Friday, November 9, 2007

Part IV

Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Part 41

Federal Reserve System
12 CFR Part 222

Federal Deposit Insurance Corporation
12 CFR Parts 334 and 364

Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571

National Credit Union Administration
12 CFR Part 717

Federal Trade Commission
16 CFR Part 681

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule

63718 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket ID OCC–2007–0017]
RIN 1557–AC87

FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Docket No. R–1255]

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 334 and 364
RIN 3064–AD00

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket No. OTS–2007–0019]
RIN 1550–AC04

NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 717

FEDERAL TRADE COMMISSION
16 CFR Part 681
RIN 3084–AA94

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); and Federal Trade Commission (FTC or Commission).

ACTION: Joint final rules and guidelines.

SUMMARY: The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) are jointly issuing final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. The rules implementing section 114 require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. In addition, the Agencies are issuing guidelines to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the rules. The rules implementing section 114 also require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. Additionally, the Agencies are issuing joint rules under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.

DATES: The joint final rules and guidelines are effective January 1, 2008. The mandatory compliance date for this rule is November 1, 2008.

FOR FURTHER INFORMATION CONTACT:

OCC: Amy Friend, Assistant Chief Counsel, (202) 874–5200; Deborah Katz, Senior Counsel, or Andra Shuster, Special Counsel, Legislative and Regulatory Activities Division, (202) 874–5090; Paul Utterback, Compliance Specialist, Compliance Department, (202) 874–5461; or Aida Plaza Carter, Director, Bank Information Technology, (202) 874–4740, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

Board: David A. Stein or Ky Tran-Trong, Counsels, or Amy Burke, Attorney, Division of Consumer and Community Affairs, (202) 452–3667; Kara L. Handzlik, Attorney, Legal Division, (202) 452–3852; or John Gibbons, Supervisory Financial Analyst, Division of Banking Supervision and Regulation, (202) 452–6409, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551.

FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898–3872, or David P. Lafleur, Policy Analyst, (202) 898–6569, Division of Supervision and Consumer Protection; Richard M. Schwartz, Counsel, (202) 898–7424, or Richard B. Foley, Counsel, (202) 898–3784, Legal Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

OTS: Ekita Mitchell, Consumer Regulations Analyst, Compliance and Consumer Protection, (202) 906–6451; Kathleen M. McNulty, Technology Program Manager, Information Technology Risk Management, (202) 906–6322; or Richard Bennett, Senior Compliance Counsel, Regulations and Legislation Division, (202) 906–7409, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.

NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518–6540, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314–3428.

FTC: Naomi B. Lefkovitz, Attorney, or Pavneet Singh, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326–2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington DC 20580.

SUPPLEMENTARY INFORMATION:

I. Introduction

The President signed the FACT Act into law on December 4, 2003.¹ The FACT Act added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 et seq. Section 114 of the FACT Act, 15 U.S.C. 1681m(e), amends section 615 of the FCRA, and directs the Agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances.² Section 315 of the FACT Act, 15 U.S.C. 1681c(h), adds a new section 605(h)(2) to the FCRA requiring the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.

On July 18, 2006, the Agencies published a joint notice of proposed rulemaking (NPRM) in the Federal Register (71 FR 40786) proposing rules and guidelines to implement section 114 and proposing rules to implement section 315 of the FACT Act. The public comment period closed on September 18, 2006. The Agencies collectively received a total of 129 comments in response to the NPRM, although many commenters sent copies of the same letter to each of the Agencies. The comments included 63 from financial institutions, 12 from financial institution holding companies, 23 from financial institution trade associations, 12 from individuals, nine from other trade associations, five from other business entities, three from consumer

¹ Pub. L. 108–159.

² Section 111 of the FACT Act defines “identity theft” as “a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade] Commission may prescribe, by regulation.” 15 U.S.C. 1681a(q)(3).


groups,³ one from a member of Congress, and one from the United States Small Business Administration (SBA).

II. Section 114 of the FACT Act

A. Red Flag Regulations and Guidelines

1. Background

Section 114 of the FACT Act requires the Agencies to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. Section 114 also directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or “customer.”⁴

In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures issued under section 326 of the USA PATRIOT Act,⁵ 31 U.S.C. 5318(l), that require verification of the identity of persons opening new accounts. The Agencies also must consider including reasonable guidelines that would apply when a transaction occurs in connection with a consumer’s credit or deposit account that has been inactive for two years. These guidelines would provide that in such circumstances, a financial institution or creditor “shall follow reasonable policies and procedures” for notifying the consumer, “in a manner reasonably designed to reduce the likelihood of identity theft.”

2. Overview of Proposal and Comments Received

The Agencies proposed to implement section 114 through regulations requiring each financial institution and creditor to implement a written Program to detect, prevent and mitigate identity theft in connection with the opening of an account or any existing account. The Agencies also proposed guidelines that identified 31 patterns, practices, and specific forms of activity that indicate a possible risk of identity theft. The proposed regulations required each financial institution and creditor to incorporate into its Program relevant indicators of a possible risk of identity theft (Red Flags), including indicators from among those listed in the guidelines. To promote flexibility and responsiveness to the changing nature of identity theft, the proposed rules also stated that covered entities would need to include in their Programs relevant Red Flags from applicable supervisory guidance, their own experiences, and methods that the entity had identified that reflect changes in identity theft risks.

The Agencies invited comment on all aspects of the proposed regulations and guidelines implementing section 114, and specifically requested comment on whether the elements described in section 114 had been properly allocated between the proposed regulations and the proposed guidelines.

Consumer groups maintained that the proposed regulations provided too much discretion to financial institutions and creditors to decide which accounts and Red Flags to include in their Programs and how to respond to those Red Flags. These commenters stated that the flexible and risk-based approach taken in the proposed rulemaking would permit “business as usual.”

Some small financial institutions also expressed concern about the flexibility afforded by the proposal. These commenters stated that they preferred to have clearer, more structured guidance describing exactly how to develop and implement a Program and what they would need to do to achieve compliance.

Most commenters, however, including many financial institutions and creditors, asserted that the proposal was overly prescriptive, contained requirements beyond those mandated in the FACT Act, would be costly and burdensome to implement, and would complicate the existing efforts of financial institutions and creditors to detect and prevent identity theft. Some industry commenters asserted that the rulemaking was unnecessary because large businesses, such as banks and telecommunications companies, already are motivated to prevent identity theft and other forms of fraud in order to limit their own financial losses. Financial institution commenters maintained that they are already doing most of what would be required by the proposal as a result of having to comply with the customer identification program (CIP) regulations implementing section 326 of the USA PATRIOT Act⁶ and other existing requirements. These commenters suggested that the regulations and guidelines take the form of broad objectives modeled on the objectives set forth in the “Interagency Guidelines Establishing Information Security Standards” (Information Security Standards).⁷ A few financial institution commenters asserted that the primary cause of identity theft is the lack of care on the part of the consumer. They stated that consumers should be held responsible for protecting their own identifying information.

The Agencies have modified the proposed rules and guidelines in light of the comments received. An overview of the final rules, guidelines, and supplement, a discussion of the comments, and the specific manner in which the proposed rules and guidelines have been modified, follows.

3. Overview of final rules and guidelines

The Agencies are issuing final rules and guidelines that provide both flexibility and more guidance to financial institutions and creditors. The final rules also require the Program to address accounts where identity theft is most likely to occur. The final rules also describe which financial institutions and creditors are required to have a Program, the objectives of the Program, the elements that the Program must contain, and how the Program must be administered.

Under the final rules, only those financial institutions and creditors that offer or maintain “covered accounts” must develop and implement a written Program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Each financial institution and creditor must periodically determine whether it offers or maintains a “covered account.”

The final regulations provide that the Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. In addition, the Program must be tailored to the entity’s size, complexity and nature of its operations.

³ One of these letters represented the comments of five consumer groups.

⁴ Use of the term “customer,” here, appears to be a drafting error and likely should read “creditor.”

⁵ Pub. L. 107–56.

⁶ See, e.g., 31 CFR 103.121 (applicable to banks, thrifts and credit unions and certain non-federally regulated banks).

⁷ 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions).


The final regulations list the four basic elements that must be included in the Program of a financial institution or creditor. The Program must contain “reasonable policies and procedures” to:

• Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
• Detect Red Flags that have been incorporated into the Program;
• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
• Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.

In order to provide financial institutions and creditors with more flexibility in developing a Program, the Agencies have moved certain detail formerly contained in the proposed regulations to the guidelines located in Appendix J. This detailed guidance should assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulations to detect, prevent, and mitigate identity theft. Each financial institution or creditor that is required to implement a Program must consider the guidelines and include in its Program those guidelines that are appropriate. The guidelines provide policies and procedures for use by institutions and creditors, where appropriate, to satisfy the requirements of the final rules, including the four elements listed above. While an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program, the Program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rules. The illustrative examples of Red Flags formerly in Appendix J are now listed in a supplement to the guidelines.

4. Section-by-Section Analysis⁸

Section __.90(a) Purpose and Scope

Proposed § __.90(a) described the statutory authority for the proposed regulations, namely, section 114 of the FACT Act. It also defined the scope of this section; each of the Agencies proposed tailoring this paragraph to describe those entities to which this section would apply. The Agencies received no comments on this section, and it is adopted as proposed.

Section __.90(b) Definitions

Proposed § __.90(b) contained definitions of various terms that applied to the proposed rules and guidelines. While § __.90(b) of the final rules continues to describe the definitions applicable to the final rules and guidelines, changes have been made to address the comments, as follows.

Section __.90(b)(1) Account. The Agencies proposed using the term “account” to describe the relationships covered by section 114 that an account holder or customer may have with a financial institution or creditor.⁹ The proposed definition of “account” was “a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).” The definition also gave examples of types of “accounts.”

Some commenters stated that the regulations do not need a definition of “account” to give effect to their terms. Some commenters maintained that a new definition for “account” would be confusing as this term is already defined inconsistently in several regulations and in section 615(e) of the FCRA. These commenters recommended that the Agencies use the term “continuing relationship” instead, and define this phrase in a manner consistent with the Agencies’ privacy rules¹⁰ implementing Title V of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801.¹¹ These commenters urged that the definition of “account” not be expanded to include relationships that are not “continuing.” They stated that it would be very burdensome to gather and maintain information on non-customers for one-time transactions. Other commenters suggested defining the term “account” in a manner consistent with the CIP rules.

Many commenters stated that defining “account” to cover both consumer and business accounts was too broad, exceeded the scope of the FACT Act, and would make the regulation too burdensome. These commenters recommended limiting the scope of the regulations and guidelines to cover only consumer financial services, specifically accounts established for personal, family and household purposes, because these types of accounts typically are targets of identity theft. They asserted that identity theft has not historically been common in connection with business or commercial accounts.

Consumer groups maintained that the proposed definition of “account” was too narrow. They explained that because the proposed definition was tied to financial products and services that can be offered under the Bank Holding Company Act, it inappropriately excluded certain transactions involving creditors that are not financial institutions that should be covered by the regulations. Some of these commenters recommended that the definition of “account” include any relationship with a financial institution or creditor in which funds could be intercepted or credit could be extended, as well as any other transaction which could obligate an individual or other covered entity, including transactions that do not result in a continuing relationship. Others suggested that there should be no flexibility to exclude any account that is held by an individual or which generates information about individuals that reflects on their financial or credit reputations.

The Agencies have modified the definition of “account” to address these comments. First, the final rules now apply to “covered accounts,” a term that the Agencies have added to the definition section to eliminate

⁸ The OCC, Board, FDIC, OTS and NCUA are placing the regulations and guidelines implementing section 114 in the part of their regulations that implement the FCRA—12 CFR parts 41, 222, 334, 571, and 717, respectively. In addition, the FDIC cross-references the regulations and guidelines in 12 CFR part 364. For ease of reference, the discussion in this preamble uses the shared numerical suffix of each of these agency’s regulations. The FTC also is placing the final regulations and guidelines in the part of its regulations implementing the FCRA, specifically 16 CFR part 681. However, the FTC uses different numerical suffixes that equate to the numerical suffixes discussed in the preamble as follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 = FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition, Appendix J referenced in the preamble is the FTC’s Appendix A.

⁹ The Agencies acknowledged that section 114 does not use the term “account” and, in other contexts, the FCRA defines the term “account” narrowly to describe certain consumer deposit or asset accounts. See 15 U.S.C. 1681a(r)(4).

¹⁰ See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716 (NCUA); and 16 CFR 313 (FTC).

¹¹ Pub. L. 106–102.


confusion between these rules and other rules that apply to an “account.” The Agencies have retained a definition of “account” simply to clarify and provide context for the definition of “covered account.”

Section 114 provides broad discretion to the Agencies to prescribe regulations and guidelines to address identity theft. The terminology in section 114 is not confined to “consumer” accounts. While identity theft primarily has been directed at consumers, the Agencies are aware that small businesses also have been targets of identity theft. Over time, identity theft could expand to affect other types of accounts. Thus, the definition of “account” in § __.90(b)(1) of the final rules continues to cover any relationship to obtain a product or service that an account holder or customer may have with a financial institution or creditor.¹² Through examples, the definition makes clear that the purchase of property or services involving a deferred payment is considered to be an account.

Although the definition of “account” includes business accounts, the risk-based nature of the final rules allows each financial institution or creditor flexibility to determine which business accounts will be covered by its Program through a risk evaluation process.

The Agencies also recognize that a person may establish a relationship with a creditor, such as an automobile dealer or a telecommunications provider, primarily to obtain a product or service that is not financial in nature. To make clear that an “account” includes relationships with creditors that are not financial institutions, the definition is no longer tied to the provision of “financial” products and services. Accordingly, the Agencies have deleted the reference to the Bank Holding Company Act.

The definition of “account” still includes the words “continuing relationship.” The Agencies have determined that, at this time, the burden that would be imposed upon financial institutions and creditors by a requirement to detect, prevent and mitigate identity theft in connection with single, non-continuing transactions by non-customers would outweigh the benefits of such a requirement. The Agencies recognize, however, that identity theft may occur at the time of account opening. Therefore, as detailed below, the obligations of the final rule apply not only to existing accounts, where a relationship already has been established, but also to account openings, when a relationship has not yet been established.

Section __.90(b)(2) Board of Directors. The proposed regulations discussed the role of the board of directors of a financial institution or creditor. For financial institutions and creditors covered by the regulations that do not have boards of directors, the proposed regulations defined “board of directors” to include, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency. For other creditors that do not have boards of directors, the proposed regulations defined “board of directors” as a designated employee.

Consumer groups objected to the proposed definition as it applied to creditors that do not have boards of directors. These commenters recommended that for these entities, “board of directors” should be defined as a designated employee at the level of senior management. They asserted that otherwise, institutions that do not have a board of directors would be given an unfair advantage for purposes of the substantive provisions of the rules, because they would be permitted to assign any employee to fulfill the role of the “board of directors.”

The Agencies agree this important role should be performed by an employee at the level of senior management, rather than any designated employee. Accordingly, the definition of “board of directors” has been revised in § __.90(b)(2) of the final rules so that, in the case of a creditor that does not have a board of directors, the term “board of directors” means “a designated employee at the level of senior management.”

Section __.90(b)(3) Covered Account. As mentioned previously, the Agencies have added a new definition of “covered account” in § __.90(b)(3) to describe the type of “account” covered by the final rules. The proposed rules would have provided a financial institution or creditor with broad flexibility to apply its Program to those accounts that it determined were vulnerable to the risk of identity theft, and did not mandate coverage of any particular type of account.

Consumer group commenters urged the Agencies to limit the discretion afforded to financial institutions and creditors by requiring them to cover consumer accounts in their Programs. While seeking to preserve their discretion, many industry commenters requested that the Agencies limit the final rules to consumer accounts, where identity theft is most likely to occur.

The Agencies recognize that consumer accounts are presently the most common target of identity theft and acknowledge that Congress expected the final regulation to address risks of identity theft to consumers.¹³ For this reason, the final rules require each Program to cover accounts established primarily for personal, family or household purposes, that involve or are designed to permit multiple payments or transactions, i.e., consumer accounts. As discussed above in connection with the definition of “account,” the final rules also require the Programs of financial institutions and creditors to cover any other type of account that the institution or creditor offers or maintains for which there is a reasonably foreseeable risk from identity theft.

Accordingly, the definition of “covered account” is divided into two parts. The first part refers to “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.” The definition provides examples to illustrate that these types of consumer accounts include, “a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.”¹⁴

The second part of the definition refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” This part of the definition reflects the Agencies’ belief that other types of accounts, such as small business accounts or sole proprietorship accounts, may be vulnerable to identity theft, and, therefore, should be considered for coverage by the Program of a financial institution or creditor.

In response to the proposed definition of “account,” a trade association representing credit unions suggested that the term “customer” in the definition be revised to refer to

¹² Accordingly, the definition of “account” still applies to fiduciary, agency, custodial, brokerage and investment advisory activities.

¹³ See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) (accompanying S. 1753).

¹⁴ These examples reflect the fact that the rules are applicable to a variety of financial institutions and creditors. They are not intended to confer any additional powers on covered entities. Nonetheless, some of the Agencies have chosen to limit the examples in their rule texts to those products covered entities subject to their jurisdiction are legally permitted to offer.


“member” to better reflect the ownership structure of some financial institutions or to “consumer” to include all individuals doing business at all types of financial institutions. The definition of “account” in the final rules no longer makes reference to the term “customer”; however, the definition of “covered account” continues to employ this term, to be consistent with section 114 of the FACT Act, which uses the term “customer.” Of course, in the case of credit unions, the final rules and guidelines will apply to the accounts of members that are maintained primarily for personal, family, or household purposes, and those that are otherwise subject to a reasonably foreseeable risk of identity theft.

Sections l.90(b)(4) and (b)(5) Credit and Creditor. The proposed rules defined these terms by cross-reference to the relevant sections of the FCRA. There were no comments on the definition of “credit” and § l.90(b)(4) of the final rules adopts the definition as proposed.

Some commenters asked the Agencies to clarify that the term “creditor” does not cover third-party debt collectors who regularly arrange for the extension, renewal, or continuation of credit. Section 114 applies to financial institutions and creditors. Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.[15] ECOA defines “creditor” to include a person who arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors. 15 U.S.C. 1691a(e). Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules, and § l.90(b)(5) of the final rules adopts the definition of “creditor” as proposed.

Section l.90(b)(6) Customer. Section 114 of the FACT Act refers to “account holders” and “customers” of financial institutions and creditors without defining either of these terms. For ease of reference, the Agencies proposed to use the term “customer” to encompass both “customers” and “account holders.” “Customer” was defined as a person that has an account with a financial institution or creditor. The proposed definition of “customer” applied to any “person,” defined by the FCRA as any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.[16] The proposal explained that the Agencies chose this broad definition because, in addition to individuals, various types of entities (e.g., small businesses) can be victims of identity theft. Under the proposed definition, however, a financial institution or creditor would have had the discretion to determine which type of customer accounts would be covered under its Program, since the proposed regulations were risk-based.[17]

As noted above, most industry commenters maintained that including all persons, not just consumers, within the definition of “customer” would impose a substantial financial burden on financial institutions and creditors, and make compliance with the regulations more burdensome. These commenters stated that business identity theft is rare, and maintained that financial institutions and creditors should be allowed to direct their fraud prevention resources to the areas of highest risk. They also noted that businesses are more sophisticated than consumers, and are in a better position to protect themselves against fraud than consumers, both in terms of prevention and in enforcing their legal rights.

Some financial institution commenters were concerned that the broad definition of “customer” would create opportunities for commercial customers to shift responsibility from themselves to the financial institution for not discovering Red Flags and alerting business customers about embezzlement or other fraudulent transactions by the commercial customer’s own employees. These commenters suggested narrowing the definition to cover natural persons and to exclude business customers. Some of these commenters suggested that the definition of “customer” should be consistent with the definition of this term in the Information Security Standards and the Agencies’ privacy rules.

Consumer groups commented that the proposed definition of “customer” was too narrow. They recommended that the definition be amended, so that the regulations would not only protect persons who are already customers of a financial institution or creditor, but also persons whose identities are used by an imposter to open an account.

Section l.90(b)(6) of the final rule defines “customer” to mean a person that has a “covered account” with a financial institution or creditor. Under the definition of “covered account,” an individual who has a consumer account will always be a “customer.” A “customer” may also be a person that has another type of account for which a financial institution or creditor determines there is a reasonably foreseeable risk to its customers or to its own safety and soundness from identity theft.

The Agencies note that the Information Security Standards and the privacy rules implemented various sections of Title V of the GLBA, 15 U.S.C. 6801, which specifically apply only to customers who are consumers. By contrast, section 114 does not define the term “customer.” Because the Agencies continue to believe that a business customer can be a target of identity theft, the final rules contain a risk-based process designed to ensure that these types of customers will be covered by the Program of a financial institution or creditor, when the risk of identity theft is reasonably foreseeable.

The definition of “customer” in the final rules continues to cover only customers that already have accounts. The Agencies note, however, that the substantive provisions of the final rules, described later, require the Program of a financial institution or creditor to detect, prevent, and mitigate identity theft in connection with the opening of a covered account as well as any existing covered account. The final rules address persons whose identities are used by an imposter to open an account in these substantive provisions, rather than through the definition of “customer.”

Section l.90(b)(7) Financial Institution. The Agencies received no comments on the proposed definition of “financial institution.” It is adopted in § l.90(b)(7), as proposed, with a cross-reference to the relevant definition in the FCRA.

Section l.90(b)(8) Identity Theft. The proposal defined “identity theft” by cross-referencing the FTC’s rule that defines “identity theft” for purposes of the FCRA.[18]

Most industry commenters objected to the breadth of the proposed definition of “identity theft.” They recommended that the definition include only actual fraud committed using identifying information of a consumer, and exclude attempted fraud, identity theft committed against businesses, and any identity fraud involving the creation of a fictitious identity using fictitious data combined with real information from

[15] See 15 U.S.C. 1681a(r)(5).
[16] See 15 U.S.C. 1681a(b).
[17] Proposed § l.90(d)(1) required this determination to be substantiated by a risk evaluation that takes into consideration which customer accounts of the financial institution or creditor are subject to a risk of identity theft.
[18] 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)). Section 111 of the FACT Act added several new definitions to the FCRA, including “identity theft,” and authorized the FTC to further define this term. See 15 U.S.C. 1681a.

Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63723

multiple individuals. By contrast, consumer groups supported a broad interpretation of “identity theft,” including the incorporation of “attempted fraud” in the definition.

Section l.90(b)(8) of the final rules adopts the definition of “identity theft” as proposed. The Agencies believe that it is important to ensure that all provisions of the FACT Act that address identity theft are interpreted in a consistent manner. Therefore, the final rule continues to define identity theft with reference to the FTC’s regulation, which as currently drafted provides that the term “identity theft” means “a fraud committed or attempted using the identifying information of another person without authority.”[19] The FTC defines the term “identifying information” to mean “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any—
(1) Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
Thus, under the FTC’s regulation, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of “identity theft” because such a fraud involves “using the identifying information of another person without authority.”[20]

Section l.90(b)(9) Red Flag. The proposed regulations defined “Red Flag” as a pattern, practice, or specific activity that indicates the possible risk of identity theft. The preamble to the proposed rules explained that indicators of a “possible risk” of identity theft would include precursors to identity theft such as phishing,[21] and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. The preamble explained that the Agencies included such precursors to identity theft as “Red Flags” to better position financial institutions and creditors to stop identity theft at its inception.

Most industry commenters objected to the broad scope of the definition of “Red Flag,” particularly the phrase “possible risk of identity theft.” These commenters believed that this definition would require financial institutions and creditors to identify all risks and develop procedures to prevent or mitigate them, without regard to the significance of the risk. They asserted that the statute does not support the use of “possible risk” and suggested defining a “Red Flag” as an indicator of significant, substantial, or the probable risk of identity theft. These commenters stated that this would allow a financial institution or creditor to focus compliance in areas where it is most needed.

Most industry commenters also stated that the inclusion of precursors to identity theft in the definition of “Red Flag” would make the regulations even broader and more burdensome. They stated that financial institutions and creditors do not have the ability to detect and respond to precursors, such as phishing, in the same manner as other Red Flags that are more indicative of actual ongoing identity theft.

By contrast, consumer groups supported the inclusion of the phrase “possible risk of identity theft” and the reference to precursors in the proposed definition of “Red Flag.” These commenters stated that placing emphasis on detecting precursors to identity theft, instead of waiting for proven cases, is the right approach.

The Agencies have concluded that the phrase “possible risk” in the proposed definition of “Red Flag” is confusing and could unduly burden entities with limited resources. Therefore, the final rules define “Red Flag” in § l.90(b)(9) using language derived directly from section 114, namely, “a pattern, practice, or specific activity that indicates the possible existence of identity theft.”[22]

The Agencies continue to believe, however, that financial institutions and creditors should consider precursors to identity theft in order to stop identity theft before it occurs. Therefore, as described below, the Agencies have chosen to address precursors directly, through a substantive provision in section IV of the guidelines titled “Prevention and Mitigation,” rather than through the definition of “Red Flag.” This provision states that a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft in determining an appropriate response to the Red Flags it detects.

Section l.90(b)(10) Service Provider. The proposed regulations defined “service provider” as a person that provides a service directly to the financial institution or creditor. This definition was based upon the definition of “service provider” in the Information Security Standards.[23]

One commenter agreed with this definition. However, two other commenters stated that the definition was too broad. They suggested narrowing the definition of “service provider” to persons or entities that have access to customer information.

Section l.90(b)(10) of the final rules adopts the definition as proposed. The Agencies have concluded that defining “service provider” to include only persons that have access to customer information would inappropriately narrow the coverage of the final rules. The Agencies have interpreted section 114 broadly to require each financial institution and creditor to detect, prevent, and mitigate identity theft not only in connection with any existing covered account, but also in connection with the opening of an account. A financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider. Thus, a financial institution or creditor that uses a service provider to open accounts will need to provide for the detection, prevention, and mitigation of identity theft in connection with this activity, even when the service provider has access to the information of a person who is not yet, and may not become, a “customer.”

Section l.90(c) Periodic Identification of Covered Accounts

To simplify compliance with the final rules, the Agencies added a new provision in § l.90(c) that requires each financial institution and creditor to periodically determine whether it offers or maintains any covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it

[19] See 16 CFR 603.2(a).
[20] See 16 CFR 603.2(b).
[21] Electronic messages to customers of financial institutions and creditors directing them to provide personal information in response to a fraudulent e-mail.
[22] 15 U.S.C. 1681m(c)(2)(A).
[23] The Information Security Standards define “service provider” to mean any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through the provision of services directly to the financial institution. 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions).

63724 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

offers or maintains covered accounts described in § l.90(b)(3)(ii) (accounts other than consumer accounts), taking into consideration:
• The methods it provides to open its accounts;
• The methods it provides to access its accounts; and
• Its previous experiences with identity theft.

Thus, a financial institution or creditor should consider whether, for example, a reasonably foreseeable risk of identity theft may exist in connection with business accounts it offers or maintains that may be opened or accessed remotely, through methods that do not require face-to-face contact, such as through the internet or telephone. In addition, those institutions and creditors that offer or maintain business accounts that have been the target of identity theft should factor those experiences with identity theft into their determination.

This provision is modeled on various process-oriented and risk-based regulations issued by the Agencies, such as the Information Security Standards. Compliance with this type of regulation is based upon a regulated entity’s own preliminary risk assessment. The risk assessment required here directs a financial institution or creditor to determine, as a threshold matter, whether it will need to have a Program.[24] If a financial institution or creditor determines that it does need a Program, then this risk assessment will enable the financial institution or creditor to identify those accounts the Program must address. This provision also requires a financial institution or creditor that initially determines that it does not need to have a Program to reassess periodically whether it must develop and implement a Program in light of changes in the accounts that it offers or maintains and the various factors set forth in the provision.

Section l.90(d)(1) Identity Theft Prevention Program Requirement

Proposed § l.90(c) described the primary objectives of a Program. It stated that each financial institution or creditor must implement a written Program that includes reasonable policies and procedures to address the risk of identity theft to its customers and to the safety and soundness of the financial institution or creditor, in the manner described in proposed § l.90(d), which described the development and implementation of a Program. It also stated that the Program must address financial, operational, compliance, reputation, and litigation risks and be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

Some commenters believed that the proposed regulations exceeded the scope of section 114 by covering deposit accounts and by requiring a response to the risk of identity theft, not just the identification of the risk of identity theft. One commenter expressed concern about the application of the Program to existing accounts.

The SBA commented that requiring all small businesses covered by the regulations to create a written Program would be overly burdensome. Several financial institution commenters objected to what they perceived as a proposed requirement that financial institutions and creditors have a written Program solely to address identity theft. They recommended that the final regulations allow a covered entity to simply maintain or expand its existing fraud prevention and information security programs as long as they included the detection, prevention, and mitigation of identity theft. Some of these commenters stated that requiring a written program would merely focus examiner attention on documentation and cause financial institutions to produce needless paperwork.

While commenters generally agreed that the Program should be appropriate to the size and complexity of the financial institution or creditor, and the nature and scope of its activities, many industry commenters objected to the prescriptive nature of this section. They urged the Agencies to provide greater flexibility to financial institutions and creditors by allowing them to implement their own procedures as opposed to those provided in the proposed regulations. Several other commenters suggested permitting financial institutions and creditors to take into account the cost and effectiveness of policies and procedures and the institution’s history of fraud when designing its Program.

Several financial institution commenters maintained that the Program required by the proposed rules was not sufficiently flexible. They maintained that a true risk-based approach would permit institutions to prioritize the importance of various controls, address the most important risks first, and accept the good faith judgments of institutions in differentiating among their options for conducting safe, sound, and compliant operations. Some of these commenters urged the Agencies to revise the final rules and guidelines and adopt an approach similar to the Information Security Standards which they characterized as providing institutions with an outline of issues to consider without requiring specific approaches.

Although a few commenters believed that the proposed requirement to update the Program was burdensome and should be eliminated, most commenters agreed that the Program should be designed to address changing risks over time. A number of these commenters, however, objected to the requirement that the Program must be designed to address changing identity theft risks “as they arise,” as too burdensome a standard. Instead, they recommended that the final regulations require a financial institution or creditor to reassess periodically whether to adjust the types of accounts covered or Red Flags to be detected based upon any changes in the types and methods of identity theft that an institution or creditor has experienced.

Section l.90(d) of the final rules requires each financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. To signal that the final rules are flexible, and allow smaller financial institutions and creditors to tailor their Programs to their operations, the final rules state that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

The guidelines are appended to the final rules to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulation. Section I of the guidelines, titled “The Program,” makes clear that a covered entity may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program. This will avoid duplication and allow covered entities to benefit from existing policies and procedures.

The Agencies do not agree with those commenters who asserted that the scope of the proposed regulations (and hence the final rules that adopt the identical approach with respect to these issues)

[24] The Agencies anticipate that some financial institutions and creditors, such as various creditors regulated by the FTC that solely engage in business-to-business transactions, will be able to determine that they do not need to develop and implement a Program.

Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63725

exceed the Agencies’ statutory mandate. First, section 114 clearly permits the Agencies to issue regulations and guidelines that address more than the mere identification of the risk of identity theft. Section 114 contains a broad mandate directing the Agencies to issue guidelines “regarding identity theft” and to prescribe regulations requiring covered entities to establish reasonable policies and procedures for implementing the guidelines. Second, two provisions in section 114 indicate that Congress expected the Agencies to issue final regulations and guidelines requiring financial institutions and creditors to detect, prevent, and mitigate identity theft.

The first relevant provision is codified in section 615(e)(1)(C) of the FCRA, where Congress addressed a particular scenario involving card issuers. In that provision, Congress directed the Agencies to prescribe regulations requiring a card issuer to take specific steps to assess the validity of a change of address request when it receives such a request and, within a short period of time, also receives a request for an additional or replacement card. The regulations must prohibit a card issuer from issuing an additional or replacement card under such circumstances, unless it notifies the cardholder or “uses other means of assessing the validity of the change of address in accordance with reasonable policies and procedures established by the card issuer in accordance with the regulations prescribed [by the Agencies] * * *.” This provision makes clear that Congress contemplated that the Agencies’ regulations would require a financial institution or creditor to have policies and procedures not only to identify Red Flags, but also, to prevent and mitigate identity theft.

The second relevant provision is codified in section 615(e)(2)(B) of the FCRA, and directs the Agencies to consider addressing in the identity theft guidelines transactions that occur with respect to credit or deposit accounts that have been inactive for more than two years. The Agencies must consider whether a creditor or financial institution detecting such activity should “follow reasonable policies that provide for notice to be given to the consumer in a manner reasonably designed to reduce the likelihood of identity theft with respect to such account.” This provision signals that the Agencies are authorized to prescribe regulations and guidelines that comprehensively address identity theft—in a manner that goes beyond the mere identification of possible risks.

The Agencies’ interpretation of section 114 is also supported by the legislative history that indicates Congress expected the Agencies to issue regulations and guidelines for the purposes of “identifying and preventing identity theft.”[25]

Finally, the Agencies’ interpretation of section 114 is broad, based on a public policy perspective that regulations and guidelines addressing the identification of the risk of identity theft, without addressing the prevention and mitigation of identity theft, would not be particularly meaningful or effective.

The Agencies also have concluded that the scope of section 114 does not only apply to credit transactions, but also applies, for example, to deposit accounts. Section 114 refers to the risk of identity theft, generally, and not strictly in connection with credit. Because identity theft can and does occur in connection with various types of accounts, including deposit accounts, the final rules address identity theft in a comprehensive manner.

Furthermore, nothing in section 114 indicates that the regulations must only apply to identity theft in connection with account openings. The FTC has defined “identity theft” as “a fraud committed or attempted using the identifying information of another person without authority.”[26] Such fraud may occur in connection with account openings and with existing accounts. Section 615(e)(3) states that the guidelines that the Agencies prescribe “shall not be inconsistent” with the policies and procedures required under 31 U.S.C. 5318(l), a reference to the CIP rules which require certain financial institutions to verify the identity of customers opening new accounts. However, the Agencies do not read this phrase to prevent them from prescribing rules directed at existing accounts. To interpret the provision in this manner would solely authorize the Agencies to prescribe regulations and guidelines identical to and duplicative of those already issued—making the Agencies’ regulatory authority in this area superfluous and meaningless.[27]

The Agencies recognize that requiring a written Program will impose some burden. However, the Agencies believe the benefit of being able to assess a covered entity’s compliance with the final rules by evaluating the adequacy and implementation of its written Program outweighs the burdens imposed by this requirement. Moreover, although the final rules continue to require a written Program, as detailed below, the Agencies have substantially revised the proposal to focus the final rules and guidelines on reasonably foreseeable risks, make the final rules less prescriptive, and provide financial institutions and creditors with more discretion to develop policies and procedures to detect, prevent, and mitigate identity theft.

Proposed § l.90(c) also provided that the Program must address changing identity theft risks as they arise based upon the experience of the financial institution or creditor with identity theft and changes in: Methods of identity theft; methods to detect, prevent, and mitigate identity theft; the types of accounts the financial institution or creditor offers; and its business arrangements, such as mergers and acquisitions, alliances and joint ventures, and service provider arrangements.

The Agencies continue to believe that, to ensure a Program’s continuing effectiveness, it must be updated, at least periodically. However, in order to simplify the final rules, the Agencies moved this requirement into the next section, where it is one of the required elements of the Program, as discussed below.

Development and Implementation of Identity Theft Prevention Program

The remaining provisions of the proposed rules were set forth under the above-referenced section heading. Many commenters asserted that the Agencies should simply articulate certain objectives and provide financial institutions and creditors the flexibility and discretion to design policies and procedures to fulfill the objectives of the Program without the level of detail required under this section.

As described earlier, to ensure that financial institutions and creditors are able to design Programs that effectively address identity theft in a manner tailored to their own operations, the Agencies have made significant changes in the proposal by deleting whole provisions or moving them into the guidelines in Appendix J. More specifically, the Agencies abbreviated the proposed requirements formerly located in the provisions titled

[25] See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) (accompanying S. 1753).
[26] 16 CFR 603.2(a).
[27] The Agencies’ conclusion is also supported by case law interpreting similar terminology, albeit in a different context, finding that “inconsistent” means it is impossible to comply with two laws simultaneously, or one law frustrates the purposes and objectives of another. See, e.g., Davenport v. Farmers Ins. Group, 378 F.3d 839 (8th Cir. 2004); Retail Credit Co. v. Dade County, Florida, 393 F. Supp. 577 (S.D. Fla. 1975); Alexiou v. Brad Benson Mitsubishi, 127 F. Supp.2d 557 (D.N.J. 2000).

63726 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

“Identification and Evaluation of Red Flags” and “Identity Theft Prevention and Mitigation” and have placed them under a section of the final rules titled “Elements of a Program.” The proposed requirements on “Staff Training,” “Oversight of Service Provider Arrangements,” and “Involvement of Board of Directors and Senior Management” are now in a section of the final rules titled “Administration of the Program.” The guidelines in Appendix J elaborate on these requirements. A discussion of the comments received on these sections of the proposed rules, and the corresponding sections of the final rules and guidelines follows.

Section l.90(d)(2)(i) Element I of the Program: Identification of Red Flags

Proposed § l.90(d)(1)(i) required a Program to include policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation described in § l.90(d)(1)(ii). It also required the Red Flags identified to reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. Proposed § l.90(d)(1)(i) provided that each financial institution and creditor must incorporate into its Program relevant Red Flags from Appendix J. The preamble to the proposed rules acknowledged that some Red Flags that

the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor. They criticized the phrase “possible risk” as too broad and stated that it was unrealistic to impose upon covered entities a continuing obligation to incorporate into their Programs Red Flags to address virtually any new identity theft incident or trend and potential fraud prevention measure. These commenters stated that this would be a burdensome compliance exercise that would limit flexibility and add costs, which in turn, would take away limited resources from the ultimate objective of combating identity theft.

Many commenters objected to the proposed requirement that the Red Flags identified by a financial institution or creditor reflect changing identity theft risks to customers and to the financial institution or creditor “as they arise.” These commenters requested that the final rules permit financial institutions and creditors a reasonable amount of time to adjust the Red Flags included in their Programs.

Some commenters agreed that the enumerated sources of Red Flags were appropriate. A few commenters stated that financial institutions and creditors should not be required to include in their Programs any Red Flags except for those set forth in Appendix J or in supervisory guidance, or that they had experienced. However, most commenters objected to the requirement that, at a minimum, the Program

Appendix J that were obsolete or not appropriate for their activities.

By contrast, consumer groups criticized the flexibility and discretion afforded to financial institutions and creditors in this section of the proposed rules. These commenters urged the Agencies to make certain Red Flags from Appendix J mandatory, such as a fraud alert on a consumer report.

Proposed § l.90(d)(1)(ii) provided that in order to identify which Red Flags are relevant to detecting a possible risk of identity theft to its customers or to its own safety and soundness, the financial institution or creditor must consider:
A. Which of its accounts are subject to a risk of identity theft;
B. The methods it provides to open these accounts;
C. The methods it provides to access these accounts; and
D. Its size, location, and customer base.

While some industry commenters thought the enumerated factors were appropriate, other commenters stated that the factors on the list were not necessarily the ones used by financial institutions to identify risk and were irrelevant to any determination of identity theft or actual fraud. These commenters maintained that this proposed requirement would require financial institutions to develop entirely new programs that may not be as effective or efficient as those designed by anti-fraud experts. Therefore, they recommended that the final rules provide financial institutions and
are relevant today may become obsolete incorporate any relevant Red Flags from
Appendix J. creditors with wide latitude to
as time passes. The preamble stated that determine what factors they should
the Agencies expected to update Some financial institution
commenters urged deletion of the consider and how they categorize them.
Appendix J periodically,28 but that it These commenters urged the Agencies
may be difficult to do so quickly enough proposed requirement to include a list
of relevant Red Flags in their Program. to refrain from providing a list of factors
to keep pace with rapidly evolving that financial institutions and creditors
patterns of identity theft or as quickly as They stated that a financial institution
should be able to assess which Red would have to consider because a finite
financial institutions and creditors list could limit their ability to adapt to
experience new types of identity theft. Flags are appropriate without having to
justify to an examiner why it failed to new forms of identity theft.
Therefore, proposed § l.90(d)(1)(i) also
include a specific Red Flag on a list. Some commenters suggested that the
provided that each financial institution
Other commenters recommended that risk evaluation include an assessment of
and creditor must incorporate into its
the list of Red Flags in Appendix J be other factors such as the likelihood of
Program relevant Red Flags from
illustrative only. These commenters harm, the cost and operational burden
applicable supervisory guidance,
recommended that a financial of using a particular Red Flag and the
incidents of identity theft that the
institution or creditor be permitted to effectiveness of a particular Red Flag for
financial institution or creditor has
include any Red Flags on its list that it that institution or creditor. Some
experienced, and methods of identity
concludes are appropriate. They commenters suggested that the factors
theft that the financial institution or
suggested that the Agencies encourage refer to the likely risk of identity theft,
creditor has identified that reflect
institutions to review the list of Red while others suggested that the factors
changes in identity theft risks.
Flags, and use their own experience and be modified to refer to the possible risk
Some commenters objected to the
expertise to identify other Red Flags that of identity theft to which each type of
proposed requirement that the Program
become apparent as fraudsters adapt account offered by the financial
contain policies and procedures to
and develop new techniques. They institution or creditor is subject. Other
identify which Red Flags, singly or in
jlentini on PROD1PC65 with RULES4

maintained that in this manner, commenters, including a trade


combination, are relevant to detecting
institutions and creditors would be able association representing small financial
28 Section 114 directs the Agencies to update the to identify the appropriate Red Flags institutions, asked the Agencies to
guidelines as often as necessary. See 15 U.S.C. and not waste limited resources and provide guidelines on how to conduct a
1681m(e)(1)(a). effort addressing those Red Flags in risk assessment.

The final rules continue to address the identification of relevant Red Flags, but simply state that the first element of a Program must be reasonable policies and procedures to identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains. The final rules also state that a financial institution or creditor must incorporate these Red Flags into its Program.

The final rules do not require policies and procedures for identifying which Red Flags are relevant to detecting a ‘‘possible risk’’ of identity theft. Moreover, as described below, a covered entity’s obligation to update its Red Flags is now a separate element of the Program. The section of the proposed rules describing the various factors that a financial institution or creditor must consider to identify relevant Red Flags, and the sources from which a financial institution or creditor must derive its Red Flags, are now in section II of the guidelines titled ‘‘Identifying Relevant Red Flags.’’

The Agencies acknowledge that establishing a finite list of factors that a financial institution or creditor must consider when identifying relevant Red Flags for covered accounts could limit the ability of a financial institution or creditor to respond to new forms of identity theft. Therefore, section II of the guidelines contains a list of factors that a financial institution or creditor ‘‘should consider * * * as appropriate’’ in identifying relevant Red Flags.

The Agencies also modified the list in order to provide more appropriate examples of factors for consideration by a financial institution or creditor determining which Red Flags may be relevant. These factors are:
• The types of covered accounts it offers or maintains;
• The methods it provides to open its covered accounts;
• The methods it provides to access its covered accounts; and
• Its previous experiences with identity theft.

Thus, for example, Red Flags relevant to deposit accounts may differ from those relevant to credit accounts, and those applicable to consumer accounts may differ from those applicable to business accounts. Red Flags appropriate for accounts that may be opened or accessed remotely may differ from those that require face-to-face contact. In addition, a financial institution or creditor should consider identifying as relevant those Red Flags that directly relate to its previous experiences with identity theft.

Section II of the guidelines also gives examples of sources from which financial institutions and creditors should derive relevant Red Flags, rather than requiring that the Program incorporate relevant Red Flags strictly from the four sources listed in the proposed rules. Section II states that a financial institution or creditor should incorporate into its Program relevant Red Flags from sources such as: (1) Incidents of identity theft that the financial institution or creditor has experienced; (2) methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and (3) applicable supervisory guidance.

The Agencies have deleted the reference to the Red Flags in Appendix J as a source. Instead, a separate provision in section II of the guidelines, titled ‘‘Categories of Red Flags,’’ states that the Program of a financial institution or creditor ‘‘should include’’ relevant Red Flags from five particular categories ‘‘as appropriate.’’ The Agencies have included these categories, which summarize the various types of Red Flags that were previously enumerated in Appendix J, in order to provide additional non-prescriptive guidance regarding the identification of relevant Red Flags.

Section II of the guidelines also notes that ‘‘examples’’ of individual Red Flags from each of the five categories are appended as Supplement A to Appendix J. The examples in Supplement A are a list of Red Flags similar to those found in the proposed rules. The Agencies did not intend for these examples to be a comprehensive list of all types of identity theft that a financial institution or creditor may experience. When identifying Red Flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject. For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services) and, therefore, must identify Red Flags that reflect this risk.

The Agencies also have decided not to single out any specific Red Flags as mandatory for all financial institutions and creditors. Rather, the final rule continues to follow the risk-based, non-prescriptive approach regarding the identification of Red Flags that was set forth in the proposal. The Agencies recognize that the final rules and guidelines cover a wide variety of financial institutions and creditors that offer and maintain many different products and services, and require the flexibility to be able to adapt to rapidly changing risks of identity theft.

Sections l.90(d)(2)(ii) and (iii) Elements II and III of the Program: Detection of and Response to Red Flags

Proposed § l.90(d)(2) stated that the Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account. This section then described the policies and procedures that the Program must include, some of which related solely to account openings while others related to existing accounts.

Some financial institution commenters acknowledged that reference to prevention and mitigation of identity theft was generally a good objective, but they urged that the final rules refrain from prescribing how financial institutions must achieve it. Others noted that the CIP rules and the Information Security Standards already required many of the steps in the proposal. They recommended that the final rules recognize this and clarify that compliance with parallel requirements would be sufficient for compliance under these rules.

Section l.90(d)(1) of the final rules requires financial institutions and creditors to develop and implement a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. Therefore, the Agencies concluded that it was not necessary to reiterate this requirement in § l.90(d)(2). The Agencies have deleted the prefatory language from proposed § l.90(d)(2) on prevention and mitigation in order to streamline the final rules. The various provisions addressing prevention and mitigation formerly in this section, namely, verification of identity, detection of Red Flags, assessment of the risk of Red Flags, and responses to the risk of identity theft, have been incorporated into the final rules as ‘‘Elements of the Program’’ and into the guidelines elaborating on these provisions. Comments received regarding these provisions and the manner in which they have been integrated into the final rules and guidelines follow.

Detecting Red Flags

Proposed § l.90(d)(2)(i) stated that the Program must include reasonable policies and procedures to obtain identifying information about, and verify the identity of, a person opening an account. This provision was designed to address the risk of identity

theft to a financial institution or creditor that occurs in connection with the opening of new accounts.

The proposed rules stated that any financial institution or creditor would be able to satisfy the proposed requirement in § l.90(d)(2)(i) by using the policies and procedures for identity verification set forth in the CIP rules. The preamble to the proposed rules explained that although the CIP rules exclude a variety of entities from the definition of ‘‘customer’’ and exclude a number of products and relationships from the definition of ‘‘account,’’ 29 the Agencies were not proposing any exclusions from either of these terms given the risk-based nature of the regulations.

29 See, e.g., 31 CFR 103.121(a).

Most commenters supported this provision. Many of these commenters urged the Agencies to include in the final rules a clear statement acknowledging that financial institutions and creditors complying with the CIP rules would be deemed to be in compliance with this provision’s requirements. Some of these commenters encouraged the Agencies to place the exemptions from the CIP rules in these final rules for consistency in implementing both regulatory mandates. Some commenters, however, believed the requirement to verify the identity of a person opening an account duplicated the requirements in the CIP rules and urged elimination of this redundancy. Other entities not already subject to the CIP rules stated that complying with those rules would be very costly and burdensome. These commenters asked that the Agencies provide them with additional guidance regarding the CIP rules.

Consumer groups were concerned that use of the CIP rules would not adequately address identity theft. They stated that the CIP rules allow accounts to be opened before identity is verified, which is not the proper standard to prevent identity theft.

As described below, the Agencies have moved verification of the identity of persons opening an account into section III of the guidelines where it is described as one of the policies and procedures that a financial institution or creditor should have to detect Red Flags in connection with the opening of a covered account.

Proposed § l.90(d)(2)(ii) stated that the Program must include reasonable policies and procedures to detect the Red Flags identified pursuant to paragraph § l.90(d)(1). The Agencies did not receive any specific comments on this provision.

In the final rules, the detection of Red Flags is the second element of the Program. The final rules provide that a Program must contain reasonable policies and procedures to detect the Red Flags that a financial institution or creditor has incorporated into its Program.

Section III of the guidelines provides examples of various means to detect Red Flags. It states that the Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts, such as by obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the CIP rules. Section III also states that the Program’s policies and procedures should address the detection of Red Flags in connection with existing covered accounts, such as by authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

Covered entities subject to the CIP rules, the Federal Financial Institutions Examination Council’s guidance on authentication,30 the Information Security Standards, and Bank Secrecy Act (BSA) rules 31 may already be engaged in detecting Red Flags. These entities may wish to integrate the policies and procedures already developed for purposes of complying with these issuances into their Programs. However, such policies and procedures may need to be supplemented. For example, the CIP rules were written to implement section 326 32 of the USA PATRIOT Act,33 an Act directed toward facilitating the prevention, detection, and prosecution of international money laundering and the financing of terrorism. Certain types of ‘‘accounts,’’ ‘‘customers,’’ and products are exempted or treated specially in the CIP rules because they pose a lower risk of money laundering or terrorist financing. Such special treatment may not be appropriate to accomplish the broader objective of detecting, preventing, and mitigating identity theft. Accordingly, the Agencies expect all financial institutions and creditors to evaluate the adequacy of existing policies and procedures and to develop and implement risk-based policies and procedures that detect Red Flags in an effective and comprehensive manner.

30 ‘‘Authentication in an Internet Banking Environment’’ (October 12, 2005) available at http://www.ffiec.gov/press/pr101205.htm.
31 See, e.g., 12 CFR 21.21 (national banks); 12 CFR 208.63 (state member banks); 12 CFR 326.8 (state non-member banks); 12 CFR 563.177 (savings associations); and 12 CFR 748.2 (credit unions).
32 31 U.S.C. 5318(l).
33 Pub. L. 107–56.

Responding to Red Flags

Proposed § l.90(d)(2)(iii) stated that to prevent and mitigate identity theft, the Program must include policies and procedures to assess whether the Red Flags the financial institution or creditor detected pursuant to proposed § l.90(d)(2)(ii) evidence a risk of identity theft. It also stated that a financial institution or creditor must have a reasonable basis for concluding that a Red Flag (detected) does not evidence a risk of identity theft.

Financial institution commenters expressed concern that this standard would force an institution to justify to examiners why it did not take measures to respond to a particular Red Flag. Some consumer groups believed it was appropriate to require a financial institution or creditor to have a reasonable basis for concluding that a particular Red Flag detected does not evidence a risk of identity theft. Other consumer groups believed that this was too weak a standard and that mandating the detection of certain Red Flags would be more effective and preventive.

Some commenters mistakenly read the proposed provision as requiring a financial institution or creditor to have a reasonable basis for excluding a Red Flag listed in Appendix J from its Program, requiring the mandatory review and analysis of each and every Red Flag. These commenters urged the Agencies to delete this provision.

Proposed § l.90(d)(2)(iv) stated that to prevent and mitigate identity theft, the Program must include policies and procedures that address the risk of identity theft to the customer, the financial institution, or creditor, commensurate with the degree of risk posed. The proposed regulations also provided an illustrative list of measures that a financial institution or creditor could take, including:
• Monitoring an account for evidence of identity theft;
• Contacting the customer;
• Changing any passwords, security codes, or other security devices that permit access to a customer’s account;
• Reopening an account with a new account number;
• Not opening a new account;
• Closing an existing account;
• Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

• Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c–1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or
• Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, to correct or update inaccurate or incomplete information.

Some commenters agreed that financial institutions and creditors should be able to use their own judgment to determine which measures to take depending upon the degree of risk that is present. However, consumer groups believed that the final rules should require notification of consumers in every case where a Red Flag that requires a response has been detected.

Other commenters objected to some of the examples given as measures that financial institutions and creditors could take to address the risk of identity theft. For example, one commenter objected to the inclusion, as an example, of the requirements regarding limitations on credit extensions under 15 U.S.C. 1681c–1(h). The commenter stated that this statutory provision is confusing, useless, and should not be referenced in the final rules. Other commenters suggested that the Agencies clarify that the inclusion of this statutory provision in the proposed rules as an example of how to address the risk of identity theft did not make this provision discretionary.

The final rules merge the concepts previously in proposed § l.90(d)(2)(iii) and § l.90(d)(2)(iv) into the third element of the Program: reasonable policies and procedures to respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft.

In order to ‘‘respond appropriately,’’ it is implicit that a financial institution or creditor must assess whether the Red Flags detected evidence a risk of identity theft, and must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft. Therefore, the Agencies concluded that it is not necessary to specify any such separate assessment, and, accordingly, deleted the language from the proposal regarding assessing Red Flags and addressing the risk of identity theft.

Most of the examples of measures for preventing and mitigating identity theft previously listed in proposed § l.90(d)(2)(iv) are now located in section IV of the guidelines, titled ‘‘Prevention and Mitigation of Identity Theft.’’ Section IV states that the Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In addition, as described earlier, the final rules do not define Red Flags to include indicators of a ‘‘possible risk’’ of identity theft (including ‘‘precursors’’ to identity theft). Instead, section IV states that in determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, and provides examples of such factors.

The Agencies also modified the examples of appropriate responses as follows. First, the Agencies added ‘‘not attempting to collect on a covered account or not selling a covered account to a debt collector’’ as a possible response to Red Flags detected. Second, the Agencies added ‘‘determining that no response is warranted under the particular circumstances’’ to make clear that an appropriate response may be no response, especially, for example, when a financial institution or creditor has a reasonable basis for concluding that the Red Flags detected do not evidence a risk of identity theft.

In addition, the Agencies moved the proposed examples that referenced responses mandated by statute to section VII of the guidelines titled ‘‘Other Applicable Legal Requirements’’ to highlight that certain responses are legally required.

The section of the proposal listing examples of measures to address the risk of identity theft included a footnote that discussed the relationship between a consumer’s placement of a fraud or active duty alert on his or her consumer report and ECOA, 15 U.S.C. 1691, et seq. A few commenters objected to this footnote. Some commenters believed that creditors had a right to deny credit automatically whenever a fraud or active duty alert appears on the consumer report of an applicant. Other commenters believed that the footnote raised complex issues under the ECOA and FCRA that required more thorough consideration, and questioned the need and appropriateness of addressing ECOA in the context of this rulemaking.

Under ECOA, it is unlawful for a creditor to discriminate against any applicant for credit because the applicant has in good faith exercised any right under the Consumer Credit Protection Act (CCPA), 15 U.S.C. 1691(a). A consumer who requests the inclusion of a fraud alert or active duty alert in his or her credit file is exercising a right under the FCRA, which is a part of the CCPA, 15 U.S.C. 1601, et seq. When a credit file contains a fraud or active duty alert, section 605A of the FCRA, 15 U.S.C. 1681c–1(h), requires a creditor to take certain steps before extending credit, increasing a credit limit, or issuing an additional card on an existing credit account. For an initial or active duty alert, these steps include utilizing reasonable policies and procedures to form a reasonable belief that the creditor knows the identity of the consumer and, where a consumer has specified a telephone number for identity verification purposes, contacting the consumer at that telephone number or taking reasonable steps to verify the consumer’s identity and confirm that the application is not the result of identity theft, 15 U.S.C. 1681c–1(h)(1)(B).

The purpose of the footnote was to remind financial institutions and creditors of their legal responsibilities in circumstances where a consumer has placed a fraud or active duty alert on his or her consumer report. In particular, the Agencies have concerns that in some cases, creditors have adopted policies of automatically denying credit to consumers whenever an initial fraud alert or an active duty alert appears on an applicant’s consumer report. The Agencies agree that this rulemaking is not the appropriate vehicle for addressing issues under ECOA. However, the Agencies will continue to evaluate compliance with ECOA through their routine examination or enforcement processes, including issues related to fraud and active duty alerts.

Section l.90(d)(2)(iv) Element IV of the Program: Updating the Program

To ensure that the Program of a financial institution or creditor remains effective over time, the final rules provide a fourth element of the Program: policies and procedures to ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. As described earlier, this element replaces the requirements formerly in proposed § l.90(c)(2) which stated that the Program must be designed to address changing identity theft risks as they arise, and proposed § l.90(d)(1)(i) which stated that the Red Flags included in a covered entity’s Program must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise.

Unlike the proposed provisions, however, this element only requires ‘‘periodic’’ updating. The Agencies concluded that requiring financial institutions and creditors to immediately and continuously update their Programs would be overly burdensome.

Section V of the guidelines elaborates on the obligation to ensure that the Program is periodically updated. It reiterates the factors previously in proposed § l.90(c)(2) that should cause a financial institution or creditor to update its Program, such as its own experiences with identity theft, changes in methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in accounts that it offers or maintains, and changes in its business arrangements.

Section l.90(e) Administration of the Program

The final rules group the remaining provisions of the proposed rules under the heading ‘‘Administration of the Program,’’ albeit in a different order than proposed. This section of the final rules describes the steps that financial institutions and creditors must take to administer the Program, including: Obtaining approval of the initial written Program; ensuring oversight of the development, implementation and administration of the Program; training staff; and overseeing service provider arrangements.

A number of commenters criticized each of the proposed provisions regarding administration of the Program, arguing they were not specifically required by section 114. The Agencies believe the mandate in section 114 is broad, and provides the Agencies with an ample basis to issue rules and guidelines containing these provisions because they are critical to ensuring the effectiveness of a Program. Therefore, the Agencies have retained these elements in the final rules and guidelines with some modifications, as follows.

implementation, and maintenance of the Program, including assigning specific responsibility for its implementation. The proposal also provided that persons charged with overseeing the Program must review reports prepared at least annually by staff regarding compliance by the financial institution or creditor with the regulations.

Proposed § l.90(d)(5)(iii) stated that reports must discuss material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for changes in the Program.

Some commenters agreed that identity theft is an important issue, and the board, therefore, should be involved in the overall development, approval, and oversight of the Program. These commenters suggested that the final rules make clear that the board need not be responsible for the day-to-day operations of the Program.

Most industry commenters opposed the proposed requirement that the board or board committee approve the Program and receive annual reports about compliance with the Program. These commenters asserted that the statute does not mandate such requirements, and that compliance with these rules did not warrant more board attention than other regulations. They asserted that such requirements would impede the ability of a financial institution or creditor to keep up with the fast-paced changes and developments inherent with instances of fraud and identity theft. They stated that boards of directors should not be required to consider the minutiae of the fraud prevention efforts of a financial institution or creditor and suggested the

insure uniformity of policy throughout large organizations.

Some commenters stated that the preparation of reports for board review would be costly and burdensome. The SBA suggested that the FTC consider a one-page certification option for small low-risk entities to minimize the burden of reports. One commenter opined that it would be sufficient if the Agencies mandated that covered entities continuously review and evaluate the policies and procedures they adopted pursuant to the regulations and modify them as necessary. Consumer groups suggested that the final rules specifically require financial institutions and creditors to adjust their Programs to address deficiencies raised by their annual reports.

Commenters generally took the position that reports to the board, a board committee, or senior management regarding compliance with the final rules should be prepared at most on a yearly basis, or when significant changes have occurred that alter the institution’s risk. One commenter recommended a clarification that any reporting to the board of material information relating to the Program could be combined with reporting obligations required under the Information Security Standards.

Section l.90(e)(1) of the final rules continues to require approval of the written Program by the board of directors or an appropriate committee of the board. However, to ensure that this requirement does not hamper the ability of a financial institution or creditor to update its Program in a timely manner, the final rules provide that the board or an appropriate committee must approve only the initial written Program. Thereafter, at the discretion of the covered entity, the board, a committee, or senior management may update the Program.

Bank holding companies and their bank and non-bank subsidiaries will be governed by the principles articulated
in connection with the banking
task be delegated to senior management
Sections l.90(e)(1) and (2) agencies’’ Information Security
with expertise in this area. Some
Involvement of the Board of Directors Standards:
commenters suggested the final rules
and Senior Management provide a covered entity with the The Agencies agree that subsidiaries
Proposed § l.90(d)(5) highlighted the discretion to assign oversight within a holding company can use the
responsibilities in a manner consistent security program developed at the holding
responsibility of the board of directors
company level. However, if subsidiary
and senior management to develop, with the institution’s own risk institutions choose to use a security program
implement, and oversee the Program. evaluation. developed at the holding company level, the
Proposed § l.90(d)(5)(i) specifically One commenter suggested that the board of directors or an appropriate
required the board of directors or an final rules permit the board of directors committee at each subsidiary institution
appropriate committee of the board to of a holding company to approve and must conduct an independent review to
jlentini on PROD1PC65 with RULES4

approve the written Program. Proposed oversee the Program for the entire ensure that the program is suitable and
§ l.90(d)(5)(ii) required that the board, organization. The commenter explained complies with the requirements prescribed
an appropriate committee of the board, that this approach would eliminate the by the subsidiary’s primary regulator * * * .
or senior management be charged with need for redundant actions by a 66 FR 8620 (Feb. 1, 2001) (Preamble to
overseeing the development, multiplicity of boards, and help to final Information Security Standards.)

Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63731

The Agencies recognize that boards of directors have many responsibilities and it generally is not feasible for a board to involve itself in the detailed oversight, development, implementation, and administration of the Program. Accordingly, § __.90(e)(2) of the final rules provides discretion to a financial institution or creditor to determine who will be responsible for these aspects of the Program. It states that a financial institution or creditor must involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the Program.

Section VI of the guidelines elaborates on this provision of the final rules. The guidelines note that such oversight should include assigning specific responsibility for the Program's implementation and reviewing reports prepared by staff on compliance by the financial institution or creditor with this section. As suggested by commenters, the guidelines also state that oversight should include approving material changes to the Program as necessary to address changing identity theft risks. Section VI also provides that reports should be prepared at least annually and describes the contents of a report as proposed in § __.90(d)(5)(iii)(B).

These steps are modeled on sections of the Information Security Standards.34 As noted previously, financial institutions and creditors subject to these Standards may combine elements required under the final rules and guidelines, including reports, with those required by the Standards, as they see fit.

Section __.90(e)(3) Staff Training

Proposed § __.90(d)(3) required each financial institution or creditor to train staff to implement its Program. Consumer groups believed that this provision should be more detailed and specifically require monitoring, oversight, and auditing of a covered entity's training efforts. By contrast, a number of industry commenters recommended that the Agencies withdraw this provision because they believed it was burdensome. Some of these commenters asserted that the Agencies had not taken into account the limited personnel and resources available to smaller institutions to provide training.

Some financial institution commenters stated that it was not clear why staff training would be specifically required under the final rules, absent a specific statutory requirement. They maintained that financial institutions have sufficient incentives to ensure that appropriate staff is trained. Other commenters suggested that the Agencies clarify that this provision would only require training for relevant staff and would permit training on identity theft that is integrated into overall staff training on similar or overlapping matters such as fraud prevention.

One commenter objected to an example in the preamble to the proposed rules which stated that staff should be trained to detect "anomalous wire transfers in connection with a customer's deposit account." The commenter stated that this example potentially exposed financial institutions to significant and unintended liability, predicting that customers and law enforcement would use the rules to support claims that financial institutions are responsible for authorizing transactions by fraudsters. The commenter asserted that financial institutions do not have systems that can detect these transactions because they fall outside the usual fraud filter parameters.

Section __.90(e)(3) of the final rules provides that a covered entity must train staff, as necessary, to effectively implement the Program. There is no corresponding section of the guidelines. The Agencies continue to believe proper training will enable staff to address the risk of identity theft. However, this provision requires training of only relevant staff. In addition, staff that has already been trained, for example, as a part of the anti-fraud prevention efforts of the financial institution or creditor, do not need to be re-trained except "as necessary."

The Agencies recognize that some of the examples, such as detecting "anomalous wire transfers in connection with a customer's deposit account" may fall outside the usual fraud filter parameters. However, the Agencies expect that compliance with the final rules will improve the ability of financial institutions and creditors to detect, prevent, and mitigate identity theft.

Section __.90(e)(4) Oversight of Service Provider Arrangements

Proposed § __.90(d)(4) stated that, whenever a financial institution or creditor engaged a service provider to perform an activity on its behalf and the requirements of the Program applied to that activity, the financial institution or creditor would be required to take steps designed to ensure the activity is conducted in compliance with a Program that satisfies the regulations. The preamble to the proposed rules explained that this provision would allow a service provider serving multiple financial institutions and creditors to conduct activities on behalf of these entities in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The service provider would not need to apply the particular Program of each individual financial institution or creditor to whom it is providing services.

Several commenters asserted it would be costly and burdensome for financial institutions and creditors to ensure third party compliance with the final rules and therefore, this provision should be eliminated. They urged that financial institutions and creditors be given maximum flexibility to manage service provider relationships.

Some financial institution commenters also suggested that the Agencies withdraw this provision. They stated that the FACT Act does not address this issue and asserted that there already is no doubt that if a financial institution delegates any of its operations to a third party, the institution will remain responsible for related regulatory compliance.

Other commenters stated that it should remain a contractual matter between the parties whether the service provider may implement a program that is different from its financial institution client.

Consumer groups asked the Agencies to ensure that the decision of a financial institution or creditor to outsource would not lead to lower Red Flag standards. These commenters suggested the final rules state that the Program must also meet the requirements that would apply if the activity were performed without the use of a service provider. They also suggested the final rules clarify that, in addition to any responsibility on the service provider imposed by law, regulation, or contract, the financial institution or creditor would be responsible for a failure to comply with the Program.

Most commenters, however, agreed with the proposal and stated that a service provider must have the flexibility to meet the objectives of the rules without having to tailor its services to the Program requirements of each company for which it provides

34 A board approval requirement is also found in the BSA rules of the Federal banking agencies and the NCUA. See 12 CFR 21.21 (OCC); 12 CFR 208.63 (Board); 12 CFR 326.8 (FDIC); 12 CFR 563.177 (OTS); and 12 CFR 748.2 (NCUA). Thus, contrary to the assertion of some commenters, this rule is being treated in a manner similar to other rules.

63732 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

service. These commenters noted that this proposed approach was the same as that used in the Information Security Standards.

The Agencies believe it is important to retain a provision in the final rules addressing service providers to remind financial institutions and creditors that they continue to remain responsible for compliance with the final rules, even if they outsource operations to a third party. However, the Agencies have simplified the service provider provision in the final rules and moved the remaining parts of proposed § __.90(d)(4) to the guidelines.

Section __.90(e)(4) of the final rules provides that a covered entity must exercise appropriate and effective oversight of service provider arrangements, without further elaboration. This provision provides maximum flexibility to financial institutions and creditors in managing their service provider arrangements, while making clear that a covered entity cannot escape its obligations to comply with the final rules and to include in its Program those guidelines that are appropriate by simply outsourcing an activity.

Section VI(c) of the guidelines provides that, whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions and creditors may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The guidelines also provide an example of how a covered entity may comply with this provision. The guidelines state that a financial institution or creditor could require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities and either report the Red Flags to the financial institution or creditor or take appropriate steps to prevent or mitigate identity theft.

Section __.90(f) Consideration of Guidelines in Appendix J

The Agencies have added a provision to the final rules that explains the relationship of the rules to the guidelines. Section __.90(f) states that each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J and include in its Program those guidelines that are appropriate.

Each of the guidelines corresponds to a provision of the final rules. As mentioned earlier, the guidelines were issued to assist financial institutions and creditors in the development and implementation of a Program that satisfies the requirements of the final rules. The guidelines provide policies and procedures that financial institutions and creditors should use, where appropriate, to satisfy the regulatory requirements of the final rules. While an institution or a creditor may determine that a particular guideline is not appropriate for its circumstances, it nonetheless must ensure its Program contains reasonable policies and procedures to fulfill the requirements of the final rules. This approach provides financial institutions and creditors with the flexibility to determine "how best to develop and implement the required policies and procedures." 35

Supplement A to Appendix J: Examples of Red Flags

Section 114 of the FACT Act states that, in developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft. The Agencies proposed implementing this provision by requiring the Program of a financial institution or creditor to include policies and procedures for the identification and detection of Red Flags in connection with an account opening or an existing account, including from among those listed in Appendix J.

The Agencies compiled the Red Flags enumerated in Appendix J from a variety of sources, such as literature on the topic, information from credit bureaus, financial institutions, creditors, designers of fraud detection software, and the Agencies' own experiences. The preamble to the proposed rules stated that some of the Red Flags, by themselves, may be reliable indicators of identity theft, while others are more reliable when detected in combination with other Red Flags.

The preamble to the proposed rules explained that the Agencies recognized that a wide range of financial institutions and creditors, and a broad variety of accounts would be covered by the regulations. Therefore, the Agencies proposed to afford each financial institution and creditor flexibility to determine which Red Flags were relevant for their purposes to detect identity theft, including from among those listed in Appendix J.

As mentioned previously, consumer groups criticized the discretion in the proposal that permitted financial institutions and creditors to choose Red Flags relevant to detecting the risk of identity theft based upon the list of enumerated factors. These groups urged the Agencies to make certain Red Flags in Appendix J mandatory. In addition, consumer groups suggested a number of additional Red Flags for inclusion in Appendix J.

Some commenters agreed that the list of examples of Red Flags was appropriate because, in their view, it was designed to be flexible. Some industry commenters, including a number of small financial institutions, stated that the Red Flags set forth in Appendix J would assist them in developing and improving their identity theft prevention programs. Other commenters suggested deleting the list of Red Flags or modifying the list in a manner appropriate to the nature of their own operations.

The Agencies have retained the list of examples of Red Flags because section 114 states that the Agencies "shall identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft." The Agencies also retained the list because some commenters indicated that having examples of Red Flags would be helpful to them. However, the examples of Red Flags are now set forth in a separate supplement to the guidelines. The list of examples is similar to that which the Agencies proposed, however, the Red Flags that the Agencies identified as precursors to identity theft have been deleted and are now addressed in section IV of the guidelines. Moreover, in response to a Congressional commenter, the Agencies added, as an example of a Red Flag, an application that gives the appearance of having been destroyed and reassembled.

The introductory language to the supplement clarifies that the enumerated Red Flags are examples. Thus, a financial institution or creditor may tailor the Red Flags it chooses for its Program to its own operations. A financial institution or creditor will not need to justify to an Agency its failure to include in the Program a specific Red Flag from the list of examples. However, a covered entity will have to account for the overall effectiveness of a Program that is appropriate to its size and

35 See H.R. Rep. No. 108–263 at 43 (Sept. 4, 2003) (accompanying H.R. 2622); S. Rep. No. 108–166 at 13 (Oct. 17, 2003) (accompanying S. 1753).

Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63733

complexity and the nature and scope of its activities.

Inactive Accounts

Section 114 also directs the Agencies to consider whether to include reasonable guidelines for notifying the consumer when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years, in order to reduce the likelihood of identity theft. The preamble to the proposed rules noted that the Agencies believed that the two-year limit was not always an accurate indicator of identity theft given the wide variety of credit and deposit accounts that would be covered by the provision. Therefore, in place of guidelines on inactive accounts, the Agencies proposed incorporating a Red Flag on inactive accounts into Appendix J that was flexible and was designed to take into consideration the type of account, the expected pattern of usage of the account, and any other relevant factors.

Some consumer groups suggested that a new section be added to the guidelines requiring notice to the consumer when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years unless this pattern would be expected for a particular type of account. Other commenters agreed with the Agencies' proposal to simply make activity on an inactive account a Red Flag. They also agreed that the Agencies should not use two years of inactivity as a hard and fast rule, and allow financial institutions and creditors to use their own standards to determine when an account is inactive.

In the final rules, the Agencies continue to list activity on an inactive account as a Red Flag. Given the variety of covered accounts to which the final rules and guidelines will apply, the Agencies concluded that the two-year period suggested in section 114 would not necessarily be a useful indicator of identity theft. Therefore, the Agencies have not included a provision in the guidelines regarding notification when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years.

B. Special Rules for Card Issuers

1. Background

Section 114 also requires the Agencies to prescribe joint regulations generally requiring credit and debit card issuers to assess the validity of change of address notifications. In particular, these regulations must ensure that if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address through one of three methods. The card issuer may not issue the card unless it: (1) Notifies the cardholder of the request at the cardholder's former address and provides the cardholder with a means to promptly report an incorrect address; (2) notifies the cardholder of the address change request by another means of communication previously agreed to by the issuer and the cardholder; or (3) uses other means of evaluating the validity of the address change in accordance with the reasonable policies and procedures established by the card issuer to comply with the joint regulations described earlier regarding identity theft.

For this reason, the Agencies also proposed special rules that required credit and debit card issuers to assess the validity of change of address notifications by notifying the cardholder or through certain other means. The proposed regulations stated that a financial institution or creditor that is a card issuer may incorporate the requirements of § __.91 into its Program. As described in the section-by-section analysis that follows, commenters generally requested changes that would make the proposed rules more flexible.

2. Section-by-Section Analysis

Section __.91(a) Scope

The proposed rules stated that this section applies to a person, described in proposed § __.90(a), that issues a debit or credit card. The Agencies did not receive any comments on this section. In the final rules, for clarity, the Agencies deleted the cross-reference to § __.90(a). Each Agency also revised its scope paragraph to list the entities over which it has jurisdiction that are subject to § __.91. Under the final rules, section __.91 applies to any debit or credit card issuer (card issuer) that is subject to an Agency's jurisdiction.

Section __.91(b) Definitions

The proposed rules included two definitions solely applicable to the special rules for card issuers: "cardholder" and "clear and conspicuous." Section __.91(b) of the final rules also contains these definitions as follows.

Section __.91(b)(1) Cardholder

Under section 114, the Agencies must prescribe regulations requiring a card issuer to follow reasonable policies and procedures to assess the validity of a change of address, before issuing an additional or replacement card. Section 114 provides that a card issuer may satisfy this requirement by notifying "the cardholder." The term "cardholder" is not defined in the FACT Act. The preamble to the proposed rules explained that the legislative record relating to this provision indicates that "issuers of credit cards and debit cards who receive a consumer request for an additional or replacement card for an existing account" may assess the validity of the request by notifying "the cardholder." 36 As the preamble noted, the request, presumably, will be valid if the consumer making the request and the cardholder are one and the same "consumer." Therefore, the proposal defined "cardholder" as a consumer who has been issued a credit or debit card. The preamble to the proposed rules also explained that, because "consumer" is defined in the FCRA as an "individual," 37 the proposed regulations applied to any request for an additional or replacement card by an individual, including a card for a business purpose, such as a corporate card.

Some commenters asked the Agencies to clarify that this definition does not apply to holders of stored value cards, such as payroll and gift cards, or to cards used to access a home equity line of credit. Another commenter urged that the final rules exclude credit and debit cards for a business purpose.

The final rules continue to define "cardholder" as a consumer who has been issued a credit or debit card. Both "credit card" and "debit card" are defined in section 603(r) of the FCRA. 38 The definition of "credit card" is defined by cross-reference to section 103 of the Truth in Lending Act, 15 U.S.C. 1601, et seq. 39 The definition of "debit card" is any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution for the purposes of transferring money between accounts or obtaining money, property, labor, or services. 40

Section 603(r) of the FCRA provides that "account" and "electronic fund transfer" have the same meaning as those terms have in the Electronic Funds Transfer Act (EFTA), 15 U.S.C.

36 See 149 Cong. Rec. E2513 (daily ed. December 8, 2003) (statement of Rep. Oxley) (emphasis added).
37 15 U.S.C. 1681a(c).
38 15 U.S.C. 1681a.
39 See 15 U.S.C. 1681a(r)(2).
40 15 U.S.C. 1681a(r)(3).

63734 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

1693, et seq. The EFTA, and Regulation E, 12 CFR part 205, govern electronic fund transfers. In contrast to section 603(r) of the FCRA, neither the EFTA nor Regulation E defines the term "debit card." Instead, coverage under the EFTA and Regulation E depends upon whether electronic fund transfers can be made to or from an "account," meaning a checking, savings, or other consumer asset account established primarily for personal, family or household purposes.

The Board recently issued a final rule expanding the definition of "account" under Regulation E to cover payroll card accounts. 41 Therefore, a holder of a payroll card is a "cardholder" for purposes of § __.91(b)(1), provided that the card issuer is a "financial institution" as defined in section 603(t) of the FCRA.

The Board decided not to cover other types of prepaid cards as accounts under Regulation E at the time it issued the payroll card rule. Therefore, the definition of "cardholder" does not include the holder of a gift card or other prepaid card product, unless and until the Board elects to cover such cards as accounts under Regulation E.

The definition of "cardholder" would also include a recipient of a home equity loan if the holder is able to access the proceeds of the loan with a credit or debit card within the meaning of 15 U.S.C. 1681a(r).

Identity theft may occur in connection with a card that a consumer uses for a business purpose and may affect the consumer's personal credit standing. Additionally, the definition of "consumer" under the FCRA is simply an "individual." 42 For this reason, the Agencies continue to believe that the protections of this provision must extend to consumers who hold a card for a personal, household, family or business purpose.

Section __.91(b)(2) Clear and conspicuous

The second proposed definition was for the phrase "clear and conspicuous." Proposed § __.91 included a provision that required any written or electronic notice provided by a card issuer to the consumer pursuant to the regulations to be given in a "clear and conspicuous manner." The proposed regulations defined "clear and conspicuous" based on the definition of this phrase found in the Agencies' privacy rules.

The Agencies received no comments on the phrase "clear and conspicuous," and have adopted the definition as proposed in § __.91(b)(2).

Sections __.91(c) and (d) Address Validation

Proposed § __.91(c) simply restated the statutory requirements described above with some minor stylistic changes. A number of commenters noted that the requirements of this section would be difficult and expensive to implement. They stated that millions of address changes are processed every year, though very few turn out to be fraudulent.

By contrast, consumer groups suggested that the final regulations should require the card issuer to notify the consumer of a request for an address change followed by the request for an additional or replacement card, unless there are special circumstances that prevent doing so in a timely manner.

Many commenters recommended that the final rules provide credit and debit card issuers with greater flexibility to verify address changes. For example, they stated it is not clear that an address change linked with a request for an additional card is a significant indicator of identity theft. Therefore, they recommended the rules (1) specifically permit card issuers to satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card; or (2) verify the address whenever a request for an additional or replacement card is made, whether or not the card issuer receives notification of an address change.

One commenter suggested that the rules should only apply to card issuers that receive direct notification of an address change rather than an address change notification from the U.S. Postal Service. The commenter asserted that there is a higher risk of fraud with a direct request for a change of address.

Consumer groups also recommended that the Agencies set a period longer than the 30-day minimum for card issuers to be on alert after an address change request. These commenters recommended that, because of billing cycles and the time it takes to issue a new card, an issuer should be required to assess the validity of an address change if it receives a request for an additional or replacement card within at least 90 days after the request for the address change.

Some commenters asked the Agencies to clarify what "other means" would be acceptable in assessing the validity of a change in address. One commenter

assessing the validity of the change of address in accordance with the policies and procedures the card issuer establishes pursuant to § __.90.

Commenters also asked the Agencies to clarify that the obligation to assess the validity of a request for an address change is not triggered unless the card issuer actually changes the cardholder's address.

Some commenters asked the Agencies to clarify whether electronic notices would be acceptable if the cardholder had previously contracted for electronic communications. Consumer groups recommended electronic notification be permitted only when the consumer consents in accordance with the E-Sign Act.

The Agencies note that the statutory provision being implemented here is quite specific. Congress mandated that the requirements set forth in section 615(e)(1)(C) of the FCRA apply to notifications of changes of address, which would necessarily include both those received directly from consumers and those received from the Postal Service. Congress also statutorily provided various methods to card issuers for assessing the validity of a change of address. 43 Accordingly, the final rules reflect these methods.

Under § __.91(c) of the final rules, a card issuer that receives an address change notification and, within at least 30 days, a request for an additional or replacement card, may not issue an additional or replacement card until it has notified the cardholder or has otherwise assessed the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § __.90. The Agencies have concluded that card issuers should be granted additional flexibility. Therefore, § __.91(d) clarifies that a card issuer may satisfy the requirements of § __.91(c) by validating an address, according to the methods set forth in § __.91(c)(1) or (2), when it receives an address change notification, before it receives a request for an additional or replacement card. The rules do not require a card issuer that issues an additional or replacement card to validate an address whenever it receives a request for such a card, because section 114 only requires the validation of an address when the card issuer also has received a notification of a change of address.

43 See S. Rep. No. 108–166 at 14 (October 17, 2003) (accompanying S. 1753) (stating that a card
issuer may rely on authentication procedures that
stated that it is not cost effective to do not involve a separate communication with the
41 See 71 FR 51,437 (August 10, 2006). contact the customer, therefore, most cardholder so long as the issuer has reasonably
42 15 U.S.C. 1681a(c). card issuers would use ‘‘other means’’ of assessed the validity of the address change.)

VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63735
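The § _.91(c) hold and the § _.91(d) alternative can be expressed as a single issuance decision that a card issuer's fraud controls would apply before an additional or replacement card leaves the building. The following Python is an added example and is not part of the Federal Register text or of any agency's guidance; the record types, the field names (validated_at_receipt, rejected_as_fraudulent, assessed_for_this_request), the configurable alert window and the sample dates are assumptions constructed for illustration. It also covers two points the discussion returns to on the following page: an issuer may choose a window longer than the 30-day minimum, and a change request the issuer already rejected as fraudulent (so the address was never changed) creates no obligation.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class AddressChangeNotification:
    """One change-of-address notification received by the card issuer (constructed type)."""
    received: date
    # § _.91(d): the issuer validated the address when the notification arrived,
    # before any request for an additional or replacement card
    validated_at_receipt: bool = False
    # the issuer decided the request was fraudulent and never changed the address
    rejected_as_fraudulent: bool = False


@dataclass
class CardholderRecord:
    cardholder_id: str
    address_changes: List[AddressChangeNotification] = field(default_factory=list)


def replacement_card_decision(
    record: CardholderRecord,
    request_date: date,
    assessed_for_this_request: bool = False,
    alert_window_days: int = 30,
) -> Tuple[str, str]:
    """Decide whether an additional or replacement card may be issued now.

    Implements the § _.91(c) hold: if an address change notification arrived
    within ``alert_window_days`` (the rule's minimum is 30) before the request,
    the card is held until the issuer has notified the cardholder or otherwise
    assessed the validity of the change. ``assessed_for_this_request`` is set
    once that assessment has been done under the issuer's § _.90 procedures.
    Returns ("ISSUE", reason) or ("HOLD", reason).
    """
    window_start = request_date - timedelta(days=alert_window_days)
    pending = []
    for change in record.address_changes:
        if not (window_start <= change.received <= request_date):
            continue  # outside the window: the rule imposes no hold
        if change.rejected_as_fraudulent:
            continue  # address never changed, so no assessment is required
        if change.validated_at_receipt:
            continue  # § _.91(d): validation at notification time already satisfies § _.91(c)
        pending.append(change)

    if not pending:
        return "ISSUE", "no unvalidated address change inside the alert window"
    if assessed_for_this_request:
        return "ISSUE", "address change assessed before issuance"
    return "HOLD", (
        f"{len(pending)} unvalidated address change(s) received within "
        f"{alert_window_days} days; notify the cardholder or assess validity first"
    )


def demo() -> List[Tuple[str, str]]:
    """Constructed sample cases; returns the decisions in order."""
    changed = CardholderRecord("c-001", [AddressChangeNotification(date(2007, 11, 1))])
    validated = CardholderRecord(
        "c-002", [AddressChangeNotification(date(2007, 11, 1), validated_at_receipt=True)]
    )
    rejected = CardholderRecord(
        "c-003", [AddressChangeNotification(date(2007, 11, 1), rejected_as_fraudulent=True)]
    )
    return [
        replacement_card_decision(changed, date(2007, 11, 20)),                        # HOLD
        replacement_card_decision(changed, date(2007, 11, 20), True),                  # ISSUE
        replacement_card_decision(changed, date(2008, 1, 15)),                         # ISSUE (>30 days)
        replacement_card_decision(changed, date(2008, 1, 15), alert_window_days=90),   # HOLD (issuer chose 90)
        replacement_card_decision(validated, date(2007, 11, 20)),                      # ISSUE
        replacement_card_decision(rejected, date(2007, 11, 20)),                       # ISSUE
    ]


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision}: {reason}")
```

The window is a parameter rather than a constant because the rule sets only a minimum; an issuer whose own identity-theft experience argues for a longer period can raise it without touching the decision logic, which is the diligence the text asks for.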

The Agencies also revised § _.91 to clarify that a card issuer must provide to the cardholder a “reasonable” means of promptly reporting incorrect address changes whenever the card issuer notifies the cardholder of the request for an additional or replacement card. 44

The Agencies declined to adopt the recommendation that an issuer assess the validity of an address change if it receives a request for an additional or replacement card within “at least 90 days” after an address change notification, as “at least 30 days” may be a reasonable period of time in some cases. However, a card issuer that does not validate an address when it receives an address change notification may find it prudent to validate the address before issuing an additional or replacement card, even when it receives a request for such a card more than 30 days after the notification of address change. In sum, the Agencies expect card issuers to exercise diligence commensurate with their own experiences with identity theft.

The Agencies also confirm that a card issuer is not obligated to assess the validity of a notification of an address change after receiving a request for an additional or replacement card if it previously determined not to change the cardholder’s address because the address change request was fraudulent. 45

Section _.91(e) Form of Notice

In the preamble to the proposed rules, the Agencies noted that Congress had singled out this scenario involving card issuers and placed it in section 114 because it is perceived to be a possible indicator of identity theft. To highlight the important and urgent nature of notice that a consumer receives from a card issuer pursuant to § _.91(c), the Agencies also proposed requiring that any written or electronic notice that a card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder. The preamble to the proposed rules stated that a card issuer could also provide notice orally, in accordance with the policies and procedures the card issuer has established.

A few commenters recommended that this proposed requirement apply only if the issuer notifies the cardholder of the change of address request at the cardholder’s former address. These commenters stated that, otherwise, the provision would prohibit other types of notices, such as those in periodic statements. Another commenter stated that this provision was not necessary because card issuers would send such notices separately in any event.

The Agencies are not convinced that such a notice would be provided separately from a card issuer’s regular correspondence with the cardholder unless required. Moreover, the Agencies do not agree that this requirement should apply only if a card issuer chooses to notify the cardholder of the change of address request at the cardholder’s former address in accordance with § _.91(c)(1). Even where the card issuer and cardholder agree to some other means for notice, this alternative means does not change the important nature of the notice. Therefore, § _.91(e) of the final rules provides that any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous, and provided separately from its regular correspondence with the cardholder.

III. Section 315 of the FACT Act

A. Background

Section 315 of the FACT Act amends section 605 of the FCRA, 15 U.S.C. 1681c, by adding a new subsection (h). Section 605(h)(1) requires that, when providing a consumer report to a person that requests the report (the user), a nationwide consumer reporting agency, as defined in section 603(p) of the FCRA, (CRA) must provide a notice of the existence of a discrepancy if the address provided by the user in its request “substantially differs” from the address the CRA has in the consumer’s file.

Section 605(h)(2) requires the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures a user of a consumer report should employ when the user receives a notice of address discrepancy. These regulations must describe reasonable policies and procedures for a user of a consumer report to employ to (i) enable it to form a reasonable belief that the user knows the identity of the person for whom it has obtained a consumer report, and (ii) reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.

B. Section-by-Section Analysis

Section _.82(a) Scope

Proposed § _.82(a) noted that the scope of section 315 differs from the scope of section 114 and explained that section 315 applies to “users of consumer reports” and “persons requesting consumer reports” (hereinafter referred to as “users”), as opposed to financial institutions and creditors. Therefore, section 315 does not apply to a financial institution or creditor that does not use consumer reports. The Agencies did not receive any comments on this section and have adopted it as proposed in the final rules.

Section _.82(b) Definition

Proposed § _.82(b) defined “notice of address discrepancy” as “a notice sent to a user of a consumer report by a CRA pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer provided by the user in requesting the consumer report and the address or addresses the CRA has in the consumer’s file.” 46

In the preamble to the proposed rules, the Agencies noted that section 605(h)(1) requiring CRAs to provide notices of address discrepancy became effective on December 1, 2004. To the extent CRAs each have developed their own standards for delivery of notices of address discrepancy, the proposal noted that it is important for users to be able to recognize and receive notices of address discrepancy, especially if they are being delivered electronically by CRAs. For example, CRAs may provide consumer reports with some type of a code to indicate an address discrepancy. Users must be prepared to recognize the code as an indication of an address discrepancy.

While some commenters agreed with the proposed definition, a number of commenters suggested that the Agencies clarify that only a “substantial” discrepancy would trigger the requirements in this provision and that obvious errors would not. Some commenters also suggested that the Agencies provide examples of what constitutes a “substantial difference.” One commenter stated that users should be able to determine when there is a substantial difference.

44 See S. Rep. No. 108–166 at 14 (October 17, 2003) (accompanying S. 1753) (stating that a means of reporting an incorrect change could be through the mail, by telephone, or electronically.)
45 This position is consistent with the legislative history of this section. See S. Rep. No. 108–166 at 14 (Oct. 17, 2003) (accompanying S. 1753) (stating that it would not be necessary for the card issuer to take these steps “if, despite receiving a request for an address change, the issuer did not actually change the cardholder’s address for any reason (e.g., the card issuer had previously determined that the request for an address change was invalid)”).
46 All other terms used in this section have the same meanings as set forth in the FCRA (15 U.S.C. 1681a).

As noted earlier, section 605(h)(1) requires a CRA to send a notice of address discrepancy when it determines that the address provided to the CRA by a user “substantially differs” from the address the CRA has in the consumer’s file. The phrase “substantially differs” is not defined in the statute. Instead, the statute allows each CRA to construe this phrase as it chooses and, accordingly, to set the standard it will use to determine when it will send a notice of address discrepancy.

As required by section 605(h)(2), this rulemaking focuses on the obligations of users that receive a notice of address discrepancy from a CRA. The statute does not indicate that the Agencies are to define the phrase “substantially differs” for CRAs or to permit users to define that phrase themselves. Therefore, the final rules adopt the proposed definition of “notice of address discrepancy” without change.

Section _.82(c) Requirement to form a reasonable belief

Proposed § _.82(c) implemented the requirement in section 605(h)(2)(B)(i) that the Agencies prescribe regulations describing reasonable policies and procedures to enable the user to form a reasonable belief that the user knows “the identity of the person to whom the consumer report pertains” when the user receives a notice of address discrepancy. Proposed § _.82(c) stated that a user must develop and implement reasonable policies and procedures for “verifying the identity of the consumer for whom it has obtained a consumer report” whenever it receives a notice of address discrepancy. The proposal stated further that these policies and procedures must be designed to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report, or determine that it cannot do so.

A number of commenters stated that the statutory requirement that a user form a reasonable belief that it knows the identity of the consumer for whom it obtained a consumer report should only apply in situations where the user establishes a continuing relationship with the consumer.

A consumer group suggested that the language in the proposed regulation permitting a user to determine that it cannot form a reasonable belief of the identity of the consumer should be deleted because the statute specifically requires a reasonable belief to be formed. This commenter stated that the purpose of the statute was to reduce the number of new accounts opened using false addresses, and that permitting a user to satisfy its obligations under the regulations by simply determining it cannot form a reasonable belief would allow the user to open an account, effectively rendering the statute meaningless.

The purpose of section 315 is to enhance the accuracy of consumer information, specifically to ensure that the user has obtained the correct consumer report for the consumer about whom it has requested such a report. To implement this concept more clearly, § _.82(c) of the final rules provides that a user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report when the user receives a notice of address discrepancy.47

The Agencies do not agree with commenters who suggested that the proposed provision should apply only in connection with the establishment of a continuing relationship with a consumer, in other words, when a user is opening a new account. The statutory requirement in section 605(h)(2)(B)(i) that a user form a reasonable belief that it knows the identity of the consumer for whom it obtained a consumer report applies whether or not the user subsequently establishes a continuing relationship with the consumer. This is in contrast to the additional statutory requirement in section 605(h)(2)(B)(ii) that a user reconcile the address of the consumer with the CRA, only when the user establishes a continuing relationship with the consumer.

In addition, a user may receive a notice of address discrepancy with a consumer report, both in connection with the opening of an account and in other circumstances when the user already has a relationship with the consumer, such as when the consumer applies for an increased credit line. The Agencies believe it is important for a user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report in both of these cases. Accordingly, the final rules do not limit this provision solely to the establishment of new accounts.

Proposed § _.82(c) also provided that if a user employs the policies and procedures regarding identification and verification set forth in the CIP rules,48 it would satisfy the requirement to have policies and procedures to verify the identity of the consumer. This provision took into consideration the fact that many users already may be subject to the CIP rules, and have in place procedures to comply with those rules, at least with respect to the opening of accounts. Thus, a user could rely upon its existing CIP policies and procedures to satisfy this requirement, so long as it applied them in all situations where it receives a notice of address discrepancy. The proposal also stated that any user, such as a landlord or employer, may adopt the CIP rules and apply them in all situations where it receives a notice of address discrepancy to meet this requirement, even if it is not subject to a CIP rule.

The Agencies requested comment on whether the CIP procedures would be sufficient to enable a user that receives a notice of address discrepancy with a consumer report to form a reasonable belief that it knows the identity of the consumer for whom it obtained the report, both in connection with the opening of an account, as well as in other circumstances where a user obtains a consumer report, such as when a user requests a consumer report to determine whether to increase the consumer’s credit line, or in the case of a landlord or employer, to determine a consumer’s eligibility to rent housing or for employment.

Many commenters supported the use of CIP to satisfy this requirement. Some commenters, however, asked the Agencies to clarify that once a consumer’s identity was verified using CIP, it would not be necessary to re-verify that consumer’s identity under this provision.

Some commenters found the proposal’s preamble language confusing. These commenters did not understand why a user would need to use its CIP policies in every situation where a notice of address discrepancy was received in order to comply with this requirement; they felt that it might be possible to form a reasonable belief without using CIP in some circumstances.

Other commenters noted that the CIP rules, which were issued for different purposes, are not the appropriate standard for investigating a consumer’s identity after a notice of address discrepancy because those rules permit verification of an address to occur after an account is opened and do not require contacting the consumer. One commenter stated that it was not clear whether a user relying on the CIP rules to satisfy the obligations under the regulation must comply with some or all of the requirements in the CIP rules,

47 The Agencies acknowledge that an address discrepancy also may be an indicator of identity theft. To address this problem, the Agencies included address discrepancies as an example of a Red Flag in connection with the Identity Theft Red Flag regulations.
48 See, e.g., 31 CFR 103.121(b)(2)(i) and (ii).

including those that require policies and procedures to address circumstances when a user cannot form a reasonable belief it knows the identity of the consumer.

The Agencies believe that comparing information provided by a CRA to information the user obtains and uses (or has obtained and used) to verify a consumer’s identity pursuant to the requirements set forth in the CIP rules is an appropriate way to satisfy this obligation, particularly in connection with the opening of a new account. However, when a user receives a notice of address discrepancy in connection with an existing account, after already having identified and verified the consumer in accordance with the CIP rules, the Agencies would not expect a user to employ the CIP procedures again. To address this issue and provide users with flexibility, § _.82(c) of the final rule provides examples of reasonable policies and procedures that a user may employ to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. These examples include comparing information provided by the CRA with information the user: (1) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the CIP rules; (2) maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or (3) obtains from third-party sources. Another example is to verify the information in the consumer report provided by the CRA with the consumer.

If a user cannot establish a reasonable belief that the consumer report relates to the consumer about whom it has requested the report, the Agencies expect the user will not use that report. While section 605(h)(2)(B)(i) is silent on this point, other laws may be applicable in such a situation. For example, in the case of account openings, a user that is subject to the CIP rules generally will need to document how it has resolved the discrepancy between the address provided by the consumer and the address in the consumer report.49 If the user cannot establish a reasonable belief that it knows the true identity of the consumer, it will need to implement the policies and procedures for addressing these circumstances as required by the CIP rules, which may involve not opening an account or closing an account.50 If a user is a “financial institution” or “creditor” as defined by the FCRA, a notice of address discrepancy may be a Red Flag and require an appropriate response to prevent and mitigate identity theft under the user’s Identity Theft Prevention Program.

Section _.82(d)(1) Requirement To Furnish Consumer’s Address to a Consumer Reporting Agency

Proposed § _.82(d)(1) provided that a user must develop and implement reasonable policies and procedures for furnishing to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the following three conditions are satisfied.

The first condition, in proposed § _.82(d)(1)(i), was that the user must be able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained. This condition would have ensured the user would furnish a new address for the consumer to the CRA only after the user had formed a reasonable belief that it knew the identity of the consumer, using the policies and procedures set forth in paragraph § _.82(c).

The second condition, in proposed § _.82(d)(1)(ii), was that the user furnish the address to the CRA if it establishes or maintains a continuing relationship with the consumer. Section 315 specifically requires that the user furnish the consumer’s address to the CRA if the user establishes a continuing relationship with the consumer. Therefore, proposed § _.82(d)(1)(ii) reiterated this requirement. However, because a user also may obtain a notice of address discrepancy in connection with a consumer with whom it already has an existing relationship, the proposal also provided that the user must furnish the consumer’s address to the CRA from whom the user has received a notice of address discrepancy when the user maintains a continuing relationship with the consumer.

Finally, the third condition, in proposed § _.82(d)(1)(iii), provided that if the user regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained, the consumer’s address must be communicated to the CRA as part of the information the user regularly provides.

A majority of commenters recommended that the requirement to furnish a confirmed address should not apply to existing accounts. These commenters maintained that such a requirement would exceed the scope of the statute. They also noted that users often do not obtain full consumer reports for existing customers—just credit scores. These commenters noted that limited reports often do not contain an address for a customer. Some commenters also felt existing relationships should be excluded because users already would have verified a consumer’s address at the time of account opening.

The Agencies have modified this section as follows. The final rules continue to provide that a user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the CRA when three conditions are present. The first condition, in § _.82(d)(1)(i), has been revised to be consistent with the earlier changes in section § _.82(c) that focus more narrowly on accuracy and require that a user form a reasonable belief that a consumer report relates to the consumer about whom it requested the report. The second condition, in § _.82(d)(1)(ii), now applies only to new accounts and states that a confirmed address must be furnished if the user “establishes” a continuing relationship with the consumer. The reference to “or maintains” a continuing relationship has been deleted. The Agencies agree with commenters that section 605(h)(2)(B)(ii) does not require the reporting of a confirmed address to a CRA in connection with existing relationships. The Agencies have concluded that users are more likely than a CRA to have an accurate address for an existing customer and, therefore, should not be required by these rules to take additional steps to confirm the accuracy of the customer’s address. Users already have an ongoing duty to correct and update information for their existing customers under section 623 of the FCRA, 15 U.S.C. 1681s–2. Accordingly, under the final rules, the obligation to furnish a confirmed address for the consumer to the CRA is applicable only to new relationships. The third condition, in § _.82(d)(1)(iii), has been adopted in the final rule without substantive change.

Section _.82(d)(2) Requirement To Confirm Consumer’s Address

In the preamble to the proposal, the Agencies noted that section 315 requires them to prescribe regulations describing reasonable policies and procedures for a user “to reconcile the address of the consumer” about whom it has obtained a notice of address discrepancy with the CRA “by furnishing such address” to the CRA. (Emphasis added.) The

49 See, e.g., 31 CFR 103.121(b)(3)(i)(D).
50 See, e.g., 31 CFR 103.121(b)(2)(iii).

Agencies noted that, even when the user purpose. The Agencies believe the the user both establishes a continuing
is able to form a reasonable belief that options for confirmation listed in the relationship with the consumer and
it knows the identity of the consumer, regulation provide sufficient flexibility forms a reasonable belief that it knows
there may be many reasons the initial for users to confirm consumers’ the identity of the consumer to whom
address furnished by the consumer is addresses. For this reason, they have the consumer report relates. Typically,
incorrect. For example, a consumer may been adopted in the final rule as the CIP rules permit an account to be
have provided the address of a proposed, with minor technical opened (i.e., relationship to be
secondary residence or inadvertently changes. Section l.82(d)(2)(i) has been established) if certain identifying
reversed a street number. To ensure that revised to conform the language with information is provided. Verification to
the address furnished to the CRA is § l.82(c). Section l.82(d)(2)(ii) has establish the true identity of the
accurate, the Agencies proposed to been revised to emphasize the customer is required within a
interpret the phrase, ‘‘such address,’’ as verification of the consumer’s address reasonable period of time after the
an address the user has reasonably rather than the review of the user’s account has been opened. As explained
confirmed is accurate. This records to determine whether the in the preamble to the proposed rules,
interpretation would have required a address given by the consumer is the to satisfy the requirements of both
user to take steps to ‘‘reconcile’’ the same. § l.82(d)(1) and § l.82(d)(3)(i), a user
address it initially received from the Section l.82(d)(3) Timing employing the CIP rules would have to
consumer when it receives a notice of verify the identity of the consumer
address discrepancy, rather than simply Section 315 specifies when a user
must furnish the consumer’s address to using the identifying information it
furnishing the initial address it received obtained in accordance with the CIP
from the consumer to the CRA. the CRA. It states that this information
must be furnished for the reporting rules within the same reporting period
Proposed § l.82(d)(2) contained the that the user opens the account and
period in which the user’s relationship
following list of illustrative measures establishes a continuing relationship
with the consumer is established.
that a user may employ to reasonably with the consumer.
Accordingly, proposed § l.82(d)(3)(i)
confirm the accuracy of the consumer’s The Agencies requested comment on
stated that, with respect to new
address: whether the timing for responding to
• Verifying the address with the relationships, the policies and
procedures a user develops in notices of address discrepancy received
person to whom the consumer report
pertains; accordance with § l.82(d)(1) must in connection with newly established
• Reviewing its own records of the provide that a user will furnish the relationships and in connection with
address provided to request the consumer’s address that it has circumstances other than newly
consumer report; reasonably confirmed to the CRA as part established relationships is appropriate.
• Verifying the address through third- of the information it regularly furnishes One commenter objected to the
party sources; or for the reporting period in which it requirement that a user employing the
• Using other reasonable means. establishes a relationship with the CIP rules would have to both establish
The Agencies solicited comment on consumer. a continuing relationship and a
whether these examples were necessary, The proposed rule also addressed reasonable belief that it knows the
or whether different or additional other situations when a user may consumer’s identity during the same
examples should be listed. receive a notice of address discrepancy. reporting period. A few commenters
A number of commenters stated that Proposed § l.82(d)(3)(ii) stated that in noted that the timing for reporting
requiring a user to confirm the address furnished exceeded the scope of the statute. They asserted that the benefit of improvements in the accuracy of addresses and the prevention of identity theft would not outweigh the additional burden of this requirement. A few commenters noted that complying with the CIP rules should be sufficient to verify the address. Commenters also felt that users should have the flexibility to establish their own validation processes based on risk.

As stated earlier, the Agencies believe the purpose of the statute is to enhance the accuracy of information relating to consumers by requiring the user to furnish an address that the user has reasonably confirmed is accurate.51 Simply providing the CRA with the initial address supplied to the user by the consumer, and which caused the CRA to send a notice of address discrepancy, would not serve this

other circumstances, such as when the user already has an existing relationship with the consumer, the user should furnish this information for the reporting period in which the user has reasonably confirmed the accuracy of the address of the consumer for whom it has obtained a consumer report.

The Agencies also noted that, in order to satisfy the requirements of both § __.82(d)(1) and § __.82(d)(3)(i), a user employing the CIP rules would have to establish a continuing relationship and verify the identity of the consumer during the same reporting period.

The Agencies recognized the timing provision for newly established relationships could be problematic for users hoping to take full advantage of the flexibility in timing for verification of identity afforded by the CIP rules. As required by statute, proposed § __.82(d)(3)(i) stated that the reconciled address must be furnished for the reporting period in which the user establishes a relationship with the consumer. Proposed § __.82(d)(1), which also mirrored the requirement of the statute, required the reconciled address to be furnished to the CRA only when

should simply be "reasonable," such as the next reporting cycle.

Because the Agencies have determined that the requirement to furnish a confirmed address will apply only to newly established accounts, the Agencies have revised § __.82(d)(3) to remove the references to the timing for furnishing reports in connection with other accounts, contained in the proposal. The final rules reflect the language in section 605(h)(2)(B)(ii), and state that a user's policies and procedures must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

A timing issue still exists for a user that chooses to compare the information in the consumer report with information that the user obtains and uses to verify the consumer's identity in accordance with the CIP rules for the purpose of forming a reasonable belief that a consumer report relates to the consumer

51 This requirement is consistent with the legislative history which provides that this section is intended to obligate the user to utilize reasonable policies and procedures to resolve discrepancies. See H.R. Rep. No. 108–263 at 46 (Sept. 4, 2003) (accompanying H.R. 2622).

about whom it has requested the report. However, the Agencies believe that the benefits of being able to use CIP for this purpose should outweigh any additional burden of having to establish a reasonable belief that a consumer report relates to the consumer about whom it has requested the report within the same reporting period that the user opens the account and establishes a continuing relationship with the consumer.

IV. General Provisions

The OCC, the Board, the FDIC, the OTS, and the NCUA 52 proposed to amend the first sentence in § __.3, which contains the definitions that are applicable throughout this part. This sentence stated that the list of definitions in § __.3 apply throughout the part "unless the context requires otherwise." These agencies proposed to amend this introductory sentence to make clear that the definitions in § __.3 apply "for purposes of this part, unless explicitly stated otherwise." Thus, these definitions apply throughout the part unless defined differently in an individual subpart. There were no comments on this proposal, and the change to § __.3 is adopted as proposed.

OTS proposed nonsubstantive, technical changes to its rule sections on purpose and scope (§ 571.1) and disposal of consumer information (§ 571.83). OTS explained that these changes were necessary in light of the proposed incorporation of the address discrepancy section into subpart I. There were no comments on these proposed changes and they are adopted substantially as proposed. Further, since these changes render the definition of "you" in § 571.3(o) superfluous, OTS is removing that definition.

The OCC's final rules add a purpose section at § 41.1. The final rules are simply restoring the purpose section of part 41 that was inadvertently deleted when "subpart D-Medical Information" was added to this part.

V. Effective Date

The Agencies received a number of comments regarding the effective date of the final regulations and guidelines, although the proposed rulemaking did not address this issue. While consumer groups recommended that the effective date for compliance with the regulations be the minimum time allowed by law, many financial institutions and other creditors requested the time for compliance be extended from between 12 to 24 months from issuance of the final rules. These commenters felt they needed time to take an inventory of their existing systems and develop new programs necessary for compliance. Some commenters noted that they likely would use technological solutions to comply with the rules and that it is necessary to schedule such projects well in advance. Commenters also noted that compliance with the final rules may require systemic and operational changes across business lines and could affect relationships with vendors and third party service providers that would require time to change.

Neither section 114 nor section 315 of the FACT Act specifically addresses the effective date of the regulations issued pursuant to these sections. Under the Administrative Procedure Act (APA), 5 U.S.C. 553(d), agencies must generally publish a substantive rule not less than 30 days before its effective date. In addition, under section 302 of the Riegle Community Development and Regulatory Improvement Act of 1994 (CDRIA),53 rules issued by the Federal banking agencies that impose additional reporting, disclosure, or other new requirements on financial institutions generally will take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in the Federal Register. Because these final rules are substantive and impose additional requirements on financial institutions, the Agencies have provided for an effective date of [January 1, 2008], consistent with the APA and CDRIA.

At the same time, the Agencies have determined that it is appropriate to provide all covered entities with a delayed compliance date of November 1, 2008, to comply with the requirements of the final rulemaking. Some financial institutions and creditors already employ a variety of measures that satisfy the requirements of the final rulemaking because these are usual and customary business practices to minimize losses due to fraud, or as a result of already complying with other existing regulations and guidance that relate to information security, authentication, identity theft, and response programs. However, the Agencies recognize that these entities may still need time to evaluate their existing programs, and to integrate appropriate elements from them into the Program and into the policies and procedures required by this final rulemaking. Further, the Agencies recognize that some covered entities have not previously been subject to any related regulations or guidance, and thus may need more time to implement the final rules and guidelines. Therefore, the Agencies are providing covered entities with a transition period to comply with the requirements contained in the final rulemaking.

VI. Regulatory Analysis

A. Paperwork Reduction Act

In accordance with the requirements of the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq., 5 CFR part 1320 Appendix A.1), the Agencies have reviewed the final rulemaking and determined that it contains collections of information subject to the PRA. The Board made this determination under authority delegated to the Board by the Office of Management and Budget (OMB). The information collection requirements in the final rulemaking may be found in 12 CFR 41.82, 41.90, 41.91, 222.82, 222.90, 222.91, 334.82, 334.90, 334.91, 571.82, 571.90, 571.91, 717.82, 717.90, and 717.91; and 16 CFR 681.1, 681.2, and 681.3.

An agency may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid OMB control number. The information collection requirements contained in this joint final rule were submitted by the OCC, FDIC, OTS, NCUA, and FTC to OMB for review and approval under the Paperwork Reduction Act of 1995. OMB assigned the following control numbers to the collections of information: OMB Control Nos. 1557–0237 (OCC), 3064–0152 (FDIC), 1550–0113 (OTS), 3133–0175 (NCUA), and 3084–0137 (FTC). The Board's OMB Control No. is 7100–0308.54

Description of the Collection

Section 114: The proposed rules implementing section 114 required each financial institution and creditor to (1) create an Identity Theft Prevention Program (Program); (2) report to the board of directors, a committee thereof or senior management, at least annually, on compliance with the proposed regulations; and (3) train staff to implement the Program.

In addition, the proposed rules required each credit and debit card issuer (card issuer) to establish policies and procedures to (1) assess the validity

52 The equivalent language for the FTC already exists in 16 CFR 603.1.
53 Pub. L. 103–325; 12 U.S.C. § 4802(b).
54 The information collections (ICs) in this rule will be incorporated with the Board's Disclosure Requirements Associated with Regulation V (OMB No. 7100–0308). The burden estimates provided in this rule pertain only to the ICs associated with this final rulemaking. The current OMB inventory for Regulation V is available at: http://www.reginfo.gov/public/do/PRAMain.

of a change of address notification before honoring a request for an additional or replacement card received during at least the first 30 days after it receives the notification; and (2) notify the cardholder in writing, electronically, or orally, or use another means of assessing the validity of the change of address.

Section 315: The proposed rules implementing section 315 required each user of consumer reports to (1) develop reasonable policies and procedures it would employ when it receives a notice of address discrepancy from a CRA; and (2) to furnish an address the user reasonably confirmed is accurate to the CRA from which it receives a notice of address discrepancy.

The information collections in the final rulemaking are the same as those in the proposal.

Comments Received

The Agencies sought comment on the burden estimates for the information collections described in the proposal. The Agencies received approximately 129 comments on the proposed rulemaking. Most commenters maintained that the proposal would impose additional regulatory burden and asserted that the estimates of the cost of compliance should be considerably higher than the Agencies projected. A few of these commenters specifically addressed PRA burden; however, they did not provide specific estimates of additional burden hours that would result from the proposal. Some of these commenters stated that staff training estimates were significantly underestimated. Other commenters stated that the costs of compliance failed to consider the cost to third-party service providers that the commenters characterized as being required to implement the Program.

Explanation of Burden Estimates Under the Final Rulemaking

The Agencies believe that many of the comments received regarding burden stemmed from commenters' misreading of the requirements of the proposed rulemaking. The final rulemaking clarifies these requirements, including those that relate to the information collections. It also differs from the proposal as described below.

The Agencies continue to believe that most covered entities already employ a variety of measures to detect and address identity theft that are required by section 114 of the final rulemaking because these are usual and customary business practices that they employ to minimize losses due to fraud. In addition, the Agencies believe that many financial institutions and creditors already have implemented some of the requirements of the final rules implementing section 114 as a result of having to comply with other existing regulations and guidance, such as the CIP regulations implementing section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l), that require verification of the identity of persons opening new accounts,55 the Information Security Standards that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w,56 and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.57 The final rulemaking underscores the ability of a financial institution or creditor to incorporate into its Program its existing processes that control reasonably foreseeable risks to customers or to its own safety and soundness from identity theft, such as those already developed in connection with the covered entity's fraud prevention program. Thus, the burden estimate attributable to the creation of a Program is unchanged.

The final rulemaking also clarifies that only relevant staff need be trained to implement the Program, as necessary—meaning that staff already trained, for example, as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as necessary. Despite this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours.

The Agencies' estimates attribute all burden to covered entities, which are entities directly subject to the requirements of the final rulemaking. A covered entity that outsources activities to a third-party service provider is, in effect, reallocating to that service provider the burden that it would otherwise have carried itself. Under these circumstances, burden is, by contract, shifted from the covered entity to the service provider, but the total amount of burden is not increased. Thus, third-party service provider burden is already included in the burden estimates provided for covered entities.

The Agencies continue to believe that card issuers already assess the validity of change of address requests and, for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Further, as commenters requested, the final rulemaking clarifies that card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, before a request for an additional or replacement card. Therefore, the estimates attributable to this portion of the rulemaking are unchanged.

Regarding the final rules implementing section 315, the Agencies recognize that users of consumer reports will need to develop policies and procedures to employ upon receiving a notice of address discrepancy in order to: (1) ensure that the user has obtained the correct consumer report for the consumer; and (2) confirm the accuracy of the address the user furnishes to the CRA. However, under the final rules, a user only must furnish a confirmed address to a CRA for new relationships. Thus, the required policies and procedures will no longer need to address the furnishing of confirmed addresses for existing relationships, and users will not need to furnish to the CRA in connection with existing relationships an address the user reasonably confirmed is accurate.

The Agencies believe that users of credit reports covered by the final rules,

55 See, e.g., 31 CFR 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR 103.122 (broker-dealers); 31 CFR 103.123 (futures commission merchants).
56 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A and B, and 12 CFR 717 (credit unions); 16 CFR part 314 (financial institutions that are not regulated by the Board, FDIC, NCUA, OCC and OTS).
57 See, e.g., 12 CFR part 30, supp. A to app. B (national banks); 12 CFR part 208, supp. A to app. D–2 and part 225, supp. A to app. F (state member banks and holding companies); 12 CFR part 364, supp. A to app. B (state non-member banks); 12 CFR part 570, supp. A to app. B (savings associations); 12 CFR 748, app. A and B (credit unions); Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook's Information Security Booklet (the "IS Booklet") available at http://www.ffiec.gov/guides.htm; FFIEC "Authentication in an Internet Banking Environment" available at http://www.ffiec.gov/pdf/authentication_guidance.pdf; Board SR 01–11 (Supp) (Apr. 26, 2001) available at: http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm; "Guidance on Identity Theft and Pretext Calling," OCC AL 2001–4 (April 30, 2001); "Identity Theft and Pretext Calling," OTS CEO Letter #139 (May 4, 2001); NCUA Letter to Credit Unions 01–CU–09, "Identity Theft and Pretext Calling" (Sept. 2001); OCC 2005–24, "Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents," (July 1, 2005); "Phishing and E-mail Scams," OTS CEO Letter #193 (Mar. 8, 2004); NCUA Letter to Credit Unions 04–CU–12, "Phishing Guidance for Credit Unions" (Sept. 2004).

on a regular basis, already furnish information to CRAs in response to notices of address discrepancy because it is a usual and customary business practice—except in connection with new deposit relationships. For the proposed rulemaking, the Agencies had estimated that there would be no implementation burden associated with furnishing confirmed addresses to CRAs. However, as the result of additional research, the Agencies now believe that some burden should be attributable to this collection, to account for information furnished to CRAs for new deposit relationships. Because this burden is offset by the reduction in burden described above, the estimates for the collections attributable to the final rules implementing section 315 remain unchanged.

The Agencies continue to believe that 25 hours to develop a Program, four hours to prepare an annual report, four hours to develop policies and procedures to assess the validity of changes of address, and four hours to develop policies and procedures to respond to notices of address discrepancy, are reasonable estimates.

The potential respondents are national banks and Federal branches and agencies of foreign banks and certain of their subsidiaries (OCC); state member banks, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations (Board); insured nonmember banks, insured state branches of foreign banks, and certain of their subsidiaries (FDIC); savings associations and certain of their subsidiaries (OTS); Federally-chartered credit unions (NCUA); state-chartered credit unions, non-bank lenders, mortgage brokers, motor vehicle dealers, utility companies, and any other person that regularly participates in a credit decision, including setting the terms of credit (FTC).

Burden Estimates

The Agencies estimate the annual burden per respondent is 41 hours (25 hours to develop a Program, four hours to prepare an annual report, four hours for training, four hours for developing policies and procedures to assess the validity of changes of address, and four hours for developing policies and procedures to respond to notices of address discrepancy). The Agencies attribute total burden to covered entities as follows:

OCC:
Number of respondents: 1,806.
Total estimated annual burden: 74,046.

Board:
Number of respondents: 1,172.
Total Estimated Annual Burden: 48,052.

FDIC:
Number of respondents: 5,260.
Total Estimated Annual Burden: 215,660 hours.

OTS:
Number of respondents: 832.
Total Estimated Annual Burden: 34,112.

NCUA:
Number of respondents: 5,103.
Total Estimated Annual Burden: 209,223.

FTC Estimated Burden:58

Section 114:

Estimated Hours Burden:

As discussed above, the final regulations require financial institutions and creditors to conduct a risk assessment periodically to determine whether they have covered accounts, which include, at a minimum, consumer accounts. If the financial institutions and creditors determine that they have covered accounts, the final regulations require them to create a written Identity Theft Prevention Program (Program) and they should report to the board of directors, a committee thereof, or senior management at least annually on compliance with the final regulations.

The FCRA defines "creditor" to have the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA).59 Under Regulation B, which implements the ECOA, a creditor means a person who regularly participates in a credit decision, including setting the terms of credit. Regulation B defines credit as a transaction in which the party has a right to defer payment of a debt, regardless of whether the credit is for personal or commercial purposes.60

Given the broad scope of entities covered, it is difficult to determine precisely the number of financial institutions and creditors that are subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the proposed regulations implementing section 114 will affect over 3,500 financial institutions 61 and over 11 million creditors 62 subject to the FTC's jurisdiction, for a combined total of approximately 11.1 million affected entities. As detailed below, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance was sought will be 4,466,000 hours (rounded to the nearest thousand). The estimated annual labor cost associated with this burden is $142,925,000 (rounded to the nearest thousand).

For the proposed rule, FTC staff had divided affected entities into two categories: entities that are subject to a high risk of identity theft and entities that are subject to a low risk of identity theft. Based on comments as well as changes in the final rule, FTC staff believes that the affected entities can be categorized in three groups, based on the nature of their businesses: entities subject to a high risk of identity theft, entities subject to a low risk of identity theft, but having consumer accounts that will require them to have a written Program, and entities subject to a low risk of identity theft, but not having consumer accounts.63

A. High-Risk Entities

In drafting its PRA analysis for the proposed regulations, FTC staff believed that because motor vehicle dealers' loans typically are financed by financial institutions also subject to those regulations, the dealers were likely to use the latter's programs as a basis to develop their own. Therefore, although subject to a high risk of identity theft, their burden would be less than other high-risk entities. Commenters, however, noted among other concerns that some motor vehicle dealers finance

58 Due to the varied nature of the entities subject to the jurisdiction of the FTC, this Estimated Burden section reflects only the view of the FTC. The banking regulatory agencies have jointly prepared a separate analysis.
59 U.S.C. 1681a(r)(5).
60 Regulation B Equal Credit Opportunity, 12 CFR 202 (as amended effective Apr. 15, 2003).
61 Under the FCRA, the only financial institutions over which the FTC has jurisdiction are state-chartered credit unions. 15 U.S.C. 1681s. As of December 31, 2005, there were 3,302 state-chartered federally-insured credit unions and 362 state-chartered nonfederally insured credit unions, totaling 3,664 financial institutions. See www.ncua.gov/news/quick_facts/quick_facts.html and "Disclosures for Non-Federally Insured Depository Institutions under the Federal Deposit Insurance Corporation Improvement Act (FDICIA)," 70 FR 12823 (Mar. 16, 2005).
62 This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, which totaled 11,076,463 creditors subject to the FTC's jurisdiction.
63 In general, high-risk entities may provide consumer financial services or other goods or services of value to identity thieves such as telecommunication services or goods that are easily convertible to cash, whereas low-risk entities may do business primarily with other businesses or provide non-financial services or goods that are not easily convertible to cash.

their own loans. Thus, for this burden estimate, FTC staff no longer is considering motor vehicle dealers separately from other high-risk entities.

As noted above, the Agencies continue to believe that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud. The final rulemaking clarifies that only relevant staff need be trained to implement the Program, as necessary, meaning, for example, that staff already trained as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as incrementally needed. Notwithstanding this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours, as is the FTC for high-risk entities in their initial year of implementing the Program, but FTC staff continues to believe that one hour of recurring annual training remains a reasonable estimate.

The FTC staff maintains its estimate of 25 hours for high-risk entities to create and implement a written Program, with an annual recurring burden of 1 hour. As before, FTC staff anticipates that these entities will incorporate policies and procedures that they likely already have in place. The FTC staff continues to believe that preparation of an annual report will take high-risk entities 4 hours initially, with an annual recurring burden of 1 hour.

B. Low-Risk Entities

A few commenters believed that FTC staff had underestimated the amount of time it would take low-risk entities to comply with the proposed regulations. These commenters estimated that the amount of time would range from 6 to 20 hours to create a program and 1 hour each to train employees and draft the annual report. The FTC staff believes these estimates were based on a misunderstanding of the requirements of the proposed regulations, including that the list of 31 Red Flags in the proposed guidelines was intended to be a checklist. The final regulations clarify that the list of Red Flags is illustrative only. Moreover, the emphasis of the written Program, as required under the final regulations, is to identify risks of identity theft. To the extent that entities with consumer accounts determine that they have a minimal risk of identity theft, they would be tasked only with developing a streamlined Program. Therefore, the FTC staff does not believe that it would take such an entity 6 to 20 hours to develop a Program, 1 hour to train employees, and 1 hour to draft an annual report on risks of identity theft which are minimal or non-existent. Nonetheless, FTC staff believes that it may have underestimated the time low-risk entities may need to initially apply the final rule to develop a Program. Thus, FTC staff has increased from 20 minutes to 1 hour its previously stated estimate for this activity.

The final regulations have been revised from the proposed regulations to alleviate the burden of creating a written Program for entities that determine that they do not have any covered accounts. The FTC staff believes that entities subject to a low risk of identity theft, but not having consumer accounts, will likely determine that they do not have covered accounts. Such entities would not be required to develop a written Program, and thus will not incur PRA burden. The FTC staff estimates that approximately 9,191,496 64 of the 10,813,525 low-risk entities subject to the requirement to create a written Program under the proposed regulations will not have covered accounts under the final rule. Therefore, these 9,191,496 low-risk entities will not be required to develop a written Program, thereby substantially reducing the original burden hours estimate in the NPRM for low-risk entities.

The FTC staff believes that for entities subject to a low risk of identity theft, but having consumer accounts that will require them to have a written Program, it will take such entities 1 hour to review the final regulations and create a streamlined Program, with an annual recurring burden of 5 minutes. The FTC staff believes that training staff to be attentive to any future risks of identity theft will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes. The FTC staff believes that preparing an annual report will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes.

Accordingly, FTC staff estimates that the final regulations implementing section 114 affect the following: 266,602 high-risk entities subject to the FTC's jurisdiction at an average annual burden of 13 hours per entity [average annual burden over 3-year clearance period for creation and implementation of Program ((25+1+1)/3) plus average annual burden over 3-year clearance period for staff training ((4+1+1)/3) plus average annual burden over 3-year clearance period for preparing annual report ((4+1+1)/3)], for a total of 3,466,000 hours (rounded to the nearest thousand); and 1,622,029 low-risk entities that have consumer accounts subject to the FTC's jurisdiction at an average annual burden of approximately 37 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((60+5+5)/3) plus average annual burden over 3-year clearance period for staff training ((10+5+5)/3) plus average annual burden over 3-year clearance period for preparing annual report ((10+5+5)/3)], for a total of 1,000,000 hours (rounded to the nearest thousand).

The proposed regulations implementing Section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. The FTC received no comments on its burden estimates in the NPRM and FTC staff does not believe that the changes made to the final regulation have altered its original burden estimates. Accordingly, FTC staff maintains that it will take 100 credit or debit card issuers 4 hours to develop and implement policies and procedures to assess the validity of a change of address request for a total burden of 400 hours.

Estimated Cost Burden:

The FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with the proposed regulations, as they entail varying compensation levels of management and/or technical staff among companies of different sizes. In the NPRM, FTC staff had estimated that low-risk entities would use administrative support personnel at an hourly cost of $16.00. A few commenters disagreed that low-risk entities would use administrative support personnel, arguing instead that the Program would be implemented at a managerial level, and the labor cost should be at least $32.00 and possibly even $48.00. Therefore, in calculating the cost figures, FTC staff assumes that for all entities, professional technical personnel and/or managerial personnel will create and implement the Program, prepare the annual report, train employees, and assess the validity of a

64 This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, net of the number of creditors subject to the FTC's jurisdiction, an estimated subset of which comprise anticipated low-risk entities not having covered accounts under the final rule.

VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63743

change of address request, at an hourly rate of $32.00.⁶⁵

Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the final regulations implementing section 114 are $142,925,000 (rounded to the nearest thousand) [(3,466,000 hours + 400 hours + 1,000,000 hours) x $32.00].

Section 315:

Estimated Hours Burden:

The Commission did not receive any comments relating to its original burden estimates for the information collection requirements under section 315. Although the final regulations were modified such that they no longer require users to furnish a confirmed address to a CRA for existing relationships, FTC staff does not believe that this modification will significantly alter its original burden estimates. Therefore, FTC staff burden estimates remain unchanged under section 315 from the estimates proposed in the NPRM. Accordingly, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance was sought will be 831,000 hours (rounded to the nearest thousand). The FTC staff continues to assume that the policies and procedures for notice of address discrepancy and furnishing the correct address will be set up by administrative support personnel at an hourly rate of $16.⁶⁶ Thus, the estimated annual labor cost associated with this burden is $13,296,000 (rounded to the nearest thousand).

The Agencies have a continuing interest in the public’s opinions of our collections of information. At any time, comments regarding the burden estimate, or any other aspect of this collection of information, including suggestions for reducing the burden, may be sent to:

OCC: Communications Division, Office of the Comptroller of the Currency, Public Information Room, Mail stop 1–5, Attention: 1557–0237, 250 E Street, SW., Washington, DC 20219. In addition, comments may be sent by fax to 202–874–4448, or by electronic mail to regs.comments@occ.treas.gov. You can inspect and photocopy the comments at the OCC’s Public Information Room, 250 E Street, SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling 202–874–5043. Upon arrival, visitors will be required to present valid government-issued photo identification and submit to security screening in order to inspect and photocopy comments.

Board: You may submit comments, identified by R–1255, by any of the following methods:
Agency Web site: http://www.federalreserve.gov. Follow the instructions for submitting comments on http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
E-mail: regs.comments@federalreserve.gov. Include docket number in the subject line of the message.
Fax: 202–452–3819 or 202–452–3102.
Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551.
All public comments are available from the Board’s Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper form in Room MP–500 of the Board’s Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

FDIC: You may submit written comments, which should refer to 3064–AD00, by any of the following methods:
Agency Web site: http://www.fdic.gov/regulations/laws/federal/propose.html. Follow the instructions for submitting comments on the FDIC Web site.
Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
E-mail: Comments@FDIC.gov.
Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, FDIC, 550 17th Street, NW., Washington, DC 20429.
Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m.
Public Inspection: All comments received will be posted without change to http://www.fdic.gov/regulations/laws/federal/propose/html including any personal information provided. Comments may be inspected at the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC, between 9 a.m. and 4:30 p.m. on business days.

OTS: Information Collection Comments, Chief Counsel’s Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; send a facsimile transmission to (202) 906–6518; or send an e-mail to
related index on the OTS Internet site at http://www.ots.treas.gov. In addition, interested persons may inspect the comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment, call (202) 906–5922, send an e-mail to publicinfo@ots.treas.gov, or send a facsimile transmission to (202) 906–7755.

NCUA: You may submit comments by any of the following methods (Please send comments by one method only):
Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
NCUA Web site: http://www.ncua.gov/RegulationsOpinionsLaws/proposedregs/proposedregs.html. Follow the instructions for submitting comments.
E-mail: Address to regcomments@ncua.gov. Include ‘‘[Your name] Comments on -,’’ in the e-mail subject line.
Fax: (703) 518–6319. Use the subject line described above for e-mail.
Mail: Address to Mary F. Rupp, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314–3428.
Hand Delivery/Courier: Same as mail address.
Additionally, commenters may send a copy of their comments to the OMB desk officer for the OCC, Board, FDIC, OTS, and NCUA by mail to the Office of Information and Regulatory Affairs, U.S. Office of Management and Budget, New Executive Office Building, Room 10235, 725 17th Street, NW., Washington, DC 20503, or by fax to (202) 395–6974.

FTC: Comments should refer to ‘‘The Red Flags Rule: Project No. R611019,’’ and may be submitted by any of the following methods. However, if the comment contains any material for which confidential treatment is requested, it must be filed in paper form, and the first page of the document

⁶⁵ The cost is derived from a mid-range among the reported 2006 Bureau of Labor Statistics rates for likely positions within the professional technical and managerial categories. See June 2006 Bureau of Labor Statistics National Compensation Survey for occupational wages in the United States at http://www.bls.gov/ncs/ocs/sp/ncbl0910.pdf (‘‘June 2006 BLS NCS Survey’’).

⁶⁶ This hourly wage is a conservative inflation-adjusted updating of hourly mean wages ($14.86) shown for administrative support personnel in the June 2006 BLS NCS Survey.

must be clearly labeled ‘‘Confidential.’’⁶⁷
E-mail: Comments filed in electronic form should be submitted by clicking on the following Web link: https://secure.commentworks.com/ftc-redflags and following the instructions on the Web-based form. To ensure that the Commission considers an electronic comment, you must file it on the Web-based form at https://secure.commentworks.com/ftc-redflags.
Federal eRulemaking Portal: If this notice appears at http://www.regulations.gov, you may also file an electronic comment through that Web site. The Commission will consider all comments that regulations.gov forwards to it.
Mail or Hand Delivery: A comment filed in paper form should include ‘‘The Red Flags Rule, Project No. R611019,’’ both in the text and on the envelope and should be mailed or delivered, with two complete copies, to the following address: Federal Trade Commission/Office of the Secretary, Room H–135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in the Washington area and at the Commission is subject to delay, please consider submitting your comments in electronic form, as prescribed above. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible.

Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission. Comments should be submitted via facsimile to (202) 395–6974 because U.S. Postal Mail is subject to lengthy delays due to heightened security precautions.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov/os/publiccomments.htm. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC’s privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Members of the public also can request additional information or a copy of the collection from:

OCC: Mary Gottlieb, OCC Clearance Officer, (202) 874–5090, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

Board: Michelle Shore, Clearance Officer, Division of Research and Statistics (202) 452–3829.

FDIC: Steven F. Hanft, Clearance Officer, Legal Division, (202–898–3907).

OTS: Ira L. Mills, OTS Clearance Officer, Litigation Division, Chief Counsel’s Office, at Ira.Mills@ots.treas.gov, (202) 906–6531, or facsimile number (202) 906–6518.

NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518–6540.

FTC: See FOR FURTHER INFORMATION CONTACT above.

B. Regulatory Flexibility Act

OCC: Under section 605(b) of the Regulatory Flexibility Act (RFA), 5 U.S.C. 605(b), the OCC must either publish a Final Regulatory Flexibility Analysis (FRFA) for a final rule or certify, along with a statement providing the factual basis for such certification, the rule will not have a significant economic impact on a substantial number of small entities. The Small Business Administration has defined ‘‘small entities’’ for banking purposes as a bank or savings institution with assets of $165 million or less. See 13 CFR 121.201.

Based on its analysis and for the reasons stated below, the OCC certifies that this final rulemaking will not have a significant economic impact on a substantial number of small entities.

Rules Implementing Section 114

The proposed regulations implementing section 114 required the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate identity theft. The proposed regulations also required card issuers to assess the validity of a notice of address change under certain circumstances.

In connection with the proposed rulemaking, the OCC concluded that the proposed regulations implementing section 114, if adopted as proposed, would not impose undue costs on national banks and would not have a substantial economic impact on a substantial number of small national banks. The OCC noted that national banks already employ a variety of measures that satisfy the requirements of the rulemaking because (1) such measures are a good business practice and generally are a part of a bank’s efforts to reduce losses due to fraud, and (2) national banks already comply with other regulations and guidance that relate to information security, authentication, identity theft, and response programs. For example, national banks are already subject to CIP rules requiring them to verify the identity of a person opening a new account⁶⁸ and already have various systems in place to detect certain patterns, practices and specific activities that indicate the possible existence of identity theft in connection with the opening of new accounts. Similarly, national banks complying with the ‘‘Interagency Guidelines Establishing Information Security Standards’’⁶⁹ and guidance recently issued by the FFIEC titled ‘‘Authentication in an Internet Banking Environment’’⁷⁰ already have policies and procedures in place to detect attempted and actual intrusions into customer information systems and to detect patterns, practices and specific activities that indicate the possible existence of identity theft in connection with existing accounts. Banks complying with the OCC’s ‘‘Guidance on Identity Theft and Pretext Calling’’⁷¹ already have policies and procedures to verify the validity of change of address requests on existing accounts. Nonetheless, the OCC specifically requested comment and specific data on the size of the incremental burden creating an identity theft prevention program would have on small national banks, given banks’ current practices and compliance with existing requirements. The OCC also requested comment on how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

Commenters confirmed that the proposed regulations implementing section 114 of the FACT Act are consistent with banks’ usual and customary business practices used to minimize losses due to fraud in connection with new and existing

⁶⁷ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

⁶⁸ 31 CFR 103.121; 12 CFR 21.21 (national banks).

⁶⁹ 12 CFR part 30, app. B (national banks).

⁷⁰ OCC Bulletin 2005–35 (Oct. 12, 2005).

⁷¹ OCC AL 2001–4 (April 30, 2001).

accounts. They also confirmed that banks have implemented measures to address many of the proposed requirements as a result of having to comply with existing regulations and guidance. However, commenters also asserted that the Agencies had underestimated the incremental burden imposed by the proposed rules. They highlighted aspects of the proposal that they maintained would have required banks to alter their current practices and implement duplicative policies and procedures.

Only a few commenters provided estimates of additional burden that would result from the proposed rules. Many of these comments stemmed from a misreading of the requirements of the proposed rules. Further, many commenters confused the Agencies’ PRA estimates with the Agencies’ overall conclusions regarding regulatory burden.⁷²

The OCC believes that the final rules substantially address the concerns of the commenters as follows:

• The final rules allow a covered entity to tailor its Program to its size, complexity and nature of its operations. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology.

• The final rules list the four elements that must be a part of a Program, and the steps that a covered entity must take to administer the Program. The rules provide covered entities with greater discretion to determine how to implement these mandates.

• Additional requirements previously in the proposed rules are now in guidelines that are located in Appendix J. The guidelines describe various policies and procedures that a financial institution or creditor must consider and include in its Program, where appropriate, to satisfy the requirements of the final rules. The preamble to the rules explains that an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program as long as its Program contains reasonable policies and procedures to meet the specific requirements of the final rules.

• The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program.

• The final rules clarify that a Program (including the Red Flags determined to be relevant) may be periodically, rather than continually, updated to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

• The rules focus on consumer accounts, and require a Program to include only other accounts ‘‘for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.’’

• The definition of ‘‘Red Flags’’ no longer includes reference to the ‘‘possible risk’’ of identity theft and no longer incorporates precursors to identity theft.

• The final rules clarify that the Red Flags in Supplement A are examples rather than a mandatory checklist.

• Supplement A includes a Red Flag for activity on an inactive account in place of a separate guideline.

• The final rules clarify that the Board of Directors or a committee thereof must approve only the initial written Program. The rules provide a covered entity with the discretion to determine whether the Board or management will approve changes to the Program and the extent of Board involvement in oversight of the Program.

• The final rules clarify that only relevant staff must be trained to implement the Program, as necessary.

• Card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card—building on issuers’ existing procedures.

• Covered entities need not comply with the final rules until November 1, 2008.

The Agencies did consider whether it would be appropriate to extend different treatment or exempt small covered entities from the requirements of this section of the final rulemaking. The Agencies note that identity theft can occur in small entities as well as large ones. The Agencies do not believe that an exemption for small entities is appropriate given the flexibility built into the final rules and guidelines and the importance of the statutory goals and mandate of section 114.

As a result of the changes and clarifications noted above, this section of the final rule is far more flexible and less burdensome than that in the proposed rules while still fulfilling the statutory mandates enumerated in section 114. Moreover, the OCC has concluded that the incremental cost of these final rules and guidelines will not impose undue costs and will not have a significant economic impact on a substantial number of small entities.

Rules Implementing Section 315

The proposed regulations implementing section 315 required a user of consumer reports to have policies and procedures to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report. The proposed rules also required the user to furnish to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the user: (1) Is able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained; (2) establishes or maintains a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained.

In connection with the proposed rulemaking the OCC noted that the FACT Act already requires CRAs to provide notices of address discrepancy to users of credit reports. The OCC stated that with respect to new accounts, a national bank already is required by the CIP rules to ensure that it knows the identity of a person opening a new account and to keep a record describing the resolution of any substantive discrepancy discovered during the verification process. The OCC also stated that as a matter of good business practice, most national banks currently have policies and procedures in place to respond to notices of address discrepancy when they are provided in connection with both new and existing accounts, by furnishing an address for the consumer that the bank has reasonably confirmed is accurate to the CRA from which it received the notice of address discrepancy.

The OCC specifically requested comment on whether the proposed requirements differ from small banks’ current practices and whether the proposed requirements on users of consumer reports to have policies and procedures to respond to the receipt of an address discrepancy could be altered

⁷² The PRA focuses more narrowly on the time, effort, and financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency. See 44 U.S.C. 3501 et seq.

to minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

Many suggestions received in response to this solicitation for comment would have required a statutory change. However, many commenters noted that section 315 does not require the reporting of a confirmed address to a CRA for a notice of address discrepancy received for an existing account. These commenters stated that the level of regulatory burden imposed by this requirement would be significant and would force users to reconcile and verify addresses millions of times a year in connection with routine account maintenance. Commenters maintained that this would result in enormous costs that provide relatively little benefit to consumers. The final rules address these comments and accordingly, under the rules implementing section 315, a user is not obligated to furnish a confirmed address for the consumer to the CRA in connection with existing accounts. Although a bank will likely have to modify its existing procedures to add a new procedure for promptly reporting to CRAs the reconciled address for new deposit accounts, the OCC has concluded that the final rules implementing section 315 will not impose undue costs on national banks and will not have a significant economic impact on a substantial number of small entities. Finally, as mentioned earlier, the final rules provide a transition period and do not require covered entities to fully comply with these requirements until November 1, 2008.

Board: The Board prepared an initial regulatory flexibility analysis as required by the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) in connection with the July 18, 2006 proposed rule. The Board received one comment on its regulatory flexibility analysis.

Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory flexibility analysis otherwise required under Section 604 of the RFA is not required if an agency certifies, along with a statement providing the factual basis for such certification, that the rule will not have a significant economic impact on a substantial number of small entities. Based on its analysis and for the reasons stated below, the Board certifies that this final rule will not have a significant economic impact on a substantial number of small entities.

1. Statement of the need for, and objectives of, the final rule.

The FACT Act amends the FCRA and was enacted, in part, for the purpose of helping to reduce identity theft. Section 114 of the FACT Act amends section 615 of the FCRA and directs the Board, together with the other Agencies, to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances. Section 315 of the FACT Act adds section 605(h)(2) to the FCRA and requires the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy. The Board received no comments on the reasons for the proposed rule. The Board is adopting the final rule to implement sections 114 and 315 of the FACT Act. The SUPPLEMENTARY INFORMATION above contains information on the objectives of the final rule.

2. Summary of issues raised by comments in response to the initial regulatory flexibility analysis.

In accordance with Section 3(a) of the RFA, the Board conducted an initial regulatory flexibility analysis in connection with the proposed rule. One commenter, the Mortgage Bankers Association (MBA), responded to the initial regulatory flexibility analysis and stated that contrary to the Agencies’ belief, the proposed rule would have a significant economic impact on a substantial number of affected small entities. The MBA stated that commercial and multifamily mortgage lenders should not be subject to the proposed rule because it would constitute useless regulatory burden. Three commenters (Independent Community Bankers of America, The Financial Services Roundtable and BITS, and KeyCorp) believed that the Board and the other Agencies had underestimated the costs of compliance. The issues raised by these commenters did not apply uniquely to small entities and are described in the Paperwork Reduction Act section above.

Some small financial institutions expressed concern about the flexibility granted by the proposal. As stated in the Overview of Proposal and Comments Received, these commenters preferred to have more structured guidance that describes how to develop and implement a Program and what they would need to do to achieve compliance. In addition, one commenter expressed concern that smaller institutions would be particularly burdened by the proposal’s requirement that the Program be designed to address changing identity risks ‘‘as they arise.’’

3. Description and estimate of small entities affected by the final rule.

The final rule applies to all banks that are members of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.). The Board’s rule will apply to the following institutions (numbers approximate): State member banks (881), operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (877), U.S. branches and agencies of foreign banks (219), commercial lending companies owned or controlled by foreign banks (3), and Edge and agreement corporations (64), for a total of approximately 2,044 institutions. The Board estimates that more than 1,448 of these institutions could be considered small entities with assets of $165 million or less.

4. Recordkeeping, reporting, and other compliance requirements.

Section 114 requires the Board to prescribe regulations that require financial institutions and creditors to establish reasonable policies and procedures to implement guidelines established by the Board and other federal agencies that address identity theft with respect to account holders and customers. This would be implemented by requiring a covered financial institution or creditor to create an Identity Theft Prevention Program that detects, prevents and mitigates the risk of identity theft applicable to its accounts.

Section 114 also requires the Board to adopt regulations applicable to credit and debit card issuers to implement policies and procedures to assess the validity of change of address requests. The final rule implements this by requiring credit and debit card issuers to establish reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the issuer receives a request for an additional or replacement card for the same account.

Section 315 requires the Board to prescribe regulations that provide guidance regarding the reasonable policies and procedures that a user of

consumers’ reports should employ to verify the identity of a consumer when a consumer reporting agency provides a notice of address discrepancy with the consumer reporting agency in certain circumstances. The final rule requires users of consumer reports to develop and implement reasonable policies and procedures for verifying the identity of a consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy and to reconcile an address discrepancy with the appropriate consumer reporting agency in certain circumstances.

5. Steps taken to minimize the economic impact on small entities.

The Board and the other Agencies have attempted to minimize the economic impact on small entities by providing more flexibility in developing a Program and moving certain detail contained in the proposed regulations to the guidelines. In addition, to allow small entities and creditors to tailor their Programs to their operations, the final rules provide that the Program must be appropriate to the size and complexity of the financial institution

approximately 3,260 of which are small entities. The rule is drafted in a flexible manner that allows institutions to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology.

The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program. The FDIC believes that many institutions have already implemented a significant portion of the detection and mitigation efforts required by the rule. With respect to the portion of the rule covering card issuers, those entities may satisfy the requirements of this section by verifying the address at the time the address change notification is received,

basis for such certification, the rule will not have a significant economic impact on a substantial number of small entities. The Small Business Administration has defined ‘‘small entities’’ to include savings associations with total assets of $165 million or less. 13 CFR 121.201.

The rule will implement sections 114 and 315 of the FACT Act and will apply to all savings associations (and federal savings associations operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act), 424 of which have assets of less than or equal to $165 million. Based on its analysis and for the reasons stated below, OTS certifies that this final rulemaking will not have a significant economic impact on a substantial number of small entities.

Rules Implementing Section 114

The proposed regulations implementing section 114 required the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate
or creditor and the nature and scope of whether or not the notification is linked identity theft. The proposed regulations
its activities. The Board has also to a request for an additional or also required card issuers to assess the
eliminated the requirement for replacement card—building on issuers’’ validity of a notice of address change
institutions to update their Program in existing procedures. under certain circumstances.
response to changing identity theft risks Under the final rule implementing
‘‘as they arise.’’ The final rule instead FACT Act Section 315, a user of In connection with the proposed
requires ‘‘periodic’’ updating. consumer reports (which constitutes rulemaking, OTS concluded that the
FDIC: The FDIC prepared an initial most, if not all, FDIC-insured state proposed regulations implementing
regulatory flexibility analysis as nonmember banks) must have policies section 114, if adopted as proposed,
required by the Regulatory Flexibility and procedures to enable the user to would not impose undue costs on
Act (RFA) (5 U.S.C. 601 et seq.) in form a reasonable belief that it knows savings associations and would not have
connection with the July 18, 2006 the identity of the consumer for whom a substantial economic impact on a
proposed rule. Under Section 605(b) of it has obtained a consumer report. substantial number of small savings
the RFA, 5 U.S.C. 605(b), the regulatory Although, a bank will likely have to associations. OTS noted that savings
flexibility analysis otherwise required modify its existing procedures to add a associations already employ a variety of
under Section 604 of the RFA is not new procedure for promptly reporting to measures that satisfy the requirements
required if an agency certifies, along consumer reporting agencies the of the rulemaking because (1) such
with a statement providing the factual reconciled address for new deposit measures are a good business practice
basis for such certification, that the rule accounts, the FDIC has concluded that and generally are a part of a thrift’s
will not have a significant economic the final rules implementing section efforts to reduce losses due to fraud, and
impact on a substantial number of small 315—which only obligates a user to (2) savings associations already comply
entities (defined for purposes of the furnish a confirmed address for the with other regulations and guidance that
RFA to include banks with less than consumer to the consumer reporting relate to information security,
$165 in assets). Based on its analysis agency in connection with new, and not authentication, identity theft, and
and for the reasons stated below, the existing, accounts—will not impose response programs. For example,
FDIC certifies that this final rule will undue costs on banks and will not have savings associations are already subject
not have a significant economic impact a significant economic impact on a to CIP rules requiring them to verify the
on a substantial number of small entities substantial number of small entities. identity of a person opening a new
Under the final rule implementing Moreover, the final rules provide a account 73 and already have various
FACT Act Section 114, financial transition period and do not require systems in place to detect certain
institutions and creditors must have a covered entities to fully comply with patterns, practices and specific activities
written program that includes controls these requirements until November 1, that indicate the possible existence of
to address the identity theft risks they 2008. identity theft in connection with the
have identified. Credit and debit card OTS: Under section 605(b) of the opening of new accounts. Similarly,
jlentini on PROD1PC65 with RULES4

issuers must also have additional Regulatory Flexibility Act (RFA), 5 savings associations complying with the
policies and procedures to assess the U.S.C. 605(b), OTS must either publish ‘‘Interagency Guidelines Establishing
validity of change of address requests. a Final Regulatory Flexibility Analysis
The final rule would apply to all (FRFA) for a final rule or certify, along 73 31 CFR 103.121; 12 CFR 563.177 (savings

FDIC-insured state nonmember banks, with a statement providing the factual associations).

VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
63748 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

Information Security Standards’’ 74 and OTS believes that the final rules • Supplement A includes a Red Flag
guidance recently issued by the FFIEC substantially address the concerns of the for activity on an inactive account in
titled ‘‘Authentication in an Internet commenters as follows: place of a separate guideline.
Banking Environment’’ 75 already have • The final rules allow a covered • The final rules clarify that the
policies and procedures in place to entity to tailor its Program to its size, Board of Directors or a committee
detect attempted and actual intrusions complexity and nature of its operations. thereof must approve only the initial
into customer information systems and The final rules and guidelines do not written Program. The rules provide a
to detect patterns, practices and specific require the use of any specific covered entity with the discretion to
activities that indicate the possible technology, systems, processes or determine whether the Board or
existence of identity theft in connection methodology. management will approve changes to
with existing accounts. Savings • The final rules list the four the Program and the extent of Board
associations complying with OTS’s elements that must be a part of a involvement in oversight of the
guidance on ‘‘Identity Theft and Pretext Program, and the steps that a covered Program.
Calling’’ 76 already have policies and entity must take to administer the • The final rules clarify that only
procedures to verify the validity of Program. The rules provide covered relevant staff must be trained to
change of address requests on existing entities with greater discretion to implement the Program, as necessary.
accounts. determine how to implement these • Card issuers may satisfy the
Nonetheless, OTS specifically mandates. requirements of this section by verifying
requested comment and specific data on • Additional requirements previously the address at the time the address
the size of the incremental burden in the proposed rules are now in change notification is received, whether
creating an identity theft prevention guidelines that are located in Appendix or not the notification is linked to a
program would have on small saving J. The guidelines describe various request for an additional or replacement
associations, given their current policies and procedures that a financial card—building on issuers’ existing
practices and compliance with existing institution or creditor must consider procedures.
requirements. OTS also requested and include in its Program, where • Covered entities need not comply
comment on how the final regulations appropriate, to satisfy the requirements with the final rules until November 1,
might minimize any burden imposed to of the final rules. The preamble to the 2008.
rules explains that an institution or The Agencies did consider whether it
the extent consistent with the
creditor may determine that particular would be appropriate to extend different
requirements of the FACT Act.
guidelines are not appropriate to treatment or exempt small covered
Commenters confirmed that the
incorporate into its Program as long as entities from the requirements of this
proposed regulations implementing
its Program contains reasonable policies section of the final rulemaking. The
section 114 of the FACT Act are
and procedures to meet the specific Agencies note that identity theft can
consistent with savings associations’
requirements of the final rules. occur in small entities as well as large
usual and customary business practices
• The guidelines clarify that a ones. The Agencies do not believe that
used to minimize losses due to fraud in
covered entity need not create duplicate an exemption for small entities is
connection with new and existing
policies and procedures and may appropriate given the flexibility built
accounts. They also confirmed that
incorporate into its Program, as into the final rules and guidelines and
savings associations have implemented
appropriate, its existing processes that the importance of the statutory goals
measures to address many of the
control reasonably foreseeable risks to and mandate of section 114.
proposed requirements as a result of As a result of the changes and
customers or to the safety and
having to comply with existing clarifications noted above, this section
soundness of the financial institution or
regulations and guidance. However, of the final rule is far more flexible and
creditor from identity theft, such as
commenters also asserted that the less burdensome than that in the
those already developed in connection
Agencies had underestimated the proposed rules while still fulfilling the
with the entity’s fraud prevention
incremental burden imposed by the statutory mandates enumerated in
program.
proposed rules. They highlighted • The final rules clarify that a section 114. Moreover, OTS has
aspects of the proposal that they Program (including the Red Flags concluded that the incremental cost of
maintained would have required determined to be relevant) may be these final rules and guidelines will not
savings associations to alter their periodically, rather than continually, impose undue costs and will not have
current practices and implement updated to reflect changes in risks to a significant economic impact on a
duplicative policies and procedures. customers and to the safety and substantial number of small entities.
Only a few commenters provided soundness of the financial institution or
estimates of additional burden that Rules Implementing Section 315
creditor from identity theft.
would result from the proposed rules. • The rules focus on consumer The proposed regulations
Many of these comments stemmed from accounts, and require a Program to implementing section 315 required a
a misreading of the requirements of the include only other accounts ‘‘for which user of consumer reports to have
proposed rules. Further, many there is a reasonably foreseeable risk to policies and procedures to enable the
commenters confused the Agencies’ customers or to the safety and user to form a reasonable belief that it
PRA estimates with the Agencies’ soundness of the financial institution or knows the identity of the consumer for
overall conclusions regarding regulatory creditor from identity theft.’’ whom it has obtained a consumer
burden.77 • The definition of ‘‘Red Flags’’ no report. The proposed rules also required
longer includes reference to the the user to furnish to the CRA from
74 12 CFR part 570, app. B (savings associations). ‘‘possible risk’’ of identity theft and no whom it received the notice of address
jlentini on PROD1PC65 with RULES4

75 OTS CEO Letter 228 (Oct. 12, 2005). longer incorporates precursors to discrepancy an address for the
76 OTS CEO Letter 139 (May 4, 2001).
77 The PRA focuses more narrowly on the time,
identity theft. consumer that the user has reasonably
effort, and financial resources expended by persons
• The final rules clarify that the Red confirmed is accurate when the user: (1)
to generate, maintain, or provide information to or Flags in Supplement A are examples Is able to form a reasonable belief that
for a Federal agency. See 44 U.S.C. 3501 et seq. rather than a mandatory checklist. it knows the identity of the consumer

VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00032 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63749

for whom the consumer report was promptly reporting to CRAs the identity theft, and regulations requiring
obtained; (2) establishes or maintains a reconciled address for new deposit each financial institution and creditor to
continuing relationship with the accounts, OTS has concluded that the establish policies and procedures for
consumer; and (3) regularly and in the final rules implementing section 315 implementing the guidelines. In
ordinary course of business furnishes will not impose undue costs on savings addition, section 114 requires credit and
information to the CRA from which a associations and will have not have a debit card issuers to establish policies
notice of address discrepancy pertaining significant economic impact on a and procedures to assess the validity of
to the consumer was obtained. substantial number of small entities. a change of address request. Section 315
In connection with the proposed Finally, as mentioned earlier, the final requires the FTC to develop policies and
rulemaking OTS noted that the FACT rules provide a transition period and do procedures that a user of consumer
Act already requires CRAs to provide not require covered entities to fully reports must employ when such a user
notices of address discrepancy to users comply with these requirements until receives a notice of address discrepancy
of credit reports. OTS stated that with November 1, 2008. from a consumer reporting agency
respect to new accounts, a savings FTC: The Regulatory Flexibility Act described in section 603(p) of the FCRA.
association already is required by the (‘‘RFA’’), 5 U.S.C. 601–612, requires that In this action, the FTC promulgates final
CIP rules to ensure that it knows the the Commission provide an Initial rules that would implement these
identity of a person opening a new Regulatory Flexibility Analysis requirements of the FACT Act.
account and to keep a record describing (‘‘IRFA’’) with a proposed rule and a
the resolution of any substantive Final Regulatory Flexibility Analysis 2. Significant Issues Received by Public
discrepancy discovered during the (‘‘FRFA’’), if any, with the final rule, Comment
verification process. OTS also stated unless the Commission certifies that the The Commission received a number
that as a matter of good business rule will not have a significant of comments on the effect of the
practice, most savings associations economic impact on a substantial proposed regulations. Some of the
currently have policies and procedures number of small entities. See 5 U.S.C. comments addressed the effect of the
in place to respond to notices of address 603–605. proposed regulations on businesses
discrepancy when they are provided in The Commission hereby certifies that generally, and did not identify small
connection with both new and existing the final regulations will not have a businesses as a particular category. The
accounts, by furnishing an address for significant economic impact on a FTC staff, therefore, has included all
the consumer that the association has substantial number of small business comments in this FRFA that raised
reasonably confirmed is accurate to the entities. The Commission recognizes potentially significant compliance
CRA from which it received the notice that the final regulations will affect a issues for small businesses, regardless of
of address discrepancy. substantial number of small businesses. whether the commenter identified small
OTS specifically requested comment We do not expect, however, that the businesses as being an affected category.
on whether the proposed requirements final regulations will have a significant In drafting its PRA analysis for the
differ from small savings associations’ economic impact on these small proposed regulations, FTC staff believed
current practices and whether the entities. that because motor vehicle dealers’
proposed requirements on users of The Commission continues to believe loans typically are financed by financial
consumer reports to have policies and that a precise estimate of the number of institutions also subject to those
procedures to respond to the receipt of small entities that fall under the final regulations, the dealers were likely to
an address discrepancy could be altered regulations is not currently feasible. use the latter’s programs as a basis to
to minimize any burden imposed to the Based on changes made to the final develop their own. Therefore, although
extent consistent with the requirements regulations in response to comments subject to a high risk of identity theft,
of the FACT Act. received, however, and the their burden would be less than other
Many suggestions received in Commission’s own experience and high-risk entities. Commenters,
response to this solicitation for knowledge of industry practices, the however, noted among other concerns
comment would have required a Commission also continues to believe that some motor vehicle dealers finance
statutory change. However, many that the cost and burden to small their own loans. Thus, FTC staff no
commenters noted that section 315 does business entities of complying with the longer is considering motor vehicle
not require the reporting of a confirmed final regulations are minimal. dealers separately from other high-risk
address to a CRA for a notice of address Accordingly, this document serves as entities.
discrepancy received for an existing notice to the Small Business As noted in the PRA analysis, the
account. These commenters stated that Administration of the agency’s Agencies continue to believe that many
the level of regulatory burden imposed certification of no effect. Nonetheless, of the high-risk entities, as part of their
by this requirement would be significant the Commission has decided to publish usual and customary business practices,
and would force users to reconcile and a FRFA with these final regulations. already take steps to minimize losses
verify addresses millions of times a year Therefore, the Commission has prepared due to fraud. The final rulemaking
in connection with routine account the following analysis: clarifies that only relevant staff need be
maintenance. Commenters maintained trained to implement the Program, as
that this would result in enormous costs 1. Need for and Objectives of the Rule necessary—meaning, for example, that
that provide relatively little benefit to The FTC is charged with enforcing the staff already trained as a part of a
consumers. The final rules address these requirements of sections 114 and 315 of covered entity’s anti-fraud prevention
comments and, accordingly, under the the Fair and Accurate Credit efforts do not need to be re-trained
rules implementing section 315, a user Transactions Act of 2003 (FACT Act) except as incrementally needed.
is not obligated to furnish a confirmed (15 U.S.C. §§ 1681m(e) and 1681c(h)(2)), Notwithstanding this clarification, in
jlentini on PROD1PC65 with RULES4

address for the consumer to the CRA in which require the FTC to establish response to comments received, the
connection with existing accounts. guidelines for financial institutions and Agencies are increasing the burden
Although, a savings association will creditors identifying patterns, practices, estimates attributable to training from
likely have to modify its existing and specific forms of activity, that two to four hours, as is the FTC for high-
procedures to add a new procedure for indicate the possible existence of risk entities in their initial year of

VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
63750 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

implementing the Program, but FTC conduct a periodic risk assessment to across almost every industry could be
staff continues to believe that one hour determine if they covered accounts, they subject to the final rules. For the
of recurring annual training remains a will not be required to develop a written majority of these entities, a small
reasonable estimate. Program, thereby substantially reducing business is defined by the Small
A few commenters believed that FTC the original burden estimate in the Business Administration as one whose
staff had underestimated the amount of NPRM for low-risk entities. average annual receipts do not exceed
time it would take low-risk entities to The FTC received additional $6.5 million or who have fewer than 500
comply with the proposed regulations. comments on its IRFA requesting that employees.79
These commenters estimated that the the FTC delay implementation of the Section 114: As discussed in the PRA
amount of time would range from 6 to final rules for small businesses by a section of this Notice, given the broad
20 hours to create a program and 1 hour minimum of six months, consider scope of section 114’s requirements, it is
each to train employees and draft the creating a certification form for low-risk difficult to determine with precision the
annual report. The FTC staff believes entities, and develop a small business number of financial institutions and
these estimates were based on a compliance guide. The Agencies have creditors that are subject to the FTC’s
misunderstanding of the requirements set a mandatory compliance deadline of jurisdiction. There are numerous small
of the proposed regulations, including November 1, 2008, thereby providing all businesses under the FTC’s jurisdiction
that the list of 31 Red Flags in the entities with well over six months in and there is no formal way to track
proposed guidelines was intended to be which to implement the final them; moreover, as a whole, the entities
a checklist. The final regulations clarify regulations. The FTC staff will be under the FTC’s jurisdiction are so
that the list of Red Flags is illustrative developing a small business compliance varied that there are no general sources
only. Moreover, the emphasis of the guide prior to the mandatory that provide a record of their existence.
written Program, as required under the compliance deadline of November 1, Nonetheless, FTC staff estimates that the
final regulations, is to identify risks of 2008. The FTC staff will consider final regulations implementing section
identity theft. To the extent that entities whether to include any model forms in 114 will affect over 3500 financial
with consumer accounts determine that such guide. institutions and over 11 million
they have a minimal risk of identity The FTC did not receive any creditors 80 subject to the FTC’s
theft, they would be tasked only with comments on its IRFA for the proposed jurisdiction, for a combined total of
developing a streamlined Program. regulations implementing section 114 approximately 11.1 million affected
Therefore, FTC staff does not believe requiring credit and debit card issuers to entities. Of this total, the FTC staff
that it would take such an entity 6 to 20 establish policies and procedures to expects that well over 90% of these
hours to develop a Program, 1 hour to assess the validity of a change of firms qualify as small businesses under
train employees, and 1 hour to draft an address request, including notifying the existing size standards (i.e., $165
annual report on risks of identity theft cardholder or using another means of million in assets for financial
which are minimal or non-existent. assessing the validity of the change of institutions and $6.5 million in sales for
Nonetheless, FTC staff believes that it address. The FTC staff does not believe many creditors).
may have underestimated the time low- that the changes made to the final One commenter acknowledged that
risk entities may need to initially apply regulation have altered its original the FTC’s estimates as to the number of
the final rule to develop a Program. burden estimates. small entities that will be affected were
Thus, FTC staff has increased from 20 The FTC did not receive any accurate, but did not provide precise
minutes to 1 hour its previously stated comments on its IRFA relating to the numbers.
estimate for this activity. proposed regulations under section 315. The final regulations implementing
In addition, the final regulations have 3. Small Entities to Which the Final section 114 also require credit and debit
been revised from the proposed Rule Will Apply card issuers to establish policies and
regulations to alleviate the burden of procedures to assess the validity of a
creating a written Program for entities The final regulations apply to a wide
change of address request. Indeed, the
that determine that they do not have any variety of business categories under the
final regulations require credit and debit
covered accounts. The FTC staff Small Business Size Standards.
card issuers to notify the cardholder or
believes that entities subject to a low Generally, the final regulations would
to use another means of assessing the
risk of identity theft, but not having apply to financial institutions, creditors,
validity of the change of address. FTC
consumer accounts, will likely and users of consumer reports. In
staff believes that there may be as many
determine that they do not have covered particular, entities under FTC’s
as 3,764 credit or debit card issuers that
accounts. Such entities would not be jurisdiction covered by section 114
fall under the jurisdiction of the FTC
required to develop a written Program. include State-chartered credit unions,
and that well over 90% of these firms
The FTC staff estimates that non-bank lenders, mortgage brokers,
qualify as small businesses under
approximately 9,191,496 78 of the automobile dealers, utility companies,
existing size standards (i.e., $165
10,813,525 low-risk entities subject to telecommunications companies, and
million in assets for financial
the requirement to create a written any other person that regularly
Program under the proposed regulations participates in a credit decision, 79 These numbers represent the size standards for

will not have covered accounts under including setting the terms of credit. most retail and service industries ($6.5 million total
the final rule. Therefore, although these The section 315 requirements apply to receipts) and manufacturing industries (500
State-chartered credit unions, non-bank employees). A list of the SBA’s size standards for
9,191,496 low-risk entities will have to all industries can be found at http://www.sba.gov/
lenders, insurers, landlords, employers, size/summary-whatis.html.
78 This estimate is derived from an analysis of a mortgage brokers, automobile dealers, 80 This estimate is derived from census data of

database of U.S. businesses based on NAICS codes collection agencies, and any other U.S. businesses based on NAICS codes for
jlentini on PROD1PC65 with RULES4

for businesses that market goods or services to person who requests a consumer report businesses that market goods or services to
consumers or other businesses, net of the number from a consumer reporting agency consumers and businesses. 2003 County Business
of creditors subject to the FTC’s jurisdiction, an Patterns, U.S. Census Bureau (http://
estimated subset of which comprise anticipated described in section 603(p) of the FCRA. censtats.census.gov/cgi- bin/cbpnaic/cbpsel.pl); and
low-risk entities not having covered accounts under Given the coverage of the final rules, 2002 Economic Census, Bureau (http://
the final rule. a very large number of small entities www.census.gov/econ/census02/).

VerDate Aug<31>2005 20:05 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63751

institutions and $6.5 million in sales for associated with the final regulations entities should not be significant,
many creditors). will be significant as explained below. however.
The Commission did not receive any comments to the IRFA on the latter credit or debit card issuers that would allow it to determine the precise number of small entities that will be affected.

Section 315: As discussed in the PRA section of this Notice, given the broad scope of section 315’s requirements, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC’s jurisdiction. There are numerous small businesses under the FTC’s jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the final regulations implementing section 315 will affect approximately 1.6 million users of consumer reports subject to the FTC’s jurisdiction[81] and that well over 90% of these firms qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors).

The Commission did not receive any comments to the IRFA on the proposed regulations under Section 315 that would allow it to determine the precise number of small entities that will be affected.

4. Projected Reporting, Recordkeeping and Other Compliance Requirements

The final requirements will involve some increased costs for affected parties. Most of these costs will be incurred by those required to conduct periodic risk assessments, and draft identity theft Programs and annual reports. There will also be costs associated with training, and for credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. In addition, there will be costs related to developing reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency, and for furnishing an address that the user has reasonably confirmed is accurate. The Commission does not expect, however, that the increased costs

Section 114: The FTC staff estimates that there may be as many as 90% of the businesses affected by the proposed rules under section 114 that are subject to a high risk of identity theft that qualify as small businesses. It is likely that many such entities already engage in various activities to minimize losses due to fraud as part of their usual and customary business practices. Accordingly, the impact of the proposed requirements would be merely incremental and not significant. In particular, the rule will direct many of these entities to consolidate their existing policies and procedures into a written Program and may require some additional staff training.

The FTC expects that well over 90% of the businesses affected by the proposed rules under section 114 that are subject to a low risk of identity theft qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors). The final requirements are drafted in a flexible manner that limits the burden on a substantial majority of low-risk entities to conducting periodic risk assessments for covered accounts, and allows the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. As a result, the FTC staff expects that the burden on these low-risk entities will be minimal (i.e., not significant). The final regulations would require low-risk entities that have covered accounts that have no existing identity theft procedures to state in writing their low-risk of identity theft, train staff to be attentive to future risks of identity theft, and, if appropriate, prepare an annual report. The FTC staff believes that, for the affected low-risk entities, such activities will not be complex or resource-intensive tasks.

The final regulations implementing section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. It is likely that most of the entities have automated the process of notifying the cardholder or using other means to assess the validity of the change of address such that implementation will pose no further burden. For those that do not, the FTC staff expects that a small number of such entities (100) will need to develop policies and procedures to assess the validity of a change of address request. The impacts on such

In calculating the costs, FTC staff assumes that for all entities, professional technical personnel and/or managerial personnel will conduct the periodic risk assessment, create and implement the Program, prepare the annual report, train employees, and assess the validity of a change of address request.

Section 315: The final regulations implementing section 315 provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency. The final regulations also require a user of consumer reports to furnish an address that the user has reasonably confirmed is accurate to the consumer reporting agency from which it receives a notice of address discrepancy, but only to the extent that such user regularly and in the ordinary course of business furnishes information to such consumer reporting agency. The FTC staff believes that the impacts on users of consumer reports that are small businesses will not be significant. As discussed in the PRA section of the NPRM, the FTC staff believes that it will not take users of consumer reports under FTC jurisdiction a significant amount of time to develop policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff believes that only 10,000 of such users of consumer reports furnish information to consumer reporting agencies as part of their usual and customary business practices and that approximately 20% of these entities qualify as small businesses. Therefore, the staff estimates that 2,000 small businesses will be affected by this portion of the final regulation that requires furnishing the correct address. As discussed in the PRA section of this NPRM, FTC staff estimates that it will not take such users of consumer reports a significant amount of time to develop the policies and procedures for furnishing the correct address to the consumer reporting agencies pursuant to the final regulations for implementing section 315. The FTC staff estimates that the costs associated with these impacts will not be significant.

In calculating these costs, FTC staff assumes that the policies and procedures for notice of address discrepancy and furnishing the correct address will be set up by administrative support personnel.

81 This estimate is derived from census data of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers and businesses. 2003 County Business Patterns, U.S. Census Bureau (http://censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl); and 2002 Economic Census, Bureau (http://www.census.gov/econ/census02/).

5. Steps Taken To Minimize Significant Economic Impact of the Rule on Small Entities

The Commission considered whether any significant alternatives, consistent with the purposes of the FACT Act, could further minimize the final regulations’ impact on small entities. The FTC asked for comment on this issue. The final requirements are drafted in a flexible manner that limits the burden on a substantial majority of low-risk entities to conducting periodic risk assessments for covered accounts and allows the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. In addition, a commenter requested that the FTC delay implementation of the final rules for small businesses by a minimum of six months, produce a shortened Red Flags list, consider creating a certification form for low-risk entities, and develop a small business compliance guide. The Agencies have set a mandatory compliance deadline of November 1, 2008, thereby providing all entities with well over six months in which to implement the final regulations. As discussed in the PRA analysis infra, the Agencies have clarified that the Red Flags Supplement is illustrative only, and is not intended to be used as a checklist. Therefore, the Agencies did not consider it necessary to alter the Red Flags listed. The FTC staff will be developing a small business compliance guide prior to the mandatory compliance deadline of November 1, 2008. The FTC staff will consider whether to include any model forms in such guide.

C. OCC and OTS Executive Order 12866 Determination

The OCC and the OTS each have independently determined that the final rule is not a ‘‘significant regulatory action’’ as defined in Executive Order 12866 because the annual effect on the economy is less than $100 million. Accordingly, a regulatory assessment is not required.

D. OCC and OTS Executive Order 13132 Determination

The OCC and the OTS each has determined that these final rules do not have any federalism implications for purposes of Executive Order 13132.

E. NCUA Executive Order 13132 Determination

Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on State and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the Executive Order. These final rules apply only to federally chartered credit unions and would not have substantial direct effects on the States, on the connection between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. The NCUA has determined that these final rules do not constitute a policy that has federalism implications for purposes of the Executive Order.

F. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104–4 (Unfunded Mandates Act) requests that an agency prepare a budgetary impact statement before promulgating a rule that includes a federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS each has determined that this rule will not result in expenditures by State, local, and tribal governments, or by the private sector, of $100 million or more. National banks and savings associations already employ a variety of measures that satisfy the requirements of the final rulemaking because, as described earlier, these are usual and customary business practices to minimize losses due to fraud, or because, as described earlier, they already comply with other existing regulations and guidance that relate to information security, authentication, identity theft, and response programs. Accordingly, neither the OCC nor the OTS has prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered.

G. NCUA: The Treasury and General Government Appropriations Act, 1999—Assessment of Federal Regulations and Policies on Families

The NCUA has determined that these final rules will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105–277, 112 Stat. 2681 (1998).

H. NCUA: Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) Determination

A SBREFA (Pub. L. 104–121) reporting requirement is triggered in instances where NCUA issues a final rule as defined by section 551 of the Administrative Procedure Act, 5 U.S.C. 551. NCUA has determined this final rule is not a major rule for purposes of SBREFA and the Office of Management and Budget (OMB) has concurred.

I. Plain Language

Section 722 of the Gramm-Leach-Bliley Act (12 U.S.C. 4809) requires the Federal banking agencies and the NCUA to use ‘‘plain language’’ in all proposed and final rules published in the Federal Register. The Agencies received no comments on how to make the rules easier to understand, and believe the final rules are presented in a clear and straightforward manner.

List of Subjects

12 CFR Part 41

Banks, banking, Consumer protection, National Banks, Reporting and recordkeeping requirements.

12 CFR Part 222

Banks, banking, Holding companies, state member banks.

12 CFR Part 334

Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and soundness.

12 CFR Part 364

Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and Soundness.

12 CFR Part 571

Consumer protection, Credit, Fair Credit Reporting Act, Privacy, Reporting and recordkeeping requirements, Savings associations.

12 CFR Part 717

Consumer protection, Credit unions, Fair credit reporting, Privacy, Reporting and recordkeeping requirements.

16 CFR Part 681

Fair Credit Reporting Act, Consumer reports, Consumer report users, Consumer reporting agencies, Credit, Creditors, Information furnishers, Identity theft, Trade practices.

Department of the Treasury

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

■ For the reasons discussed in the joint preamble, the Office of the Comptroller of the Currency amends Part 41 of title 12, chapter I, of the Code of Federal Regulations as follows:

PART 41—FAIR CREDIT REPORTING

■ 1. The authority citation for part 41 continues to read as follows:

Authority: 12 U.S.C. 1 et seq., 24 (Seventh), 93a, 481, 484, and 1818; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–3, 1681t, 1681w, Sec. 214, Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Section 41.1 is added to read as follows:

§ 41.1 Purpose.

(a) Purpose. The purpose of this part is to establish standards for national banks regarding consumer report information. In addition, the purpose of this part is to specify the extent to which national banks may obtain, use, or share certain information. This part also contains a number of measures national banks must take to combat consumer fraud and related crimes, including identity theft.

(b) [Reserved]

■ 3. Amend § 41.3 by revising the introductory text to read as follows:

§ 41.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

■ 4. Revise the heading for Subpart I to read as follows:

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 5. Add § 41.82 to read as follows:

§ 41.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a national bank, Federal branch or agency of a foreign bank, or any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.

(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);

(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or

(C) Obtains from third-party sources; or

(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;

(ii) Establishes a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the consumer about whom it has requested the report;

(ii) Reviewing its own records to verify the address of the consumer;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

■ 6. Add Subpart J to part 41 to read as follows:

Subpart J—Identity Theft Red Flags

Sec.
41.90 Duties regarding the detection, prevention, and mitigation of identity theft.
41.91 Duties of card issuers regarding changes of address.

Subpart J—Identity Theft Red Flags

§ 41.90 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is a national bank, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definitions. For purposes of this section and Appendix J, the following definitions apply:

(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:

(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and

(ii) A deposit account.

(2) The term board of directors includes:

(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.

(3) Covered account means:

(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell

phone account, utility account, checking account, or savings account; and

(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

(6) Customer means a person that has a covered account with a financial institution or creditor.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:

(1) The methods it provides to open its accounts;

(2) The methods it provides to access its accounts; and

(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:

(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;

(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;

(3) Train staff, as necessary, to effectively implement the Program; and

(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 41.91 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is a national bank, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1)(i) Notifies the cardholder of the request:

(A) At the cardholder’s former address; or

(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and

(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or

(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 41.90 of this part.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]

■ 7. Add and reserve appendices D through I to part 41.

■ 8. Add Appendix J to part 41 to read as follows:

Appendix J to Part 41—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 41.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 41.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the
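The change-of-address hold in § 41.91(c) and the alternative timing in § 41.91(d), worked as an added example written for this page (it is not the agencies' text and not any card issuer's actual code). The account identifiers, dates, window constant and function names below are constructed for the illustration.

```python
"""Illustrative check of the 12 CFR 41.91(c)/(d) address-validation rule.

Constructed example, not regulatory or issuer code. It models one question a
card-issuing system has to answer: may an additional or replacement card be
issued now, or must the change of address be validated first?
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# 41.91(c) sets a floor of "at least the first 30 days" after a change-of-
# address notification. An issuer may adopt a longer window; 30 is the minimum.
MIN_WINDOW_DAYS = 30


@dataclass(frozen=True)
class AddressChange:
    """A change-of-address notification received for a card account."""
    account_id: str
    received_on: date
    # True when the issuer validated the change when it arrived, using a
    # 41.91(c)(1) or (c)(2) method (the 41.91(d) alternative timing).
    validated_on_receipt: bool = False


@dataclass(frozen=True)
class CardRequest:
    """A request for an additional or replacement card on an account."""
    account_id: str
    received_on: date
    kind: str  # "additional" or "replacement"


@dataclass
class Decision:
    may_issue: bool
    reason: str
    # Steps that must be completed before issuing when may_issue is False.
    required_steps: list[str] = field(default_factory=list)


def unvalidated_changes_in_window(req: CardRequest, changes: list[AddressChange],
                                  window_days: int) -> list[AddressChange]:
    """Notifications for the same account that fall inside the window ending at
    the request date and were not already validated under 41.91(d).
    Day 0 is the notification day, so with a 30-day window day 30 is inside."""
    hits = []
    for c in changes:
        if c.account_id != req.account_id or c.validated_on_receipt:
            continue
        age = (req.received_on - c.received_on).days
        if 0 <= age <= window_days:
            hits.append(c)
    return hits


def assess_card_request(req: CardRequest, changes: list[AddressChange],
                        window_days: int = MIN_WINDOW_DAYS) -> Decision:
    """Apply 41.91(c)/(d) to a single additional/replacement card request."""
    if window_days < MIN_WINDOW_DAYS:
        raise ValueError("41.91(c) requires a window of at least 30 days")
    if req.kind not in ("additional", "replacement"):
        raise ValueError(f"not a card issuance request covered by 41.91(c): {req.kind!r}")
    pending = unvalidated_changes_in_window(req, changes, window_days)
    if not pending:
        return Decision(True, "no unvalidated change of address within the validation window")
    newest = max(pending, key=lambda c: c.received_on)
    age = (req.received_on - newest.received_on).days
    return Decision(
        False,
        f"change of address received {age} day(s) before the request and not yet validated",
        required_steps=[
            "41.91(c)(1)(i): notify the cardholder of the request at the former address (A) "
            "or by a previously agreed channel (B); the notice must be clear and conspicuous "
            "and sent separately from regular correspondence (41.91(e))",
            "41.91(c)(1)(ii): give the cardholder a reasonable means of promptly reporting "
            "an incorrect address change",
            "or 41.91(c)(2): otherwise assess validity under the issuer's 41.90 Program",
        ],
    )


def demo() -> dict[str, Decision]:
    """Constructed scenarios; dates are arbitrary and after the November 1, 2008
    compliance date quoted in the preamble."""
    changes = [
        AddressChange("acct-1", date(2008, 11, 3)),
        AddressChange("acct-2", date(2008, 11, 3), validated_on_receipt=True),
        AddressChange("acct-3", date(2008, 9, 1)),
    ]
    return {
        "inside_window": assess_card_request(CardRequest("acct-1", date(2008, 11, 20), "replacement"), changes),
        "validated_on_receipt": assess_card_request(CardRequest("acct-2", date(2008, 11, 20), "additional"), changes),
        "outside_window": assess_card_request(CardRequest("acct-3", date(2008, 11, 20), "replacement"), changes),
        "day_30_boundary": assess_card_request(CardRequest("acct-1", date(2008, 12, 3), "additional"), changes),
        "day_31_outside": assess_card_request(CardRequest("acct-1", date(2008, 12, 4), "additional"), changes),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: may_issue={decision.may_issue} ({decision.reason})")
```

The boundary cases show the floor the rule sets: a request on day 30 after the notification is still held, day 31 is outside a minimum window, and a change already validated on receipt under § 41.91(d) never blocks issuance.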


formulation and maintenance of a Program that satisfies the requirements of § 41.90 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:

(1) The types of covered accounts it offers or maintains;

(2) The methods it provides to open its covered accounts;

(3) The methods it provides to access its covered accounts; and

(4) Its previous experiences with identity theft.

(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:

(1) Incidents of identity theft that the financial institution or creditor has experienced;

(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and

(3) Applicable supervisory guidance.

(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.

(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

(2) The presentation of suspicious documents;

(3) The presentation of suspicious personal identifying information, such as a suspicious address change;

(4) The unusual use of, or other suspicious activity related to, a covered account; and

(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags

The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:

(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules

IV. Preventing and Mitigating Identity Theft

The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:

(a) Monitoring a covered account for evidence of identity theft;

(b) Contacting the customer;

(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;

(d) Reopening a covered account with a new account number;

(e) Not opening a new covered account;

(f) Closing an existing covered account;

(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;

(h) Notifying law enforcement; or

(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:

(a) The experiences of the financial institution or creditor with identity theft;

(b) Changes in methods of identity theft;

(c) Changes in methods to detect, prevent, and mitigate identity theft;

(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and

(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:

(1) Assigning specific responsibility for the Program’s implementation;

(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 41.90 of this part; and

administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 41.90 of this part.

(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.

(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:

(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;

(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and

(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of
implementing 31 U.S.C. 5318(l) (31 CFR (3) Approving material changes to the the Guidelines in Appendix J of this part,
jlentini on PROD1PC65 with RULES4

103.121); and Program as necessary to address changing each financial institution or creditor may
(b) Authenticating customers, monitoring identity theft risks. consider incorporating into its Program,
transactions, and verifying the validity of (b) Reports. (1) In general. Staff of the whether singly or in combination, Red Flags
change of address requests, in the case of financial institution or creditor responsible from the following illustrative examples in
existing covered accounts. for development, implementation, and connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 41.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Board of Governors of the Federal Reserve System

12 CFR Chapter II.

Authority and Issuance

■ For the reasons set forth in the joint preamble, part 222 of title 12, chapter II, of the Code of Federal Regulations is amended as follows:

PART 222—FAIR CREDIT REPORTING (REGULATION V)

■ 1. The authority citation for part 222 continues to read as follows:
Authority: 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–2, 1681s–3, 1681t, and 1681w; Secs. 3 and 214, Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Section 222.3 is amended by revising the introductory text to read as follows:

§ 222.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:
* * * * *
■ 3. The heading for Subpart I is revised to read as follows:

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 4. A new § 222.82 is added to read as follows:

§ 222.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a member bank of the Federal Reserve System (other than a national bank) and its respective operating subsidiaries, a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State branch of a foreign bank), commercial
lending company owned or controlled by a foreign bank, and an organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).
(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.
(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
■ 5. A new Subpart J is added to part 222 to read as follows:

Subpart J—Identity Theft Red Flags

Sec.
222.90 Duties regarding the detection, prevention, and mitigation of identity theft.
222.91 Duties of card issuers regarding changes of address.

Subpart J—Identity Theft Red Flags

§ 222.90 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to financial institutions and creditors that are member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).
(b) Definitions. For purposes of this section and Appendix J, the following definitions apply:
(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.
(2) The term board of directors includes:
(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3) Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6) Customer means a person that has a covered account with a financial institution or creditor.
(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).
(8) Identity theft has the same meaning as in 16 CFR 603.2(a).
(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10) Service provider means a person that provides a service directly to the financial institution or creditor.
(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate
identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.
(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 222.91 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 222.90(a) that issues a debit or credit card (card issuer).
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 222.90 of this part.
(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]

■ 6. Appendices D through I to part 222 are added and reserved.
■ 7. A new Appendix J is added to part 222 to read as follows:

Appendix J to Part 222—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 222.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 222.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 222.90 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.
(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags

The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules
implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft

The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the customer;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a) The experiences of the financial institution or creditor with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 222.90 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.
(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of
whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 222.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
regarding compliance by the financial the Guidelines in Appendix J of this part, b. The phone number on an application is
institution or creditor with § 222.90 of this each financial institution or creditor may the same as the number provided on a
part; and consider incorporating into its Program, fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

■ For the reasons discussed in the joint preamble, the Federal Deposit Insurance Corporation is amending 12 CFR parts 334 and 364 of title 12, Chapter III, of the Code of Federal Regulations as follows:

PART 334—FAIR CREDIT REPORTING

■ 1. The authority citation for part 334 is revised to read as follows:
Authority: 12 U.S.C. 1818, 1819 (Tenth) and 1831p–1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–3, 1681t, 1681w, 6801 and 6805, Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Amend § 334.3 by revising the introductory text to read as follows:

§ 334.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:
* * * * *
■ 3. Revise the heading for Subpart I as shown below.

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 4. Add § 334.82 to read as follows:

§ 334.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency and that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.
(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;

(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
■ 5. Add Subpart J to part 334 to read as follows:

Subpart J—Identity Theft Red Flags

Sec.
334.90 Duties regarding the detection, prevention, and mitigation of identity theft.
334.91 Duties of card issuers regarding changes of address.

Subpart J—Identity Theft Red Flags

§ 334.90 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
(b) Definitions. For purposes of this section and Appendix J, the following definitions apply:
(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.
(2) The term board of directors includes:
(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3) Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6) Customer means a person that has a covered account with a financial institution or creditor.
(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).
(8) Identity theft has the same meaning as in 16 CFR 603.2(a).
(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10) Service provider means a person that provides a service directly to the financial institution or creditor.
(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft Prevention Program—(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.
(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 334.91 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a

change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 334.90 of this part.
(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]

■ 6. Add and reserve appendices D through I to part 334.
■ 7. Add Appendix J to part 334 to read as follows:

Appendix J to Part 334—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 334.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 334.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 334.90 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.
(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags.

The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft.

The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the customer;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program.

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a) The experiences of the financial institution or creditor with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 334.90 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the

financial institution or creditor with § 334.90 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.
(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or
notice of credit freeze in response to a b. The phone number is invalid, or is transactions in connection with a customer’s
request for a consumer report. associated with a pager or answering service. covered account.


Notice From Customers, Victims of Identity (ii) The scope of § 571.83 of Subpart the requirements of the Customer
Theft, Law Enforcement Authorities, or Other I of this part is stated in § 571.83(a) of Information Program (CIP) rules
Persons Regarding Possible Identity Theft in this part. implementing 31 U.S.C. 5318(l) (31 CFR
Connection With Covered Accounts Held by (10)(i) The scope of § 571.90 of 103.121);
the Financial Institution or Creditor
Subpart J of this part is stated in (B) Maintains in its own records, such
26. The financial institution or creditor is § 571.90(a) of this part. as applications, change of address
notified by a customer, a victim of identity (ii) The scope of § 571.91 of Subpart notifications, other customer account
theft, a law enforcement authority, or any
J of this part is stated in § 571.91(a) of records, or retained CIP documentation;
other person that it has opened a fraudulent
account for a person engaged in identity this part. or
theft. ■ 3. Amend § 571.3 by: (C) Obtains from third-party sources;
■ a. Removing paragraph (o); and or
PART 364—STANDARDS FOR SAFETY ■ b. Revising the introductory text to (ii) Verifying the information in the
AND SOUNDNESS read as follows: consumer report provided by the
consumer reporting agency with the
■ 8. The authority citation for part 364 § 571.3 Definitions. consumer.
is revised to read as follows: For purposes of this part, unless (d) Consumer’s address. (1)
explicitly stated otherwise: Requirement to furnish consumer’s
Authority: 12 U.S.C. 1818 and 1819
(Tenth), 1831p–1; 15 U.S.C. 1681b, 1681s, * * * * * address to a consumer reporting agency.
1681w, 6801(b), 6805(b)(1). ■ 4. Revise the heading for Subpart I as A user must develop and implement
shown below. reasonable policies and procedures for
■ 9. Add the following sentence at the
furnishing an address for the consumer
end of § 364.101(b):
Subpart I—Duties of Users of that the user has reasonably confirmed
§ 364.101 Standards for safety and Consumer Reports Regarding Address is accurate to the consumer reporting
soundness. Discrepancies and Records Disposal agency from whom it received the
* * * * * notice of address discrepancy when the
■ 5. Add § 571.82 to read as follows: user:
(b) * * * The interagency regulations
and guidelines on identity theft (i) Can form a reasonable belief that
§ 571.82 Duties of users regarding address
detection, prevention, and mitigation discrepancies.
the consumer report relates to the
prescribed pursuant to section 114 of consumer about whom the user
(a) Scope. This section applies to a requested the report;
the Fair and Accurate Credit user of consumer reports (user) that (ii) Establishes a continuing
Transactions Act of 2003, 15 U.S.C. receives a notice of address discrepancy relationship with the consumer; and
1681m(e), are set forth in §§ 334.90, from a consumer reporting agency, and (iii) Regularly and in the ordinary
334.91, and Appendix J of part 334. that is a savings association whose course of business furnishes information
DEPARTMENT OF THE TREASURY deposits are insured by the Federal to the consumer reporting agency from
Deposit Insurance Corporation or, in which the notice of address discrepancy
Office of Thrift Supervision accordance with § 559.3(h)(1) of this relating to the consumer was obtained.
12 CFR Chapter V chapter, a federal savings association (2) Examples of confirmation
operating subsidiary that is not methods. The user may reasonably
Authority and Issuance functionally regulated within the confirm an address is accurate by:
meaning of section 5(c)(5) of the Bank (i) Verifying the address with the
■ For the reasons discussed in the joint
Holding Company Act of 1956, as consumer about whom it has requested
preamble, the Office of Thrift
amended (12 U.S.C. 1844(c)(5)). the report;
Supervision is amending part 571 of
(b) Definition. For purposes of this (ii) Reviewing its own records to
title 12, chapter V, of the Code of
section, a notice of address discrepancy verify the address of the consumer;
Federal Regulations as follows:
means a notice sent to a user by a (iii) Verifying the address through
PART 571—FAIR CREDIT REPORTING consumer reporting agency pursuant to third-party sources; or
15 U.S.C. 1681c(h)(1), that informs the (iv) Using other reasonable means.
■ 1. Revise the authority citation for part user of a substantial difference between (3) Timing. The policies and
571 to read as follows: the address for the consumer that the procedures developed in accordance
Authority: 12 U.S.C. 1462a, 1463, 1464, user provided to request the consumer with paragraph (d)(1) of this section
1467a, 1828, 1831p–1, and 1881–1884; 15 report and the address(es) in the must provide that the user will furnish
U.S.C. 1681b, 1681c, 1681m, 1681s, 1681s–1, agency’s file for the consumer. the consumer’s address that the user has
1681t and 1681w; 15 U.S.C. 6801 and 6805; (c) Reasonable belief. (1) Requirement reasonably confirmed is accurate to the
Sec. 214 Pub. L. 108–159, 117 Stat. 1952. to form a reasonable belief. A user must consumer reporting agency as part of the
develop and implement reasonable information it regularly furnishes for the
Subpart A—General Provisions policies and procedures designed to reporting period in which it establishes
enable the user to form a reasonable a relationship with the consumer.
■ 2. Amend § 571.1 by revising belief that a consumer report relates to
paragraph (b)(9) and adding a new ■ 6. Amend § 571.83 by:
the consumer about whom it has ■ a. Redesignating paragraphs (a) and
paragraph (b)(10) to read as follows: requested the report, when the user (b) as paragraphs (b) and (c),
§ 571.1 Purpose and Scope. receives a notice of address discrepancy. respectively.
(2) Examples of reasonable policies ■ b. Adding a new paragraph (a) to read
* * * * *
and procedures. (i) Comparing the as follows:
(b) scope.
jlentini on PROD1PC65 with RULES4

information in the consumer report


* * * * * provided by the consumer reporting § 571.83 Disposal of consumer
(9)(i) The scope of § 571.82 of Subpart agency with information the user: information.
I of this part is stated in § 571.82(a) of (A) Obtains and uses to verify the (a) Scope. This section applies to
this part. consumer’s identity in accordance with savings associations whose deposits are

VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00048 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63765

insured by the Federal Deposit maintains for which there is a (ii) Detect Red Flags that have been
Insurance Corporation and federal reasonably foreseeable risk to customers incorporated into the Program of the
savings association operating or to the safety and soundness of the financial institution or creditor;
subsidiaries in accordance with financial institution or creditor from (iii) Respond appropriately to any Red
§ 559.3(h)(1) of this chapter (defined as identity theft, including financial, Flags that are detected pursuant to
‘‘you’’). operational, compliance, reputation, or paragraph (d)(2)(ii) of this section to
* * * * * litigation risks. prevent and mitigate identity theft; and
■ 7. Add Subpart J to part 571 to read (4) Credit has the same meaning as in (iv) Ensure the Program (including the
as follows: 15 U.S.C. 1681a(r)(5). Red Flags determined to be relevant) is
(5) Creditor has the same meaning as updated periodically, to reflect changes
Subpart J—Identity Theft Red Flags in risks to customers and to the safety
in 15 U.S.C. 1681a(r)(5), and includes
Sec. lenders such as banks, finance and soundness of the financial
571.90 Duties regarding the detection, companies, automobile dealers, institution or creditor from identity
prevention, and mitigation of identity theft.
theft.
mortgage brokers, utility companies,
and telecommunications companies. (e) Administration of the Program.
571.91 Duties of card issuers regarding
changes of address. (6) Customer means a person that has Each financial institution or creditor
a covered account with a financial that is required to implement a Program
Subpart J—Identity Theft Red Flags institution or creditor. must provide for the continued
(7) Financial institution has the same administration of the Program and must:
§ 571.90 Duties regarding the detection, (1) Obtain approval of the initial
meaning as in 15 U.S.C. 1681a(t).
prevention, and mitigation of identity theft. written Program from either its board of
(8) Identity theft has the same
(a) Scope. This section applies to a meaning as in 16 CFR 603.2(a). directors or an appropriate committee of
financial institution or creditor that is a (9) Red Flag means a pattern, practice, the board of directors;
savings association whose deposits are or specific activity that indicates the (2) Involve the board of directors, an
insured by the Federal Deposit possible existence of identity theft. appropriate committee thereof, or a
Insurance Corporation or, in accordance (10) Service provider means a person designated employee at the level of
with § 559.3(h)(1) of this chapter, a that provides a service directly to the senior management in the oversight,
federal savings association operating financial institution or creditor. development, implementation and
subsidiary that is not functionally (c) Periodic Identification of Covered administration of the Program;
regulated within the meaning of section Accounts. Each financial institution or (3) Train staff, as necessary, to
5(c)(5) of the Bank Holding Company creditor must periodically determine effectively implement the Program; and
Act of 1956, as amended (12 U.S.C. whether it offers or maintains covered (4) Exercise appropriate and effective
1844(c)(5)). accounts. As a part of this oversight of service provider
(b) Definitions. For purposes of this arrangements.
determination, a financial institution or
section and Appendix J, the following (f) Guidelines. Each financial
creditor must conduct a risk assessment
definitions apply: institution or creditor that is required to
to determine whether it offers or
(1) Account means a continuing implement a Program must consider the
maintains covered accounts described
relationship established by a person guidelines in Appendix J of this part
in paragraph (b)(3)(ii) of this section,
with a financial institution or creditor to and include in its Program those
taking into consideration:
obtain a product or service for personal, guidelines that are appropriate.
(1) The methods it provides to open
family, household or business purposes.
its accounts; § 571.91 Duties of card issuers regarding
Account includes:
(i) An extension of credit, such as the (2) The methods it provides to access changes of address.
purchase of property or services its accounts; and (a) Scope. This section applies to an
involving a deferred payment; and (3) Its previous experiences with issuer of a debit or credit card (card
(ii) A deposit account. identity theft. issuer) that is a savings association
(2) The term board of directors (d) Establishment of an Identity Theft whose deposits are insured by the
includes: Prevention Program. (1) Program Federal Deposit Insurance Corporation
(i) In the case of a branch or agency requirement. Each financial institution or, in accordance with § 559.3(h)(1) of
of a foreign bank, the managing official or creditor that offers or maintains one this chapter, a federal savings
in charge of the branch or agency; and or more covered accounts must develop association operating subsidiary that is
(ii) In the case of any other creditor and implement a written Identity Theft not functionally regulated within the
that does not have a board of directors, Prevention Program (Program) that is meaning of section 5(c)(5) of the Bank
a designated employee at the level of designed to detect, prevent, and mitigate Holding Company Act of 1956, as
senior management. identity theft in connection with the amended (12 U.S.C. 1844(c)(5)).
(3) Covered account means: opening of a covered account or any (b) Definitions. For purposes of this
(i) An account that a financial existing covered account. The Program section:
institution or creditor offers or must be appropriate to the size and (1) Cardholder means a consumer
maintains, primarily for personal, complexity of the financial institution who has been issued a credit or debit
family, or household purposes, that or creditor and the nature and scope of card.
involves or is designed to permit its activities. (2) Clear and conspicuous means
multiple payments or transactions, such (2) Elements of the Program. The reasonably understandable and
as a credit card account, mortgage loan, Program must include reasonable designed to call attention to the nature
automobile loan, margin account, cell policies and procedures to: and significance of the information
jlentini on PROD1PC65 with RULES4

phone account, utility account, (i) Identify relevant Red Flags for the presented.
checking account, or savings account; covered accounts that the financial (c) Address validation requirements.
and institution or creditor offers or A card issuer must establish and
(ii) Any other account that the maintains, and incorporate those Red implement reasonable policies and
financial institution or creditor offers or Flags into its Program; procedures to assess the validity of a

VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00049 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
63766 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

change of address if it receives I. The Program the Red Flags the financial institution or
notification of a change of address for a In designing its Program, a financial creditor has detected that are commensurate
consumer’s debit or credit card account institution or creditor may incorporate, as with the degree of risk posed. In determining
appropriate, its existing policies, procedures, an appropriate response, a financial
and, within a short period of time
and other arrangements that control institution or creditor should consider
afterwards (during at least the first 30 aggravating factors that may heighten the risk
days after it receives such notification), reasonably foreseeable risks to customers or
to the safety and soundness of the financial of identity theft, such as a data security
the card issuer receives a request for an institution or creditor from identity theft. incident that results in unauthorized access
additional or replacement card for the to a customer’s account records held by the
II. Identifying Relevant Red Flags financial institution, creditor, or third party,
same account. Under these
circumstances, the card issuer may not (a) Risk Factors. A financial institution or or notice that a customer has provided
issue an additional or replacement card, creditor should consider the following factors information related to a covered account held
in identifying relevant Red Flags for covered by the financial institution or creditor to
until, in accordance with its reasonable accounts, as appropriate: someone fraudulently claiming to represent
policies and procedures and for the (1) The types of covered accounts it offers the financial institution or creditor or to a
purpose of assessing the validity of the or maintains; fraudulent website. Appropriate responses
change of address, the card issuer: (2) The methods it provides to open its may include the following:
(1)(i) Notifies the cardholder of the covered accounts; (a) Monitoring a covered account for
request: (3) The methods it provides to access its evidence of identity theft;
(A) At the cardholder’s former covered accounts; and (b) Contacting the customer;
address; or (4) Its previous experiences with identity (c) Changing any passwords, security
(B) By any other means of theft. codes, or other security devices that permit
(b) Sources of Red Flags. Financial access to a covered account;
communication that the card issuer and institutions and creditors should incorporate
the cardholder have previously agreed (d) Reopening a covered account with a
relevant Red Flags from sources such as: new account number;
to use; and (1) Incidents of identity theft that the (e) Not opening a new covered account;
(ii) Provides to the cardholder a financial institution or creditor has (f) Closing an existing covered account;
reasonable means of promptly reporting experienced; (g) Not attempting to collect on a covered
incorrect address changes; or (2) Methods of identity theft that the account or not selling a covered account to
(2) Otherwise assesses the validity of financial institution or creditor has identified a debt collector;
the change of address in accordance that reflect changes in identity theft risks; (h) Notifying law enforcement; or
with the policies and procedures the and (i) Determining that no response is
(3) Applicable supervisory guidance. warranted under the particular
card issuer has established pursuant to (c) Categories of Red Flags. The Program
§ 571.90 of this part. circumstances.
should include relevant Red Flags from the
(d) Alternative timing of address following categories, as appropriate. V. Updating the Program
validation. A card issuer may satisfy the Examples of Red Flags from each of these Financial institutions and creditors should
requirements of paragraph (c) of this categories are appended as Supplement A to update the Program (including the Red Flags
section if it validates an address this Appendix J. determined to be relevant) periodically, to
pursuant to the methods in paragraph (1) Alerts, notifications, or other warnings reflect changes in risks to customers or to the
(c)(1) or (c)(2) of this section when it received from consumer reporting agencies or safety and soundness of the financial
service providers, such as fraud detection institution or creditor from identity theft,
receives an address change notification, services; based on factors such as:
before it receives a request for an (2) The presentation of suspicious (a) The experiences of the financial
additional or replacement card. documents; institution or creditor with identity theft;
(e) Form of notice. Any written or (3) The presentation of suspicious personal (b) Changes in methods of identity theft;
electronic notice that the card issuer identifying information, such as a suspicious (c) Changes in methods to detect, prevent,
provides under this paragraph must be address change; and mitigate identity theft;
clear and conspicuous and provided (4) The unusual use of, or other suspicious (d) Changes in the types of accounts that
separately from its regular activity related to, a covered account; and the financial institution or creditor offers or
(5) Notice from customers, victims of maintains; and
correspondence with the cardholder. identity theft, law enforcement authorities, or (e) Changes in the business arrangements
Appendices D–I [Reserved] other persons regarding possible identity of the financial institution or creditor,
theft in connection with covered accounts including mergers, acquisitions, alliances,
■ 8. Add and reserve appendices D held by the financial institution or creditor. joint ventures, and service provider
through I to part 571. III. Detecting Red Flags arrangements.
■ 9. Add Appendix J to part 571 to read The Program’s policies and procedures VI. Methods for Administering the Program
as follows: should address the detection of Red Flags in (a) Oversight of Program. Oversight by the
connection with the opening of covered board of directors, an appropriate committee
Appendix J to Part 571—Interagency accounts and existing covered accounts, such
Guidelines on Identity Theft Detection, of the board, or a designated employee at the
as by: level of senior management should include:
Prevention, and Mitigation (a) Obtaining identifying information (1) Assigning specific responsibility for the
about, and verifying the identity of, a person
Section 571.90 of this part requires each Program’s implementation;
opening a covered account, for example,
financial institution and creditor that offers (2) Reviewing reports prepared by staff
using the policies and procedures regarding
or maintains one or more covered accounts, regarding compliance by the financial
identification and verification set forth in the
as defined in § 571.90(b)(3) of this part, to institution or creditor with § 571.90 of this
Customer Identification Program rules
develop and provide for the continued implementing 31 U.S.C. 5318(l) (31 CFR part; and
administration of a written Program to detect, 103.121); and (3) Approving material changes to the
prevent, and mitigate identity theft in (b) Authenticating customers, monitoring Program as necessary to address changing
connection with the opening of a covered transactions, and verifying the validity of identity theft risks.
account or any existing covered account. (b) Reports. (1) In general. Staff of the
jlentini on PROD1PC65 with RULES4

change of address requests, in the case of


These guidelines are intended to assist existing covered accounts. financial institution or creditor responsible
financial institutions and creditors in the for development, implementation, and
formulation and maintenance of a Program IV. Preventing and Mitigating Identity Theft administration of its Program should report
that satisfies the requirements of § 571.90 of The Program’s policies and procedures to the board of directors, an appropriate
this part. should provide for appropriate responses to committee of the board, or a designated

VerDate Aug<31>2005 21:43 Nov 08, 2007 Jkt 214001 PO 00000 Frm 00050 Fmt 4701 Sfmt 4700 E:\FR\FM\09NOR4.SGM 09NOR4
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63767

employee at the level of senior management, 2. A consumer reporting agency provides a b. The phone number is invalid, or is
at least annually, on compliance by the notice of credit freeze in response to a associated with a pager or answering service.
financial institution or creditor with § 571.90 request for a consumer report. 14. The SSN provided is the same as that
of this part. 3. A consumer reporting agency provides a submitted by other persons opening an
(2) Contents of report. The report should notice of address discrepancy, as defined in account or other customers.
address material matters related to the § 571.82(b) of this part. 15. The address or telephone number
Program and evaluate issues such as: the 4. A consumer report indicates a pattern of provided is the same as or similar to the
effectiveness of the policies and procedures activity that is inconsistent with the history account number or telephone number
of the financial institution or creditor in and usual pattern of activity of an applicant submitted by an unusually large number of
addressing the risk of identity theft in or customer, such as: other persons opening accounts or other
connection with the opening of covered a. A recent and significant increase in the customers.
accounts and with respect to existing covered volume of inquiries; 16. The person opening the covered
accounts; service provider arrangements; b. An unusual number of recently account or the customer fails to provide all
significant incidents involving identity theft established credit relationships; required personal identifying information on
c. A material change in the use of credit, an application or in response to notification
and management’s response; and
especially with respect to recently that the application is incomplete.
recommendations for material changes to the
established credit relationships; or 17. Personal identifying information
Program.
d. An account that was closed for cause or provided is not consistent with personal
(c) Oversight of service provider identifying information that is on file with
arrangements. Whenever a financial identified for abuse of account privileges by
a financial institution or creditor. the financial institution or creditor.
institution or creditor engages a service 18. For financial institutions and creditors
provider to perform an activity in connection Suspicious Documents that use challenge questions, the person
with one or more covered accounts the opening the covered account or the customer
financial institution or creditor should take 5. Documents provided for identification
appear to have been altered or forged. cannot provide authenticating information
steps to ensure that the activity of the service beyond that which generally would be
provider is conducted in accordance with 6. The photograph or physical description
on the identification is not consistent with available from a wallet or consumer report.
reasonable policies and procedures designed
to detect, prevent, and mitigate the risk of the appearance of the applicant or customer Unusual Use of, or Suspicious Activity
identity theft. For example, a financial presenting the identification. Related to, the Covered Account
institution or creditor could require the 7. Other information on the identification 19. Shortly following the notice of a change
service provider by contract to have policies is not consistent with information provided of address for a covered account, the
and procedures to detect relevant Red Flags by the person opening a new covered account institution or creditor receives a request for
that may arise in the performance of the or customer presenting the identification. a new, additional, or replacement card or a
service provider’s activities, and either report 8. Other information on the identification cell phone, or for the addition of authorized
the Red Flags to the financial institution or is not consistent with readily accessible users on the account.
creditor, or to take appropriate steps to information that is on file with the financial 20. A new revolving credit account is used
prevent or mitigate identity theft. institution or creditor, such as a signature in a manner commonly associated with
card or a recent check. known patterns of fraud patterns. For
VII. Other Applicable Legal Requirements 9. An application appears to have been example:
Financial institutions and creditors should altered or forged, or gives the appearance of a. The majority of available credit is used
be mindful of other related legal having been destroyed and reassembled. for cash advances or merchandise that is
requirements that may be applicable, such as: easily convertible to cash (e.g., electronics
Suspicious Personal Identifying Information
(a) For financial institutions and creditors equipment or jewelry); or
that are subject to 31 U.S.C. 5318(g), filing a 10. Personal identifying information b. The customer fails to make the first
Suspicious Activity Report in accordance provided is inconsistent when compared payment or makes an initial payment but no
with applicable law and regulation; against external information sources used by subsequent payments.
(b) Implementing any requirements under the financial institution or creditor. For 21. A covered account is used in a manner
15 U.S.C. 1681c–1(h) regarding the example: that is not consistent with established
circumstances under which credit may be a. The address does not match any address patterns of activity on the account. There is,
extended when the financial institution or in the consumer report; or for example:
creditor detects a fraud or active duty alert;

(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and

(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or

a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.

24. The financial institution or creditor is notified that the customer is not receiving paper account statements.

25. The financial institution or creditor is notified of unauthorized charges or


transactions in connection with a customer’s covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

National Credit Union Administration

12 CFR Chapter VII

Authority and Issuance

■ For the reasons discussed in the joint preamble, the National Credit Union Administration is amending part 717 of title 12, chapter VII, of the Code of Federal Regulations as follows:

PART 717—FAIR CREDIT REPORTING

■ 1. The authority citation for part 717 is revised to read as follows:

Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s–1, 1681t, 1681w, 6801 and 6805, Pub. L. 108–159, 117 Stat. 1952.

Subpart A—General Provisions

■ 2. Amend § 717.3 by revising the introductory text to read as follows:

§ 717.3 Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

■ 3. Revise the heading for Subpart I as shown below.

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

■ 4. Add § 717.82 to read as follows:

§ 717.82 Duties of users regarding address discrepancies.

(a) Scope. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a federal credit union.

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.

(c) Reasonable belief—(1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other member account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer’s address—(1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

■ 5. Add Subpart J to part 717 to read as follows:

Subpart J—Identity Theft Red Flags

Sec.
717.90 Duties regarding the detection, prevention, and mitigation of identity theft.
717.91 Duties of card issuers regarding changes of address.

Subpart J—Identity Theft Red Flags

§ 717.90 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is a federal credit union.

(b) Definitions. For purposes of this section and Appendix J, the following definitions apply:

(1) Account means a continuing relationship established by a person with a federal credit union to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A share or deposit account.

(2) The term board of directors refers to a federal credit union’s board of directors.

(3) Covered account means:
(i) An account that a federal credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; and
(ii) Any other account that the federal credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.

(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).

(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5).

(6) Customer means a member that has a covered account with a federal credit union.

(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).

(8) Identity theft has the same meaning as in 16 CFR 603.2(a).

(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.

(10) Service provider means a person that provides a service directly to the federal credit union.


(c) Periodic Identification of Covered Accounts. Each federal credit union must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a federal credit union must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.

(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each federal credit union that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the federal credit union and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the federal credit union offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the federal credit union;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to members and to the safety and soundness of the federal credit union from identity theft.

(e) Administration of the Program. Each federal credit union that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.

(f) Guidelines. Each federal credit union that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.

§ 717.91 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to an issuer of a debit or credit card (card issuer) that is a federal credit union.

(b) Definitions. For purposes of this section:
(1) Cardholder means a member who has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a member’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 717.90 of this part.

(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.

(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendices D–I [Reserved]

■ 6. Add and reserve appendices D through I to part 717.

■ 7. Add Appendix J to part 717 to read as follows:

Appendix J to Part 717—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 717.90 of this part requires each federal credit union that offers or maintains one or more covered accounts, as defined in § 717.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist federal credit unions in the formulation and maintenance of a Program that satisfies the requirements of § 717.90 of this part.

I. The Program

In designing its Program, a federal credit union may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to members or to the safety and soundness of the federal credit union from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A federal credit union should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.

(b) Sources of Red Flags. Federal credit unions should incorporate relevant Red Flags from sources such as:
(1) Incidents of identity theft that the federal credit union has experienced;
(2) Methods of identity theft that the federal credit union has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.

(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and


(5) Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union.

III. Detecting Red Flags

The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating members, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft

The Program’s policies and procedures should provide for appropriate responses to the Red Flags the federal credit union has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a federal credit union should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a member’s account records held by the federal credit union or a third party, or notice that a member has provided information related to a covered account held by the federal credit union to someone fraudulently claiming to represent the federal credit union or to a fraudulent website. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the member;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Federal credit unions should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to members or to the safety and soundness of the federal credit union from identity theft, based on factors such as:
(a) The experiences of the federal credit union with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the federal credit union offers or maintains; and
(e) Changes in the business arrangements of the federal credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the federal credit union with § 717.90 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.

(b) Reports. (1) In general. Staff of the federal credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the federal credit union with § 717.90 of this part.

(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the federal credit union in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.

(c) Oversight of service provider arrangements. Whenever a federal credit union engages a service provider to perform an activity in connection with one or more covered accounts the federal credit union should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a federal credit union could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the federal credit union, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Federal credit unions should be mindful of other related legal requirements that may be applicable, such as:
(a) Filing a Suspicious Activity Report under 31 U.S.C. 5318(g) and 12 CFR 748.1(c);
(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the federal credit union detects a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix J

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each federal credit union may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 717.82(b) of this part.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or member presenting the identification.

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or member presenting the identification.

8. Other information on the identification is not consistent with readily accessible information that is on file with the federal credit union, such as a signature card or a recent check.

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the federal credit union. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

11. Personal identifying information provided by the member is not consistent with other personal identifying information provided by the member. For example, there is a lack of correlation between the SSN range and date of birth.


12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the federal credit union. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the federal credit union. For example:
a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other members.

15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other members.

16. The person opening the covered account or the member fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the federal credit union.

18. For federal credit unions that use challenge questions, the person opening the covered account or the member cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The member fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the member is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the member’s covered account.

24. The federal credit union is notified that the member is not receiving paper account statements.

25. The federal credit union is notified of unauthorized charges or transactions in connection with a member’s covered account.

Notice From Members, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Federal Credit Union

26. The federal credit union is notified by a member, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

FEDERAL TRADE COMMISSION

16 CFR Part 681

Authority and Issuance

■ For the reasons discussed in the joint preamble, the Commission is adding part 681 of title 16 of the Code of Federal Regulations as follows:

PART 681—IDENTITY THEFT RULES

Sec.
681.1 Duties of users of consumer reports regarding address discrepancies.
681.2 Duties regarding the detection, prevention, and mitigation of identity theft.
681.3 Duties of card issuers regarding changes of address.
Appendix A to Part 681—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Authority: Pub. L. 108–159, sec. 114 and sec. 315; 15 U.S.C. 1681m(e) and 15 U.S.C. 1681c(h).

§ 681.1 Duties of users regarding address discrepancies.

(a) Scope. This section applies to users of consumer reports that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1) (users).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.

(c) Reasonable belief. (1) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.

(2) Examples of reasonable policies and procedures. (i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer’s identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

(d) Consumer’s address. (1) Requirement to furnish consumer’s address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.

(2) Examples of confirmation methods. The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance


with paragraph (d)(1) of this section must provide that the user will furnish the consumer’s address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

§ 681.2 Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1).
(b) Definitions. For purposes of this section, and Appendix A, the following definitions apply:
(1) Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii) A deposit account.
(2) The term board of directors includes:
(i) In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii) In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3) Covered account means:
(i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4) Credit has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5) Creditor has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6) Customer means a person that has a covered account with a financial institution or creditor.
(7) Financial institution has the same meaning as in 15 U.S.C. 1681a(t).
(8) Identity theft has the same meaning as in 16 CFR 603.2(a).
(9) Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10) Service provider means a person that provides a service directly to the financial institution or creditor.
(c) Periodic Identification of Covered Accounts. Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1) The methods it provides to open its accounts;
(2) The methods it provides to access its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft Prevention Program. (1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2) Elements of the Program. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e) Administration of the Program. Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective oversight of service provider arrangements.
(f) Guidelines. Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix A of this part and include in its Program those guidelines that are appropriate.

§ 681.3 Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 681.2(a) that issues a debit or credit card (card issuer).
(b) Definitions. For purposes of this section:
(1) Cardholder means a consumer who has been issued a credit or debit card.
(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c) Address validation requirements. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 681.2 of this part.
(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendix A to Part 681—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Section 681.2 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 681.2(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 681.2 of this part.

I. The Program

In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

II. Identifying Relevant Red Flags

(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.
(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c) Categories of Red Flags. The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix A.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

III. Detecting Red Flags

The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft

The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the customer;
(c) Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d) Reopening a covered account with a new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program

Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a) The experiences of the financial institution or creditor with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent, and mitigate identity theft;
(d) Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

VI. Methods for Administering the Program

(a) Oversight of Program. Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1) Assigning specific responsibility for the Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 681.2 of this part; and
(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports. (1) In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 681.2 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.
(c) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags
that may arise in the performance of the service provider’s activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.

VII. Other Applicable Legal Requirements

Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a) For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b) Implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.

Supplement A to Appendix A

In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix A of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 681.1(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or a prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Dated: October 5, 2007.
John C. Dugan,
Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve System, October 29, 2007.
Jennifer J. Johnson,
Secretary of the Board.
Dated at Washington, DC, this 16th day of October, 2007.
By order of the Board of Directors.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
Dated: October 24, 2007.
By the Office of Thrift Supervision.


John M. Reich,
Director.
By order of the National Credit Union
Administration Board, October 15, 2007.
Mary Rupp,
Secretary of the Board.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 07–5453 Filed 11–8–07; 8:45 am]
BILLING CODE 4810–33–P; 6210–01–P; 6714–01–P;
6720–01–P; 7535–01–P; 6750–01–P
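The address validation requirement in § 681.3(c) and (d) and Red Flag 19 in Supplement A describe one concrete control a card issuer can enforce in software: a request for a card that arrives within a window after an address-change notification must not be fulfilled until the change has been validated, either at request time under (c)(1) or (c)(2) or earlier, when the change was received, under (d). The Python below is an added illustration of that gate and is not part of the rule text or any agency's or issuer's code. The event records, the `evaluate_request` function and the sample dates are assumptions constructed here; the 30-day window is the minimum the rule states ("at least the first 30 days"), so it is a parameter an issuer may lengthen.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# § 681.3(c) covers card requests received during "at least the first 30 days"
# after an address-change notification, so 30 days is the minimum window.
DEFAULT_WINDOW = timedelta(days=30)

# Request kinds listed in Supplement A, Red Flag 19. Only the card requests are
# subject to the hold in § 681.3(c); the others are Red Flags to be answered
# under the Program's response procedures (Appendix A, section IV).
CARD_REQUESTS = {"new_card", "additional_card", "replacement_card"}
OTHER_FLAGGED_REQUESTS = {"cell_phone", "add_authorized_user"}


@dataclass
class AddressChange:
    received: date
    # True when the issuer validated the change when it was received,
    # the alternative timing permitted by § 681.3(d).
    validated_at_notice: bool = False


@dataclass
class CardRequest:
    received: date
    kind: str


@dataclass
class ValidationRecord:
    """Steps the issuer took to assess the address change for this request."""
    notified_former_address: bool = False   # § 681.3(c)(1)(i)(A)
    notified_agreed_channel: bool = False   # § 681.3(c)(1)(i)(B)
    reporting_means_provided: bool = False  # § 681.3(c)(1)(ii)
    validated_per_program: bool = False     # § 681.3(c)(2)


@dataclass
class Decision:
    action: str                      # "issue", "hold" or "review"
    red_flags: List[str] = field(default_factory=list)
    basis: str = ""


def validation_satisfied(v: Optional[ValidationRecord]) -> bool:
    """(c)(1): notice at the former address or an agreed channel AND a means to
    report an incorrect change; or (c)(2): validation under § 681.2 procedures."""
    if v is None:
        return False
    notified = v.notified_former_address or v.notified_agreed_channel
    return (notified and v.reporting_means_provided) or v.validated_per_program


def evaluate_request(changes: List[AddressChange], request: CardRequest,
                     validation: Optional[ValidationRecord] = None,
                     window: timedelta = DEFAULT_WINDOW) -> Decision:
    """Decide whether a request may be fulfilled given prior address changes."""
    if request.kind not in CARD_REQUESTS | OTHER_FLAGGED_REQUESTS:
        return Decision("issue", basis="request kind not covered by Red Flag 19")
    # Changes received on or before the request and still inside the window.
    recent = [c for c in changes
              if c.received <= request.received <= c.received + window]
    if not recent:
        return Decision("issue", basis="no address change within window")
    flags = ["Supplement A, Red Flag 19"]
    if request.kind in OTHER_FLAGGED_REQUESTS:
        return Decision("review", flags, "respond per Program (Appendix A, IV)")
    if all(c.validated_at_notice for c in recent):
        return Decision("issue", flags, "§ 681.3(d): validated at notification")
    if validation_satisfied(validation):
        return Decision("issue", flags, "§ 681.3(c)(1) or (c)(2) satisfied")
    return Decision("hold", flags, "§ 681.3(c): no card until change is validated")


# Constructed sample events (not from the rule): a change notice on the rule's
# publication date, followed by requests at various distances from it.
SAMPLE_CHANGE = AddressChange(received=date(2007, 11, 9))
PREVALIDATED_CHANGE = AddressChange(received=date(2007, 11, 9), validated_at_notice=True)
REQ_IN_WINDOW = CardRequest(date(2007, 11, 20), "replacement_card")
REQ_ON_DAY_30 = CardRequest(date(2007, 12, 9), "new_card")
REQ_AFTER_WINDOW = CardRequest(date(2007, 12, 15), "replacement_card")
REQ_AUTHORIZED_USER = CardRequest(date(2007, 11, 20), "add_authorized_user")
REQ_UNRELATED = CardRequest(date(2007, 11, 20), "balance_inquiry")
FULL_VALIDATION = ValidationRecord(notified_former_address=True, reporting_means_provided=True)
PARTIAL_VALIDATION = ValidationRecord(notified_agreed_channel=True)  # no reporting means


if __name__ == "__main__":
    for label, req, val in [("no validation", REQ_IN_WINDOW, None),
                            ("full validation", REQ_IN_WINDOW, FULL_VALIDATION),
                            ("notice only", REQ_IN_WINDOW, PARTIAL_VALIDATION),
                            ("after window", REQ_AFTER_WINDOW, None),
                            ("authorized user", REQ_AUTHORIZED_USER, None)]:
        d = evaluate_request([SAMPLE_CHANGE], req, val)
        print(f"{label:16} -> {d.action:6} {d.red_flags} {d.basis}")
```

Two design points follow from the rule text. A notice alone does not satisfy (c)(1): the cardholder must also be given a reasonable means of reporting an incorrect change, which is why the "notice only" case still holds the card. And a request received on day 30 is inside the window, since the rule's 30 days are a floor rather than a cut-off; an issuer that wants a longer look-back passes a larger `window`.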