Skip to Content

Proposed Rule

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 40786

AGENCIES:

Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); and Federal Trade Commission (FTC or Commission).

ACTION:

Joint notice of proposed rulemaking.

SUMMARY:

The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) request comment on a proposal that would implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). As required by section 114, the Agencies are jointly proposing guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft. The Agencies also are proposing joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, including a provision requiring credit and debit card issuers to assess the validity of a request for a change of address under certain circumstances.

In addition, the Agencies are proposing joint regulations under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when such a user receives a notice of address discrepancy from a consumer reporting agency.

DATES:

Comments must be submitted on or before September 18, 2006.

ADDRESSES:

The Agencies will jointly review all of the comments submitted. Therefore, you may comment to any of the Agencies and you need not send comments (or copies) to all of the Agencies. Because paper mail in the Washington area and at the Agencies is subject to delay, please submit your comments by e-mail whenever possible. Commenters are encouraged to use the title “Red Flags Rule” in addition to the docket or RIN number to facilitate the organization and distribution of comments among the Agencies. Interested parties are invited to submit comments in accordance with the following instructions:

OCC: You should designate OCC in your comment and include Docket Number 06-07. You may submit comments by any of the following methods:

  • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • OCC Web site: http://www.occ.treas.gov. Click on “Contact the OCC,” scroll down and click on “Comments on Proposed Regulations.”
  • E-mail address: regs.comments@occ.treas.gov.
  • Fax: (202) 874-4448.
  • Mail: Office of the Comptroller of the Currency, 250 E Street, SW., Public Reference Room, Mail Stop 1-5, Washington, DC 20219.
  • Hand Delivery/Courier: 250 E Street, SW., Attn: Public Reference Room, Mail Stop 1-5, Washington, DC 20219.

Instructions: All submissions received must include the agency name (OCC) and docket number or Regulatory Information Number (RIN) for this notice of proposed rulemaking. In general, the OCC will enter all comments received into the docket without change, including any business or personal information that you provide.

You may review the comments received by the OCC and other related materials by any of the following methods:

  • Viewing Comments Personally: You may personally inspect and photocopy comments received at the OCC's Public Reference Room, 250 E Street, SW., Washington, DC. You can make an appointment to inspect comments by calling (202) 874-5043.
  • Viewing Comments Electronically: You may request e-mail or CD-ROM copies of comments that the OCC has received by contacting the OCC's Public Reference Room at regs.comments@occ.treas.gov.
  • Docket: You may also request available background documents using the methods described earlier.

Board: You may submit comments, identified by Docket No. R-1255, by any of the following methods:

All public comments are available from the Board's Web site at www.federalreserve.gov/​generalinfo/​foia/​ProposedRegs.cfm as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

FDIC: You may submit comments, identified by RIN number by any of the following methods:

  • Agency Web site: http://www.fdic.gov/​regulations/​laws/​federal/​propose.html. Follow instructions for submitting comments on the Agency Web site.
  • E-mail: Comments@FDIC.gov. Include the RIN number in the subject line of the message. Start Printed Page 40787
  • Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
  • Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m.
  • Instructions: All submissions received must include the agency name and RIN for this rulemaking. All comments received will be posted without change to http://www.fdic.gov/​regulations/​laws/​federal/​propose.html including any personal information provided. Comments may be inspected at the FDIC Public Information Center, Room E-1002, 3502 North Fairfax Drive, Arlington, VA, 22226, between 9 a.m. and 5 p.m. on business days.

OTS: You may submit comments, identified by No. 2006-19, by any of the following methods:

  • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • E-mail: regs.comments@ots.treas.gov. Please include No. 2006-19 in the subject line of the message and include your name and telephone number in the message.
  • Fax: (202) 906-6518.
  • Mail: Regulation Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention: No. 2006-19.
  • Hand Delivery/Courier: Guard's Desk, East Lobby Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: Regulation Comments, Chief Counsel's Office, Attention: No. 2006-19.

Instructions: All submissions received must include the agency name and number or Regulatory Information Number (RIN) for this rulemaking. All comments received will be posted without change to http://www.ots.treas.gov/​pagehtml.cfm?​catNumber=​67&​an=​1, including any personal information provided.

Docket: For access to the docket to read background documents or comments received, go to http://www.ots.treas.gov/​pagehtml.cfm?​catNumber=​67&​an=​1. In addition, you may inspect comments at the Public Reading Room, 1700 G Street, NW, by appointment. To make an appointment for access, call (202) 906-5922, send an e-mail to public.info@ots.treas.gov, or send a facsimile transmission to (202) 906-7755. (Prior notice identifying the materials you will be requesting will assist us in serving you.) We schedule appointments on business days between 10 a.m. and 4 p.m. In most cases, appointments will be available the next business day following the date we receive a request.

NCUA: You may submit comments by any of the following methods (Please send comments by one method only):

  • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • NCUA Web site: http://www.ncua.gov/​RegulationsOpinionsLaws/​proposedregs/​proposedregs.html. Follow the instructions for submitting comments.
  • E-mail: Address to regcomments@ncua.gov. Include “[Your name] Comments on Proposed Rule 717, Identity Theft Red Flags,” in the e-mail subject line.
  • Fax: (703) 518-6319. Use the subject line described above for e-mail.
  • Mail: Address to Mary F. Rupp, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.
  • Hand Delivery/Courier: Same as mail address.

FTC: Comments should refer to “The Red Flags Rule, Project No. R611019,” and may be submitted by any of the following methods. However, if the comment contains any material for which confidential treatment is requested, it must be filed in paper form, and the first page of the document must be clearly labeled “Confidential.” [1]

  • E-mail: Comments filed in electronic form should be submitted by clicking on the following Web link: https://secure.commentworks.com/​ftc-redflags and following the instructions on the Web-based form. To ensure that the Commission considers an electronic comment, you must file it on the Web-based form at https://secure.commentworks.com/​ftc-redflags.
  • Federal eRulemaking Portal: If this notice appears at http://www.regulations.gov, you may also file an electronic comment through that Web site. The Commission will consider all comments that regulations.gov forwards to it.
  • Mail or Hand Delivery: A comment filed in paper form should include “The Red Flags Rule, Project No. R611019,” both in the text and on the envelope and should be mailed or delivered, with two complete copies, to the following address: Federal Trade Commission/Office of the Secretary, Room H-135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in the Washington area and at the Commission is subject to delay, please consider submitting your comments in electronic form, as prescribed above. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible.

Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission. Comments should be submitted via facsimile to (202) 395-6974 because U.S. Postal Mail is subject to lengthy delays due to heightened security precautions.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov/​os/​publiccomments.htm. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/​ftc/​privacy.htm.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

OCC: Amy Friend, Assistant Chief Counsel, (202) 874-5200; Deborah Katz, Senior Counsel, or Andra Shuster, Special Counsel, Legislative and Regulatory Activities Division, (202) 874-5090; Paul Utterback, Compliance Specialist, Compliance Department, (202) 874-5461; or Aida Plaza Carter, Director, Bank Information Technology, (202) 874-4740, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

Board: David A. Stein, Counsel, or Ky Tran-Trong, Senior Attorney, Division of Consumer and Community Affairs, (202) 452-3667; Andrew Miller, Counsel, Legal Division, (202) 452-Start Printed Page 407883428; or John Gibbons, Supervisory Financial Analyst, Division of Banking Supervision and Regulation, (202) 452-6409, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551.

FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898-3872 or David P. Lafleur, Policy Analyst, (202) 898-6569, Division of Supervision and Consumer Protection; Richard M. Schwartz, Counsel, (202) 898-7424, or Richard B. Foley, Counsel, (202) 898-3784, Legal Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

OTS: Glenn Gimble, Senior Project Manager, Operation Risk, (202) 906-7158; Kathleen M. McNulty, Technology Program Manager, Information Technology Risk Management, (202) 906-6322; or Richard Bennett, Counsel, Regulations and Legislation Division, (202) 906-7409, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.

NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518-6540, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

FTC: Naomi B. Lefkovitz, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326-3228, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington DC 20580

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

This notice contains the following sections:

I. Section 114 of the FACT Act

A. Background

The President signed the FACT Act into law on December 4, 2003. Pub. L. 108-159 (2003). The FACT Act added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 et seq., that relate to the detection, prevention, and mitigation of identity theft.[2] Section 114 amends section 615 of the FCRA and requires the Agencies to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l), which requires verification of the identity of persons opening new accounts.

Section 114 also directs the Agencies to consider including reasonable guidelines providing that a financial institution or creditor “shall follow reasonable policies and procedures” for notifying the consumer, “in a manner reasonably designed to reduce the likelihood of identity theft,” when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years.

In addition, the Agencies must jointly prescribe regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or customer.

The joint regulations must include a provision generally requiring credit and debit card issuers to assess the validity of change of address requests. In particular, if the card issuer receives a notice of change of address for an existing account, and within a short period of time (during at least the first 30 days) receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures designed to prevent identity theft. Under these circumstances, the card issuer may not issue the card unless it (1) Notifies the cardholder of the request at the cardholder's former address and provides the cardholder with a means to promptly report an incorrect address; (2) notifies the cardholder of the address change request by another means of communication previously agreed to by the issuer and the cardholder; or (3) uses other means of evaluating the validity of the address change in accordance with the reasonable policies and procedures established by the card issuer to comply with the joint regulations.

Section 114 broadly describes elements that belong in the regulations and those that belong in the “guidelines” without defining this term. The Agencies are proposing to implement the requirements of section 114 through regulations (Red Flag Regulations) requiring each financial institution and creditor to implement a written Identity Theft Prevention Program (Program). The Program must contain reasonable policies and procedures to address the risk of identity theft. The Agencies also are proposing guidelines that identify patterns, practices, and specific forms of activity that indicate a possible risk of identity theft (Red Flag Guidelines or Appendix J). As required by statute, the Agencies will update the Red Flag Guidelines as often as necessary. The proposed Red Flag Regulations require financial institutions and creditors to incorporate relevant indicators of identity theft into their Programs. The Agencies request comment on whether the elements described in section 114 have been properly allocated between the proposed regulations and the proposed guidelines.

As required by section 114, the Agencies also are proposing joint regulations requiring credit card issuers to implement reasonable policies and procedures to assess the validity of a change of address.

B. Proposed Red Flag Regulations

1. Overview

The Agencies are proposing Red Flag Regulations that adopt a flexible risk-based approach similar to the approach used in the “Interagency Guidelines Establishing Information Security Standards” [3] issued by the Federal banking agencies (FDIC, Board, OCC and OTS), the “Guidelines for Safeguarding Member Information” issued by the NCUA,[4] and the “Standards for Safeguarding Customer Information” [5] issued by the FTC, (collectively, Information Security Standards), to implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801.

Under the proposed Red Flag Regulations, financial institutions and creditors must have a written Program that is based upon the risk assessment of the financial institution or creditor and that includes controls to address the identity theft risks identified. Like the program described in the Agencies' Information Security Standards, this Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities, and be flexible to address changing identity theft risks as they arise. A financial institution or creditor may wish to combine its program to prevent identity theft with its information security program, as these programs are complementary in many ways.[6]

Start Printed Page 40789

Briefly summarized, under the proposed Red Flag Regulations, the Program of each financial institution or creditor must be designed to address the risk of identity theft to customers and to the safety and soundness of the financial institution or creditor. The Program must include policies and procedures to prevent identity theft from occurring, including policies and procedures to:

  • Identify those Red Flags that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor;
  • Verify the identity of persons opening accounts;
  • Detect the Red Flags that the financial institution or creditor identifies as relevant in connection with the opening of an account or any existing account;
  • Assess whether the Red Flags detected evidence a risk of identity theft;
  • Mitigate the risk of identity theft, commensurate with the degree of risk posed;
  • Train staff to implement the Program; and
  • Oversee service provider arrangements.

The proposed Red Flag Regulations also require the board of directors or an appropriate committee of the board to approve the Program. In addition, the board, an appropriate committee of the board, or senior management must exercise oversight over the Program's implementation. Staff implementing the Program must report to its board, an appropriate committee or senior management, at least annually, on compliance by the financial institution or creditor with the Red Flag Regulations. These Regulations are described in greater detail in the section-by-section analysis that follows.

2. Proposed Red Flag Regulations: Section-by-Section Analysis

The OCC, Board, FDIC, OTS and NCUA propose putting the Red Flag Regulations and Guidelines in the FCRA part of their regulations, 12 CFR parts 41, 222, 334, 571, and 717, respectively. In addition, the FDIC proposes to cross-reference the Red Flag Regulations and Guidelines in 12 CFR part 364. For ease of reference, the discussion in this preamble uses the shared numerical suffix of each of these agency's regulations.[7]

Section __.90 Duties regarding the detection, prevention, and mitigation of identity theft

Section __.90(a) Purpose and Scope

Proposed § __.90(a) sets forth the statutory authority for the proposed Red Flag Regulations, namely, section 114 of the FACT Act, which amends section 615 of the FCRA, 15 U.S.C. 1681m. It also defines the scope of this section; each of the Agencies has tailored this paragraph to describe those entities to which this section applies.

Section __.90(b) Definitions

Proposed § __.90(b) sets forth the definitions of various terms that apply to this section.

1. Account. Section 114 of the FACT Act does not use the term “account.” However, for ease of reference, the Agencies believe it is helpful to identify a single term to describe the relationships covered by section 114 that an account holder or customer may have with a financial institution or creditor. Therefore, for purposes of the Red Flag Regulations, the Agencies propose to use the term “account” to broadly describe the various relationships an account holder or customer may have with a financial institution or creditor that may become subject to identity theft.[8]

The proposed definition of “account” is similar to the definition of “customer relationship” found in the Agencies' privacy regulations.[9] In particular, the proposed definition of “account” is “a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).” [10] The definition gives examples of an “account” including an extension of credit for personal, family, household or business purposes (such as a credit card account, margin account, or retail installment sales contract, including a car loan or lease), and a demand deposit, savings or other asset account for personal, family, household or business purposes (such as a checking or savings account). While the proposed definition of “account” is expansive, the risk-based nature of the proposed Red Flag Regulations affords each financial institution or creditor flexibility to determine which relationships will be covered by its Program through a risk evaluation process.

The Agencies request comment on the scope of the proposed definition of “account.” In particular, the Agencies solicit comment on whether reference to “financial products and services that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act” is appropriate to describe the relationships that an account holder or customer may have with a financial institution or creditor that should be covered by the Red Flag Regulations. The Agencies also request comment on whether the definition of “account” should include relationships that are not “continuing” that a person may have with a financial institution or creditor. In addition, the Agencies request comment on whether additional or different examples of accounts should be added to the Regulations.

2. Board of Directors. The proposed Red Flag Regulations discuss the role of the board of directors of a financial institution or creditor. However, the Agencies recognize that some of the financial institutions and creditors covered by the Regulations will not have a board of directors. Therefore, in addition to its plain meaning, the proposed definition of “board of directors” includes, in the case of a foreign branch or agency of a foreign bank, the managing official in charge of the branch or agency. In the case of any other creditor that does not have a board of directors, “board of directors” is defined as a designated employee.

3. Customer. Section 114 of the FACT Act refers to “account holders” and “customers” of financial institutions and creditors without defining either of these terms. For ease of reference, the Start Printed Page 40790Agencies are proposing to define “customer” to encompass both “customers” and “account holders.” Thus, “customer” means a person that has an account with a financial institution or creditor.

The proposed definition of “customer” is broader than the definition of this term in the Information Security Standards. The proposed definition applies to any “person,” defined by the FCRA as any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.[11]

The Agencies chose this broad definition because, in addition to individuals, various types of entities (e.g., small businesses) can be victims of identity theft. Although the definition of “customer” is broad, a financial institution or creditor would have the discretion to determine which type of customer accounts will be covered under its Program, since the proposed Red Flag Regulations are risk-based.[12] The Agencies solicit comment on the scope of the proposed definition of “customer.”

4. Identity Theft. The proposed definition of “identity theft” states that this term has the same meaning as in 16 CFR 603.2(a). Section 111 of the FACT Act added several new definitions to the FCRA, including “identity theft.” However, section 111 granted authority to the FTC to further define this term.[13] The FTC exercised this authority and issued a final rule, which became effective on December 1, 2004, that defines “identity theft” as “a fraud committed or attempted using the identifying information of another person without authority.” [14] The FTC's rule defines “identifying information” to mean any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, such as a name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, or employer or taxpayer identification number.[15]

This definition of “identity theft” in the FTC's rule would be applicable to the Red Flag Regulations. Accordingly, “identity theft” within the meaning of the proposed Red Flag Regulations includes both actual and attempted identity theft.

5. Red Flag. The proposed definition of a “Red Flag” is a pattern, practice, or specific activity that indicates the possible risk of identity theft. This definition is based on the statutory language. Section 114 states that in developing the Red Flag Guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate “the possible existence” of identity theft. In other words, the Red Flags identified by the Agencies must be indicators of “the possible existence” of “a fraud committed or attempted using the identifying information of another person without authority.” [16]

Section 114 also states that the purpose of the Red Flag Regulations is to identify “possible risks” to account holders or customers or to the safety and soundness of the institution or “customer” [17] from identity theft. The Agencies believe that a “possible risk” of identity theft may exist even where the “possible existence” of identity theft is not necessarily indicated. For example, electronic messages to customers of financial institutions and creditors directing them to a fraudulent website in order to obtain their personal information (“phishing”), and a security breach involving the theft of personal information often are a means to acquire the information of another person for use in committing identity theft. Because of the linkage between these events and identity theft, the Agencies believe that it is important to include such precursors to identity theft as Red Flags. Defining these early warning signals as Red Flags will better position financial institutions and creditors to stop identity theft at its inception. Therefore, the Agencies have defined “Red Flags” expansively to include those precursors to identity theft which indicate “a possible risk” of identity theft to customers, financial institutions, and creditors.

The Agencies request comment on the scope of the definition of “Red Flags” and, specifically, whether the definition of Red Flags should include precursors to identity theft.

6. Service Provider. The proposed definition of “service provider” is a person that provides a service directly to the financial institution or creditor. This definition is based upon the definition of “service provider” in the Agencies” standards implementing section 501(b) of the GLBA.[18]

Section __.90(c) Identity Theft Prevention Program

Proposed paragraph § __.90(c) describes the primary objectives of the Program. It states that each financial institution or creditor must implement a written Program that includes reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor, in the manner described in § __.90(d). The program must address financial, operational, compliance, reputation, and litigation risks.

The risks of identity theft to a customer may include financial, reputation and litigation risks that occur when another person uses a customer's account fraudulently, such as by using the customer's credit card account number to make unauthorized purchases. The risks of identity theft to the safety and soundness of the financial institution or creditor may include: compliance, reputation, or litigation risks for failure to adequately protect customers from identity theft; operational and financial risks from absorbing losses to customers who are the victims of identity theft; or losses to the financial institution or creditor from opening an account for a person engaged in identity theft. Addressing identity theft in these circumstances would not only benefit customers, but would also benefit the financial institution or creditor, and any person (who has no relationship with the financial institution or creditor) whose identity has been misappropriated.

In addition, proposed paragraph § __.90(c) states that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. Thus, the proposed Red Flag Regulations are flexible and take into account the operations of smaller institutions.[19]

Proposed paragraph § __.90(c) also states that the Program must address Start Printed Page 40791changing identity theft risks as they arise based upon the experience of the financial institution or creditor with identity theft. In addition, the Program must also address changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, in the types of accounts the financial institution or creditor offers, and in its business arrangements, such as mergers and acquisitions, alliances and joint ventures, and service provider arrangements.

Thus, to ensure the Program's effectiveness in addressing the risk of identity theft to customers and to its own safety and soundness, each financial institution or creditor must monitor, evaluate, and adjust its Program, including the type of accounts covered, as appropriate. For example, a financial institution or creditor must periodically reassess whether to adjust the types of accounts covered by its Program and whether to adjust the Red Flags that are a part of its Program based upon any changes in the types and methods of identity theft that it experiences.

Section__.90(d) Development and Implementation of Identity Theft Prevention Program.

1. Identification and Evaluation of Red Flags

i. Risk-Based Red Flags

Under proposed paragraph § __.90(d)(1)(i), the Program must include policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation described in § __.90(d)(1)(ii). The Red Flags identified must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. At a minimum, the Program must incorporate any relevant Red Flags from Appendix J, applicable supervisory guidance, incidents of identity theft that the financial institution or creditor has experienced, and methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

The proposed Red Flags enumerated in Appendix J are indicators of a possible risk of identity theft that the Agencies compiled from literature on the topic, information from credit bureaus, financial institutions, creditors, designers of fraud detection software, and the Agencies' own experiences. Some of the Red Flags may, by themselves, be reliable indicators of a possible risk of identity theft, such as a photograph on identification that is not consistent with the appearance of the applicant. Some Red Flags may be less reliable except in combination with additional Red Flags, such as where a home phone number and address submitted on an application match the address and number provided by another applicant. Such a match may be attributable to identity theft or, for example, it may indicate that the two applicants who share a residence are opening separate accounts.

The Agencies expect that the final Red Flag Regulations will apply to a wide variety of financial institutions and creditors that offer many different products and services, from credit cards to certain cell phone accounts. The Agencies are not proposing to prescribe which Red Flags will be relevant to a particular type of financial institution or creditor. For this reason, the proposed Regulations provide that each financial institution and creditor must identify for itself which Red Flags are relevant to detecting the risk of identity theft, based upon the risk evaluation described in § __.90(d)(1)(ii).

The Agencies recognize that some Red Flags that are relevant today may become obsolete as time passes. While the Agencies expect to update Appendix J periodically,[20] it may be difficult to do so quickly enough to keep pace with rapidly evolving patterns of identity theft or as quickly as financial institutions and creditors experience new types of identity theft. The Agencies may, however, be able to issue supervisory guidance more rapidly. Therefore, proposed paragraph § __.90(d)(1)(i) provides that each financial institution and creditor must have policies and procedures to identify any additional Red Flags that are relevant to detecting a possible risk of identity theft from applicable supervisory guidance, incidents of identity theft that the financial institution or creditor has experienced, and methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

Given the changing nature of identity theft, a financial institution or creditor must incorporate Red Flags on a continuing basis so that its Program reflects changing identity theft risks to customers and to the financial institution or creditor as they arise. Ultimately, a financial institution or creditor is responsible for implementing a Program that is designed to effectively detect, prevent, and mitigate identity theft. The Agencies request comment on whether the enumerated sources of Red Flags are appropriate.

The Agencies understand that many financial institutions and creditors already have implemented sophisticated policies and procedures to detect and prevent fraud, including identity theft, through such methods as detection of anomalous patterns of account usage. Often these policies and procedures include the use of complex computer-based products, such as sophisticated software. The Agencies attempted to draft this section in a flexible, technologically neutral manner that would not require financial institutions or creditors to acquire expensive new technology to comply with the Red Flag Regulations, and also would not prevent financial institutions and creditors from continuing to use their own or a third party's computer-based products. The Agencies note, however, that a financial institution or creditor that uses a third party's computer-based programs to detect fraud and identity theft must independently assess whether such programs meet the requirements of the Red Flag Regulations and Red Flag Guidelines and should not rely solely on the representations of the third party.

The Agencies request comment on the anticipated impact of this proposed paragraph on the policies and procedures that financial institutions and creditors currently have to detect, prevent, and mitigate identity theft, including on third party computer-based products that are currently being used to detect identity theft.

ii. Risk Evaluation

Proposed paragraph § __.90(d)(1)(ii) provides that in order to identify which Red Flags are relevant to detecting a possible risk of identity theft to its customers or to its own safety and soundness, the financial institution or creditor must consider:

A. Which of its accounts are subject to a risk of identity theft;

B. The methods it provides to open these accounts;

C. The methods it provides to access these accounts; and

D. Its size, location, and customer base.

This provision describes a key part of the Program of a financial institution or creditor. Under proposed paragraph § __.90(d)(1)(ii), the financial institution or creditor must define the scope of its Program by assessing which of its accounts are subject to a risk of identity theft. For example, the financial institution or creditor must assess Start Printed Page 40792whether it will identify Red Flags in connection with extensions of credit only, or whether other types of relationships, such as deposit accounts, are likely to be subject to identity theft and should, therefore, be included in the scope of its Program. It must also assess whether to include solely the accounts of individual customers, or whether other types of accounts, such as those of small businesses, will be included in the scope of its Program. The financial institution or creditor must determine which Red Flags are relevant when it initially establishes its Program, and whenever it is necessary to address changing risks of identity theft.

The factors enumerated in proposed § __.90(d)(1)(ii) are nearly identical to those that each financial institution must consider when designing procedures for verifying the identity of customers opening new accounts in accordance with the Customer Identification Program (CIP) rules, issued to implement section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).[21] The Agencies believe that these CIP factors are equally relevant in the Red Flags context. For example, the Red Flags that may be relevant when an account is opened in a face-to-face transaction may be different from those relevant to an account that is opened remotely, by telephone, or over the Internet.

The Agencies solicit comment on whether the factors that must be considered are appropriate and whether any additional factors should be included.

2. Identity Theft Prevention and Mitigation

Proposed § __.90(d)(2) states that the Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account. This section then describes the following policies and procedures that the Program must include. Some of the policies and procedures relate solely to account openings. Others relate to existing accounts.

i. Verify Identity of Persons Opening Accounts

Proposed paragraph § __.90(d)(2)(i) states that the Program must include reasonable policies and procedures to obtain identifying information about, and verify the identity of, a person opening an account. This provision is designed to address the risk of identity theft to a financial institution or creditor that occurs in connection with the opening of new accounts.

Some financial institutions and creditors already are subject to the CIP rules, which require verification of the identity of customers opening accounts. A financial institution or creditor may satisfy the proposed requirement in § __.90(d)(2)(i) to have policies and procedures for verifying the identity of a person opening an account by applying the policies and procedures for identity verification it has developed to comply with the CIP rules. However, the financial institution or creditor must use the CIP policies and procedures to verify the identity of any “customer,” meaning any person that opens a new account, in connection with any type of “account” that its risk evaluation indicates could be the subject of identity theft. By contrast, the CIP rules exclude a variety of entities from the definition of “customer” and exclude a number of products and relationships from the definition of “account.” The Agencies are not proposing any exclusions from either of these terms given the risk-based nature of the Red Flag Regulations.[22]

The Agencies recognize, however, that not all financial institutions and creditors that must implement the Red Flag Regulations are required to comply with the CIP rules. This provision would allow any financial institution or creditor to follow the CIP rules to satisfy the Red Flag requirements to obtain identifying information about, and verify the identity of, a person opening an account. This approach is designed to ensure that, as stated in section 114, the Red Flag Guidelines are not inconsistent with the policies and procedures required by the CIP rules.

ii. Detect Red Flags

Proposed paragraph. § __.90(d)(2)(ii) states that the Program must include reasonable policies and procedures to detect the Red Flags identified pursuant to paragraph § __.90(d)(1).

iii. Assess the Risk of Identity Theft

Proposed paragraph § __.90(d)(2)(iii) states that the Program must include policies and procedures to assess whether the Red Flags the financial institution or creditor has detected pursuant to paragraph § __.90(d)(2)(ii) evidence a risk of identity theft. It also states that a financial institution or creditor must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft.

Factors indicating that a Red Flag does not evidence a risk of identity theft might include: Patterns of spending that are inconsistent with established patterns of activity on an account because the customer is traveling abroad, or an inconsistency between the social security number on an account application and a consumer report because numbers inadvertently were transposed during the application process.

iv. Address the Risk of Identity Theft

Proposed paragraph § __.90(d)(2)(iv) states that the Program must include policies and procedures that address the risk of identity theft to the customer, the financial institution, or creditor, commensurate with the degree of risk posed. The Regulations then provide an illustrative list of measures that a financial institution or creditor may take,[23] including:

A. Monitoring an account for evidence of identity theft;

B. Contacting the customer;

C. Changing any passwords, security codes, or other security devices that permit access to a customer's account;

D. Reopening an account with a new account number;

E. Not opening a new account;

F. Closing an existing account;

G. Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

H. Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the Start Printed Page 40793opening of an account, or an existing account; or

I. Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.

Financial institutions and creditors typically use such measures to mitigate the risk of identity theft. In addition, measures E through G are actions that each financial institution subject to the CIP rules must include in its procedures for responding to circumstances in which it cannot form a reasonable belief that it knows the true identity of a customer.[24] Measure H describes the procedures required in section 112 of the FACT Act, 15 U.S.C. 1681c-1(h), that are applicable to a prospective user of credit reports when a user obtains a credit report that includes a fraud alert or active duty alert. Measure I describes the requirements in section 623 of the FCRA, 15 U.S.C. 1681s-2, applicable to a furnisher of information to consumer reporting agencies that discovers inaccurate or incomplete information about a consumer.

These measures illustrate various actions that a financial institution or creditor may take depending upon the degree of risk that is present. For example, a financial institution or creditor may choose to contact a customer to determine whether a material change in credit card usage reflects purchases made by the customer or unauthorized charges. However, if the financial institution or creditor is notified that a customer provided his or her password and account number to a fraudulent website, it likely will close the customer's existing account and reopen it with a new account number.

The Agencies solicit comment on whether the enumerated measures should be included as examples that a financial institution or creditor may take and whether additional measures should be included.

3. Train Staff

Under proposed paragraph § __.90(d)(3), each financial institution or creditor must train staff to implement its Program. Proper training will enable staff to address the risk of identity theft. For example, staff should be trained to detect Red Flags with regard to new and existing accounts, such as discrepancies in identification presented by a person opening an account or anomalous wire transfers in connection with a customer's deposit account. Staff should also be trained to mitigate identity theft, for example, by recognizing when an account should not be opened.

4. Oversee Service Provider Arrangements

Proposed paragraph § __.90(d)(4) states that whenever a financial institution or creditor engages a service provider to perform an activity on its behalf that is covered by § __.90, the financial institution or creditor must take steps designed to ensure that the activity is conducted in compliance with a Program that meets the requirements of paragraphs (c) and (d) of this section. For example, a financial institution or creditor that uses a service provider to open accounts on its behalf, may reserve for itself the responsibility to verify the identity of a person opening a new account, may direct the service provider to do so, or may use another service provider to verify identity. Ultimately, however, the financial institution or creditor remains responsible for ensuring that the activity is being conducted in compliance with a Program that meets the requirements of the Red Flag Regulations.

In addition, this provision would allow a service provider that provides services to multiple financial institutions and creditors to conduct activities on behalf of these entities in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the Red Flag Regulations. The service provider would not need to apply the particular Program of each individual financial institution or creditor to whom it is providing services.

Under the Agencies' Information Security Standards, financial institutions must require their service providers by contract to safeguard customer information in any manner that meets the objectives of the Standards. The Standards provide flexibility for a service provider's information security measures to differ from the program that a financial institution implements. By contrast, the CIP regulations do not contain a service provider provision. Instead, the preamble to the CIP regulations simply states that the CIP regulations do not affect a financial institution's authority to contract for services to be performed by a third party either on or off the institution's premises, and also does not alter an institution's authority to use an agent to perform services on its behalf.[25] The Agencies invite comment on whether permitting a service provider to implement a Program, including policies and procedures to identify and detect Red Flags, that differs from the programs of the individual financial institution or creditor to whom it is providing services, would fulfill the objectives of the Red Flag Regulations. The Agencies also invite comment on whether it is necessary to address service provider arrangements in the Red Flag Regulations, or whether it is self-evident that a financial institution or creditor remains responsible for complying with the standards set forth in the Regulations, including when it contracts with a third party to perform an activity on its behalf.

5. Involve the Board of Directors and Senior Management

Proposed § __.90(d)(5) highlights the responsibility of the board of directors and senior management to develop and implement the Program. The board of directors or an appropriate committee of the board must approve the written Program. The board, an appropriate committee of the board, or senior management is charged with overseeing the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation. In addition, persons charged with overseeing the Program must review reports that must be prepared at least annually by staff regarding compliance by the financial institution or creditor with the Red Flag Regulations. The reports must discuss material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program. This report will indicate whether the Program must be adjusted to increase its effectiveness.

The Agencies request comment regarding the frequency with which reports should be prepared for the board, a board committee, or senior management. The Agencies also request comment on whether this paragraph properly allocates the responsibility for oversight and implementation of the Program between the board and senior management.

C. Proposed Red Flag Guidelines: Appendix J

Section 114 of the FACT Act states that in developing the guidelines, the Start Printed Page 40794Agencies are directed to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The Agencies are proposing to implement this provision by requiring the Program of a financial institution or creditor to include policies and procedures that require the identification and detection of risk-based Red Flags.

As discussed earlier, the Program must include policies and procedures designed to identify Red Flags relevant to detecting a possible risk of identity theft from among those listed in Appendix J. The proposed Red Flags enumerated in Appendix J are indicators of a possible risk of identity theft that the Agencies compiled from a variety of sources. Appendix J covers Red Flags that may be detected in connection with an account opening or an existing account. Some of the Red Flags, by themselves, may be reliable indicators of identity theft, while others are more reliable when detected in combination with other Red Flags.

Recognizing that a wide range of financial institutions and creditors and a broad variety of accounts will be covered by the Red Flag Regulations, the proposed Regulations provide each financial institution and creditor with the flexibility to develop policies and procedures to identify which Red Flags in Appendix J are relevant to detecting the possible risk of identity theft.

The proposed list in Appendix J is not meant to be exhaustive. Therefore, proposed § __.90(d)(1) of the Red Flag Regulations also provide that each financial institution and creditor must have policies and procedures to identify additional Red Flags from applicable supervisory guidance that may be issued from time-to-time, incidents of identity theft that the financial institution or creditor has experienced, and methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks. Ultimately, the financial institution or creditor is responsible for implementing a Program that is designed to effectively detect, prevent and mitigate identity theft.

The Agencies solicit comment on whether the proposed Red Flags listed in Appendix J are too specific or not specific enough, and whether additional or different Red Flags should be included.

Section 114 also directs the Agencies to consider whether to include reasonable guidelines for notifying the consumer when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years, in order to reduce the likelihood of identity theft. The Agencies considered whether to incorporate this provision directly into Appendix J, but determined that the two-year limit may not be an accurate indicator of identity theft given the wide variety of credit and deposit accounts that would be covered by the provision.

The Agencies have concluded, however, that activity in connection with an account that has been inactive for a period of time may be an indicator of a possible risk of identity theft, depending upon the circumstances. Therefore, the Agencies have incorporated a Red Flag on inactive accounts into Appendix J that is flexible and is designed to take into consideration the type of account, the expected pattern of usage of the account, and any other relevant factors.

The Agencies request comment on whether a provision that mirrors the statutory language regarding inactive accounts should be placed directly into Appendix J or the Red Flag Regulations, or whether the more flexible approach to inactive accounts proposed (i.e., listing as a Red Flag the use of an account that has been inactive for a reasonably lengthy period of time) should be retained.

The Agencies also request comment on whether, for ease of use, this appendix should be moved to the end of Subpart J or remain at the end of the part as proposed.

D. Proposed Special Rules for Card Issuers: Section-by-Section Analysis

Section __.91 Duties of Card Issuers Regarding Changes of Address

Section __.91(a) Scope

Section 114 specifically provides that the Agencies must prescribe regulations requiring credit and debit card issuers to assess the validity of change of address requests. Therefore, in addition to the general rule in § __.90 that applies to all financial institutions and creditors, the Agencies are proposing regulations for card issuers, namely a person described in § __.90(a) that issues a debit or credit card. A financial institution or creditor that is a card issuer may incorporate the requirements of § __.91 into its Program.

Section __.91(b) Definitions

The proposed regulations include two definitions that are solely applicable to the special rule for card issuers. The first proposed definition is for the term “cardholder.” Section 114 states that the regulations must require the card issuer to follow reasonable policies and procedures to assess the validity of a change of address before issuing an additional or replacement card. Section 114 provides that a card issuer may satisfy this requirement by notifying “the cardholder.”

The term “cardholder” is not defined in the statute. The legislative history relating to this provision indicates that “issuers of credit cards and debit cards who receive a consumer request for an additional or replacement card for an existing account” may assess the validity of the request by notifying “the cardholder.” [26] Presumably, the request will be valid if the consumer making the request and the cardholder are one and the same “consumer.” Therefore, the proposal defines “cardholder” as a consumer who has been issued a credit or debit card. Further, because “consumer” is defined in the FCRA as an “individual” [27] the proposed regulations will cover a request by an individual for a business card. The Agencies request comment on whether this definition of “cardholder” is appropriate.

The second proposed definition is for the phrase “clear and conspicuous.” Section __.91 includes a provision requiring that any written or electronic notice provided by a card issuer to the consumer pursuant to the regulations be given in a “clear and conspicuous manner.” The proposed regulations define “clear and conspicuous” based on the definition of this phrase found in the Agencies' privacy regulations.[28]

The Agencies request comment on whether, for ease of use, the regulations implementing section 315 should define additional terms, such as “card issuer,” “credit card,” and “debit card,” that are already defined in the FCRA.

Section __.91(c) General Requirements

As required by section 114, proposed § __.91(c) states that a card issuer that receives notification of a change of address for a consumer's debit or credit card account, and within a short period of time afterwards (during at least the first 30 days after it receives such notification) receives a request for an additional or replacement card for the same account, may not honor the request and issue such a card, unless it assesses the validity of the change of address request in at least one of three ways. As specified in section 114, proposed paragraph § __.91(c) Start Printed Page 40795provides that, in accordance with the card issuer's reasonable policies and procedures, and for the purpose of assessing the validity of the change of address, the card issuer must:

(i) Notify the cardholder of the request at the cardholder's former address and provide to the cardholder a means of promptly reporting incorrect address changes;

(ii) Notify the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or

(iii) Use other means of assessing the validity of the change of address, in accordance with the policies and procedures that the card issuer has established pursuant to § __.90.

The proposed rule text specifies that the notification of a change of address must pertain to a “consumer's” debit or credit account, consistent with the legislative history discussed above.[29]

The Agencies request comment on this provision and, in particular, whether the Agencies should elaborate further on the means that a card issuer must use to assess the validity of a request for a change of address.

Section __.91(d) Form of Notice

The Agencies note that section 114 is titled “Establishment of Procedures for the Identification of Possible Instances of Identity Theft.” The Agencies understand that Congress singled out this scenario involving card issuers and placed it in section 114 because it is well known to be a possible indicator of identity theft. The Agencies believe that a consumer needs to be able to recognize the urgent nature of a written or electronic notice that he or she receives from a card issuer pursuant to § __.91(d). Therefore, the proposed regulations prescribe the form that such a notice should take. They state that any written or electronic notice that a card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder. Of course, a card issuer may give notice orally in accordance with the policies and procedures the cardholder has established pursuant to § __.90(b).

The Agencies request comment on whether this section should elaborate further on the form that a notice provided under § __.91(d) must take.

II. Section 315 of the FACT Act

A. Background

Section 315 of the FACT Act amends section 605 of the FCRA, 15 U.S.C. 1681c, by adding a new section (h). Section 315 requires that, when providing consumer reports to requesting users, nationwide consumer reporting agencies (as defined in section 603(p) of the FCRA) (CRAs) must provide a notice of the existence of a discrepancy if the address provided by the user in its request “substantially differs” from the address the CRA has in the consumer's file.

Section 315 also requires the Agencies to jointly issue regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy. These regulations must describe reasonable policies and procedures for users of consumer reports to (i) enable them to form a reasonable belief that the user knows the identity of the person for whom it has obtained a consumer report, and (ii) reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.

B. Proposed Regulation Implementing Section 315: Section-by-Section Analysis

Section __.82(a) Scope

The scope of section 315 differs from the scope of section 114. Section 315 applies to “users of consumer reports” and “persons requesting consumer reports” (hereinafter referred to as “users”), as opposed to financial institutions and creditors. Therefore, section 315 does not apply to a financial institution or creditor that does not use consumer reports.

Section __.82(b) Definition

The proposed rule defines “notice of address discrepancy,” a new term introduced in section 315.[30] The proposed definition is “a notice sent to a user of a consumer report by a CRA pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference [31] between the address for the consumer provided by the user in requesting the consumer report and the address or addresses the CRA has in the consumer's file.”

The Agencies note that the provisions of section 315 requiring CRAs to provide notices of address discrepancy became effective on December 1, 2004. To the extent that CRAs each have developed their own standards for delivery of notices of address discrepancy, it is particularly important for users to be able to recognize and receive notices of address discrepancy, especially if they are being delivered electronically by CRAs. For example, CRAs may provide consumer reports with some type of a code to indicate an address discrepancy. Users must be prepared to recognize the code as an indication of an address discrepancy.

Section __.82(c) Requirement to Form a Reasonable Belief

Proposed § __.82(c) implements the requirement in section 315 that the Agencies prescribe regulations describing reasonable policies and procedures that will enable the user to form a reasonable belief that the user knows “the identity of the person to whom the consumer report pertains” when the user receives a notice of address discrepancy. Proposed § __.82(c) states that a user must develop and implement reasonable policies and procedures for “verifying the identity of the consumer for whom it has obtained a consumer report” whenever it receives a notice of address discrepancy. These policies and procedures must be designed to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report, or determine that it cannot do so.

This section also provides that if a user employs the policies and procedures regarding identification and verification set forth in the CIP rules,[32] it satisfies the requirement to have policies and procedures to verify the identity of the consumer. This provision takes into consideration that many users already may be subject to the CIP rules, and have in place procedures to comply with those rules, at least with respect to the opening of accounts. Thus, such a user could use its existing CIP policies and procedures to satisfy this requirement, so long as it applies them in all situations where it receives a notice of address discrepancy. In addition, any user, such as a landlord or employer, may adopt the CIP rules and apply them in all situations where it receives an address discrepancy to meet Start Printed Page 40796this requirement, even if it is not subject to a CIP rule.

The Agencies request comment on whether the CIP procedures are sufficient to enable a user that receives a notice of address discrepancy with a consumer report to form a reasonable belief that it knows the identity of the consumer for whom it obtained the report, both in connection with the opening of an account, and in other circumstances where a user obtains a consumer report.[33]

The statutory requirement that a user must form a reasonable belief that it knows the identity of the consumer for whom it obtained a consumer report applies whether or not the user subsequently establishes a continuing relationship with the consumer. By contrast, the additional statutory requirement that a user reconcile the address of the consumer with the CRA only applies if the user establishes a continuing relationship with the consumer.

The requirement that the user form a reasonable belief that it knows the identity of the consumer is likely to benefit both consumers and users. For example, this requirement should reduce the likelihood that a user will rely on the wrong consumer report in making a decision about a consumer's eligibility for a product, such as the consumer report of another consumer with the same name who lives at a different address. In addition, these policies and procedures may assist the user to detect whether a consumer about whom it has requested a consumer report is engaged in identity theft or is a victim of identity theft.[34]

Section __.82(d)(1) Requirement to Furnish Consumer's Address To a Consumer Reporting Agency

Proposed § __.82(d)(1) provides that a user must develop and implement reasonable policies and procedures for furnishing to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the following three conditions are satisfied. The first condition set forth in proposed § __.82(d)(1)(i) is that the user must be able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained. This condition will ensure that the user furnishes a new address for the consumer to the CRA only after the user forms a reasonable belief that it knows the identity of the consumer, using the policies and procedures set forth in paragraph § __.82(c).

The second condition, set forth in proposed § __.82(d)(1)(ii), is that the user furnish the address to the CRA if it establishes or maintains a continuing relationship with the consumer. Section 315 specifically requires that the user furnish the consumer's address to the CRA if the user establishes a continuing relationship with the consumer. Therefore, proposed § __.82(d)(1)(ii) reiterates this requirement. However, a user also may obtain a notice of address discrepancy in connection with a consumer with whom it already has an existing relationship. Section 315 provides the Agencies with broad authority to prescribe regulations in all circumstances when a user has received a notice of address discrepancy. The Agencies have exercised this authority to provide that the user must also furnish the consumer's address to the CRA from whom the user has received a notice of address discrepancy when the user maintains a continuing relationship with the consumer.

Finally, as required by section 315, the third condition set out in proposed § __.82(d)(1)(iii) is that if the user regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained, the consumer's address must be communicated to the CRA as part of the information the user regularly provides.

Section __.82(d)(2) Requirement To Confirm Consumer's Address

The Agencies note that section 315 requires the Agencies to prescribe regulations describing reasonable policies and procedures for a user “to reconcile the address of the consumer” about whom it has obtained a notice of address discrepancy with the CRA “by furnishing such address” to the CRA. (Emphasis added.) Even when the user is able to form a reasonable belief that it knows the identity of the consumer, there may be many reasons that the initial address furnished by the consumer is incorrect. For example, a consumer may have provided the address of a secondary residence or inadvertently reversed a street number. To ensure that the address that is furnished to the CRA is accurate, the Agencies are proposing to interpret the phrase, “such address,” as an address that the user has reasonably confirmed is accurate. This interpretation requires a user to take steps to “reconcile” the address it initially received from the consumer when it receives a notice of address discrepancy rather than simply furnishing the initial address it received to the CRA. Proposed § __.82(d)(2) contains the following list of illustrative measures that a user may employ to reasonably confirm the accuracy of the consumer's address:

  • Verifying the address with the person to whom the consumer report pertains;
  • Reviewing its own records of the address provided to request the consumer report;
  • Verifying the address through third-party sources; or
  • Using other reasonable means.

The Agencies solicit comment on whether the regulation should include examples of measures to reasonably confirm the accuracy of the consumer's address, or whether different or additional examples should be listed.

Section __.82(d)(3) Timing

Section 315 specifically addresses when a user must furnish the consumer's address to the CRA. It states that this information must be furnished for the reporting period in which the user's relationship with the consumer is established. Accordingly, proposed § __.82(d)(3)(i) states that, with respect to new relationships, the policies and procedures that a user develops in accordance with § __.82(d)(1) must provide that a user will furnish the consumer's address that it has reasonably confirmed to the CRA as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.

However, a user may also receive a notice of address discrepancy in other circumstances, such as when it requests a consumer report for a consumer with whom it already has an existing relationship. As previously noted, section 315 provides the Agencies with broad authority to prescribe regulations in all circumstances when a user has received a notice of discrepancy. Thus, proposed paragraph § __.82(d)(3)(ii) states that in other circumstances, such as when the user already has an existing relationship with the consumer, the user should furnish this information for the reporting period in which the user has reasonably confirmed the accuracy of Start Printed Page 40797the address of the consumer for whom it has obtained a consumer report.

The Agencies recognize that the timing provision for newly established relationships may be problematic for users hoping to take full advantage of the flexibility in the timing for verification of identity afforded by the CIP rules. As required by statute, proposed § __.82(d)(3)(i), the timing provision for new relationships, states that the reconciled address must be furnished for the reporting period in which the user establishes a relationship with the consumer. Proposed § __.82(d)(1), which also mirrors the requirement of the statute, requires the reconciled address to be furnished to the CRA only when the user both establishes a continuing relationship with the consumer and forms a reasonable belief that it knows the identity of the consumer to whom the consumer report relates. Typically, the CIP rules permit an account to be opened (i.e, relationship to be established) if certain identifying information is provided. Verification to establish the true identity of the customer is required within a reasonable period of time after the account has been opened. However, in this context, and in order to satisfy the requirements of both § __.82(d)(1) and § __.82(d)(3)(i), a user employing the CIP rules will have to both establish a continuing relationship and a reasonable belief that it knows the consumer's identity during the same reporting period.

The Agencies request comment on whether the timing for responding to notices of address discrepancy received in connection with newly established relationships and in connection with circumstances other than newly established relationships is appropriate.

III. General Provisions

The OCC, the Board, the FDIC, the OTS, and the NCUA [35] are proposing to amend the first sentence in § __.3, which contains the definitions that are applicable throughout this part. This sentence currently states that the list of definitions in § __.3 apply throughout the part “unless the context requires otherwise.” These agencies are proposing to amend this introductory sentence to make clear that the definitions in § __.3 apply “for purposes of this part, unless explicitly stated otherwise.” Thus, these definitions apply throughout the part unless defined differently in an individual subpart.

OTS is also proposing nonsubstantive, technical changes to its rule sections on purpose and scope (§ 571.1) and disposal of consumer information (§ 571.83). These changes are necessary in light of the proposed incorporation of the address discrepancy section into subpart I.

IV. Regulatory Analysis

A. Paperwork Reduction Act

I. Request for Comment on Proposed Information Collection

In accordance with the requirements of the Paperwork Reduction Act of 1995, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.

The information collection requirements contained in this joint notice of proposed rulemaking have been submitted by the OCC, FDIC, OTS, NCUA, and FTC to OMB for review and approval under the Paperwork Reduction Act of 1995. The requirements are found in 12 CFR 41.82, 41.90, 41.91, 334.82, 334.90, 334.91, 571.82, 571.90, 571.91, and 717.82; 717.90; and 717.91; and 16 CFR 681.1, 681.2, and 681.3.

In accordance with the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3506; 5 CFR part 1320, Appendix A.1), the Board has reviewed the proposed rule under the authority delegated by OMB. The proposed rule contains requirements subject to the PRA. The collections of information that are required by this proposed rule are found in 12 CFR 222.82, 222.90, and 222.91. The Board may not conduct or sponsor, and an organization is not required to respond to, this information collection unless it displays a currently valid OMB control number. The OMB control number is to be assigned.

Comments are invited on:

(a) Whether the collection of information is necessary for the proper performance of the Agencies' functions, including whether the information has practical utility;

(b) The accuracy of the estimates of the burden of the information collection, including the validity of the methodology and assumptions used;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

(e) Estimates of capital or start up costs and costs of operation, maintenance, and purchase of services to provide information.

All comments will become a matter of public record.

Comments should be addressed to: OCC: Communications Division, Office of the Comptroller of the Currency, Public Information Room, Mail stop 1-5, Attention: 1557-NEW, 250 E Street, SW., Washington, DC 20219. In addition, comments may be sent by fax to 202-874-4448, or by electronic mail to regs.comments@occ.treas.gov. You can inspect and photocopy the comments at the OCC's Public Information Room, 250 E Street, SW., Washington, DC 20219. You can make an appointment to inspect the comments by calling 202-874-5043.

Board: You may submit comments, identified by R-1255, by any of the following methods:

All public comments are available from the Board's Web site at http://www.federalreserve.gov/​generalinfo/​foia/​ProposedRegs.cfm as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper in Room MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays.

FDIC: You may submit written comments, which should refer to 3064-___, by any of the following methods:

  • Agency Web site: http://www.fdic.gov/​regulations/​laws/​federal/​propose.html. Follow the instructions for submitting comments on the FDIC Web site. Start Printed Page 40798
  • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
  • E-mail: Comments@FDIC.gov.
  • Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, FDIC, 550 17th Street, NW., Washington, DC 20429.
  • Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m.

Public Inspection: All comments received will be posted without change to http://www.fdic.gov/​regulations/​laws/​federal/​propose/​html including any personal information provided. Comments may be inspected at the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC, between 9 a.m. and 4:30 p.m. on business days.

OTS: Information Collection Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; send a facsimile transmission to (202) 906-6518; or send an e-mail to infocollection.comments @ots.treas.gov. OTS will post comments and the related index on the OTS Internet site at http://www.ots.treas.gov. In addition, interested persons may inspect the comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment, call (202) 906-5922, send an e-mail to publicinfo@ots.treas.gov, or send a facsimile transmission to (202) 906-7755.

NCUA: You may submit comments by any of the following methods (Please send comments by one method only):

FTC: Comments should refer to “The Red Flags Rule: Project No. R611019,” and may be submitted by any of the following methods. However, if the comment contains any material for which confidential treatment is requested, it must be filed in paper form, and the first page of the document must be clearly labeled “Confidential.” [36]

  • E-mail: Comments filed in electronic form should be submitted by clicking on the following Web link: https://secure.commentworks.com/​ftc-redflags and following the instructions on the Web-based form. To ensure that the Commission considers an electronic comment, you must file it on the Web-based form at https://secure.commentworks.com/​ftc-redflags.
  • Federal eRulemaking Portal: If this notice appears at http://www.regulations.gov, you may also file an electronic comment through that Web site. The Commission will consider all comments that regulations.gov forwards to it.
  • Mail or Hand Delivery: A comment filed in paper form should include “The Red Flags Rule, Project No. R611019,” both in the text and on the envelope and should be mailed or delivered, with two complete copies, to the following address: Federal Trade Commission/Office of the Secretary, Room H-135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in the Washington area and at the Commission is subject to delay, please consider submitting your comments in electronic form, as prescribed above. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible.

Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission. Comments should be submitted via facsimile to (202) 395-6974 because U.S. Postal Mail is subject to lengthy delays due to heightened security precautions.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov/​os/​publiccomments.htm. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/​ftc/​privacy.htm.

II. Proposed Information Collection

Title of Information Collection: Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2002.

Frequency of Response: On occasion.

Affected Public: OCC: National banks and Federal branches and agencies of foreign banks and certain subsidiaries of these entities.

Board: State member banks, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations.

FDIC: Insured nonmember banks, insured state branches of foreign banks, and certain subsidiaries of these entities.

OTS: Savings associations and certain of their subsidiaries.

NCUA: Federally-chartered credit unions.

FTC: Section 114: State-chartered credit unions, non-bank lenders, mortgage brokers, motor vehicle dealers, utility companies, telecommunications companies, and any other person that regularly participates in a credit decision, including setting the terms of credit.

Section 315: State-chartered credit unions, non-bank lenders, insurers, landlords, employers, mortgage brokers, motor vehicle dealers, collection agencies, and any other person who requests a consumer report from a nationwide consumer reporting agency as described in section 603(p) of the FCRA.

Abstract: Section 114: As required by section 114, the Agencies are jointly proposing guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft. The Agencies also are proposing joint regulations requiring each financial institution and creditor to establish reasonable policies Start Printed Page 40799and procedures to address the risk of identity theft that incorporate the guidelines. In addition, credit and debit card issuers must develop policies and procedures to assess the validity of a request for a change of address under certain circumstances.

The information collections in the proposed regulations implementing section 114 would require each financial institution and creditor to create an Identity Theft Prevention Program (Program) and report to the board of directors, a committee thereof or senior management at least annually on compliance with the proposed regulations. Staff must be trained to implement the Program. In addition, each credit and debit card issuer would be required to establish policies and procedures to assess the validity of a change of address request. The proposed regulations require the card issuer to notify the cardholder in writing, electronically, or orally, or use another means of assessing the validity of the change of address.

Section 315: The Agencies are proposing joint regulations under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency.

The information collections in the proposed regulations implementing section 315 would require each user of consumer reports to develop reasonable policies and procedures that it will employ when it receives a notice of address discrepancy from a consumer reporting agency. The proposed regulations require a user of consumer reports to furnish an address that the user has reasonably confirmed is accurate to the consumer reporting agency from which it receives a notice of address discrepancy.

Estimated Burden:[37] Section 114: The Agencies estimate that it will initially take financial institutions and creditors 25 hours to create the Program outlined in the proposed rule, 4 hours to prepare an annual report, and 2 hours to train staff to implement the Program.

The Agencies estimate that it will take credit and debit card issuers 4 hours to develop policies and procedures to assess the validity of a change of address request.

The Agencies believe that most of the covered entities already employ a variety of measures to detect and address identity theft that are required by section 114 of the proposed regulations because these are usual and customary business practices that they engage in to minimize losses due to fraud. In addition, the Agencies believe that many financial institutions and creditors already have implemented some of the requirements of the proposed regulations implementing section 114 as a result of having to comply with other existing regulations and guidance, such as the regulations implementing section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l),[38] the Information Security Standards that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w,[39] and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.[40] The Agencies also believe that card issuers already assess the validity of change of address requests, and for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Therefore implementation of this requirement will pose no further burden. Accordingly, these estimates represent the incremental amount of time the Agencies believe it will take to create a written Program that incorporates the policies and procedures that covered entities are likely to already have in place, the incremental time to train staff to implement the Program, to establish policies and procedures to assess the validity of changes of address, and to notify cardholders, as appropriate.

Section 315: The Agencies estimate that it will take users of consumer reports 4 hours to develop policies and procedures that they will employ when they receive a notice of address discrepancy. The Agencies believe that users of credit reports covered by this analysis already are furnishing this information to consumer reporting agencies because it is a usual and customary business practice. Therefore, the Agencies estimate that there will be no implementation burden.

Thus, the burden associated with this collection of information may be summarized as follows.

OCC

Number of respondents: 2,100.

Estimated time per response: 39.

Developing program: 25.

Preparing annual report: 4.

Training: 2.

Developing policies and procedures to assess validity of changes of address: 4.

Developing policies and procedures to respond to notices of address discrepancy: 4.

Total estimated annual burden: 81,900.

Board

Number of respondents: 1,182.

Estimated time per response: 39 hours.

Developing program: 25 hours.

Preparing annual report: 4 hours.

Training: 2 hours.

Developing policies and procedures to assess validity of changes of address: 4 hours.

Developing policies and procedures to respond to notices of address discrepancy: 4 hours.

Total Estimated Annual Burden: 46,098.

FDIC

Number of respondents: 5,245.

Estimated time per response: 39 hours.

Developing program: 25 hours.

Preparing annual report: 4 hours.

Training: 2 hours.

Developing policies and procedures to assess validity of changes of address: 4 hours. Start Printed Page 40800

Developing policies and procedures to respond to notices of address discrepancy: 4 hours.

Total Estimated Annual Burden: 204,555 hours.

OTS

Number of respondents: 858.

Estimated time per response: 39 hours.

Developing program: 25 hours.

Preparing annual report: 4 hours.

Training: 2 hours.

Developing policies and procedures to assess validity of changes of address: 4 hours.

Developing policies and procedures to respond to notices of address discrepancy: 4 hours.

Total Estimated Annual Burden: 33,462.

NCUA

Number of respondents: 5,393.

Estimated time per Response: 39 hours.

Developing program: 25 hours.

Preparing annual report: 4 hours.

Training: 2 hours.

Developing policies and procedures to assess validity of changes of address: 4 hours.

Developing policies and procedures to respond to notice of address discrepancy: 4 hours.

Total Estimated Annual Burden: 210,327.

FTC [41]

Section 114: Estimated Hours Burden: As discussed above, the proposed regulations would require financial institutions and creditors to create a Program and report to the board of directors, a committee thereof, or senior management at least annually on compliance with the proposed regulations. The FCRA defines “creditor” to have the same meaning as in section 702 of the ECOA.[42] Under Regulation B, which implements the ECOA, a creditor means a person who regularly participates in a credit decision, including setting the terms of credit. Regulation B defines credit as a transaction in which the party has a right to defer payment of a debt, regardless of whether the credit is for personal or commercial purposes.[43] Given the broad scope of entities covered, it is difficult to determine precisely the number of financial institutions and creditors that are subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the proposed regulations implementing section 114 will affect over 3500 financial institutions [44] and over 11 million creditors [45] subject to the FTC's jurisdiction, for a combined total of approximately 11.1 million affected entities. As detailed below, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance is sought will be 6,279,000 hours (rounded to the nearest thousand). The estimated annual labor cost associated with this burden is $134,621,000 (rounded to the nearest thousand).

FTC staff believes that the affected entities can be categorized in two groups, based on the nature of their businesses: Entities that are subject to a high risk of identity theft and entities that are subject to a low risk of identity theft.[46] Moreover, FTC staff believes that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud. Furthermore, FTC staff believes that motor vehicle dealers would incur less burden than other high-risk entities. Because their loans are typically financed by financial institutions that are also subject to these proposed regulations, FTC staff believes that motor vehicle dealers are likely to use the financial institutions' programs as a basis for developing their own programs. Accordingly, FTC staff estimates that to create and implement a written Program that incorporates the policies and procedures that high-risk entities already are likely to have in place, it will take high-risk entities (excluding motor vehicle dealers) 25 hours, with an annual recurring burden of 1 hour, and it will take motor vehicle dealers 5 hours, with an annual recurring burden of 1 hour. FTC staff also estimates that the incremental time to train staff to implement the Program will take high-risk entities (including motor vehicle dealers) 2 hours, with an annual recurring burden of 1 hour. Finally, FTC staff estimates that preparation of an annual report will take high-risk entities (including motor vehicle dealers) 4 hours, with an annual recurring burden of 1 hour.

FTC staff assumes that most of the low-risk entities do not employ currently the measures to detect and address identity theft that are required by section 114 of the proposed regulations. However, the proposed regulations are drafted in a flexible manner that allows entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. Moreover, the emphasis of the written Program, as required under the proposed regulations, is to identify risks of identity theft. To the extent that entities determine that they have a minimal risk of identity theft, they would be tasked only with developing a streamlined Program. As a result, FTC staff anticipates that the burden on low-risk entities to comply with the proposed regulations will be minimal. Accordingly, FTC staff believes that to create a streamlined Program, it will take low-risk entities 20 minutes, with an annual recurring burden of 5 minutes. The FTC staff believes that training staff to be attentive to any future risks of identity theft will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes. The FTC staff believes that preparing an annual report will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes.

Accordingly, FTC staff estimates that the proposed regulations implementing section 114 affect the following: 93,487 high-risk entities (excluding motor vehicle dealers) subject to the FTC's jurisdiction at an average annual burden of 12 hours and 20 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of Program ((25 + 1 + 1)/3) plus average annual burden over 3-year clearance period for staff training ((2 + 1 + 1)/3) plus average annual Start Printed Page 40801burden over 3-year clearance period for preparing annual report ((4 + 1 + 1)/3)], for a total of 1,153,000 hours (rounded to the nearest thousand); 173,115 motor vehicle dealers subject to the FTC's jurisdiction at an average annual burden of 5 hours and 40 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of Program ((5+1+1)/3) plus average annual burden over 3-year clearance period for staff training ((2 + 1 + 1)/3) plus average annual burden over 3-year clearance period for preparing annual report ((4 + 1 + 1)/3)], for a total of 981,000 hours (rounded to the nearest thousand); and 10,813,525 low-risk entities subject to the FTC's jurisdiction at an average annual burden of approximately 23 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((20 + 5 + 5)/3) plus average annual burden over 3-year clearance period for staff training ((10+5+5)/3) plus average annual burden over 3-year clearance period for preparing annual report ((10 + 5 + 5)/3], for a total of 4,145,000 hours (rounded to the nearest thousand).

The FTC requests comment on whether the proposed regulations are sufficiently flexible to minimize the burden of compliance on entities that are not subject to a significant risk of identity theft. If not, are there ways in which the burden for such entities could be minimized further? If so, what are the ways in which the burden could be minimized further?

The proposed regulations implementing Section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. FTC staff believes that there may be as many as 3,764 credit or debit card issuers under the FTC's jurisdiction.[47] FTC staff estimates that most of the credit or debit card issuers are high-risk entities that already have automated the process of notifying the cardholder or using other means to assess the validity of the change of address, such that implementation will pose no further burden. Nevertheless, in order to be conservative, FTC staff estimates that it will take 100 credit or debit card issuers 4 hours to develop and implement policies and procedures to assess the validity of a change of address request for a total burden of 400 hours.

Estimated Cost Burden: FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with the proposed regulations, as they entail varying compensation levels of management and/or technical staff among companies of different sizes. In calculating the cost figures, staff assumes that for high-risk entities, professional technical personnel and/or managerial personnel will create and implement the Program, prepare the annual report, train employees, and assess the validity of a change of address request, at an hourly rate of $32.00.[48] Staff assumes that for low-risk entities, administrative support personnel will justify the low-risk of identity theft, prepare the annual report, and train employees, at an hourly rate of $16.00.[49]

Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the proposed regulations implementing section 114 are $134,621,000 (rounded to the nearest thousand) [((1,153,000 hours + 400 hours + 981,000 hours) × $32.00 = $68,301,000) + (4,145,000 hours × $16.00 = $66,320,000)].

Section 315: Estimated Hours Burden: User Policies and Procedures: As discussed above, the regulations implementing section 315 provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency. Given the broad scope of users of consumer reports, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC's jurisdiction. As noted above, there are numerous small businesses under the FTC's jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the proposed regulations implementing section 315 will affect approximately 1.6 million users of consumer reports subject to the FTC's jurisdiction.[50] As detailed below, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance is sought will be 831,000 hours (rounded to the nearest thousand). The estimated annual labor cost associated with this burden is $13,296,000 (rounded to the nearest thousand).

Although Section 315 created a new obligation for consumer reporting agencies to provide a notice of address discrepancy to users of consumer reports, prior to FACTA's enactment, users of consumer reports could compare the address on the consumer report to the address provided by the consumer and discern for themselves any discrepancy. As a result, FTC staff believes that many users of consumer reports have developed methods of reconciling address discrepancies, and the following estimates represent the incremental amount of time it will take users of consumer reports to develop and comply with the policies and procedures for when they receive a notice of address discrepancy.

Due to the varied nature of the entities under the jurisdiction of the FTC, it is difficult to determine the appropriate burden estimates. For example, users of consumer reports can range from a landlord renting a single unit who may use no more than one consumer report a year, to insurance companies that may use thousands of consumer reports a year. FTC staff estimates that it may take a small user no more than 16 minutes to develop and comply with the policies and procedures that it will employ when it receives a notice of address discrepancy, whereas a large user may take 1 hour. Similarly, FTC staff estimates that, during the remaining two years of the clearance, it may take a small user no more than 1 minute to comply with the policies and procedures that it will employ when it receives a notice of address discrepancy, whereas a large user may take 45 minutes. Taking into account these extremes, FTC staff estimates that, during the first year of the clearance, it will take users of consumer reports under the jurisdiction of the FTC an average of 40 minutes [the midrange between 16 minutes and 60 minutes is approximately 38 minutes rounded to 40 minutes] to develop and comply with the policies and procedures that they Start Printed Page 40802will employ when they receive a notice of address discrepancy. FTC staff also estimates that the average recurring burden during the remaining two years of the clearance period will be 25 minutes [the midrange between 1 minute and 45 minutes is approximately 23 minutes rounded to 25 minutes].

Furnishing Correct Addresses: The proposed regulations implementing section 315 also require a user of consumer reports to furnish an address that the user has reasonably confirmed is accurate to the consumer reporting agency from which it receives a notice of address discrepancy, but only to the extent that such user regularly and in the ordinary course of business furnishes information to such consumer reporting agency. FTC staff believes that only 10,000 of the 1,658,758 users of consumer reports furnish information to consumer reporting agencies as part of their usual and customary business practices,[51] therefore, only these 10,000 users of consumer reports will be affected by the portion of the proposed regulations that require furnishing the correct address. FTC staff estimates that it will take such users of consumer reports 30 minutes to develop the policies and procedures for furnishing the correct address to the consumer reporting agencies pursuant to the proposed regulations for implementing section 315. FTC staff believes that users of consumer reports that furnish information to consumer reporting agencies as part of their usual and customary business practices will have automated the process of furnishing the correct address in the first year of the clearance, therefore, there will be no annual recurring burden.

Accordingly, FTC staff estimates that the proposed regulations implementing section 315 affect 1,658,758 users of consumer reports subject to the FTC's jurisdiction that must develop policies and procedures that they will employ when they receive a notice of address discrepancy, at an average annual burden of 30 minutes per entity [average annual burden over 3-year clearance period = (40 + 25 + 25)/3)], for a total of approximately 829,000 hours (rounded to the nearest thousand). The 10,000 of those users described above must also furnish the correct address to the consumer reporting agency, at an average annual burden of 10 minutes per entity [average annual burden over 3-year clearance period = ((30 + 0 + 0)/3)], for a total of 2,000 hours (rounded to the nearest thousand).

Estimated Cost Burden: FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with the proposed regulations, as they entail varying compensation levels of different types of support staff among companies of different sizes, as well as users of consumer reports with no employees. Nonetheless, in calculating the cost figures, staff assumes that the policies and procedures for notice of address discrepancy and furnishing the correct address will be set up by administrative support personnel at an hourly rate of $16.00.[52]

Based on the above estimates and assumptions, the total annual labor costs for the two categories of burden under the proposed regulations implementing section 315 are $13,296,000 (rounded to the nearest thousand) [(829,000 hours + 2,000 hours) × $16.00].

B. Regulatory Flexibility Act

OCC: When an agency issues a rulemaking proposal, the Regulatory Flexibility Act (RFA), requires the agency to publish an initial regulatory flexibility analysis unless the agency certifies that the rule will not have “a significant economic impact on a substantial number of small entities.” [53] 5 U.S.C. 603, 605(b). The OCC has reviewed the impact of the proposed regulations on small banks and certifies that that proposed regulations, if adopted as proposed, would not have a significant economic impact on a substantial number of small entities.

The proposed rulemaking implements sections 114 and 315 of the FACT Act and applies to all national banks, Federal branches and agencies and their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act,[54] 1,011 of which have assets of less than or equal to $165 million.

The proposed regulations implementing section 114 require the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate identity theft. The proposed regulations also require card issuers to assess the validity of a notice of address change under certain circumstances.

The OCC believes that the requirements in the proposed regulations implementing section 114 of the FACT Act are consistent with banks' usual and customary business practices used to minimize losses due to fraud in connection with new and existing accounts. Banks also are likely to have implemented most of the proposed requirements as a result of having to comply with other existing regulations and guidance. For example, national banks are already subject to CIP rules requiring them to verify the identity of a person opening a new account.[55] A covered entity may use the policies and procedures developed to comply with the CIP rules to satisfy the identity verification requirements in the proposed rules.

National banks complying with the “Interagency Guidelines Establishing Information Security Standards” [56] and guidance recently issued by the FFIEC titled “Authentication in an Internet Banking Environment” [57] already will have policies and procedures in place to detect attempted and actual intrusions into customer information systems. Banks complying with the OCC's “Guidance on Identity Theft and Pretext Calling” [58] already will have policies and procedures to verify the validity of change of address requests on existing accounts.

In addition, the flexibility incorporated into the proposed rulemaking provides a covered entity with discretion to design and implement a program that is tailored to its size and complexity and the nature and scope of its operations. In this regard, the OCC believes that expenditures associated with establishing and implementing an identity theft prevention program will be commensurate with the size of the bank.

The OCC believes that the proposed regulations implementing section 114, if adopted as proposed, will not impose undue costs on national banks and will not have a substantial economic impact on a substantial number of small national banks. Nonetheless, the OCC specifically requests comment and specific data on the size of the incremental burden creating an identity theft prevention program would have on small national banks, given banks' Start Printed Page 40803current practices and compliance with existing requirements. The OCC also requests comment on how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

The regulations implementing section 315 require users of consumer reports to have various policies and procedures to respond to the receipt of an address discrepancy. The FACT Act already requires CRAs to provide notices of address discrepancy to users of credit reports. The OCC understands that as a matter of good business practice, most national banks currently have policies and procedures in place to respond to these notices when they are provided in connection with both new and existing accounts, by furnishing an address for the consumer that the bank has reasonably confirmed is accurate to the CRA from which it received the notice of address discrepancy. In addition, with respect to new accounts, a national bank already is required by the CIP rules to ensure that it knows the identity of a person opening a new account and to keep a record describing the resolution of any substantive discrepancy discovered during the verification process.

Given current practices of national banks in responding to notices of address discrepancy from CRAs, and the existing requirements in the CIP rule, the OCC believes that the proposed regulations implementing section 315, if adopted as proposed, will not impose undue costs on national banks and likely will not have a significant economic impact on a substantial number of national banks. Nonetheless, the OCC specifically requests comment on whether the proposed requirements differ from small banks' current practices and whether the proposed requirements on users of consumer reports to have policies and procedures to respond to the receipt of an address discrepancy could be altered to minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

Board: The Regulatory Flexibility Act (RFA) (5 U.S.C. 601 et seq.) requires an agency either to provide an initial regulatory flexibility analysis with a proposed rule or certify that the proposed rule will not have a significant economic impact on a substantial number of small entities (defined for purposes of the RFA to include commercial banks and other depository institutions with less than $165 million in assets).

A. Reasons for the Proposed Rule

The FACT Act amends the FCRA and was enacted, in part, for the purpose of preventing the theft of consumer information. The statute contains several provisions relating to the detection, prevention, and mitigation of identity theft. The Board is proposing rules to implement statutory directives in section 114 of the FACT Act, which amends section 615 of the FCRA, and section 315 of the FACT Act, which amends section 605 of the FCRA, that require the Board to prescribe regulations jointly with other federal agencies.

Section 114 requires the Board to prescribe regulations that require financial institutions and creditors to establish policies and procedures to implement guidelines established by the Board that address identity theft with respect to account holders and customers. Section 114 also requires the Board to adopt regulations applicable to credit and debit card issuers to implement policies and procedures to assess the validity of change of address requests. Section 315 requires the Board to prescribe regulations that provide guidance regarding reasonable policies and procedures that a user of consumers' reports should employ to verify the identity of a consumer when a consumer reporting agency provides a notice of address discrepancy relating to that consumer.

B. Statement of Objectives and Legal Basis

The SUPPLEMENTARY INFORMATION above contains information on the objectives of the final rules. The legal bases for the proposed rules are sections 114 and 315 of the FACT Act.

C. Description of Small Entities To Which the Rule Applies

The Board's proposed rule would apply to all banks that are members of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.). The Board's rule would apply to the following institutions (numbers approximate): State member banks (902), U.S. branches and agencies of foreign banks (206), commercial lending companies owned or controlled by foreign banks (3), and Edge and agreement corporations (71), for a total of approximately 1,182 institutions. The Board estimates that more than 550 of these institutions could be considered small institutions with assets less than $165 million.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

Section 114 requires the Board to prescribe regulations that require financial institutions and creditors to establish reasonable policies and procedures to implement guidelines established by the Board and other federal agencies that address identity theft with respect to account holders and customers. This would be implemented by requiring a covered financial institution or creditor to create an Identity Theft Prevention Program that detects, prevents and mitigates the risk of identity theft applicable to its accounts.

Section 114 also requires the Board to adopt regulations applicable to credit and debit card issuers to implement policies and procedures to assess the validity of change of address requests. The proposed rule would implement this by requiring credit and debit card issuers to establish reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a debit or credit card account and within a short period of time afterwards (at least 30 days), the issuer receives a request for an additional or replacement card for the same account.

Section 315 requires the Board to prescribe regulations that provide guidance regarding reasonable policies and procedures that a user of consumers' reports should employ to verify the identity of a consumer when a consumer reporting agency provides a notice of address discrepancy relating to that consumer and to reconcile the address discrepancy with the consumer reporting agency in certain circumstances. The proposed rule would require users of consumer reports to develop and implement reasonable policies and procedures for verifying the identity of a consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy and to reconcile an address discrepancy with the appropriate consumer reporting agency in certain circumstances.

The Board seeks information and comment on any costs, compliance requirements, or changes in operating procedures arising from the application of the proposed rules in addition to or which may differ from those arising Start Printed Page 40804from the application of the statute generally.

E. Identification of Duplicative, Overlapping, or Conflicting Federal Rules

The Board is unable to identify any federal statutes or regulations that would duplicate, overlap, or conflict with the proposed rule. The Board seeks comment regarding any statutes or regulations, including state or local statutes or regulations, that would duplicate, overlap, or conflict with the proposed rule, including particularly any statutes or regulations that address situations in which institutions must adopt specified policies and procedures to detect or prevent identity theft or mitigate identity theft that has occurred.

Section 222.90 of the Board's proposed rule would require financial institutions and creditors that are subject to the Board's rule to implement a written identity theft program that includes reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor. Many of these entities also are subject to the Interagency Guidelines Establishing Standards for Safeguarding Customer Information (see 12 CFR part 208, appendix D-1) and rules of the Department of the Treasury that require these entities to implement customer identification programs (see 31 CFR 103.121).

Programs adopted pursuant to these requirements would include policies and procedures that would safeguard against the theft of customer information and would be considered complementary to the identity theft prevention program that would be required under § 222.90. For example, proposed § 222.90(d) would require that institutions adopt reasonable policies and procedures to, among other things, obtain identifying information about, and verify the identity of, persons opening an account. The proposed rule indicates that policies and procedures an institution has adopted under the Department of the Treasury's rules on customer identification programs would satisfy this requirement.

F. Discussion of Significant Alternatives

The proposed rules would require financial institutions and creditors to create an Identity Theft Prevention Program, maintain a record of the Program, and report to the board of directors, a committee of the board, or senior management at least annually on compliance with the regulations. Credit and debit card issuers would be required to assess the validity of a change of address request by notifying the cardholder or using other means to assess the validity of a change of address. Users of consumer reports would be required to furnish an address that the user has reasonably confirmed is accurate to the consumer reporting agency from which it receives a notice of address discrepancy.

The Board welcomes comments on any significant alternatives, consistent with the mandates in section 114 and 315, that would minimize the impact of the proposed rules on small entities.

FDIC: In accordance with the Regulatory Flexibility Act (5 U.S.C. 601-612) (RFA), an agency must publish an initial regulatory flexibility analysis with its proposed rule, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities (defined for purposes of the RFA to include banks with less than $165 million in assets). The FDIC hereby certifies that the proposed rule would not have a significant economic impact on a substantial number of small entities.

Under the proposed rule, financial institutions and creditors must have a written program that includes controls to address the identity theft risks they have identified. With respect to credit and debit card issuers, the program also must include policies and procedures to assess the validity of change of address requests. Users of consumer reports must have reasonable policies and procedures with respect to address discrepancies. The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities, and be flexible to address changing identity theft risks as they arise. A financial institution or creditor may wish to combine its program to prevent identity theft with its information security program, as these programs are complementary in many ways.

The proposed rule would apply to all FDIC-insured state nonmember banks, approximately 3,400 of which are small entities. The proposed rule is drafted in a flexible manner that allows institutions to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. The proposed rule would also permit institutions to modify existing information security programs to address identity theft. The FDIC also believes that many institutions have already implemented a significant portion of the detection and mitigation efforts required by the proposed rule.

OTS: When an agency issues a rulemaking proposal, the Regulatory Flexibility Act (RFA), requires the agency to publish an initial regulatory flexibility analysis unless the agency certifies that the rule will not have “a significant economic impact on a substantial number of small entities.” [59] 5 U.S.C. 603, 605(b). OTS has reviewed the impact of the proposed regulations on small savings associations and certifies that that proposed regulations, if adopted as proposed, would not have a significant economic impact on a substantial number of small entities.

The proposed rulemaking would implement sections 114 and 315 of the FACT Act and would apply to all savings associations (and federal savings association operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act),[60] 446 of which have assets of less than or equal to $165 million.

The proposed regulations implementing section 114 would require the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate identity theft. The proposed regulations also would require card issuers to assess the validity of a notice of address change under certain circumstances.

OTS believes that the proposed requirements implementing section 114 of the FACT Act would be consistent with savings associations' usual and customary business practices used to minimize losses due to fraud in connection with new and existing accounts. Savings associations also are likely to have implemented most of the proposed requirements as a result of having to comply with other existing regulations and guidance. For example, savings associations are already subject to CIP rules requiring them to verify the identity of a person opening a new account.[61] A covered entity may use the policies and procedures developed to comply with the CIP rules to satisfy the identity verification requirements in the proposed rules.

Savings associations complying with the “Interagency Guidelines Establishing Information Security Start Printed Page 40805Standards” [62] and guidance recently issued by the FFIEC titled “Authentication in an Internet Banking Environment” [63] already will have policies and procedures in place to detect attempted and actual intrusions into customer information systems. Savings associations complying with OTS's guidance on “Identity Theft and Pretext Calling” [64] already will have policies and procedures to verify the validity of change of address requests on existing accounts.

In addition, the flexibility incorporated into the proposed rulemaking provides a covered entity with discretion to design and implement a program that is tailored to its size and complexity and the nature and scope of its operations. In this regard, OTS believes that expenditures associated with establishing and implementing a program would be commensurate with the size of the savings associations.

OTS believes that the proposed regulations implementing section 114 would not impose undue costs on savings associations and likely would have a minimal economic impact on small savings associations. Nonetheless, OTS specifically requests comment and specific data on the size of the incremental burden creating a program would have on small savings associations, given their current practices and compliance with existing requirements. OTS also requests comment on how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

The proposed regulations implementing section 315 would require users of consumer reports to have various policies and procedures to respond to the receipt of an address discrepancy. The FACT Act already requires CRAs to provide notices of address discrepancy to users of credit reports. OTS understands that as a matter of good business practice, most savings associations currently have policies and procedures in place to respond to these notices when they are provided in connection with both new and existing accounts, by furnishing an address for the consumer that the savings association has reasonably confirmed is accurate to the CRA from which it received the notice of address discrepancy. In addition, with respect to new accounts, a savings association already is required by the CIP rules to ensure that it knows the identity of a person opening a new account and to keep a record describing the resolution of any substantive discrepancy discovered during the verification process.

Given current practices of savings associations in responding to notices of address discrepancy from CRAs, and the existing requirements in the CIP rule, OTS believes that the proposed regulations implementing section 315 would not impose undue costs on savings associations and likely would have a minimal economic impact on small savings associations. Nonetheless, OTS specifically requests comment on whether the proposed requirements differ from small savings associations' current practices and how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act.

NCUA: The Regulatory Flexibility Act requires NCUA to prepare an analysis to describe any significant economic impact a regulation may have on a substantial number of small credit unions (primarily those under $10 million in assets). The NCUA certifies the proposed rule will not have a significant economic impact on a substantial number of small credit unions and therefore, a regulatory flexibility analysis is not required.

FTC: The Regulatory Flexibility Act (“RFA”), 5 U.S.C. 601-612, requires that the Commission provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule and a Final Regulatory Flexibility Analysis (“FRFA”), if any, with the final rule, unless the Commission certifies that the rule will not have a significant economic impact on a substantial number of small entities. See 5 U.S.C. 603-605.

The Commission does not anticipate that the proposed regulations will have a significant economic impact on a substantial number of small entities. The Commission recognizes that the proposed regulations will affect a substantial number of small businesses. We do not expect, however, that the proposed requirements will have a significant economic impact on these small entities.

This document serves as notice to the Small Business Administration of the FTC's certification of no effect. To ensure the accuracy of this certification, however, the Commission requests comment on whether the proposed regulations will have a significant impact on a substantial number of small entities, including specific information on the number of entities that would be covered by the proposed regulations, the number of these companies that are “small entities,” and the average annual burden for each entity. Although the Commission certifies under the RFA that the regulations proposed in this notice would not, if promulgated, have a significant impact on a substantial number of small entities, the Commission has determined, nonetheless, that it is appropriate to publish an IRFA in order to inquire into the impact of the proposed regulations on small entities. Therefore, the Commission has prepared the following analysis:

1. Description of the Reasons That Action by the Agency Is Being Taken

The Federal Trade Commission is charged with enforcing the requirements of sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (15 U.S.C. 1681m(e) and 1681c(h)(2)), which require the agency to issue these proposed regulations.

2. Statement of the Objectives of, and Legal Basis for, the Proposed Regulations

The objective of the proposed regulations is to establish guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft. In addition, the proposed regulations require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. They also set out requirements for policies and procedures that a user of consumer reports must employ when such a user receives a notice of address discrepancy from a consumer reporting agency described in section 603(p) of the FCRA. The legal basis for the proposed regulations is 15 U.S.C. 1681m(e) and1681c(h)(2).

3. Small Entities To Which the Proposed Rule Will Apply

The proposed regulations apply to a wide variety of business categories under the Small Business Size Standards. Generally, the proposed regulations would apply to financial institutions, creditors, and users of consumer reports. In particular, entities under FTC's jurisdiction covered by section 114 include State-chartered credit unions, non-bank lenders, mortgage brokers, automobile dealers, utility companies, telecommunications companies, and any other person that regularly participates in a credit decision, including setting the terms of credit. The section 315 requirements Start Printed Page 40806apply to State-chartered credit unions, non-bank lenders, insurers, landlords, employers, mortgage brokers, automobile dealers, collection agencies, and any other person who requests a consumer report from a consumer reporting agency described in section 603(p) of the FCRA.

Given the coverage of the proposed rule, a very large number of small entities across almost every industry could be subject to the Rule. For the majority of these entities, a small business is defined by the Small Business Administration as one whose average annual receipts do not exceed $6 million or who have fewer than 500 employees.[65]

Section 114: As discussed in the PRA section of this Notice, given the broad scope of section 114's requirements, it is difficult to determine with precision the number of financial institutions and creditors that are subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the proposed regulations implementing section 114 will affect over 3500 financial institutions and over 11 million creditors [66] subject to the FTC's jurisdiction, for a combined total of approximately 11.1 million affected entities. Of this total, the FTC staff expects that well over 90% of these firms qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors), but requests comment on the number of small businesses that would be covered by the rule.

The proposed regulations implementing Section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. Indeed, the proposed regulations require credit and debit card issuers to notify the cardholder or to use another means of assessing the validity of the change of address. FTC staff believes that there may be as many as 3,764 credit or debit card issuers that fall under the jurisdiction of the FTC and that well over 90% of these firms qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors), but requests comment on the number of small businesses that would be covered by the rule.

Section 315: As discussed in the PRA section of this Notice, given the broad scope of section 315's requirements, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the proposed regulations implementing section 315 will affect approximately 1.6 million users of consumer reports subject to the FTC's jurisdiction [67] and that well over 90% of these firms qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors), but requests comment on the number of small businesses that would be covered by the rule.

4. Projected Reporting, Recordkeeping and Other Compliance Requirements

The proposed requirements will involve some increased costs for affected parties. Most of these costs will be incurred by those required to draft identity theft Programs and annual reports. There will also be costs associated with training, and for credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. In addition, there will be costs related to developing reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency, and for furnishing an address that the user has reasonably confirmed is accurate The Commission does not expect, however, that the increased costs associated with proposed regulations will be significant as explained below.

Section 114: The FTC staff estimates that there may be as many as 90% of the businesses affected by the proposed rules under section 114 that are subject to a high-risk of identity theft that qualify as small businesses, but staff requests comment on the number of small businesses that would be affected. It is likely that such entities already engage in various activities to minimize losses due to fraud as part of their usual and customary business practices. Accordingly, the impact of the proposed requirements would be merely incremental and not significant. In particular, the rule will direct many of these entities to consolidate their existing policies and procedures into a written Program and may require some additional staff training.

The FTC expects that well over 90% of the businesses affected by the proposed rules under section 114 that are subject to a low risk of identity theft qualify as small businesses under existing size standards (i.e., $165 million in assets for financial institutions and $6.5 million in sales for many creditors), but the staff requests comment on the number of small businesses that would be covered by the rule. As discussed in the PRA section of this Notice, it is unlikely that such low-risk entities employ the measures to detect and address identity theft. Nevertheless, the proposed requirements are drafted in a flexible manner that allows entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. As a result, the FTC staff expects that the burden on these low-risk entities will be minimal (i.e., not significant). The proposed regulations would require low-risk entities that have no existing identity theft procedures to justify in writing their low-risk of identity theft, train staff to be attentive to future risks of identity theft, and prepare the annual report. The FTC staff believes that, for the affected low-risk entities, such activities will not be complex or resource-intensive tasks.

The proposed regulations implementing Section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. It is likely that most of the entities have automated the process of notifying the cardholder or using other means to assess the validity of the change of address such that implementation will pose no further burden. For those that do not, the FTC staff expects that a small number of such entities (100) will need to develop policies and procedures to assess the validity of a change of Start Printed Page 40807address request. The impacts on such entities should not be significant, however.

Section 315: The regulations implementing section 315 provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency. The proposed regulations also require a user of consumer reports to furnish an address that the user has reasonably confirmed is accurate to the consumer reporting agency from which it receives a notice of address discrepancy, but only to the extent that such user regularly and in the ordinary course of business furnishes information to such consumer reporting agency. The FTC staff believes that the impacts on users of consumer reports that are small businesses will not be significant. As discussed in the PRA section of this Notice, the FTC staff believes that it will not take users of consumer reports under FTC jurisdiction a significant amount of time to develop policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff believes that only 10,000 of such users of consumer reports furnish information to consumer reporting agencies as part of their usual and customary business practices and that approximately 20% of these entities qualify as small businesses. Therefore, the staff estimates that 2,000 small businesses will be affected by this portion of the proposed regulation that requires furnishing the correct address. As discussed in the PRA section of this Notice, FTC staff estimates that it will not take such users of consumer reports a significant amount of time to develop the policies and procedures for furnishing the correct address to the consumer reporting agencies pursuant to the proposed regulations for implementing section 315. The FTC staff estimates that the costs associated with these impacts will not be significant.

The Commission does not expect that there will be any significant legal, professional, or training costs to comply with the Rule. Although it is not possible to estimate small businesses' compliance costs precisely, such costs are likely to be quite modest for most small entities. Nonetheless, because the Commission is concerned about the potential impact of the proposed Rule on small entities, it specifically invites comment on the costs of compliance for such parties. In particular, although the Commission does not expect that small entities will require legal assistance to meet the proposed Rule's requirements, the Commission requests comment on whether small entities believe that they will incur such costs and, if so, what they will be. In addition, the Commission requests comment on the costs, if any, of training relevant employees regarding the proposed requirements. The Commission invites comment and information on these issues.

5. Duplicative, Overlapping, or Conflicting Federal Rules

The Commission has not identified any other federal statutes, rules, or policies that would duplicate, overlap, or conflict with the proposed Rule. The Commission invites comment and information on this issue.

6. Significant Alternatives to the Proposed Rule

The standards in the proposed Rule are flexible, and take into account a covered entity's size and sophistication, as well as the costs and benefits of alternative compliance methods. Nevertheless, the Commission seeks comment and information on the need, if any, for alternative compliance methods that, consistent with the statutory requirements, would reduce the economic impact of the rule on such small entities, including the need, if any, to delay the rule's effective date to provide additional time for small business compliance.

If the comments filed in response to this notice identify small entities that are affected by the rule, as well as alternative methods of compliance that would reduce the economic impact of the rule on such entities, the Commission will consider the feasibility of such alternatives and determine whether they should be incorporated into the final rule.

C. OCC and OTS Executive Order 12866 Determination

The OCC and the OTS each has determined that this proposed rulemaking, mandated by sections 114 and 315 of the FACT Act, is not a significant regulatory action under Executive Order 12866.

The OCC and OTS believe that national banks and savings associations, respectively, already have procedures in place that fulfill many of the requirements of the proposed regulations because they are consistent with institutions' usual and customary business practices used to minimize losses due to fraud in connection with new and existing accounts. Institutions also are likely to have implemented many of the proposed requirements as a result of complying with other existing regulations and guidance. For these reasons, and for the reasons discussed elsewhere in this preamble, the OCC and OTS each believes that the burden stemming from this rulemaking will not cause the proposed rules to be a “significant regulatory action.”

Nevertheless, because the proposed rulemaking implements new statutory requirements, it may impose costs on some national banks and savings associations by requiring them to formalize or enhance their existing policies and procedures. Therefore, the OCC and OTS invite national banks, savings associations and the public to provide any cost estimates and related data that they think would be useful in evaluating the overall costs of this rulemaking. The OCC and OTS will review any comments and cost data provided carefully, and will revisit the cost aspects of the proposed rules in developing final rules.

D. OCC and OTS Executive Order 13132 Determination

The OCC and the OTS each has determined that this proposal does not have any federalism implications for purposes of Executive Order 13132.

E. NCUA Executive Order 13132 Determination

Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on State and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5) voluntarily complies with the Executive Order. The proposed rule applies only to federally chartered credit unions and would not have substantial direct effects on the States, on the connection between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. The NCUA has determined that this proposed rule does not constitute a policy that has federalism implications for purposes of the Executive Order.

F. OCC and OTS Unfunded Mandates Reform Act of 1995 Determination

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104-4 (Unfunded Mandates Act) requires that an agency prepare a budgetary impact statement before promulgating a rule that includes a Federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year (adjusted annually for inflation). If a budgetary impact Start Printed Page 40808statement is required section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule.

The OCC and OTS each believes that the financial institutions subject to their jurisdiction covered by the proposed rules already have identity theft prevention programs because it is a sound business practice. In addition, key elements of the proposed rules are elements in existing regulations and guidance. Therefore, the OCC and OTS each has determined that this proposed rule will not result in expenditures by State, local, and tribal governments, or by the private sector, that exceed the expenditure threshold. Accordingly, neither the OCC nor OTS has prepared a budgetary impact statement or specifically addressed regulatory alternatives considered.

G. NCUA: The Treasury and General Government Appropriations Act, 1999—Assessment of Federal Regulations and Policies on Families

The NCUA has determined that this proposed rule would not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998).

H. Community Bank Comment Request

The Agencies invite your comments on the impact of this proposal on community banks. The Agencies recognize that community banks operate with more limited resources than larger institutions and may present a different risk profile. Thus, the Agencies specifically request comment on the impact of the proposal on community banks' current resources and available personnel with the requisite expertise, and whether the goals of the proposal could be achieved, for community banks, through an alternative approach.

V. Solicitation of Comments on Use of Plain Language

Section 722 of the Gramm-Leach-Bliley Act, Pub. L. 106-102, sec. 722, 113 Stat. 1338, 1471 (Nov. 12, 1999), requires the OCC, Board, FDIC, and OTS to use plain language in all proposed and final rules published after January 1, 2000. Therefore, these agencies specifically invite your comments on how to make this proposal easier to understand. For example:

  • Have we organized the material to suit your needs? If not, how could this material be better organized?
  • Are the requirements in the proposed guidelines and regulations clearly stated? If not, how could the guidelines and regulations be more clearly stated?
  • Do the proposed guidelines and regulations contain language or jargon that is not clear? If so, which language requires clarification?
  • Would a different format (grouping and order of sections, use of headings, paragraphing) make the guidelines and regulations easier to understand? If so, what changes to the format would make them easier to understand?
  • What else could we do to make the guidelines and regulations easier to understand?

VI. Communications by Outside Parties to FTC Commissioners or Their Advisors

Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding from any outside party to any FTC Commissioner or FTC Commissioner's advisor will be placed on the public record. See 16 CFR 1.26(b)(5).

Start List of Subjects

List of Subjects

End List of Subjects

Department of the Treasury

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

For the reasons discussed in the joint preamble, the Office of the Comptroller of the Currency proposes to amend chapter I of title 12 of the Code of Federal Regulations by amending 12 CFR part 41 as follows:

Start Part

PART 41—FAIR CREDIT REPORTING

1. The authority citation for part 41 is revised to read as follows:

Start Authority

Authority: 12 U.S.C. 1 et seq., 24(Seventh), 93a, 481, and 1818; 15 U.S.C. 1681c, 1681m, 1681s, 1681w, 6801 and 6805.

End Authority

Subpart A—General Provisions

2. Amend § 41.3 by revising the introductory text to read as follows:

Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

3. Revise the heading for Subpart I as shown above.

4. Add § 41.82 to read as follows:

Duties of users regarding address discrepancies.

(a) Scope. This section applies to users of consumer reports that receive notices of address discrepancies from credit reporting agencies (referred to as “users”), and that are national banks, Federal branches and agencies of foreign banks, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user of a consumer report by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures for verifying the identity of the consumer for whom it has obtained a consumer report and for whom it Start Printed Page 40809receives a notice of address discrepancy. These policies and procedures must be designed to enable the user either to form a reasonable belief that it knows the identity of the consumer or determine that it cannot do so. A user that employs the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) under these circumstances satisfies this requirement, whether or not the user is subject to the CIP rules.

(d) Consumer's address (1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained;

(ii) Establishes or maintains a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy pertaining to the consumer was obtained.

(2) Requirement to confirm consumer's address. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the person to whom the consumer report pertains;

(ii) Reviewing its own records of the address provided to request the consumer report;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes:

(i) With respect to new relationships, for the reporting period in which it establishes a relationship with the consumer; and

(ii) In other circumstances, for the reporting period in which the user confirms the accuracy of the address of the consumer.

5. Add Subpart J to part 41 to read as follows:

Subpart J—Identity Theft Red Flags

Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Purpose and scope. This section implements section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which amends section 615 of the Fair Credit Reporting Act (FCRA). It applies to financial institutions and creditors that are national banks, Federal branches and agencies of foreign banks, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definitions. For purposes of this section, the following definitions apply:

(1) Account means a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k). Account includes:

(i) An extension of credit for personal, family, household or business purposes, such as a credit card account, margin account, or retail installment sales contract, such as a car loan or lease; and

(ii) A demand deposit, savings or other asset account for personal, family, household, or business purposes, such as a checking or savings account.

(2) The term board of directors includes:

(i) In the case of a foreign branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee.

(3) Customer means a person that has an account with a financial institution or creditor.

(4) Identity theft has the same meaning as in 16 CFR 603.2(a).

(5) Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.

(6) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Identity Theft Prevention Program. Each financial institution or creditor must implement a written Identity Theft Prevention Program (Program). The Program must include reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor, including financial, operational, compliance, reputation, and litigation risks, in the manner discussed in paragraph (d) of this section. The Program must be:

(1) Appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities; and

(2) Designed to address changing identity theft risks as they arise in connection with the experiences of the financial institution or creditor with identity theft, and changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, the types of accounts it offers, and business arrangements, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

(d) Development and implementation of Program. (1) Identification and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must include policies and procedures to identify Red Flags, singly or in combination, that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation set forth in paragraph (d)(1)(ii) of this section. The Red Flags identified must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. At a minimum, the Program must incorporate any relevant Red Flags from:

(A) Appendix J to this part;

(B) Applicable supervisory guidance;

(C) Incidents of identity theft that the financial institution or creditor has experienced; and

(D) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

(ii) Risk evaluation. In identifying which Red Flags are relevant, the financial institution or creditor must consider:

(A) Which of its accounts are subject to a risk of identity theft;

(B) The methods it provides to open these accounts;

(C) The methods it provides to access these accounts; and

(D) Its size, location, and customer base.

(2) Identity theft prevention and mitigation. The Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account, including policies and procedures to:

(i) Obtain identifying information about, and verify the identity of, a person opening an account. A financial institution or creditor that uses the policies and procedures regarding Start Printed Page 40810identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l), under these circumstances, satisfies this requirement whether or not the user is subject to the CIP rules;

(ii) Detect the Red Flags identified pursuant to paragraph (d)(1) of this section;

(iii) Assess whether the Red Flags detected pursuant to paragraph (d)(2)(ii) of this section evidence a risk of identity theft. An institution or creditor must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft; and

(iv) Address the risk of identity theft, commensurate with the degree of risk posed, such as by:

(A) Monitoring an account for evidence of identity theft;

(B) Contacting the customer;

(C) Changing any passwords, security codes, or other security devices that permit access to a customer's account;

(D) Reopening an account with a new account number;

(E) Not opening a new account;

(F) Closing an existing account;

(G) Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(H) Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or

(I) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.

(3) Staff training. Each financial institution or creditor must train staff to implement its Program.

(4) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity on its behalf and the requirements of its Program are applicable to that activity (such as account opening), the financial institution or creditor must take steps designed to ensure that the activity is conducted in compliance with a Program that meets the requirements of paragraphs (c) and (d) of this section.

(5) Involvement of board of directors and senior management. (i) Board approval. The board of directors or an appropriate committee of the board must approve the written Program.

(ii) Oversight by board or senior management. The board of directors, an appropriate committee of the board, or senior management must oversee the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation, and reviewing annual reports prepared by staff regarding compliance by the financial institution or creditor with this section.

(iii) Reports. (A) In general. Staff of the financial institution or creditor responsible for implementation of its Program must report to the board, an appropriate committee of the board, or senior management, at least annually, on compliance by the financial institution or creditor with this section.

(B) Contents of report. The report must discuss material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program.

Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 41.90(a) that issues a debit or credit card.

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) In general. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, unless, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1) Notifies the cardholder of the request at the cardholder's former address and provides to the cardholder a means of promptly reporting incorrect address changes;

(2) Notifies the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or

(3) Uses other means of assessing the validity of the change of address, in accordance with the policies and procedures the card issuer has established pursuant to § 41.90.

(d) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph shall be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

6. Reserve appendices B through I to part 41.

7. Add Appendix J to part 41 to read as follows:

Appendix J to Part 41—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Red Flags in Connection With an Account Application or an Existing Account Information From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A notice of address discrepancy is provided by a consumer reporting agency.

3. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries.

b. An unusual number of recently established credit relationships.

c. A material change in the use of credit, especially with respect to recently established credit relationships.

d. An account was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Documentary Identification

4. Documents provided for identification appear to have been altered.

5. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

6. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.

7. Other information on the identification is not consistent with information that is on file, such as a signature card.

Personal Information

8. Personal information provided is inconsistent when compared against external information sources. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

9. Personal information provided is internally inconsistent. For example, there is Start Printed Page 40811a lack of correlation between the SSN range and date of birth.

10. Personal information provided is associated with known fraudulent activity. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

11. Personal information provided is of a type commonly associated with fraudulent activity. For example:

a. The address on an application is fictitious, a mail drop, or prison.

b. The phone number is invalid, or is associated with a pager or answering service.

12. The address, SSN, or home or cell phone number provided is the same as that submitted by other persons opening an account or other customers.

13. The person opening the account or the customer fails to provide all required information on an application.

14. Personal information provided is not consistent with information that is on file.

15. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Address Changes

16. Shortly following the notice of a change of address for an account, the institution or creditor receives a request for new, additional, or replacement checks, convenience checks, cards, or a cell phone, or for the addition of authorized users on the account.

17. Mail sent to the customer is returned as undeliverable although transactions continue to be conducted in connection with the customer's account.

Anomalous Use of the Account

18. A new revolving credit account is used in a manner commonly associated with fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

19. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

20. An account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

Notice from Customers or Others Regarding Customer Accounts

21. The financial institution or creditor is notified of unauthorized charges in connection with a customer's account.

22. The financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.

23. The financial institution or creditor is notified that the customer is not receiving account statements.

24. The financial institution or creditor is notified that its customer has provided information to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website.

25. Electronic messages are returned to mail servers of the financial institution or creditor that it did not originally send, indicating that its customers may have been asked to provide information to a fraudulent website that looks very similar, if not identical, to the website of the financial institution or creditor.

Other Red Flags

26. The name of an employee of the financial institution or creditor has been added as an authorized user on an account.

27. An employee has accessed or downloaded an unusually large number of customer account records.

28. The financial institution or creditor detects attempts to access a customer's account by unauthorized persons.

29. The financial institution or creditor detects or is informed of unauthorized access to a customer's personal information.

30. There are unusually frequent and large check orders in connection with a customer's account.

31. The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.

Board of Governors of the Federal Reserve System

12 CFR Chapter II

Authority and Issuance

For the reasons discussed in the joint preamble, the Board of Governors of the Federal Reserve System proposes to amend chapter II of title 12 of the Code of Federal Regulations by amending 12 CFR part 222 as follows:

End Part Start Part

PART 222—FAIR CREDIT REPORTING (REGULATION V)

1. The authority citation for part 222 is revised to read as follows:

Start Authority

Authority: 15 U.S.C. 1681b, 1681c, 1681m and 1681s; Secs. 3, 214, and 216, Pub. L. 108-159, 117 Stat. 1952.

End Authority

2. Amend § 222.3 by revising the introductory text to read as follows:

Subpart A—General Provisions

* * * * *
Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

3. Revise the heading for Subpart I to read as follows:

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

4. Add § 222.82 to read as follows:

Duties of users regarding address discrepancies.

(a) Scope. This section applies to users of consumer reports that receive notices of address discrepancies from credit reporting agencies (referred to as “users”), and that are member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user of a consumer report by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures for verifying the identity of the consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy. These policies and procedures must be designed to enable the user either to form a reasonable belief that it knows the identity of the consumer or determine that it cannot do so. A user that employs the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) under these circumstances satisfies this requirement, whether or not the user is subject to the CIP rules.

(d) Consumer's address. (1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed Start Printed Page 40812is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained;

(ii) Establishes or maintains a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy pertaining to the consumer was obtained.

(2) Requirement to confirm consumer's address. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the person to whom the consumer report pertains;

(ii) Reviewing its own records of the address provided to request the consumer report;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes:

(i) With respect to new relationships, for the reporting period in which it establishes a relationship with the consumer; and

(ii) In other circumstances, for the reporting period in which the user confirms the accuracy of the address of the consumer.

5. Add Subpart J to part 222 to read as follows:

Subpart J—Identity Theft Red Flags

Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Purpose and scope. This section implements section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which amends section 615 of the Fair Credit Reporting Act (FCRA). It applies to financial institutions and creditors that are member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 et seq., and 611 et seq.).

(b) Definitions. For purposes of this section, the following definitions apply:

(1) Account means a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k). Account includes:

(i) An extension of credit for personal, family, household or business purposes, such as a credit card account, margin account, or retail installment sales contract, such as a car loan or lease; and

(ii) A demand deposit, savings or other asset account for personal, family, household, or business purposes, such as a checking or savings account.

(2) The term board of directors includes:

(i) In the case of a foreign branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee.

(3) Customer means a person that has an account with a financial institution or creditor.

(4) Identity theft has the same meaning as in 16 CFR 603.2(a).

(5) Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.

(6) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Identity Theft Prevention Program. Each financial institution or creditor must implement a written Identity Theft Prevention Program (Program). The Program must include reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor, including financial, operational, compliance, reputation, and litigation risks, in the manner discussed in paragraph (d) of this section. The Program must be:

(1) Appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities; and

(2) Designed to address changing identity theft risks as they arise in connection with the experiences of the financial institution or creditor with identity theft, and changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, the types of accounts it offers, and business arrangements, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

(d) Development and implementation of Program. (1) Identification and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must include policies and procedures to identify Red Flags, singly or in combination, that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation set forth in paragraph (d)(1)(ii) of this section. The Red Flags identified must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. At a minimum, the Program must incorporate any relevant Red Flags from:

(A) Appendix J to this part;

(B) Applicable supervisory guidance;

(C) Incidents of identity theft that the financial institution or creditor has experienced; and

(D) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

(ii) Risk evaluation. In identifying which Red Flags are relevant, the financial institution or creditor must consider:

(A) Which of its accounts are subject to a risk of identity theft;

(B) The methods it provides to open these accounts;

(C) The methods it provides to access these accounts; and

(D) Its size, location, and customer base.

(2) Identity theft prevention and mitigation. The Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account, including policies and procedures to:

(i) Obtain identifying information about, and verify the identity of, a person opening an account. A financial institution or creditor that uses the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l), under these circumstances, satisfies this requirement whether or not the user is subject to the CIP rules;

(ii) Detect the Red Flags identified pursuant to paragraph (d)(1) of this section;

(iii) Assess whether the Red Flags detected pursuant to paragraph (d)(2)(ii) of this section evidence a risk of identity theft. An institution or creditor must have a reasonable basis for concluding Start Printed Page 40813that a Red Flag does not evidence a risk of identity theft; and

(iv) Address the risk of identity theft, commensurate with the degree of risk posed, such as by:

(A) Monitoring an account for evidence of identity theft;

(B) Contacting the customer;

(C) Changing any passwords, security codes, or other security devices that permit access to a customer's account;

(D) Reopening an account with a new account number;

(E) Not opening a new account;

(F) Closing an existing account;

(G) Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(H) Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or

(I) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.

(3) Staff training. Each financial institution or creditor must train staff to implement its Program.

(4) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity on its behalf and the requirements of its Program are applicable to that activity (such as account opening), the financial institution or creditor must take steps designed to ensure that the activity is conducted in compliance with a Program that meets the requirements of paragraphs (c) and (d) of this section.

(5) Involvement of board of directors and senior management. (i) Board approval. The board of directors or an appropriate committee of the board must approve the written Program.

(ii) Oversight by board or senior management. The board of directors, an appropriate committee of the board, or senior management must oversee the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation, and reviewing annual reports prepared by staff regarding compliance by the financial institution or creditor with this section.

(iii) Reports. (A) In general. Staff of the financial institution or creditor responsible for implementation of its Program must report to the board, an appropriate committee of the board, or senior management, at least annually, on compliance by the financial institution or creditor with this section.

(B) Contents of report. The report must discuss material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program.

Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 222.90(a) that issues a debit or credit card.

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) In general. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, unless, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1) Notifies the cardholder of the request at the cardholder's former address and provides to the cardholder a means of promptly reporting incorrect address changes;

(2) Notifies the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or

(3) Uses other means of assessing the validity of the change of address, in accordance with the policies and procedures the card issuer has established pursuant to section 222.90.

(d) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph shall be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

6. Reserve appendices C through I to part 222.

7. Add Appendix J to part 222 to read as follows:

Appendix J to Part 222—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Red Flags in Connection With an Account Application or an Existing Account Information From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A notice of address discrepancy is provided by a consumer reporting agency.

3. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries.

b. An unusual number of recently established credit relationships.

c. A material change in the use of credit, especially with respect to recently established credit relationships.

d. An account was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Documentary Identification

4. Documents provided for identification appear to have been altered.

5. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

6. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.

7. Other information on the identification is not consistent with information that is on file, such as a signature card.

Personal Information

8. Personal information provided is inconsistent when compared against external information sources. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

9. Personal information provided is internally inconsistent. For example, there is a lack of correlation between the SSN range and date of birth.

10. Personal information provided is associated with known fraudulent activity. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

11. Personal information provided is of a type commonly associated with fraudulent activity. For example:

a. The address on an application is fictitious, a mail drop, or prison. Start Printed Page 40814

b. The phone number is invalid, or is associated with a pager or answering service.

12. The address, SSN, or home or cell phone number provided is the same as that submitted by other persons opening an account or other customers.

13. The person opening the account or the customer fails to provide all required information on an application.

14. Personal information provided is not consistent with information that is on file.

15. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Address Changes

16. Shortly following the notice of a change of address for an account, the institution or creditor receives a request for new, additional, or replacement checks, convenience checks, cards, or a cell phone, or for the addition of authorized users on the account.

17. Mail sent to the customer is returned as undeliverable although transactions continue to be conducted in connection with the customer's account.

Anomalous Use of the Account

18. A new revolving credit account is used in a manner commonly associated with fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

19. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

20. An account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

Notice From Customers or Others Regarding Customer Accounts

21. The financial institution or creditor is notified of unauthorized charges in connection with a customer's account.

22. The financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.

23. The financial institution or creditor is notified that the customer is not receiving account statements.

24. The financial institution or creditor is notified that its customer has provided information to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website.

25. Electronic messages are returned to mail servers of the financial institution or creditor that it did not originally send, indicating that its customers may have been asked to provide information to a fraudulent website that looks very similar, if not identical, to the website of the financial institution or creditor.

Other Red Flags

26. The name of an employee of the financial institution or creditor has been added as an authorized user on an account.

27. An employee has accessed or downloaded an unusually large number of customer account records.

28. The financial institution or creditor detects attempts to access a customer's account by unauthorized persons.

29. The financial institution or creditor detects or is informed of unauthorized access to a customer's personal information.

30. There are unusually frequent and large check orders in connection with a customer's account.

31. The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

For the reasons set forth in the joint preamble, the Federal Deposit Insurance Corporation proposes to amend chapter III of title 12 of the Code of Federal Regulations by amending 12 CFR parts 334 and 364 as follows:

End Part Start Part

PART 334—FAIR CREDIT REPORTING

1. The authority citation for part 334 is revised to read as follows:

Start Authority

Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b, 1681c, 1681m, 1681s, 1681w, 6801 and 6805.

End Authority

Subpart A—General Provisions

2. Amend § 334.3 by revising the introductory text to read as follows:

Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

3. Revise the heading for Subpart I as shown above.

4. Add § 334.82 to read as follows:

Duties of users regarding address discrepancies.

(a) Scope. This section applies to users of consumer reports that receive notices of address discrepancies from credit reporting agencies (referred to as “users”), and that are insured state nonmember banks, insured state licensed branches of foreign banks, or subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user of a consumer report by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures for verifying the identity of the consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy. These policies and procedures must be designed to enable the user either to form a reasonable belief that it knows the identity of the consumer or determine that it cannot do so. A user that employs the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) under these circumstances satisfies this requirement, whether or not the user is subject to the CIP rules.

(d) Consumer's address (1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained;

(ii) Establishes or maintains a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy pertaining to the consumer was obtained.

(2) Requirement to confirm consumer's address. The user may reasonably confirm an address is accurate by: Start Printed Page 40815

(i) Verifying the address with the person to whom the consumer report pertains;

(ii) Reviewing its own records of the address provided to request the consumer report;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes:

(i) With respect to new relationships, for the reporting period in which it establishes a relationship with the consumer; and

(ii) In other circumstances, for the reporting period in which the user confirms the accuracy of the address of the consumer.

5. Add Subpart J to part 334 to read as follows:

Subpart J—Identity Theft Red Flags

Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Purpose and scope. This section implements section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which amends section 615 of the Fair Credit Reporting Act (FCRA). It applies to financial institutions and creditors that are insured state nonmember banks, insured state licensed branches of foreign banks, or subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b) Definitions. For purposes of this section, the following definitions apply:

(1) Account means a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k). Account includes:

(i) An extension of credit for personal, family, household or business purposes, such as a credit card account, margin account, or retail installment sales contract, such as a car loan or lease; and

(ii) A demand deposit, savings or other asset account for personal, family, household, or business purposes, such as a checking or savings account.

(2) The term board of directors includes:

(i) In the case of a foreign branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee.

(3) Customer means a person that has an account with a financial institution or creditor.

(4) Identity theft has the same meaning as in 16 CFR 603.2(a).

(5) Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.

(6) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Identity Theft Prevention Program. Each financial institution or creditor must implement a written Identity Theft Prevention Program (Program). The Program must include reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor, including financial, operational, compliance, reputation, and litigation risks, in the manner discussed in paragraph (d) of this section. The Program must be:

(1) Appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities; and

(2) Designed to address changing identity theft risks as they arise in connection with the experiences of the financial institution or creditor with identity theft, and changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, the types of accounts it offers, and business arrangements, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

(d) Development and implementation of Program. (1) Identification and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must include policies and procedures to identify Red Flags, singly or in combination, that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation set forth in paragraph (d)(1)(ii) of this section. The Red Flags identified must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. At a minimum, the Program must incorporate any relevant Red Flags from:

(A) Appendix J to this part;

(B) Applicable supervisory guidance;

(C) Incidents of identity theft that the financial institution or creditor has experienced; and

(D) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

(ii) Risk evaluation. In identifying which Red Flags are relevant, the financial institution or creditor must consider:

(A) Which of its accounts are subject to a risk of identity theft;

(B) The methods it provides to open these accounts;

(C) The methods it provides to access these accounts; and

(D) Its size, location, and customer base.

(2) Identity theft prevention and mitigation. The Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account, including policies and procedures to:

(i) Obtain identifying information about, and verify the identity of, a person opening an account. A financial institution or creditor that uses the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l), under these circumstances, satisfies this requirement whether or not the user is subject to the CIP rules;

(ii) Detect the Red Flags identified pursuant to paragraph (d)(1) of this section;

(iii) Assess whether the Red Flags detected pursuant to paragraph (d)(2)(ii) of this section evidence a risk of identity theft. An institution or creditor must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft; and

(iv) Address the risk of identity theft, commensurate with the degree of risk posed, such as by:

(A) Monitoring an account for evidence of identity theft;

(B) Contacting the customer;

(C) Changing any passwords, security codes, or other security devices that permit access to a customer's account;

(D) Reopening an account with a new account number;

(E) Not opening a new account;

(F) Closing an existing account;

(G) Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(H) Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or Start Printed Page 40816

(I) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.

(3) Staff training. Each financial institution or creditor must train staff to implement its Program.

(4) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity on its behalf and the requirements of its Program are applicable to that activity (such as account opening), the financial institution or creditor must take steps designed to ensure that the activity is conducted in compliance with a Program that meets the requirements of paragraphs (c) and (d) of this section.

(5) Involvement of board of directors and senior management. (i) Board approval. The board of directors or an appropriate committee of the board must approve the written Program.

(ii) Oversight by board or senior management. The board of directors, an appropriate committee of the board, or senior management must oversee the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation, and reviewing annual reports prepared by staff regarding compliance by the financial institution or creditor with this section.

(iii) Reports. (A) In general. Staff of the financial institution or creditor responsible for implementation of its Program must report to the board, an appropriate committee of the board, or senior management, at least annually, on compliance by the financial institution or creditor with this section.

(B) Contents of report. The report must discuss material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program.

Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 334.90(a) that issues a debit or credit card.

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) In general. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, unless, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1) Notifies the cardholder of the request at the cardholder's former address and provides to the cardholder a means of promptly reporting incorrect address changes;

(2) Notifies the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or

(3) Uses other means of assessing the validity of the change of address, in accordance with the policies and procedures the card issuer has established pursuant to section 334.90.

(d) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph shall be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

6. Reserve appendices A through I to part 334.

7. Add Appendix J to part 334 to read as follows:

Appendix J to Part 334—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Red Flags in Connection With an Account Application or an Existing Account Information From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A notice of address discrepancy is provided by a consumer reporting agency.

3. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries.

b. An unusual number of recently established credit relationships.

c. A material change in the use of credit, especially with respect to recently established credit relationships.

d. An account was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Documentary Identification

4. Documents provided for identification appear to have been altered.

5. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

6. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.

7. Other information on the identification is not consistent with information that is on file, such as a signature card.

Personal Information

8. Personal information provided is inconsistent when compared against external information sources. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

9. Personal information provided is internally inconsistent. For example, there is a lack of correlation between the SSN range and date of birth.

10. Personal information provided is associated with known fraudulent activity. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

11. Personal information provided is of a type commonly associated with fraudulent activity. For example:

a. The address on an application is fictitious, a mail drop, or prison.

b. The phone number is invalid, or is associated with a pager or answering service.

12. The address, SSN, or home or cell phone number provided is the same as that submitted by other persons opening an account or other customers.

13. The person opening the account or the customer fails to provide all required information on an application.

14. Personal information provided is not consistent with information that is on file.

15. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Address Changes

16. Shortly following the notice of a change of address for an account, the institution or creditor receives a request for new, additional or replacement checks, convenience checks, cards, or cell phone, or for the addition of authorized users on the account.

17. Mail sent to the customer is returned as undeliverable although transactions continue to be conducted in connection with the customer's account. Start Printed Page 40817

Anomalous Use of the Account

18. A new revolving credit account is used in a manner commonly associated with fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

19. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

20. An account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

Notice From Customers or Others Regarding Customer Accounts

21. The financial institution or creditor is notified of unauthorized charges in connection with a customer's account.

22. The financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.

23. The financial institution or creditor is notified that the customer is not receiving account statements.

24. The financial institution or creditor is notified that its customer has provided information to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site.

25. Electronic messages are returned to mail servers of the financial institution or creditor that it did not originally send, indicating that its customers may have been asked to provide information to a fraudulent Web site that looks very similar, if not identical, to the Web site of the financial institution or creditor.

Other Red Flags

26. The name of an employee of the financial institution or creditor has been added as an authorized user on an account.

27. An employee has accessed or downloaded an unusually large number of customer account records.

28. The financial institution or creditor detects attempts to access a customer's account by unauthorized persons.

29. The financial institution or creditor detects or is informed of unauthorized access to a customer's personal information.

30. There are unusually frequent and large check orders in connection with a customer's account.

31. The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.

End Part Start Part

PART 364—STANDARDS FOR SAFETY AND SOUNDNESS

8. The authority citation for part 364 continues to read as follows:

Start Authority

Authority: 12 U.S.C. 1819(Tenth), 1831p-1; 15 U.S.C. 1681s, 1681w, 6801(b), 6805(b)(1).

End Authority

9. Add the following sentence at the end of § 364.101(b):

Standards for safety and soundness.
* * * * *

(b) * * * The interagency regulations and guidelines on identity theft detection, prevention, and mitigation prescribed pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. 1681m(e), are set forth in §§ 334.90, 334.91, and Appendix J of part 334.

Department of the Treasury

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

For the reasons discussed in the joint preamble, the Office of Thrift Supervision proposes to amend chapter V of title 12 of the Code of Federal Regulations by amending 12 CFR part 571 as follows:

End Part Start Part

PART 571—FAIR CREDIT REPORTING

1. The authority citation for part 571 is revised to read as follows:

Start Authority

Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, and 1881-1884; 15 U.S.C. 1681b, 1681c, 1681m, 1681s, and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

End Authority

Subpart A—General Provisions

2. Amend § 571.1 by revising paragraph (b)(9) and adding a new paragraph (b)(10) to read as follows:

Purpose and Scope.
* * * * *

(b) Scope.

* * * * *

(9)(i) The scope of § 571.82 of Subpart I of this part is stated in § 571.82(a).

(ii) The scope of § 571.83 of Subpart I of this part is stated in § 571.83(a).

(10) The scope of Subpart J of this part is stated in § 571.90(a).

3. Amend § 571.3 by revising the introductory text to read as follows:

Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

4. Revise the heading for Subpart I as shown above.

5. Add § 571.82 to read as follows:

Duties of users regarding address discrepancies.

(a) Scope. This section applies to users of consumer reports that receive notices of address discrepancies from credit reporting agencies (referred to as “users”), and that are either savings associations whose deposits are insured by the Federal Deposit Insurance Corporation or, in accordance with § 559.3(h)(1) of this chapter, federal savings association operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user of a consumer report by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures for verifying the identity of the consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy. These policies and procedures must be designed to enable the user either to form a reasonable belief that it knows the identity of the consumer or determine that it cannot do so. A user that employs the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) under these circumstances satisfies this requirement, whether or not the user is subject to the CIP rules.

(d) Consumer's address. (1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that it knows the identity of the consumer for Start Printed Page 40818whom the consumer report was obtained;

(ii) Establishes or maintains a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy pertaining to the consumer was obtained.

(2) Requirement to confirm consumer's address. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the person to whom the consumer report pertains;

(ii) Reviewing its own records of the address provided to request the consumer report;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes:

(i) With respect to new relationships, for the reporting period in which it establishes a relationship with the consumer; and

(ii) In other circumstances, for the reporting period in which the user confirms the accuracy of the address of the consumer.

6. Revise § 571.83 by:

a. Redesignating paragraphs (a) and (b) as paragraph (b) and (c), respectively.

b. Adding a new paragraph (a) to read as follows:

Disposition of consumer information.

(a) Scope. This section applies to savings associations whose deposits are insured by the Federal Deposit Insurance Corporation (and federal savings association operating subsidiaries in accordance with § 559.3(h)(1) of this chapter) (defined as “you” in § 571.3(o) of this part).

* * * * *

7. Add Subpart J to part 571 to read as follows:

Subpart J—Identity Theft Red Flags

Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Purpose and scope. This section implements section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which amends section 615 of the Fair Credit Reporting Act (FCRA). It applies to financial institutions and creditors that are either savings associations whose deposits are insured by the Federal Deposit Insurance Corporation or, in accordance with § 559.3(h)(1) of this chapter, federal savings association operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).

(b) Definitions. For purposes of this section, the following definitions apply:

(1) Account means a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k). Account includes:

(i) An extension of credit for personal, family, household or business purposes, such as a credit card account, margin account, or retail installment sales contract, such as a car loan or lease; and

(ii) A demand deposit, savings or other asset account for personal, family, household, or business purposes, such as a checking or savings account.

(2) The term board of directors includes:

(i) In the case of a foreign branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee.

(3) Customer means a person that has an account with a financial institution or creditor.

(4) Identity theft has the same meaning as in 16 CFR 603.2(a).

(5) Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.

(6) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Identity Theft Prevention Program. Each financial institution or creditor must implement a written Identity Theft Prevention Program (Program). The Program must include reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor, including financial, operational, compliance, reputation, and litigation risks, in the manner discussed in paragraph (d) of this section. The Program must be:

(1) Appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities; and

(2) Designed to address changing identity theft risks as they arise in connection with the experiences of the financial institution or credit with identity theft, and changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, the types of accounts it offers, and business arrangements, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

(d) Development and implementation of Program. (1) Identification and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must include policies and procedures to identify Red Flags, singly or in combination, that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation set forth in paragraph (d)(1)(ii) of this section. The Red Flags identified must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. At a minimum, the Program must incorporate any relevant Red Flags from:

(A) Appendix J to this part;

(B) Applicable supervisory guidance;

(C) Incidents of identity theft that the financial institution or creditor has experienced; and

(D) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

(ii) Risk evaluation. In identifying which Red Flags are relevant, the financial institution or creditor must consider:

(A) Which of its accounts are subject to a risk of identity theft;

(B) The methods it provides to open these accounts;

(C) The methods it provides to access these accounts; and

(D) Its size, location, and customer base.

(2) Identity theft prevention and mitigation. The Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account, including policies and procedures to:

(i) Obtain identifying information about, and verify the identity of, a person opening an account. A financial institution or creditor that uses the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l), under these circumstances, Start Printed Page 40819satisfies this requirement whether or not the user is subject to the CIP rules;

(ii) Detect the Red Flags pursuant to paragraph (d)(1) of this section;

(iii) Assess whether the Red Flags detected pursuant to paragraph (d)(2)(ii) of this section evidence a risk of identity theft. An institution or creditor must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft; and

(iv) Address the risk of identity theft, commensurate with the degree of risk posed, such as by:

(A) Monitoring an account for evidence of identity theft;

(B) Contacting the customer;

(C) Changing any passwords, security codes, or other security devices that permit access to a customer's account;

(D) Reopening an account with a new account number;

(E) Not opening a new account;

(F) Closing an existing account;

(G) Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(H) Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h) as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or

(I) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.

(3) Staff training. Each financial institution or creditor must train staff to implement its Program.

(4) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity on its behalf and the requirements of its Program are applicable to that activity (such as account opening), the financial institution or creditor must take steps designed to ensure that the activity is conducted in compliance with a Program that meets the requirements of paragraphs (c) and (d) of this section.

(5) Involvement of board of directors and senior management. (i) Board approval. The board of directors or an appropriate committee of the board must approve the written Program.

(ii) Oversight by board or senior management. The board of directors, an appropriate committee of the board, or senior management must oversee the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation, and reviewing annual reports prepared by staff regarding compliance by the financial institution or creditor with this section.

(iii) Reports. (A) In general. Staff of the financial institution or creditor responsible for implementation of its Program must report to the board, an appropriate committee of the board, or senior management, at least annually, on compliance by the financial institution or creditor with this section.

(B) Contents of report. The report must discuss material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program.

Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 571.90(a) that issues a debit or credit card.

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) In general. The card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, unless, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1) Notifies the cardholder of the request at the cardholder's former address and provides to the cardholder a means of promptly reporting incorrect address changes;

(2) Notifies the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or

(3) Uses other means of assessing the validity of the change of address, in accordance with the policies and procedures the card issuer has established pursuant to section 571.90.

(d) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph shall be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

8. Reserve appendices A through I to part 571.

9. Add Appendix J to part 571 to read as follows:

Appendix J to Part 571—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Red Flags in Connection With an Account Application or an Existing Account Information From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A notice of address discrepancy is provided by a consumer reporting agency.

3. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries.

b. An unusual number of recently established credit relationships.

c. A material change in the use of credit, especially with respect to recently established credit relationships.

d. An account was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Documentary Identification

4. Documents provided for identification appear to have been altered.

5. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

6. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.

7. Other information on the identification is not consistent with information that is on file, such as a signature card.

Personal Information

8. Personal information provided is inconsistent when compared against external information sources. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

9. Personal information provided is internally inconsistent. For example, there is a lack of correlation between the SSN range and date of birth.

10. Personal information provided is associated with known fraudulent activity. For example: Start Printed Page 40820

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

11. Personal information provided is of a type commonly associated with fraudulent activity. For example:

a. The address on an application is fictitious, a mail drop, or prison.

b. The phone number is invalid, or is associated with a pager or answering service.

12. The address, SSN, or home or cell phone number provided is the same as that submitted by other persons opening an account or other customers.

13. The person opening the account or the customer fails to provide all required information on an application.

14. Personal information provided is not consistent with information that is on file.

15. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Address Changes

16. Shortly following the notice of a change of address for an account, the institution or creditor receives a request for new, additional, or replacement checks, convenience checks, cards, or a cell phone, or for the addition of authorized users on the account.

17. Mail sent to the customer is returned as undeliverable although transactions continue to be conducted in connection with the customer's account.

Anomalous Use of the Account

18. A new revolving credit account is used in a manner commonly associated with fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

19. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

20. An account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

Notice From Customers or Others Regarding Customer Accounts

21. The financial institution or creditor is notified of unauthorized charges in connection with a customer's account.

22. The financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.

23. The financial institution or creditor is notified that the customer is not receiving account statements.

24. The financial institution or creditor is notified that its customer has provided information to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website.

25. Electronic messages are returned to mail servers of the financial institution or creditor that it did not originally send, indicating that its customers may have been asked to provide information to a fraudulent Web site that looks very similar, if not identical, to the Web site of the financial institution or creditor.

Other Red Flags

26. The name of an employee of the financial institution or creditor has been added as an authorized user on an account.

27. An employee has accessed or downloaded an unusually large number of customer account records.

28. The financial institution or creditor detects attempts to access a customer's account by unauthorized persons.

29. The financial institution or creditor detects or is informed of unauthorized access to a customer's personal information.

30. There are unusually frequent and large check orders in connection with a customer's account.

31. The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.

National Credit Union Administration

12 CFR Part 717

Authority and Issuance

For the reasons discussed in the joint preamble, the National Credit Union Administration proposes to amend chapter VII of title 12 of the Code of Federal Regulations by amending 12 CFR part 717 as follows:

End Part Start Part

PART 717—FAIR CREDIT REPORTING

1. The authority citation for part 717 is revised to read as follows:

Start Authority

Authority: 15 U.S.C. 1681a, 1681c, 1681m, 1681s, 1681w, 6801 and 6805.

End Authority

Subpart A—General Provisions

2. Amend § 717.3 by revising the introductory text to read as follows:

Definitions.

For purposes of this part, unless explicitly stated otherwise:

* * * * *

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

3. Revise the heading for Subpart I as shown above.

4. Add § 717.82 to read as follows:

Duties of users regarding address discrepancies.

(a) Scope. This section applies to users of consumer reports that receive notices of address discrepancies from credit reporting agencies (referred to as “users”), and that are Federal credit unions.

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user of a consumer report by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures for verifying the identity of the consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy. These policies and procedures must be designed to enable the user either to form a reasonable belief that it knows the identity of the consumer or determine that it cannot do so. A user that employs the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) under these circumstances satisfies this requirement, whether or not the user is subject to the CIP rules.

(d) Consumer's address (1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained;

(ii) Establishes or maintains a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy Start Printed Page 40821pertaining to the consumer was obtained.

(2) Requirement to confirm consumer's address. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the person to whom the consumer report pertains;

(ii) Reviewing its own records of the address provided to request the consumer report;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes:

(i) With respect to new relationships, for the reporting period in which it establishes a relationship with the consumer; and

(ii) In other circumstances, for the reporting period in which the user confirms the accuracy of the address of the consumer.

5. Add Subpart J to part 717 to read as follows:

Subpart J—Identity Theft Red Flags

Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Purpose and scope. This section implements section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which amends section 615 of the Fair Credit Reporting Act (FCRA). It applies to financial institutions and creditors that are Federal credit unions.

(b) Definitions. For purposes of this section, the following definitions apply:

(1) Account means a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k). Account includes:

(i) An extension of credit for personal, family, household or business purposes, such as a credit card account, margin account, or retail installment sales contract, such as a car loan or lease; and

(ii) A demand deposit, savings or other asset account for personal, family, household, or business purposes, such as a checking or savings account.

(2) The term board of directors includes:

(i) In the case of a foreign branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee.

(3) Customer means a person that has an account with a financial institution or creditor.

(4) Identity theft has the same meaning as in 16 CFR 603.2(a).

(5) Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.

(6) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Identity Theft Prevention Program. Each financial institution or creditor must implement a written Identity Theft Prevention Program (Program). The Program must include reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor, including financial, operational, compliance, reputation, and litigation risks, in the manner discussed in paragraph (d) of this section. The Program must be:

(1) Appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities; and

(2) Designed to address changing identity theft risks as they arise in connection with the experiences of the financial institution or creditor with identity theft, and changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, the types of accounts it offers, and business arrangements, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

(d) Development and implementation of Program. (1) Identification and evaluation of Red Flags. (i) Risk-based Red Flags. The Program must include policies and procedures to identify Red Flags, singly or in combination, that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation set forth in paragraph (d)(1)(ii) of this section. The Red Flags identified must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. At a minimum, the Program must incorporate any relevant Red Flags from:

(A) Appendix J to this part;

(B) Applicable supervisory guidance;

(C) Incidents of identity theft that the financial institution or creditor has experienced; and

(D) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

(ii) Risk evaluation. In identifying which Red Flags are relevant, the financial institution or creditor must consider:

(A) Which of its accounts are subject to a risk of identity theft;

(B) The methods it provides to open these accounts;

(C) The methods it provides to access these accounts; and

(D) Its size, location, and customer base.

(2) Identity theft prevention and mitigation. The Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account, including policies and procedures to:

(i) Obtain identifying information about, and verify the identity of, a person opening an account. A financial institution or creditor that uses the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l), under these circumstances, satisfies this requirement whether or not the user is subject to the CIP rules;

(ii) Detect the Red Flags identified pursuant to paragraph (d)(1) of this section;

(iii) Assess whether the Red Flags detected pursuant to paragraph (d)(2)(ii) of this section evidence a risk of identity theft. An institution or creditor must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft; and

(iv) Address the risk of identity theft, commensurate with the degree of risk posed, such as by:

(A) Monitoring an account for evidence of identity theft;

(B) Contacting the customer;

(C) Changing any passwords, security codes, or other security devices that permit access to a customer's account;

(D) Reopening an account with a new account number;

(E) Not opening a new account;

(F) Closing an existing account;

(G) Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(H) Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or Start Printed Page 40822

(I) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.

(3) Staff training. Each financial institution or creditor must train staff to implement its Program.

(4) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity on its behalf and the requirements of its Program are applicable to that activity (such as account opening), the financial institution or creditor must take steps designed to ensure that the activity is conducted in compliance with a Program that meets the requirements of paragraphs (c) and (d) of this section.

(5) Involvement of board of directors and senior management. (i) Board approval. The board of directors or an appropriate committee of the board must approve the written Program.

(ii) Oversight by board or senior management. The board of directors, an appropriate committee of the board, or senior management must oversee the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation, and reviewing annual reports prepared by staff regarding compliance by the financial institution or creditor with this section.

(iii) Reports. (A) In general. Staff of the financial institution or creditor responsible for implementation of its Program must report to the board, an appropriate committee of the board, or senior management, at least annually, on compliance by the financial institution or creditor with this section.

(B) Contents of report. The report must discuss material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program.

Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 717.90(a) that issues a debit or credit card.

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) In general. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, unless, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1) Notifies the cardholder of the request at the cardholder's former address and provides to the cardholder a means of promptly reporting incorrect address changes;

(2) Notifies the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or

(3) Uses other means of assessing the validity of the change of address, in accordance with the policies and procedures the card issuer has established pursuant to section 717.90.

(d) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph shall be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

6. Reserve appendices A through I to part 717.

7. Add Appendix J to part 717 to read as follows:

Appendix J to Part 717—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Red Flags in Connection With an Account Application or an Existing Account Information From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A notice of address discrepancy is provided by a consumer reporting agency.

3. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries.

b. An unusual number of recently established credit relationships.

c. A material change in the use of credit, especially with respect to recently established credit relationships.

d. An account was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Documentary Identification

4. Documents provided for identification appear to have been altered.

5. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

6. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.

7. Other information on the identification is not consistent with information that is on file, such as a signature card.

Personal Information

8. Personal information provided is inconsistent when compared against external information sources. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

9. Personal information provided is internally inconsistent. For example, there is a lack of correlation between the SSN range and date of birth.

10. Personal information provided is associated with known fraudulent activity. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

11. Personal information provided is of a type commonly associated with fraudulent activity. For example:

a. The address on an application is fictitious, a mail drop, or prison.

b. The phone number is invalid, or is associated with a pager or answering service.

12. The address, SSN, or home or cell phone number provided is the same as that submitted by other persons opening an account or other customers.

13. The person opening the account or the customer fails to provide all required information on an application.

14. Personal information provided is not consistent with information that is on file.

15. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Address Changes

16. Shortly following the notice of a change of address for an account, the institution or creditor receives a request for new, additional, or replacement checks, convenience checks, cards, or a cell phone, or for the addition of authorized users on the account.

17. Mail sent to the customer is returned as undeliverable although transactions continue to be conducted in connection with the customer's account. Start Printed Page 40823

Anomalous Use of the Account

18. A new revolving credit account is used in a manner commonly associated with fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

19. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

20. An account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

Notice From Customers or Others Regarding Customer Accounts

21. The financial institution or creditor is notified of unauthorized charges in connection with a customer's account.

22. The financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.

23. The financial institution or creditor is notified that the customer is not receiving account statements.

24. The financial institution or creditor is notified that its customer has provided information to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site.

25. Electronic messages are returned to mail servers of the financial institution or creditor that it did not originally send, indicating that its customers may have been asked to provide information to a fraudulent Web site that looks very similar, if not identical, to the Web site of the financial institution or creditor.

Other Red Flags

26. The name of an employee of the financial institution or creditor has been added as an authorized user on an account.

27. An employee has accessed or downloaded an unusually large number of customer account records.

28. The financial institution or creditor detects attempts to access a customer's account by unauthorized persons.

29. The financial institution or creditor detects or is informed of unauthorized access to a customer's personal information.

30. There are unusually frequent and large check orders in connection with a customer's account.

31. The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.

Federal Trade Commission

16 CFR Part 681

For the reasons discussed in the joint preamble, the Commission proposes to add part 681 of title 16 of the Code of Federal Regulations as follows:

End Part Start Part

PART 681—IDENTITY THEFT RULES

681.1
Duties of users of consumer reports regarding address discrepancies.
681.2
Duties regarding the detection, prevention, and mitigation of identity theft.
681.3
Duties of card issuers regarding changes of address.

Appendix A to Part 681 Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Start Authority

Authority: Pub. L. 108-159, sec 114 and sec 315; 15 U.S.C. 1681m(e) and 15 U.S.C. 1681c(h).

End Authority
Duties of users of consumer reports regarding address discrepancies.

(a) Scope. This section applies to users of consumer reports that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1) (referred to as “users”).

(b) Definition. For purposes of this section, a notice of address discrepancy means a notice sent to a user of a consumer report by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.

(c) Requirement to form a reasonable belief. A user must develop and implement reasonable policies and procedures for verifying the identity of the consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy. These policies and procedures must be designed to enable the user either to form a reasonable belief that it knows the identity of the consumer or determine that it cannot do so. A user that employs the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) under these circumstances satisfies this requirement, whether or not the user is subject to the CIP rules.

(d) Consumer's address

(1) Requirement to furnish consumer's address to a consumer reporting agency. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:

(i) Can form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained;

(ii) Establishes or maintains a continuing relationship with the consumer; and

(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy pertaining to the consumer was obtained.

(2) Requirement to confirm consumer's address. The user may reasonably confirm an address is accurate by:

(i) Verifying the address with the person to whom the consumer report pertains;

(ii) Reviewing its own records of the address provided to request the consumer report;

(iii) Verifying the address through third-party sources; or

(iv) Using other reasonable means.

(3) Timing. The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes:

(i) With respect to new relationships, for the reporting period in which it establishes a relationship with the consumer; and

(ii) In other circumstances, for the reporting period in which the user confirms the accuracy of the address of the consumer.

Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Purpose and scope. This section implements section 114 of the Fair and Accurate Credit Transactions Act, 15 U.S.C. 1681m, which amends section 615 of the Fair Credit Reporting Act (FCRA). It applies to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1).

(b) Definitions. For purposes of this section, the following definitions apply:

(1) Account means a continuing relationship established to provide a financial product or service that a Start Printed Page 40824financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k). Account includes:

(i) An extension of credit for personal, family, household or business purposes, such as a credit card account, margin account, or retail installment sales contract, such as a car loan or lease; and

(ii) A demand deposit, savings or other asset account for personal, family, household, or business purposes, such as a checking or savings account.

(2) The term board of directors includes:

(i) In the case of a foreign branch or agency of a foreign bank, the managing official in charge of the branch or agency; and

(ii) In the case of any other creditor that does not have a board of directors, a designated employee.

(3) Customer means a person that has an account with a financial institution or creditor.

(4) Identity theft has the same meaning as in 16 CFR 603.2(a).

(5) Red Flag means a pattern, practice, or specific activity that indicates the possible risk of identity theft.

(6) Service provider means a person that provides a service directly to the financial institution or creditor.

(c) Identity Theft Prevention Program. Each financial institution or creditor must implement a written Identity Theft Prevention Program (Program). The Program must include reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor, including financial, operational, compliance, reputation, and litigation risks, in the manner discussed in paragraph (d) of this section. The Program must be:

(1) Appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities; and

(2) Designed to address changing identity theft risks as they arise in connection with the experiences of the financial institution or creditor with identity theft, and changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, the types of accounts it offers, and business arrangements, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

(d) Development and implementation of Program.

(1) Identification and evaluation of Red Flags.

(i) Risk-based Red Flags. The Program must include policies and procedures to identify Red Flags, singly or in combination, that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation set forth in paragraph (d)(1)(ii) of this section. The Red Flags identified must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. At a minimum, the Program must incorporate any relevant Red Flags from:

(A) Appendix A to this part;

(B) Applicable supervisory guidance;

(C) Incidents of identity theft that the financial institution or creditor has experienced; and

(D) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.

(ii) Risk evaluation. In identifying which Red Flags are relevant, the financial institution or creditor must consider:

(A) Which of its accounts are subject to a risk of identity theft;

(B) The methods it provides to open these accounts;

(C) The methods it provides to access these accounts; and

(D) Its size, location, and customer base.

(2) Identity theft prevention and mitigation. The Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account, including policies and procedures to:

(i) Obtain identifying information about, and verify the identity of, a person opening an account. A financial institution or creditor that uses the policies and procedures regarding identification and verification set forth in the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l), under these circumstances, satisfies this requirement whether or not the user is subject to the CIP rules;

(ii) Detect the Red Flags identified pursuant to paragraph (d)(1) of this section;

(iii) Assess whether the Red Flags detected pursuant to paragraph (d)(2)(ii) of this section evidence a risk of identity theft. An institution or creditor must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft; and

(iv) Address the risk of identity theft, commensurate with the degree of risk posed, such as by:

(A) Monitoring an account for evidence of identity theft;

(B) Contacting the customer;

(C) Changing any passwords, security codes, or other security devices that permit access to a customer's account;

(D) Reopening an account with a new account number;

(E) Not opening a new account;

(F) Closing an existing account;

(G) Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;

(H) Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or

(I) Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.

(3) Staff training. Each financial institution or creditor must train staff to implement its Program.

(4) Oversight of service provider arrangements. Whenever a financial institution or creditor engages a service provider to perform an activity on its behalf and the requirements of its Program are applicable to that activity (such as account opening), the financial institution or creditor must take steps designed to ensure that the activity is conducted in compliance with a Program that meets the requirements of paragraphs (c) and (d) of this section.

(5) Involvement of board of directors and senior management. (i) Board approval. The board of directors or an appropriate committee of the board must approve the written Program.

(ii) Oversight by board or senior management. The board of directors, an appropriate committee of the board, or senior management must oversee the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation, and reviewing annual reports prepared by staff regarding compliance by the financial institution or creditor with this section.

(iii) Reports.

(A) In general. Staff of the financial institution or creditor responsible for implementation of its Program must report to the board, an appropriate committee of the board, or senior management, at least annually, on compliance by the financial institution or creditor with this section. Start Printed Page 40825

(B) Contents of report. The report must discuss material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program.

Duties of card issuers regarding changes of address.

(a) Scope. This section applies to a person described in § 681.2(a) that issues a debit or credit card.

(b) Definitions. For purposes of this section:

(1) Cardholder means a consumer who has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

(c) In general. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, unless, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:

(1) Notifies the cardholder of the request at the cardholder's former address and provides to the cardholder a means of promptly reporting incorrect address changes;

(2) Notifies the cardholder of the request by any other means of communication that the card issuer and the cardholder have previously agreed to use; or

(3) Uses other means of assessing the validity of the change of address, in accordance with the policies and procedures the card issuer has established pursuant to this section.

(d) Form of notice. Any written or electronic notice that the card issuer provides under this paragraph shall be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Appendix A to Part 681—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

Red Flags in Connection With an Account Application or an Existing Account

Information From a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A notice of address discrepancy is provided by a consumer reporting agency.

3. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries.

b. An unusual number of recently established credit relationships.

c. A material change in the use of credit, especially with respect to recently established credit relationships.

d. An account was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Documentary Identification

4. Documents provided for identification appear to have been altered.

5. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

6. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.

7. Other information on the identification is not consistent with information that is on file, such as a signature card.

Personal Information

8. Personal information provided is inconsistent when compared against external information sources. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

9. Personal information provided is internally inconsistent. For example, there is a lack of correlation between the SSN range and date of birth.

10. Personal information provided is associated with known fraudulent activity. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

11. Personal information provided is of a type commonly associated with fraudulent activity. For example:

a. The address on an application is fictitious, a mail drop, or prison.

b. The phone number is invalid, or is associated with a pager or answering service.

12. The address, SSN, or home or cell phone number provided is the same as that submitted by other persons opening an account or other customers.

13. The person opening the account or the customer fails to provide all required information on an application.

14. Personal information provided is not consistent with information that is on file.

15. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Address Changes

16. Shortly following the notice of a change of address for an account, the institution or creditor receives a request for new, additional or replacement checks, convenience checks, cards, or cell phone, or for the addition of authorized users on the account.

17. Mail sent to the customer is returned as undeliverable although transactions continue to be conducted in connection with the customer's account.

Anomalous Use of the Account

18. A new revolving credit account is used in a manner commonly associated with fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

19. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

20. An account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

Notice From Customers or Others Regarding Customer Accounts

21. The financial institution or creditor is notified of unauthorized charges in connection with a customer's account.

22. The financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.

23. The financial institution or creditor is notified that the customer is not receiving account statements.

24. The financial institution or creditor is notified that its customer has provided information to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site.

25. Electronic messages are returned to mail servers of the financial institution or creditor that it did not originally send, Start Printed Page 40826indicating that its customers may have been asked to provide information to a fraudulent Web site that looks very similar, if not identical, to the Web site of the financial institution or creditor.

Other Red Flags

26. The name of an employee of the financial institution or creditor has been added as an authorized user on an account.

27. An employee has accessed or downloaded an unusually large number of customer account records.

28. The financial institution or creditor detects attempts to access a customer's account by unauthorized persons.

29. The financial institution or creditor detects or is informed of unauthorized access to a customer's personal information.

30. There are unusually frequent and large check orders in connection with a customer's account.

31. The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.

Start Signature

Dated: May 8, 2006.

John C. Dugan,

Comptroller of the Currency.

By Order of the Board of Governors of the Federal Reserve System, July 5, 2006.

Jennifer J. Johnson,

Secretary of the Board.

By Order of the Board of Directors.

Dated at Washington, DC, the 9th day of May, 2006. Federal Deposit Insurance Corporation.

Robert E. Feldman,

Executive Secretary.

Dated: April 10, 2006.

By the Office of Thrift Supervision.

John M. Reich,

Director.

By the National Credit Union Administration Board on June 15, 2006.

Mary Rupp,

Secretary of the Board.

By direction of the Commission.

Donald S. Clark,

Secretary.

End Signature End Part End Supplemental Information

Footnotes

1.  Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

Back to Citation

2.  Section 111 of the FACT Act defines “identity theft” as “a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade] Commission may prescribe, by regulation.” 15 U.S.C. 1681a(q)(3).

Back to Citation

3.  12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations).

Back to Citation

6.  The Agencies note, however, that some creditors covered by the proposed Red Flag Guidelines are not financial institutions subject to Title V of the GLBA and, therefore, are not required to have an information security program under the GLBA. Moreover, the term “customer” is defined more broadly in the proposed Red Flag Regulations than in the Information Security Standards.

Back to Citation

7.  The FTC also proposes putting the Red Flag Regulations and Guidelines in the FCRA part of its regulations, specifically 16 CFR part 681. However, the FTC uses different numerical suffixes that equate to the numerical suffixes discussed in the preamble as follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 = FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition, the Appendix J referenced in the preamble equates to Appendix A for the FTC.

Back to Citation

8.  The Agencies recognize that, in other contexts, the FCRA defines the term “account” narrowly to describe certain deposit relationships. See 15 U.S.C. 1681a(r)(4).

Back to Citation

9.  See 12 CFR 40.3(i)(1) (OCC); 12 CFR 216.3(i)(1) (Board); 12 CFR 332.3(i)(1) (FDIC); 12 CFR 573.3(i)(1) (OTS); 12 CFR 716.3(j) (NCUA); and 16 CFR 313.3(i)(1) (FTC).

Back to Citation

10.  See 12 CFR 225.86 for a description of activities that are “financial in nature or incidental to a financial activity,” and explanation that these include activities that are “closely related to banking,” as set forth in 12 CFR 225.28, such as fiduciary, agency, custodial, brokerage and investment advisory activities.

Back to Citation

12.  Under proposed § __.90(d)(1), this determination must be substantiated by a risk evaluation that takes into consideration which customer accounts of the financial institution or creditor are subject to a risk of identity theft.

Back to Citation

14.  69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)).

Back to Citation

15.  See 16 CFR 603.2(b) for additional examples of “identifying information,” including unique biometric identifiers.

Back to Citation

16.  See 16 CFR 603.2(a)(defining “identity theft”).

Back to Citation

17.  Use of the term “customer” here appears to be a drafting error and likely should read “creditor.” Use of the term “customer” here appears to be a drafting error and likely should read “creditor.”

Back to Citation

18.  12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A (credit unions); 16 CFR part 314 (FTC regulated financial institutions).

Back to Citation

19.  Agencies “are expected to take into account the limited personnel and resources available to smaller institutions and craft such regulations and guidelines in a manner that does not unduly burden these smaller institutions.” See 149 Cong. Rec. E2513 (daily ed. December 8, 2003) (statement Rep. Oxley).

Back to Citation

20.  Section 114 directs the Agencies to update the guidelines as often as necessary. See 15 U.S.C. 1681m(e)(1)(a).

Back to Citation

21.  See, e.g., 31 CFR 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR 103.122 (broker-dealers); 31 CFR 103.123 (futures commission merchants).

Back to Citation

22.  See, e.g., 31 CFR 103.121(a).

Back to Citation

23.  In the case of credit, the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691 et seq., applies. Under ECOA, it is unlawful for a creditor to discriminate against any applicant for credit because the applicant has in good faith exercised any right under the Consumer Credit Protection Act (CCPA). 15 U.S.C. 1691(a). A consumer who requests the inclusion of a fraud alert or active duty alert in his or her credit file is exercising a right under the FCRA, which is a part of the CCPA, 15 U.S.C. 1601 et seq. 15 U.S.C. 1681c-1. Consequently, when a credit file contains a fraud or active duty alert, a creditor must take reasonable steps to verify the identity of the individual in accordance with the requirements in 15 U.S.C. 1681c-1 before extending credit, closing an account, or otherwise limiting the availability of credit. The inability of a creditor to verify the individual's identity may indicate that the individual is engaged in identity theft and, in those circumstances, the creditor may decline to open an account, close an account or take other reasonable actions to limit the availability of credit.

Back to Citation

24.  See, e.g., 31 CFR 103.121(b)(2)(iii).

Back to Citation

25.  68 FR 25104 (May 9, 2003)(preamble to CIP rule applicable to banks, savings associations, and credit unions).

Back to Citation

26.  See 149 Cong. Rec. E2513 (daily ed. December 8, 2003) (statement of Rep. Oxley) (emphasis added).

Back to Citation

28.  12 CFR 40.3(b)(1) (OCC); 12 CFR 216.3(b)(1) (Board); 12 CFR 332.3(b)(1) (FDIC); 12 CFR 573.3(b)(1) (OTS); 12 CFR 716.3(b)(1) (NCUA); 16 CFR 313.3(b)(1) (FTC).

Back to Citation

29.  See 149 Cong. Rec. E2513 (daily ed. December 8, 2003) (statement of Rep. Oxley) (describing this section as relating to “issuers of credit cards and debit cards who receive a consumer request for an additional or replacement card for an existing account.” (Emphasis added.))

Back to Citation

30.  All other terms used in this section of the proposal have the same meanings as set forth in the FCRA (15 U.S.C. 1681a).

Back to Citation

31.  The term used in the statute, “substantially differs,” is not defined. CRAs are responsible for determining when addresses substantially differ and, hence, when they must send a notice of address discrepancy to a user requesting a consumer report.

Back to Citation

32.  See, e.g., 31 CFR 103.121(b)(2)(i) and (ii).

Back to Citation

33.  For example, a user may request a consumer report on a consumer with whom it already has a continuing relationship in order to determine whether to increase the consumer's credit line, or in other circumstances, such as in the case of a landlord or employer, to determine a consumer's eligibility to rent housing or for employment.

Back to Citation

34.  Under the Red Flag Guidelines, a notice of address discrepancy received from a consumer reporting agency is a Red Flag. Thus, a user subject to the Red Flag Regulations that receives a notice of address discrepancy will need to determine whether its policies and procedures regarding identity theft prevention and mitigation apply here.

Back to Citation

35.  The equivalent language for the FTC already exists in 16 CFR 603.1.

Back to Citation

36.  Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

Back to Citation

37.  The Estimated Burden section reflects the views of all of the Agencies except the FTC, which has prepared a separate analysis.

Back to Citation

38.  See, e.g., 31 CFR 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR 103.122 (broker-dealers); 31 CFR 103.123 (futures commission merchants).

Back to Citation

39.  12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A and B, and 12 CFR 717 (credit unions); 16 CFR part 314 (financial institutions that are not regulated by the Board, FDIC, NCUA, OCC and OTS).

Back to Citation

40.  See, e.g., 12 CFR part 30, supp. A to app. B (national banks); 12 CFR part 208, supp. A to app. D-2 and part 225, supp. A to app. F (state member banks and holding companies); 12 CFR part 364, supp. A to app. B (state non-member banks); 12 CFR part 570, supp. A to app. B (savings associations); 12 CFR 748, app. A and B (credit unions); Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook's Information Security Booklet (the “IS Booklet”) available at http://www.ffiec.gov/​guides.htm; FFIEC “Authentication in an Internet Banking Environment” available at http://www.ffiec.gov/​pdf/​authentication_​guidance.pdf; Board SR 01-11 (Supp) (Apr. 26, 2001) available at: http://www.federalreserve.gov/​boarddocs/​srletters/​2001/​sr0111.htm; “Guidance on Identity Theft and Pretext Calling,” OCC AL 2001-4 (April 30, 2001); “Identity Theft and Pretext Calling,” OTS CEO Letter #139 (May 4, 2001); NCUA Letter to Credit Unions 01-CU-09, “Identity Theft and Pretext Calling” (Sept. 2001); OCC 2005-24, “Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents,” (July 1, 2005); “Phishing and E-mail Scams,” OTS CEO Letter #193 (Mar. 8, 2004); NCUA Letter to Credit Unions 04-CU-12, “Phishing Guidance for Credit Unions” (Sept. 2004).

Back to Citation

41.  Due to the varied nature of the entities subject to the jurisdiction of the FTC, this Estimated Burden section reflects only the view of the FTC. The banking regulatory agencies have jointly prepared a separate analysis.

Back to Citation

43.  Regulation B Equal Credit Opportunity, 12 CFR 202 (as amended effective April 15, 2003).

Back to Citation

44.  Under the FCRA, the only financial institutions over which the FTC has jurisdiction are state-chartered credit unions. 15 U.S.C. 1681s. As of December 31, 2005, there were 3,302 state-chartered federally-insured credit unions and 362 state-chartered nonfederally insured credit unions, totaling 3,664 financial institutions. See http://www.ncua.gov/​news/​quick_​facts/​quick_​facts.html and “Disclosures for Non-Federally Insured Depository Institutions under the Federal Deposit Insurance Corporation Improvement Act (FDICIA),” 70 FR 12823 (March 16, 2005).

Back to Citation

45.  This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, which totaled 11,076,463 creditors subject to the FTC's jurisdiction.

Back to Citation

46.  In general, high-risk entities may provide consumer financial services or other goods or services of value to identity thieves such as telecommunication services or goods that are easily convertible to cash, whereas low-risk entities may do business primarily with other businesses and provide non-financial services or goods that are not easily convertible to cash.

Back to Citation

47.  In addition to the 3,664 state-chartered credit unions under FTC jurisdiction (see supra), there may be other creditors that issue their own credit cards. FTC staff is unable to determine how many such creditors exist, but estimates that there may be as many as 100. FTC staff requests comment on the number of such creditors in existence.

Back to Citation

48.  The cost is derived from a mid-range among the reported 2004 Bureau of Labor Statistics (BLS) rates for likely positions within the professional technical and managerial categories.

Back to Citation

49.  The cost is derived from a mid-range among the reported 2004 BLS rates for likely positions within the administrative support category.

Back to Citation

50.  This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses in industries that typically use consumer reports from consumer reporting agencies described in section 603(p), which totaled 1,658,758 users of consumer reports subject to the FTC's jurisdiction.

Back to Citation

51.  Report to Congress Under Sections 318 and 319 of the Fair and Accurate Credit Transactions of 2003, Federal Trade Commission, 80 (Dec. 2004) available at http://www.ftc.gov/​reports/​facta/​041209factarpt.pdf.

Back to Citation

52.  As noted above, the cost is derived from a mid-range among the reported 2004 BLS rates for likely positions within the administrative support category.

Back to Citation

53.  Small Business Administration regulations define “small entities” to include banks with total assets of $165 million or less. 13 CFR 121.201.

Back to Citation

54.  For convenience, these entities are referred to as “national banks.”

Back to Citation

56.  12 CFR part 30, app. B (national banks).

Back to Citation

57.  OCC Bulletin 2005-35 (Oct. 12, 2005).

Back to Citation

58.  OCC AL 2001-4 (April 30, 2001).

Back to Citation

59.  Small Business Administration regulations define “small entities” to include savings associations with total assets of $165 million or less. 13 CFR 121.201.

Back to Citation

60.  For convenience, these entities are referred to as “savings associations.”

Back to Citation

61.  31 CFR 103.121; 12 CFR 563.177 (savings associations).

Back to Citation

62.  12 CFR part 570, app. B (savings associations).

Back to Citation

63.  OTS CEO Letter 228 (Oct. 12, 2005).

Back to Citation

64.  “Identity Theft and Pretext Calling,” OTS CEO Letter #139 (May 4, 2001).

Back to Citation

65.  These numbers represent the size standards for most retail and service industries ($6 million total receipts) and manufacturing industries (500 employees). A list of the SBA's size standards for all industries can be found at http://www.sba.gov/​size/​summary-whatis.html.

Back to Citation

66.  This estimate is derived from census data of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers and businesses. 2003 County Business Patterns, U.S. Census Bureau (http://censtats.census.gov/​cgi-bin/​cbpnaic/​cbpsel.pl); and 2002 Economic Census Bureau (http://www.census.gov/​econ/​census02/​).

Back to Citation

67.  This estimate is derived from census data of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers and businesses. 2003 County Business Patterns, U.S. Census Bureau (http://censtats.census.gov/​cgi-bin/​cbpnaic/​cbpsel.pl); and 2002 Economic Census, Bureau (http://www.census.gov/​econ/​census02/​).

Back to Citation

[FR Doc. 06-6187 Filed 7-17-06; 8:45 am]

BILLING CODE 4810-33-P, 6210-01-P, 6714-01-P, 6720-01-P, 7535-01-P, 6750-01-P