Part IV Department of the Treasury
Page content transcription ( If your browser does not render page correctly, please read the page content below )
Friday, November 9, 2007 Part IV Department of the Treasury Office of the Comptroller of the Currency 12 CFR Part 41 Federal Reserve System 12 CFR Part 222 Federal Deposit Insurance Corporation 12 CFR Parts 334 and 364 Department of the Treasury Office of Thrift Supervision 12 CFR Part 571 National Credit Union Administration 12 CFR Part 717 Federal Trade Commission 16 CFR Part 681 Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule
63718 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations DEPARTMENT OF THE TREASURY and mitigate identity theft in connection Office of Thrift Supervision, 1700 G with the opening of certain accounts or Street, NW., Washington, DC 20552. Office of the Comptroller of the certain existing accounts. In addition, NCUA: Regina M. Metz, Staff Currency the Agencies are issuing guidelines to Attorney, Office of General Counsel, assist financial institutions and (703) 518–6540, National Credit Union 12 CFR Part 41 creditors in the formulation and Administration, 1775 Duke Street, [Docket ID OCC–2007–0017] maintenance of a Program that satisfies Alexandria, VA 22314–3428. the requirements of the rules. The rules FTC: Naomi B. Lefkovitz, Attorney, or RIN 1557–AC87 implementing section 114 also require Pavneet Singh, Attorney, Division of credit and debit card issuers to assess Privacy and Identity Protection, Bureau FEDERAL RESERVE SYSTEM the validity of notifications of changes of Consumer Protection, (202) 326– of address under certain circumstances. 2252, Federal Trade Commission, 600 12 CFR Part 222 Additionally, the Agencies are issuing Pennsylvania Avenue, NW., Washington [Docket No. R–1255] joint rules under section 315 that DC 20580. provide guidance regarding reasonable SUPPLEMENTARY INFORMATION: FEDERAL DEPOSIT INSURANCE policies and procedures that a user of CORPORATION consumer reports must employ when a I. Introduction consumer reporting agency sends the The President signed the FACT Act 12 CFR Parts 334 and 364 user a notice of address discrepancy. into law on December 4, 2003.1 The DATES: The joint final rules and FACT Act added several new provisions RIN 3064–AD00 guidelines are effective January 1, 2008. to the Fair Credit Reporting Act of 1970 DEPARTMENT OF THE TREASURY The mandatory compliance date for this (FCRA), 15 U.S.C. 1681 et seq. Section rule is November 1, 2008. 114 of the FACT Act, 15 U.S.C. Office of Thrift Supervision 1681m(e), amends section 615 of the FOR FURTHER INFORMATION CONTACT: FCRA, and directs the Agencies to issue OCC: Amy Friend, Assistant Chief joint regulations and guidelines 12 CFR Part 571 Counsel, (202) 874–5200; Deborah Katz, regarding the detection, prevention, and [Docket No. OTS–2007–0019] Senior Counsel, or Andra Shuster, mitigation of identity theft, including Special Counsel, Legislative and special regulations requiring debit and RIN 1550–AC04 Regulatory Activities Division, (202) credit card issuers to validate 874–5090; Paul Utterback, Compliance notifications of changes of address NATIONAL CREDIT UNION Specialist, Compliance Department, under certain circumstances.2 Section ADMINISTRATION (202) 874–5461; or Aida Plaza Carter, 315 of the FACT Act, 15 U.S.C. Director, Bank Information Technology, 1681c(h), adds a new section 605(h)(2) 12 CFR Part 717 (202) 874–4740, Office of the to the FCRA requiring the Agencies to Comptroller of the Currency, 250 E issue joint regulations that provide FEDERAL TRADE COMMISSION Street, SW., Washington, DC 20219. guidance regarding reasonable policies 16 CFR Part 681 Board: David A. Stein or Ky Tran- and procedures that a user of a Trong, Counsels, or Amy Burke, consumer report should employ when RIN 3084–AA94 Attorney, Division of Consumer and the user receives a notice of address Community Affairs, (202) 452–3667; discrepancy. Identity Theft Red Flags and Address Kara L. Handzlik, Attorney, Legal On July 18, 2006, the Agencies Discrepancies Under the Fair and Division, (202) 452–3852; or John published a joint notice of proposed Accurate Credit Transactions Act of Gibbons, Supervisory Financial Analyst, rulemaking (NPRM) in the Federal 2003 Division of Banking Supervision and Register (71 FR 40786) proposing rules AGENCIES: Office of the Comptroller of Regulation, (202) 452–6409, Board of and guidelines to implement section the Currency, Treasury (OCC); Board of Governors of the Federal Reserve 114 and proposing rules to implement Governors of the Federal Reserve System, 20th and C Streets, NW., section 315 of the FACT Act. The public System (Board); Federal Deposit Washington, DC 20551. comment period closed on September Insurance Corporation (FDIC); Office of FDIC: Jeffrey M. Kopchik, Senior 18, 2006. The Agencies collectively Thrift Supervision, Treasury (OTS); Policy Analyst, (202) 898–3872, or received a total of 129 comments in National Credit Union Administration David P. Lafleur, Policy Analyst, (202) response to the NPRM, although many (NCUA); and Federal Trade Commission 898–6569, Division of Supervision and commenters sent copies of the same (FTC or Commission). Consumer Protection; Richard M. letter to each of the Agencies. The ACTION: Joint final rules and guidelines. Schwartz, Counsel, (202) 898–7424, or comments included 63 from financial Richard B. Foley, Counsel, (202) 898– institutions, 12 from financial SUMMARY: The OCC, Board, FDIC, OTS, 3784, Legal Division, Federal Deposit institution holding companies, 23 from NCUA and FTC (the Agencies) are Insurance Corporation, 550 17th Street, financial institution trade associations, jointly issuing final rules and guidelines NW., Washington, DC 20429. 12 from individuals, nine from other implementing section 114 of the Fair OTS: Ekita Mitchell, Consumer trade associations, five from other and Accurate Credit Transactions Act of Regulations Analyst, Compliance and business entities, three from consumer 2003 (FACT Act) and final rules Consumer Protection, (202) 906–6451; implementing section 315 of the FACT Kathleen M. McNulty, Technology 1 Pub. L. 108–159. Act. The rules implementing section Program Manager, Information 2 Section 111 of the FACT Act defines ‘‘identity 114 require each financial institution or Technology Risk Management, (202) theft’’ as ‘‘a fraud committed using the identifying information of another person, subject to such creditor to develop and implement a 906–6322; or Richard Bennett, Senior further definition as the [Federal Trade] written Identity Theft Prevention Compliance Counsel, Regulations and Commission may prescribe, by regulation.’’ 15 Program (Program) to detect, prevent, Legislation Division, (202) 906–7409, U.S.C. 1681a(q)(3).
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63719 groups,3 one from a member of indicators of a possible risk of identity commenters suggested that the Congress, and one from the United theft (Red Flags), including indicators regulations and guidelines take the form States Small Business Administration from among those listed in the of broad objectives modeled on the (SBA). guidelines. To promote flexibility and objectives set forth in the ‘‘Interagency responsiveness to the changing nature of Guidelines Establishing Information II. Section 114 of the FACT Act identity theft, the proposed rules also Security Standards’’ (Information A. Red Flag Regulations and Guidelines stated that covered entities would need Security Standards).7 A few financial 1. Background to include in their Programs relevant institution commenters asserted that the Red Flags from applicable supervisory primary cause of identity theft is the Section 114 of the FACT Act requires guidance, their own experiences, and lack of care on the part of the consumer. the Agencies to jointly issue guidelines methods that the entity had identified They stated that consumers should be for financial institutions and creditors that reflect changes in identity theft held responsible for protecting their regarding identity theft with respect to risks. own identifying information. their account holders and customers. The Agencies invited comment on all The Agencies have modified the Section 114 also directs the Agencies to aspects of the proposed regulations and proposed rules and guidelines in light of prescribe joint regulations requiring guidelines implementing section 114, the comments received. An overview of each financial institution and creditor to and specifically requested comment on the final rules, guidelines, and establish reasonable policies and whether the elements described in supplement, a discussion of the procedures for implementing the section 114 had been properly allocated comments, and the specific manner in guidelines, to identify possible risks to between the proposed regulations and which the proposed rules and account holders or customers or to the the proposed guidelines. guidelines have been modified, follows. safety and soundness of the institution Consumer groups maintained that the or ‘‘customer.’’4 proposed regulations provided too 3. Overview of final rules and In developing the guidelines, the much discretion to financial institutions guidelines Agencies must identify patterns, and creditors to decide which accounts The Agencies are issuing final rules practices, and specific forms of activity and Red Flags to include in their and guidelines that provide both that indicate the possible existence of Programs and how to respond to those flexibility and more guidance to identity theft. The guidelines must be Red Flags. These commenters stated that financial institutions and creditors. The updated as often as necessary, and the flexible and risk-based approach final rules also require the Program to cannot be inconsistent with the policies taken in the proposed rulemaking address accounts where identity theft is and procedures issued under section would permit ‘‘business as usual.’’ 326 of the USA PATRIOT Act,5 31 most likely to occur. The final rules Some small financial institutions also describe which financial institutions U.S.C. 5318(l), that require verification expressed concern about the flexibility of the identity of persons opening new and creditors are required to have a afforded by the proposal. These Program, the objectives of the Program, accounts. The Agencies also must commenters stated that they preferred to consider including reasonable the elements that the Program must have clearer, more structured guidance contain, and how the Program must be guidelines that would apply when a describing exactly how to develop and transaction occurs in connection with a administered. implement a Program and what they Under the final rules, only those consumer’s credit or deposit account would need to do to achieve that has been inactive for two years. financial institutions and creditors that compliance. offer or maintain ‘‘covered accounts’’ These guidelines would provide that in Most commenters, however, including such circumstances, a financial must develop and implement a written many financial institutions and Program. A covered account is (1) an institution or creditor ‘‘shall follow creditors, asserted that the proposal was reasonable policies and procedures’’ for account primarily for personal, family, overly prescriptive, contained or household purposes, that involves or notifying the consumer, ‘‘in a manner requirements beyond those mandated in reasonably designed to reduce the is designed to permit multiple payments the FACT Act, would be costly and or transactions, or (2) any other account likelihood of identity theft.’’ burdensome to implement, and would for which there is a reasonably 2. Overview of Proposal and Comments complicate the existing efforts of foreseeable risk to customers or the Received financial institutions and creditors to safety and soundness of the financial The Agencies proposed to implement detect and prevent identity theft. Some institution or creditor from identity section 114 through regulations industry commenters asserted that the theft. Each financial institution and requiring each financial institution and rulemaking was unnecessary because creditor must periodically determine creditor to implement a written Program large businesses, such as banks and whether it offers or maintains a to detect, prevent and mitigate identity telecommunications companies, already ‘‘covered account.’’ theft in connection with the opening of are motivated to prevent identity theft The final regulations provide that the an account or any existing account. The and other forms of fraud in order to Program must be designed to detect, Agencies also proposed guidelines that limit their own financial losses. prevent, and mitigate identity theft in identified 31 patterns, practices, and Financial institution commenters connection with the opening of a specific forms of activity that indicate a maintained that they are already doing covered account or any existing covered possible risk of identity theft. The most of what would be required by the account. In addition, the Program must proposed regulations required each proposal as a result of having to comply be tailored to the entity’s size, financial institution and creditor to with the customer identification complexity and nature of its operations. incorporate into its Program relevant program (CIP) regulations implementing section 326 of the USA PATRIOT Act 6 7 12 CFR part 30, app. B (national banks); 12 CFR 3 One of these letters represented the comments and other existing requirements. These part 208, app. D–2 and part 225, app. F (state of five consumer groups. member banks and holding companies); 12 CFR 4 Use of the term ‘‘customer,’’ here, appears to be 6 See, e.g., 31 CFR 103.121 (applicable to banks, part 364, app. B (state non-member banks); 12 CFR a drafting error and likely should read ‘‘creditor.’’ thrifts and credit unions and certain non-federally part 570, app. B (savings associations); 12 CFR part 5 Pub. L. 107–56. regulated banks). 748, App. A (credit unions).
63720 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations The final regulations list the four 4. Section-by-Section Analysis 8 Agencies use the term ‘‘continuing basic elements that must be included in relationship’’ instead, and define this Sectionl.90(a) Purpose and Scope the Program of a financial institution or phrase in a manner consistent with the creditor. The Program must contain Proposed §l.90(a) described the Agencies’’ privacy rules 10 ‘‘reasonable policies and procedures’’ statutory authority for the proposed implementing Title V of the Gramm- to: regulations, namely, section 114 of the Leach-Bliley Act (GLBA), 15 U.S.C. FACT Act. It also defined the scope of 6801.11 These commenters urged that • Identify relevant Red Flags for this section; each of the Agencies the definition of ‘‘account’’ not be covered accounts and incorporate those proposed tailoring this paragraph to expanded to include relationships that Red Flags into the Program; describe those entities to which this are not ‘‘continuing.’’ They stated that it • Detect Red Flags that have been section would apply. The Agencies would be very burdensome to gather incorporated into the Program; received no comments on this section, and maintain information on non- • Respond appropriately to any Red and it is adopted as proposed. customers for one-time transactions. Flags that are detected to prevent and Sectionl.90(b) Definitions Other commenters suggested defining mitigate identity theft; and the term ‘‘account’’ in a manner Proposed §l.90(b) contained consistent with the CIP rules. • Ensure the Program is updated definitions of various terms that applied Many commenters stated that defining periodically, to reflect changes in risks to the proposed rules and guidelines. ‘‘account’’ to cover both consumer and to customers or to the safety and While §l.90(b) of the final rules business accounts was too broad, soundness of the financial institution or continues to describe the definitions exceeded the scope of the FACT Act, creditor from identity theft. applicable to the final rules and and would make the regulation too The regulations also enumerate guidelines, changes have been made to burdensome. These commenters certain steps that financial institutions address the comments, as follows. recommended limiting the scope of the and creditors must take to administer Sectionl.90(b)(1) Account. The regulations and guidelines to cover only Agencies proposed using the term consumer financial services, specifically the Program. These steps include ‘‘account’’ to describe the relationships accounts established for personal, obtaining approval of the initial written covered by section 114 that an account family and household purposes, because Program by the board of directors or a holder or customer may have with a these types of accounts typically are committee of the board, ensuring financial institution or creditor.9 The targets of identity theft. They asserted oversight of the development, proposed definition of ‘‘account’’ was ‘‘a that identity theft has not historically implementation and administration of continuing relationship established to been common in connection with the Program, training staff, and provide a financial product or service business or commercial accounts. overseeing service provider that a financial holding company could Consumer groups maintained that the arrangements. offer by engaging in an activity that is proposed definition of ‘‘account’’ was In order to provide financial financial in nature or incidental to such too narrow. They explained that because institutions and creditors with more a financial activity under section 4(k) of the proposed definition was tied to flexibility in developing a Program, the the Bank Holding Company Act, 12 financial products and services that can Agencies have moved certain detail U.S.C. 1843(k).’’ The definition also be offered under the Bank Holding formerly contained in the proposed gave examples of types of ‘‘accounts.’’ Company Act, it inappropriately regulations to the guidelines located in Some commenters stated that the excluded certain transactions involving Appendix J. This detailed guidance regulations do not need a definition of creditors that are not financial should assist financial institutions and ‘‘account’’ to give effect to their terms. institutions that should be covered by Some commenters maintained that a the regulations. Some of these creditors in the formulation and new definition for ‘‘account’’ would be commenters recommended that the maintenance of a Program that satisfies confusing as this term is already defined definition of ‘‘account’’ include any the requirements of the regulations to inconsistently in several regulations and relationship with a financial institution detect, prevent, and mitigate identity in section 615(e) of the FCRA. These or creditor in which funds could be theft. Each financial institution or commenters recommended that the intercepted or credit could be extended, creditor that is required to implement a as well as any other transaction which Program must consider the guidelines 8 The OCC, Board, FDIC, OTS and NCUA are could obligate an individual or other and include in its Program those placing the regulations and guidelines covered entity, including transactions guidelines that are appropriate. The implementing section 114 in the part of their regulations that implement the FCRA—12 CFR that do not result in a continuing guidelines provide policies and parts 41, 222, 334, 571, and 717, respectively. In relationship. Others suggested that there procedures for use by institutions and addition, the FDIC cross-references the regulations should be no flexibility to exclude any creditors, where appropriate, to satisfy and guidelines in 12 CFR part 364. For ease of account that is held by an individual or reference, the discussion in this preamble uses the the requirements of the final rules, shared numerical suffix of each of these agency’s which generates information about including the four elements listed regulations. The FTC also is placing the final individuals that reflects on their above. While an institution or creditor regulations and guidelines in the part of its financial or credit reputations. may determine that particular regulations implementing the FCRA, specifically 16 The Agencies have modified the CFR part 681. However, the FTC uses different guidelines are not appropriate to numerical suffixes that equate to the numerical definition of ‘‘account’’ to address these incorporate into its Program, the suffixes discussed in the preamble as follows: comments. First, the final rules now Program must nonetheless contain preamble suffix .82 = FTC suffix .1, preamble suffix apply to ‘‘covered accounts,’’ a term that .90 = FTC suffix .2, and preamble suffix .91 = FTC the Agencies have added to the reasonable policies and procedures to suffix .3. In addition, Appendix J referenced in the meet the specific requirements of the preamble is the FTC’s Appendix A. definition section to eliminate final rules. The illustrative examples of 9 The Agencies acknowledged that section 114 10 See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 Red Flags formerly in Appendix J are does not use the term ‘‘account’’ and, in other contexts, the FCRA defines the term ‘‘account’’ CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716 now listed in a supplement to the narrowly to describe certain consumer deposit or (NCUA); and 16 CFR 313 (FTC). guidelines. asset accounts. See 15 U.S.C. 1681a(r)(4). 11 Pub. L. 106–102.
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63721 confusion between these rules and other established, but also to account The Agencies recognize that rules that apply to an ‘‘account.’’ The openings, when a relationship has not consumer accounts are presently the Agencies have retained a definition of yet been established. most common target of identity theft ‘‘account’’ simply to clarify and provide Sectionl.90(b)(2) Board of Directors. and acknowledge that Congress context for the definition of ‘‘covered The proposed regulations discussed the expected the final regulation to address account.’’ role of the board of directors of a risks of identity theft to consumers.13 Section 114 provides broad discretion financial institution or creditor. For For this reason, the final rules require to the Agencies to prescribe regulations financial institutions and creditors each Program to cover accounts and guidelines to address identity theft. covered by the regulations that do not established primarily for personal, The terminology in section 114 is not have boards of directors, the proposed family or household purposes, that confined to ‘‘consumer’’ accounts. regulations defined ‘‘board of directors’’ involve or are designed to permit While identity theft primarily has been to include, in the case of a branch or multiple payments or transactions, i.e., directed at consumers, the Agencies are agency of a foreign bank, the managing consumer accounts. As discussed above aware that small businesses also have official in charge of the branch or in connection with the definition of been targets of identity theft. Over time, agency. For other creditors that do not ‘‘account,’’ the final rules also require identity theft could expand to affect have boards of directors, the proposed the Programs of financial institutions other types of accounts. Thus, the regulations defined ‘‘board of directors’’ and creditors to cover any other type of definition of ‘‘account’’ in §l.90(b)(1) as a designated employee. account that the institution or creditor of the final rules continues to cover any Consumer groups objected to the offers or maintains for which there is a relationship to obtain a product or proposed definition as it applied to reasonably foreseeable risk from identity service that an account holder or creditors that do not have boards of theft. customer may have with a financial directors. These commenters Accordingly, the definition of institution or creditor.12 Through recommended that for these entities, ‘‘covered account’’ is divided into two examples, the definition makes clear ‘‘board of directors’’ should be defined parts. The first part refers to ‘‘an account that the purchase of property or services as a designated employee at the level of that a financial institution or creditor involving a deferred payment is senior management. They asserted that offers or maintains, primarily for considered to be an account. otherwise, institutions that do not have personal, family, or household Although the definition of ‘‘account’’ a board of directors would be given an purposes, that involves or is designed to includes business accounts, the risk- unfair advantage for purposes of the permit multiple payments or based nature of the final rules allows substantive provisions of the rules, transactions.’’ The definition provides each financial institution or creditor because they would be permitted to examples to illustrate that these types of flexibility to determine which business assign any employee to fulfill the role of consumer accounts include, ‘‘a credit accounts will be covered by its Program the ‘‘board of directors.’’ card account, mortgage loan, automobile through a risk evaluation process. The Agencies agree this important loan, margin account, cell phone The Agencies also recognize that a role should be performed by an account, utility account, checking person may establish a relationship with employee at the level of senior account, or savings account.’’14 a creditor, such as an automobile dealer management, rather than any designated The second part of the definition or a telecommunications provider, employee. Accordingly, the definition of refers to ‘‘any other account that the primarily to obtain a product or service ‘‘board of directors’’ has been revised in financial institution or creditor offers or that is not financial in nature. To make § l.90(b)(2) of the final rules so that, in maintains for which there is a clear that an ‘‘account’’ includes the case of a creditor that does not have reasonably foreseeable risk to customers relationships with creditors that are not a board of directors, the term ‘‘board of or to the safety and soundness of the financial institutions, the definition is directors’’ means ‘‘a designated financial institution or creditor from no longer tied to the provision of employee at the level of senior identity theft, including financial, ‘‘financial’’ products and services. management.’’ operational, compliance, reputation, or Accordingly, the Agencies have deleted Section l.90(b)(3) Covered Account. litigation risks.’’ This part of the the reference to the Bank Holding As mentioned previously, the Agencies definition reflects the Agencies’ belief Company Act. have added a new definition of that other types of accounts, such as The definition of ‘‘account’’ still ‘‘covered account’’ in § l.90(b)(3) to small business accounts or sole includes the words ‘‘continuing proprietorship accounts, may be describe the type of ‘‘account’’ covered relationship.’’ The Agencies have vulnerable to identity theft, and, by the final rules. The proposed rules determined that, at this time, the burden therefore, should be considered for would have provided a financial that would be imposed upon financial coverage by the Program of a financial institution or creditor with broad institutions and creditors by a institution or creditor. flexibility to apply its Program to those requirement to detect, prevent and In response to the proposed definition accounts that it determined were mitigate identity theft in connection of ‘‘account,’’ a trade association vulnerable to the risk of identity theft, with single, non-continuing transactions representing credit unions suggested and did not mandate coverage of any by non-customers would outweigh the that the term ‘‘customer’’ in the particular type of account. benefits of such a requirement. The definition be revised to refer to Consumer group commenters urged Agencies recognize, however, that the Agencies to limit the discretion identity theft may occur at the time of 13 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) afforded to financial institutions and account opening. Therefore, as detailed (accompanying S. 1753). creditors by requiring them to cover below, the obligations of the final rule 14 These examples reflect the fact that the rules consumer accounts in their Programs. are applicable to a variety of financial institutions apply not only to existing accounts, While seeking to preserve their and creditors. They are not intended to confer any where a relationship already has been additional powers on covered entities. Nonetheless, discretion, many industry commenters some of the Agencies have chosen to limit the 12 Accordingly, the definition of ‘‘account’’ still requested that the Agencies limit the examples in their rule texts to those products applies to fiduciary, agency, custodial, brokerage final rules to consumer accounts, where covered entities subject to their jurisdiction are and investment advisory activities. identity theft is most likely to occur. legally permitted to offer.
63722 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations ‘‘member’’ to better reflect the that the Agencies chose this broad individual who has a consumer account ownership structure of some financial definition because, in addition to will always be a ‘‘customer.’’ A institutions or to ‘‘consumer’’ to include individuals, various types of entities ‘‘customer’’ may also be a person that all individuals doing business at all (e.g., small businesses) can be victims of has another type of account for which types of financial institutions. The identity theft. Under the proposed a financial institution or creditor definition of ‘‘account’’ in the final rules definition, however, a financial determines there is a reasonably no longer makes reference to the term institution or creditor would have had foreseeable risk to its customers or to its ‘‘customer’’; however, the definition of the discretion to determine which type own safety and soundness from identity ‘‘covered account’’ continues to employ of customer accounts would be covered theft. this term, to be consistent with section under its Program, since the proposed The Agencies note that the 114 of the FACT Act, which uses the regulations were risk-based.17 Information Security Standards and the term ‘‘customer.’’ Of course, in the case As noted above, most industry privacy rules implemented various of credit unions, the final rules and commenters maintained that including sections of Title V of the GLBA, 15 guidelines will apply to the accounts of all persons, not just consumers, within U.S.C. 6801, which specifically apply members that are maintained primarily the definition of ‘‘customer’’ would only to customers who are consumers. for personal, family, or household impose a substantial financial burden By contrast, section 114 does not define purposes, and those that are otherwise on financial institutions and creditors, the term ‘‘customer.’’ Because the subject to a reasonably foreseeable risk and make compliance with the Agencies continue to believe that a of identity theft. regulations more burdensome. These business customer can be a target of Sections l.90(b)(4) and (b)(5) Credit commenters stated that business identity theft, the final rules contain a and Creditor. The proposed rules identity theft is rare, and maintained risk-based process designed to ensure defined these terms by cross-reference that financial institutions and creditors that these types of customers will be to the relevant sections of the FCRA. should be allowed to direct their fraud covered by the Program of a financial There were no comments on the prevention resources to the areas of institution or creditor, when the risk of definition of ‘‘credit’’ and § l.90(b)(4) highest risk. They also noted that identity theft is reasonably foreseeable. of the final rules adopts the definition businesses are more sophisticated than The definition of ‘‘customer’’ in the as proposed. consumers, and are in a better position final rules continues to cover only Some commenters asked the Agencies to protect themselves against fraud than customers that already have accounts. to clarify that the term ‘‘creditor’’ does consumers, both in terms of prevention The Agencies note, however, that the not cover third-party debt collectors and in enforcing their legal rights. substantive provisions of the final rules, who regularly arrange for the extension, Some financial institution described later, require the Program of renewal, or continuation of credit. commenters were concerned that the a financial institution or creditor to Section 114 applies to financial broad definition of ‘‘customer’’ would detect, prevent, and mitigate identity institutions and creditors. Under the create opportunities for commercial theft in connection with the opening of FCRA, the term ‘‘creditor’’ has the same customers to shift responsibility from a covered account as well as any meaning as in section 702 of the Equal themselves to the financial institution existing covered account. The final rules Credit Opportunity Act (ECOA), 15 for not discovering Red Flags and address persons whose identities are U.S.C. 1691a.15 ECOA defines alerting business customers about used by an imposter to open an account ‘‘creditor’’ to include a person who embezzlement or other fraudulent in these substantive provisions, rather arranges for the extension, renewal, or transactions by the commercial than through the definition of continuation of credit, which in some customer’s own employees. These ‘‘customer.’’ cases could include third-party debt commenters suggested narrowing the Section l.90(b)(7) Financial collectors. 15 U.S.C. 1691a(e). definition to cover natural persons and Institution. The Agencies received no Therefore, the Agencies are not to exclude business customers. Some of comments on the proposed definition of excluding third-party debt collectors these commenters suggested that the ‘‘financial institution.’’ It is adopted in from the scope of the final rules, and definition of ‘‘customer’’ should be § l.90(b)(7), as proposed, with a cross- § l.90(b)(5) of the final rules adopts the consistent with the definition of this reference to the relevant definition in definition of ‘‘creditor’’ as proposed. term in the Information Security the FCRA. Section l.90(b)(6) Customer. Section Standards and the Agencies’ privacy Section l.90(b)(8) Identity Theft. The 114 of the FACT Act refers to ‘‘account rules. proposal defined ‘‘identity theft’’ by holders’’ and ‘‘customers’’ of financial Consumer groups commented that the cross-referencing the FTC’s rule that institutions and creditors without proposed definition of ‘‘customer’’ was defines ‘‘identity theft’’ for purposes of defining either of these terms. For ease too narrow. They recommended that the the FCRA.18 of reference, the Agencies proposed to definition be amended, so that the Most industry commenters objected to use the term ‘‘customer’’ to encompass regulations would not only protect the breadth of the proposed definition of both ‘‘customers’’ and ‘‘account persons who are already customers of a ‘‘identity theft.’’ They recommended holders.’’ ‘‘Customer’’ was defined as a financial institution or creditor, but also that the definition include only actual person that has an account with a persons whose identities are used by an fraud committed using identifying financial institution or creditor. The imposter to open an account. information of a consumer, and exclude proposed definition of ‘‘customer’’ Section l.90(b)(6) of the final rule attempted fraud, identity theft applied to any ‘‘person,’’ defined by the defines ‘‘customer’’ to mean a person committed against businesses, and any FCRA as any individual, partnership, that has a ‘‘covered account’’ with a identity fraud involving the creation of corporation, trust, estate, cooperative, financial institution or creditor. Under a fictitious identity using fictitious data association, government or the definition of ‘‘covered account,’’ an combined with real information from governmental subdivision or agency, or 17 Proposed § l.90(d)(1) required this 18 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR other entity.16 The proposal explained 603.2(a)). Section 111 of the FACT Act added determination to be substantiated by a risk evaluation that takes into consideration which several new definitions to the FCRA, including 15 See 15 U.S.C. 1681a(r)(5). customer accounts of the financial institution or ‘‘identity theft,’’ and authorized the FTC to further 16 See 15 U.S.C. 1681a(b). creditor are subject to a risk of identity theft. define this term. See 15 U.S.C. 1681a.
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63723 multiple individuals. By contrast, identity theft as ‘‘Red Flags’’ to better consider aggravating factors that may consumer groups supported a broad position financial institutions and heighten the risk of identity theft in interpretation of ‘‘identity theft,’’ creditors to stop identity theft at its determining an appropriate response to including the incorporation of inception. the Red Flags it detects. ‘‘attempted fraud’’ in the definition. Most industry commenters objected to Section l.90(b)(10) Service Provider. Section l.90(b)(8) of the final rules the broad scope of the definition of The proposed regulations defined adopts the definition of ‘‘identity theft’’ ‘‘Red Flag,’’ particularly the phrase ‘‘service provider’’ as a person that as proposed. The Agencies believe that ‘‘possible risk of identity theft.’’ These provides a service directly to the it is important to ensure that all commenters believed that this definition financial institution or creditor. This provisions of the FACT Act that address would require financial institutions and definition was based upon the identity theft are interpreted in a creditors to identify all risks and definition of ‘‘service provider’’ in the consistent manner. Therefore, the final develop procedures to prevent or Information Security Standards.23 rule continues to define identity theft mitigate them, without regard to the One commenter agreed with this with reference to the FTC’s regulation, significance of the risk. They asserted definition. However, two other which as currently drafted provides that that the statute does not support the use commenters stated that the definition the term ‘‘identity theft’’ means ‘‘a fraud of ‘‘possible risk’’ and suggested was too broad. They suggested committed or attempted using the defining a ‘‘Red Flag’’ as an indicator of narrowing the definition of ‘‘service identifying information of another significant, substantial, or the probable provider’’ to persons or entities that person without authority.’’ 19 The FTC risk of identity theft. These commenters have access to customer information. defines the term ‘‘identifying stated that this would allow a financial Section l.90(b)(10) of the final rules information’’ to mean ‘‘any name or institution or creditor to focus adopts the definition as proposed. The number that may be used, alone or in compliance in areas where it is most Agencies have concluded that defining conjunction with any other information, needed. ‘‘service provider’’ to include only to identify a specific person, including Most industry commenters also stated persons that have access to customer any— that the inclusion of precursors to information would inappropriately (1) Name, social security number, date identity theft in the definition of ‘‘Red narrow the coverage of the final rules. of birth, official State or government Flag’’ would make the regulations even The Agencies have interpreted section issued driver’s license or identification broader and more burdensome. They 114 broadly to require each financial number, alien registration number, stated that financial institutions and institution and creditor to detect, government passport number, employer creditors do not have the ability to prevent, and mitigate identity theft not or taxpayer identification number; detect and respond to precursors, such only in connection with any existing (2) Unique biometric data, such as as phishing, in the same manner as covered account, but also in connection fingerprint, voice print, retina or iris other Red Flags that are more indicative with the opening of an account. A image, or other unique physical of actual ongoing identity theft. financial institution or creditor is representation; By contrast, consumer groups ultimately responsible for complying (3) Unique electronic identification supported the inclusion of the phrase with the final rules and guidelines even number, address, or routing code; or ‘‘possible risk of identity theft’’ and the if it outsources an activity to a third- (4) Telecommunication identifying reference to precursors in the proposed party service provider. Thus, a financial information or access device (as defined definition of ‘‘Red Flag.’’ These institution or creditor that uses a service in 18 U.S.C. 1029(e)). commenters stated that placing provider to open accounts will need to Thus, under the FTC’s regulation, the emphasis on detecting precursors to provide for the detection, prevention, creation of a fictitious identity using any identity theft, instead of waiting for and mitigation of identity theft in single piece of information belonging to proven cases, is the right approach. connection with this activity, even a real person falls within the definition The Agencies have concluded that the when the service provider has access to of ‘‘identity theft’’ because such a fraud phrase ‘‘possible risk’’ in the proposed the information of a person who is not involves ‘‘using the identifying definition of ‘‘Red Flag’’ is confusing yet, and may not become, a ‘‘customer.’’ information of another person without and could unduly burden entities with authority.’’ 20 limited resources. Therefore, the final Section l.90(c) Periodic Identification Section l.90(b)(9) Red Flag. The rules define ‘‘Red Flag’’ in § l.90(b)(9) of Covered Accounts proposed regulations defined ‘‘Red using language derived directly from To simplify compliance with the final Flag’’ as a pattern, practice, or specific section 114, namely, ‘‘a pattern, rules, the Agencies added a new activity that indicates the possible risk practice, or specific activity that provision in § l.90(c) that requires each of identity theft. The preamble to the indicates the possible existence of financial institution and creditor to proposed rules explained that indicators identity theft.’’ 22 periodically determine whether it offers of a ‘‘possible risk’’ of identity theft The Agencies continue to believe, or maintains any covered accounts. As would include precursors to identity however, that financial institutions and a part of this determination, a financial theft such as phishing,21 and security creditors should consider precursors to institution or creditor must conduct a breaches involving the theft of personal identity theft in order to stop identity risk assessment to determine whether it information, which often are a means to theft before it occurs. Therefore, as acquire the information of another described below, the Agencies have 23 The Information Security Standards define person for use in committing identity chosen to address precursors directly, ‘‘service provider’’ to mean any person or entity theft. The preamble explained that the through a substantive provision in that maintains, processes, or otherwise is permitted Agencies included such precursors to access to customer information or consumer section IV of the guidelines titled information through the provision of services ‘‘Prevention and Mitigation,’’ rather directly to the financial institution. 12 CFR part 30, 19 See 16 CFR 603.2(a). than through the definition of ‘‘Red app. B (national banks); 12 CFR part 208, app. D– 20 See 16 CFR 603.2(b). Flag.’’ This provision states that a 2 and part 225, app. F (state member banks and 21 Electronic messages to customers of financial holding companies); 12 CFR part 364, app. B (state institutions and creditors directing them to provide financial institution or creditor should non-member banks); 12 CFR part 570, app. B personal information in response to a fraudulent (savings associations); 12 CFR part 748, App. A e-mail. 22 15 U.S.C. 1681m(c)(2)(A). (credit unions).
63724 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations offers or maintains covered accounts § l.90(d), which described the conducting safe, sound, and compliant described in § l.90(b)(3)(ii) (accounts development and implementation of a operations. Some of these commenters other than consumer accounts), taking Program. It also stated that the Program urged the Agencies to revise the final into consideration: must address financial, operational, rules and guidelines and adopt an • The methods it provides to open its compliance, reputation, and litigation approach similar to the Information accounts; risks and be appropriate to the size and Security Standards which they • The methods it provides to access complexity of the financial institution characterized as providing institutions its accounts; and or creditor and the nature and scope of with an outline of issues to consider • Its previous experiences with its activities. without requiring specific approaches. identity theft. Some commenters believed that the Although a few commenters believed Thus, a financial institution or proposed regulations exceeded the that the proposed requirement to update creditor should consider whether, for scope of section 114 by covering deposit the Program was burdensome and example, a reasonably foreseeable risk accounts and by requiring a response to should be eliminated, most commenters of identity theft may exist in connection the risk of identity theft, not just the agreed that the Program should be with business accounts it offers or identification of the risk of identity designed to address changing risks over maintains that may be opened or theft. One commenter expressed time. A number of these commenters, accessed remotely, through methods concern about the application of the however, objected to the requirement that do not require face-to-face contact, Program to existing accounts. that the Program must be designed to such as through the internet or The SBA commented that requiring address changing identity theft risks ‘‘as telephone. In addition, those all small businesses covered by the they arise,’’ as too burdensome a institutions and creditors that offer or regulations to create a written Program standard. Instead, they recommended maintain business accounts that have would be overly burdensome. Several that the final regulations require a been the target of identity theft should financial institution commenters financial institution or creditor to factor those experiences with identity objected to what they perceived as a reassess periodically whether to adjust theft into their determination. proposed requirement that financial the types of accounts covered or Red This provision is modeled on various institutions and creditors have a written Flags to be detected based upon any process-oriented and risk-based Program solely to address identity theft. changes in the types and methods of regulations issued by the Agencies, such They recommended that the final identity theft that an institution or as the Information Security Standards. regulations allow a covered entity to creditor has experienced. Compliance with this type of regulation simply maintain or expand its existing Section l.90(d) of the final rules is based upon a regulated entity’s own fraud prevention and information requires each financial institution or preliminary risk assessment. The risk security programs as long as they creditor that offers or maintains one or assessment required here directs a included the detection, prevention, and more covered accounts to develop and financial institution or creditor to mitigation of identity theft. Some of implement a written Program that is determine, as a threshold matter, these commenters stated that requiring designed to detect, prevent, and mitigate whether it will need to have a a written program would merely focus identity theft in connection with the Program.24 If a financial institution or examiner attention on documentation opening of a covered account or any creditor determines that it does need a and cause financial institutions to existing covered account. To signal that Program, then this risk assessment will produce needless paperwork. the final rules are flexible, and allow enable the financial institution or While commenters generally agreed smaller financial institutions and creditor to identify those accounts the that the Program should be appropriate creditors to tailor their Programs to their Program must address. This provision to the size and complexity of the operations, the final rules state that the also requires a financial institution or financial institution or creditor, and the Program must be appropriate to the size creditor that initially determines that it nature and scope of its activities, many and complexity of the financial does not need to have a Program to industry commenters objected to the institution or creditor and the nature reassess periodically whether it must prescriptive nature of this section. They and scope of its activities. develop and implement a Program in urged the Agencies to provide greater The guidelines are appended to the light of changes in the accounts that it flexibility to financial institutions and final rules to assist financial institutions offers or maintains and the various other creditors by allowing them to and creditors in the formulation and factors set forth in the provision. implement their own procedures as maintenance of a Program that satisfies opposed to those provided in the the requirements of the regulation. Section l.90(d)(1) Identity Theft proposed regulations. Several other Section I of the guidelines, titled ‘‘The Prevention Program Requirement commenters suggested permitting Program,’’ makes clear that a covered Proposed § l.90(c) described the financial institutions and creditors to entity may incorporate into its Program, primary objectives of a Program. It take into account the cost and as appropriate, its existing processes stated that each financial institution or effectiveness of policies and procedures that control reasonably foreseeable risks creditor must implement a written and the institution’s history of fraud to customers or to the safety and Program that includes reasonable when designing its Program. soundness of the financial institution or policies and procedures to address the Several financial institution creditor from identity theft, such as risk of identity theft to its customers and commenters maintained that the those already developed in connection to the safety and soundness of the Program required by the proposed rules with the entity’s fraud prevention financial institution or creditor, in the was not sufficiently flexible. They program. This will avoid duplication manner described in proposed maintained that a true risk-based and allow covered entities to benefit approach would permit institutions to from existing policies and procedures. 24 The Agencies anticipate that some financial prioritize the importance of various The Agencies do not agree with those institutions and creditors, such as various creditors controls, address the most important commenters who asserted that the scope regualted by the FTC that solely engage in business- to-business transactions, will be able to determine risks first, and accept the good faith of the proposed regulations (and hence that they do not need to develop and implement a judgments of institutions in the final rules that adopt the identical Program. differentiating among their options for approach with respect to these issues)
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations 63725 exceed the Agencies’’ statutory The Agencies’ interpretation of The Agencies recognize that requiring mandate. First, section 114 clearly section 114 is also supported by the a written Program will impose some permits the Agencies to issue legislative history that indicates burden. However, the Agencies believe regulations and guidelines that address Congress expected the Agencies to issue the benefit of being able to assess a more than the mere identification of the regulations and guidelines for the covered entity’s compliance with the risk of identity theft. Section 114 purposes of ‘‘identifying and preventing final rules by evaluating the adequacy contains a broad mandate directing the identity theft.’’ 25 and implementation of its written Agencies to issue guidelines ‘‘regarding Finally, the Agencies’ interpretation Program outweighs the burdens identity theft’’ and to prescribe of section 114 is broad, based on a imposed by this requirement. regulations requiring covered entities to public policy perspective that Moreover, although the final rules establish reasonable policies and regulations and guidelines addressing continue to require a written Program, procedures for implementing the the identification of the risk of identity as detailed below, the Agencies have guidelines. Second, two provisions in theft, without addressing the prevention substantially revised the proposal to section 114 indicate that Congress and mitigation of identity theft, would focus the final rules and guidelines on expected the Agencies to issue final not be particularly meaningful or reasonably foreseeable risks, make the regulations and guidelines requiring effective. final rules less prescriptive, and provide financial institutions and creditors to The Agencies also have concluded financial institutions and creditors with detect, prevent, and mitigate identity that the scope of section 114 does not more discretion to develop policies and theft. only apply to credit transactions, but procedures to detect, prevent, and The first relevant provision is codified mitigate identity theft. also applies, for example, to deposit in section 615(e)(1)(C) of the FCRA, Proposed § l.90(c) also provided that accounts. Section 114 refers to the risk where Congress addressed a particular the Program must address changing of identity theft, generally, and not identity theft risks as they arise based scenario involving card issuers. In that strictly in connection with credit. upon the experience of the financial provision, Congress directed the Because identity theft can and does institution or creditor with identity theft Agencies to prescribe regulations occur in connection with various types and changes in: Methods of identity requiring a card issuer to take specific of accounts, including deposit accounts, theft; methods to detect, prevent, and steps to assess the validity of a change the final rules address identity theft in mitigate identity theft; the types of of address request when it receives such a comprehensive manner. accounts the financial institution or a request and, within a short period of time, also receives a request for an Furthermore, nothing in section 114 creditor offers; and its business additional or replacement card. The indicates that the regulations must only arrangements, such as mergers and regulations must prohibit a card issuer apply to identity theft in connection acquisitions, alliances and joint from issuing an additional or with account openings. The FTC has ventures, and service provider replacement card under such defined ‘‘identity theft’’ as ‘‘a fraud arrangements. circumstances, unless it notifies the committed or attempted using the The Agencies continue to believe that, cardholder or ‘‘uses other means of identifying information of another to ensure a Program’s continuing assessing the validity of the change of person without authority.’’ 26 Such effectiveness, it must be updated, at address in accordance with reasonable fraud may occur in connection with least periodically. However, in order to policies and procedures established by account openings and with existing simplify the final rules, the Agencies the card issuer in accordance with the accounts. Section 615(e)(3) states that moved this requirement into the next regulations prescribed [by the Agencies] the guidelines that the Agencies section, where it is one of the required * * *.’’ This provision makes clear prescribe ‘‘shall not be inconsistent’’ elements of the Program, as discussed that Congress contemplated that the with the policies and procedures below. Agencies’ regulations would require a required under 31 U.S.C. 5318(l), a reference to the CIP rules which require Development and Implementation of financial institution or creditor to have certain financial institutions to verify Identity Theft Prevention Program policies and procedures not only to identify Red Flags, but also, to prevent the identity of customers opening new The remaining provisions of the and mitigate identity theft. accounts. However, the Agencies do not proposed rules were set forth under the The second relevant provision is read this phrase to prevent them from above-referenced section heading. Many codified in section 615(e)(2)(B) of the prescribing rules directed at existing commenters asserted that the Agencies FCRA, and directs the Agencies to accounts. To interpret the provision in should simply articulate certain consider addressing in the identity theft this manner would solely authorize the objectives and provide financial guidelines transactions that occur with Agencies to prescribe regulations and institutions and creditors the flexibility respect to credit or deposit accounts that guidelines identical to and duplicative and discretion to design policies and have been inactive for more than two of those already issued—making the procedures to fulfill the objectives of the years. The Agencies must consider Agencies’ regulatory authority in this Program without the level of detail whether a creditor or financial area superfluous and meaningless.27 required under this section. institution detecting such activity As described earlier, to ensure that should ‘‘follow reasonable policies that 25 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) financial institutions and creditors are provide for notice to be given to the (accompanying S. 1753). able to design Programs that effectively consumer in a manner reasonably 26 16 CFR 603.2(a). address identity theft in a manner 27 The Agencies’ conclusion is also supported by designed to reduce the likelihood of tailored to their own operations, the case law interpreting similar terminology, albeit in identity theft with respect to such a different context, finding that ‘‘inconsistent’’ Agencies have made significant changes account.’’ This provision signals that the means it is impossible to comply with two laws in the proposal by deleting whole Agencies are authorized to prescribe simultaneously, or one law frustrates the purposes provisions or moving them into the regulations and guidelines that and objectives of another. See, e.g., Davenport v. guidelines in Appendix J. More Farmers Ins. Group, 378 F.3d 839 (8th Cir. 2004); comprehensively address identity Retail Credit Co. v. Dade County, Florida, 393 F. specifically, the Agencies abbreviated theft—in a manner that goes beyond the Supp. 577 (S.D. Fla. 1975); Alexiou v. Brad Benson the proposed requirements formerly mere identification of possible risks. Mitsubishi, 127 F. Supp.2d 557 (D.N.J. 2000). located in the provisions titled
Pages you may also like
You can also read
Next part ... Cancel