Section l.90(b)(8) Identity Theft. The proposal defined ‘‘identity theft’’ by cross-referencing the FTC’s rule that defines ‘‘identity theft’’ for purposes of the FCRA.18

Most industry commenters objected to the breadth of the proposed definition of ‘‘identity theft.’’ They recommended that the definition include only actual fraud committed using identifying information of a consumer, and exclude attempted fraud, identity theft committed against businesses, and any identity fraud involving the creation of a fictitious identity using fictitious data combined with real information from

15 See 15 U.S.C. 1681a(r)(5).
16 See 15 U.S.C. 1681a(b).
17 Proposed § l.90(d)(1) required this determination to be substantiated by a risk evaluation that takes into consideration which customer accounts of the financial institution or creditor are subject to a risk of identity theft.
18 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)). Section 111 of the FACT Act added several new definitions to the FCRA, including ‘‘identity theft,’’ and authorized the FTC to further define this term. See 15 U.S.C. 1681a.
multiple individuals. By contrast, consumer groups supported a broad interpretation of ‘‘identity theft,’’ including the incorporation of ‘‘attempted fraud’’ in the definition.

Section l.90(b)(8) of the final rules adopts the definition of ‘‘identity theft’’ as proposed. The Agencies believe that it is important to ensure that all provisions of the FACT Act that address identity theft are interpreted in a consistent manner. Therefore, the final rule continues to define identity theft with reference to the FTC’s regulation, which as currently drafted provides that the term ‘‘identity theft’’ means ‘‘a fraud committed or attempted using the identifying information of another person without authority.’’ 19 The FTC defines the term ‘‘identifying information’’ to mean ‘‘any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any—
(1) Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
Thus, under the FTC’s regulation, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of ‘‘identity theft’’ because such a fraud involves ‘‘using the identifying information of another person without authority.’’ 20

Section l.90(b)(9) Red Flag. The proposed regulations defined ‘‘Red Flag’’ as a pattern, practice, or specific activity that indicates the possible risk of identity theft. The preamble to the proposed rules explained that indicators of a ‘‘possible risk’’ of identity theft would include precursors to identity theft such as phishing,21 and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. The preamble explained that the Agencies included such precursors to identity theft as ‘‘Red Flags’’ to better position financial institutions and creditors to stop identity theft at its inception.

Most industry commenters objected to the broad scope of the definition of ‘‘Red Flag,’’ particularly the phrase ‘‘possible risk of identity theft.’’ These commenters believed that this definition would require financial institutions and creditors to identify all risks and develop procedures to prevent or mitigate them, without regard to the significance of the risk. They asserted that the statute does not support the use of ‘‘possible risk’’ and suggested defining a ‘‘Red Flag’’ as an indicator of significant, substantial, or the probable risk of identity theft. These commenters stated that this would allow a financial institution or creditor to focus compliance in areas where it is most needed.

Most industry commenters also stated that the inclusion of precursors to identity theft in the definition of ‘‘Red Flag’’ would make the regulations even broader and more burdensome. They stated that financial institutions and creditors do not have the ability to detect and respond to precursors, such as phishing, in the same manner as other Red Flags that are more indicative of actual ongoing identity theft.

By contrast, consumer groups supported the inclusion of the phrase ‘‘possible risk of identity theft’’ and the reference to precursors in the proposed definition of ‘‘Red Flag.’’ These commenters stated that placing emphasis on detecting precursors to identity theft, instead of waiting for proven cases, is the right approach.

The Agencies have concluded that the phrase ‘‘possible risk’’ in the proposed definition of ‘‘Red Flag’’ is confusing and could unduly burden entities with limited resources. Therefore, the final rules define ‘‘Red Flag’’ in § l.90(b)(9) using language derived directly from section 114, namely, ‘‘a pattern, practice, or specific activity that indicates the possible existence of identity theft.’’ 22

The Agencies continue to believe, however, that financial institutions and creditors should consider precursors to identity theft in order to stop identity theft before it occurs. Therefore, as described below, the Agencies have chosen to address precursors directly, through a substantive provision in section IV of the guidelines titled ‘‘Prevention and Mitigation,’’ rather than through the definition of ‘‘Red Flag.’’ This provision states that a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft in determining an appropriate response to the Red Flags it detects.

Section l.90(b)(10) Service Provider. The proposed regulations defined ‘‘service provider’’ as a person that provides a service directly to the financial institution or creditor. This definition was based upon the definition of ‘‘service provider’’ in the Information Security Standards.23

One commenter agreed with this definition. However, two other commenters stated that the definition was too broad. They suggested narrowing the definition of ‘‘service provider’’ to persons or entities that have access to customer information.

Section l.90(b)(10) of the final rules adopts the definition as proposed. The Agencies have concluded that defining ‘‘service provider’’ to include only persons that have access to customer information would inappropriately narrow the coverage of the final rules. The Agencies have interpreted section 114 broadly to require each financial institution and creditor to detect, prevent, and mitigate identity theft not only in connection with any existing covered account, but also in connection with the opening of an account. A financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider. Thus, a financial institution or creditor that uses a service provider to open accounts will need to provide for the detection, prevention, and mitigation of identity theft in connection with this activity, even when the service provider has access to the information of a person who is not yet, and may not become, a ‘‘customer.’’

Section l.90(c) Periodic Identification of Covered Accounts

To simplify compliance with the final rules, the Agencies added a new provision in § l.90(c) that requires each financial institution and creditor to periodically determine whether it offers or maintains any covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it

19 See 16 CFR 603.2(a).
20 See 16 CFR 603.2(b).
21 Electronic messages to customers of financial institutions and creditors directing them to provide personal information in response to a fraudulent e-mail.
22 15 U.S.C. 1681m(c)(2)(A).
23 The Information Security Standards define ‘‘service provider’’ to mean any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through the provision of services directly to the financial institution. 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions).
offers or maintains covered accounts described in § l.90(b)(3)(ii) (accounts other than consumer accounts), taking into consideration:
• The methods it provides to open its accounts;
• The methods it provides to access its accounts; and
• Its previous experiences with identity theft.
Thus, a financial institution or creditor should consider whether, for example, a reasonably foreseeable risk of identity theft may exist in connection with business accounts it offers or maintains that may be opened or accessed remotely, through methods that do not require face-to-face contact, such as through the internet or telephone. In addition, those institutions and creditors that offer or maintain business accounts that have been the target of identity theft should factor those experiences with identity theft into their determination.

This provision is modeled on various process-oriented and risk-based regulations issued by the Agencies, such as the Information Security Standards. Compliance with this type of regulation is based upon a regulated entity’s own preliminary risk assessment. The risk assessment required here directs a financial institution or creditor to determine, as a threshold matter, whether it will need to have a Program.24 If a financial institution or creditor determines that it does need a Program, then this risk assessment will enable the financial institution or creditor to identify those accounts the Program must address. This provision also requires a financial institution or creditor that initially determines that it does not need to have a Program to reassess periodically whether it must develop and implement a Program in light of changes in the accounts that it offers or maintains and the various other factors set forth in the provision.

Section l.90(d)(1) Identity Theft Prevention Program Requirement

Proposed § l.90(c) described the primary objectives of a Program. It stated that each financial institution or creditor must implement a written Program that includes reasonable policies and procedures to address the risk of identity theft to its customers and to the safety and soundness of the financial institution or creditor, in the manner described in proposed § l.90(d), which described the development and implementation of a Program. It also stated that the Program must address financial, operational, compliance, reputation, and litigation risks and be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

Some commenters believed that the proposed regulations exceeded the scope of section 114 by covering deposit accounts and by requiring a response to the risk of identity theft, not just the identification of the risk of identity theft. One commenter expressed concern about the application of the Program to existing accounts.

The SBA commented that requiring all small businesses covered by the regulations to create a written Program would be overly burdensome. Several financial institution commenters objected to what they perceived as a proposed requirement that financial institutions and creditors have a written Program solely to address identity theft. They recommended that the final regulations allow a covered entity to simply maintain or expand its existing fraud prevention and information security programs as long as they included the detection, prevention, and mitigation of identity theft. Some of these commenters stated that requiring a written program would merely focus examiner attention on documentation and cause financial institutions to produce needless paperwork.

While commenters generally agreed that the Program should be appropriate to the size and complexity of the financial institution or creditor, and the nature and scope of its activities, many industry commenters objected to the prescriptive nature of this section. They urged the Agencies to provide greater flexibility to financial institutions and creditors by allowing them to implement their own procedures as opposed to those provided in the proposed regulations. Several other commenters suggested permitting financial institutions and creditors to take into account the cost and effectiveness of policies and procedures and the institution’s history of fraud when designing its Program.

Several financial institution commenters maintained that the Program required by the proposed rules was not sufficiently flexible. They maintained that a true risk-based approach would permit institutions to prioritize the importance of various controls, address the most important risks first, and accept the good faith judgments of institutions in differentiating among their options for conducting safe, sound, and compliant operations. Some of these commenters urged the Agencies to revise the final rules and guidelines and adopt an approach similar to the Information Security Standards which they characterized as providing institutions with an outline of issues to consider without requiring specific approaches.

Although a few commenters believed that the proposed requirement to update the Program was burdensome and should be eliminated, most commenters agreed that the Program should be designed to address changing risks over time. A number of these commenters, however, objected to the requirement that the Program must be designed to address changing identity theft risks ‘‘as they arise,’’ as too burdensome a standard. Instead, they recommended that the final regulations require a financial institution or creditor to reassess periodically whether to adjust the types of accounts covered or Red Flags to be detected based upon any changes in the types and methods of identity theft that an institution or creditor has experienced.

Section l.90(d) of the final rules requires each financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. To signal that the final rules are flexible, and allow smaller financial institutions and creditors to tailor their Programs to their operations, the final rules state that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

The guidelines are appended to the final rules to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulation. Section I of the guidelines, titled ‘‘The Program,’’ makes clear that a covered entity may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program. This will avoid duplication and allow covered entities to benefit from existing policies and procedures.

The Agencies do not agree with those commenters who asserted that the scope of the proposed regulations (and hence the final rules that adopt the identical approach with respect to these issues)

24 The Agencies anticipate that some financial institutions and creditors, such as various creditors regulated by the FTC that solely engage in business-to-business transactions, will be able to determine that they do not need to develop and implement a Program.
exceed the Agencies’ statutory mandate. First, section 114 clearly permits the Agencies to issue regulations and guidelines that address more than the mere identification of the risk of identity theft. Section 114 contains a broad mandate directing the Agencies to issue guidelines ‘‘regarding identity theft’’ and to prescribe regulations requiring covered entities to establish reasonable policies and procedures for implementing the guidelines. Second, two provisions in section 114 indicate that Congress expected the Agencies to issue final regulations and guidelines requiring financial institutions and creditors to detect, prevent, and mitigate identity theft.

The first relevant provision is codified in section 615(e)(1)(C) of the FCRA, where Congress addressed a particular scenario involving card issuers. In that provision, Congress directed the Agencies to prescribe regulations requiring a card issuer to take specific steps to assess the validity of a change of address request when it receives such a request and, within a short period of time, also receives a request for an additional or replacement card. The regulations must prohibit a card issuer from issuing an additional or replacement card under such circumstances, unless it notifies the cardholder or ‘‘uses other means of assessing the validity of the change of address in accordance with reasonable policies and procedures established by the card issuer in accordance with the regulations prescribed [by the Agencies] * * *.’’ This provision makes clear that Congress contemplated that the Agencies’ regulations would require a financial institution or creditor to have policies and procedures not only to identify Red Flags, but also, to prevent and mitigate identity theft.

The second relevant provision is codified in section 615(e)(2)(B) of the FCRA, and directs the Agencies to consider addressing in the identity theft guidelines transactions that occur with respect to credit or deposit accounts that have been inactive for more than two years. The Agencies must consider whether a creditor or financial institution detecting such activity should ‘‘follow reasonable policies that provide for notice to be given to the consumer in a manner reasonably designed to reduce the likelihood of identity theft with respect to such account.’’ This provision signals that the Agencies are authorized to prescribe regulations and guidelines that comprehensively address identity theft—in a manner that goes beyond the mere identification of possible risks.

The Agencies’ interpretation of section 114 is also supported by the legislative history that indicates Congress expected the Agencies to issue regulations and guidelines for the purposes of ‘‘identifying and preventing identity theft.’’ 25

Finally, the Agencies’ interpretation of section 114 is broad, based on a public policy perspective that regulations and guidelines addressing the identification of the risk of identity theft, without addressing the prevention and mitigation of identity theft, would not be particularly meaningful or effective.

The Agencies also have concluded that the scope of section 114 does not only apply to credit transactions, but also applies, for example, to deposit accounts. Section 114 refers to the risk of identity theft, generally, and not strictly in connection with credit. Because identity theft can and does occur in connection with various types of accounts, including deposit accounts, the final rules address identity theft in a comprehensive manner.

Furthermore, nothing in section 114 indicates that the regulations must only apply to identity theft in connection with account openings. The FTC has defined ‘‘identity theft’’ as ‘‘a fraud committed or attempted using the identifying information of another person without authority.’’ 26 Such fraud may occur in connection with account openings and with existing accounts. Section 615(e)(3) states that the guidelines that the Agencies prescribe ‘‘shall not be inconsistent’’ with the policies and procedures required under 31 U.S.C. 5318(l), a reference to the CIP rules which require certain financial institutions to verify the identity of customers opening new accounts. However, the Agencies do not read this phrase to prevent them from prescribing rules directed at existing accounts. To interpret the provision in this manner would solely authorize the Agencies to prescribe regulations and guidelines identical to and duplicative of those already issued—making the Agencies’ regulatory authority in this area superfluous and meaningless.27

The Agencies recognize that requiring a written Program will impose some burden. However, the Agencies believe the benefit of being able to assess a covered entity’s compliance with the final rules by evaluating the adequacy and implementation of its written Program outweighs the burdens imposed by this requirement. Moreover, although the final rules continue to require a written Program, as detailed below, the Agencies have substantially revised the proposal to focus the final rules and guidelines on reasonably foreseeable risks, make the final rules less prescriptive, and provide financial institutions and creditors with more discretion to develop policies and procedures to detect, prevent, and mitigate identity theft.

Proposed § l.90(c) also provided that the Program must address changing identity theft risks as they arise based upon the experience of the financial institution or creditor with identity theft and changes in: Methods of identity theft; methods to detect, prevent, and mitigate identity theft; the types of accounts the financial institution or creditor offers; and its business arrangements, such as mergers and acquisitions, alliances and joint ventures, and service provider arrangements.

The Agencies continue to believe that, to ensure a Program’s continuing effectiveness, it must be updated, at least periodically. However, in order to simplify the final rules, the Agencies moved this requirement into the next section, where it is one of the required elements of the Program, as discussed below.

Development and Implementation of Identity Theft Prevention Program

The remaining provisions of the proposed rules were set forth under the above-referenced section heading. Many commenters asserted that the Agencies should simply articulate certain objectives and provide financial institutions and creditors the flexibility and discretion to design policies and procedures to fulfill the objectives of the Program without the level of detail required under this section.

As described earlier, to ensure that financial institutions and creditors are able to design Programs that effectively address identity theft in a manner tailored to their own operations, the Agencies have made significant changes in the proposal by deleting whole provisions or moving them into the guidelines in Appendix J. More specifically, the Agencies abbreviated the proposed requirements formerly located in the provisions titled

25 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) (accompanying S. 1753).
26 16 CFR 603.2(a).
27 The Agencies’ conclusion is also supported by case law interpreting similar terminology, albeit in a different context, finding that ‘‘inconsistent’’ means it is impossible to comply with two laws simultaneously, or one law frustrates the purposes and objectives of another. See, e.g., Davenport v. Farmers Ins. Group, 378 F.3d 839 (8th Cir. 2004); Retail Credit Co. v. Dade County, Florida, 393 F. Supp. 577 (S.D. Fla. 1975); Alexiou v. Brad Benson Mitsubishi, 127 F. Supp.2d 557 (D.N.J. 2000).
‘‘Identification and Evaluation of Red Flags’’ and ‘‘Identity Theft Prevention and Mitigation’’ and have placed them under a section of the final rules titled ‘‘Elements of a Program.’’ The proposed requirements on ‘‘Staff Training,’’ ‘‘Oversight of Service Provider Arrangements,’’ and ‘‘Involvement of Board of Directors and Senior Management’’ are now in a section of the final rules titled ‘‘Administration of the Program.’’ The guidelines in Appendix J elaborate on these requirements. A discussion of the comments received on these sections of the proposed rules, and the corresponding sections of the final rules and guidelines follows.

Section l.90(d)(2)(i) Element I of the Program: Identification of Red Flags

Proposed § l.90(d)(1)(i) required a Program to include policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation described in § l.90(d)(1)(ii). It also required the Red Flags identified to reflect changing identity theft risks to customers and to the financial institution or creditor as they arise.

Proposed § l.90(d)(1)(i) provided that each financial institution and creditor must incorporate into its Program relevant Red Flags from Appendix J. The preamble to the proposed rules acknowledged that some Red Flags that are relevant today may become obsolete as time passes. The preamble stated that the Agencies expected to update Appendix J periodically,28 but that it may be difficult to do so quickly enough to keep pace with rapidly evolving patterns of identity theft or as quickly as financial institutions and creditors experience new types of identity theft. Therefore, proposed § l.90(d)(1)(i) also provided that each financial institution and creditor must incorporate into its Program relevant Red Flags from applicable supervisory guidance, incidents of identity theft that the financial institution or creditor has experienced, and methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

Some commenters objected to the proposed requirement that the Program contain policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor. They criticized the phrase ‘‘possible risk’’ as too broad and stated that it was unrealistic to impose upon covered entities a continuing obligation to incorporate into their Programs Red Flags to address virtually any new identity theft incident or trend and potential fraud prevention measure. These commenters stated that this would be a burdensome compliance exercise that would limit flexibility and add costs, which in turn, would take away limited resources from the ultimate objective of combating identity theft.

Many commenters objected to the proposed requirement that the Red Flags identified by a financial institution or creditor reflect changing identity theft risks to customers and to the financial institution or creditor ‘‘as they arise.’’ These commenters requested that the final rules permit financial institutions and creditors a reasonable amount of time to adjust the Red Flags included in their Programs.

Some commenters agreed that the enumerated sources of Red Flags were appropriate. A few commenters stated that financial institutions and creditors should not be required to include in their Programs any Red Flags except for those set forth in Appendix J or in supervisory guidance, or that they had experienced. However, most commenters objected to the requirement that, at a minimum, the Program incorporate any relevant Red Flags from Appendix J.

Some financial institution commenters urged deletion of the proposed requirement to include a list of relevant Red Flags in their Program. They stated that a financial institution should be able to assess which Red Flags are appropriate without having to justify to an examiner why it failed to include a specific Red Flag on a list.

Other commenters recommended that the list of Red Flags in Appendix J be illustrative only. These commenters recommended that a financial institution or creditor be permitted to include any Red Flags on its list that it concludes are appropriate. They suggested that the Agencies encourage institutions to review the list of Red Flags, and use their own experience and expertise to identify other Red Flags that become apparent as fraudsters adapt and develop new techniques. They maintained that in this manner, institutions and creditors would be able to identify the appropriate Red Flags
Appendix J that were obsolete or not appropriate for their activities.

By contrast, consumer groups criticized the flexibility and discretion afforded to financial institutions and creditors in this section of the proposed rules. These commenters urged the Agencies to make certain Red Flags from Appendix J mandatory, such as a fraud alert on a consumer report.

Proposed § l.90(d)(1)(ii) provided that in order to identify which Red Flags are relevant to detecting a possible risk of identity theft to its customers or to its own safety and soundness, the financial institution or creditor must consider:
A. Which of its accounts are subject to a risk of identity theft;
B. The methods it provides to open these accounts;
C. The methods it provides to access these accounts; and
D. Its size, location, and customer base.

While some industry commenters thought the enumerated factors were appropriate, other commenters stated that the factors on the list were not necessarily the ones used by financial institutions to identify risk and were irrelevant to any determination of identity theft or actual fraud. These commenters maintained that this proposed requirement would require financial institutions to develop entirely new programs that may not be as effective or efficient as those designed by anti-fraud experts. Therefore, they recommended that the final rules provide financial institutions and creditors with wide latitude to determine what factors they should consider and how they categorize them. These commenters urged the Agencies to refrain from providing a list of factors that financial institutions and creditors would have to consider because a finite list could limit their ability to adapt to new forms of identity theft.

Some commenters suggested that the risk evaluation include an assessment of other factors such as the likelihood of harm, the cost and operational burden of using a particular Red Flag and the effectiveness of a particular Red Flag for that institution or creditor. Some commenters suggested that the factors refer to the likely risk of identity theft, while others suggested that the factors be modified to refer to the possible risk of identity theft to which each type of account offered by the financial institution or creditor is subject. Other commenters, including a trade association representing small financial institutions, asked the Agencies to

28 Section 114 directs the Agencies to update the guidelines as often as necessary. See 15 U.S.C.
and not waste limited resources and provide guidelines on how to conduct a 1681m(e)(1)(a). effort addressing those Red Flags in risk assessment. VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63727 The final rules continue to address Section II of the guidelines also gives flexibility to be able to adapt to rapidly the identification of relevant Red Flags, examples of sources from which changing risks of identity theft. but simply state that the first element of financial institutions and creditors Sections l.90(d)(2)(ii) and (iii) a Program must be reasonable policies should derive relevant Red Flags, rather Elements II and III of the Program: and procedures to identify relevant Red than requiring that the Program Detection of and Response to Red Flags Flags for the covered accounts that the incorporate relevant Red Flags strictly financial institution or creditor offers or from the four sources listed in the Proposed § l.90(d)(2) stated that the maintains. The final rules also state that proposed rules. Section II states that a Program must include reasonable a financial institution or creditor must financial institution or creditor should policies and procedures designed to incorporate these Red Flags into its incorporate into its Program relevant prevent and mitigate identity theft in Program. Red Flags from sources such as: (1) connection with the opening of an The final rules do not require policies Incidents of identity theft that the account or any existing account. This and procedures for identifying which financial institution or creditor has section then described the policies and Red Flags are relevant to detecting a experienced; (2) methods of identity procedures that the Program must ‘‘possible risk’’ of identity theft. theft that the financial institution or include, some of which related solely to Moreover, as described below, a covered creditor has identified that reflect account openings while others related to entity’s obligation to update its Red changes in identity theft risks; and (3) existing accounts. 
Flags is now a separate element of the applicable supervisory guidance. Some financial institution The Agencies have deleted the commenters acknowledged that Program. The section of the proposed reference to the Red Flags in Appendix reference to prevention and mitigation rules describing the various factors that J as a source. Instead, a separate of identity theft was generally a good a financial institution or creditor must provision in section II of the guidelines, objective, but they urged that the final consider to identify relevant Red Flags, titled ‘‘Categories of Red Flags,’’ states rules refrain from prescribing how and the sources from which a financial that the Program of a financial financial institutions must achieve it. institution or creditor must derive its institution or creditor ‘‘should include’’ Others noted that the CIP rules and the Red Flags, are now in section II of the relevant Red Flags from five particular Information Security Standards already guidelines titled ‘‘ Identifying Relevant categories ‘‘as appropriate.’’ The required many of the steps in the Red Flags.’’ Agencies have included these proposal. They recommended that the The Agencies acknowledge that final rules recognize this and clarify that establishing a finite list of factors that a categories, which summarize the various types of Red Flags that were compliance with parallel requirements financial institution or creditor must would be sufficient for compliance consider when identifying relevant Red previously enumerated in Appendix J, in order to provide additional non- under these rules. Flags for covered accounts could limit Section l.90(d)(1) of the final rules prescriptive guidance regarding the the ability of a financial institution or requires financial institutions and identification of relevant Red Flags. creditor to respond to new forms of creditors to develop and implement a Section II of the guidelines also notes identity theft. 
Therefore, section II of the that ‘‘examples’’ of individual Red Flags written Program to detect, prevent, and guidelines contains a list of factors that from each of the five categories are mitigate identity theft in connection a financial institution or creditor appended as Supplement A to with the opening of a covered account ‘‘should consider * * * as Appendix J. The examples in or any existing covered account. appropriate’’ in identifying relevant Red Supplement A are a list of Red Flags Therefore, the Agencies concluded that Flags. similar to those found in the proposed it was not necessary to reiterate this The Agencies also modified the list in rules. The Agencies did not intend for requirement in § l.90(d)(2). The order to provide more appropriate these examples to be a comprehensive Agencies have deleted the prefatory examples of factors for consideration by list of all types of identity theft that a language from proposed § l.90(d)(2) on a financial institution or creditor financial institution or creditor may prevention and mitigation in order to determining which Red Flags may be experience. When identifying Red Flags, streamline the final rules. The various relevant. These factors are: financial institutions and creditors must provisions addressing prevention and • The types of covered accounts it consider the nature of their business mitigation formerly in this section, offers or maintains; and the type of identity theft to which namely, verification of identity, • The methods it provides to open its they may be subject. 
For instance, detection of Red Flags, assessment of covered accounts; creditors in the health care field may be the risk of Red Flags, and responses to • The methods it provides to access at risk of medical identity theft (i.e., the risk of identity theft, have been its covered accounts; and identity theft for the purpose of incorporated into the final rules as • Its previous experiences with obtaining medical services) and, ‘‘Elements of the Program’’ and into the identity theft. therefore, must identify Red Flags that guidelines elaborating on these Thus, for example, Red Flags relevant reflect this risk. provisions. Comments received to deposit accounts may differ from The Agencies also have decided not to regarding these provisions and the those relevant to credit accounts, and single out any specific Red Flags as manner in which they have been those applicable to consumer accounts mandatory for all financial institutions integrated into the final rules and may differ from those applicable to and creditors. Rather, the final rule guidelines follows. business accounts. Red Flags continues to follow the risk-based, non- appropriate for accounts that may be prescriptive approach regarding the Detecting Red Flags opened or accessed remotely may differ identification of Red Flags that was set Proposed § l.90(d)(2)(i) stated that from those that require face-to-face forth in the proposal. The Agencies the Program must include reasonable jlentini on PROD1PC65 with RULES4 contact. In addition, a financial recognize that the final rules and policies and procedures to obtain institution or creditor should consider guidelines cover a wide variety of identifying information about, and identifying as relevant those Red Flags financial institutions and creditors that verify the identity of, a person opening that directly relate to its previous offer and maintain many different an account. This provision was experiences with identity theft. 
products and services, and require the designed to address the risk of identity VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • 63728 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations theft to a financial institution or creditor In the final rules, the detection of Red existing policies and procedures and to that occurs in connection with the Flags is the second element of the develop and implement risk-based opening of new accounts. Program. The final rules provide that a policies and procedures that detect Red The proposed rules stated that any Program must contain reasonable Flags in an effective and comprehensive financial institution or creditor would policies and procedures to detect the manner. be able to satisfy the proposed Red Flags that a financial institution or requirement in § l.90(d)(2)(i) by using creditor has incorporated into its Responding to Red Flags the policies and procedures for identity Program. Proposed § l.90(d)(2)(iii) stated that verification set forth in the CIP rules. Section III of the guidelines provides to prevent and mitigate identity theft, The preamble to the proposed rules examples of various means to detect Red the Program must include policies and explained that although the CIP rules Flags. It states that the Program’s procedures to assess whether the Red exclude a variety of entities from the policies and procedures should address Flags the financial institution or creditor definition of ‘‘customer’’ and exclude a the detection of Red Flags in connection detected pursuant to proposed number of products and relationships with the opening of covered accounts, § l.90(d)(2)(ii) evidence a risk of from the definition of ‘‘account,’’ 29 the such as by obtaining identifying identity theft. 
It also stated that a Agencies were not proposing any information about, and verifying the financial institution or creditor must exclusions from either of these terms identity of, a person opening a covered have a reasonable basis for concluding given the risk-based nature of the account, for example, using the policies that a Red Flag (detected) does not regulations. and procedures regarding identification evidence a risk of identity theft. Most commenters supported this and verification set forth in the CIP Financial institution commenters provision. Many of these commenters rules. Section III also states that the expressed concern that this standard urged the Agencies to include in the Program’s policies and procedures would force an institution to justify to final rules a clear statement should address the detection of Red examiners why it did not take measures acknowledging that financial Flags in connection with existing to respond to a particular Red Flag. institutions and creditors complying covered accounts, such as by Some consumer groups believed it was with the CIP rules would be deemed to authenticating customers, monitoring appropriate to require a financial be in compliance with this provision’s transactions, and verifying the validity institution or creditor to have a requirements. Some of these of change of address requests, in the reasonable basis for concluding that a commenters encouraged the Agencies to case of existing covered accounts. particular Red Flag detected does not place the exemptions from the CIP rules Covered entities subject to the CIP evidence a risk of identity theft. Other in these final rules for consistency in rules, the Federal Financial Institution’s consumer groups believed that this was implementing both regulatory mandates. 
Examination Council’s guidance on too weak a standard and that mandating Some commenters, however, believed authentication,30 the Information the detection of certain Red Flags would the requirement to verify the identity of Security Standards, and Bank Secrecy be more effective and preventive. a person opening an account duplicated Act (BSA) rules 31 may already be Some commenters mistakenly read the requirements in the CIP rules and engaged in detecting Red Flags. These the proposed provision as requiring a urged elimination of this redundancy. entities may wish to integrate the financial institution or creditor to have Other entities not already subject to the policies and procedures already a reasonable basis for excluding a Red CIP rules stated that complying with developed for purposes of complying Flag listed in Appendix J from its those rules would be very costly and with these issuances into their Program requiring the mandatory review burdensome. These commenters asked Programs. However, such policies and and analysis of each and every Red Flag. that the Agencies provide them with procedures may need to be These commenters urged the Agencies additional guidance regarding the CIP supplemented. For example, the CIP to delete this provision. rules. rules were written to implement section Proposed § l.90(d)(2)(iv) stated that Consumer groups were concerned that 326 32 of the USA PATRIOT Act,33 an to prevent and mitigate identity theft, use of the CIP rules would not Act directed toward facilitating the the Program must include policies and adequately address identity theft. They prevention, detection, and prosecution procedures that address the risk of stated that the CIP rules allow accounts of international money laundering and identity theft to the customer, the to be opened before identity is verified, the financing of terrorism. 
Certain types financial institution, or creditor, which is not the proper standard to of ‘‘accounts,’’ ‘‘customers,’’ and commensurate with the degree of risk prevent identity theft. products are exempted or treated posed. The proposed regulations also As described below, the Agencies specially in the CIP rules because they provided an illustrative list of measures have moved verification of the identity pose a lower risk of money laundering that a financial institution or creditor of persons opening an account into or terrorist financing. Such special could take, including: section III of the guidelines where it is treatment may not be appropriate to • Monitoring an account for evidence described as one of the policies and accomplish the broader objective of of identity theft; procedures that a financial institution or detecting, preventing, and mitigating • Contacting the customer; creditor should have to detect Red Flags identity theft. Accordingly, the Agencies • Changing any passwords, security in connection with the opening of a expect all financial institutions and codes, or other security devices that covered account. creditors to evaluate the adequacy of permit access to a customer’s account; Proposed § l.90(d)(2)(ii) stated that • Reopening an account with a new the Program must include reasonable 30 ‘‘Authentication in an Internet Banking account number; policies and procedures to detect the Environment’’ (October 12, 2005) available at • Not opening a new account; Red Flags identified pursuant to http://www.ffiec.gov/press/pr101205.htm. • Closing an existing account; • Notifying law enforcement and, for jlentini on PROD1PC65 with RULES4 paragraph § l.90(d)(1). The Agencies 31 See, e.g. 12 CFR 21.21 (national banks); 12 CFR 208.63 (state member banks); 12 CFR 326.8 (state did not receive any specific comments non-member banks); 12 CFR 563.177 (savings those that are subject to 31 U.S.C. on this provision. associations); and 12 CFR 748.2 (credit unions). 
5318(g), filing a Suspicious Activity 32 31 U.S.C. 5318(l). Report in accordance with applicable 29 See, e.g., 31 CFR 103.121(a). 33 Pub. L. 107–56. law and regulation; VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63729 • Implementing any requirements § l.90(d)(2)(iv) are now located in inclusion of a fraud alert or active duty regarding limitations on credit section IV of the guidelines, titled alert in his or her credit file is exercising extensions under 15 U.S.C. 1681c–1(h), ‘‘Prevention and Mitigation of Identity a right under the FCRA, which is a part such as declining to issue an additional Theft.’’ Section IV states that the of the CCPA, 15 U.S.C. 1601, et seq. credit card when the financial Program’s policies and procedures When a credit file contains a fraud or institution or creditor detects a fraud or should provide for appropriate active duty alert, section 605A of the active duty alert associated with the responses to the Red Flags the financial FCRA, 15 U.S.C. 1681c–1(h), requires a opening of an account, or an existing institution or creditor has detected that creditor to take certain steps before account; or are commensurate with the degree of extending credit, increasing a credit • Implementing any requirements for risk posed. In addition, as described limit, or issuing an additional card on furnishers of information to consumer earlier, the final rules do not define Red an existing credit account. For an initial reporting agencies under 15 U.S.C. Flags to include indicators of a or active duty alert, these steps include 1681s–2, to correct or update inaccurate ‘‘possible risk’’ of identity theft utilizing reasonable policies and or incomplete information. (including ‘‘precursors’’ to identity procedures to form a reasonable belief Some commenters agreed that theft). 
Instead, section IV states that in that the creditor knows the identity of financial institutions and creditors determining an appropriate response, a the consumer and, where a consumer should be able to use their own financial institution or creditor should has specified a telephone number for judgment to determine which measures consider aggravating factors that may identity verification purposes, to take depending upon the degree of heighten the risk of identity theft, and contacting the consumer at that risk that is present. However, consumer provides examples of such factors. telephone number or taking reasonable groups believed that the final rules The Agencies also modified the steps to verify the consumer’s identity should require notification of examples of appropriate responses as and confirm that the application is not consumers in every case where a Red follows. First, the Agencies added ‘‘not the result of identity theft, 15 U.S.C. Flag that requires a response has been attempting to collect on a covered 1681c–1(h)(1)(B). detected. account or not selling a covered account The purpose of the footnote was to Other commenters objected to some of to a debt collector’’ as a possible remind financial institutions and the examples given as measures that response to Red Flags detected. Second, creditors of their legal responsibilities in financial institutions and creditors the Agencies added ‘‘determining that circumstances where a consumer has could take to address the risk of identity no response is warranted under the placed a fraud or active duty alert on his theft. For example, one commenter particular circumstances’’ to make clear or her consumer report. 
In particular, objected to the inclusion, as an example, that an appropriate response may be no the Agencies have concerns that in some of the requirements regarding response, especially, for example, when cases, creditors have adopted policies of limitations on credit extensions under a financial institution or creditor has a automatically denying credit to 15 U.S.C. 1681c–1(h). The commenter reasonable basis for concluding that the consumers whenever an initial fraud stated that this statutory provision is Red Flags detected do not evidence a alert or an active duty alert appears on confusing, useless, and should not be risk of identity theft. an applicant’s consumer report. The referenced in the final rules. Other In addition, the Agencies moved the Agencies agree that this rulemaking is commenters suggested that the Agencies proposed examples, that referenced not the appropriate vehicle for clarify that the inclusion of this responses mandated by statute, to addressing issues under ECOA. statutory provision in the proposed section VII of the guidelines titled However, the Agencies will continue to rules as an example of how to address ‘‘Other Applicable Legal Requirements’’ evaluate compliance with ECOA the risk of identity theft did not make to highlight that certain responses are through their routine examination or this provision discretionary. legally required. enforcement processes, including issues The final rules merge the concepts The section of the proposal listing related to fraud and active duty alerts. 
previously in proposed § l.90(d)(2)(iii) examples of measures to address the and § l.90(d)(2)(iv) into the third risk of identity theft included a footnote Section l.90(d)(2)(iv) Element IV of element of the Program: reasonable that discussed the relationship between the Program: Updating the Program policies and procedures to respond a consumer’s placement of a fraud or To ensure that the Program of a appropriately to any Red Flags that are active duty alert on his or her consumer financial institution or creditor remains detected pursuant to paragraph (d)(2)(ii) report and ECOA, 15 U.S.C. 1691, et seq. effective over time, the final rules of this section to prevent and mitigate A few commenters objected to this provide a fourth element of the Program: identity theft. footnote. Some commenters believed policies and procedures to ensure the In order to ‘‘respond appropriately,’’ it that creditors had a right to deny credit Program (including the Red Flags is implicit that a financial institution or automatically whenever a fraud or determined to be relevant) is updated creditor must assess whether the Red active duty alert appears on the periodically to reflect changes in risks to Flags detected evidence a risk of consumer report of an applicant. Other customers and to the safety and identity theft, and must have a commenters believed that the footnote soundness of the financial institution or reasonable basis for concluding that a raised complex issues under the ECOA creditor from identity theft. As Red Flag does not evidence a risk of and FCRA that required more thorough described earlier, this element replaces identity theft. Therefore, the Agencies consideration, and questioned the need the requirements formerly in proposed concluded that it is not necessary to and appropriateness of addressing § l.90(c)(2) which stated that the specify any such separate assessment, ECOA in the context of this rulemaking. 
Program must be designed to address and, accordingly, deleted the language Under ECOA, it is unlawful for a changing identity theft risks as they from the proposal regarding assessing creditor to discriminate against any arise, and proposed § l.90(d)(1)(i) jlentini on PROD1PC65 with RULES4 Red Flags and addressing the risk of applicant for credit because the which stated that the Red Flags identity theft. applicant has in good faith exercised included in a covered entity’s Program Most of the examples of measures for any right under the Consumer Credit must reflect changing identity theft risks preventing and mitigating identity theft Protection Act (CCPA), 15 U.S.C. to customers and to the financial previously listed in proposed 1691(a). A consumer who requests the institution or creditor as they arise. VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • 63730 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations Unlike the proposed provisions, implementation, and maintenance of the insure uniformity of policy throughout however, this element only requires Program, including assigning specific large organizations. ‘‘periodic’’ updating. The Agencies responsibility for its implementation. Some commenters stated that the concluded that requiring financial The proposal also provided that persons preparation of reports for board review institutions and creditors to charged with overseeing the Program would be costly and burdensome. The immediately and continuously update must review reports prepared at least SBA suggested that the FTC consider a their Programs would be overly annually by staff regarding compliance one-page certification option for small burdensome. by the financial institution or creditor low-risk entities to minimize the burden Section V of the guidelines elaborates with the regulations. of reports. One commenter opined that on the obligation to ensure that the Proposed § l.90(d)(5)(iii) stated that it would be sufficient if the Agencies Program is periodically updated. It reports must discuss material matters mandated that covered entities reiterates the factors previously in related to the Program and evaluate continuously review and evaluate the proposed § l.90(c)(2) that should cause issues such as: The effectiveness of the policies and procedures they adopted a financial institution or creditor to policies and procedures of the financial pursuant to the regulations and modify update its Program, such as its own institution or creditor in addressing the them as necessary. 
experiences with identity theft, changes in methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in accounts that it offers or maintains, and changes in its business arrangements.

Section __.90(e) Administration of the Program

The final rules group the remaining provisions of the proposed rules under the heading “Administration of the Program,” albeit in a different order than proposed. This section of the final rules describes the steps that financial institutions and creditors must take to administer the Program, including: obtaining approval of the initial written Program; ensuring oversight of the development, implementation and administration of the Program; training staff; and overseeing service provider arrangements.

A number of commenters criticized each of the proposed provisions regarding administration of the Program, arguing they were not specifically required by section 114. The Agencies believe the mandate in section 114 is broad, and provides the Agencies with an ample basis to issue rules and guidelines containing these provisions because they are critical to ensuring the effectiveness of a Program. Therefore, the Agencies have retained these elements in the final rules and guidelines with some modifications, as follows.

Sections __.90(e)(1) and (2) Involvement of the Board of Directors and Senior Management

Proposed § __.90(d)(5) highlighted the responsibility of the board of directors and senior management to develop, implement, and oversee the Program. Proposed § __.90(d)(5)(i) specifically required the board of directors or an appropriate committee of the board to approve the written Program. Proposed § __.90(d)(5)(ii) required that the board, an appropriate committee of the board, or senior management be charged with overseeing the development,

risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for changes in the Program.

Some commenters agreed that identity theft is an important issue, and the board, therefore, should be involved in the overall development, approval, and oversight of the Program. These commenters suggested that the final rules make clear that the board need not be responsible for the day-to-day operations of the Program.

Most industry commenters opposed the proposed requirement that the board or board committee approve the Program and receive annual reports about compliance with the Program. These commenters asserted that the statute does not mandate such requirements, and that compliance with these rules did not warrant more board attention than other regulations. They asserted that such requirements would impede the ability of a financial institution or creditor to keep up with the fast-paced changes and developments inherent with instances of fraud and identity theft. They stated that boards of directors should not be required to consider the minutiae of the fraud prevention efforts of a financial institution or creditor and suggested the task be delegated to senior management with expertise in this area. Some commenters suggested the final rules provide a covered entity with the discretion to assign oversight responsibilities in a manner consistent with the institution’s own risk evaluation.

One commenter suggested that the final rules permit the board of directors of a holding company to approve and oversee the Program for the entire organization. The commenter explained that this approach would eliminate the need for redundant actions by a multiplicity of boards, and help to

Consumer groups suggested that the final rules specifically require financial institutions and creditors to adjust their Programs to address deficiencies raised by their annual reports.

Commenters generally took the position that reports to the board, a board committee, or senior management regarding compliance with the final rules should be prepared at most on a yearly basis, or when significant changes have occurred that alter the institution’s risk. One commenter recommended a clarification that any reporting to the board of material information relating to the Program could be combined with reporting obligations required under the Information Security Standards.

Section __.90(e)(1) of the final rules continues to require approval of the written Program by the board of directors or an appropriate committee of the board. However, to ensure that this requirement does not hamper the ability of a financial institution or creditor to update its Program in a timely manner, the final rules provide that the board or an appropriate committee must approve only the initial written Program. Thereafter, at the discretion of the covered entity, the board, a committee, or senior management may update the Program.

Bank holding companies and their bank and non-bank subsidiaries will be governed by the principles articulated in connection with the banking agencies’ Information Security Standards:

    The Agencies agree that subsidiaries within a holding company can use the security program developed at the holding company level. However, if subsidiary institutions choose to use a security program developed at the holding company level, the board of directors or an appropriate committee at each subsidiary institution must conduct an independent review to ensure that the program is suitable and complies with the requirements prescribed by the subsidiary’s primary regulator * * * .

66 FR 8620 (Feb. 1, 2001) (Preamble to final Information Security Standards.)
The Agencies recognize that boards of directors have many responsibilities and it generally is not feasible for a board to involve itself in the detailed oversight, development, implementation, and administration of the Program. Accordingly, § __.90(e)(2) of the final rules provides discretion to a financial institution or creditor to determine who will be responsible for these aspects of the Program. It states that a financial institution or creditor must involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the Program.

Section VI of the guidelines elaborates on this provision of the final rules. The guidelines note that such oversight should include assigning specific responsibility for the Program’s implementation and reviewing reports prepared by staff on compliance by the financial institution or creditor with this section. As suggested by commenters, the guidelines also state that oversight should include approving material changes to the Program as necessary to address changing identity theft risks. Section VI also provides that reports should be prepared at least annually and describes the contents of a report as proposed in § __.90(d)(5)(iii)(B).

These steps are modeled on sections of the Information Security Standards.[34] As noted previously, financial institutions and creditors subject to these Standards may combine elements required under the final rules and guidelines, including reports, with those required by the Standards, as they see fit.

Section __.90(e)(3) Staff Training

Proposed § __.90(d)(3) required each financial institution or creditor to train staff to implement its Program. Consumer groups believed that this provision should be more detailed and specifically require monitoring, oversight, and auditing of a covered entity’s training efforts. By contrast, a number of industry commenters recommended that the Agencies withdraw this provision because they believed it was burdensome. Some of these commenters asserted that the Agencies had not taken into account the limited personnel and resources available to smaller institutions to provide training.

Some financial institution commenters stated that it was not clear why staff training would be specifically required under the final rules, absent a specific statutory requirement. They maintained that financial institutions have sufficient incentives to ensure that appropriate staff is trained. Other commenters suggested that the Agencies clarify that this provision would only require training for relevant staff and would permit training on identity theft that is integrated into overall staff training on similar or overlapping matters such as fraud prevention.

One commenter objected to an example in the preamble to the proposed rules which stated that staff should be trained to detect “anomalous wire transfers in connection with a customer’s deposit account.” The commenter stated that this example potentially exposed financial institutions to significant and unintended liability, predicting that customers and law enforcement would use the rules to support claims that financial institutions are responsible for authorizing transactions by fraudsters. The commenter asserted that financial institutions do not have systems that can detect these transactions because they fall outside the usual fraud filter parameters.

Section __.90(e)(3) of the final rules provides that a covered entity must train staff, as necessary, to effectively implement the Program. There is no corresponding section of the guidelines. The Agencies continue to believe proper training will enable staff to address the risk of identity theft. However, this provision requires training of only relevant staff. In addition, staff that has already been trained, for example, as a part of the anti-fraud prevention efforts of the financial institution or creditor, do not need to be re-trained except “as necessary.”

The Agencies recognize that some of the examples, such as detecting “anomalous wire transfers in connection with a customer’s deposit account” may fall outside the usual fraud filter parameters. However, the Agencies expect that compliance with the final rules will improve the ability of financial institutions and creditors to detect, prevent, and mitigate identity theft.

Section __.90(e)(4) Oversight of Service Provider Arrangements

Proposed § __.90(d)(4) stated that, whenever a financial institution or creditor engaged a service provider to perform an activity on its behalf and the requirements of the Program applied to that activity, the financial institution or creditor would be required to take steps designed to ensure the activity is conducted in compliance with a Program that satisfies the regulations. The preamble to the proposed rules explained that this provision would allow a service provider serving multiple financial institutions and creditors to conduct activities on behalf of these entities in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The service provider would not need to apply the particular Program of each individual financial institution or creditor to whom it is providing services.

Several commenters asserted it would be costly and burdensome for financial institutions and creditors to ensure third party compliance with the final rules and therefore, this provision should be eliminated. They urged that financial institutions and creditors be given maximum flexibility to manage service provider relationships.

Some financial institution commenters also suggested that the Agencies withdraw this provision. They stated that the FACT Act does not address this issue and asserted that there already is no doubt that if a financial institution delegates any of its operations to a third party, the institution will remain responsible for related regulatory compliance. Other commenters stated that it should remain a contractual matter between the parties whether the service provider may implement a program that is different from its financial institution client.

Consumer groups asked the Agencies to ensure that the decision of a financial institution or creditor to outsource would not lead to lower Red Flag standards. These commenters suggested the final rules state that the Program must also meet the requirements that would apply if the activity were performed without the use of a service provider. They also suggested the final rules clarify that, in addition to any responsibility on the service provider imposed by law, regulation, or contract, the financial institution or creditor would be responsible for a failure to comply with the Program.

Most commenters, however, agreed with the proposal and stated that a service provider must have the flexibility to meet the objectives of the rules without having to tailor its services to the Program requirements of each company for which it provides

[34] A board approval requirement is also found in the BSA rules of the Federal banking agencies and the NCUA. See 12 CFR 21.21 (OCC); 12 CFR 208.63 (Board); 12 CFR 326.8 (FDIC); 12 CFR 563.177 (OTS); and 12 CFR 748.2 (NCUA). Thus, contrary to the assertion of some commenters, this rule is being treated in a manner similar to other rules.
service. These commenters noted that this proposed approach was the same as that used in the Information Security Standards.

The Agencies believe it is important to retain a provision in the final rules addressing service providers to remind financial institutions and creditors that they continue to remain responsible for compliance with the final rules, even if they outsource operations to a third party. However, the Agencies have simplified the service provider provision in the final rules and moved the remaining parts of proposed § __.90(d)(4) to the guidelines.

Section __.90(e)(4) of the final rules provides that a covered entity must exercise appropriate and effective oversight of service provider arrangements, without further elaboration. This provision provides maximum flexibility to financial institutions and creditors in managing their service provider arrangements, while making clear that a covered entity cannot escape its obligations to comply with the final rules and to include in its Program those guidelines that are appropriate by simply outsourcing an activity. Section VI(c) of the guidelines provides that, whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions and creditors may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The guidelines also provide an example of how a covered entity may comply with this provision. The guidelines state that a financial institution or creditor could require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities and either report the Red Flags to the financial institution or creditor or take appropriate steps to prevent or mitigate identity theft.

Section __.90(f) Consideration of Guidelines in Appendix J

The Agencies have added a provision to the final rules that explains the relationship of the rules to the guidelines. Section __.90(f) states that each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J and include in its Program those guidelines that are appropriate. Each of the guidelines corresponds to a provision of the final rules. As mentioned earlier, the guidelines were issued to assist financial institutions and creditors in the development and implementation of a Program that satisfies the requirements of the final rules. The guidelines provide policies and procedures that financial institutions and creditors should use, where appropriate, to satisfy the regulatory requirements of the final rules. While an institution or a creditor may determine that a particular guideline is not appropriate for its circumstances, it nonetheless must ensure its Program contains reasonable policies and procedures to fulfill the requirements of the final rules. This approach provides financial institutions and creditors with the flexibility to determine “how best to develop and implement the required policies and procedures.”[35]

Supplement A to Appendix J: Examples of Red Flags

Section 114 of the FACT Act states that, in developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft. The Agencies proposed implementing this provision by requiring the Program of a financial institution or creditor to include policies and procedures for the identification and detection of Red Flags in connection with an account opening or an existing account, including from among those listed in Appendix J.

The Agencies compiled the Red Flags enumerated in Appendix J from a variety of sources, such as literature on the topic, information from credit bureaus, financial institutions, creditors, designers of fraud detection software, and the Agencies’ own experiences. The preamble to the proposed rules stated that some of the Red Flags, by themselves, may be reliable indicators of identity theft, while others are more reliable when detected in combination with other Red Flags.

The preamble to the proposed rules explained that the Agencies recognized that a wide range of financial institutions and creditors, and a broad variety of accounts would be covered by the regulations. Therefore, the Agencies proposed to afford each financial institution and creditor flexibility to determine which Red Flags were relevant for their purposes to detect identity theft, including from among those listed in Appendix J.

As mentioned previously, consumer groups criticized the discretion in the proposal that permitted financial institutions and creditors to choose Red Flags relevant to detecting the risk of identity theft based upon the list of enumerated factors. These groups urged the Agencies to make certain Red Flags in Appendix J mandatory. In addition, consumer groups suggested a number of additional Red Flags for inclusion in Appendix J.

Some commenters agreed that the list of examples of Red Flags was appropriate because, in their view, it was designed to be flexible. Some industry commenters, including a number of small financial institutions, stated that the Red Flags set forth in Appendix J would assist them in developing and improving their identity theft prevention programs. Other commenters suggested deleting the list of Red Flags or modifying the list in a manner appropriate to the nature of their own operations.

The Agencies have retained the list of examples of Red Flags because section 114 states that the Agencies “shall identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft.” The Agencies also retained the list because some commenters indicated that having examples of Red Flags would be helpful to them. However, the examples of Red Flags are now set forth in a separate supplement to the guidelines. The list of examples is similar to that which the Agencies proposed, however, the Red Flags that the Agencies identified as precursors to identity theft have been deleted and are now addressed in section IV of the guidelines. Moreover, in response to a Congressional commenter, the Agencies added, as an example of a Red Flag, an application that gives the appearance of having been destroyed and reassembled.

The introductory language to the supplement clarifies that the enumerated Red Flags are examples. Thus, a financial institution or creditor may tailor the Red Flags it chooses for its Program to its own operations. A financial institution or creditor will not need to justify to an Agency its failure to include in the Program a specific Red Flag from the list of examples. However, a covered entity will have to account for the overall effectiveness of a Program that is appropriate to its size and

[35] See H.R. Rep. No. 108–263 at 43 (Sept. 4, 2003) (accompanying H.R. 2622); S. Rep. No. 108–166 at 13 (Oct. 17, 2003) (accompanying S. 1753).
complexity and the nature and scope of its activities.

Inactive Accounts

Section 114 also directs the Agencies to consider whether to include reasonable guidelines for notifying the consumer when a transaction occurs in connection with a consumer’s credit or deposit account that has been inactive for two years, in order to reduce the likelihood of identity theft. The preamble to the proposed rules noted that the Agencies believed that the two-year limit was not always an accurate indicator of identity theft given the wide variety of credit and deposit accounts that would be covered by the provision. Therefore, in place of guidelines on inactive accounts, the Agencies proposed incorporating a Red Flag on inactive accounts into Appendix J that was flexible and was designed to take into consideration the type of account, the expected pattern of usage of the account, and any other relevant factors.

Some consumer groups suggested that a new section be added to the guidelines requiring notice to the consumer when a transaction occurs in connection with a consumer’s credit or deposit account that has been inactive for two years unless this pattern would be expected for a particular type of account. Other commenters agreed with the Agencies’ proposal to simply make activity on an inactive account a Red Flag. They also agreed that the Agencies should not use two years of inactivity as a hard and fast rule, and allow financial institutions and creditors to use their own standards to determine when an account is inactive.

In the final rules, the Agencies continue to list activity on an inactive account as a Red Flag. Given the variety of covered accounts to which the final rules and guidelines will apply, the Agencies concluded that the two-year period suggested in section 114 would not necessarily be a useful indicator of identity theft. Therefore, the Agencies have not included a provision in the guidelines regarding notification when a transaction occurs in connection with a consumer’s credit or deposit account that has been inactive for two years.

B. Special Rules for Card Issuers

1. Background

Section 114 also requires the Agencies to prescribe joint regulations generally requiring credit and debit card issuers to assess the validity of change of address notifications. In particular, these regulations must ensure that if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address through one of three methods. The card issuer may not issue the card unless it: (1) notifies the cardholder of the request at the cardholder’s former address and provides the cardholder with a means to promptly report an incorrect address; (2) notifies the cardholder of the address change request by another means of communication previously agreed to by the issuer and the cardholder; or (3) uses other means of evaluating the validity of the address change in accordance with the reasonable policies and procedures established by the card issuer to comply with the joint regulations described earlier regarding identity theft.

For this reason, the Agencies also proposed special rules that required credit and debit card issuers to assess the validity of change of address notifications by notifying the cardholder or through certain other means. The proposed regulations stated that a financial institution or creditor that is a card issuer may incorporate the requirements of § __.91 into its Program. As described in the section-by-section analysis that follows, commenters generally requested changes that would make the proposed rules more flexible.

2. Section-by-Section Analysis

Section __.91(a) Scope

The proposed rules stated that this section applies to a person, described in proposed § __.90(a), that issues a debit or credit card. The Agencies did not receive any comments on this section. In the final rules, for clarity, the Agencies deleted the cross-reference to § __.90(a). Each Agency also revised its scope paragraph to list the entities over which it has jurisdiction that are subject to § __.91. Under the final rules, section __.91 applies to any debit or credit card issuer (card issuer) that is subject to an Agency’s jurisdiction.

Section __.91(b) Definitions

The proposed rules included two definitions solely applicable to the special rules for card issuers: “cardholder” and “clear and conspicuous.” Section __.91(b) of the final rules also contains these definitions as follows.

Section __.91(b)(1) Cardholder

Under section 114, the Agencies must prescribe regulations requiring a card issuer to follow reasonable policies and procedures to assess the validity of a change of address, before issuing an additional or replacement card. Section 114 provides that a card issuer may satisfy this requirement by notifying “the cardholder.” The term “cardholder” is not defined in the FACT Act. The preamble to the proposed rules explained that the legislative record relating to this provision indicates that “issuers of credit cards and debit cards who receive a consumer request for an additional or replacement card for an existing account” may assess the validity of the request by notifying “the cardholder.”[36] As the preamble noted, the request, presumably, will be valid if the consumer making the request and the cardholder are one and the same “consumer.” Therefore, the proposal defined “cardholder” as a consumer who has been issued a credit or debit card. The preamble to the proposed rules also explained that, because “consumer” is defined in the FCRA as an “individual,”[37] the proposed regulations applied to any request for an additional or replacement card by an individual, including a card for a business purpose, such as a corporate card.

Some commenters asked the Agencies to clarify that this definition does not apply to holders of stored value cards, such as payroll and gift cards, or to cards used to access a home equity line of credit. Another commenter urged that the final rules exclude credit and debit cards for a business purpose.

The final rules continue to define “cardholder” as a consumer who has been issued a credit or debit card. Both “credit card” and “debit card” are defined in section 603(r) of the FCRA.[38] The definition of “credit card” is defined by cross-reference to section 103 of the Truth in Lending Act, 15 U.S.C. 1601, et seq.[39] The definition of “debit card” is any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution for the purposes of transferring money between accounts or obtaining money, property, labor, or services.[40] Section 603(r) of the FCRA provides that “account” and “electronic fund transfer” have the same meaning as those terms have in the Electronic Funds Transfer Act (EFTA), 15 U.S.C.

[36] See 149 Cong. Rec. E2513 (daily ed. December 8, 2003) (statement of Rep. Oxley) (emphasis added).
[37] 15 U.S.C. 1681a(c).
[38] 15 U.S.C. 1681a.
[39] See 15 U.S.C. 1681a(r)(2).
[40] 15 U.S.C. 1681a(r)(3).
1693, et seq. The EFTA, and Regulation E, 12 CFR part 205, govern electronic fund transfers. In contrast to section 603(r) of the FCRA, neither the EFTA nor Regulation E defines the term “debit card.” Instead, coverage under the EFTA and Regulation E depends upon whether electronic fund transfers can be made to or from an “account,” meaning a checking, savings, or other consumer asset account established primarily for personal, family or household purposes. The Board recently issued a final rule expanding the definition of “account” under Regulation E to cover payroll card accounts.[41] Therefore, a holder of a payroll card is a “cardholder” for purposes of § __.91(b)(1), provided that the card issuer is a “financial institution” as defined in section 603(t) of the FCRA.

The Board decided not to cover other types of prepaid cards as accounts under Regulation E at the time it issued the payroll card rule. Therefore, the definition of “cardholder” does not include the holder of a gift card or other prepaid card product, unless and until the Board elects to cover such cards as accounts under Regulation E.

The definition of “cardholder” would also include a recipient of a home equity loan if the holder is able to access the proceeds of the loan with a credit or debit card within the meaning of 15 U.S.C. 1681a(r).

Identity theft may occur in connection with a card that a consumer uses for a business purpose and may affect the consumer’s personal credit standing. Additionally, the definition of “consumer” under the FCRA is simply an “individual.”[42] For this reason, the Agencies continue to believe that the protections of this provision must extend to consumers who hold a card for a personal, household, family or business purpose.

Section __.91(b)(2) Clear and Conspicuous

The second proposed definition was for the phrase “clear and conspicuous.” Proposed § __.91 included a provision that required any written or electronic notice provided by a card issuer to the consumer pursuant to the regulations to be given in a “clear and conspicuous manner.” The proposed regulations defined “clear and conspicuous” based on the definition of this phrase found in the Agencies’ privacy rules.

The Agencies received no comments on the phrase “clear and conspicuous,” and have adopted the definition as proposed in § __.91(b)(2).

Sections __.91(c) and (d) Address Validation

Proposed § __.91(c) simply restated the statutory requirements described above with some minor stylistic changes. A number of commenters noted that the requirements of this section would be difficult and expensive to implement. They stated that millions of address changes are processed every year, though very few turn out to be fraudulent.

By contrast, consumer groups suggested that the final regulations should require the card issuer to notify the consumer of a request for an address change followed by the request for an additional or replacement card, unless there are special circumstances that prevent doing so in a timely manner.

Many commenters recommended that the final rules provide credit and debit card issuers with greater flexibility to verify address changes. For example, they stated it is not clear that an address change linked with a request for an additional card is a significant indicator of identity theft. Therefore, they recommended the rules (1) specifically permit card issuers to satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card; or (2) verify the address whenever a request for an additional or replacement card is made, whether or not the card issuer receives notification of an address change.

One commenter suggested that the rules should only apply to card issuers that receive direct notification of an address change rather than an address change notification from the U.S. Postal Service. The commenter asserted that there is a higher risk of fraud with a direct request for a change of address.

Consumer groups also recommended that the Agencies set a period longer than the 30-day minimum for card issuers to be on alert after an address change request. These commenters recommended that, because of billing cycles and the time it takes to issue a new card, an issuer should be required to assess the validity of an address change if it receives a request for an additional or replacement card within at least 90 days after the request for the address change.

Some commenters asked the Agencies to clarify what “other means” would be acceptable in assessing the validity of a change in address. One commenter stated that it is not cost effective to contact the customer, therefore, most card issuers would use “other means” of assessing the validity of the change of address in accordance with the policies and procedures the card issuer establishes pursuant to § __.90.

Commenters also asked the Agencies to clarify that the obligation to assess the validity of a request for an address change is not triggered unless the card issuer actually changes the cardholder’s address.

Some commenters asked the Agencies to clarify whether electronic notices would be acceptable if the cardholder had previously contracted for electronic communications. Consumer groups recommended electronic notification be permitted only when the consumer consents in accordance with the E-Sign Act.

The Agencies note that the statutory provision being implemented here is quite specific. Congress mandated that the requirements set forth in section 615(e)(1)(C) of the FCRA apply to notifications of changes of address, which would necessarily include both those received directly from consumers and those received from the Postal Service. Congress also statutorily provided various methods to card issuers for assessing the validity of a change of address.[43] Accordingly, the final rules reflect these methods.

Under § __.91(c) of the final rules, a card issuer that receives an address change notification and, within at least 30 days, a request for an additional or replacement card, may not issue an additional or replacement card until it has notified the cardholder or has otherwise assessed the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § __.90. The Agencies have concluded that card issuers should be granted additional flexibility. Therefore, § __.91(d) clarifies that a card issuer may satisfy the requirements of § __.91(c) by validating an address, according to the methods set forth in § __.91(c)(1) or (2), when it receives an address change notification, before it receives a request for an additional or replacement card. The rules do not require a card issuer that issues an additional or replacement card to validate an address whenever it receives a request for such a card, because section 114 only requires the validation of an address when the card issuer also has received a notification of a change of address.

[41] See 71 FR 51,437 (August 10, 2006).
[42] 15 U.S.C. 1681a(c).
[43] See S. Rep. No. 108–166 at 14 (October 17, 2003) (accompanying S. 1753) (stating that a card issuer may rely on authentication procedures that do not involve a separate communication with the cardholder so long as the issuer has reasonably assessed the validity of the address change.)
[[Page 63735]]

The Agencies also revised § l.91 to clarify that a card issuer must provide to the cardholder a ‘‘reasonable’’ means of promptly reporting incorrect address changes whenever the card issuer notifies the cardholder of the request for an additional or replacement card. 44

The Agencies declined to adopt the recommendation that an issuer assess the validity of an address change if it receives a request for an additional or replacement card within ‘‘at least 90 days’’ after an address change notification, as ‘‘at least 30 days’’ may be a reasonable period of time in some cases. However, a card issuer that does not validate an address when it receives an address change notification may find it prudent to validate the address before issuing an additional or replacement card, even when it receives a request for such a card more than 30 days after the notification of address change. In sum, the Agencies expect card issuers to exercise diligence commensurate with their own experiences with identity theft.

The Agencies also confirm that a card issuer is not obligated to assess the validity of a notification of an address change after receiving a request for an additional or replacement card if it previously determined not to change the cardholder’s address because the address change request was fraudulent. 45

Section l.91(e) Form of Notice

In the preamble to the proposed rules, the Agencies noted that Congress had singled out this scenario involving card issuers and placed it in section 114 because it is perceived to be a possible indicator of identity theft. To highlight the important and urgent nature of the notice that a consumer receives from a card issuer pursuant to § l.91(c), the Agencies also proposed requiring that any written or electronic notice that a card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder. The preamble to the proposed rules stated that a card issuer could also provide notice orally, in accordance with the policies and procedures the card issuer has established.

A few commenters recommended that this proposed requirement apply only if the issuer notifies the cardholder of the change of address request at the cardholder’s former address. These commenters stated that, otherwise, the provision would prohibit other types of notices, such as those in periodic statements. Another commenter stated that this provision was not necessary because card issuers would send such notices separately in any event.

The Agencies are not convinced that such a notice would be provided separately from a card issuer’s regular correspondence with the cardholder unless required. Moreover, the Agencies do not agree that this requirement should apply only if a card issuer chooses to notify the cardholder of the change of address request at the cardholder’s former address in accordance with § l.91(c)(1). Even where the card issuer and cardholder agree to some other means for notice, this alternative means does not change the important nature of the notice. Therefore, § l.91(e) of the final rules provides that any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous, and provided separately from its regular correspondence with the cardholder.

III. Section 315 of the FACT Act

A. Background

Section 315 of the FACT Act amends section 605 of the FCRA, 15 U.S.C. 1681c, by adding a new subsection (h). Section 605(h)(1) requires that, when providing a consumer report to a person that requests the report (the user), a nationwide consumer reporting agency, as defined in section 603(p) of the FCRA, (CRA) must provide a notice of the existence of a discrepancy if the address provided by the user in its request ‘‘substantially differs’’ from the address the CRA has in the consumer’s file.

Section 605(h)(2) requires the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures a user of a consumer report should employ when the user receives a notice of address discrepancy. These regulations must describe reasonable policies and procedures for a user of a consumer report to employ to (i) enable it to form a reasonable belief that the user knows the identity of the person for whom it has obtained a consumer report, and (ii) reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.

B. Section-by-Section Analysis

Section l.82(a) Scope

Proposed § l.82(a) noted that the scope of section 315 differs from the scope of section 114 and explained that section 315 applies to ‘‘users of consumer reports’’ and ‘‘persons requesting consumer reports’’ (hereinafter referred to as ‘‘users’’), as opposed to financial institutions and creditors. Therefore, section 315 does not apply to a financial institution or creditor that does not use consumer reports. The Agencies did not receive any comments on this section and have adopted it as proposed in the final rules.

Section l.82(b) Definition

Proposed § l.82(b) defined ‘‘notice of address discrepancy’’ as ‘‘a notice sent to a user of a consumer report by a CRA pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer provided by the user in requesting the consumer report and the address or addresses the CRA has in the consumer’s file.’’ 46

In the preamble to the proposed rules, the Agencies noted that section 605(h)(1) requiring CRAs to provide notices of address discrepancy became effective on December 1, 2004. To the extent CRAs each have developed their own standards for delivery of notices of address discrepancy, the proposal noted that it is important for users to be able to recognize and receive notices of address discrepancy, especially if they are being delivered electronically by CRAs. For example, CRAs may provide consumer reports with some type of a code to indicate an address discrepancy. Users must be prepared to recognize the code as an indication of an address discrepancy.

While some commenters agreed with the proposed definition, a number of commenters suggested that the Agencies clarify that only a ‘‘substantial’’ discrepancy would trigger the requirements in this provision and that obvious errors would not. Some commenters also suggested that the Agencies provide examples of what constitutes a ‘‘substantial difference.’’ One commenter stated that users should be able to determine when there is a substantial difference.

44 See S. Rep. No. 108–166 at 14 (October 17, 2003) (accompanying S. 1753) (stating that a means of reporting an incorrect change could be through the mail, by telephone, or electronically.)
45 This position is consistent with the legislative history of this section. See S. Rep. No. 108–166 at 14 (Oct. 17, 2003) (accompanying S. 1753) (stating that it would not be necessary for the card issuer to take these steps ‘‘if, despite receiving a request for an address change, the issuer did not actually change the cardholder’s address for any reason (e.g., the card issuer had previously determined that the request for an address change was invalid)’’).
46 All other terms used in this section have the same meanings as set forth in the FCRA (15 U.S.C. 1681a).
[[Page 63736]]

As noted earlier, section 605(h)(1) requires a CRA to send a notice of address discrepancy when it determines that the address provided to the CRA by a user ‘‘substantially differs’’ from the address the CRA has in the consumer’s file. The phrase ‘‘substantially differs’’ is not defined in the statute. Instead, the statute allows each CRA to construe this phrase as it chooses and, accordingly, to set the standard it will use to determine when it will send a notice of address discrepancy.

As required by section 605(h)(2), this rulemaking focuses on the obligations of users that receive a notice of address discrepancy from a CRA. The statute does not indicate that the Agencies are to define the phrase ‘‘substantially differs’’ for CRAs or to permit users to define that phrase themselves. Therefore, the final rules adopt the proposed definition of ‘‘notice of address discrepancy’’ without change.

Section l.82(c) Requirement to form a reasonable belief

Proposed § l.82(c) implemented the requirement in section 605(h)(2)(B)(i) that the Agencies prescribe regulations describing reasonable policies and procedures to enable the user to form a reasonable belief that the user knows ‘‘the identity of the person to whom the consumer report pertains’’ when the user receives a notice of address discrepancy. Proposed § l.82(c) stated that a user must develop and implement reasonable policies and procedures for ‘‘verifying the identity of the consumer for whom it has obtained a consumer report’’ whenever it receives a notice of address discrepancy. The proposal stated further that these policies and procedures must be designed to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report, or determine that it cannot do so.

A number of commenters stated that the statutory requirement that a user form a reasonable belief that it knows the identity of the consumer for whom it obtained a consumer report should only apply in situations where the user establishes a continuing relationship with the consumer.

A consumer group suggested that the language in the proposed regulation permitting a user to determine that it cannot form a reasonable belief of the identity of the consumer should be deleted because the statute specifically requires a reasonable belief to be formed. This commenter stated that the purpose of the statute was to reduce the number of new accounts opened using false addresses, and that permitting a user to satisfy its obligations under the regulations by simply determining it cannot form a reasonable belief would allow the user to open an account, effectively rendering the statute meaningless.

The purpose of section 315 is to enhance the accuracy of consumer information, specifically to ensure that the user has obtained the correct consumer report for the consumer about whom it has requested such a report. To implement this concept more clearly, § l.82(c) of the final rules provides that a user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report when the user receives a notice of address discrepancy.47

The Agencies do not agree with commenters who suggested that the proposed provision should apply only in connection with the establishment of a continuing relationship with a consumer, in other words, when a user is opening a new account. The statutory requirement in section 605(h)(2)(B)(i) that a user form a reasonable belief that it knows the identity of the consumer for whom it obtained a consumer report applies whether or not the user subsequently establishes a continuing relationship with the consumer. This is in contrast to the additional statutory requirement in section 605(h)(2)(B)(ii) that a user reconcile the address of the consumer with the CRA, only when the user establishes a continuing relationship with the consumer.

In addition, a user may receive a notice of address discrepancy with a consumer report, both in connection with the opening of an account and in other circumstances when the user already has a relationship with the consumer, such as when the consumer applies for an increased credit line. The Agencies believe it is important for a user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report in both of these cases. Accordingly, the final rules do not limit this provision solely to the establishment of new accounts.

Proposed § l.82(c) also provided that if a user employs the policies and procedures regarding identification and verification set forth in the CIP rules,48 it would satisfy the requirement to have policies and procedures to verify the identity of the consumer. This provision took into consideration the fact that many users already may be subject to the CIP rules, and have in place procedures to comply with those rules, at least with respect to the opening of accounts. Thus, a user could rely upon its existing CIP policies and procedures to satisfy this requirement, so long as it applied them in all situations where it receives a notice of address discrepancy. The proposal also stated that any user, such as a landlord or employer, may adopt the CIP rules and apply them in all situations where it receives a notice of address discrepancy to meet this requirement, even if it is not subject to a CIP rule.

The Agencies requested comment on whether the CIP procedures would be sufficient to enable a user that receives a notice of address discrepancy with a consumer report to form a reasonable belief that it knows the identity of the consumer for whom it obtained the report, both in connection with the opening of an account, as well as in other circumstances where a user obtains a consumer report, such as when a user requests a consumer report to determine whether to increase the consumer’s credit line, or in the case of a landlord or employer, to determine a consumer’s eligibility to rent housing or for employment.

Many commenters supported the use of CIP to satisfy this requirement. Some commenters, however, asked the Agencies to clarify that once a consumer’s identity was verified using CIP, it would not be necessary to re-verify that consumer’s identity under this provision.

Some commenters found the proposal’s preamble language confusing. These commenters did not understand why a user would need to use its CIP policies in every situation where a notice of address discrepancy was received in order to comply with this requirement; they felt that it might be possible to form a reasonable belief without using CIP in some circumstances.

Other commenters noted that the CIP rules, which were issued for different purposes, are not the appropriate standard for investigating a consumer’s identity after a notice of address discrepancy because those rules permit verification of an address to occur after an account is opened and do not require contacting the consumer. One commenter stated that it was not clear whether a user relying on the CIP rules to satisfy the obligations under the regulation must comply with some or all of the requirements in the CIP rules,

47 The Agencies acknowledge that an address discrepancy also may be an indicator of identity theft. To address this problem, the Agencies included address discrepancies as an example of a Red Flag in connection with the Identity Theft Red Flag regulations.
48 See, e.g., 31 CFR 103.121(b)(2)(i) and (ii).
[[Page 63737]]

including those that require policies and procedures to address circumstances when a user cannot form a reasonable belief it knows the identity of the consumer.

The Agencies believe that comparing information provided by a CRA to information the user obtains and uses (or has obtained and used) to verify a consumer’s identity pursuant to the requirements set forth in the CIP rules is an appropriate way to satisfy this obligation, particularly in connection with the opening of a new account. However, when a user receives a notice of address discrepancy in connection with an existing account, after already having identified and verified the consumer in accordance with the CIP rules, the Agencies would not expect a user to employ the CIP procedures again. To address this issue and provide users with flexibility, § l.82(c) of the final rule provides examples of reasonable policies and procedures that a user may employ to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. These examples include comparing information provided by the CRA with information the user: (1) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the CIP rules; (2) maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or (3) obtains from third-party sources. Another example is to verify the information in the consumer report provided by the CRA with the consumer.

If a user cannot establish a reasonable belief that the consumer report relates to the consumer about whom it has requested the report, the Agencies expect the user will not use that report. While section 605(h)(2)(B)(i) is silent on this point, other laws may be applicable in such a situation. For example, in the case of account openings, a user that is subject to the CIP rules generally will need to document how it has resolved the discrepancy between the address provided by the consumer and the address in the consumer report.49 If the user cannot establish a reasonable belief that it knows the true identity of the consumer, it will need to implement the policies and procedures for addressing these circumstances as required by the CIP rules, which may involve not opening an account or closing an account.50 If a user is a ‘‘financial institution’’ or ‘‘creditor’’ as defined by the FCRA, a notice of address discrepancy may be a Red Flag and require an appropriate response to prevent and mitigate identity theft under the user’s Identity Theft Prevention Program.

Section l.82(d)(1) Requirement To Furnish Consumer’s Address to a Consumer Reporting Agency

Proposed § l.82(d)(1) provided that a user must develop and implement reasonable policies and procedures for furnishing to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the following three conditions are satisfied. The first condition, in proposed § l.82(d)(1)(i), was that the user must be able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained. This condition would have ensured the user would furnish a new address for the consumer to the CRA only after the user had formed a reasonable belief that it knew the identity of the consumer, using the policies and procedures set forth in paragraph § l.82(c).

The second condition, in proposed § l.82(d)(1)(ii), was that the user furnish the address to the CRA if it establishes or maintains a continuing relationship with the consumer. Section 315 specifically requires that the user furnish the consumer’s address to the CRA if the user establishes a continuing relationship with the consumer. Therefore, proposed § l.82(d)(1)(ii) reiterated this requirement. However, because a user also may obtain a notice of address discrepancy in connection with a consumer with whom it already has an existing relationship, the proposal also provided that the user must furnish the consumer’s address to the CRA from whom the user has received a notice of address discrepancy when the user maintains a continuing relationship with the consumer.

Finally, the third condition, in proposed § l.82(d)(1)(iii), provided that if the user regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained, the consumer’s address must be communicated to the CRA as part of the information the user regularly provides.

A majority of commenters recommended that the requirement to furnish a confirmed address should not apply to existing accounts. These commenters maintained that such a requirement would exceed the scope of the statute. They also noted that users often do not obtain full consumer reports for existing customers—just credit scores. These commenters noted that limited reports often do not contain an address for a customer. Some commenters also felt existing relationships should be excluded because users already would have verified a consumer’s address at the time of account opening.

The Agencies have modified this section as follows. The final rules continue to provide that a user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the CRA when three conditions are present. The first condition, in § l.82(d)(1)(i), has been revised to be consistent with the earlier changes in section § l.82(c) that focus more narrowly on accuracy and require that a user form a reasonable belief that a consumer report relates to the consumer about whom it requested the report. The second condition, in § l.82(d)(1)(ii), now applies only to new accounts and states that a confirmed address must be furnished if the user ‘‘establishes’’ a continuing relationship with the consumer. The reference to ‘‘or maintains’’ a continuing relationship has been deleted. The Agencies agree with commenters that section 605(h)(2)(B)(ii) does not require the reporting of a confirmed address to a CRA in connection with existing relationships. The Agencies have concluded that users are more likely than a CRA to have an accurate address for an existing customer and, therefore, should not be required by these rules to take additional steps to confirm the accuracy of the customer’s address. Users already have an ongoing duty to correct and update information for their existing customers under section 623 of the FCRA, 15 U.S.C. 1681s–2. Accordingly, under the final rules, the obligation to furnish a confirmed address for the consumer to the CRA is applicable only to new relationships. The third condition, in § l.82(d)(1)(iii), has been adopted in the final rule without substantive change.

Section l.82(d)(2) Requirement To Confirm Consumer’s Address

In the preamble to the proposal, the Agencies noted that section 315 requires them to prescribe regulations describing reasonable policies and procedures for a user ‘‘to reconcile the address of the consumer’’ about whom it has obtained a notice of address discrepancy with the CRA ‘‘by furnishing such address’’ to the CRA. (Emphasis added.) The

49 See, e.g., 31 CFR 103.121(b)(3)(i)(D).
50 See, e.g., 31 CFR 103.121(b)(2)(iii).
[[Page 63738]]

Agencies noted that, even when the user is able to form a reasonable belief that it knows the identity of the consumer, there may be many reasons the initial address furnished by the consumer is incorrect. For example, a consumer may have provided the address of a secondary residence or inadvertently reversed a street number. To ensure that the address furnished to the CRA is accurate, the Agencies proposed to interpret the phrase, ‘‘such address,’’ as an address the user has reasonably confirmed is accurate. This interpretation would have required a user to take steps to ‘‘reconcile’’ the address it initially received from the consumer when it receives a notice of address discrepancy, rather than simply furnishing the initial address it received from the consumer to the CRA.

Proposed § l.82(d)(2) contained the following list of illustrative measures that a user may employ to reasonably confirm the accuracy of the consumer’s address:
• Verifying the address with the person to whom the consumer report pertains;
• Reviewing its own records of the address provided to request the consumer report;
• Verifying the address through third-party sources; or
• Using other reasonable means.

The Agencies solicited comment on whether these examples were necessary, or whether different or additional examples should be listed.

A number of commenters stated that requiring a user to confirm the address furnished exceeded the scope of the statute. They asserted that the benefit of improvements in the accuracy of addresses and the prevention of identity theft would not outweigh the additional burden of this requirement. A few commenters noted that complying with the CIP rules should be sufficient to verify the address. Commenters also felt that users should have the flexibility to establish their own validation processes based on risk.

As stated earlier, the Agencies believe the purpose of the statute is to enhance the accuracy of information relating to consumers by requiring the user to furnish an address that the user has reasonably confirmed is accurate.51 Simply providing the CRA with the initial address supplied to the user by the consumer, and which caused the CRA to send a notice of address discrepancy, would not serve this purpose. The Agencies believe the options for confirmation listed in the regulation provide sufficient flexibility for users to confirm consumers’ addresses. For this reason, they have been adopted in the final rule as proposed, with minor technical changes. Section l.82(d)(2)(i) has been revised to conform the language with § l.82(c). Section l.82(d)(2)(ii) has been revised to emphasize the verification of the consumer’s address rather than the review of the user’s records to determine whether the address given by the consumer is the same.

Section l.82(d)(3) Timing

Section 315 specifies when a user must furnish the consumer’s address to the CRA. It states that this information must be furnished for the reporting period in which the user’s relationship with the consumer is established. Accordingly, proposed § l.82(d)(3)(i) stated that, with respect to new relationships, the policies and procedures a user develops in accordance with § l.82(d)(1) must provide that a user will furnish the consumer’s address that it has reasonably confirmed to the CRA as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

The proposed rule also addressed other situations when a user may receive a notice of address discrepancy. Proposed § l.82(d)(3)(ii) stated that in other circumstances, such as when the user already has an existing relationship with the consumer, the user should furnish this information for the reporting period in which the user has reasonably confirmed the accuracy of the address of the consumer for whom it has obtained a consumer report.

The Agencies also noted that, in order to satisfy the requirements of both § l.82(d)(1) and § l.82(d)(3)(i), a user employing the CIP rules would have to establish a continuing relationship and verify the identity of the consumer during the same reporting period.

The Agencies recognized the timing provision for newly established relationships could be problematic for users hoping to take full advantage of the flexibility in timing for verification of identity afforded by the CIP rules. As required by statute, proposed § l.82(d)(3)(i) stated that the reconciled address must be furnished for the reporting period in which the user establishes a relationship with the consumer. Proposed § l.82(d)(1), which also mirrored the requirement of the statute, required the reconciled address to be furnished to the CRA only when the user both establishes a continuing relationship with the consumer and forms a reasonable belief that it knows the identity of the consumer to whom the consumer report relates. Typically, the CIP rules permit an account to be opened (i.e., relationship to be established) if certain identifying information is provided. Verification to establish the true identity of the customer is required within a reasonable period of time after the account has been opened. As explained in the preamble to the proposed rules, to satisfy the requirements of both § l.82(d)(1) and § l.82(d)(3)(i), a user employing the CIP rules would have to verify the identity of the consumer using the identifying information it obtained in accordance with the CIP rules within the same reporting period that the user opens the account and establishes a continuing relationship with the consumer.

The Agencies requested comment on whether the timing for responding to notices of address discrepancy received in connection with newly established relationships and in connection with circumstances other than newly established relationships is appropriate.

One commenter objected to the requirement that a user employing the CIP rules would have to both establish a continuing relationship and a reasonable belief that it knows the consumer’s identity during the same reporting period. A few commenters noted that the timing for reporting should simply be ‘‘reasonable,’’ such as the next reporting cycle.

Because the Agencies have determined that the requirement to furnish a confirmed address will apply only to newly established accounts, the Agencies have revised § l.82(d)(3) to remove the references to the timing for furnishing reports in connection with other accounts, contained in the proposal. The final rules reflect the language in section 605(h)(2)(B)(ii), and state that a user’s policies and procedures must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

A timing issue still exists for a user that chooses to compare the information in the consumer report with information that the user obtains and uses to verify the consumer’s identity in accordance with the CIP rules for the purpose of forming a reasonable belief that a consumer report relates to the consumer

51 This requirement is consistent with the legislative history which provides that this section is intended to obligate the user to utilize reasonable policies and procedures to resolve discrepancies. See H.R. Rep. No. 108–263 at 46 (Sept. 4, 2003) (accompanying H.R. 2622).
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63739

about whom it has requested the report. However, the Agencies believe that the benefits of being able to use CIP for this purpose should outweigh any additional burden of having to establish a reasonable belief that a consumer report relates to the consumer about whom it has requested the report within the same reporting period that the user opens the account and establishes a continuing relationship with the consumer.

IV. General Provisions

The OCC, the Board, the FDIC, the OTS, and the NCUA 52 proposed to amend the first sentence in § l.3, which contains the definitions that are applicable throughout this part. This sentence stated that the list of definitions in § l.3 apply throughout the part "unless the context requires otherwise." These agencies proposed to amend this introductory sentence to make clear that the definitions in § l.3 apply "for purposes of this part, unless explicitly stated otherwise." Thus, these definitions apply throughout the part unless defined differently in an individual subpart. There were no comments on this proposal, and the change to § l.3 is adopted as proposed.

The OTS proposed nonsubstantive, technical changes to its rule sections on purpose and scope (§ 571.1) and disposal of consumer information (§ 571.83). OTS explained that these changes were necessary in light of the proposed incorporation of the address discrepancy section into subpart I. There were no comments on these proposed changes and they are adopted substantially as proposed. Further, since these changes render the definition of "you" in § 571.3(o) superfluous, OTS is removing that definition.

The OCC's final rules add a purpose section at § 41.1. The final rules are simply restoring the purpose section of part 41 that was inadvertently deleted when "subpart D-Medical Information" was added to this part.

V. Effective Date

The Agencies received a number of comments regarding the effective date of the final regulations and guidelines, although the proposed rulemaking did not address this issue. While consumer groups recommended that the effective date for compliance with the regulations be the minimum time allowed by law, many financial institutions and creditors requested the time for compliance be extended from between 12 to 24 months from issuance of the final rules. These commenters felt they needed time to take an inventory of their existing systems and develop new programs necessary for compliance. Some commenters noted that they likely would use technological solutions to comply with the rules and that it is necessary to schedule such projects well in advance. Commenters also noted that compliance with the final rules may require systemic and operational changes across business lines and could affect relationships with vendors and third party service providers that would require time to change.

Neither section 114 nor section 315 of the FACT Act specifically addresses the effective date of the regulations issued pursuant to these sections. Under the Administrative Procedure Act (APA), 5 U.S.C. 553(d), agencies must generally publish a substantive rule not less than 30 days before its effective date. In addition, under section 302 of the Riegle Community Development and Regulatory Improvement Act of 1994 (CDRIA),53 rules issued by the Federal banking agencies that impose additional reporting, disclosure, or other new requirements on financial institutions generally will take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in the Federal Register. Because these final rules are substantive and impose additional requirements on financial institutions, the Agencies have provided for an effective date of [January 1, 2008], consistent with the APA and CDRIA.

At the same time, the Agencies have determined that it is appropriate to provide all covered entities with a delayed compliance date of November 1, 2008, to comply with the requirements of the final rulemaking. Some financial institutions and creditors already employ a variety of measures that satisfy the requirements of the final rulemaking because these are usual and customary business practices to minimize losses due to fraud, or as a result of already complying with other existing regulations and guidance that relate to information security, authentication, identity theft, and response programs. However, the Agencies recognize that these entities may still need time to evaluate their existing programs, and to integrate appropriate elements from them into the Program and into the other policies and procedures required by this final rulemaking. Further, the Agencies recognize that some covered entities have not previously been subject to any related regulations or guidance, and thus may need more time to implement the final rules and guidelines. Therefore, the Agencies are providing covered entities with a transition period to comply with the requirements contained in the final rulemaking.

VI. Regulatory Analysis

A. Paperwork Reduction Act

In accordance with the requirements of the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq., 5 CFR part 1320 Appendix A.1), the Agencies have reviewed the final rulemaking and determined that it contains collections of information subject to the PRA. The Board made this determination under the authority delegated to the Board by the Office of Management and Budget (OMB). The information collection requirements in the final rulemaking may be found in 12 CFR 41.82, 41.90, 41.91, 222.82, 222.90, 222.91, 334.82, 334.90, 334.91, 571.82, 571.90, 571.91, 717.82, 717.90, and 717.91; and 16 CFR 681.1, 681.2, and 681.3.

An agency may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid OMB control number. The information collection requirements contained in this joint final rule were submitted by the OCC, FDIC, OTS, NCUA, and FTC to OMB for review and approval under the Paperwork Reduction Act of 1995. OMB assigned the following control numbers to the collections of information: OMB Control Nos. 1557–0237 (OCC), 3064–0152 (FDIC), 1550–0113 (OTS), 3133–0175 (NCUA), and 3084–0137 (FTC). The Board's OMB Control No. is 7100–0308.54

Description of the Collection

Section 114: The proposed rules implementing section 114 required each financial institution and creditor to (1) create an Identity Theft Prevention Program (Program); (2) report to the board of directors, a committee thereof or senior management, at least annually, on compliance with the proposed regulations; and (3) train staff to implement the Program.

In addition, the proposed rules required each credit and debit card issuer (card issuer) to establish policies and procedures to (1) assess the validity

52 The equivalent language for the FTC already exists in 16 CFR 603.1.
53 Pub. L. 103–325; 12 U.S.C. § 4802(b).
54 The information collections (ICs) in this rule will be incorporated with the Board's Disclosure Requirements Associated with Regulation V (OMB No. 7100–0308). The burden estimates provided in this rule pertain only to the ICs associated with this final rulemaking. The current OMB inventory for Regulation V is available at: http://www.reginfo.gov/public/do/PRAMain.
of a change of address notification before honoring a request for an additional or replacement card received during at least the first 30 days after it receives the notification; and (2) notify the cardholder in writing, electronically, or orally, or use another means of assessing the validity of the change of address.

Section 315: The proposed rules implementing section 315 required each user of consumer reports to (1) develop reasonable policies and procedures it would employ when it receives a notice of address discrepancy from a CRA; and (2) furnish an address the user reasonably confirmed is accurate to the CRA from which it receives a notice of address discrepancy.

The information collections in the final rulemaking are the same as those in the proposal.

Comments Received

The Agencies sought comment on the burden estimates for the information collections described in the proposal. The Agencies received approximately 129 comments on the proposed rulemaking. Most commenters maintained that the proposal would impose additional regulatory burden and asserted that the estimates of the cost of compliance should be considerably higher than the Agencies projected. A few of these commenters specifically addressed PRA burden; however, they did not provide specific estimates of additional burden hours that would result from the proposal. Some of these commenters stated that staff training estimates were significantly underestimated. Other commenters stated that the costs of compliance failed to consider the cost to third-party service providers that the commenters characterized as being required to implement the Program.

Explanation of Burden Estimates Under the Final Rulemaking

The Agencies believe that many of the comments received regarding burden stemmed from commenters' misreading of the requirements of the proposed rulemaking. The final rulemaking clarifies these requirements, including those that relate to the information collections. It also differs from the proposal as described below.

The Agencies continue to believe that most covered entities already employ a variety of measures to detect and address identity theft that are required by section 114 of the final rulemaking because these are usual and customary business practices that they employ to minimize losses due to fraud. In addition, the Agencies believe that many financial institutions and creditors already have implemented some of the requirements of the final rules implementing section 114 as a result of having to comply with other existing regulations and guidance, such as the CIP regulations implementing section 326 of the USA PATRIOT Act (31 U.S.C. 5318(l)) that require verification of the identity of persons opening new accounts,55 the Information Security Standards that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w,56 and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.57 The final rulemaking underscores the ability of a financial institution or creditor to incorporate into its Program its existing processes that control reasonably foreseeable risks to customers or to its own safety and soundness from identity theft, such as those already developed in connection with the covered entity's fraud prevention program. Thus, the burden estimate attributable to the creation of a Program is unchanged.

The final rulemaking also clarifies that only relevant staff need be trained to implement the Program, as necessary—meaning that staff already trained, for example, as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as necessary. Despite this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours.

The Agencies' estimates attribute all burden to covered entities, which are entities directly subject to the requirements of the final rulemaking. A covered entity that outsources activities to a third-party service provider is, in effect, reallocating to that service provider the burden that it would otherwise have carried itself. Under these circumstances, burden is, by contract, shifted from the covered entity to the service provider, but the total amount of burden is not increased. Thus, third-party service provider burden is already included in the burden estimates provided for covered entities.

The Agencies continue to believe that card issuers already assess the validity of change of address requests and, for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Further, as commenters requested, the final rulemaking clarifies that card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, before a request for an additional or replacement card. Therefore, the estimates attributable to this portion of the rulemaking are unchanged.

Regarding the final rules implementing section 315, the Agencies recognize that users of consumer reports will need to develop policies and procedures to employ upon receiving a notice of address discrepancy in order to: (1) ensure that the user has obtained the correct consumer report for the consumer; and (2) confirm the accuracy of the address the user furnishes to the CRA. However, under the final rules, a user only must furnish a confirmed address to a CRA for new relationships. Thus, the required policies and procedures will no longer need to address the furnishing of confirmed addresses for existing relationships, and users will not need to furnish to the CRA in connection with existing relationships an address the user reasonably confirmed is accurate.

The Agencies believe that users of credit reports covered by the final rules,

55 See, e.g., 31 CFR 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR 103.122 (broker-dealers); 31 CFR 103.123 (futures commission merchants).
56 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A and B, and 12 CFR 717 (credit unions); 16 CFR part 314 (financial institutions that are not regulated by the Board, FDIC, NCUA, OCC and OTS).
57 See, e.g., 12 CFR part 30, supp. A to app. B (national banks); 12 CFR part 208, supp. A to app. D–2 and part 225, supp. A to app. F (state member banks and holding companies); 12 CFR part 364, supp. A to app. B (state non-member banks); 12 CFR part 570, supp. A to app. B (savings associations); 12 CFR 748, app. A and B (credit unions); Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook's Information Security Booklet (the "IS Booklet") available at http://www.ffiec.gov/guides.htm; FFIEC "Authentication in an Internet Banking Environment" available at http://www.ffiec.gov/pdf/authentication_guidance.pdf; Board SR 01–11 (Supp) (Apr. 26, 2001) available at: http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm; "Guidance on Identity Theft and Pretext Calling," OCC AL 2001–4 (April 30, 2001); "Identity Theft and Pretext Calling," OTS CEO Letter #139 (May 4, 2001); NCUA Letter to Credit Unions 01–CU–09, "Identity Theft and Pretext Calling" (Sept. 2001); OCC 2005–24, "Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents," (July 1, 2005); "Phishing and E-mail Scams," OTS CEO Letter #193 (Mar. 8, 2004); NCUA Letter to Credit Unions 04–CU–12, "Phishing Guidance for Credit Unions" (Sept. 2004).
on a regular basis, already furnish information to CRAs in response to notices of address discrepancy because it is a usual and customary business practice—except in connection with new deposit relationships. For the proposed rulemaking, the Agencies had estimated that there would be no implementation burden associated with furnishing confirmed addresses to CRAs. However, as the result of additional research, the Agencies now believe that some burden should be attributable to this collection, to account for information furnished to CRAs for new deposit relationships. Because this burden is offset by the reduction in burden described above, the estimates for the collections attributable to the final rules implementing section 315 remain unchanged.

The Agencies continue to believe that 25 hours to develop a Program, four hours to prepare an annual report, four hours to develop policies and procedures to assess the validity of changes of address, and four hours to develop policies and procedures to respond to notices of address discrepancy, are reasonable estimates.

The potential respondents are national banks and Federal branches and agencies of foreign banks and certain of their subsidiaries (OCC); state member banks, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations (Board); insured nonmember banks, insured state branches of foreign banks, and certain of their subsidiaries (FDIC); savings associations and certain of their subsidiaries (OTS); Federally-chartered credit unions (NCUA); state-chartered credit unions, non-bank lenders, mortgage brokers, motor vehicle dealers, utility companies, and any other person that regularly participates in a credit decision, including setting the terms of credit (FTC).

Burden Estimates

The Agencies estimate the annual burden per respondent is 41 hours (25 hours to develop a Program, four hours to prepare an annual report, four hours for training, four hours for developing policies and procedures to assess the validity of changes of address, and four hours for developing policies and procedures to respond to notices of address discrepancy). The Agencies attribute total burden to covered entities as follows:

OCC:
Number of respondents: 1,806.
Total estimated annual burden: 74,046.

Board:
Number of respondents: 1,172.
Total estimated annual burden: 48,052.

FDIC:
Number of respondents: 5,260.
Total estimated annual burden: 215,660 hours.

OTS:
Number of respondents: 832.
Total estimated annual burden: 34,112.

NCUA:
Number of respondents: 5,103.
Total estimated annual burden: 209,223.

FTC Estimated Burden:58

Section 114:

Estimated Hours Burden:

As discussed above, the final regulations require financial institutions and creditors to conduct a risk assessment periodically to determine whether they have covered accounts, which include, at a minimum, consumer accounts. If the financial institutions and creditors determine that they have covered accounts, the final regulations require them to create a written Identity Theft Prevention Program (Program) and they should report to the board of directors, a committee thereof, or senior management at least annually on compliance with the final regulations.

The FCRA defines "creditor" to have the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA).59 Under Regulation B, which implements the ECOA, a creditor means a person who regularly participates in a credit decision, including setting the terms of credit. Regulation B defines credit as a transaction in which the party has a right to defer payment of a debt, regardless of whether the credit is for personal or commercial purposes.60

Given the broad scope of entities covered, it is difficult to determine precisely the number of financial institutions and creditors that are subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the proposed regulations implementing section 114 will affect over 3,500 financial institutions 61 and over 11 million creditors 62 subject to the FTC's jurisdiction, for a combined total of approximately 11.1 million affected entities. As detailed below, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance was sought will be 4,466,000 hours (rounded to the nearest thousand). The estimated annual labor cost associated with this burden is $142,925,000 (rounded to the nearest thousand).

For the proposed rule, FTC staff had divided affected entities into two categories: entities that are subject to a high risk of identity theft and entities that are subject to a low risk of identity theft. Based on comments as well as changes in the final rule, FTC staff believes that the affected entities can be categorized in three groups, based on the nature of their businesses: entities subject to a high risk of identity theft; entities subject to a low risk of identity theft, but having consumer accounts that will require them to have a written Program; and entities subject to a low risk of identity theft, but not having consumer accounts.63

A. High-Risk Entities

In drafting its PRA analysis for the proposed regulations, FTC staff believed that because motor vehicle dealers' loans typically are financed by financial institutions also subject to those regulations, the dealers were likely to use the latter's programs as a basis to develop their own. Therefore, although subject to a high risk of identity theft, their burden would be less than other high-risk entities. Commenters, however, noted among other concerns that some motor vehicle dealers finance

58 Due to the varied nature of the entities subject to the jurisdiction of the FTC, this Estimated Burden section reflects only the view of the FTC. The banking regulatory agencies have jointly prepared a separate analysis.
59 15 U.S.C. 1681a(r)(5).
60 Regulation B Equal Credit Opportunity, 12 CFR 202 (as amended effective Apr. 15, 2003).
61 Under the FCRA, the only financial institutions over which the FTC has jurisdiction are state-chartered credit unions. 15 U.S.C. 1681s. As of December 31, 2005, there were 3,302 state-chartered federally-insured credit unions and 362 state-chartered nonfederally insured credit unions, totaling 3,664 financial institutions. See www.ncua.gov/news/quick_facts/quick_facts.html and "Disclosures for Non-Federally Insured Depository Institutions under the Federal Deposit Insurance Corporation Improvement Act (FDICIA)," 70 FR 12823 (Mar. 16, 2005).
62 This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, which totaled 11,076,463 creditors subject to the FTC's jurisdiction.
63 In general, high-risk entities may provide consumer financial services or other goods or services of value to identity thieves such as telecommunication services or goods that are easily convertible to cash, whereas low-risk entities may do business primarily with other businesses or provide non-financial services or goods that are not easily convertible to cash.
their own loans. Thus, for this burden estimate, FTC staff no longer is considering motor vehicle dealers separately from other high-risk entities.

As noted above, the Agencies continue to believe that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud. The final rulemaking clarifies that only relevant staff need be trained to implement the Program, as necessary, meaning, for example, that staff already trained as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as incrementally needed. Notwithstanding this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours, as is the FTC for high-risk entities in their initial year of implementing the Program, but FTC staff continues to believe that one hour of recurring annual training remains a reasonable estimate.

The FTC staff maintains its estimate of 25 hours for high-risk entities to create and implement a written Program, with an annual recurring burden of 1 hour. As before, FTC staff anticipates that these entities will incorporate policies and procedures that they likely already have in place. The FTC staff continues to believe that preparation of an annual report will take high-risk entities 4 hours initially, with an annual recurring burden of 1 hour.

B. Low-Risk Entities

A few commenters believed that FTC staff had underestimated the amount of time it would take low-risk entities to comply with the proposed regulations. These commenters estimated that the amount of time would range from 6 to 20 hours to create a program and 1 hour each to train employees and draft the annual report. The FTC staff believes these estimates were based on a misunderstanding of the requirements of the proposed regulations, including that the list of 31 Red Flags in the proposed guidelines was intended to be a checklist. The final regulations clarify that the list of Red Flags is illustrative only. Moreover, the emphasis of the written Program, as required under the final regulations, is to identify risks of identity theft. To the extent that entities with consumer accounts determine that they have a minimal risk of identity theft, they would be tasked only with developing a streamlined Program. Therefore, the FTC staff does not believe that it would take such an entity 6 to 20 hours to develop a Program, 1 hour to train employees, and 1 hour to draft an annual report on risks of identity theft which are minimal or non-existent. Nonetheless, FTC staff believes that it may have underestimated the time low-risk entities may need to initially apply the final rule to develop a Program. Thus, FTC staff has increased from 20 minutes to 1 hour its previously stated estimate for this activity.

The final regulations have been revised from the proposed regulations to alleviate the burden of creating a written Program for entities that determine that they do not have any covered accounts. The FTC staff believes that entities subject to a low risk of identity theft, but not having consumer accounts, will likely determine that they do not have covered accounts. Such entities would not be required to develop a written Program, and thus will not incur PRA burden. The FTC staff estimates that approximately 9,191,496 64 of the 10,813,525 low-risk entities subject to the requirement to create a written Program under the proposed regulations will not have covered accounts under the final rule. Therefore, these 9,191,496 low-risk entities will not be required to develop a written Program, thereby substantially reducing the original burden hours estimate in the NPRM for low-risk entities.

The FTC staff believes that for entities subject to a low risk of identity theft, but having consumer accounts that will require them to have a written Program, it will take such entities 1 hour to review the final regulations and create a streamlined Program, with an annual recurring burden of 5 minutes. The FTC staff believes that training staff to be attentive to any future risks of identity theft will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes. The FTC staff believes that preparing an annual report will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes.

Accordingly, FTC staff estimates that the final regulations implementing section 114 affect the following: 266,602 high-risk entities subject to the FTC's jurisdiction at an average annual burden of 13 hours per entity [average annual burden over 3-year clearance period for creation and implementation of Program ((25+1+1)/3) plus average annual burden over 3-year clearance period for staff training ((4+1+1)/3) plus average annual burden over 3-year clearance period for preparing annual report ((4+1+1)/3)], for a total of 3,466,000 hours (rounded to the nearest thousand); and 1,622,029 low-risk entities that have consumer accounts subject to the FTC's jurisdiction at an average annual burden of approximately 37 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((60+5+5)/3) plus average annual burden over 3-year clearance period for staff training ((10+5+5)/3) plus average annual burden over 3-year clearance period for preparing annual report ((10+5+5)/3)], for a total of 1,000,000 hours (rounded to the nearest thousand).

The proposed regulations implementing section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. The FTC received no comments on its burden estimates in the NPRM and FTC staff does not believe that the changes made to the final regulation have altered its original burden estimates. Accordingly, FTC staff maintains that it will take 100 credit or debit card issuers 4 hours to develop and implement policies and procedures to assess the validity of a change of address request for a total burden of 400 hours.

Estimated Cost Burden:

The FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with the proposed regulations, as they entail varying compensation levels of management and/or technical staff among companies of different sizes. In the NPRM, FTC staff had estimated that low-risk entities would use administrative support personnel at an hourly cost of $16.00. A few commenters disagreed that low-risk entities would use administrative support personnel, arguing instead that the Program would be implemented at a managerial level, and the labor cost should be at least $32.00 and possibly even $48.00. Therefore, in calculating the cost figures, FTC staff assumes that for all entities, professional technical personnel and/or managerial personnel will create and implement the Program, prepare the annual report, train employees, and assess the validity of a

64 This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, net of the number of creditors subject to the FTC's jurisdiction, an estimated subset of which comprise anticipated low-risk entities not having covered accounts under the final rule.
change of address request, at an hourly rate of $32.00.65

Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the final regulations implementing section 114 are $142,925,000 (rounded to the nearest thousand) [(3,466,000 hours + 400 hours + 1,000,000 hours) x $32.00].

Section 315:

Estimated Hours Burden:

The Commission did not receive any comments relating to its original burden estimates for the information collection requirements under section 315. Although the final regulations were modified such that they no longer require users to furnish a confirmed address to a CRA for existing relationships, FTC staff does not believe that this modification will significantly alter its original burden estimates. Therefore, FTC staff burden estimates remain unchanged under section 315 from the estimates proposed in the NPRM. Accordingly, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance was sought will be 831,000 hours (rounded to the nearest thousand). The FTC staff continues to assume that the policies and procedures for notice of address discrepancy and furnishing the correct address will be set up by administrative support personnel at an hourly rate of $16.66 Thus, the estimated annual labor cost associated with this burden is $13,296,000 (rounded to the nearest thousand).

The Agencies have a continuing interest in the public's opinions of our collections of information. At any time, comments regarding the burden estimate, or any other aspect of this collection of information, including suggestions for reducing the burden, may be sent to:

OCC: Communications Division, Office of the Comptroller of the Currency, Public Information Room, Mail stop 1–5, Attention: 1557–0237, 250 E Street, SW., Washington, DC 20219. In addition, comments may be sent by fax to 202–874–4448, or by electronic mail to regs.comments@occ.treas.gov. You can inspect and photocopy the comments at the OCC's Public Information Room, 250 E Street, SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling 202–874–5043. Upon arrival, visitors will be required to present valid government-issued photo identification and submit to security screening in order to inspect and photocopy comments.

Board: You may submit comments, identified by R–1255, by any of the following methods:
Agency Web site: http://www.federalreserve.gov. Follow the instructions for submitting comments on http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
E-mail: regs.comments@federalreserve.gov. Include docket number in the subject line of the message.
Fax: 202–452–3819 or 202–452–3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.
All public comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper form in Room MP–500 of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

FDIC: You may submit written comments, which should refer to 3064–AD00, by any of the following methods:
Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html. Follow the instructions for submitting comments on the FDIC Web site.
Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
E-mail: Comments@FDIC.gov.
Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, FDIC, 550 17th Street, NW., Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m.
Public Inspection: All comments received will be posted without change to http://www.fdic.gov/regulations/laws/federal/propose/html including any personal information provided. Comments may be inspected at the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC, between 9 a.m. and 4:30 p.m. on business days.

OTS: Information Collection Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; send a facsimile transmission to (202) 906–6518; or send an e-mail to [address not captured in this transcript] ... related index on the OTS Internet site at http://www.ots.treas.gov. In addition, interested persons may inspect the comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment, call (202) 906–5922, send an e-mail to publicinfo@ots.treas.gov, or send a facsimile transmission to (202) 906–7755.

NCUA: You may submit comments by any of the following methods (Please send comments by one method only):
Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
NCUA Web site: http://www.ncua.gov/RegulationsOpinionsLaws/proposedregs/proposedregs.html. Follow the instructions for submitting comments.
E-mail: Address to regcomments@ncua.gov. Include "[Your name] Comments on -," in the e-mail subject line.
Fax: (703) 518–6319. Use the subject line described above for e-mail.
Mail: Address to Mary F. Rupp, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314–3428.
Hand Delivery/Courier: Same as mail address.

Additionally, commenters may send a copy of their comments to the OMB desk officer for the OCC, Board, FDIC, OTS, and NCUA by mail to the Office of Information and Regulatory Affairs, U.S. Office of Management and Budget, New Executive Office Building, Room 10235, 725 17th Street, NW., Washington, DC 20503, or by fax to (202) 395–6974.

FTC: Comments should refer to "The Red Flags Rule: Project No. R611019," and may be submitted by any of the following methods. However, if the comment contains any material for which confidential treatment is requested, it must be filed in paper form, and the first page of the document

65 The cost is derived from a mid-range among the reported 2006 Bureau of Labor Statistics rates for likely positions within the professional technical and managerial categories. See June 2006 Bureau of Labor Statistics National Compensation Survey for occupational wages in the United States at http://www.bls.gov/ncs/ocs/sp/ncbl0910.pdf ("June 2006 BLS NCS Survey").
66 This hourly wage is a conservative inflation-adjusted updating of hourly mean wages ($14.86) shown for administrative support personnel in the June 2006 BLS NCS Survey.
must be clearly labeled "Confidential."[67]

E-mail: Comments filed in electronic form should be submitted by clicking on the following Web link: https://secure.commentworks.com/ftc-redflags and following the instructions on the Web-based form. To ensure that the Commission considers an electronic comment, you must file it on the Web-based form at https://secure.commentworks.com/ftc-redflags.

Federal eRulemaking Portal: If this notice appears at http://www.regulations.gov, you may also file an electronic comment through that Web site. The Commission will consider all comments that regulations.gov forwards to it.

Mail or Hand Delivery: A comment filed in paper form should include "The Red Flags Rule, Project No. R611019," both in the text and on the envelope and should be mailed or delivered, with two complete copies, to the following address: Federal Trade Commission/Office of the Secretary, Room H–135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in the Washington area and at the Commission is subject to delay, please consider submitting your comments in electronic form, as prescribed above. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible.

Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission. Comments should be submitted via facsimile to (202) 395–6974 because U.S. Postal Mail is subject to lengthy delays due to heightened security precautions.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov/os/publiccomments.htm. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Members of the public also can request additional information or a copy of the collection from:

OCC: Mary Gottlieb, OCC Clearance Officer, (202) 874–5090, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

Board: Michelle Shore, Clearance Officer, Division of Research and Statistics, (202) 452–3829.

FDIC: Steven F. Hanft, Clearance Officer, Legal Division, (202) 898–3907.

OTS: Ira L. Mills, OTS Clearance Officer, Litigation Division, Chief Counsel's Office, at Ira.Mills@ots.treas.gov, (202) 906–6531, or facsimile number (202) 906–6518.

NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518–6540.

FTC: See FOR FURTHER INFORMATION CONTACT above.

B. Regulatory Flexibility Act

OCC: Under section 605(b) of the Regulatory Flexibility Act (RFA), 5 U.S.C. 605(b), the OCC must either publish a Final Regulatory Flexibility Analysis (FRFA) for a final rule or certify, along with a statement providing the factual basis for such certification, that the rule will not have a significant economic impact on a substantial number of small entities. The Small Business Administration has defined "small entities" for banking purposes as a bank or savings institution with assets of $165 million or less. See 13 CFR 121.201.

Based on its analysis and for the reasons stated below, the OCC certifies that this final rulemaking will not have a significant economic impact on a substantial number of small entities.

Rules Implementing Section 114

The proposed regulations implementing section 114 required the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate identity theft. The proposed regulations also required card issuers to assess the validity of a notice of address change under certain circumstances.

In connection with the proposed rulemaking, the OCC concluded that the proposed regulations implementing section 114, if adopted as proposed, would not impose undue costs on national banks and would not have a substantial economic impact on a substantial number of small national banks. The OCC noted that national banks already employ a variety of measures that satisfy the requirements of the rulemaking because (1) such measures are a good business practice and generally are a part of a bank's efforts to reduce losses due to fraud, and (2) national banks already comply with other regulations and guidance that relate to information security, authentication, identity theft, and response programs. For example, national banks are already subject to CIP rules requiring them to verify the identity of a person opening a new account[68] and already have various systems in place to detect certain patterns, practices and specific activities that indicate the possible existence of identity theft in connection with the opening of new accounts. Similarly, national banks complying with the "Interagency Guidelines Establishing Information Security Standards"[69] and guidance recently issued by the FFIEC titled "Authentication in an Internet Banking Environment"[70] already have policies and procedures in place to detect attempted and actual intrusions into customer information systems and to detect patterns, practices and specific activities that indicate the possible existence of identity theft in connection with existing accounts. Banks complying with the OCC's "Guidance on Identity Theft and Pretext Calling"[71] already have policies and procedures to verify the validity of change of address requests on existing accounts. Nonetheless, the OCC specifically requested comment and specific data on the size of the incremental burden creating an identity theft prevention program would have on small national banks, given banks' current practices and compliance with existing requirements. The OCC also requested comment on how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

Commenters confirmed that the proposed regulations implementing section 114 of the FACT Act are consistent with banks' usual and customary business practices used to minimize losses due to fraud in connection with new and existing

[67] Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

[68] 31 CFR 103.121; 12 CFR 21.21 (national banks).

[69] 12 CFR part 30, app. B (national banks).

[70] OCC Bulletin 2005–35 (Oct. 12, 2005).

[71] OCC AL 2001–4 (April 30, 2001).
accounts. They also confirmed that banks have implemented measures to address many of the proposed requirements as a result of having to comply with existing regulations and guidance. However, commenters also asserted that the Agencies had underestimated the incremental burden imposed by the proposed rules. They highlighted aspects of the proposal that they maintained would have required banks to alter their current practices and implement duplicative policies and procedures.

Only a few commenters provided estimates of additional burden that would result from the proposed rules. Many of these comments stemmed from a misreading of the requirements of the proposed rules. Further, many commenters confused the Agencies' PRA estimates with the Agencies' overall conclusions regarding regulatory burden.[72]

The OCC believes that the final rules substantially address the concerns of the commenters as follows:

• The final rules allow a covered entity to tailor its Program to its size, complexity and nature of its operations. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology.

• The final rules list the four elements that must be a part of a Program, and the steps that a covered entity must take to administer the Program. The rules provide covered entities with greater discretion to determine how to implement these mandates.

• Additional requirements previously in the proposed rules are now in guidelines that are located in Appendix J. The guidelines describe various policies and procedures that a financial institution or creditor must consider and include in its Program, where appropriate, to satisfy the requirements of the final rules. The preamble to the rules explains that an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program as long as its Program contains reasonable policies and procedures to meet the specific requirements of the final rules.

• The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity's fraud prevention program.

• The final rules clarify that a Program (including the Red Flags determined to be relevant) may be periodically, rather than continually, updated to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

• The rules focus on consumer accounts, and require a Program to include only other accounts "for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft."

• The definition of "Red Flags" no longer includes reference to the "possible risk" of identity theft and no longer incorporates precursors to identity theft.

• The final rules clarify that the Red Flags in Supplement A are examples rather than a mandatory checklist.

• Supplement A includes a Red Flag for activity on an inactive account in place of a separate guideline.

• The final rules clarify that the Board of Directors or a committee thereof must approve only the initial written Program. The rules provide a covered entity with the discretion to determine whether the Board or management will approve changes to the Program and the extent of Board involvement in oversight of the Program.

• The final rules clarify that only relevant staff must be trained to implement the Program, as necessary.

• Card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card—building on issuers' existing procedures.

• Covered entities need not comply with the final rules until November 1, 2008.

The Agencies did consider whether it would be appropriate to extend different treatment or exempt small covered entities from the requirements of this section of the final rulemaking. The Agencies note that identity theft can occur in small entities as well as large ones. The Agencies do not believe that an exemption for small entities is appropriate given the flexibility built into the final rules and guidelines and the importance of the statutory goals and mandate of section 114.

As a result of the changes and clarifications noted above, this section of the final rule is far more flexible and less burdensome than that in the proposed rules while still fulfilling the statutory mandates enumerated in section 114. Moreover, the OCC has concluded that the incremental cost of these final rules and guidelines will not impose undue costs and will not have a significant economic impact on a substantial number of small entities.

Rules Implementing Section 315

The proposed regulations implementing section 315 required a user of consumer reports to have policies and procedures to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report. The proposed rules also required the user to furnish to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the user: (1) Is able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained; (2) establishes or maintains a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained.

In connection with the proposed rulemaking the OCC noted that the FACT Act already requires CRAs to provide notices of address discrepancy to users of credit reports. The OCC stated that with respect to new accounts, a national bank already is required by the CIP rules to ensure that it knows the identity of a person opening a new account and to keep a record describing the resolution of any substantive discrepancy discovered during the verification process. The OCC also stated that as a matter of good business practice, most national banks currently have policies and procedures in place to respond to notices of address discrepancy when they are provided in connection with both new and existing accounts, by furnishing an address for the consumer that the bank has reasonably confirmed is accurate to the CRA from which it received the notice of address discrepancy.

The OCC specifically requested comment on whether the proposed requirements differ from small banks' current practices and whether the proposed requirements on users of consumer reports to have policies and procedures to respond to the receipt of an address discrepancy could be altered

[72] The PRA focuses more narrowly on the time, effort, and financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency. See 44 U.S.C. 3501 et seq.
to minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

Many suggestions received in response to this solicitation for comment would have required a statutory change. However, many commenters noted that section 315 does not require the reporting of a confirmed address to a CRA for a notice of address discrepancy received for an existing account. These commenters stated that the level of regulatory burden imposed by this requirement would be significant and would force users to reconcile and verify addresses millions of times a year in connection with routine account maintenance. Commenters maintained that this would result in enormous costs that provide relatively little benefit to consumers. The final rules address these comments and accordingly, under the rules implementing section 315, a user is not obligated to furnish a confirmed address for the consumer to the CRA in connection with existing accounts. Although a bank will likely have to modify its existing procedures to add a new procedure for promptly reporting to CRAs the reconciled address for new deposit accounts, the OCC has concluded that the final rules implementing section 315 will not impose undue costs on national banks and will not have a significant economic impact on a substantial number of small entities. Finally, as mentioned earlier, the final rules provide a transition period and do not require covered entities to fully comply with these requirements until November 1, 2008.

Board: The Board prepared an initial regulatory flexibility analysis as required by the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) in connection with the July 18, 2006 proposed rule. The Board received one comment on its regulatory flexibility analysis. Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory flexibility analysis otherwise required under Section 604 of the RFA is not required if an agency certifies, along with a statement providing the factual basis for such certification, that the rule will not have a significant economic impact on a substantial number of small entities. Based on its analysis and for the reasons stated below, the Board certifies that this final rule will not have a significant economic impact on a substantial number of small entities.

1. Statement of the need for, and objectives of, the final rule.

The FACT Act amends the FCRA and was enacted, in part, for the purpose of helping to reduce identity theft. Section 114 of the FACT Act amends section 615 of the FCRA and directs the Board, together with the other Agencies, to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances. Section 315 of the FACT Act adds section 605(h)(2) to the FCRA and requires the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy. The Board received no comments on the reasons for the proposed rule. The Board is adopting the final rule to implement sections 114 and 315 of the FACT Act. The SUPPLEMENTARY INFORMATION above contains information on the objectives of the final rule.

2. Summary of issues raised by comments in response to the initial regulatory flexibility analysis.

In accordance with Section 3(a) of the RFA, the Board conducted an initial regulatory flexibility analysis in connection with the proposed rule. One commenter, the Mortgage Bankers Association (MBA), responded to the initial regulatory flexibility analysis and stated that contrary to the Agencies' belief, the proposed rule would have a significant economic impact on a substantial number of affected small entities. The MBA stated that commercial and multifamily mortgage lenders should not be subject to the proposed rule because it would constitute useless regulatory burden. Three commenters (Independent Community Bankers of America, The Financial Services Roundtable and BITS, and KeyCorp) believed that the Board and the other Agencies had underestimated the costs of compliance. The issues raised by these commenters did not apply uniquely to small entities and are described in the Paperwork Reduction Act section above.

Some small financial institutions expressed concern about the flexibility granted by the proposal. As stated in the Overview of Proposal and Comments Received, these commenters preferred to have more structured guidance that describes how to develop and implement a Program and what they would need to do to achieve compliance. In addition, one commenter expressed concern that smaller institutions would be particularly burdened by the proposal's requirement that the Program be designed to address changing identity risks "as they arise."

3. Description and estimate of small entities affected by the final rule.

The final rule applies to all banks that are members of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.). The Board's rule will apply to the following institutions (numbers approximate): State member banks (881), operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (877), U.S. branches and agencies of foreign banks (219), commercial lending companies owned or controlled by foreign banks (3), and Edge and agreement corporations (64), for a total of approximately 2,044 institutions. The Board estimates that more than 1,448 of these institutions could be considered small entities with assets of $165 million or less.

4. Recordkeeping, reporting, and other compliance requirements.

Section 114 requires the Board to prescribe regulations that require financial institutions and creditors to establish reasonable policies and procedures to implement guidelines established by the Board and other federal agencies that address identity theft with respect to account holders and customers. This would be implemented by requiring a covered financial institution or creditor to create an Identity Theft Prevention Program that detects, prevents and mitigates the risk of identity theft applicable to its accounts.

Section 114 also requires the Board to adopt regulations applicable to credit and debit card issuers to implement policies and procedures to assess the validity of change of address requests. The final rule implements this by requiring credit and debit card issuers to establish reasonable policies and procedures to assess the validity of a change of address if it receives a notification of a change of address for a debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the issuer receives a request for an additional or replacement card for the same account.

Section 315 requires the Board to prescribe regulations that provide guidance regarding the reasonable policies and procedures that a user of
consumers' reports should employ to verify the identity of a consumer when a consumer reporting agency provides a notice of address discrepancy with the consumer reporting agency in certain circumstances. The final rule requires users of consumer reports to develop and implement reasonable policies and procedures for verifying the identity of a consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy and to reconcile an address discrepancy with the appropriate consumer reporting agency in certain circumstances.

5. Steps taken to minimize the economic impact on small entities.

The Board and the other Agencies have attempted to minimize the economic impact on small entities by providing more flexibility in developing a Program and moving certain detail contained in the proposed regulations to the guidelines. In addition, to allow small entities and creditors to tailor their Programs to their operations, the final rules provide that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. The Board has also eliminated the requirement for institutions to update their Program in response to changing identity theft risks "as they arise." The final rule instead requires "periodic" updating.

FDIC: The FDIC prepared an initial regulatory flexibility analysis as required by the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) in connection with the July 18, 2006 proposed rule. Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory flexibility analysis otherwise required under Section 604 of the RFA is not required if an agency certifies, along with a statement providing the factual basis for such certification, that the rule will not have a significant economic impact on a substantial number of small entities (defined for purposes of the RFA to include banks with less than $165 million in assets). Based on its analysis and for the reasons stated below, the FDIC certifies that this final rule will not have a significant economic impact on a substantial number of small entities.

Under the final rule implementing FACT Act Section 114, financial institutions and creditors must have a written program that includes controls to address the identity theft risks they have identified. Credit and debit card issuers must also have additional policies and procedures to assess the validity of change of address requests. The final rule would apply to all FDIC-insured state nonmember banks, approximately 3,260 of which are small entities. The rule is drafted in a flexible manner that allows institutions to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology. The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity's fraud prevention program. The FDIC believes that many institutions have already implemented a significant portion of the detection and mitigation efforts required by the rule. With respect to the portion of the rule covering card issuers, those entities may satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card—building on issuers' existing procedures.

Under the final rule implementing FACT Act Section 315, a user of consumer reports (which constitutes most, if not all, FDIC-insured state nonmember banks) must have policies and procedures to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report. Although a bank will likely have to modify its existing procedures to add a new procedure for promptly reporting to consumer reporting agencies the reconciled address for new deposit accounts, the FDIC has concluded that the final rules implementing section 315—which only obligates a user to furnish a confirmed address for the consumer to the consumer reporting agency in connection with new, and not existing, accounts—will not impose undue costs on banks and will not have a significant economic impact on a substantial number of small entities. Moreover, the final rules provide a transition period and do not require covered entities to fully comply with these requirements until November 1, 2008.

OTS: Under section 605(b) of the Regulatory Flexibility Act (RFA), 5 U.S.C. 605(b), OTS must either publish a Final Regulatory Flexibility Analysis (FRFA) for a final rule or certify, along with a statement providing the factual basis for such certification, that the rule will not have a significant economic impact on a substantial number of small entities. The Small Business Administration has defined "small entities" to include savings associations with total assets of $165 million or less. 13 CFR 121.201.

The rule will implement sections 114 and 315 of the FACT Act and will apply to all savings associations (and federal savings association operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act), 424 of which have assets of less than or equal to $165 million. Based on its analysis and for the reasons stated below, OTS certifies that this final rulemaking will not have a significant economic impact on a substantial number of small entities.

Rules Implementing Section 114

The proposed regulations implementing section 114 required the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate identity theft. The proposed regulations also required card issuers to assess the validity of a notice of address change under certain circumstances.

In connection with the proposed rulemaking, OTS concluded that the proposed regulations implementing section 114, if adopted as proposed, would not impose undue costs on savings associations and would not have a substantial economic impact on a substantial number of small savings associations. OTS noted that savings associations already employ a variety of measures that satisfy the requirements of the rulemaking because (1) such measures are a good business practice and generally are a part of a thrift's efforts to reduce losses due to fraud, and (2) savings associations already comply with other regulations and guidance that relate to information security, authentication, identity theft, and response programs. For example, savings associations are already subject to CIP rules requiring them to verify the identity of a person opening a new account[73] and already have various systems in place to detect certain patterns, practices and specific activities that indicate the possible existence of identity theft in connection with the opening of new accounts. Similarly, savings associations complying with the "Interagency Guidelines Establishing

[73] 31 CFR 103.121; 12 CFR 563.177 (savings associations).
63748 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

Information Security Standards’’ 74 and guidance recently issued by the FFIEC titled ‘‘Authentication in an Internet Banking Environment’’ 75 already have policies and procedures in place to detect attempted and actual intrusions into customer information systems and to detect patterns, practices and specific activities that indicate the possible existence of identity theft in connection with existing accounts. Savings associations complying with OTS’s guidance on ‘‘Identity Theft and Pretext Calling’’ 76 already have policies and procedures to verify the validity of change of address requests on existing accounts.

Nonetheless, OTS specifically requested comment and specific data on the size of the incremental burden creating an identity theft prevention program would have on small savings associations, given their current practices and compliance with existing requirements. OTS also requested comment on how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

Commenters confirmed that the proposed regulations implementing section 114 of the FACT Act are consistent with savings associations’ usual and customary business practices used to minimize losses due to fraud in connection with new and existing accounts. They also confirmed that savings associations have implemented measures to address many of the proposed requirements as a result of having to comply with existing regulations and guidance. However, commenters also asserted that the Agencies had underestimated the incremental burden imposed by the proposed rules. They highlighted aspects of the proposal that they maintained would have required savings associations to alter their current practices and implement duplicative policies and procedures. Only a few commenters provided estimates of additional burden that would result from the proposed rules. Many of these comments stemmed from a misreading of the requirements of the proposed rules. Further, many commenters confused the Agencies’ PRA estimates with the Agencies’ overall conclusions regarding regulatory burden.77

OTS believes that the final rules substantially address the concerns of the commenters as follows:

• The final rules allow a covered entity to tailor its Program to its size, complexity and nature of its operations. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology.

• The final rules list the four elements that must be a part of a Program, and the steps that a covered entity must take to administer the Program. The rules provide covered entities with greater discretion to determine how to implement these mandates.

• Additional requirements previously in the proposed rules are now in guidelines that are located in Appendix J. The guidelines describe various policies and procedures that a financial institution or creditor must consider and include in its Program, where appropriate, to satisfy the requirements of the final rules. The preamble to the rules explains that an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program as long as its Program contains reasonable policies and procedures to meet the specific requirements of the final rules.

• The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program.

• The final rules clarify that a Program (including the Red Flags determined to be relevant) may be periodically, rather than continually, updated to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

• The rules focus on consumer accounts, and require a Program to include only other accounts ‘‘for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.’’

• The definition of ‘‘Red Flags’’ no longer includes reference to the ‘‘possible risk’’ of identity theft and no longer incorporates precursors to identity theft.

• The final rules clarify that the Red Flags in Supplement A are examples rather than a mandatory checklist.

• Supplement A includes a Red Flag for activity on an inactive account in place of a separate guideline.

• The final rules clarify that the Board of Directors or a committee thereof must approve only the initial written Program. The rules provide a covered entity with the discretion to determine whether the Board or management will approve changes to the Program and the extent of Board involvement in oversight of the Program.

• The final rules clarify that only relevant staff must be trained to implement the Program, as necessary.

• Card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card—building on issuers’ existing procedures.

• Covered entities need not comply with the final rules until November 1, 2008.

The Agencies did consider whether it would be appropriate to extend different treatment or exempt small covered entities from the requirements of this section of the final rulemaking. The Agencies note that identity theft can occur in small entities as well as large ones. The Agencies do not believe that an exemption for small entities is appropriate given the flexibility built into the final rules and guidelines and the importance of the statutory goals and mandate of section 114.

As a result of the changes and clarifications noted above, this section of the final rule is far more flexible and less burdensome than that in the proposed rules while still fulfilling the statutory mandates enumerated in section 114. Moreover, OTS has concluded that the incremental cost of these final rules and guidelines will not impose undue costs and will not have a significant economic impact on a substantial number of small entities.

Rules Implementing Section 315

The proposed regulations implementing section 315 required a user of consumer reports to have policies and procedures to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report. The proposed rules also required the user to furnish to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the user: (1) Is able to form a reasonable belief that it knows the identity of the consumer

74 12 CFR part 570, app. B (savings associations).
75 OTS CEO Letter 228 (Oct. 12, 2005).
76 OTS CEO Letter 139 (May 4, 2001).
77 The PRA focuses more narrowly on the time, effort, and financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency. See 44 U.S.C. 3501 et seq.
for whom the consumer report was obtained; (2) establishes or maintains a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained.

In connection with the proposed rulemaking OTS noted that the FACT Act already requires CRAs to provide notices of address discrepancy to users of credit reports. OTS stated that with respect to new accounts, a savings association already is required by the CIP rules to ensure that it knows the identity of a person opening a new account and to keep a record describing the resolution of any substantive discrepancy discovered during the verification process. OTS also stated that as a matter of good business practice, most savings associations currently have policies and procedures in place to respond to notices of address discrepancy when they are provided in connection with both new and existing accounts, by furnishing an address for the consumer that the association has reasonably confirmed is accurate to the CRA from which it received the notice of address discrepancy.

OTS specifically requested comment on whether the proposed requirements differ from small savings associations’ current practices and whether the proposed requirements on users of consumer reports to have policies and procedures to respond to the receipt of an address discrepancy could be altered to minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

Many suggestions received in response to this solicitation for comment would have required a statutory change. However, many commenters noted that section 315 does not require the reporting of a confirmed address to a CRA for a notice of address discrepancy received for an existing account. These commenters stated that the level of regulatory burden imposed by this requirement would be significant and would force users to reconcile and verify addresses millions of times a year in connection with routine account maintenance. Commenters maintained that this would result in enormous costs that provide relatively little benefit to consumers. The final rules address these comments and, accordingly, under the rules implementing section 315, a user is not obligated to furnish a confirmed address for the consumer to the CRA in connection with existing accounts. Although a savings association will likely have to modify its existing procedures to add a new procedure for promptly reporting to CRAs the reconciled address for new deposit accounts, OTS has concluded that the final rules implementing section 315 will not impose undue costs on savings associations and will not have a significant economic impact on a substantial number of small entities. Finally, as mentioned earlier, the final rules provide a transition period and do not require covered entities to fully comply with these requirements until November 1, 2008.

FTC: The Regulatory Flexibility Act (‘‘RFA’’), 5 U.S.C. 601–612, requires that the Commission provide an Initial Regulatory Flexibility Analysis (‘‘IRFA’’) with a proposed rule and a Final Regulatory Flexibility Analysis (‘‘FRFA’’), if any, with the final rule, unless the Commission certifies that the rule will not have a significant economic impact on a substantial number of small entities. See 5 U.S.C. 603–605.

The Commission hereby certifies that the final regulations will not have a significant economic impact on a substantial number of small business entities. The Commission recognizes that the final regulations will affect a substantial number of small businesses. We do not expect, however, that the final regulations will have a significant economic impact on these small entities.

The Commission continues to believe that a precise estimate of the number of small entities that fall under the final regulations is not currently feasible. Based on changes made to the final regulations in response to comments received, however, and the Commission’s own experience and knowledge of industry practices, the Commission also continues to believe that the cost and burden to small business entities of complying with the final regulations are minimal. Accordingly, this document serves as notice to the Small Business Administration of the agency’s certification of no effect. Nonetheless, the Commission has decided to publish a FRFA with these final regulations. Therefore, the Commission has prepared the following analysis:

1. Need for and Objectives of the Rule

The FTC is charged with enforcing the requirements of sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (15 U.S.C. §§ 1681m(e) and 1681c(h)(2)), which require the FTC to establish guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft, and regulations requiring each financial institution and creditor to establish policies and procedures for implementing the guidelines. In addition, section 114 requires credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. Section 315 requires the FTC to develop policies and procedures that a user of consumer reports must employ when such a user receives a notice of address discrepancy from a consumer reporting agency described in section 603(p) of the FCRA. In this action, the FTC promulgates final rules that would implement these requirements of the FACT Act.

2. Significant Issues Received by Public Comment

The Commission received a number of comments on the effect of the proposed regulations. Some of the comments addressed the effect of the proposed regulations on businesses generally, and did not identify small businesses as a particular category. The FTC staff, therefore, has included all comments in this FRFA that raised potentially significant compliance issues for small businesses, regardless of whether the commenter identified small businesses as being an affected category.

In drafting its PRA analysis for the proposed regulations, FTC staff believed that because motor vehicle dealers’ loans typically are financed by financial institutions also subject to those regulations, the dealers were likely to use the latter’s programs as a basis to develop their own. Therefore, although subject to a high risk of identity theft, their burden would be less than other high-risk entities. Commenters, however, noted among other concerns that some motor vehicle dealers finance their own loans. Thus, FTC staff no longer is considering motor vehicle dealers separately from other high-risk entities.

As noted in the PRA analysis, the Agencies continue to believe that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud. The final rulemaking clarifies that only relevant staff need be trained to implement the Program, as necessary—meaning, for example, that staff already trained as a part of a covered entity’s anti-fraud prevention efforts do not need to be re-trained except as incrementally needed. Notwithstanding this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours, as is the FTC for high-risk entities in their initial year of
implementing the Program, but FTC staff continues to believe that one hour of recurring annual training remains a reasonable estimate.

A few commenters believed that FTC staff had underestimated the amount of time it would take low-risk entities to comply with the proposed regulations. These commenters estimated that the amount of time would range from 6 to 20 hours to create a program and 1 hour each to train employees and draft the annual report. The FTC staff believes these estimates were based on a misunderstanding of the requirements of the proposed regulations, including that the list of 31 Red Flags in the proposed guidelines was intended to be a checklist. The final regulations clarify that the list of Red Flags is illustrative only. Moreover, the emphasis of the written Program, as required under the final regulations, is to identify risks of identity theft. To the extent that entities with consumer accounts determine that they have a minimal risk of identity theft, they would be tasked only with developing a streamlined Program. Therefore, FTC staff does not believe that it would take such an entity 6 to 20 hours to develop a Program, 1 hour to train employees, and 1 hour to draft an annual report on risks of identity theft which are minimal or non-existent. Nonetheless, FTC staff believes that it may have underestimated the time low-risk entities may need to initially apply the final rule to develop a Program. Thus, FTC staff has increased from 20 minutes to 1 hour its previously stated estimate for this activity.

In addition, the final regulations have been revised from the proposed regulations to alleviate the burden of creating a written Program for entities that determine that they do not have any covered accounts. The FTC staff believes that entities subject to a low risk of identity theft, but not having consumer accounts, will likely determine that they do not have covered accounts. Such entities would not be required to develop a written Program. The FTC staff estimates that approximately 9,191,496 78 of the 10,813,525 low-risk entities subject to the requirement to create a written Program under the proposed regulations will not have covered accounts under the final rule. Therefore, although these 9,191,496 low-risk entities will have to conduct a periodic risk assessment to determine if they have covered accounts, they will not be required to develop a written Program, thereby substantially reducing the original burden estimate in the NPRM for low-risk entities.

The FTC received additional comments on its IRFA requesting that the FTC delay implementation of the final rules for small businesses by a minimum of six months, consider creating a certification form for low-risk entities, and develop a small business compliance guide. The Agencies have set a mandatory compliance deadline of November 1, 2008, thereby providing all entities with well over six months in which to implement the final regulations. The FTC staff will be developing a small business compliance guide prior to the mandatory compliance deadline of November 1, 2008. The FTC staff will consider whether to include any model forms in such guide.

The FTC did not receive any comments on its IRFA for the proposed regulations implementing section 114 requiring credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. The FTC staff does not believe that the changes made to the final regulation have altered its original burden estimates.

The FTC did not receive any comments on its IRFA relating to the proposed regulations under section 315.

3. Small Entities to Which the Final Rule Will Apply

The final regulations apply to a wide variety of business categories under the Small Business Size Standards. Generally, the final regulations would apply to financial institutions, creditors, and users of consumer reports. In particular, entities under FTC’s jurisdiction covered by section 114 include State-chartered credit unions, non-bank lenders, mortgage brokers, automobile dealers, utility companies, telecommunications companies, and any other person that regularly participates in a credit decision, including setting the terms of credit. The section 315 requirements apply to State-chartered credit unions, non-bank lenders, insurers, landlords, employers, mortgage brokers, automobile dealers, collection agencies, and any other person who requests a consumer report from a consumer reporting agency described in section 603(p) of the FCRA. Given the coverage of the final rules, a very large number of small entities across almost every industry could be subject to the final rules. For the majority of these entities, a small business is defined by the Small Business Administration as one whose average annual receipts do not exceed $6.5 million or who have fewer than 500 employees.79

Section 114: As discussed in the PRA section of this Notice, given the broad scope of section 114’s requirements, it is difficult to determine with precision the number of financial institutions and creditors that are subject to the FTC’s jurisdiction. There are numerous small businesses under the FTC’s jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the final regulations implementing section 114 will affect over 3500 financial institutions and over 11 million creditors 80 subject to the FTC’s jurisdiction, for a combined total of approximately 11.1 million affected entities. Of this total, the FTC staff expects that well over 90% of these firms qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors).

One commenter acknowledged that the FTC’s estimates as to the number of small entities that will be affected were accurate, but did not provide precise numbers.

The final regulations implementing section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. Indeed, the final regulations require credit and debit card issuers to notify the cardholder or to use another means of assessing the validity of the change of address. FTC staff believes that there may be as many as 3,764 credit or debit card issuers that fall under the jurisdiction of the FTC and that well over 90% of these firms qualify as small businesses under existing size standards (i.e., $165 million in assets for financial

78 This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, net of the number of creditors subject to the FTC’s jurisdiction, an estimated subset of which comprise anticipated low-risk entities not having covered accounts under the final rule.
79 These numbers represent the size standards for most retail and service industries ($6.5 million total receipts) and manufacturing industries (500 employees). A list of the SBA’s size standards for all industries can be found at http://www.sba.gov/size/summary-whatis.html.
80 This estimate is derived from census data of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers and businesses. 2003 County Business Patterns, U.S. Census Bureau (http://censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl); and 2002 Economic Census, Bureau (http://www.census.gov/econ/census02/).
institutions and $6.5 million in sales for many creditors).

The Commission did not receive any comments to the IRFA on the latter credit or debit card issuers that would allow it to determine the precise number of small entities that will be affected.

Section 315: As discussed in the PRA section of this Notice, given the broad scope of section 315’s requirements, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC’s jurisdiction. There are numerous small businesses under the FTC’s jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the final regulations implementing section 315 will affect approximately 1.6 million users of consumer reports subject to the FTC’s jurisdiction 81 and that well over 90% of these firms qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors).

The Commission did not receive any comments to the IRFA on the proposed regulations under Section 315 that would allow it to determine the precise number of small entities that will be affected.

4. Projected Reporting, Recordkeeping and Other Compliance Requirements

The final requirements will involve some increased costs for affected parties. Most of these costs will be incurred by those required to conduct periodic risk assessments, and draft identity theft Programs and annual reports. There will also be costs associated with training, and for credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. In addition, there will be costs related to developing reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency, and for furnishing an address that the user has reasonably confirmed is accurate. The Commission does not expect, however, that the increased costs associated with the final regulations will be significant as explained below.

Section 114: The FTC staff estimates that there may be as many as 90% of the businesses affected by the proposed rules under section 114 that are subject to a high risk of identity theft that qualify as small businesses. It is likely that many such entities already engage in various activities to minimize losses due to fraud as part of their usual and customary business practices. Accordingly, the impact of the proposed requirements would be merely incremental and not significant. In particular, the rule will direct many of these entities to consolidate their existing policies and procedures into a written Program and may require some additional staff training.

The FTC expects that well over 90% of the businesses affected by the proposed rules under section 114 that are subject to a low risk of identity theft qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors). The final requirements are drafted in a flexible manner that limits the burden on a substantial majority of low-risk entities to conducting periodic risk assessments for covered accounts, and allows the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. As a result, the FTC staff expects that the burden on these low-risk entities will be minimal (i.e., not significant). The final regulations would require low-risk entities that have covered accounts that have no existing identity theft procedures to state in writing their low risk of identity theft, train staff to be attentive to future risks of identity theft, and, if appropriate, prepare an annual report. The FTC staff believes that, for the affected low-risk entities, such activities will not be complex or resource-intensive tasks.

The final regulations implementing section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. It is likely that most of the entities have automated the process of notifying the cardholder or using other means to assess the validity of the change of address such that implementation will pose no further burden. For those that do not, the FTC staff expects that a small number of such entities (100) will need to develop policies and procedures to assess the validity of a change of address request. The impacts on such entities should not be significant, however.

In calculating the costs, FTC staff assumes that for all entities, professional technical personnel and/or managerial personnel will conduct the periodic risk assessment, create and implement the Program, prepare the annual report, train employees, and assess the validity of a change of address request.

Section 315: The final regulations implementing section 315 provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency. The final regulations also require a user of consumer reports to furnish an address that the user has reasonably confirmed is accurate to the consumer reporting agency from which it receives a notice of address discrepancy, but only to the extent that such user regularly and in the ordinary course of business furnishes information to such consumer reporting agency. The FTC staff believes that the impacts on users of consumer reports that are small businesses will not be significant. As discussed in the PRA section of the NPRM, the FTC staff believes that it will not take users of consumer reports under FTC jurisdiction a significant amount of time to develop policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff believes that only 10,000 of such users of consumer reports furnish information to consumer reporting agencies as part of their usual and customary business practices and that approximately 20% of these entities qualify as small businesses. Therefore, the staff estimates that 2,000 small businesses will be affected by this portion of the final regulation that requires furnishing the correct address. As discussed in the PRA section of this NPRM, FTC staff estimates that it will not take such users of consumer reports a significant amount of time to develop the policies and procedures for furnishing the correct address to the consumer reporting agencies pursuant to the final regulations for implementing section 315. The FTC staff estimates that the costs associated with these impacts will not be significant.

In calculating these costs, FTC staff assumes that the policies and procedures for notice of address discrepancy and furnishing the correct address will be set up by administrative support personnel.

81 This estimate is derived from census data of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers and businesses. 2003 County Business Patterns, U.S. Census Bureau (http://censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl); and 2002 Economic Census, Bureau (http://www.census.gov/econ/census02/).
5. Steps Taken To Minimize Significant Economic Impact of the Rule on Small Entities

The Commission considered whether any significant alternatives, consistent with the purposes of the FACT Act, could further minimize the final regulations' impact on small entities. The FTC asked for comment on this issue. The final requirements are drafted in a flexible manner that limits the burden on a substantial majority of low-risk entities to conducting periodic risk assessments for covered accounts and allows the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities.

In addition, a commenter requested that the FTC delay implementation of the final rules for small businesses by a minimum of six months, produce a shortened Red Flags list, consider creating a certification form for low-risk entities, and develop a small business compliance guide. The Agencies have set a mandatory compliance deadline of November 1, 2008, thereby providing all entities with well over six months in which to implement the final regulations. As discussed in the PRA analysis infra, the Agencies have clarified that the Red Flags Supplement is illustrative only, and is not intended to be used as a checklist. Therefore, the Agencies did not consider it necessary to alter the Red Flags listed. The FTC staff will be developing a small business compliance guide prior to the mandatory compliance deadline of November 1, 2008. The FTC staff will consider whether to include any model forms in such guide.

C. OCC and OTS Executive Order 12866 Determination

The OCC and the OTS each have independently determined that the final rule is not a ''significant regulatory action'' as defined in Executive Order 12866 because the annual effect on the economy is less than $100 million. Accordingly, a regulatory assessment is not required.

D. OCC and OTS Executive Order 13132 Determination

The OCC and the OTS each has determined that these final rules do not have any federalism implications for purposes of Executive Order 13132.

E. NCUA Executive Order 13132 Determination

Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on State and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the Executive Order. These final rules apply only to federally chartered credit unions and would not have substantial direct effects on the States, on the connection between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. The NCUA has determined that these final rules do not constitute a policy that has federalism implications for purposes of the Executive Order.

F. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (Unfunded Mandates Act) requests that an agency prepare a budgetary impact statement before promulgating a rule that includes a federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS each has determined that this rule will not result in expenditures by State, local, and tribal governments, or by the private sector, of $100 million or more. National banks and savings associations already employ a variety of measures that satisfy the requirements of the final rulemaking because, as described earlier, these are usual and customary business practices to minimize losses due to fraud, or because, as described earlier, they already comply with other existing regulations and guidance that relate to information security, authentication, identity theft, and response programs. Accordingly, neither the OCC nor the OTS has prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered.

G. NCUA: The Treasury and General Government Appropriations Act, 1999—Assessment of Federal Regulations and Policies on Families

The NCUA has determined that these final rules will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105–277, 112 Stat. 2681 (1998).

H. NCUA: Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) Determination

A SBREFA (Pub. L. 104–121) reporting requirement is triggered in instances where NCUA issues a final rule as defined by section 551 of the Administrative Procedure Act, 5 U.S.C. 551. NCUA has determined this final rule is not a major rule for purposes of SBREFA and the Office of Management and Budget (OMB) has concurred.

I. Plain Language

Section 722 of the Gramm-Leach-Bliley Act (12 U.S.C. 4809) requires the Federal banking agencies and the NCUA to use ''plain language'' in all proposed and final rules published in the Federal Register. The Agencies received no comments on how to make the rules easier to understand, and believe the final rules are presented in a clear and straightforward manner.

List of Subjects

12 CFR Part 41

Banks, banking, Consumer protection, National Banks, Reporting and recordkeeping requirements.

12 CFR Part 222

Banks, banking, Holding companies, State member banks.

12 CFR Part 334

Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and soundness.

12 CFR Part 364

Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and soundness.

12 CFR Part 571

Consumer protection, Credit, Fair Credit Reporting Act, Privacy, Reporting and recordkeeping requirements, Savings associations.

12 CFR Part 717

Consumer protection, Credit unions, Fair credit reporting, Privacy, Reporting and recordkeeping requirements.

16 CFR Part 681

Fair Credit Reporting Act, Consumer reports, Consumer report users, Consumer reporting agencies, Credit, Creditors, Information furnishers, Identity theft, Trade practices.
Department of the Treasury

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

■ For the reasons discussed in the joint preamble, the Office of the Comptroller of the Currency amends Part 41 of title 12, chapter I, of the Code of Federal Regulations as follows:

PART 41—FAIR CREDIT REPORTING

■ 1. The authority citation for part 41 continues to read as follows:

Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and 1818; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–3, 1681t, 1681w, Sec. 214, Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Section 41.1 is added to read as follows:

§ 41.1 Purpose.

(a) Purpose. The purpose of this part is to establish standards for national banks regarding consumer report information. In addition, the purpose of this part is to specify the extent to which national banks may obtain, use, or share certain information. This part also contains a number of measures national banks must take to combat consumer fraud and related crimes, including identity theft.

(b) [Reserved]

■ 3. Amend § 41.3 by revising the introductory text to read as follows:

§ 41.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

■ 4. Revise the heading for Subpart I to read as follows:

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 5. Add § 41.82 to read as follows:

§ 41.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a national bank, Federal branch or agency of a foreign bank, or any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A) Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);

(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or

(C) Obtains from third-party sources; or

(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer's address. (1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;

(ii) Establishes a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the consumer about whom it has requested the report;

(ii) Reviewing its own records to verify the address of the consumer;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

■ 6. Add Subpart J to part 41 to read as follows:

Subpart J—Identity Theft Red Flags

Sec.
41.90 Duties regarding the detection, prevention, and mitigation of identity theft.
41.91 Duties of card issuers regarding changes of address.

Subpart J—Identity Theft Red Flags

§ 41.90 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is a national bank, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definitions. For purposes of this section and Appendix J, the following definitions apply:

(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:

(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and

(ii) A deposit account.

(2) The term board of directors includes:

(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3) Covered account means:

(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell
phone account, utility account, checking account, or savings account; and

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

(6) Customer means a person that has a covered account with a financial institution or creditor.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:

(1) The methods it provides to open its accounts;

(2) The methods it provides to access its accounts; and

(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:

(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(3) Train staff, as necessary, to effectively implement the Program; and

(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 41.91 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is a national bank, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1)(i) Notifies the cardholder of the request:

(A) At the cardholder's former address; or

(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and

(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or

(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 41.90 of this part.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]

■ 7. Add and reserve appendices D through I to part 41.

■ 8. Add Appendix J to part 41 to read as follows:

Appendix J to Part 41—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 41.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 41.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the
formulation and maintenance of a Program that satisfies the requirements of § 41.90 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:

(1) The types of covered accounts it offers or maintains;

(2) The methods it provides to open its covered accounts;

(3) The methods it provides to access its covered accounts; and

(4) Its previous experiences with identity theft.

(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:

(1) Incidents of identity theft that the financial institution or creditor has experienced;

(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and

(3) Applicable supervisory guidance.

(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.

(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

(2) The presentation of suspicious documents;

(3) The presentation of suspicious personal identifying information, such as a suspicious address change;

(4) The unusual use of, or other suspicious activity related to, a covered account; and

(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags

The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:

(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and

(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft

The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:

(a) Monitoring a covered account for evidence of identity theft;

(b) Contacting the customer;

(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;

(d) Reopening a covered account with a new account number;

(e) Not opening a new covered account;

(f) Closing an existing covered account;

(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;

(h) Notifying law enforcement; or

(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:

(a) The experiences of the financial institution or creditor with identity theft;

(b) Changes in methods of identity theft;

(c) Changes in methods to detect, prevent, and mitigate identity theft;

(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and

(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

(1) Assigning specific responsibility for the Program's implementation;

(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 41.90 of this part; and

(3) Approving material changes to the Program as necessary to address changing identity theft risks.

(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 41.90 of this part.

(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.

(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:

(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;

(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and

(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 41.82(b) of this part.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries;

b. An unusual number of recently established credit relationships;

c. A material change in the use of credit, especially with respect to recently established credit relationships; or

d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is fictitious, a mail drop, or a prison; or

b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.

15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.

16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.

24. The financial institution or creditor is notified that the customer is not receiving paper account statements.

25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.

Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Board of Governors of the Federal Reserve System

12 CFR Chapter II

Authority and Issuance

■ For the reasons set forth in the joint preamble, part 222 of title 12, chapter II, of the Code of Federal Regulations is amended as follows:

PART 222—FAIR CREDIT REPORTING (REGULATION V)

■ 1. The authority citation for part 222 continues to read as follows:

Authority: 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–2, 1681s–3, 1681t, and 1681w; Secs. 3 and 214, Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Section 222.3 is amended by revising the introductory text to read as follows:

§ 222.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

■ 3. The heading for Subpart I is revised to read as follows:

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 4. A new § 222.82 is added to read as follows:

§ 222.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a member bank of the Federal Reserve System (other than a national bank) and its respective operating subsidiaries, a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State
branch of a foreign bank), commercial VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00040 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
lending company owned or controlled by a foreign bank, and an organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.

(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

■ 5. A new Subpart J is added to part 222 to read as follows:

Subpart J—Identity Theft Red Flags

Sec.
222.90 Duties regarding the detection, prevention, and mitigation of identity theft.
222.91 Duties of card issuers regarding changes of address.

Subpart J—Identity Theft Red Flags

§ 222.90 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to financial institutions and creditors that are member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) Definitions. For purposes of this section and Appendix J, the following definitions apply:

(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.

(2) The term board of directors includes:
(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3) Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

(6) Customer means a person that has a covered account with a financial institution or creditor.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate
identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 222.91 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 222.90(a) that issues a debit or credit card (card issuer).

(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 222.90 of this part.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]

■ 6. Appendices D through I to part 222 are added and reserved.

■ 7. A new Appendix J is added to part 222 to read as follows:

Appendix J to Part 222—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 222.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 222.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 222.90 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.

(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.

(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags

The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules
implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft

The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the customer;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a) The experiences of the financial institution or creditor with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 222.90 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.

(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 222.90 of this part.

(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.

(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 222.82(b) of this part.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or
b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.

15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.

16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.

24. The financial institution or creditor is notified that the customer is not receiving paper account statements.

25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

■ For the reasons discussed in the joint preamble, the Federal Deposit Insurance Corporation is amending 12 CFR parts 334 and 364 of title 12, Chapter III, of the Code of Federal Regulations as follows:

PART 334—FAIR CREDIT REPORTING

■ 1. The authority citation for part 334 is revised to read as follows:

Authority: 12 U.S.C. 1818, 1819 (Tenth) and 1831p–1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–3, 1681t, 1681w, 6801 and 6805, Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Amend § 334.3 by revising the introductory text to read as follows:

§ 334.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

■ 3. Revise the heading for Subpart I as shown below.

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 4. Add § 334.82 to read as follows:

§ 334.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency and that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.

(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63761

(ii) Reviewing its own records to verify the address of the consumer;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

■ 5. Add Subpart J to part 334 to read as follows:

Subpart J—Identity Theft Red Flags

Sec.
334.90 Duties regarding the detection, prevention, and mitigation of identity theft.
334.91 Duties of card issuers regarding changes of address.

Subpart J—Identity Theft Red Flags

§ 334.90 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b) Definitions. For purposes of this section and Appendix J, the following definitions apply:

(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:

(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and

(ii) A deposit account.

(2) The term board of directors includes:

(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3) Covered account means:

(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

(6) Customer means a person that has a covered account with a financial institution or creditor.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:

(1) The methods it provides to open its accounts;

(2) The methods it provides to access its accounts; and

(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program—(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:

(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(3) Train staff, as necessary, to effectively implement the Program; and

(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 334.91 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a
[[Page 63762]]

change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1)(i) Notifies the cardholder of the request:

(A) At the cardholder’s former address; or

(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and

(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or

(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 334.90 of this part.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]

■ 6. Add and reserve appendices D through I to part 334.

■ 7. Add Appendix J to part 334 to read as follows:

Appendix J to Part 334—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 334.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 334.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 334.90 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:

(1) The types of covered accounts it offers or maintains;

(2) The methods it provides to open its covered accounts;

(3) The methods it provides to access its covered accounts; and

(4) Its previous experiences with identity theft.

(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:

(1) Incidents of identity theft that the financial institution or creditor has experienced;

(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and

(3) Applicable supervisory guidance.

(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.

(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

(2) The presentation of suspicious documents;

(3) The presentation of suspicious personal identifying information, such as a suspicious address change;

(4) The unusual use of, or other suspicious activity related to, a covered account; and

(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags.

The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:

(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and

(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft.

The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site. Appropriate responses may include the following:

(a) Monitoring a covered account for evidence of identity theft;

(b) Contacting the customer;

(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;

(d) Reopening a covered account with a new account number;

(e) Not opening a new covered account;

(f) Closing an existing covered account;

(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;

(h) Notifying law enforcement; or

(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program.

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:

(a) The experiences of the financial institution or creditor with identity theft;

(b) Changes in methods of identity theft;

(c) Changes in methods to detect, prevent, and mitigate identity theft;

(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and

(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

(1) Assigning specific responsibility for the Program’s implementation;

(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 334.90 of this part; and

(3) Approving material changes to the Program as necessary to address changing identity theft risks.

(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the
[[Page 63763]]

financial institution or creditor with § 334.90 of this part.

(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.

(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:

(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;

(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and

(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries;

b. An unusual number of recently established credit relationships;

c. A material change in the use of credit, especially with respect to recently established credit relationships; or

d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is fictitious, a mail drop, or a prison; or

b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.

15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.

16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.

18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.

24. The financial institution or creditor is notified that the customer is not receiving paper account statements.

25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
[[Page 63764]]

Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

PART 364—STANDARDS FOR SAFETY AND SOUNDNESS

■ 8. The authority citation for part 364 is revised to read as follows:

Authority: 12 U.S.C. 1818 and 1819 (Tenth), 1831p–1; 15 U.S.C. 1681b, 1681s, 1681w, 6801(b), 6805(b)(1).

■ 9. Add the following sentence at the end of § 364.101(b):

§ 364.101 Standards for safety and soundness.

* * * * *

(b) * * * The interagency regulations and guidelines on identity theft detection, prevention, and mitigation prescribed pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. 1681m(e), are set forth in §§ 334.90, 334.91, and Appendix J of part 334.

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

■ For the reasons discussed in the joint preamble, the Office of Thrift Supervision is amending part 571 of title 12, chapter V, of the Code of Federal Regulations as follows:

PART 571—FAIR CREDIT REPORTING

■ 1. Revise the authority citation for part 571 to read as follows:

Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p–1, and 1881–1884; 15 U.S.C. 1681b, 1681c, 1681m, 1681s, 1681s–1, 1681t and 1681w; 15 U.S.C. 6801 and 6805; Sec. 214 Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Amend § 571.1 by revising paragraph (b)(9) and adding a new paragraph (b)(10) to read as follows:

§ 571.1 Purpose and Scope.

* * * * *

(b) scope. * * * * *

(9)(i) The scope of § 571.82 of Subpart I of this part is stated in § 571.82(a) of this part.

(ii) The scope of § 571.83 of Subpart I of this part is stated in § 571.83(a) of this part.

(10)(i) The scope of § 571.90 of Subpart J of this part is stated in § 571.90(a) of this part.

(ii) The scope of § 571.91 of Subpart J of this part is stated in § 571.91(a) of this part.

■ 3. Amend § 571.3 by:

■ a. Removing paragraph (o); and

■ b. Revising the introductory text to read as follows:

§ 571.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

■ 4. Revise the heading for Subpart I as shown below.

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 5. Add § 571.82 to read as follows:

§ 571.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a savings association whose deposits are insured by the Federal Deposit Insurance Corporation or, in accordance with § 559.3(h)(1) of this chapter, a federal savings association operating subsidiary that is not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.

(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);

(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or

(C) Obtains from third-party sources; or

(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;

(ii) Establishes a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the consumer about whom it has requested the report;

(ii) Reviewing its own records to verify the address of the consumer;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

■ 6. Amend § 571.83 by:

■ a. Redesignating paragraphs (a) and (b) as paragraphs (b) and (c), respectively.

■ b. Adding a new paragraph (a) to read as follows:

§ 571.83 Disposal of consumer information.

(a) Scope. This section applies to savings associations whose deposits are
    • Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63765 insured by the Federal Deposit maintains for which there is a (ii) Detect Red Flags that have been Insurance Corporation and federal reasonably foreseeable risk to customers incorporated into the Program of the savings association operating or to the safety and soundness of the financial institution or creditor; subsidiaries in accordance with financial institution or creditor from (iii) Respond appropriately to any Red § 559.3(h)(1) of this chapter (defined as identity theft, including financial, Flags that are detected pursuant to ‘‘you’’). operational, compliance, reputation, or paragraph (d)(2)(ii) of this section to * * * * * litigation risks. prevent and mitigate identity theft; and I 7. Add Subpart J to part 571 to read (4) Credit has the same meaning as in (iv) Ensure the Program (including the as follows: 15 U.S.C. 1681a(r)(5). Red Flags determined to be relevant) is (5) Creditor has the same meaning as updated periodically, to reflect changes Subpart J—Identity Theft Red Flags in risks to customers and to the safety in 15 U.S.C. 1681a(r)(5), and includes Sec. lenders such as banks, finance and soundness of the financial 571.90 Duties regarding the detection, companies, automobile dealers, institution or creditor from identity prevention, and mitigation of identity theft. theft. mortgage brokers, utility companies, and telecommunications companies. (e) Administration of the Program. 571.91 Duties of card issuers regarding changes of address. (6) Customer means a person that has Each financial institution or creditor a covered account with a financial that is required to implement a Program Subpart J—Identity Theft Red Flags institution or creditor. must provide for the continued (7) Financial institution has the same administration of the Program and must: § 571.90 Duties regarding the detection, (1) Obtain approval of the initial meaning as in 15 U.S.C. 
1681a(t). prevention, and mitigation of identity theft. written Program from either its board of (8) Identity theft has the same (a) Scope. This section applies to a meaning as in 16 CFR 603.2(a). directors or an appropriate committee of financial institution or creditor that is a (9) Red Flag means a pattern, practice, the board of directors; savings association whose deposits are or specific activity that indicates the (2) Involve the board of directors, an insured by the Federal Deposit possible existence of identity theft. appropriate committee thereof, or a Insurance Corporation or, in accordance (10) Service provider means a person designated employee at the level of with § 559.3(h)(1) of this chapter, a that provides a service directly to the senior management in the oversight, federal savings association operating financial institution or creditor. development, implementation and subsidiary that is not functionally (c) Periodic Identification of Covered administration of the Program; regulated within the meaning of section Accounts. Each financial institution or (3) Train staff, as necessary, to 5(c)(5) of the Bank Holding Company creditor must periodically determine effectively implement the Program; and Act of 1956, as amended (12 U.S.C. whether it offers or maintains covered (4) Exercise appropriate and effective 1844(c)(5)). accounts. As a part of this oversight of service provider (b) Definitions. For purposes of this arrangements. determination, a financial institution or section and Appendix J, the following (f) Guidelines. 
Each financial creditor must conduct a risk assessment definitions apply: institution or creditor that is required to to determine whether it offers or (1) Account means a continuing implement a Program must consider the maintains covered accounts described relationship established by a person guidelines in Appendix J of this part in paragraph (b)(3)(ii) of this section, with a financial institution or creditor to and include in its Program those taking into consideration: obtain a product or service for personal, guidelines that are appropriate. (1) The methods it provides to open family, household or business purposes. its accounts; § 571.91 Duties of card issuers regarding Account includes: (i) An extension of credit, such as the (2) The methods it provides to access changes of address. purchase of property or services its accounts; and (a) Scope. This section applies to an involving a deferred payment; and (3) Its previous experiences with issuer of a debit or credit card (card (ii) A deposit account. identity theft. issuer) that is a savings association (2) The term board of directors (d) Establishment of an Identity Theft whose deposits are insured by the includes: Prevention Program. (1) Program Federal Deposit Insurance Corporation (i) In the case of a branch or agency requirement. Each financial institution or, in accordance with § 559.3(h)(1) of of a foreign bank, the managing official or creditor that offers or maintains one this chapter, a federal savings in charge of the branch or agency; and or more covered accounts must develop association operating subsidiary that is (ii) In the case of any other creditor and implement a written Identity Theft not functionally regulated within the that does not have a board of directors, Prevention Program (Program) that is meaning of section 5(c)(5) of the Bank a designated employee at the level of designed to detect, prevent, and mitigate Holding Company Act of 1956, as senior management. 
identity theft in connection with the amended (12 U.S.C. 1844(c)(5)). (3) Covered account means: opening of a covered account or any (b) Definitions. For purposes of this (i) An account that a financial existing covered account. The Program section: institution or creditor offers or must be appropriate to the size and (1) Cardholder means a consumer maintains, primarily for personal, complexity of the financial institution who has been issued a credit or debit family, or household purposes, that or creditor and the nature and scope of card. involves or is designed to permit its activities. (2) Clear and conspicuous means multiple payments or transactions, such (2) Elements of the Program. The reasonably understandable and as a credit card account, mortgage loan, Program must include reasonable designed to call attention to the nature automobile loan, margin account, cell policies and procedures to: and significance of the information jlentini on PROD1PC65 with RULES4 phone account, utility account, (i) Identify relevant Red Flags for the presented. checking account, or savings account; covered accounts that the financial (c) Address validation requirements. and institution or creditor offers or A card issuer must establish and (ii) Any other account that the maintains, and incorporate those Red implement reasonable policies and financial institution or creditor offers or Flags into its Program; procedures to assess the validity of a VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00049 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • 63766 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations change of address if it receives I. The Program the Red Flags the financial institution or notification of a change of address for a In designing its Program, a financial creditor has detected that are commensurate consumer’s debit or credit card account institution or creditor may incorporate, as with the degree of risk posed. In determining appropriate, its existing policies, procedures, an appropriate response, a financial and, within a short period of time and other arrangements that control institution or creditor should consider afterwards (during at least the first 30 aggravating factors that may heighten the risk days after it receives such notification), reasonably foreseeable risks to customers or to the safety and soundness of the financial of identity theft, such as a data security the card issuer receives a request for an institution or creditor from identity theft. incident that results in unauthorized access additional or replacement card for the to a customer’s account records held by the II. Identifying Relevant Red Flags financial institution, creditor, or third party, same account. Under these circumstances, the card issuer may not (a) Risk Factors. A financial institution or or notice that a customer has provided issue an additional or replacement card, creditor should consider the following factors information related to a covered account held in identifying relevant Red Flags for covered by the financial institution or creditor to until, in accordance with its reasonable accounts, as appropriate: someone fraudulently claiming to represent policies and procedures and for the (1) The types of covered accounts it offers the financial institution or creditor or to a purpose of assessing the validity of the or maintains; fraudulent website. 
Appropriate responses change of address, the card issuer: (2) The methods it provides to open its may include the following: (1)(i) Notifies the cardholder of the covered accounts; (a) Monitoring a covered account for request: (3) The methods it provides to access its evidence of identity theft; (A) At the cardholder’s former covered accounts; and (b) Contacting the customer; address; or (4) Its previous experiences with identity (c) Changing any passwords, security (B) By any other means of theft. codes, or other security devices that permit (b) Sources of Red Flags. Financial access to a covered account; communication that the card issuer and institutions and creditors should incorporate the cardholder have previously agreed (d) Reopening a covered account with a relevant Red Flags from sources such as: new account number; to use; and (1) Incidents of identity theft that the (e) Not opening a new covered account; (ii) Provides to the cardholder a financial institution or creditor has (f) Closing an existing covered account; reasonable means of promptly reporting experienced; (g) Not attempting to collect on a covered incorrect address changes; or (2) Methods of identity theft that the account or not selling a covered account to (2) Otherwise assesses the validity of financial institution or creditor has identified a debt collector; the change of address in accordance that reflect changes in identity theft risks; (h) Notifying law enforcement; or with the policies and procedures the and (i) Determining that no response is (3) Applicable supervisory guidance. warranted under the particular card issuer has established pursuant to (c) Categories of Red Flags. The Program § 571.90 of this part. circumstances. should include relevant Red Flags from the (d) Alternative timing of address following categories, as appropriate. V. Updating the Program validation. 
A card issuer may satisfy the Examples of Red Flags from each of these Financial institutions and creditors should requirements of paragraph (c) of this categories are appended as Supplement A to update the Program (including the Red Flags section if it validates an address this Appendix J. determined to be relevant) periodically, to pursuant to the methods in paragraph (1) Alerts, notifications, or other warnings reflect changes in risks to customers or to the (c)(1) or (c)(2) of this section when it received from consumer reporting agencies or safety and soundness of the financial service providers, such as fraud detection institution or creditor from identity theft, receives an address change notification, services; based on factors such as: before it receives a request for an (2) The presentation of suspicious (a) The experiences of the financial additional or replacement card. documents; institution or creditor with identity theft; (e) Form of notice. Any written or (3) The presentation of suspicious personal (b) Changes in methods of identity theft; electronic notice that the card issuer identifying information, such as a suspicious (c) Changes in methods to detect, prevent, provides under this paragraph must be address change; and mitigate identity theft; clear and conspicuous and provided (4) The unusual use of, or other suspicious (d) Changes in the types of accounts that separately from its regular activity related to, a covered account; and the financial institution or creditor offers or (5) Notice from customers, victims of maintains; and correspondence with the cardholder. identity theft, law enforcement authorities, or (e) Changes in the business arrangements Appendices D–I [Reserved] other persons regarding possible identity of the financial institution or creditor, theft in connection with covered accounts including mergers, acquisitions, alliances, I 8. Add and reserve appendices D held by the financial institution or creditor. 
joint ventures, and service provider through I to part 571. III. Detecting Red Flags arrangements. I 9. Add Appendix J to part 571 to read The Program’s policies and procedures VI. Methods for Administering the Program as follows: should address the detection of Red Flags in (a) Oversight of Program. Oversight by the connection with the opening of covered board of directors, an appropriate committee Appendix J to Part 571—Interagency accounts and existing covered accounts, such Guidelines on Identity Theft Detection, of the board, or a designated employee at the as by: level of senior management should include: Prevention, and Mitigation (a) Obtaining identifying information (1) Assigning specific responsibility for the about, and verifying the identity of, a person Section 571.90 of this part requires each Program’s implementation; opening a covered account, for example, financial institution and creditor that offers (2) Reviewing reports prepared by staff using the policies and procedures regarding or maintains one or more covered accounts, regarding compliance by the financial identification and verification set forth in the as defined in § 571.90(b)(3) of this part, to institution or creditor with § 571.90 of this Customer Identification Program rules develop and provide for the continued implementing 31 U.S.C. 5318(l) (31 CFR part; and administration of a written Program to detect, 103.121); and (3) Approving material changes to the prevent, and mitigate identity theft in (b) Authenticating customers, monitoring Program as necessary to address changing connection with the opening of a covered transactions, and verifying the validity of identity theft risks. account or any existing covered account. (b) Reports. (1) In general. Staff of the jlentini on PROD1PC65 with RULES4 change of address requests, in the case of These guidelines are intended to assist existing covered accounts. 
financial institution or creditor responsible financial institutions and creditors in the for development, implementation, and formulation and maintenance of a Program IV. Preventing and Mitigating Identity Theft administration of its Program should report that satisfies the requirements of § 571.90 of The Program’s policies and procedures to the board of directors, an appropriate this part. should provide for appropriate responses to committee of the board, or a designated VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00050 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63767 employee at the level of senior management, 2. A consumer reporting agency provides a b. The phone number is invalid, or is at least annually, on compliance by the notice of credit freeze in response to a associated with a pager or answering service. financial institution or creditor with § 571.90 request for a consumer report. 14. The SSN provided is the same as that of this part. 3. A consumer reporting agency provides a submitted by other persons opening an (2) Contents of report. The report should notice of address discrepancy, as defined in account or other customers. address material matters related to the § 571.82(b) of this part. 15. The address or telephone number Program and evaluate issues such as: the 4. A consumer report indicates a pattern of provided is the same as or similar to the effectiveness of the policies and procedures activity that is inconsistent with the history account number or telephone number of the financial institution or creditor in and usual pattern of activity of an applicant submitted by an unusually large number of addressing the risk of identity theft in or customer, such as: other persons opening accounts or other connection with the opening of covered a. A recent and significant increase in the customers. accounts and with respect to existing covered volume of inquiries; 16. The person opening the covered accounts; service provider arrangements; b. An unusual number of recently account or the customer fails to provide all significant incidents involving identity theft established credit relationships; required personal identifying information on c. A material change in the use of credit, an application or in response to notification and management’s response; and especially with respect to recently that the application is incomplete. recommendations for material changes to the established credit relationships; or 17. 
Personal identifying information Program. d. An account that was closed for cause or provided is not consistent with personal (c) Oversight of service provider identifying information that is on file with arrangements. Whenever a financial identified for abuse of account privileges by a financial institution or creditor. the financial institution or creditor. institution or creditor engages a service 18. For financial institutions and creditors provider to perform an activity in connection Suspicious Documents that use challenge questions, the person with one or more covered accounts the opening the covered account or the customer financial institution or creditor should take 5. Documents provided for identification appear to have been altered or forged. cannot provide authenticating information steps to ensure that the activity of the service beyond that which generally would be provider is conducted in accordance with 6. The photograph or physical description on the identification is not consistent with available from a wallet or consumer report. reasonable policies and procedures designed to detect, prevent, and mitigate the risk of the appearance of the applicant or customer Unusual Use of, or Suspicious Activity identity theft. For example, a financial presenting the identification. Related to, the Covered Account institution or creditor could require the 7. Other information on the identification 19. Shortly following the notice of a change service provider by contract to have policies is not consistent with information provided of address for a covered account, the and procedures to detect relevant Red Flags by the person opening a new covered account institution or creditor receives a request for that may arise in the performance of the or customer presenting the identification. a new, additional, or replacement card or a service provider’s activities, and either report 8. 
Other information on the identification cell phone, or for the addition of authorized the Red Flags to the financial institution or is not consistent with readily accessible users on the account. creditor, or to take appropriate steps to information that is on file with the financial 20. A new revolving credit account is used prevent or mitigate identity theft. institution or creditor, such as a signature in a manner commonly associated with card or a recent check. known patterns of fraud patterns. For VII. Other Applicable Legal Requirements 9. An application appears to have been example: Financial institutions and creditors should altered or forged, or gives the appearance of a. The majority of available credit is used be mindful of other related legal having been destroyed and reassembled. for cash advances or merchandise that is requirements that may be applicable, such as: easily convertible to cash (e.g., electronics Suspicious Personal Identifying Information (a) For financial institutions and creditors equipment or jewelry); or that are subject to 31 U.S.C. 5318(g), filing a 10. Personal identifying information b. The customer fails to make the first Suspicious Activity Report in accordance provided is inconsistent when compared payment or makes an initial payment but no with applicable law and regulation; against external information sources used by subsequent payments. (b) Implementing any requirements under the financial institution or creditor. For 21. A covered account is used in a manner 15 U.S.C. 1681c–1(h) regarding the example: that is not consistent with established circumstances under which credit may be a. The address does not match any address patterns of activity on the account. There is, extended when the financial institution or in the consumer report; or for example: creditor detects a fraud or active duty alert; b. The Social Security Number (SSN) has a. 
Nonpayment when there is no history of (c) Implementing any requirements for not been issued, or is listed on the Social late or missed payments; furnishers of information to consumer Security Administration’s Death Master File. b. A material increase in the use of reporting agencies under 15 U.S.C. 1681s–2, 11. Personal identifying information available credit; for example, to correct or update inaccurate provided by the customer is not consistent c. A material change in purchasing or or incomplete information, and to not report with other personal identifying information spending patterns; information that the furnisher has reasonable provided by the customer. For example, there d. A material change in electronic fund cause to believe is inaccurate; and is a lack of correlation between the SSN transfer patterns in connection with a deposit (d) Complying with the prohibitions in 15 range and date of birth. account; or U.S.C. 1681m on the sale, transfer, and 12. Personal identifying information e. A material change in telephone call placement for collection of certain debts provided is associated with known patterns in connection with a cellular phone resulting from identity theft. fraudulent activity as indicated by internal or account. third-party sources used by the financial 22. A covered account that has been Supplement A to Appendix J institution or creditor. For example: inactive for a reasonably lengthy period of In addition to incorporating Red Flags from a. The address on an application is the time is used (taking into consideration the the sources recommended in section II.b. of same as the address provided on a fraudulent type of account, the expected pattern of usage the Guidelines in Appendix J of this part, application; or and other relevant factors). each financial institution or creditor may b. The phone number on an application is 23. 
Mail sent to the customer is returned consider incorporating into its Program, the same as the number provided on a repeatedly as undeliverable although whether singly or in combination, Red Flags fraudulent application. transactions continue to be conducted in from the following illustrative examples in 13. Personal identifying information connection with the customer’s covered connection with covered accounts: provided is of a type commonly associated account. jlentini on PROD1PC65 with RULES4 with fraudulent activity as indicated by 24. The financial institution or creditor is Alerts, Notifications or Warnings from a internal or third-party sources used by the notified that the customer is not receiving Consumer Reporting Agency financial institution or creditor. For example: paper account statements. 1. A fraud or active duty alert is included a. The address on an application is 25. The financial institution or creditor is with a consumer report. fictitious, a mail drop, or a prison; or notified of unauthorized charges or VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00051 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • 63768 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations transactions in connection with a customer’s reasonable policies and procedures reporting period in which it establishes covered account. designed to enable the user to form a a relationship with the consumer. Notice from Customers, Victims of Identity reasonable belief that a consumer report I 5. Add Subpart J to part 717 to read Theft, Law Enforcement Authorities, or Other relates to the consumer about whom it as follows: Persons Regarding Possible Identity Theft in has requested the report, when the user Subpart J—Identity Theft Red Flags Connection With Covered Accounts Held by receives a notice of address discrepancy. the Financial Institution or Creditor (2) Examples of reasonable policies Sec. and procedures. (i) Comparing the 717.90 Duties regarding the detection, 26. The financial institution or creditor is prevention, and mitigation of identity notified by a customer, a victim of identity information in the consumer report theft. theft, a law enforcement authority, or any provided by the consumer reporting 717.91 Duties of card issuers regarding other person that it has opened a fraudulent agency with information the user: changes of address. account for a person engaged in identity (A) Obtains and uses to verify the theft. consumer’s identity in accordance with Subpart J—Identity Theft Red Flags National Credit Union Administration the requirements of the Customer § 717.90 Duties regarding the detection, 12 CFR Chapter VII Information Program (CIP) rules prevention, and mitigation of identity theft. implementing 31 U.S.C. 5318(l) (31 CFR Authority and Issuance 103.121); (a) Scope. This section applies to a (B) Maintains in its own records, such financial institution or creditor that is a I For the reasons discussed in the joint as applications, change of address federal credit union. preamble, the National Credit Union (b) Definitions. 
For purposes of this Administration is amending part 717 of notifications, other member account section and Appendix J, the following title 12, chapter VII, of the Code of records, or retained CIP documentation; definitions apply: Federal Regulations as follows: or (1) Account means a continuing (C) Obtains from third-party sources; PART 717—FAIR CREDIT REPORTING relationship established by a person or with a federal credit union to obtain a (ii) Verifying the information in the I 1. The authority citation for part 717 product or service for personal, family, consumer report provided by the is revised to read as follows: household or business purposes. consumer reporting agency with the Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. Account includes: consumer. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s– (i) An extension of credit, such as the (d) Consumer’s address—(1) 1, 1681t, 1681w, 6801 and 6805, Pub. L. 108– purchase of property or services Requirement to furnish consumer’s 159, 117 Stat. 1952. involving a deferred payment; and address to a consumer reporting agency. (ii) A share or deposit account. Subpart A—General Provisions A user must develop and implement (2) The term board of directors refers reasonable policies and procedures for to a federal credit union’s board of I 2. Amend § 717.3 by revising the furnishing an address for the consumer directors. introductory text to read as follows: that the user has reasonably confirmed (3) Covered account means: is accurate to the consumer reporting (i) An account that a federal credit § 717.3 Definitions. agency from whom it received the union offers or maintains, primarily for For purposes of this part, unless notice of address discrepancy when the personal, family, or household explicitly stated otherwise: user: purposes, that involves or is designed to * * * * * (i) Can form a reasonable belief that permit multiple payments or I 3. 
Revise the heading for Subpart I as the consumer report relates to the transactions, such as a credit card shown below. consumer about whom the user account, mortgage loan, automobile requested the report; loan, checking account, or share Subpart I—Duties of Users of (ii) Establishes a continuing account; and Consumer Reports Regarding Address relationship with the consumer; and (ii) Any other account that the federal Discrepancies and Records Disposal (iii) Regularly and in the ordinary credit union offers or maintains for course of business furnishes information which there is a reasonably foreseeable I 4. Add § 717.82 to read as follows: to the consumer reporting agency from risk to members or to the safety and which the notice of address discrepancy soundness of the federal credit union § 717.82 Duties of users regarding address relating to the consumer was obtained. discrepancies. from identity theft, including financial, (2) Examples of confirmation operational, compliance, reputation, or (a) Scope. This section applies to a methods. The user may reasonably litigation risks. user of consumer reports (user) that confirm an address is accurate by: (4) Credit has the same meaning as in receives a notice of address discrepancy (i) Verifying the address with the 15 U.S.C. 1681a(r)(5). from a consumer reporting agency, and consumer about whom it has requested (5) Creditor has the same meaning as that is federal credit union. the report; in 15 U.S.C. 1681a(r)(5). (b) Definition. For purposes of this (ii) Reviewing its own records to (6) Customer means a member that section, a notice of address discrepancy verify the address of the consumer; has a covered account with a federal means a notice sent to a user by a (iii) Verifying the address through credit union. consumer reporting agency pursuant to third-party sources; or (7) Financial institution has the same 15 U.S.C. 1681c(h)(1), that informs the (iv) Using other reasonable means. meaning as in 15 U.S.C. 1681a(t). 
user of a substantial difference between (3) Timing. The policies and (8) Identity theft has the same the address for the consumer that the procedures developed in accordance meaning as in 16 CFR 603.2(a). user provided to request the consumer with paragraph (d)(1) of this section (9) Red Flag means a pattern, practice, jlentini on PROD1PC65 with RULES4 report and the address(es) in the must provide that the user will furnish or specific activity that indicates the agency’s file for the consumer. the consumer’s address that the user has possible existence of identity theft. (c) Reasonable belief—(1) reasonably confirmed is accurate to the (10) Service provider means a person Requirement to form a reasonable belief. consumer reporting agency as part of the that provides a service directly to the A user must develop and implement information it regularly furnishes for the federal credit union. VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00052 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
(c) Periodic Identification of Covered Accounts. Each federal credit union must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a federal credit union must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each federal credit union that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the federal credit union and the nature and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the federal credit union offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the federal credit union;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to members and to the safety and soundness of the federal credit union from identity theft.
(e) Administration of the Program. Each federal credit union that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.
(f) Guidelines. Each federal credit union that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 717.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is a federal credit union.
(b) Definitions. For purposes of this section:
(1) Cardholder means a member who has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a member’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 717.90 of this part.
(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]
■ 6. Add and reserve appendices D through I to part 717.
■ 7. Add Appendix J to part 717 to read as follows:

Appendix J to Part 717—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
Section 717.90 of this part requires each federal credit union that offers or maintains one or more covered accounts, as defined in § 717.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist federal credit unions in the formulation and maintenance of a Program that satisfies the requirements of § 717.90 of this part.

I. The Program
In designing its Program, a federal credit union may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to members or to the safety and soundness of the federal credit union from identity theft.

II. Identifying Relevant Red Flags
(a) Risk Factors. A federal credit union should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.
(b) Sources of Red Flags. Federal credit unions should incorporate relevant Red Flags from sources such as:
(1) Incidents of identity theft that the federal credit union has experienced;
(2) Methods of identity theft that the federal credit union has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union.

III. Detecting Red Flags
The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating members, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft
The Program’s policies and procedures should provide for appropriate responses to the Red Flags the federal credit union has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a federal credit union should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a member’s account records held by the federal credit union or a third party, or notice that a member has provided information related to a covered account held by the federal credit union to someone fraudulently claiming to represent the federal credit union or to a fraudulent website. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the member;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program
Federal credit unions should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to members or to the safety and soundness of the federal credit union from identity theft, based on factors such as:
(a) The experiences of the federal credit union with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the federal credit union offers or maintains; and
(e) Changes in the business arrangements of the federal credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program
(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the federal credit union with § 717.90 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports. (1) In general. Staff of the federal credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the federal credit union with § 717.90 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the federal credit union in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.
(c) Oversight of service provider arrangements. Whenever a federal credit union engages a service provider to perform an activity in connection with one or more covered accounts the federal credit union should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a federal credit union could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the federal credit union, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements
Federal credit unions should be mindful of other related legal requirements that may be applicable, such as:
(a) Filing a Suspicious Activity Report under 31 U.S.C. 5318(g) and 12 CFR 748.1(c);
(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the federal credit union detects a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J
In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each federal credit union may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings From a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 717.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or member presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or member presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the federal credit union, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the federal credit union. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
11. Personal identifying information provided by the member is not consistent with other personal identifying information provided by the member. For example, there is a lack of correlation between the SSN range and date of birth.
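An added example, not part of the regulation text, modelling the card-issuer change-of-address rule in § 717.91(c)–(d) above as a check over an account's event history: the event kinds, field names and the sample history are constructed for this illustration, and the 30-day window is the minimum period the rule names.

```python
# Added example (not part of the regulation): an event-based model of the card-issuer
# address-validation rule in § 717.91(c)-(d). Event kinds, field names and the sample
# account history below are constructed for illustration only.
from dataclasses import dataclass
from datetime import date

# The rule fixes "at least the first 30 days after it receives such notification"
# as the period during which a card request must trigger address validation.
VALIDATION_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Event:
    kind: str                      # ADDRESS_CHANGE | NOTICE_SENT | VALIDATED
    when: date
    channel: str = ""              # NOTICE_SENT: "former_address" or an agreed channel
    reporting_means: bool = False  # NOTICE_SENT: cardholder told how to report a bad change
    former_address: str = ""       # ADDRESS_CHANGE: address on file before the change


@dataclass(frozen=True)
class Decision:
    action: str           # "ISSUE" or "HOLD"
    basis: str            # which paragraph of the rule the decision rests on
    required: tuple = ()  # outstanding steps when action == "HOLD"


def latest_address_change(events, as_of):
    """Most recent ADDRESS_CHANGE received on or before as_of, or None."""
    changes = [e for e in events if e.kind == "ADDRESS_CHANGE" and e.when <= as_of]
    return max(changes, key=lambda e: e.when) if changes else None


def decide_card_request(events, request_date, agreed_channels=()):
    """Decide whether an additional/replacement card may be issued on request_date.

    agreed_channels: channels the issuer and cardholder previously agreed to use
    (para (c)(1)(i)(B)); "former_address" is always acceptable (para (c)(1)(i)(A)).
    """
    change = latest_address_change(events, request_date)
    if change is None or (request_date - change.when).days > VALIDATION_WINDOW_DAYS:
        return Decision("ISSUE", "no change of address within the validation window")

    since_change = [e for e in events if change.when <= e.when <= request_date]

    # Para (d): validating when the notification arrives also satisfies the rule;
    # para (c)(2): validation under the issuer's own Program policies.
    if any(e.kind == "VALIDATED" for e in since_change):
        return Decision("ISSUE", "address validated under para (c)(2) or (d)")

    # Para (c)(1): notice at the former address or via an agreed channel, AND a
    # reasonable means of promptly reporting an incorrect change. Both are needed.
    acceptable = {"former_address", *agreed_channels}
    if any(e.kind == "NOTICE_SENT" and e.channel in acceptable and e.reporting_means
           for e in since_change):
        return Decision("ISSUE", "cardholder notified under para (c)(1)")

    return Decision(
        "HOLD",
        "card request within %d days of a change of address" % VALIDATION_WINDOW_DAYS,
        required=(
            "notify cardholder at former address %r or via an agreed channel" % change.former_address,
            "give the cardholder a means of promptly reporting an incorrect change",
            "or otherwise validate the change under the Program (para (c)(2))",
        ),
    )


# Constructed sample history: an address change followed by an e-mail notice that
# used no agreed channel and gave the cardholder no way to report a bad change.
SAMPLE_HISTORY = [
    Event("ADDRESS_CHANGE", date(2008, 11, 3), former_address="12 Old Street"),
    Event("NOTICE_SENT", date(2008, 11, 4), channel="email", reporting_means=False),
]


def demo():
    """Four scenarios; returns the action taken in each."""
    # 17 days after the change and nothing adequate done yet -> HOLD
    hold = decide_card_request(SAMPLE_HISTORY, date(2008, 11, 20))
    # Same request after a proper notice to the former address -> ISSUE
    notified = SAMPLE_HISTORY + [
        Event("NOTICE_SENT", date(2008, 11, 5), channel="former_address", reporting_means=True)
    ]
    issue_notified = decide_card_request(notified, date(2008, 11, 20))
    # 73 days after the change, outside the window -> ISSUE
    issue_late = decide_card_request(SAMPLE_HISTORY, date(2009, 1, 15))
    # E-mail was an agreed channel, but no reporting means was provided -> still HOLD
    hold_agreed = decide_card_request(SAMPLE_HISTORY, date(2008, 11, 20),
                                      agreed_channels=("email",))
    return hold.action, issue_notified.action, issue_late.action, hold_agreed.action


if __name__ == "__main__":
    print(demo())
```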
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the federal credit union. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the federal credit union. For example:
a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other members.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other members.
16. The person opening the covered account or the member fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the federal credit union.
18. For federal credit unions that use challenge questions, the person opening the covered account or the member cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The member fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the member is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the member’s covered account.
24. The federal credit union is notified that the member is not receiving paper account statements.
25. The federal credit union is notified of unauthorized charges or transactions in connection with a member’s covered account.

Notice From Members, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Federal Credit Union
26. The federal credit union is notified by a member, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

FEDERAL TRADE COMMISSION

16 CFR Part 681

Authority and Issuance
■ For the reasons discussed in the joint preamble, the Commission is adding part 681 of title 16 of the Code of Federal Regulations as follows:

PART 681—IDENTITY THEFT RULES
Sec.
681.1 Duties of users of consumer reports regarding address discrepancies.
681.2 Duties regarding the detection, prevention, and mitigation of identity theft.
681.3 Duties of card issuers regarding changes of address.
Appendix A to Part 681—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
Authority: Pub. L. 108–159, sec. 114 and sec. 315; 15 U.S.C. 1681m(e) and 15 U.S.C. 1681c(h).

§ 681.1 Duties of users regarding address discrepancies.
(a) Scope. This section applies to users of consumer reports that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1) (users).
(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.
(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance
with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

§ 681.2 Duties regarding the detection, prevention, and mitigation of identity theft.
(a) Scope. This section applies to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1).
(b) Definitions. For purposes of this section, and Appendix A, the following definitions apply:
(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.
(2) The term board of directors includes:
(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3) Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6) Customer means a person that has a covered account with a financial institution or creditor.
(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).
(8) Identity theft has the same meaning as in 16 CFR 603.2(a).
(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10) Service provider means a person that provides a service directly to the financial institution or creditor.
(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.
(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix A of this part and include in its Program those guidelines that are appropriate.

§ 681.3 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to a person described in § 681.2(a) that issues a debit or credit card (card issuer).
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 681.2 of this part.
(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendix A to Part 681—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
Section 681.2 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 681.2(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 681.2 of this part.

I. The Program
In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags
(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.
(b) Sources of Red Flags.

(3) Applicable supervisory guidance.
(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix A.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags
The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft
The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the customer;
(c) Changing any passwords, security

(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program
Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a) The experiences of the financial institution or creditor with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program
(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 681.2 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 681.2 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.
(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection
Financial codes, or other security devices that permit with one or more covered accounts the institutions and creditors should incorporate access to a covered account; financial institution or creditor should take relevant Red Flags from sources such as: (d) Reopening a covered account with a steps to ensure that the activity of the service (1) Incidents of identity theft that the new account number; provider is conducted in accordance with financial institution or creditor has (e) Not opening a new covered account; reasonable policies and procedures designed jlentini on PROD1PC65 with RULES4 experienced; (f) Closing an existing covered account; to detect, prevent, and mitigate the risk of (2) Methods of identity theft that the (g) Not attempting to collect on a covered identity theft. For example, a financial financial institution or creditor has identified account or not selling a covered account to institution or creditor could require the that reflect changes in identity theft risks; a debt collector; service provider by contract to have policies and (h) Notifying law enforcement; or and procedures to detect relevant Red Flags VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00057 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • 63774 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations that may arise in the performance of the 8. Other information on the identification a new, additional, or replacement card or a service provider’s activities, and either report is not consistent with readily accessible cell phone, or for the addition of authorized the Red Flags to the financial institution or information that is on file with the financial users on the account. creditor, or to take appropriate steps to institution or creditor, such as a signature 20. A new revolving credit account is used prevent or mitigate identity theft. card or a recent check. in a manner commonly associated with VII. Other Applicable Legal Requirements 9. An application appears to have been known patterns of fraud patterns. For altered or forged, or gives the appearance of example: Financial institutions and creditors should having been destroyed and reassembled. a. The majority of available credit is used be mindful of other related legal for cash advances or merchandise that is requirements that may be applicable, such as: Suspicious Personal Identifying Information easily convertible to cash (e.g., electronics (a) For financial institutions and creditors 10. Personal identifying information equipment or jewelry); or that are subject to 31 U.S.C. 5318(g), filing a provided is inconsistent when compared b. The customer fails to make the first Suspicious Activity Report in accordance against external information sources used by payment or makes an initial payment but no with applicable law and regulation; the financial institution or creditor. For subsequent payments. (b) Implementing any requirements under example: 21. A covered account is used in a manner 15 U.S.C. 1681c–1(h) regarding the a. The address does not match any address that is not consistent with established circumstances under which credit may be in the consumer report; or patterns of activity on the account. 
There is, extended when the financial institution or b. The Social Security Number (SSN) has for example: creditor detects a fraud or active duty alert; not been issued, or is listed on the Social a. Nonpayment when there is no history of (c) Implementing any requirements for Security Administration’s Death Master File. late or missed payments; furnishers of information to consumer 11. Personal identifying information b. A material increase in the use of reporting agencies under 15 U.S.C. 1681s–2, provided by the customer is not consistent available credit; for example, to correct or update inaccurate c. A material change in purchasing or with other personal identifying information or incomplete information, and to not report spending patterns; provided by the customer. For example, there information that the furnisher has reasonable d. A material change in electronic fund is a lack of correlation between the SSN cause to believe is inaccurate; and transfer patterns in connection with a deposit range and date of birth. (d) Complying with the prohibitions in 15 account; or 12. Personal identifying information U.S.C. 1681m on the sale, transfer, and e. A material change in telephone call provided is associated with known placement for collection of certain debts patterns in connection with a cellular phone fraudulent activity as indicated by internal or resulting from identity theft. account. third-party sources used by the financial Supplement A to Appendix A institution or creditor. For example: 22. A covered account that has been a. The address on an application is the inactive for a reasonably lengthy period of In addition to incorporating Red Flags from time is used (taking into consideration the the sources recommended in section II.b. of same as the address provided on a fraudulent application; or type of account, the expected pattern of usage the Guidelines in Appendix A of this part, and other relevant factors). each financial institution or creditor may b. 
The phone number on an application is the same as the number provided on a 23. Mail sent to the customer is returned consider incorporating into its Program, repeatedly as undeliverable although whether singly or in combination, Red Flags fraudulent application. 13. Personal identifying information transactions continue to be conducted in from the following illustrative examples in connection with the customer’s covered connection with covered accounts: provided is of a type commonly associated with fraudulent activity as indicated by account. Alerts, Notifications or Warnings from a internal or third-party sources used by the 24. The financial institution or creditor is Consumer Reporting Agency financial institution or creditor. For example: notified that the customer is not receiving a. The address on an application is paper account statements. 1. A fraud or active duty alert is included fictitious, a mail drop, or a prison; or 25. The financial institution or creditor is with a consumer report. 2. A consumer reporting agency provides a b. The phone number is invalid, or is notified of unauthorized charges or notice of credit freeze in response to a associated with a pager or answering service. transactions in connection with a customer’s request for a consumer report. 14. The SSN provided is the same as that covered account. 3. A consumer reporting agency provides a submitted by other persons opening an Notice from Customers, Victims of Identity notice of address discrepancy, as defined in account or other customers. Theft, Law Enforcement Authorities, or Other § 681.1(b) of this part. 15. The address or telephone number Persons Regarding Possible Identity Theft in 4. 
A consumer report indicates a pattern of provided is the same as or similar to the Connection With Covered Accounts Held by activity that is inconsistent with the history account number or telephone number the Financial Institution or Creditor and usual pattern of activity of an applicant submitted by an unusually large number of 26. The financial institution or creditor is or customer, such as: other persons opening accounts or other notified by a customer, a victim of identity a. A recent and significant increase in the customers. theft, a law enforcement authority, or any volume of inquiries; 16. The person opening the covered other person that it has opened a fraudulent b. An unusual number of recently account or the customer fails to provide all account for a person engaged in identity established credit relationships; required personal identifying information on theft. c. A material change in the use of credit, an application or in response to notification especially with respect to recently that the application is incomplete. Dated: October 5, 2007. established credit relationships; or 17. Personal identifying information John C. Dugan, d. An account that was closed for cause or provided is not consistent with personal Comptroller of the Currency. identified for abuse of account privileges by identifying information that is on file with a financial institution or creditor. the financial institution or creditor. By order of the Board of Governors of the 18. For financial institutions and creditors Federal Reserve System, October 29, 2007. Suspicious Documents Jennifer J. Johnson, that use challenge questions, the person 5. Documents provided for identification opening the covered account or the customer Secretary of the Board. appear to have been altered or forged. cannot provide authenticating information 6. 
The photograph or physical description beyond that which generally would be Dated at Washington, DC, this 16th day of on the identification is not consistent with available from a wallet or consumer report. October, 2007. the appearance of the applicant or customer By order of the Board of Directors. jlentini on PROD1PC65 with RULES4 presenting the identification. Unusual Use of, or Suspicious Activity Related to, the Covered Account Federal Deposit Insurance Corporation. 7. Other information on the identification Robert E. Feldman, is not consistent with information provided 19. Shortly following the notice of a change by the person opening a new covered account of address for a covered account, the Executive Secretary. or customer presenting the identification. institution or creditor receives a request for Dated: October 24, 2007. VerDate Aug<31>2005 22:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00058 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
    • Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63775 By the Office of Thrift Supervision. John M. Reich, Director. By order of the National Credit Union Administration Board, October 15, 2007. Mary Rupp, Secretary of the Board. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 07–5453 Filed 11–8–07; 8:45 am] BILLING CODE 4810–33–P; 6210–01–P; 6714–01–P; 6720–01–P; 7535–01–P; 6750–01–P jlentini on PROD1PC65 with RULES4 VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00059 Fmt 4701 Sfmt 4700 E:FRFM09NOR4.SGM 09NOR4
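Supplement A lists its Red Flags as indicators rather than as checks, so it is worth seeing how a handful of them reduce to concrete screening logic over the records an institution already holds. The following is an added example, not text or code from the rule or from any agency: it screens constructed application and account-activity records for illustrative items 10b, 12, 14, 15, 16, 19 and 23. The record fields, the 30-day window used for item 19, the three-applicant sharing threshold used for item 15, the two-return threshold used for item 23 and every sample value are assumptions chosen for illustration; a real Program would set these from the institution's own risk factors under section II(a).

```python
"""Screen constructed records against a few illustrative Supplement A Red Flags.

Added example, not part of the rule. Field names, thresholds and sample values
are assumptions made for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Application:
    app_id: str
    ssn: str
    address: str
    phone: str
    complete: bool = True  # all required identifying information supplied (item 16)


@dataclass
class AccountActivity:
    account_id: str
    address_change: Optional[date]
    card_request: Optional[date]
    returned_mail: int               # undeliverable returns in the review period
    transactions_after_returns: int  # activity that continued despite the returns


def screen_application(app, all_apps, fraud_addresses, fraud_phones,
                       death_master_file, share_threshold=3):
    """Return the Supplement A item labels raised by a single application."""
    flags = []
    others = [a for a in all_apps if a.app_id != app.app_id]
    if app.ssn in death_master_file:
        flags.append("10b")   # SSN listed on the Death Master File (external source)
    if app.address in fraud_addresses:
        flags.append("12a")   # address matches a prior fraudulent application
    if app.phone in fraud_phones:
        flags.append("12b")   # phone matches a prior fraudulent application
    if any(o.ssn == app.ssn for o in others):
        flags.append("14")    # SSN also submitted by another applicant
    address_users = Counter(a.address for a in all_apps)
    phone_users = Counter(a.phone for a in all_apps)
    if (address_users[app.address] >= share_threshold
            or phone_users[app.phone] >= share_threshold):
        flags.append("15")    # address/phone shared by an unusually large number of applicants
    if not app.complete:
        flags.append("16")    # required identifying information missing
    return flags


def screen_activity(act, window_days=30, return_threshold=2):
    """Return the Supplement A item labels raised by one account's activity."""
    flags = []
    if act.address_change and act.card_request:
        delta = act.card_request - act.address_change
        if timedelta(0) <= delta <= timedelta(days=window_days):
            flags.append("19")  # card request shortly after an address change
    if act.returned_mail >= return_threshold and act.transactions_after_returns > 0:
        flags.append("23")      # mail repeatedly undeliverable while activity continues
    return flags


# Constructed sample data; the SSNs and phone numbers are placeholders, not real values.
FRAUD_ADDRESSES = {"12 Example Row, Anytown"}
FRAUD_PHONES = {"555-0177"}
DEATH_MASTER_FILE = {"000-00-0003"}
APPLICATIONS = [
    Application("A1", "000-00-0001", "1 Sample St", "555-0100"),
    Application("A2", "000-00-0002", "12 Example Row, Anytown", "555-0177"),
    Application("A3", "000-00-0003", "2 Sample St", "555-0102"),
    Application("A4", "000-00-0003", "3 Sample St", "555-0103", complete=False),
    Application("A5", "000-00-0005", "4 Sample St", "555-0199"),
    Application("A6", "000-00-0006", "5 Sample St", "555-0199"),
    Application("A7", "000-00-0007", "6 Sample St", "555-0199"),
]
ACTIVITY = [
    AccountActivity("X1", date(2007, 10, 1), date(2007, 10, 10), 0, 0),
    AccountActivity("X2", date(2007, 8, 1), date(2007, 10, 10), 3, 5),
    AccountActivity("X3", None, None, 0, 0),
]


def run_screen():
    """Screen every sample record; returns (application flags, activity flags)."""
    app_flags = {a.app_id: screen_application(a, APPLICATIONS, FRAUD_ADDRESSES,
                                              FRAUD_PHONES, DEATH_MASTER_FILE)
                 for a in APPLICATIONS}
    act_flags = {x.account_id: screen_activity(x) for x in ACTIVITY}
    return app_flags, act_flags


if __name__ == "__main__":
    apps, acts = run_screen()
    for key, value in list(apps.items()) + list(acts.items()):
        print(key, value or "no Red Flags")
```

Each label maps back to a numbered item in Supplement A so that a flagged record can be routed to the response list in section IV; in this data A1 raises nothing, A2 hits items 12a and 12b, A3 and A4 share a Death Master File SSN, the three applicants on one phone number each trip item 15, and X2 shows returned mail with continuing activity while its card request falls outside the 30-day window.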