Part IV Department of the Treasury

November 9, 2007

Part IV

Department of the Treasury
Office of the Comptroller of the
12 CFR Part 41

Federal Reserve System
12 CFR Part 222

Federal Deposit Insurance
12 CFR Parts 334 and 364

Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571

National Credit Union
12 CFR Part 717

Federal Trade Commission
16 CFR Part 681

Identity Theft Red Flags and Address
Discrepancies Under the Fair and
Accurate Credit Transactions Act of 2003;
Final Rule
63718         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

DEPARTMENT OF THE TREASURY                   and mitigate identity theft in connection   Office of Thrift Supervision, 1700 G
                                             with the opening of certain accounts or     Street, NW., Washington, DC 20552.
Office of the Comptroller of the             certain existing accounts. In addition,       NCUA: Regina M. Metz, Staff
Currency                                     the Agencies are issuing guidelines to      Attorney, Office of General Counsel,
                                             assist financial institutions and           (703) 518–6540, National Credit Union
12 CFR Part 41                               creditors in the formulation and            Administration, 1775 Duke Street,
[Docket ID OCC–2007–0017]
                                             maintenance of a Program that satisfies     Alexandria, VA 22314–3428.
                                             the requirements of the rules. The rules      FTC: Naomi B. Lefkovitz, Attorney, or
RIN 1557–AC87                                implementing section 114 also require       Pavneet Singh, Attorney, Division of
                                             credit and debit card issuers to assess     Privacy and Identity Protection, Bureau
FEDERAL RESERVE SYSTEM                       the validity of notifications of changes    of Consumer Protection, (202) 326–
                                             of address under certain circumstances.     2252, Federal Trade Commission, 600
12 CFR Part 222                              Additionally, the Agencies are issuing      Pennsylvania Avenue, NW., Washington
[Docket No. R–1255]                          joint rules under section 315 that          DC 20580.
                                             provide guidance regarding reasonable       SUPPLEMENTARY INFORMATION:
FEDERAL DEPOSIT INSURANCE                    policies and procedures that a user of
CORPORATION                                  consumer reports must employ when a         I. Introduction
                                             consumer reporting agency sends the            The President signed the FACT Act
12 CFR Parts 334 and 364                     user a notice of address discrepancy.       into law on December 4, 2003.1 The
                                             DATES: The joint final rules and            FACT Act added several new provisions
RIN 3064–AD00
                                             guidelines are effective January 1, 2008.   to the Fair Credit Reporting Act of 1970
DEPARTMENT OF THE TREASURY                   The mandatory compliance date for this      (FCRA), 15 U.S.C. 1681 et seq. Section
                                             rule is November 1, 2008.                   114 of the FACT Act, 15 U.S.C.
Office of Thrift Supervision                                                             1681m(e), amends section 615 of the
                                             FOR FURTHER INFORMATION CONTACT:
                                                                                         FCRA, and directs the Agencies to issue
                                               OCC: Amy Friend, Assistant Chief          joint regulations and guidelines
12 CFR Part 571                              Counsel, (202) 874–5200; Deborah Katz,      regarding the detection, prevention, and
[Docket No. OTS–2007–0019]                   Senior Counsel, or Andra Shuster,           mitigation of identity theft, including
                                             Special Counsel, Legislative and            special regulations requiring debit and
RIN 1550–AC04                                Regulatory Activities Division, (202)       credit card issuers to validate
                                             874–5090; Paul Utterback, Compliance        notifications of changes of address
                                             Specialist, Compliance Department,          under certain circumstances.2 Section
                                             (202) 874–5461; or Aida Plaza Carter,       315 of the FACT Act, 15 U.S.C.
                                             Director, Bank Information Technology,      1681c(h), adds a new section 605(h)(2)
12 CFR Part 717
                                             (202) 874–4740, Office of the               to the FCRA requiring the Agencies to
                                             Comptroller of the Currency, 250 E          issue joint regulations that provide
                                             Street, SW., Washington, DC 20219.          guidance regarding reasonable policies
16 CFR Part 681                                Board: David A. Stein or Ky Tran-         and procedures that a user of a
                                             Trong, Counsels, or Amy Burke,              consumer report should employ when
RIN 3084–AA94                                Attorney, Division of Consumer and          the user receives a notice of address
                                             Community Affairs, (202) 452–3667;          discrepancy.
Identity Theft Red Flags and Address         Kara L. Handzlik, Attorney, Legal              On July 18, 2006, the Agencies
Discrepancies Under the Fair and             Division, (202) 452–3852; or John           published a joint notice of proposed
Accurate Credit Transactions Act of          Gibbons, Supervisory Financial Analyst,     rulemaking (NPRM) in the Federal
2003                                         Division of Banking Supervision and         Register (71 FR 40786) proposing rules
AGENCIES:  Office of the Comptroller of      Regulation, (202) 452–6409, Board of        and guidelines to implement section
the Currency, Treasury (OCC); Board of       Governors of the Federal Reserve            114 and proposing rules to implement
Governors of the Federal Reserve             System, 20th and C Streets, NW.,            section 315 of the FACT Act. The public
System (Board); Federal Deposit              Washington, DC 20551.                       comment period closed on September
Insurance Corporation (FDIC); Office of        FDIC: Jeffrey M. Kopchik, Senior          18, 2006. The Agencies collectively
Thrift Supervision, Treasury (OTS);          Policy Analyst, (202) 898–3872, or          received a total of 129 comments in
National Credit Union Administration         David P. Lafleur, Policy Analyst, (202)     response to the NPRM, although many
(NCUA); and Federal Trade Commission         898–6569, Division of Supervision and       commenters sent copies of the same
(FTC or Commission).                         Consumer Protection; Richard M.             letter to each of the Agencies. The
ACTION: Joint final rules and guidelines.
                                             Schwartz, Counsel, (202) 898–7424, or       comments included 63 from financial
                                             Richard B. Foley, Counsel, (202) 898–       institutions, 12 from financial
SUMMARY:   The OCC, Board, FDIC, OTS,        3784, Legal Division, Federal Deposit       institution holding companies, 23 from
NCUA and FTC (the Agencies) are              Insurance Corporation, 550 17th Street,     financial institution trade associations,
jointly issuing final rules and guidelines   NW., Washington, DC 20429.                  12 from individuals, nine from other
implementing section 114 of the Fair           OTS: Ekita Mitchell, Consumer             trade associations, five from other
and Accurate Credit Transactions Act of      Regulations Analyst, Compliance and         business entities, three from consumer
2003 (FACT Act) and final rules              Consumer Protection, (202) 906–6451;
implementing section 315 of the FACT         Kathleen M. McNulty, Technology               1 Pub.  L. 108–159.
Act. The rules implementing section          Program Manager, Information                  2 Section   111 of the FACT Act defines ‘‘identity
114 require each financial institution or    Technology Risk Management, (202)           theft’’ as ‘‘a fraud committed using the identifying
                                                                                         information of another person, subject to such
creditor to develop and implement a          906–6322; or Richard Bennett, Senior        further definition as the [Federal Trade]
written Identity Theft Prevention            Compliance Counsel, Regulations and         Commission may prescribe, by regulation.’’ 15
Program (Program) to detect, prevent,        Legislation Division, (202) 906–7409,       U.S.C. 1681a(q)(3).
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                                 63719

groups,3 one from a member of                           indicators of a possible risk of identity             commenters suggested that the
Congress, and one from the United                       theft (Red Flags), including indicators               regulations and guidelines take the form
States Small Business Administration                    from among those listed in the                        of broad objectives modeled on the
(SBA).                                                  guidelines. To promote flexibility and                objectives set forth in the ‘‘Interagency
                                                        responsiveness to the changing nature of              Guidelines Establishing Information
II. Section 114 of the FACT Act
                                                        identity theft, the proposed rules also               Security Standards’’ (Information
A. Red Flag Regulations and Guidelines                  stated that covered entities would need               Security Standards).7 A few financial
1. Background                                           to include in their Programs relevant                 institution commenters asserted that the
                                                        Red Flags from applicable supervisory                 primary cause of identity theft is the
   Section 114 of the FACT Act requires                 guidance, their own experiences, and                  lack of care on the part of the consumer.
the Agencies to jointly issue guidelines                methods that the entity had identified                They stated that consumers should be
for financial institutions and creditors                that reflect changes in identity theft                held responsible for protecting their
regarding identity theft with respect to                risks.                                                own identifying information.
their account holders and customers.                       The Agencies invited comment on all                  The Agencies have modified the
Section 114 also directs the Agencies to                aspects of the proposed regulations and               proposed rules and guidelines in light of
prescribe joint regulations requiring                   guidelines implementing section 114,                  the comments received. An overview of
each financial institution and creditor to              and specifically requested comment on                 the final rules, guidelines, and
establish reasonable policies and                       whether the elements described in                     supplement, a discussion of the
procedures for implementing the                         section 114 had been properly allocated               comments, and the specific manner in
guidelines, to identify possible risks to               between the proposed regulations and                  which the proposed rules and
account holders or customers or to the                  the proposed guidelines.                              guidelines have been modified, follows.
safety and soundness of the institution                    Consumer groups maintained that the
or ‘‘customer.’’4                                       proposed regulations provided too                     3. Overview of final rules and
   In developing the guidelines, the                    much discretion to financial institutions             guidelines
Agencies must identify patterns,                        and creditors to decide which accounts                   The Agencies are issuing final rules
practices, and specific forms of activity               and Red Flags to include in their                     and guidelines that provide both
that indicate the possible existence of                 Programs and how to respond to those                  flexibility and more guidance to
identity theft. The guidelines must be                  Red Flags. These commenters stated that               financial institutions and creditors. The
updated as often as necessary, and                      the flexible and risk-based approach                  final rules also require the Program to
cannot be inconsistent with the policies                taken in the proposed rulemaking                      address accounts where identity theft is
and procedures issued under section                     would permit ‘‘business as usual.’’
326 of the USA PATRIOT Act,5 31                                                                               most likely to occur. The final rules
                                                           Some small financial institutions also             describe which financial institutions
U.S.C. 5318(l), that require verification               expressed concern about the flexibility
of the identity of persons opening new                                                                        and creditors are required to have a
                                                        afforded by the proposal. These                       Program, the objectives of the Program,
accounts. The Agencies also must                        commenters stated that they preferred to
consider including reasonable                                                                                 the elements that the Program must
                                                        have clearer, more structured guidance                contain, and how the Program must be
guidelines that would apply when a                      describing exactly how to develop and
transaction occurs in connection with a                                                                       administered.
                                                        implement a Program and what they                        Under the final rules, only those
consumer’s credit or deposit account                    would need to do to achieve
that has been inactive for two years.                                                                         financial institutions and creditors that
                                                        compliance.                                           offer or maintain ‘‘covered accounts’’
These guidelines would provide that in                     Most commenters, however, including
such circumstances, a financial                                                                               must develop and implement a written
                                                        many financial institutions and                       Program. A covered account is (1) an
institution or creditor ‘‘shall follow                  creditors, asserted that the proposal was
reasonable policies and procedures’’ for                                                                      account primarily for personal, family,
                                                        overly prescriptive, contained                        or household purposes, that involves or
notifying the consumer, ‘‘in a manner                   requirements beyond those mandated in
reasonably designed to reduce the                                                                             is designed to permit multiple payments
                                                        the FACT Act, would be costly and                     or transactions, or (2) any other account
likelihood of identity theft.’’                         burdensome to implement, and would                    for which there is a reasonably
2. Overview of Proposal and Comments                    complicate the existing efforts of                    foreseeable risk to customers or the
Received                                                financial institutions and creditors to               safety and soundness of the financial
   The Agencies proposed to implement                   detect and prevent identity theft. Some               institution or creditor from identity
section 114 through regulations                         industry commenters asserted that the                 theft. Each financial institution and
requiring each financial institution and                rulemaking was unnecessary because                    creditor must periodically determine
creditor to implement a written Program                 large businesses, such as banks and                   whether it offers or maintains a
to detect, prevent and mitigate identity                telecommunications companies, already                 ‘‘covered account.’’
theft in connection with the opening of                 are motivated to prevent identity theft
                                                                                                                 The final regulations provide that the
an account or any existing account. The                 and other forms of fraud in order to
                                                                                                              Program must be designed to detect,
Agencies also proposed guidelines that                  limit their own financial losses.
                                                                                                              prevent, and mitigate identity theft in
identified 31 patterns, practices, and                  Financial institution commenters
                                                                                                              connection with the opening of a
specific forms of activity that indicate a              maintained that they are already doing
                                                                                                              covered account or any existing covered
possible risk of identity theft. The                    most of what would be required by the
                                                                                                              account. In addition, the Program must
proposed regulations required each                      proposal as a result of having to comply
                                                                                                              be tailored to the entity’s size,
financial institution and creditor to                   with the customer identification
                                                                                                              complexity and nature of its operations.
incorporate into its Program relevant                   program (CIP) regulations implementing
                                                        section 326 of the USA PATRIOT Act 6                    7 12 CFR part 30, app. B (national banks); 12 CFR
  3 One  of these letters represented the comments      and other existing requirements. These                part 208, app. D–2 and part 225, app. F (state
of five consumer groups.                                                                                      member banks and holding companies); 12 CFR
  4 Use of the term ‘‘customer,’’ here, appears to be     6 See, e.g., 31 CFR 103.121 (applicable to banks,   part 364, app. B (state non-member banks); 12 CFR
a drafting error and likely should read ‘‘creditor.’’   thrifts and credit unions and certain non-federally   part 570, app. B (savings associations); 12 CFR part
  5 Pub. L. 107–56.                                     regulated banks).                                     748, App. A (credit unions).
63720         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

   The final regulations list the four      4. Section-by-Section Analysis 8                       Agencies use the term ‘‘continuing
basic elements that must be included in                                                            relationship’’ instead, and define this
                                            Sectionl.90(a) Purpose and Scope
the Program of a financial institution or                                                          phrase in a manner consistent with the
creditor. The Program must contain            Proposed §l.90(a) described the                      Agencies’’ privacy rules 10
‘‘reasonable policies and procedures’’      statutory authority for the proposed                   implementing Title V of the Gramm-
to:                                         regulations, namely, section 114 of the                Leach-Bliley Act (GLBA), 15 U.S.C.
                                            FACT Act. It also defined the scope of                 6801.11 These commenters urged that
   • Identify relevant Red Flags for        this section; each of the Agencies                     the definition of ‘‘account’’ not be
covered accounts and incorporate those      proposed tailoring this paragraph to                   expanded to include relationships that
Red Flags into the Program;                 describe those entities to which this                  are not ‘‘continuing.’’ They stated that it
   • Detect Red Flags that have been        section would apply. The Agencies                      would be very burdensome to gather
incorporated into the Program;              received no comments on this section,                  and maintain information on non-
   • Respond appropriately to any Red       and it is adopted as proposed.                         customers for one-time transactions.
Flags that are detected to prevent and      Sectionl.90(b) Definitions                             Other commenters suggested defining
mitigate identity theft; and                                                                       the term ‘‘account’’ in a manner
                                               Proposed §l.90(b) contained                         consistent with the CIP rules.
   • Ensure the Program is updated          definitions of various terms that applied                 Many commenters stated that defining
periodically, to reflect changes in risks   to the proposed rules and guidelines.                  ‘‘account’’ to cover both consumer and
to customers or to the safety and           While §l.90(b) of the final rules                      business accounts was too broad,
soundness of the financial institution or   continues to describe the definitions                  exceeded the scope of the FACT Act,
creditor from identity theft.               applicable to the final rules and                      and would make the regulation too
   The regulations also enumerate           guidelines, changes have been made to                  burdensome. These commenters
certain steps that financial institutions   address the comments, as follows.                      recommended limiting the scope of the
and creditors must take to administer          Sectionl.90(b)(1) Account. The                      regulations and guidelines to cover only
                                            Agencies proposed using the term                       consumer financial services, specifically
the Program. These steps include
                                            ‘‘account’’ to describe the relationships              accounts established for personal,
obtaining approval of the initial written
                                            covered by section 114 that an account                 family and household purposes, because
Program by the board of directors or a      holder or customer may have with a                     these types of accounts typically are
committee of the board, ensuring            financial institution or creditor.9 The                targets of identity theft. They asserted
oversight of the development,               proposed definition of ‘‘account’’ was ‘‘a             that identity theft has not historically
implementation and administration of        continuing relationship established to                 been common in connection with
the Program, training staff, and            provide a financial product or service                 business or commercial accounts.
overseeing service provider                 that a financial holding company could                    Consumer groups maintained that the
arrangements.                               offer by engaging in an activity that is               proposed definition of ‘‘account’’ was
   In order to provide financial            financial in nature or incidental to such              too narrow. They explained that because
institutions and creditors with more        a financial activity under section 4(k) of             the proposed definition was tied to
flexibility in developing a Program, the    the Bank Holding Company Act, 12                       financial products and services that can
Agencies have moved certain detail          U.S.C. 1843(k).’’ The definition also                  be offered under the Bank Holding
formerly contained in the proposed          gave examples of types of ‘‘accounts.’’                Company Act, it inappropriately
regulations to the guidelines located in       Some commenters stated that the                     excluded certain transactions involving
Appendix J. This detailed guidance          regulations do not need a definition of                creditors that are not financial
should assist financial institutions and    ‘‘account’’ to give effect to their terms.             institutions that should be covered by
                                            Some commenters maintained that a                      the regulations. Some of these
creditors in the formulation and
                                            new definition for ‘‘account’’ would be                commenters recommended that the
maintenance of a Program that satisfies
                                            confusing as this term is already defined              definition of ‘‘account’’ include any
the requirements of the regulations to
                                            inconsistently in several regulations and              relationship with a financial institution
detect, prevent, and mitigate identity      in section 615(e) of the FCRA. These                   or creditor in which funds could be
theft. Each financial institution or        commenters recommended that the                        intercepted or credit could be extended,
creditor that is required to implement a                                                           as well as any other transaction which
Program must consider the guidelines          8 The OCC, Board, FDIC, OTS and NCUA are
                                                                                                   could obligate an individual or other
and include in its Program those            placing the regulations and guidelines                 covered entity, including transactions
guidelines that are appropriate. The        implementing section 114 in the part of their
                                            regulations that implement the FCRA—12 CFR             that do not result in a continuing
guidelines provide policies and             parts 41, 222, 334, 571, and 717, respectively. In     relationship. Others suggested that there
procedures for use by institutions and      addition, the FDIC cross-references the regulations    should be no flexibility to exclude any
creditors, where appropriate, to satisfy    and guidelines in 12 CFR part 364. For ease of         account that is held by an individual or
                                            reference, the discussion in this preamble uses the
the requirements of the final rules,        shared numerical suffix of each of these agency’s      which generates information about
including the four elements listed          regulations. The FTC also is placing the final         individuals that reflects on their
above. While an institution or creditor     regulations and guidelines in the part of its          financial or credit reputations.
may determine that particular               regulations implementing the FCRA, specifically 16        The Agencies have modified the
                                            CFR part 681. However, the FTC uses different
guidelines are not appropriate to           numerical suffixes that equate to the numerical        definition of ‘‘account’’ to address these
incorporate into its Program, the           suffixes discussed in the preamble as follows:         comments. First, the final rules now
Program must nonetheless contain            preamble suffix .82 = FTC suffix .1, preamble suffix   apply to ‘‘covered accounts,’’ a term that
                                            .90 = FTC suffix .2, and preamble suffix .91 = FTC     the Agencies have added to the
reasonable policies and procedures to       suffix .3. In addition, Appendix J referenced in the
meet the specific requirements of the       preamble is the FTC’s Appendix A.                      definition section to eliminate
final rules. The illustrative examples of     9 The Agencies acknowledged that section 114
                                                                                                     10 See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12
Red Flags formerly in Appendix J are        does not use the term ‘‘account’’ and, in other
                                            contexts, the FCRA defines the term ‘‘account’’        CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716
now listed in a supplement to the           narrowly to describe certain consumer deposit or       (NCUA); and 16 CFR 313 (FTC).
guidelines.                                 asset accounts. See 15 U.S.C. 1681a(r)(4).               11 Pub. L. 106–102.
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                        63721

confusion between these rules and other                 established, but also to account                 The Agencies recognize that
rules that apply to an ‘‘account.’’ The                 openings, when a relationship has not         consumer accounts are presently the
Agencies have retained a definition of                  yet been established.                         most common target of identity theft
‘‘account’’ simply to clarify and provide                  Sectionl.90(b)(2) Board of Directors.      and acknowledge that Congress
context for the definition of ‘‘covered                 The proposed regulations discussed the        expected the final regulation to address
account.’’                                              role of the board of directors of a           risks of identity theft to consumers.13
   Section 114 provides broad discretion                financial institution or creditor. For        For this reason, the final rules require
to the Agencies to prescribe regulations                financial institutions and creditors          each Program to cover accounts
and guidelines to address identity theft.               covered by the regulations that do not        established primarily for personal,
The terminology in section 114 is not                   have boards of directors, the proposed        family or household purposes, that
confined to ‘‘consumer’’ accounts.                      regulations defined ‘‘board of directors’’    involve or are designed to permit
While identity theft primarily has been                 to include, in the case of a branch or        multiple payments or transactions, i.e.,
directed at consumers, the Agencies are                 agency of a foreign bank, the managing        consumer accounts. As discussed above
aware that small businesses also have                   official in charge of the branch or           in connection with the definition of
been targets of identity theft. Over time,              agency. For other creditors that do not       ‘‘account,’’ the final rules also require
identity theft could expand to affect                   have boards of directors, the proposed        the Programs of financial institutions
other types of accounts. Thus, the                      regulations defined ‘‘board of directors’’    and creditors to cover any other type of
definition of ‘‘account’’ in §l.90(b)(1)                as a designated employee.                     account that the institution or creditor
of the final rules continues to cover any                  Consumer groups objected to the            offers or maintains for which there is a
relationship to obtain a product or                     proposed definition as it applied to          reasonably foreseeable risk from identity
service that an account holder or                       creditors that do not have boards of          theft.
customer may have with a financial                      directors. These commenters                      Accordingly, the definition of
institution or creditor.12 Through                      recommended that for these entities,          ‘‘covered account’’ is divided into two
examples, the definition makes clear                    ‘‘board of directors’’ should be defined      parts. The first part refers to ‘‘an account
that the purchase of property or services               as a designated employee at the level of      that a financial institution or creditor
involving a deferred payment is                         senior management. They asserted that         offers or maintains, primarily for
considered to be an account.                            otherwise, institutions that do not have      personal, family, or household
   Although the definition of ‘‘account’’               a board of directors would be given an        purposes, that involves or is designed to
includes business accounts, the risk-                   unfair advantage for purposes of the          permit multiple payments or
based nature of the final rules allows                  substantive provisions of the rules,          transactions.’’ The definition provides
each financial institution or creditor                  because they would be permitted to            examples to illustrate that these types of
flexibility to determine which business                 assign any employee to fulfill the role of    consumer accounts include, ‘‘a credit
accounts will be covered by its Program                 the ‘‘board of directors.’’                   card account, mortgage loan, automobile
through a risk evaluation process.                         The Agencies agree this important          loan, margin account, cell phone
   The Agencies also recognize that a                   role should be performed by an                account, utility account, checking
person may establish a relationship with                employee at the level of senior               account, or savings account.’’14
a creditor, such as an automobile dealer                management, rather than any designated           The second part of the definition
or a telecommunications provider,                       employee. Accordingly, the definition of      refers to ‘‘any other account that the
primarily to obtain a product or service                ‘‘board of directors’’ has been revised in    financial institution or creditor offers or
that is not financial in nature. To make                § l.90(b)(2) of the final rules so that, in   maintains for which there is a
clear that an ‘‘account’’ includes                      the case of a creditor that does not have     reasonably foreseeable risk to customers
relationships with creditors that are not               a board of directors, the term ‘‘board of     or to the safety and soundness of the
financial institutions, the definition is               directors’’ means ‘‘a designated              financial institution or creditor from
no longer tied to the provision of                      employee at the level of senior               identity theft, including financial,
‘‘financial’’ products and services.                    management.’’                                 operational, compliance, reputation, or
Accordingly, the Agencies have deleted                     Section l.90(b)(3) Covered Account.        litigation risks.’’ This part of the
the reference to the Bank Holding                       As mentioned previously, the Agencies         definition reflects the Agencies’ belief
Company Act.                                            have added a new definition of                that other types of accounts, such as
   The definition of ‘‘account’’ still
                                                        ‘‘covered account’’ in § l.90(b)(3) to        small business accounts or sole
includes the words ‘‘continuing                                                                       proprietorship accounts, may be
                                                        describe the type of ‘‘account’’ covered
relationship.’’ The Agencies have                                                                     vulnerable to identity theft, and,
                                                        by the final rules. The proposed rules
determined that, at this time, the burden                                                             therefore, should be considered for
                                                        would have provided a financial
that would be imposed upon financial                                                                  coverage by the Program of a financial
                                                        institution or creditor with broad
institutions and creditors by a                                                                       institution or creditor.
                                                        flexibility to apply its Program to those
requirement to detect, prevent and                                                                       In response to the proposed definition
                                                        accounts that it determined were
mitigate identity theft in connection                                                                 of ‘‘account,’’ a trade association
                                                        vulnerable to the risk of identity theft,
with single, non-continuing transactions                                                              representing credit unions suggested
                                                        and did not mandate coverage of any
by non-customers would outweigh the                                                                   that the term ‘‘customer’’ in the
                                                        particular type of account.
benefits of such a requirement. The                                                                   definition be revised to refer to
                                                           Consumer group commenters urged
Agencies recognize, however, that
                                                        the Agencies to limit the discretion
identity theft may occur at the time of                                                                 13 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003)
                                                        afforded to financial institutions and
account opening. Therefore, as detailed                                                               (accompanying S. 1753).
                                                        creditors by requiring them to cover
below, the obligations of the final rule                                                                14 These examples reflect the fact that the rules
                                                        consumer accounts in their Programs.          are applicable to a variety of financial institutions
apply not only to existing accounts,
                                                        While seeking to preserve their               and creditors. They are not intended to confer any
where a relationship already has been                                                                 additional powers on covered entities. Nonetheless,
                                                        discretion, many industry commenters
                                                                                                      some of the Agencies have chosen to limit the
  12 Accordingly, the definition of ‘‘account’’ still   requested that the Agencies limit the         examples in their rule texts to those products
applies to fiduciary, agency, custodial, brokerage      final rules to consumer accounts, where       covered entities subject to their jurisdiction are
and investment advisory activities.                     identity theft is most likely to occur.       legally permitted to offer.
63722              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

‘‘member’’ to better reflect the               that the Agencies chose this broad                  individual who has a consumer account
ownership structure of some financial          definition because, in addition to                  will always be a ‘‘customer.’’ A
institutions or to ‘‘consumer’’ to include     individuals, various types of entities              ‘‘customer’’ may also be a person that
all individuals doing business at all          (e.g., small businesses) can be victims of          has another type of account for which
types of financial institutions. The           identity theft. Under the proposed                  a financial institution or creditor
definition of ‘‘account’’ in the final rules   definition, however, a financial                    determines there is a reasonably
no longer makes reference to the term          institution or creditor would have had              foreseeable risk to its customers or to its
‘‘customer’’; however, the definition of       the discretion to determine which type              own safety and soundness from identity
‘‘covered account’’ continues to employ        of customer accounts would be covered               theft.
this term, to be consistent with section       under its Program, since the proposed                  The Agencies note that the
114 of the FACT Act, which uses the            regulations were risk-based.17                      Information Security Standards and the
term ‘‘customer.’’ Of course, in the case         As noted above, most industry                    privacy rules implemented various
of credit unions, the final rules and          commenters maintained that including                sections of Title V of the GLBA, 15
guidelines will apply to the accounts of       all persons, not just consumers, within             U.S.C. 6801, which specifically apply
members that are maintained primarily          the definition of ‘‘customer’’ would                only to customers who are consumers.
for personal, family, or household             impose a substantial financial burden               By contrast, section 114 does not define
purposes, and those that are otherwise         on financial institutions and creditors,            the term ‘‘customer.’’ Because the
subject to a reasonably foreseeable risk       and make compliance with the                        Agencies continue to believe that a
of identity theft.                             regulations more burdensome. These                  business customer can be a target of
   Sections l.90(b)(4) and (b)(5) Credit       commenters stated that business                     identity theft, the final rules contain a
and Creditor. The proposed rules               identity theft is rare, and maintained              risk-based process designed to ensure
defined these terms by cross-reference         that financial institutions and creditors           that these types of customers will be
to the relevant sections of the FCRA.          should be allowed to direct their fraud             covered by the Program of a financial
There were no comments on the                  prevention resources to the areas of                institution or creditor, when the risk of
definition of ‘‘credit’’ and § l.90(b)(4)      highest risk. They also noted that                  identity theft is reasonably foreseeable.
of the final rules adopts the definition       businesses are more sophisticated than                 The definition of ‘‘customer’’ in the
as proposed.                                   consumers, and are in a better position             final rules continues to cover only
   Some commenters asked the Agencies          to protect themselves against fraud than            customers that already have accounts.
to clarify that the term ‘‘creditor’’ does     consumers, both in terms of prevention              The Agencies note, however, that the
not cover third-party debt collectors          and in enforcing their legal rights.                substantive provisions of the final rules,
who regularly arrange for the extension,          Some financial institution                       described later, require the Program of
renewal, or continuation of credit.            commenters were concerned that the                  a financial institution or creditor to
   Section 114 applies to financial            broad definition of ‘‘customer’’ would              detect, prevent, and mitigate identity
institutions and creditors. Under the          create opportunities for commercial                 theft in connection with the opening of
FCRA, the term ‘‘creditor’’ has the same       customers to shift responsibility from              a covered account as well as any
meaning as in section 702 of the Equal         themselves to the financial institution             existing covered account. The final rules
Credit Opportunity Act (ECOA), 15              for not discovering Red Flags and                   address persons whose identities are
U.S.C. 1691a.15 ECOA defines                   alerting business customers about                   used by an imposter to open an account
‘‘creditor’’ to include a person who           embezzlement or other fraudulent                    in these substantive provisions, rather
arranges for the extension, renewal, or        transactions by the commercial                      than through the definition of
continuation of credit, which in some          customer’s own employees. These                     ‘‘customer.’’
cases could include third-party debt           commenters suggested narrowing the                     Section l.90(b)(7) Financial
collectors. 15 U.S.C. 1691a(e).                definition to cover natural persons and             Institution. The Agencies received no
Therefore, the Agencies are not                to exclude business customers. Some of              comments on the proposed definition of
excluding third-party debt collectors          these commenters suggested that the                 ‘‘financial institution.’’ It is adopted in
from the scope of the final rules, and         definition of ‘‘customer’’ should be                § l.90(b)(7), as proposed, with a cross-
§ l.90(b)(5) of the final rules adopts the     consistent with the definition of this              reference to the relevant definition in
definition of ‘‘creditor’’ as proposed.        term in the Information Security                    the FCRA.
   Section l.90(b)(6) Customer. Section        Standards and the Agencies’ privacy                    Section l.90(b)(8) Identity Theft. The
114 of the FACT Act refers to ‘‘account        rules.                                              proposal defined ‘‘identity theft’’ by
holders’’ and ‘‘customers’’ of financial          Consumer groups commented that the               cross-referencing the FTC’s rule that
institutions and creditors without             proposed definition of ‘‘customer’’ was             defines ‘‘identity theft’’ for purposes of
defining either of these terms. For ease       too narrow. They recommended that the               the FCRA.18
of reference, the Agencies proposed to         definition be amended, so that the                     Most industry commenters objected to
use the term ‘‘customer’’ to encompass         regulations would not only protect                  the breadth of the proposed definition of
both ‘‘customers’’ and ‘‘account               persons who are already customers of a              ‘‘identity theft.’’ They recommended
holders.’’ ‘‘Customer’’ was defined as a       financial institution or creditor, but also         that the definition include only actual
person that has an account with a              persons whose identities are used by an             fraud committed using identifying
financial institution or creditor. The         imposter to open an account.                        information of a consumer, and exclude
proposed definition of ‘‘customer’’               Section l.90(b)(6) of the final rule             attempted fraud, identity theft
applied to any ‘‘person,’’ defined by the      defines ‘‘customer’’ to mean a person               committed against businesses, and any
FCRA as any individual, partnership,           that has a ‘‘covered account’’ with a               identity fraud involving the creation of
corporation, trust, estate, cooperative,       financial institution or creditor. Under            a fictitious identity using fictitious data
association, government or                     the definition of ‘‘covered account,’’ an           combined with real information from
governmental subdivision or agency, or
                                                 17 Proposed § l.90(d)(1) required this               18 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR
other entity.16 The proposal explained                                                             603.2(a)). Section 111 of the FACT Act added
                                               determination to be substantiated by a risk
                                               evaluation that takes into consideration which      several new definitions to the FCRA, including
 15 See   15 U.S.C. 1681a(r)(5).               customer accounts of the financial institution or   ‘‘identity theft,’’ and authorized the FTC to further
 16 See   15 U.S.C. 1681a(b).                  creditor are subject to a risk of identity theft.   define this term. See 15 U.S.C. 1681a.
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                         63723

multiple individuals. By contrast,                     identity theft as ‘‘Red Flags’’ to better     consider aggravating factors that may
consumer groups supported a broad                      position financial institutions and           heighten the risk of identity theft in
interpretation of ‘‘identity theft,’’                  creditors to stop identity theft at its       determining an appropriate response to
including the incorporation of                         inception.                                    the Red Flags it detects.
‘‘attempted fraud’’ in the definition.                    Most industry commenters objected to          Section l.90(b)(10) Service Provider.
   Section l.90(b)(8) of the final rules               the broad scope of the definition of          The proposed regulations defined
adopts the definition of ‘‘identity theft’’            ‘‘Red Flag,’’ particularly the phrase         ‘‘service provider’’ as a person that
as proposed. The Agencies believe that                 ‘‘possible risk of identity theft.’’ These    provides a service directly to the
it is important to ensure that all                     commenters believed that this definition      financial institution or creditor. This
provisions of the FACT Act that address                would require financial institutions and      definition was based upon the
identity theft are interpreted in a                    creditors to identify all risks and           definition of ‘‘service provider’’ in the
consistent manner. Therefore, the final                develop procedures to prevent or              Information Security Standards.23
rule continues to define identity theft                mitigate them, without regard to the             One commenter agreed with this
with reference to the FTC’s regulation,                significance of the risk. They asserted       definition. However, two other
which as currently drafted provides that               that the statute does not support the use     commenters stated that the definition
the term ‘‘identity theft’’ means ‘‘a fraud            of ‘‘possible risk’’ and suggested            was too broad. They suggested
committed or attempted using the                       defining a ‘‘Red Flag’’ as an indicator of    narrowing the definition of ‘‘service
identifying information of another                     significant, substantial, or the probable     provider’’ to persons or entities that
person without authority.’’ 19 The FTC                 risk of identity theft. These commenters      have access to customer information.
defines the term ‘‘identifying                         stated that this would allow a financial         Section l.90(b)(10) of the final rules
information’’ to mean ‘‘any name or                    institution or creditor to focus              adopts the definition as proposed. The
number that may be used, alone or in                   compliance in areas where it is most          Agencies have concluded that defining
conjunction with any other information,                needed.                                       ‘‘service provider’’ to include only
to identify a specific person, including                  Most industry commenters also stated       persons that have access to customer
any—                                                   that the inclusion of precursors to           information would inappropriately
   (1) Name, social security number, date              identity theft in the definition of ‘‘Red     narrow the coverage of the final rules.
of birth, official State or government                 Flag’’ would make the regulations even        The Agencies have interpreted section
issued driver’s license or identification              broader and more burdensome. They             114 broadly to require each financial
number, alien registration number,                     stated that financial institutions and        institution and creditor to detect,
government passport number, employer                   creditors do not have the ability to          prevent, and mitigate identity theft not
or taxpayer identification number;                     detect and respond to precursors, such        only in connection with any existing
   (2) Unique biometric data, such as                  as phishing, in the same manner as            covered account, but also in connection
fingerprint, voice print, retina or iris               other Red Flags that are more indicative      with the opening of an account. A
image, or other unique physical                        of actual ongoing identity theft.             financial institution or creditor is
representation;                                           By contrast, consumer groups               ultimately responsible for complying
   (3) Unique electronic identification                supported the inclusion of the phrase         with the final rules and guidelines even
number, address, or routing code; or                   ‘‘possible risk of identity theft’’ and the   if it outsources an activity to a third-
   (4) Telecommunication identifying                   reference to precursors in the proposed       party service provider. Thus, a financial
information or access device (as defined               definition of ‘‘Red Flag.’’ These             institution or creditor that uses a service
in 18 U.S.C. 1029(e)).                                 commenters stated that placing                provider to open accounts will need to
   Thus, under the FTC’s regulation, the               emphasis on detecting precursors to           provide for the detection, prevention,
creation of a fictitious identity using any            identity theft, instead of waiting for        and mitigation of identity theft in
single piece of information belonging to               proven cases, is the right approach.          connection with this activity, even
a real person falls within the definition                 The Agencies have concluded that the       when the service provider has access to
of ‘‘identity theft’’ because such a fraud             phrase ‘‘possible risk’’ in the proposed      the information of a person who is not
involves ‘‘using the identifying                       definition of ‘‘Red Flag’’ is confusing       yet, and may not become, a ‘‘customer.’’
information of another person without                  and could unduly burden entities with
authority.’’ 20                                        limited resources. Therefore, the final       Section l.90(c) Periodic Identification
   Section l.90(b)(9) Red Flag. The                    rules define ‘‘Red Flag’’ in § l.90(b)(9)     of Covered Accounts
proposed regulations defined ‘‘Red                     using language derived directly from             To simplify compliance with the final
Flag’’ as a pattern, practice, or specific             section 114, namely, ‘‘a pattern,             rules, the Agencies added a new
activity that indicates the possible risk              practice, or specific activity that           provision in § l.90(c) that requires each
of identity theft. The preamble to the                 indicates the possible existence of           financial institution and creditor to
proposed rules explained that indicators               identity theft.’’ 22                          periodically determine whether it offers
of a ‘‘possible risk’’ of identity theft                  The Agencies continue to believe,          or maintains any covered accounts. As
would include precursors to identity                   however, that financial institutions and      a part of this determination, a financial
theft such as phishing,21 and security                 creditors should consider precursors to       institution or creditor must conduct a
breaches involving the theft of personal               identity theft in order to stop identity      risk assessment to determine whether it
information, which often are a means to                theft before it occurs. Therefore, as
acquire the information of another                     described below, the Agencies have               23 The Information Security Standards define
person for use in committing identity                  chosen to address precursors directly,        ‘‘service provider’’ to mean any person or entity
theft. The preamble explained that the                 through a substantive provision in            that maintains, processes, or otherwise is permitted
Agencies included such precursors to                                                                 access to customer information or consumer
                                                       section IV of the guidelines titled           information through the provision of services
                                                       ‘‘Prevention and Mitigation,’’ rather         directly to the financial institution. 12 CFR part 30,
  19 See 16 CFR 603.2(a).                              than through the definition of ‘‘Red          app. B (national banks); 12 CFR part 208, app. D–
  20 See 16 CFR 603.2(b).
                                                       Flag.’’ This provision states that a          2 and part 225, app. F (state member banks and
  21 Electronic messages to customers of financial                                                   holding companies); 12 CFR part 364, app. B (state
institutions and creditors directing them to provide   financial institution or creditor should      non-member banks); 12 CFR part 570, app. B
personal information in response to a fraudulent                                                     (savings associations); 12 CFR part 748, App. A
e-mail.                                                 22 15   U.S.C. 1681m(c)(2)(A).               (credit unions).
63724             Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

offers or maintains covered accounts                    § l.90(d), which described the               conducting safe, sound, and compliant
described in § l.90(b)(3)(ii) (accounts                 development and implementation of a          operations. Some of these commenters
other than consumer accounts), taking                   Program. It also stated that the Program     urged the Agencies to revise the final
into consideration:                                     must address financial, operational,         rules and guidelines and adopt an
   • The methods it provides to open its                compliance, reputation, and litigation       approach similar to the Information
accounts;                                               risks and be appropriate to the size and     Security Standards which they
   • The methods it provides to access                  complexity of the financial institution      characterized as providing institutions
its accounts; and                                       or creditor and the nature and scope of      with an outline of issues to consider
   • Its previous experiences with                      its activities.                              without requiring specific approaches.
identity theft.                                            Some commenters believed that the            Although a few commenters believed
   Thus, a financial institution or                     proposed regulations exceeded the            that the proposed requirement to update
creditor should consider whether, for                   scope of section 114 by covering deposit     the Program was burdensome and
example, a reasonably foreseeable risk                  accounts and by requiring a response to      should be eliminated, most commenters
of identity theft may exist in connection               the risk of identity theft, not just the     agreed that the Program should be
with business accounts it offers or                     identification of the risk of identity       designed to address changing risks over
maintains that may be opened or                         theft. One commenter expressed               time. A number of these commenters,
accessed remotely, through methods                      concern about the application of the         however, objected to the requirement
that do not require face-to-face contact,               Program to existing accounts.                that the Program must be designed to
such as through the internet or                            The SBA commented that requiring          address changing identity theft risks ‘‘as
telephone. In addition, those                           all small businesses covered by the          they arise,’’ as too burdensome a
institutions and creditors that offer or                regulations to create a written Program      standard. Instead, they recommended
maintain business accounts that have                    would be overly burdensome. Several          that the final regulations require a
been the target of identity theft should                financial institution commenters             financial institution or creditor to
factor those experiences with identity                  objected to what they perceived as a         reassess periodically whether to adjust
theft into their determination.                         proposed requirement that financial          the types of accounts covered or Red
   This provision is modeled on various                 institutions and creditors have a written    Flags to be detected based upon any
process-oriented and risk-based                         Program solely to address identity theft.    changes in the types and methods of
regulations issued by the Agencies, such                They recommended that the final              identity theft that an institution or
as the Information Security Standards.                  regulations allow a covered entity to        creditor has experienced.
Compliance with this type of regulation                 simply maintain or expand its existing          Section l.90(d) of the final rules
is based upon a regulated entity’s own                  fraud prevention and information             requires each financial institution or
preliminary risk assessment. The risk                   security programs as long as they            creditor that offers or maintains one or
assessment required here directs a                      included the detection, prevention, and      more covered accounts to develop and
financial institution or creditor to                    mitigation of identity theft. Some of        implement a written Program that is
determine, as a threshold matter,                       these commenters stated that requiring       designed to detect, prevent, and mitigate
whether it will need to have a                          a written program would merely focus         identity theft in connection with the
Program.24 If a financial institution or                examiner attention on documentation          opening of a covered account or any
creditor determines that it does need a                 and cause financial institutions to          existing covered account. To signal that
Program, then this risk assessment will                 produce needless paperwork.                  the final rules are flexible, and allow
enable the financial institution or                        While commenters generally agreed         smaller financial institutions and
creditor to identify those accounts the                 that the Program should be appropriate       creditors to tailor their Programs to their
Program must address. This provision                    to the size and complexity of the            operations, the final rules state that the
also requires a financial institution or                financial institution or creditor, and the   Program must be appropriate to the size
creditor that initially determines that it              nature and scope of its activities, many     and complexity of the financial
does not need to have a Program to                      industry commenters objected to the          institution or creditor and the nature
reassess periodically whether it must                   prescriptive nature of this section. They    and scope of its activities.
develop and implement a Program in                      urged the Agencies to provide greater           The guidelines are appended to the
light of changes in the accounts that it                flexibility to financial institutions and    final rules to assist financial institutions
offers or maintains and the various other               creditors by allowing them to                and creditors in the formulation and
factors set forth in the provision.                     implement their own procedures as            maintenance of a Program that satisfies
                                                        opposed to those provided in the             the requirements of the regulation.
Section l.90(d)(1) Identity Theft                       proposed regulations. Several other          Section I of the guidelines, titled ‘‘The
Prevention Program Requirement                          commenters suggested permitting              Program,’’ makes clear that a covered
   Proposed § l.90(c) described the                     financial institutions and creditors to      entity may incorporate into its Program,
primary objectives of a Program. It                     take into account the cost and               as appropriate, its existing processes
stated that each financial institution or               effectiveness of policies and procedures     that control reasonably foreseeable risks
creditor must implement a written                       and the institution’s history of fraud       to customers or to the safety and
Program that includes reasonable                        when designing its Program.                  soundness of the financial institution or
policies and procedures to address the                     Several financial institution             creditor from identity theft, such as
risk of identity theft to its customers and             commenters maintained that the               those already developed in connection
to the safety and soundness of the                      Program required by the proposed rules       with the entity’s fraud prevention
financial institution or creditor, in the               was not sufficiently flexible. They          program. This will avoid duplication
manner described in proposed                            maintained that a true risk-based            and allow covered entities to benefit
                                                        approach would permit institutions to        from existing policies and procedures.
  24 The Agencies anticipate that some financial        prioritize the importance of various            The Agencies do not agree with those
institutions and creditors, such as various creditors   controls, address the most important         commenters who asserted that the scope
regualted by the FTC that solely engage in business-
to-business transactions, will be able to determine
                                                        risks first, and accept the good faith       of the proposed regulations (and hence
that they do not need to develop and implement a        judgments of institutions in                 the final rules that adopt the identical
Program.                                                differentiating among their options for      approach with respect to these issues)
Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                    63725

exceed the Agencies’’ statutory                  The Agencies’ interpretation of                        The Agencies recognize that requiring
mandate. First, section 114 clearly           section 114 is also supported by the                   a written Program will impose some
permits the Agencies to issue                 legislative history that indicates                     burden. However, the Agencies believe
regulations and guidelines that address       Congress expected the Agencies to issue                the benefit of being able to assess a
more than the mere identification of the      regulations and guidelines for the                     covered entity’s compliance with the
risk of identity theft. Section 114           purposes of ‘‘identifying and preventing               final rules by evaluating the adequacy
contains a broad mandate directing the        identity theft.’’ 25                                   and implementation of its written
Agencies to issue guidelines ‘‘regarding         Finally, the Agencies’ interpretation               Program outweighs the burdens
identity theft’’ and to prescribe             of section 114 is broad, based on a                    imposed by this requirement.
regulations requiring covered entities to     public policy perspective that                            Moreover, although the final rules
establish reasonable policies and             regulations and guidelines addressing                  continue to require a written Program,
procedures for implementing the               the identification of the risk of identity             as detailed below, the Agencies have
guidelines. Second, two provisions in         theft, without addressing the prevention               substantially revised the proposal to
section 114 indicate that Congress            and mitigation of identity theft, would                focus the final rules and guidelines on
expected the Agencies to issue final          not be particularly meaningful or                      reasonably foreseeable risks, make the
regulations and guidelines requiring          effective.                                             final rules less prescriptive, and provide
financial institutions and creditors to          The Agencies also have concluded                    financial institutions and creditors with
detect, prevent, and mitigate identity        that the scope of section 114 does not                 more discretion to develop policies and
theft.                                        only apply to credit transactions, but                 procedures to detect, prevent, and
   The first relevant provision is codified                                                          mitigate identity theft.
                                              also applies, for example, to deposit
in section 615(e)(1)(C) of the FCRA,                                                                    Proposed § l.90(c) also provided that
                                              accounts. Section 114 refers to the risk
where Congress addressed a particular                                                                the Program must address changing
                                              of identity theft, generally, and not                  identity theft risks as they arise based
scenario involving card issuers. In that
                                              strictly in connection with credit.                    upon the experience of the financial
provision, Congress directed the
                                              Because identity theft can and does                    institution or creditor with identity theft
Agencies to prescribe regulations
                                              occur in connection with various types                 and changes in: Methods of identity
requiring a card issuer to take specific
                                              of accounts, including deposit accounts,               theft; methods to detect, prevent, and
steps to assess the validity of a change
                                              the final rules address identity theft in              mitigate identity theft; the types of
of address request when it receives such
                                              a comprehensive manner.                                accounts the financial institution or
a request and, within a short period of
time, also receives a request for an             Furthermore, nothing in section 114                 creditor offers; and its business
additional or replacement card. The           indicates that the regulations must only               arrangements, such as mergers and
regulations must prohibit a card issuer       apply to identity theft in connection                  acquisitions, alliances and joint
from issuing an additional or                 with account openings. The FTC has                     ventures, and service provider
replacement card under such                   defined ‘‘identity theft’’ as ‘‘a fraud                arrangements.
circumstances, unless it notifies the         committed or attempted using the                          The Agencies continue to believe that,
cardholder or ‘‘uses other means of           identifying information of another                     to ensure a Program’s continuing
assessing the validity of the change of       person without authority.’’ 26 Such                    effectiveness, it must be updated, at
address in accordance with reasonable         fraud may occur in connection with                     least periodically. However, in order to
policies and procedures established by        account openings and with existing                     simplify the final rules, the Agencies
the card issuer in accordance with the        accounts. Section 615(e)(3) states that                moved this requirement into the next
regulations prescribed [by the Agencies]      the guidelines that the Agencies                       section, where it is one of the required
* * *.’’ This provision makes clear           prescribe ‘‘shall not be inconsistent’’                elements of the Program, as discussed
that Congress contemplated that the           with the policies and procedures                       below.
Agencies’ regulations would require a         required under 31 U.S.C. 5318(l), a
                                              reference to the CIP rules which require               Development and Implementation of
financial institution or creditor to have
                                              certain financial institutions to verify               Identity Theft Prevention Program
policies and procedures not only to
identify Red Flags, but also, to prevent      the identity of customers opening new                     The remaining provisions of the
and mitigate identity theft.                  accounts. However, the Agencies do not                 proposed rules were set forth under the
   The second relevant provision is           read this phrase to prevent them from                  above-referenced section heading. Many
codified in section 615(e)(2)(B) of the       prescribing rules directed at existing                 commenters asserted that the Agencies
FCRA, and directs the Agencies to             accounts. To interpret the provision in                should simply articulate certain
consider addressing in the identity theft     this manner would solely authorize the                 objectives and provide financial
guidelines transactions that occur with       Agencies to prescribe regulations and                  institutions and creditors the flexibility
respect to credit or deposit accounts that    guidelines identical to and duplicative                and discretion to design policies and
have been inactive for more than two          of those already issued—making the                     procedures to fulfill the objectives of the
years. The Agencies must consider             Agencies’ regulatory authority in this                 Program without the level of detail
whether a creditor or financial               area superfluous and meaningless.27                    required under this section.
institution detecting such activity                                                                     As described earlier, to ensure that
should ‘‘follow reasonable policies that        25 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003)     financial institutions and creditors are
provide for notice to be given to the         (accompanying S. 1753).                                able to design Programs that effectively
consumer in a manner reasonably                 26 16 CFR 603.2(a).
                                                                                                     address identity theft in a manner
                                                27 The Agencies’ conclusion is also supported by
designed to reduce the likelihood of                                                                 tailored to their own operations, the
                                              case law interpreting similar terminology, albeit in
identity theft with respect to such           a different context, finding that ‘‘inconsistent’’
                                                                                                     Agencies have made significant changes
account.’’ This provision signals that the    means it is impossible to comply with two laws         in the proposal by deleting whole
Agencies are authorized to prescribe          simultaneously, or one law frustrates the purposes     provisions or moving them into the
regulations and guidelines that               and objectives of another. See, e.g., Davenport v.     guidelines in Appendix J. More
                                              Farmers Ins. Group, 378 F.3d 839 (8th Cir. 2004);
comprehensively address identity              Retail Credit Co. v. Dade County, Florida, 393 F.
                                                                                                     specifically, the Agencies abbreviated
theft—in a manner that goes beyond the        Supp. 577 (S.D. Fla. 1975); Alexiou v. Brad Benson     the proposed requirements formerly
mere identification of possible risks.        Mitsubishi, 127 F. Supp.2d 557 (D.N.J. 2000).          located in the provisions titled
You can also read
Next part ... Cancel