Docstoc

Identity Theft Red Flag Risk Assessment

Document Sample
Identity Theft Red Flag Risk Assessment Powered By Docstoc
					Friday, 

November 9, 2007 





Part IV

Department of the Treasury
Office of the Comptroller of the
Currency
12 CFR Part 41

Federal Reserve System
12 CFR Part 222

Federal Deposit Insurance
Corporation
12 CFR Parts 334 and 364

Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571

National Credit Union
Administration
12 CFR Part 717

Federal Trade Commission
16 CFR Part 681

Identity Theft Red Flags and Address
Discrepancies Under the Fair and
Accurate Credit Transactions Act of 2003;
Final Rule
63718         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

DEPARTMENT OF THE TREASURY                   and mitigate identity theft in connection   Office of Thrift Supervision, 1700 G
                                             with the opening of certain accounts or     Street, NW., Washington, DC 20552.
Office of the Comptroller of the             certain existing accounts. In addition,       NCUA: Regina M. Metz, Staff
Currency                                     the Agencies are issuing guidelines to      Attorney, Office of General Counsel,
                                             assist financial institutions and           (703) 518–6540, National Credit Union
12 CFR Part 41                               creditors in the formulation and            Administration, 1775 Duke Street,
[Docket ID OCC–2007–0017]
                                             maintenance of a Program that satisfies     Alexandria, VA 22314–3428.
                                             the requirements of the rules. The rules      FTC: Naomi B. Lefkovitz, Attorney, or
RIN 1557–AC87                                implementing section 114 also require       Pavneet Singh, Attorney, Division of
                                             credit and debit card issuers to assess     Privacy and Identity Protection, Bureau
FEDERAL RESERVE SYSTEM                       the validity of notifications of changes    of Consumer Protection, (202) 326–
                                             of address under certain circumstances.     2252, Federal Trade Commission, 600
12 CFR Part 222                              Additionally, the Agencies are issuing      Pennsylvania Avenue, NW., Washington
[Docket No. R–1255]                          joint rules under section 315 that          DC 20580.
                                             provide guidance regarding reasonable       SUPPLEMENTARY INFORMATION:
FEDERAL DEPOSIT INSURANCE                    policies and procedures that a user of
CORPORATION                                  consumer reports must employ when a         I. Introduction
                                             consumer reporting agency sends the            The President signed the FACT Act
12 CFR Parts 334 and 364                     user a notice of address discrepancy.       into law on December 4, 2003.1 The
                                             DATES: The joint final rules and            FACT Act added several new provisions
RIN 3064–AD00
                                             guidelines are effective January 1, 2008.   to the Fair Credit Reporting Act of 1970
DEPARTMENT OF THE TREASURY                   The mandatory compliance date for this      (FCRA), 15 U.S.C. 1681 et seq. Section
                                             rule is November 1, 2008.                   114 of the FACT Act, 15 U.S.C.
Office of Thrift Supervision                                                             1681m(e), amends section 615 of the
                                             FOR FURTHER INFORMATION CONTACT:
                                                                                         FCRA, and directs the Agencies to issue
                                               OCC: Amy Friend, Assistant Chief          joint regulations and guidelines
12 CFR Part 571                              Counsel, (202) 874–5200; Deborah Katz,      regarding the detection, prevention, and
[Docket No. OTS–2007–0019]                   Senior Counsel, or Andra Shuster,           mitigation of identity theft, including
                                             Special Counsel, Legislative and            special regulations requiring debit and
RIN 1550–AC04                                Regulatory Activities Division, (202)       credit card issuers to validate
                                             874–5090; Paul Utterback, Compliance        notifications of changes of address
NATIONAL CREDIT UNION
                                             Specialist, Compliance Department,          under certain circumstances.2 Section
ADMINISTRATION
                                             (202) 874–5461; or Aida Plaza Carter,       315 of the FACT Act, 15 U.S.C.
                                             Director, Bank Information Technology,      1681c(h), adds a new section 605(h)(2)
12 CFR Part 717
                                             (202) 874–4740, Office of the               to the FCRA requiring the Agencies to
                                             Comptroller of the Currency, 250 E          issue joint regulations that provide
FEDERAL TRADE COMMISSION
                                             Street, SW., Washington, DC 20219.          guidance regarding reasonable policies
16 CFR Part 681                                Board: David A. Stein or Ky Tran-         and procedures that a user of a
                                             Trong, Counsels, or Amy Burke,              consumer report should employ when
RIN 3084–AA94                                Attorney, Division of Consumer and          the user receives a notice of address
                                             Community Affairs, (202) 452–3667;          discrepancy.
Identity Theft Red Flags and Address         Kara L. Handzlik, Attorney, Legal              On July 18, 2006, the Agencies
Discrepancies Under the Fair and             Division, (202) 452–3852; or John           published a joint notice of proposed
Accurate Credit Transactions Act of          Gibbons, Supervisory Financial Analyst,     rulemaking (NPRM) in the Federal
2003                                         Division of Banking Supervision and         Register (71 FR 40786) proposing rules
AGENCIES:  Office of the Comptroller of      Regulation, (202) 452–6409, Board of        and guidelines to implement section
the Currency, Treasury (OCC); Board of       Governors of the Federal Reserve            114 and proposing rules to implement
Governors of the Federal Reserve             System, 20th and C Streets, NW.,            section 315 of the FACT Act. The public
System (Board); Federal Deposit              Washington, DC 20551.                       comment period closed on September
Insurance Corporation (FDIC); Office of        FDIC: Jeffrey M. Kopchik, Senior          18, 2006. The Agencies collectively
Thrift Supervision, Treasury (OTS);          Policy Analyst, (202) 898–3872, or          received a total of 129 comments in
National Credit Union Administration         David P. Lafleur, Policy Analyst, (202)     response to the NPRM, although many
(NCUA); and Federal Trade Commission         898–6569, Division of Supervision and       commenters sent copies of the same
(FTC or Commission).                         Consumer Protection; Richard M.             letter to each of the Agencies. The
ACTION: Joint final rules and guidelines.
                                             Schwartz, Counsel, (202) 898–7424, or       comments included 63 from financial
                                             Richard B. Foley, Counsel, (202) 898–       institutions, 12 from financial
SUMMARY:   The OCC, Board, FDIC, OTS,        3784, Legal Division, Federal Deposit       institution holding companies, 23 from
NCUA and FTC (the Agencies) are              Insurance Corporation, 550 17th Street,     financial institution trade associations,
jointly issuing final rules and guidelines   NW., Washington, DC 20429.                  12 from individuals, nine from other
implementing section 114 of the Fair           OTS: Ekita Mitchell, Consumer             trade associations, five from other
and Accurate Credit Transactions Act of      Regulations Analyst, Compliance and         business entities, three from consumer
2003 (FACT Act) and final rules              Consumer Protection, (202) 906–6451;
implementing section 315 of the FACT         Kathleen M. McNulty, Technology               1 Pub.  L. 108–159.
Act. The rules implementing section          Program Manager, Information                  2 Section   111 of the FACT Act defines ‘‘identity
114 require each financial institution or    Technology Risk Management, (202)           theft’’ as ‘‘a fraud committed using the identifying
                                                                                         information of another person, subject to such
creditor to develop and implement a          906–6322; or Richard Bennett, Senior        further definition as the [Federal Trade]
written Identity Theft Prevention            Compliance Counsel, Regulations and         Commission may prescribe, by regulation.’’ 15
Program (Program) to detect, prevent,        Legislation Division, (202) 906–7409,       U.S.C. 1681a(q)(3).
                  Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                                 63719

groups,3 one from a member of                           indicators of a possible risk of identity             commenters suggested that the
Congress, and one from the United                       theft (Red Flags), including indicators               regulations and guidelines take the form
States Small Business Administration                    from among those listed in the                        of broad objectives modeled on the
(SBA).                                                  guidelines. To promote flexibility and                objectives set forth in the ‘‘Interagency
                                                        responsiveness to the changing nature of              Guidelines Establishing Information
II. Section 114 of the FACT Act
                                                        identity theft, the proposed rules also               Security Standards’’ (Information
A. Red Flag Regulations and Guidelines                  stated that covered entities would need               Security Standards).7 A few financial
1. Background                                           to include in their Programs relevant                 institution commenters asserted that the
                                                        Red Flags from applicable supervisory                 primary cause of identity theft is the
   Section 114 of the FACT Act requires                 guidance, their own experiences, and                  lack of care on the part of the consumer.
the Agencies to jointly issue guidelines                methods that the entity had identified                They stated that consumers should be
for financial institutions and creditors                that reflect changes in identity theft                held responsible for protecting their
regarding identity theft with respect to                risks.                                                own identifying information.
their account holders and customers.                       The Agencies invited comment on all                  The Agencies have modified the
Section 114 also directs the Agencies to                aspects of the proposed regulations and               proposed rules and guidelines in light of
prescribe joint regulations requiring                   guidelines implementing section 114,                  the comments received. An overview of
each financial institution and creditor to              and specifically requested comment on                 the final rules, guidelines, and
establish reasonable policies and                       whether the elements described in                     supplement, a discussion of the
procedures for implementing the                         section 114 had been properly allocated               comments, and the specific manner in
guidelines, to identify possible risks to               between the proposed regulations and                  which the proposed rules and
account holders or customers or to the                  the proposed guidelines.                              guidelines have been modified, follows.
safety and soundness of the institution                    Consumer groups maintained that the
or ‘‘customer.’’4                                       proposed regulations provided too                     3. Overview of final rules and
   In developing the guidelines, the                    much discretion to financial institutions             guidelines
Agencies must identify patterns,                        and creditors to decide which accounts                   The Agencies are issuing final rules
practices, and specific forms of activity               and Red Flags to include in their                     and guidelines that provide both
that indicate the possible existence of                 Programs and how to respond to those                  flexibility and more guidance to
identity theft. The guidelines must be                  Red Flags. These commenters stated that               financial institutions and creditors. The
updated as often as necessary, and                      the flexible and risk-based approach                  final rules also require the Program to
cannot be inconsistent with the policies                taken in the proposed rulemaking                      address accounts where identity theft is
and procedures issued under section                     would permit ‘‘business as usual.’’
326 of the USA PATRIOT Act,5 31                                                                               most likely to occur. The final rules
                                                           Some small financial institutions also             describe which financial institutions
U.S.C. 5318(l), that require verification               expressed concern about the flexibility
of the identity of persons opening new                                                                        and creditors are required to have a
                                                        afforded by the proposal. These                       Program, the objectives of the Program,
accounts. The Agencies also must                        commenters stated that they preferred to
consider including reasonable                                                                                 the elements that the Program must
                                                        have clearer, more structured guidance                contain, and how the Program must be
guidelines that would apply when a                      describing exactly how to develop and
transaction occurs in connection with a                                                                       administered.
                                                        implement a Program and what they                        Under the final rules, only those
consumer’s credit or deposit account                    would need to do to achieve
that has been inactive for two years.                                                                         financial institutions and creditors that
                                                        compliance.                                           offer or maintain ‘‘covered accounts’’
These guidelines would provide that in                     Most commenters, however, including
such circumstances, a financial                                                                               must develop and implement a written
                                                        many financial institutions and                       Program. A covered account is (1) an
institution or creditor ‘‘shall follow                  creditors, asserted that the proposal was
reasonable policies and procedures’’ for                                                                      account primarily for personal, family,
                                                        overly prescriptive, contained                        or household purposes, that involves or
notifying the consumer, ‘‘in a manner                   requirements beyond those mandated in
reasonably designed to reduce the                                                                             is designed to permit multiple payments
                                                        the FACT Act, would be costly and                     or transactions, or (2) any other account
likelihood of identity theft.’’                         burdensome to implement, and would                    for which there is a reasonably
2. Overview of Proposal and Comments                    complicate the existing efforts of                    foreseeable risk to customers or the
Received                                                financial institutions and creditors to               safety and soundness of the financial
   The Agencies proposed to implement                   detect and prevent identity theft. Some               institution or creditor from identity
section 114 through regulations                         industry commenters asserted that the                 theft. Each financial institution and
requiring each financial institution and                rulemaking was unnecessary because                    creditor must periodically determine
creditor to implement a written Program                 large businesses, such as banks and                   whether it offers or maintains a
to detect, prevent and mitigate identity                telecommunications companies, already                 ‘‘covered account.’’
theft in connection with the opening of                 are motivated to prevent identity theft
                                                                                                                 The final regulations provide that the
an account or any existing account. The                 and other forms of fraud in order to
                                                                                                              Program must be designed to detect,
Agencies also proposed guidelines that                  limit their own financial losses.
                                                                                                              prevent, and mitigate identity theft in
identified 31 patterns, practices, and                  Financial institution commenters
                                                                                                              connection with the opening of a
specific forms of activity that indicate a              maintained that they are already doing
                                                                                                              covered account or any existing covered
possible risk of identity theft. The                    most of what would be required by the
                                                                                                              account. In addition, the Program must
proposed regulations required each                      proposal as a result of having to comply
                                                                                                              be tailored to the entity’s size,
financial institution and creditor to                   with the customer identification
                                                                                                              complexity and nature of its operations.
incorporate into its Program relevant                   program (CIP) regulations implementing
                                                        section 326 of the USA PATRIOT Act 6                    7 12 CFR part 30, app. B (national banks); 12 CFR
  3 One  of these letters represented the comments      and other existing requirements. These                part 208, app. D–2 and part 225, app. F (state
of five consumer groups.                                                                                      member banks and holding companies); 12 CFR
  4 Use of the term ‘‘customer,’’ here, appears to be     6 See, e.g., 31 CFR 103.121 (applicable to banks,   part 364, app. B (state non-member banks); 12 CFR
a drafting error and likely should read ‘‘creditor.’’   thrifts and credit unions and certain non-federally   part 570, app. B (savings associations); 12 CFR part
  5 Pub. L. 107–56.                                     regulated banks).                                     748, App. A (credit unions).
63720         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

   The final regulations list the four      4. Section-by-Section Analysis 8                       Agencies use the term ‘‘continuing
basic elements that must be included in                                                            relationship’’ instead, and define this
                                            Sectionl.90(a) Purpose and Scope
the Program of a financial institution or                                                          phrase in a manner consistent with the
creditor. The Program must contain            Proposed §l.90(a) described the                      Agencies’’ privacy rules 10
‘‘reasonable policies and procedures’’      statutory authority for the proposed                   implementing Title V of the Gramm-
to:                                         regulations, namely, section 114 of the                Leach-Bliley Act (GLBA), 15 U.S.C.
                                            FACT Act. It also defined the scope of                 6801.11 These commenters urged that
   • Identify relevant Red Flags for        this section; each of the Agencies                     the definition of ‘‘account’’ not be
covered accounts and incorporate those      proposed tailoring this paragraph to                   expanded to include relationships that
Red Flags into the Program;                 describe those entities to which this                  are not ‘‘continuing.’’ They stated that it
   • Detect Red Flags that have been        section would apply. The Agencies                      would be very burdensome to gather
incorporated into the Program;              received no comments on this section,                  and maintain information on non-
   • Respond appropriately to any Red       and it is adopted as proposed.                         customers for one-time transactions.
Flags that are detected to prevent and      Sectionl.90(b) Definitions                             Other commenters suggested defining
mitigate identity theft; and                                                                       the term ‘‘account’’ in a manner
                                               Proposed §l.90(b) contained                         consistent with the CIP rules.
   • Ensure the Program is updated          definitions of various terms that applied                 Many commenters stated that defining
periodically, to reflect changes in risks   to the proposed rules and guidelines.                  ‘‘account’’ to cover both consumer and
to customers or to the safety and           While §l.90(b) of the final rules                      business accounts was too broad,
soundness of the financial institution or   continues to describe the definitions                  exceeded the scope of the FACT Act,
creditor from identity theft.               applicable to the final rules and                      and would make the regulation too
   The regulations also enumerate           guidelines, changes have been made to                  burdensome. These commenters
certain steps that financial institutions   address the comments, as follows.                      recommended limiting the scope of the
and creditors must take to administer          Sectionl.90(b)(1) Account. The                      regulations and guidelines to cover only
                                            Agencies proposed using the term                       consumer financial services, specifically
the Program. These steps include
                                            ‘‘account’’ to describe the relationships              accounts established for personal,
obtaining approval of the initial written
                                            covered by section 114 that an account                 family and household purposes, because
Program by the board of directors or a      holder or customer may have with a                     these types of accounts typically are
committee of the board, ensuring            financial institution or creditor.9 The                targets of identity theft. They asserted
oversight of the development,               proposed definition of ‘‘account’’ was ‘‘a             that identity theft has not historically
implementation and administration of        continuing relationship established to                 been common in connection with
the Program, training staff, and            provide a financial product or service                 business or commercial accounts.
overseeing service provider                 that a financial holding company could                    Consumer groups maintained that the
arrangements.                               offer by engaging in an activity that is               proposed definition of ‘‘account’’ was
   In order to provide financial            financial in nature or incidental to such              too narrow. They explained that because
institutions and creditors with more        a financial activity under section 4(k) of             the proposed definition was tied to
flexibility in developing a Program, the    the Bank Holding Company Act, 12                       financial products and services that can
Agencies have moved certain detail          U.S.C. 1843(k).’’ The definition also                  be offered under the Bank Holding
formerly contained in the proposed          gave examples of types of ‘‘accounts.’’                Company Act, it inappropriately
regulations to the guidelines located in       Some commenters stated that the                     excluded certain transactions involving
Appendix J. This detailed guidance          regulations do not need a definition of                creditors that are not financial
should assist financial institutions and    ‘‘account’’ to give effect to their terms.             institutions that should be covered by
                                            Some commenters maintained that a                      the regulations. Some of these
creditors in the formulation and
                                            new definition for ‘‘account’’ would be                commenters recommended that the
maintenance of a Program that satisfies
                                            confusing as this term is already defined              definition of ‘‘account’’ include any
the requirements of the regulations to
                                            inconsistently in several regulations and              relationship with a financial institution
detect, prevent, and mitigate identity      in section 615(e) of the FCRA. These                   or creditor in which funds could be
theft. Each financial institution or        commenters recommended that the                        intercepted or credit could be extended,
creditor that is required to implement a                                                           as well as any other transaction which
Program must consider the guidelines          8 The OCC, Board, FDIC, OTS and NCUA are
                                                                                                   could obligate an individual or other
and include in its Program those            placing the regulations and guidelines                 covered entity, including transactions
guidelines that are appropriate. The        implementing section 114 in the part of their
                                            regulations that implement the FCRA—12 CFR             that do not result in a continuing
guidelines provide policies and             parts 41, 222, 334, 571, and 717, respectively. In     relationship. Others suggested that there
procedures for use by institutions and      addition, the FDIC cross-references the regulations    should be no flexibility to exclude any
creditors, where appropriate, to satisfy    and guidelines in 12 CFR part 364. For ease of         account that is held by an individual or
                                            reference, the discussion in this preamble uses the
the requirements of the final rules,        shared numerical suffix of each of these agency’s      which generates information about
including the four elements listed          regulations. The FTC also is placing the final         individuals that reflects on their
above. While an institution or creditor     regulations and guidelines in the part of its          financial or credit reputations.
may determine that particular               regulations implementing the FCRA, specifically 16        The Agencies have modified the
                                            CFR part 681. However, the FTC uses different
guidelines are not appropriate to           numerical suffixes that equate to the numerical        definition of ‘‘account’’ to address these
incorporate into its Program, the           suffixes discussed in the preamble as follows:         comments. First, the final rules now
Program must nonetheless contain            preamble suffix .82 = FTC suffix .1, preamble suffix   apply to ‘‘covered accounts,’’ a term that
                                            .90 = FTC suffix .2, and preamble suffix .91 = FTC     the Agencies have added to the
reasonable policies and procedures to       suffix .3. In addition, Appendix J referenced in the
meet the specific requirements of the       preamble is the FTC’s Appendix A.                      definition section to eliminate
final rules. The illustrative examples of     9 The Agencies acknowledged that section 114
                                                                                                     10 See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12
Red Flags formerly in Appendix J are        does not use the term ‘‘account’’ and, in other
                                            contexts, the FCRA defines the term ‘‘account’’        CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716
now listed in a supplement to the           narrowly to describe certain consumer deposit or       (NCUA); and 16 CFR 313 (FTC).
guidelines.                                 asset accounts. See 15 U.S.C. 1681a(r)(4).               11 Pub. L. 106–102.
                   Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                        63721

confusion between these rules and other                 established, but also to account                 The Agencies recognize that
rules that apply to an ‘‘account.’’ The                 openings, when a relationship has not         consumer accounts are presently the
Agencies have retained a definition of                  yet been established.                         most common target of identity theft
‘‘account’’ simply to clarify and provide                  Sectionl.90(b)(2) Board of Directors.      and acknowledge that Congress
context for the definition of ‘‘covered                 The proposed regulations discussed the        expected the final regulation to address
account.’’                                              role of the board of directors of a           risks of identity theft to consumers.13
   Section 114 provides broad discretion                financial institution or creditor. For        For this reason, the final rules require
to the Agencies to prescribe regulations                financial institutions and creditors          each Program to cover accounts
and guidelines to address identity theft.               covered by the regulations that do not        established primarily for personal,
The terminology in section 114 is not                   have boards of directors, the proposed        family or household purposes, that
confined to ‘‘consumer’’ accounts.                      regulations defined ‘‘board of directors’’    involve or are designed to permit
While identity theft primarily has been                 to include, in the case of a branch or        multiple payments or transactions, i.e.,
directed at consumers, the Agencies are                 agency of a foreign bank, the managing        consumer accounts. As discussed above
aware that small businesses also have                   official in charge of the branch or           in connection with the definition of
been targets of identity theft. Over time,              agency. For other creditors that do not       ‘‘account,’’ the final rules also require
identity theft could expand to affect                   have boards of directors, the proposed        the Programs of financial institutions
other types of accounts. Thus, the                      regulations defined ‘‘board of directors’’    and creditors to cover any other type of
definition of ‘‘account’’ in §l.90(b)(1)                as a designated employee.                     account that the institution or creditor
of the final rules continues to cover any                  Consumer groups objected to the            offers or maintains for which there is a
relationship to obtain a product or                     proposed definition as it applied to          reasonably foreseeable risk from identity
service that an account holder or                       creditors that do not have boards of          theft.
customer may have with a financial                      directors. These commenters                      Accordingly, the definition of
institution or creditor.12 Through                      recommended that for these entities,          ‘‘covered account’’ is divided into two
examples, the definition makes clear                    ‘‘board of directors’’ should be defined      parts. The first part refers to ‘‘an account
that the purchase of property or services               as a designated employee at the level of      that a financial institution or creditor
involving a deferred payment is                         senior management. They asserted that         offers or maintains, primarily for
considered to be an account.                            otherwise, institutions that do not have      personal, family, or household
   Although the definition of ‘‘account’’               a board of directors would be given an        purposes, that involves or is designed to
includes business accounts, the risk-                   unfair advantage for purposes of the          permit multiple payments or
based nature of the final rules allows                  substantive provisions of the rules,          transactions.’’ The definition provides
each financial institution or creditor                  because they would be permitted to            examples to illustrate that these types of
flexibility to determine which business                 assign any employee to fulfill the role of    consumer accounts include, ‘‘a credit
accounts will be covered by its Program                 the ‘‘board of directors.’’                   card account, mortgage loan, automobile
through a risk evaluation process.                         The Agencies agree this important          loan, margin account, cell phone
   The Agencies also recognize that a                   role should be performed by an                account, utility account, checking
person may establish a relationship with                employee at the level of senior               account, or savings account.’’14
a creditor, such as an automobile dealer                management, rather than any designated           The second part of the definition
or a telecommunications provider,                       employee. Accordingly, the definition of      refers to ‘‘any other account that the
primarily to obtain a product or service                ‘‘board of directors’’ has been revised in    financial institution or creditor offers or
that is not financial in nature. To make                § l.90(b)(2) of the final rules so that, in   maintains for which there is a
clear that an ‘‘account’’ includes                      the case of a creditor that does not have     reasonably foreseeable risk to customers
relationships with creditors that are not               a board of directors, the term ‘‘board of     or to the safety and soundness of the
financial institutions, the definition is               directors’’ means ‘‘a designated              financial institution or creditor from
no longer tied to the provision of                      employee at the level of senior               identity theft, including financial,
‘‘financial’’ products and services.                    management.’’                                 operational, compliance, reputation, or
Accordingly, the Agencies have deleted                     Section l.90(b)(3) Covered Account.        litigation risks.’’ This part of the
the reference to the Bank Holding                       As mentioned previously, the Agencies         definition reflects the Agencies’ belief
Company Act.                                            have added a new definition of                that other types of accounts, such as
   The definition of ‘‘account’’ still
                                                        ‘‘covered account’’ in § l.90(b)(3) to        small business accounts or sole
includes the words ‘‘continuing                                                                       proprietorship accounts, may be
                                                        describe the type of ‘‘account’’ covered
relationship.’’ The Agencies have                                                                     vulnerable to identity theft, and,
                                                        by the final rules. The proposed rules
determined that, at this time, the burden                                                             therefore, should be considered for
                                                        would have provided a financial
that would be imposed upon financial                                                                  coverage by the Program of a financial
                                                        institution or creditor with broad
institutions and creditors by a                                                                       institution or creditor.
                                                        flexibility to apply its Program to those
requirement to detect, prevent and                                                                       In response to the proposed definition
                                                        accounts that it determined were
mitigate identity theft in connection                                                                 of ‘‘account,’’ a trade association
                                                        vulnerable to the risk of identity theft,
with single, non-continuing transactions                                                              representing credit unions suggested
                                                        and did not mandate coverage of any
by non-customers would outweigh the                                                                   that the term ‘‘customer’’ in the
                                                        particular type of account.
benefits of such a requirement. The                                                                   definition be revised to refer to
                                                           Consumer group commenters urged
Agencies recognize, however, that
                                                        the Agencies to limit the discretion
identity theft may occur at the time of                                                                 13 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003)
                                                        afforded to financial institutions and
account opening. Therefore, as detailed                                                               (accompanying S. 1753).
                                                        creditors by requiring them to cover
below, the obligations of the final rule                                                                14 These examples reflect the fact that the rules
                                                        consumer accounts in their Programs.          are applicable to a variety of financial institutions
apply not only to existing accounts,
                                                        While seeking to preserve their               and creditors. They are not intended to confer any
where a relationship already has been                                                                 additional powers on covered entities. Nonetheless,
                                                        discretion, many industry commenters
                                                                                                      some of the Agencies have chosen to limit the
  12 Accordingly, the definition of ‘‘account’’ still   requested that the Agencies limit the         examples in their rule texts to those products
applies to fiduciary, agency, custodial, brokerage      final rules to consumer accounts, where       covered entities subject to their jurisdiction are
and investment advisory activities.                     identity theft is most likely to occur.       legally permitted to offer.
63722               Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

‘‘member’’ to better reflect the               that the Agencies chose this broad                  individual who has a consumer account
ownership structure of some financial          definition because, in addition to                  will always be a ‘‘customer.’’ A
institutions or to ‘‘consumer’’ to include     individuals, various types of entities              ‘‘customer’’ may also be a person that
all individuals doing business at all          (e.g., small businesses) can be victims of          has another type of account for which
types of financial institutions. The           identity theft. Under the proposed                  a financial institution or creditor
definition of ‘‘account’’ in the final rules   definition, however, a financial                    determines there is a reasonably
no longer makes reference to the term          institution or creditor would have had              foreseeable risk to its customers or to its
‘‘customer’’; however, the definition of       the discretion to determine which type              own safety and soundness from identity
‘‘covered account’’ continues to employ        of customer accounts would be covered               theft.
this term, to be consistent with section       under its Program, since the proposed                  The Agencies note that the
114 of the FACT Act, which uses the            regulations were risk-based.17                      Information Security Standards and the
term ‘‘customer.’’ Of course, in the case         As noted above, most industry                    privacy rules implemented various
of credit unions, the final rules and          commenters maintained that including                sections of Title V of the GLBA, 15
guidelines will apply to the accounts of       all persons, not just consumers, within             U.S.C. 6801, which specifically apply
members that are maintained primarily          the definition of ‘‘customer’’ would                only to customers who are consumers.
for personal, family, or household             impose a substantial financial burden               By contrast, section 114 does not define
purposes, and those that are otherwise         on financial institutions and creditors,            the term ‘‘customer.’’ Because the
subject to a reasonably foreseeable risk       and make compliance with the                        Agencies continue to believe that a
of identity theft.                             regulations more burdensome. These                  business customer can be a target of
   Sections l.90(b)(4) and (b)(5) Credit       commenters stated that business                     identity theft, the final rules contain a
and Creditor. The proposed rules               identity theft is rare, and maintained              risk-based process designed to ensure
defined these terms by cross-reference         that financial institutions and creditors           that these types of customers will be
to the relevant sections of the FCRA.          should be allowed to direct their fraud             covered by the Program of a financial
There were no comments on the                  prevention resources to the areas of                institution or creditor, when the risk of
definition of ‘‘credit’’ and § l.90(b)(4)      highest risk. They also noted that                  identity theft is reasonably foreseeable.
of the final rules adopts the definition       businesses are more sophisticated than                 The definition of ‘‘customer’’ in the
as proposed.                                   consumers, and are in a better position             final rules continues to cover only
   Some commenters asked the Agencies          to protect themselves against fraud than            customers that already have accounts.
to clarify that the term ‘‘creditor’’ does     consumers, both in terms of prevention              The Agencies note, however, that the
not cover third-party debt collectors          and in enforcing their legal rights.                substantive provisions of the final rules,
who regularly arrange for the extension,          Some financial institution                       described later, require the Program of
renewal, or continuation of credit.            commenters were concerned that the                  a financial institution or creditor to
   Section 114 applies to financial            broad definition of ‘‘customer’’ would              detect, prevent, and mitigate identity
institutions and creditors. Under the          create opportunities for commercial                 theft in connection with the opening of
FCRA, the term ‘‘creditor’’ has the same       customers to shift responsibility from              a covered account as well as any
meaning as in section 702 of the Equal         themselves to the financial institution             existing covered account. The final rules
Credit Opportunity Act (ECOA), 15              for not discovering Red Flags and                   address persons whose identities are
U.S.C. 1691a.15 ECOA defines                   alerting business customers about                   used by an imposter to open an account
‘‘creditor’’ to include a person who           embezzlement or other fraudulent                    in these substantive provisions, rather
arranges for the extension, renewal, or        transactions by the commercial                      than through the definition of
continuation of credit, which in some          customer’s own employees. These                     ‘‘customer.’’
cases could include third-party debt           commenters suggested narrowing the                     Section l.90(b)(7) Financial
collectors. 15 U.S.C. 1691a(e).                definition to cover natural persons and             Institution. The Agencies received no
Therefore, the Agencies are not                to exclude business customers. Some of              comments on the proposed definition of
excluding third-party debt collectors          these commenters suggested that the                 ‘‘financial institution.’’ It is adopted in
from the scope of the final rules, and         definition of ‘‘customer’’ should be                § l.90(b)(7), as proposed, with a cross-
§ l.90(b)(5) of the final rules adopts the     consistent with the definition of this              reference to the relevant definition in
definition of ‘‘creditor’’ as proposed.        term in the Information Security                    the FCRA.
   Section l.90(b)(6) Customer. Section        Standards and the Agencies’ privacy                    Section l.90(b)(8) Identity Theft. The
114 of the FACT Act refers to ‘‘account        rules.                                              proposal defined ‘‘identity theft’’ by
holders’’ and ‘‘customers’’ of financial          Consumer groups commented that the               cross-referencing the FTC’s rule that
institutions and creditors without             proposed definition of ‘‘customer’’ was             defines ‘‘identity theft’’ for purposes of
defining either of these terms. For ease       too narrow. They recommended that the               the FCRA.18
of reference, the Agencies proposed to         definition be amended, so that the                     Most industry commenters objected to
use the term ‘‘customer’’ to encompass         regulations would not only protect                  the breadth of the proposed definition of
both ‘‘customers’’ and ‘‘account               persons who are already customers of a              ‘‘identity theft.’’ They recommended
holders.’’ ‘‘Customer’’ was defined as a       financial institution or creditor, but also         that the definition include only actual
person that has an account with a              persons whose identities are used by an             fraud committed using identifying
financial institution or creditor. The         imposter to open an account.                        information of a consumer, and exclude
proposed definition of ‘‘customer’’               Section l.90(b)(6) of the final rule             attempted fraud, identity theft
applied to any ‘‘person,’’ defined by the      defines ‘‘customer’’ to mean a person               committed against businesses, and any
FCRA as any individual, partnership,           that has a ‘‘covered account’’ with a               identity fraud involving the creation of
corporation, trust, estate, cooperative,       financial institution or creditor. Under            a fictitious identity using fictitious data
association, government or                     the definition of ‘‘covered account,’’ an           combined with real information from
governmental subdivision or agency, or
                                                 17 Proposed § l.90(d)(1) required this               18 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR
other entity.16 The proposal explained                                                             603.2(a)). Section 111 of the FACT Act added
                                               determination to be substantiated by a risk
                                               evaluation that takes into consideration which      several new definitions to the FCRA, including
 15 See   15 U.S.C. 1681a(r)(5). 
             customer accounts of the financial institution or   ‘‘identity theft,’’ and authorized the FTC to further
 16 See   15 U.S.C. 1681a(b). 
                creditor are subject to a risk of identity theft.   define this term. See 15 U.S.C. 1681a.
                  Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                         63723

multiple individuals. By contrast,                     identity theft as ‘‘Red Flags’’ to better     consider aggravating factors that may
consumer groups supported a broad                      position financial institutions and           heighten the risk of identity theft in
interpretation of ‘‘identity theft,’’                  creditors to stop identity theft at its       determining an appropriate response to
including the incorporation of                         inception.                                    the Red Flags it detects.
‘‘attempted fraud’’ in the definition.                    Most industry commenters objected to          Section l.90(b)(10) Service Provider.
   Section l.90(b)(8) of the final rules               the broad scope of the definition of          The proposed regulations defined
adopts the definition of ‘‘identity theft’’            ‘‘Red Flag,’’ particularly the phrase         ‘‘service provider’’ as a person that
as proposed. The Agencies believe that                 ‘‘possible risk of identity theft.’’ These    provides a service directly to the
it is important to ensure that all                     commenters believed that this definition      financial institution or creditor. This
provisions of the FACT Act that address                would require financial institutions and      definition was based upon the
identity theft are interpreted in a                    creditors to identify all risks and           definition of ‘‘service provider’’ in the
consistent manner. Therefore, the final                develop procedures to prevent or              Information Security Standards.23
rule continues to define identity theft                mitigate them, without regard to the             One commenter agreed with this
with reference to the FTC’s regulation,                significance of the risk. They asserted       definition. However, two other
which as currently drafted provides that               that the statute does not support the use     commenters stated that the definition
the term ‘‘identity theft’’ means ‘‘a fraud            of ‘‘possible risk’’ and suggested            was too broad. They suggested
committed or attempted using the                       defining a ‘‘Red Flag’’ as an indicator of    narrowing the definition of ‘‘service
identifying information of another                     significant, substantial, or the probable     provider’’ to persons or entities that
person without authority.’’ 19 The FTC                 risk of identity theft. These commenters      have access to customer information.
defines the term ‘‘identifying                         stated that this would allow a financial         Section l.90(b)(10) of the final rules
information’’ to mean ‘‘any name or                    institution or creditor to focus              adopts the definition as proposed. The
number that may be used, alone or in                   compliance in areas where it is most          Agencies have concluded that defining
conjunction with any other information,                needed.                                       ‘‘service provider’’ to include only
to identify a specific person, including                  Most industry commenters also stated       persons that have access to customer
any—                                                   that the inclusion of precursors to           information would inappropriately
   (1) Name, social security number, date              identity theft in the definition of ‘‘Red     narrow the coverage of the final rules.
of birth, official State or government                 Flag’’ would make the regulations even        The Agencies have interpreted section
issued driver’s license or identification              broader and more burdensome. They             114 broadly to require each financial
number, alien registration number,                     stated that financial institutions and        institution and creditor to detect,
government passport number, employer                   creditors do not have the ability to          prevent, and mitigate identity theft not
or taxpayer identification number;                     detect and respond to precursors, such        only in connection with any existing
   (2) Unique biometric data, such as                  as phishing, in the same manner as            covered account, but also in connection
fingerprint, voice print, retina or iris               other Red Flags that are more indicative      with the opening of an account. A
image, or other unique physical                        of actual ongoing identity theft.             financial institution or creditor is
representation;                                           By contrast, consumer groups               ultimately responsible for complying
   (3) Unique electronic identification                supported the inclusion of the phrase         with the final rules and guidelines even
number, address, or routing code; or                   ‘‘possible risk of identity theft’’ and the   if it outsources an activity to a third-
   (4) Telecommunication identifying                   reference to precursors in the proposed       party service provider. Thus, a financial
information or access device (as defined               definition of ‘‘Red Flag.’’ These             institution or creditor that uses a service
in 18 U.S.C. 1029(e)).                                 commenters stated that placing                provider to open accounts will need to
   Thus, under the FTC’s regulation, the               emphasis on detecting precursors to           provide for the detection, prevention,
creation of a fictitious identity using any            identity theft, instead of waiting for        and mitigation of identity theft in
single piece of information belonging to               proven cases, is the right approach.          connection with this activity, even
a real person falls within the definition                 The Agencies have concluded that the       when the service provider has access to
of ‘‘identity theft’’ because such a fraud             phrase ‘‘possible risk’’ in the proposed      the information of a person who is not
involves ‘‘using the identifying                       definition of ‘‘Red Flag’’ is confusing       yet, and may not become, a ‘‘customer.’’
information of another person without                  and could unduly burden entities with
authority.’’ 20                                        limited resources. Therefore, the final       Section l.90(c) Periodic Identification
   Section l.90(b)(9) Red Flag. The                    rules define ‘‘Red Flag’’ in § l.90(b)(9)     of Covered Accounts
proposed regulations defined ‘‘Red                     using language derived directly from             To simplify compliance with the final
Flag’’ as a pattern, practice, or specific             section 114, namely, ‘‘a pattern,             rules, the Agencies added a new
activity that indicates the possible risk              practice, or specific activity that           provision in § l.90(c) that requires each
of identity theft. The preamble to the                 indicates the possible existence of           financial institution and creditor to
proposed rules explained that indicators               identity theft.’’ 22                          periodically determine whether it offers
of a ‘‘possible risk’’ of identity theft                  The Agencies continue to believe,          or maintains any covered accounts. As
would include precursors to identity                   however, that financial institutions and      a part of this determination, a financial
theft such as phishing,21 and security                 creditors should consider precursors to       institution or creditor must conduct a
breaches involving the theft of personal               identity theft in order to stop identity      risk assessment to determine whether it
information, which often are a means to                theft before it occurs. Therefore, as
acquire the information of another                     described below, the Agencies have               23 The Information Security Standards define
person for use in committing identity                  chosen to address precursors directly,        ‘‘service provider’’ to mean any person or entity
theft. The preamble explained that the                 through a substantive provision in            that maintains, processes, or otherwise is permitted
Agencies included such precursors to                                                                 access to customer information or consumer
                                                       section IV of the guidelines titled           information through the provision of services
                                                       ‘‘Prevention and Mitigation,’’ rather         directly to the financial institution. 12 CFR part 30,
  19 See 16 CFR 603.2(a).                              than through the definition of ‘‘Red          app. B (national banks); 12 CFR part 208, app. D–
  20 See 16 CFR 603.2(b).
                                                       Flag.’’ This provision states that a          2 and part 225, app. F (state member banks and
  21 Electronic messages to customers of financial                                                   holding companies); 12 CFR part 364, app. B (state
institutions and creditors directing them to provide   financial institution or creditor should      non-member banks); 12 CFR part 570, app. B
personal information in response to a fraudulent                                                     (savings associations); 12 CFR part 748, App. A
e-mail.                                                 22 15   U.S.C. 1681m(c)(2)(A).               (credit unions).
63724             Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

offers or maintains covered accounts                    § l.90(d), which described the               conducting safe, sound, and compliant
described in § l.90(b)(3)(ii) (accounts                 development and implementation of a          operations. Some of these commenters
other than consumer accounts), taking                   Program. It also stated that the Program     urged the Agencies to revise the final
into consideration:                                     must address financial, operational,         rules and guidelines and adopt an
   • The methods it provides to open its                compliance, reputation, and litigation       approach similar to the Information
accounts;                                               risks and be appropriate to the size and     Security Standards which they
   • The methods it provides to access                  complexity of the financial institution      characterized as providing institutions
its accounts; and                                       or creditor and the nature and scope of      with an outline of issues to consider
   • Its previous experiences with                      its activities.                              without requiring specific approaches.
identity theft.                                            Some commenters believed that the            Although a few commenters believed
   Thus, a financial institution or                     proposed regulations exceeded the            that the proposed requirement to update
creditor should consider whether, for                   scope of section 114 by covering deposit     the Program was burdensome and
example, a reasonably foreseeable risk                  accounts and by requiring a response to      should be eliminated, most commenters
of identity theft may exist in connection               the risk of identity theft, not just the     agreed that the Program should be
with business accounts it offers or                     identification of the risk of identity       designed to address changing risks over
maintains that may be opened or                         theft. One commenter expressed               time. A number of these commenters,
accessed remotely, through methods                      concern about the application of the         however, objected to the requirement
that do not require face-to-face contact,               Program to existing accounts.                that the Program must be designed to
such as through the internet or                            The SBA commented that requiring          address changing identity theft risks ‘‘as
telephone. In addition, those                           all small businesses covered by the          they arise,’’ as too burdensome a
institutions and creditors that offer or                regulations to create a written Program      standard. Instead, they recommended
maintain business accounts that have                    would be overly burdensome. Several          that the final regulations require a
been the target of identity theft should                financial institution commenters             financial institution or creditor to
factor those experiences with identity                  objected to what they perceived as a         reassess periodically whether to adjust
theft into their determination.                         proposed requirement that financial          the types of accounts covered or Red
   This provision is modeled on various                 institutions and creditors have a written    Flags to be detected based upon any
process-oriented and risk-based                         Program solely to address identity theft.    changes in the types and methods of
regulations issued by the Agencies, such                They recommended that the final              identity theft that an institution or
as the Information Security Standards.                  regulations allow a covered entity to        creditor has experienced.
Compliance with this type of regulation                 simply maintain or expand its existing          Section l.90(d) of the final rules
is based upon a regulated entity’s own                  fraud prevention and information             requires each financial institution or
preliminary risk assessment. The risk                   security programs as long as they            creditor that offers or maintains one or
assessment required here directs a                      included the detection, prevention, and      more covered accounts to develop and
financial institution or creditor to                    mitigation of identity theft. Some of        implement a written Program that is
determine, as a threshold matter,                       these commenters stated that requiring       designed to detect, prevent, and mitigate
whether it will need to have a                          a written program would merely focus         identity theft in connection with the
Program.24 If a financial institution or                examiner attention on documentation          opening of a covered account or any
creditor determines that it does need a                 and cause financial institutions to          existing covered account. To signal that
Program, then this risk assessment will                 produce needless paperwork.                  the final rules are flexible, and allow
enable the financial institution or                        While commenters generally agreed         smaller financial institutions and
creditor to identify those accounts the                 that the Program should be appropriate       creditors to tailor their Programs to their
Program must address. This provision                    to the size and complexity of the            operations, the final rules state that the
also requires a financial institution or                financial institution or creditor, and the   Program must be appropriate to the size
creditor that initially determines that it              nature and scope of its activities, many     and complexity of the financial
does not need to have a Program to                      industry commenters objected to the          institution or creditor and the nature
reassess periodically whether it must                   prescriptive nature of this section. They    and scope of its activities.
develop and implement a Program in                      urged the Agencies to provide greater           The guidelines are appended to the
light of changes in the accounts that it                flexibility to financial institutions and    final rules to assist financial institutions
offers or maintains and the various other               creditors by allowing them to                and creditors in the formulation and
factors set forth in the provision.                     implement their own procedures as            maintenance of a Program that satisfies
                                                        opposed to those provided in the             the requirements of the regulation.
Section l.90(d)(1) Identity Theft                       proposed regulations. Several other          Section I of the guidelines, titled ‘‘The
Prevention Program Requirement                          commenters suggested permitting              Program,’’ makes clear that a covered
   Proposed § l.90(c) described the                     financial institutions and creditors to      entity may incorporate into its Program,
primary objectives of a Program. It                     take into account the cost and               as appropriate, its existing processes
stated that each financial institution or               effectiveness of policies and procedures     that control reasonably foreseeable risks
creditor must implement a written                       and the institution’s history of fraud       to customers or to the safety and
Program that includes reasonable                        when designing its Program.                  soundness of the financial institution or
policies and procedures to address the                     Several financial institution             creditor from identity theft, such as
risk of identity theft to its customers and             commenters maintained that the               those already developed in connection
to the safety and soundness of the                      Program required by the proposed rules       with the entity’s fraud prevention
financial institution or creditor, in the               was not sufficiently flexible. They          program. This will avoid duplication
manner described in proposed                            maintained that a true risk-based            and allow covered entities to benefit
                                                        approach would permit institutions to        from existing policies and procedures.
  24 The Agencies anticipate that some financial        prioritize the importance of various            The Agencies do not agree with those
institutions and creditors, such as various creditors   controls, address the most important         commenters who asserted that the scope
regualted by the FTC that solely engage in business-
to-business transactions, will be able to determine
                                                        risks first, and accept the good faith       of the proposed regulations (and hence
that they do not need to develop and implement a        judgments of institutions in                 the final rules that adopt the identical
Program.                                                differentiating among their options for      approach with respect to these issues)
              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                    63725

exceed the Agencies’’ statutory                  The Agencies’ interpretation of                        The Agencies recognize that requiring
mandate. First, section 114 clearly           section 114 is also supported by the                   a written Program will impose some
permits the Agencies to issue                 legislative history that indicates                     burden. However, the Agencies believe
regulations and guidelines that address       Congress expected the Agencies to issue                the benefit of being able to assess a
more than the mere identification of the      regulations and guidelines for the                     covered entity’s compliance with the
risk of identity theft. Section 114           purposes of ‘‘identifying and preventing               final rules by evaluating the adequacy
contains a broad mandate directing the        identity theft.’’ 25                                   and implementation of its written
Agencies to issue guidelines ‘‘regarding         Finally, the Agencies’ interpretation               Program outweighs the burdens
identity theft’’ and to prescribe             of section 114 is broad, based on a                    imposed by this requirement.
regulations requiring covered entities to     public policy perspective that                            Moreover, although the final rules
establish reasonable policies and             regulations and guidelines addressing                  continue to require a written Program,
procedures for implementing the               the identification of the risk of identity             as detailed below, the Agencies have
guidelines. Second, two provisions in         theft, without addressing the prevention               substantially revised the proposal to
section 114 indicate that Congress            and mitigation of identity theft, would                focus the final rules and guidelines on
expected the Agencies to issue final          not be particularly meaningful or                      reasonably foreseeable risks, make the
regulations and guidelines requiring          effective.                                             final rules less prescriptive, and provide
financial institutions and creditors to          The Agencies also have concluded                    financial institutions and creditors with
detect, prevent, and mitigate identity        that the scope of section 114 does not                 more discretion to develop policies and
theft.                                        only apply to credit transactions, but                 procedures to detect, prevent, and
   The first relevant provision is codified                                                          mitigate identity theft.
                                              also applies, for example, to deposit
in section 615(e)(1)(C) of the FCRA,                                                                    Proposed § l.90(c) also provided that
                                              accounts. Section 114 refers to the risk
where Congress addressed a particular                                                                the Program must address changing
                                              of identity theft, generally, and not                  identity theft risks as they arise based
scenario involving card issuers. In that
                                              strictly in connection with credit.                    upon the experience of the financial
provision, Congress directed the
                                              Because identity theft can and does                    institution or creditor with identity theft
Agencies to prescribe regulations
                                              occur in connection with various types                 and changes in: Methods of identity
requiring a card issuer to take specific
                                              of accounts, including deposit accounts,               theft; methods to detect, prevent, and
steps to assess the validity of a change
                                              the final rules address identity theft in              mitigate identity theft; the types of
of address request when it receives such
                                              a comprehensive manner.                                accounts the financial institution or
a request and, within a short period of
time, also receives a request for an             Furthermore, nothing in section 114                 creditor offers; and its business
additional or replacement card. The           indicates that the regulations must only               arrangements, such as mergers and
regulations must prohibit a card issuer       apply to identity theft in connection                  acquisitions, alliances and joint
from issuing an additional or                 with account openings. The FTC has                     ventures, and service provider
replacement card under such                   defined ‘‘identity theft’’ as ‘‘a fraud                arrangements.
circumstances, unless it notifies the         committed or attempted using the                          The Agencies continue to believe that,
cardholder or ‘‘uses other means of           identifying information of another                     to ensure a Program’s continuing
assessing the validity of the change of       person without authority.’’ 26 Such                    effectiveness, it must be updated, at
address in accordance with reasonable         fraud may occur in connection with                     least periodically. However, in order to
policies and procedures established by        account openings and with existing                     simplify the final rules, the Agencies
the card issuer in accordance with the        accounts. Section 615(e)(3) states that                moved this requirement into the next
regulations prescribed [by the Agencies]      the guidelines that the Agencies                       section, where it is one of the required
* * *.’’ This provision makes clear           prescribe ‘‘shall not be inconsistent’’                elements of the Program, as discussed
that Congress contemplated that the           with the policies and procedures                       below.
Agencies’ regulations would require a         required under 31 U.S.C. 5318(l), a
                                              reference to the CIP rules which require               Development and Implementation of
financial institution or creditor to have
                                              certain financial institutions to verify               Identity Theft Prevention Program
policies and procedures not only to
identify Red Flags, but also, to prevent      the identity of customers opening new                     The remaining provisions of the
and mitigate identity theft.                  accounts. However, the Agencies do not                 proposed rules were set forth under the
   The second relevant provision is           read this phrase to prevent them from                  above-referenced section heading. Many
codified in section 615(e)(2)(B) of the       prescribing rules directed at existing                 commenters asserted that the Agencies
FCRA, and directs the Agencies to             accounts. To interpret the provision in                should simply articulate certain
consider addressing in the identity theft     this manner would solely authorize the                 objectives and provide financial
guidelines transactions that occur with       Agencies to prescribe regulations and                  institutions and creditors the flexibility
respect to credit or deposit accounts that    guidelines identical to and duplicative                and discretion to design policies and
have been inactive for more than two          of those already issued—making the                     procedures to fulfill the objectives of the
years. The Agencies must consider             Agencies’ regulatory authority in this                 Program without the level of detail
whether a creditor or financial               area superfluous and meaningless.27                    required under this section.
institution detecting such activity                                                                     As described earlier, to ensure that
should ‘‘follow reasonable policies that        25 See S. Rep. No. 108–166 at 13 (Oct. 17, 2003)     financial institutions and creditors are
provide for notice to be given to the         (accompanying S. 1753).                                able to design Programs that effectively
consumer in a manner reasonably                 26 16 CFR 603.2(a).
                                                                                                     address identity theft in a manner
                                                27 The Agencies’ conclusion is also supported by
designed to reduce the likelihood of                                                                 tailored to their own operations, the
                                              case law interpreting similar terminology, albeit in
identity theft with respect to such           a different context, finding that ‘‘inconsistent’’
                                                                                                     Agencies have made significant changes
account.’’ This provision signals that the    means it is impossible to comply with two laws         in the proposal by deleting whole
Agencies are authorized to prescribe          simultaneously, or one law frustrates the purposes     provisions or moving them into the
regulations and guidelines that               and objectives of another. See, e.g., Davenport v.     guidelines in Appendix J. More
                                              Farmers Ins. Group, 378 F.3d 839 (8th Cir. 2004);
comprehensively address identity              Retail Credit Co. v. Dade County, Florida, 393 F.
                                                                                                     specifically, the Agencies abbreviated
theft—in a manner that goes beyond the        Supp. 577 (S.D. Fla. 1975); Alexiou v. Brad Benson     the proposed requirements formerly
mere identification of possible risks.        Mitsubishi, 127 F. Supp.2d 557 (D.N.J. 2000).          located in the provisions titled
63726             Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

‘‘Identification and Evaluation of Red                the possible risk of identity theft to       Appendix J that were obsolete or not
Flags’’ and ‘‘Identity Theft Prevention               customers or to the safety and               appropriate for their activities.
and Mitigation’’ and have placed them                 soundness of the financial institution or       By contrast, consumer groups
under a section of the final rules titled             creditor. They criticized the phrase         criticized the flexibility and discretion
‘‘Elements of a Program.’’ The proposed               ‘‘possible risk’’ as too broad and stated    afforded to financial institutions and
requirements on ‘‘Staff Training,’’                   that it was unrealistic to impose upon       creditors in this section of the proposed
‘‘Oversight of Service Provider                       covered entities a continuing obligation     rules. These commenters urged the
Arrangements,’’ and ‘‘Involvement of                  to incorporate into their Programs Red       Agencies to make certain Red Flags from
Board of Directors and Senior                         Flags to address virtually any new           Appendix J mandatory, such as a fraud
Management’’ are now in a section of                  identity theft incident or trend and         alert on a consumer report.
the final rules titled ‘‘Administration of            potential fraud prevention measure.             Proposed § l.90(d)(1)(ii) provided
the Program.’’ The guidelines in                      These commenters stated that this            that in order to identify which Red Flags
Appendix J elaborate on these                         would be a burdensome compliance             are relevant to detecting a possible risk
requirements. A discussion of the                     exercise that would limit flexibility and    of identity theft to its customers or to its
comments received on these sections of                add costs, which in turn, would take         own safety and soundness, the financial
the proposed rules, and the                           away limited resources from the              institution or creditor must consider:
corresponding sections of the final rules             ultimate objective of combating identity        A. Which of its accounts are subject
and guidelines follows.                               theft.                                       to a risk of identity theft;
                                                         Many commenters objected to the              B. The methods it provides to open
Section l.90(d)(2)(i) Element I of the                proposed requirement that the Red Flags
Program: Identification of Red Flags                                                               these accounts;
                                                      identified by a financial institution or        C. The methods it provides to access
   Proposed § l.90(d)(1)(i) required a                creditor reflect changing identity theft     these accounts; and
Program to include policies and                       risks to customers and to the financial         D. Its size, location, and customer
procedures to identify which Red Flags,               institution or creditor ‘‘as they arise.’’
                                                                                                   base.
singly or in combination, are relevant to             These commenters requested that the
                                                                                                      While some industry commenters
detecting the possible risk of identity               final rules permit financial institutions
                                                                                                   thought the enumerated factors were
theft to customers or to the safety and               and creditors a reasonable amount of
                                                                                                   appropriate, other commenters stated
soundness of the financial institution or             time to adjust the Red Flags included in
                                                                                                   that the factors on the list were not
creditor, using the risk evaluation                   their Programs.
                                                         Some commenters agreed that the           necessarily the ones used by financial
described in § l.90(d)(1)(ii). It also                                                             institutions to identify risk and were
required the Red Flags identified to                  enumerated sources of Red Flags were
                                                      appropriate. A few commenters stated         irrelevant to any determination of
reflect changing identity theft risks to                                                           identity theft or actual fraud. These
customers and to the financial                        that financial institutions and creditors
                                                      should not be required to include in         commenters maintained that this
institution or creditor as they arise.                                                             proposed requirement would require
   Proposed § l.90(d)(1)(i) provided that             their Programs any Red Flags except for
                                                      those set forth in Appendix J or in          financial institutions to develop entirely
each financial institution and creditor                                                            new programs that may not be as
must incorporate into its Program                     supervisory guidance, or that they had
                                                      experienced. However, most                   effective or efficient as those designed
relevant Red Flags from Appendix J.                                                                by anti-fraud experts. Therefore, they
The preamble to the proposed rules                    commenters objected to the requirement
                                                      that, at a minimum, the Program              recommended that the final rules
acknowledged that some Red Flags that                                                              provide financial institutions and
are relevant today may become obsolete                incorporate any relevant Red Flags from
                                                      Appendix J.                                  creditors with wide latitude to
as time passes. The preamble stated that                                                           determine what factors they should
the Agencies expected to update                          Some financial institution
                                                      commenters urged deletion of the             consider and how they categorize them.
Appendix J periodically,28 but that it                                                             These commenters urged the Agencies
may be difficult to do so quickly enough              proposed requirement to include a list
                                                      of relevant Red Flags in their Program.      to refrain from providing a list of factors
to keep pace with rapidly evolving                                                                 that financial institutions and creditors
patterns of identity theft or as quickly as           They stated that a financial institution
                                                      should be able to assess which Red           would have to consider because a finite
financial institutions and creditors                                                               list could limit their ability to adapt to
experience new types of identity theft.               Flags are appropriate without having to
                                                      justify to an examiner why it failed to      new forms of identity theft.
Therefore, proposed § l.90(d)(1)(i) also
                                                      include a specific Red Flag on a list.          Some commenters suggested that the
provided that each financial institution
                                                      Other commenters recommended that            risk evaluation include an assessment of
and creditor must incorporate into its
                                                      the list of Red Flags in Appendix J be       other factors such as the likelihood of
Program relevant Red Flags from
                                                      illustrative only. These commenters          harm, the cost and operational burden
applicable supervisory guidance,
                                                      recommended that a financial                 of using a particular Red Flag and the
incidents of identity theft that the
                                                      institution or creditor be permitted to      effectiveness of a particular Red Flag for
financial institution or creditor has
                                                      include any Red Flags on its list that it    that institution or creditor. Some
experienced, and methods of identity
                                                      concludes are appropriate. They              commenters suggested that the factors
theft that the financial institution or
                                                      suggested that the Agencies encourage        refer to the likely risk of identity theft,
creditor has identified that reflect
                                                      institutions to review the list of Red       while others suggested that the factors
changes in identity theft risks.
                                                      Flags, and use their own experience and      be modified to refer to the possible risk
   Some commenters objected to the
                                                      expertise to identify other Red Flags that   of identity theft to which each type of
proposed requirement that the Program
                                                      become apparent as fraudsters adapt          account offered by the financial
contain policies and procedures to
                                                      and develop new techniques. They             institution or creditor is subject. Other
identify which Red Flags, singly or in
                                                      maintained that in this manner,              commenters, including a trade
combination, are relevant to detecting
                                                      institutions and creditors would be able     association representing small financial
  28 Section 114 directs the Agencies to update the   to identify the appropriate Red Flags        institutions, asked the Agencies to
guidelines as often as necessary. See 15 U.S.C.       and not waste limited resources and          provide guidelines on how to conduct a
1681m(e)(1)(a).                                       effort addressing those Red Flags in         risk assessment.
               Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                          63727

   The final rules continue to address            Section II of the guidelines also gives   flexibility to be able to adapt to rapidly
the identification of relevant Red Flags,      examples of sources from which               changing risks of identity theft.
but simply state that the first element of     financial institutions and creditors
                                                                                            Sections l.90(d)(2)(ii) and (iii)
a Program must be reasonable policies          should derive relevant Red Flags, rather
                                                                                            Elements II and III of the Program:
and procedures to identify relevant Red        than requiring that the Program
                                                                                            Detection of and Response to Red Flags
Flags for the covered accounts that the        incorporate relevant Red Flags strictly
financial institution or creditor offers or    from the four sources listed in the             Proposed § l.90(d)(2) stated that the
maintains. The final rules also state that     proposed rules. Section II states that a     Program must include reasonable
a financial institution or creditor must       financial institution or creditor should     policies and procedures designed to
incorporate these Red Flags into its           incorporate into its Program relevant        prevent and mitigate identity theft in
Program.                                       Red Flags from sources such as: (1)          connection with the opening of an
   The final rules do not require policies     Incidents of identity theft that the         account or any existing account. This
and procedures for identifying which           financial institution or creditor has        section then described the policies and
Red Flags are relevant to detecting a          experienced; (2) methods of identity         procedures that the Program must
‘‘possible risk’’ of identity theft.           theft that the financial institution or      include, some of which related solely to
Moreover, as described below, a covered        creditor has identified that reflect         account openings while others related to
entity’s obligation to update its Red          changes in identity theft risks; and (3)     existing accounts.
Flags is now a separate element of the         applicable supervisory guidance.                Some financial institution
                                                  The Agencies have deleted the             commenters acknowledged that
Program. The section of the proposed
                                               reference to the Red Flags in Appendix       reference to prevention and mitigation
rules describing the various factors that
                                               J as a source. Instead, a separate           of identity theft was generally a good
a financial institution or creditor must
                                               provision in section II of the guidelines,   objective, but they urged that the final
consider to identify relevant Red Flags,
                                               titled ‘‘Categories of Red Flags,’’ states   rules refrain from prescribing how
and the sources from which a financial
                                               that the Program of a financial              financial institutions must achieve it.
institution or creditor must derive its
                                               institution or creditor ‘‘should include’’   Others noted that the CIP rules and the
Red Flags, are now in section II of the
                                               relevant Red Flags from five particular      Information Security Standards already
guidelines titled ‘‘ Identifying Relevant
                                               categories ‘‘as appropriate.’’ The           required many of the steps in the
Red Flags.’’
                                               Agencies have included these                 proposal. They recommended that the
   The Agencies acknowledge that                                                            final rules recognize this and clarify that
establishing a finite list of factors that a   categories, which summarize the
                                               various types of Red Flags that were         compliance with parallel requirements
financial institution or creditor must                                                      would be sufficient for compliance
consider when identifying relevant Red         previously enumerated in Appendix J,
                                               in order to provide additional non-          under these rules.
Flags for covered accounts could limit                                                         Section l.90(d)(1) of the final rules
                                               prescriptive guidance regarding the
the ability of a financial institution or                                                   requires financial institutions and
                                               identification of relevant Red Flags.
creditor to respond to new forms of                                                         creditors to develop and implement a
                                                  Section II of the guidelines also notes
identity theft. Therefore, section II of the   that ‘‘examples’’ of individual Red Flags    written Program to detect, prevent, and
guidelines contains a list of factors that     from each of the five categories are         mitigate identity theft in connection
a financial institution or creditor            appended as Supplement A to                  with the opening of a covered account
‘‘should consider * * * as                     Appendix J. The examples in                  or any existing covered account.
appropriate’’ in identifying relevant Red      Supplement A are a list of Red Flags         Therefore, the Agencies concluded that
Flags.                                         similar to those found in the proposed       it was not necessary to reiterate this
   The Agencies also modified the list in      rules. The Agencies did not intend for       requirement in § l.90(d)(2). The
order to provide more appropriate              these examples to be a comprehensive         Agencies have deleted the prefatory
examples of factors for consideration by       list of all types of identity theft that a   language from proposed § l.90(d)(2) on
a financial institution or creditor            financial institution or creditor may        prevention and mitigation in order to
determining which Red Flags may be             experience. When identifying Red Flags,      streamline the final rules. The various
relevant. These factors are:                   financial institutions and creditors must    provisions addressing prevention and
   • The types of covered accounts it          consider the nature of their business        mitigation formerly in this section,
offers or maintains;                           and the type of identity theft to which      namely, verification of identity,
   • The methods it provides to open its       they may be subject. For instance,           detection of Red Flags, assessment of
covered accounts;                              creditors in the health care field may be    the risk of Red Flags, and responses to
   • The methods it provides to access         at risk of medical identity theft (i.e.,     the risk of identity theft, have been
its covered accounts; and                      identity theft for the purpose of            incorporated into the final rules as
   • Its previous experiences with             obtaining medical services) and,             ‘‘Elements of the Program’’ and into the
identity theft.                                therefore, must identify Red Flags that      guidelines elaborating on these
   Thus, for example, Red Flags relevant       reflect this risk.                           provisions. Comments received
to deposit accounts may differ from               The Agencies also have decided not to     regarding these provisions and the
those relevant to credit accounts, and         single out any specific Red Flags as         manner in which they have been
those applicable to consumer accounts          mandatory for all financial institutions     integrated into the final rules and
may differ from those applicable to            and creditors. Rather, the final rule        guidelines follows.
business accounts. Red Flags                   continues to follow the risk-based, non-
appropriate for accounts that may be           prescriptive approach regarding the          Detecting Red Flags
opened or accessed remotely may differ         identification of Red Flags that was set       Proposed § l.90(d)(2)(i) stated that
from those that require face-to-face           forth in the proposal. The Agencies          the Program must include reasonable
contact. In addition, a financial              recognize that the final rules and           policies and procedures to obtain
institution or creditor should consider        guidelines cover a wide variety of           identifying information about, and
identifying as relevant those Red Flags        financial institutions and creditors that    verify the identity of, a person opening
that directly relate to its previous           offer and maintain many different            an account. This provision was
experiences with identity theft.               products and services, and require the       designed to address the risk of identity
63728               Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

theft to a financial institution or creditor      In the final rules, the detection of Red            existing policies and procedures and to
that occurs in connection with the             Flags is the second element of the                     develop and implement risk-based
opening of new accounts.                       Program. The final rules provide that a                policies and procedures that detect Red
   The proposed rules stated that any          Program must contain reasonable                        Flags in an effective and comprehensive
financial institution or creditor would        policies and procedures to detect the                  manner.
be able to satisfy the proposed                Red Flags that a financial institution or
requirement in § l.90(d)(2)(i) by using        creditor has incorporated into its                     Responding to Red Flags
the policies and procedures for identity       Program.                                                  Proposed § l.90(d)(2)(iii) stated that
verification set forth in the CIP rules.          Section III of the guidelines provides              to prevent and mitigate identity theft,
The preamble to the proposed rules             examples of various means to detect Red                the Program must include policies and
explained that although the CIP rules          Flags. It states that the Program’s                    procedures to assess whether the Red
exclude a variety of entities from the         policies and procedures should address                 Flags the financial institution or creditor
definition of ‘‘customer’’ and exclude a       the detection of Red Flags in connection               detected pursuant to proposed
number of products and relationships           with the opening of covered accounts,                  § l.90(d)(2)(ii) evidence a risk of
from the definition of ‘‘account,’’ 29 the     such as by obtaining identifying                       identity theft. It also stated that a
Agencies were not proposing any                information about, and verifying the                   financial institution or creditor must
exclusions from either of these terms          identity of, a person opening a covered                have a reasonable basis for concluding
given the risk-based nature of the             account, for example, using the policies               that a Red Flag (detected) does not
regulations.                                   and procedures regarding identification                evidence a risk of identity theft.
   Most commenters supported this              and verification set forth in the CIP                     Financial institution commenters
provision. Many of these commenters            rules. Section III also states that the                expressed concern that this standard
urged the Agencies to include in the           Program’s policies and procedures                      would force an institution to justify to
final rules a clear statement                  should address the detection of Red                    examiners why it did not take measures
acknowledging that financial                   Flags in connection with existing                      to respond to a particular Red Flag.
institutions and creditors complying           covered accounts, such as by                           Some consumer groups believed it was
with the CIP rules would be deemed to          authenticating customers, monitoring                   appropriate to require a financial
be in compliance with this provision’s         transactions, and verifying the validity               institution or creditor to have a
requirements. Some of these                    of change of address requests, in the                  reasonable basis for concluding that a
commenters encouraged the Agencies to          case of existing covered accounts.                     particular Red Flag detected does not
place the exemptions from the CIP rules           Covered entities subject to the CIP                 evidence a risk of identity theft. Other
in these final rules for consistency in        rules, the Federal Financial Institution’s             consumer groups believed that this was
implementing both regulatory mandates.         Examination Council’s guidance on                      too weak a standard and that mandating
   Some commenters, however, believed          authentication,30 the Information                      the detection of certain Red Flags would
the requirement to verify the identity of      Security Standards, and Bank Secrecy                   be more effective and preventive.
a person opening an account duplicated         Act (BSA) rules 31 may already be                         Some commenters mistakenly read
the requirements in the CIP rules and          engaged in detecting Red Flags. These                  the proposed provision as requiring a
urged elimination of this redundancy.          entities may wish to integrate the                     financial institution or creditor to have
Other entities not already subject to the      policies and procedures already                        a reasonable basis for excluding a Red
CIP rules stated that complying with           developed for purposes of complying                    Flag listed in Appendix J from its
those rules would be very costly and           with these issuances into their                        Program requiring the mandatory review
burdensome. These commenters asked             Programs. However, such policies and                   and analysis of each and every Red Flag.
that the Agencies provide them with            procedures may need to be                              These commenters urged the Agencies
additional guidance regarding the CIP          supplemented. For example, the CIP                     to delete this provision.
rules.                                         rules were written to implement section                   Proposed § l.90(d)(2)(iv) stated that
   Consumer groups were concerned that         326 32 of the USA PATRIOT Act,33 an                    to prevent and mitigate identity theft,
use of the CIP rules would not                 Act directed toward facilitating the                   the Program must include policies and
adequately address identity theft. They        prevention, detection, and prosecution                 procedures that address the risk of
stated that the CIP rules allow accounts       of international money laundering and                  identity theft to the customer, the
to be opened before identity is verified,      the financing of terrorism. Certain types              financial institution, or creditor,
which is not the proper standard to            of ‘‘accounts,’’ ‘‘customers,’’ and                    commensurate with the degree of risk
prevent identity theft.                        products are exempted or treated                       posed. The proposed regulations also
   As described below, the Agencies            specially in the CIP rules because they                provided an illustrative list of measures
have moved verification of the identity        pose a lower risk of money laundering                  that a financial institution or creditor
of persons opening an account into             or terrorist financing. Such special                   could take, including:
section III of the guidelines where it is      treatment may not be appropriate to                       • Monitoring an account for evidence
described as one of the policies and           accomplish the broader objective of                    of identity theft;
procedures that a financial institution or     detecting, preventing, and mitigating                     • Contacting the customer;
creditor should have to detect Red Flags       identity theft. Accordingly, the Agencies                 • Changing any passwords, security
in connection with the opening of a            expect all financial institutions and                  codes, or other security devices that
covered account.                               creditors to evaluate the adequacy of                  permit access to a customer’s account;
   Proposed § l.90(d)(2)(ii) stated that                                                                 • Reopening an account with a new
the Program must include reasonable              30 ‘‘Authentication in an Internet Banking           account number;
policies and procedures to detect the          Environment’’ (October 12, 2005) available at             • Not opening a new account;
Red Flags identified pursuant to               http://www.ffiec.gov/press/pr101205.htm.                  • Closing an existing account;
paragraph § l.90(d)(1). The Agencies             31 See, e.g. 12 CFR 21.21 (national banks); 12 CFR
                                                                                                         • Notifying law enforcement and, for
                                               208.63 (state member banks); 12 CFR 326.8 (state
did not receive any specific comments          non-member banks); 12 CFR 563.177 (savings
                                                                                                      those that are subject to 31 U.S.C.
on this provision.                             associations); and 12 CFR 748.2 (credit unions).       5318(g), filing a Suspicious Activity
                                                 32 31 U.S.C. 5318(l). 
                              Report in accordance with applicable
 29 See,   e.g., 31 CFR 103.121(a).              33 Pub. L. 107–56. 
                                 law and regulation;
               Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                           63729

   • Implementing any requirements             § l.90(d)(2)(iv) are now located in          inclusion of a fraud alert or active duty
regarding limitations on credit                section IV of the guidelines, titled         alert in his or her credit file is exercising
extensions under 15 U.S.C. 1681c–1(h),         ‘‘Prevention and Mitigation of Identity      a right under the FCRA, which is a part
such as declining to issue an additional       Theft.’’ Section IV states that the          of the CCPA, 15 U.S.C. 1601, et seq.
credit card when the financial                 Program’s policies and procedures            When a credit file contains a fraud or
institution or creditor detects a fraud or     should provide for appropriate               active duty alert, section 605A of the
active duty alert associated with the          responses to the Red Flags the financial     FCRA, 15 U.S.C. 1681c–1(h), requires a
opening of an account, or an existing          institution or creditor has detected that    creditor to take certain steps before
account; or                                    are commensurate with the degree of          extending credit, increasing a credit
   • Implementing any requirements for         risk posed. In addition, as described        limit, or issuing an additional card on
furnishers of information to consumer          earlier, the final rules do not define Red   an existing credit account. For an initial
reporting agencies under 15 U.S.C.             Flags to include indicators of a             or active duty alert, these steps include
1681s–2, to correct or update inaccurate       ‘‘possible risk’’ of identity theft          utilizing reasonable policies and
or incomplete information.                     (including ‘‘precursors’’ to identity        procedures to form a reasonable belief
   Some commenters agreed that                 theft). Instead, section IV states that in   that the creditor knows the identity of
financial institutions and creditors           determining an appropriate response, a       the consumer and, where a consumer
should be able to use their own                financial institution or creditor should     has specified a telephone number for
judgment to determine which measures           consider aggravating factors that may        identity verification purposes,
to take depending upon the degree of           heighten the risk of identity theft, and     contacting the consumer at that
risk that is present. However, consumer        provides examples of such factors.           telephone number or taking reasonable
groups believed that the final rules              The Agencies also modified the            steps to verify the consumer’s identity
should require notification of                 examples of appropriate responses as         and confirm that the application is not
consumers in every case where a Red            follows. First, the Agencies added ‘‘not     the result of identity theft, 15 U.S.C.
Flag that requires a response has been         attempting to collect on a covered           1681c–1(h)(1)(B).
detected.                                      account or not selling a covered account        The purpose of the footnote was to
   Other commenters objected to some of        to a debt collector’’ as a possible          remind financial institutions and
the examples given as measures that            response to Red Flags detected. Second,      creditors of their legal responsibilities in
financial institutions and creditors           the Agencies added ‘‘determining that        circumstances where a consumer has
could take to address the risk of identity     no response is warranted under the           placed a fraud or active duty alert on his
theft. For example, one commenter              particular circumstances’’ to make clear     or her consumer report. In particular,
objected to the inclusion, as an example,      that an appropriate response may be no       the Agencies have concerns that in some
of the requirements regarding                  response, especially, for example, when      cases, creditors have adopted policies of
limitations on credit extensions under         a financial institution or creditor has a    automatically denying credit to
15 U.S.C. 1681c–1(h). The commenter            reasonable basis for concluding that the     consumers whenever an initial fraud
stated that this statutory provision is        Red Flags detected do not evidence a         alert or an active duty alert appears on
confusing, useless, and should not be          risk of identity theft.                      an applicant’s consumer report. The
referenced in the final rules. Other              In addition, the Agencies moved the       Agencies agree that this rulemaking is
commenters suggested that the Agencies         proposed examples, that referenced           not the appropriate vehicle for
clarify that the inclusion of this             responses mandated by statute, to            addressing issues under ECOA.
statutory provision in the proposed            section VII of the guidelines titled         However, the Agencies will continue to
rules as an example of how to address          ‘‘Other Applicable Legal Requirements’’      evaluate compliance with ECOA
the risk of identity theft did not make        to highlight that certain responses are      through their routine examination or
this provision discretionary.                  legally required.                            enforcement processes, including issues
   The final rules merge the concepts             The section of the proposal listing       related to fraud and active duty alerts.
previously in proposed § l.90(d)(2)(iii)       examples of measures to address the
and § l.90(d)(2)(iv) into the third            risk of identity theft included a footnote   Section l.90(d)(2)(iv) Element IV of
element of the Program: reasonable             that discussed the relationship between      the Program: Updating the Program
policies and procedures to respond             a consumer’s placement of a fraud or            To ensure that the Program of a
appropriately to any Red Flags that are        active duty alert on his or her consumer     financial institution or creditor remains
detected pursuant to paragraph (d)(2)(ii)      report and ECOA, 15 U.S.C. 1691, et seq.     effective over time, the final rules
of this section to prevent and mitigate        A few commenters objected to this            provide a fourth element of the Program:
identity theft.                                footnote. Some commenters believed           policies and procedures to ensure the
   In order to ‘‘respond appropriately,’’ it   that creditors had a right to deny credit    Program (including the Red Flags
is implicit that a financial institution or    automatically whenever a fraud or            determined to be relevant) is updated
creditor must assess whether the Red           active duty alert appears on the             periodically to reflect changes in risks to
Flags detected evidence a risk of              consumer report of an applicant. Other       customers and to the safety and
identity theft, and must have a                commenters believed that the footnote        soundness of the financial institution or
reasonable basis for concluding that a         raised complex issues under the ECOA         creditor from identity theft. As
Red Flag does not evidence a risk of           and FCRA that required more thorough         described earlier, this element replaces
identity theft. Therefore, the Agencies        consideration, and questioned the need       the requirements formerly in proposed
concluded that it is not necessary to          and appropriateness of addressing            § l.90(c)(2) which stated that the
specify any such separate assessment,          ECOA in the context of this rulemaking.      Program must be designed to address
and, accordingly, deleted the language            Under ECOA, it is unlawful for a          changing identity theft risks as they
from the proposal regarding assessing          creditor to discriminate against any         arise, and proposed § l.90(d)(1)(i)
Red Flags and addressing the risk of           applicant for credit because the             which stated that the Red Flags
identity theft.                                applicant has in good faith exercised        included in a covered entity’s Program
   Most of the examples of measures for        any right under the Consumer Credit          must reflect changing identity theft risks
preventing and mitigating identity theft       Protection Act (CCPA), 15 U.S.C.             to customers and to the financial
previously listed in proposed                  1691(a). A consumer who requests the         institution or creditor as they arise.
63730         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

Unlike the proposed provisions,              implementation, and maintenance of the      insure uniformity of policy throughout
however, this element only requires          Program, including assigning specific       large organizations.
‘‘periodic’’ updating. The Agencies          responsibility for its implementation.         Some commenters stated that the
concluded that requiring financial           The proposal also provided that persons     preparation of reports for board review
institutions and creditors to                charged with overseeing the Program         would be costly and burdensome. The
immediately and continuously update          must review reports prepared at least       SBA suggested that the FTC consider a
their Programs would be overly               annually by staff regarding compliance      one-page certification option for small
burdensome.                                  by the financial institution or creditor    low-risk entities to minimize the burden
   Section V of the guidelines elaborates    with the regulations.                       of reports. One commenter opined that
on the obligation to ensure that the            Proposed § l.90(d)(5)(iii) stated that   it would be sufficient if the Agencies
Program is periodically updated. It          reports must discuss material matters       mandated that covered entities
reiterates the factors previously in         related to the Program and evaluate         continuously review and evaluate the
proposed § l.90(c)(2) that should cause      issues such as: The effectiveness of the    policies and procedures they adopted
a financial institution or creditor to       policies and procedures of the financial    pursuant to the regulations and modify
update its Program, such as its own          institution or creditor in addressing the   them as necessary. Consumer groups
experiences with identity theft, changes     risk of identity theft in connection with   suggested that the final rules
in methods of identity theft, changes in     the opening of accounts and with            specifically require financial
methods to detect, prevent and mitigate      respect to existing accounts; service       institutions and creditors to adjust their
identity theft, changes in accounts that     provider arrangements; significant          Programs to address deficiencies raised
it offers or maintains, and changes in its   incidents involving identity theft and      by their annual reports.
business arrangements.                       management’s response; and                     Commenters generally took the
Section l.90(e) Administration of the        recommendations for changes in the          position that reports to the board, a
Program                                      Program.                                    board committee, or senior management
                                                Some commenters agreed that identity     regarding compliance with the final
   The final rules group the remaining                                                   rules should be prepared at most on a
provisions of the proposed rules under       theft is an important issue, and the
                                             board, therefore, should be involved in     yearly basis, or when significant
the heading ‘‘Administration of the                                                      changes have occurred that alter the
Program,’’ albeit in a different order       the overall development, approval, and
                                             oversight of the Program. These             institution’s risk. One commenter
than proposed. This section of the final                                                 recommended a clarification that any
rules describes the steps that financial     commenters suggested that the final
                                             rules make clear that the board need not    reporting to the board of material
institutions and creditors must take to                                                  information relating to the Program
administer the Program, including:           be responsible for the day-to-day
                                             operations of the Program.                  could be combined with reporting
Obtaining approval of the initial written                                                obligations required under the
Program; ensuring oversight of the              Most industry commenters opposed
                                             the proposed requirement that the board     Information Security Standards.
development, implementation and                                                             Section l.90(e)(1) of the final rules
administration of the Program; training      or board committee approve the
                                             Program and receive annual reports          continues to require approval of the
staff; and overseeing service provider                                                   written Program by the board of
arrangements.                                about compliance with the Program.
                                             These commenters asserted that the          directors or an appropriate committee of
   A number of commenters criticized                                                     the board. However, to ensure that this
each of the proposed provisions              statute does not mandate such
                                             requirements, and that compliance with      requirement does not hamper the ability
regarding administration of the Program,                                                 of a financial institution or creditor to
arguing they were not specifically           these rules did not warrant more board
                                             attention than other regulations. They      update its Program in a timely manner,
required by section 114. The Agencies                                                    the final rules provide that the board or
believe the mandate in section 114 is        asserted that such requirements would
                                             impede the ability of a financial           an appropriate committee must approve
broad, and provides the Agencies with                                                    only the initial written Program.
an ample basis to issue rules and            institution or creditor to keep up with
                                             the fast-paced changes and                  Thereafter, at the discretion of the
guidelines containing these provisions                                                   covered entity, the board, a committee,
because they are critical to ensuring the    developments inherent with instances
                                             of fraud and identity theft. They stated    or senior management may update the
effectiveness of a Program. Therefore,                                                   Program.
the Agencies have retained these             that boards of directors should not be
                                                                                            Bank holding companies and their
elements in the final rules and              required to consider the minutiae of the
                                                                                         bank and non-bank subsidiaries will be
guidelines with some modifications, as       fraud prevention efforts of a financial
                                                                                         governed by the principles articulated
follows.                                     institution or creditor and suggested the
                                                                                         in connection with the banking
                                             task be delegated to senior management
Sections l.90(e)(1) and (2)                                                              agencies’’ Information Security
                                             with expertise in this area. Some
Involvement of the Board of Directors                                                    Standards:
                                             commenters suggested the final rules
and Senior Management                        provide a covered entity with the             The Agencies agree that subsidiaries
  Proposed § l.90(d)(5) highlighted the      discretion to assign oversight              within a holding company can use the
                                             responsibilities in a manner consistent     security program developed at the holding
responsibility of the board of directors
                                                                                         company level. However, if subsidiary
and senior management to develop,            with the institution’s own risk             institutions choose to use a security program
implement, and oversee the Program.          evaluation.                                 developed at the holding company level, the
Proposed § l.90(d)(5)(i) specifically           One commenter suggested that the         board of directors or an appropriate
required the board of directors or an        final rules permit the board of directors   committee at each subsidiary institution
appropriate committee of the board to        of a holding company to approve and         must conduct an independent review to
approve the written Program. Proposed        oversee the Program for the entire          ensure that the program is suitable and
§ l.90(d)(5)(ii) required that the board,    organization. The commenter explained       complies with the requirements prescribed
an appropriate committee of the board,       that this approach would eliminate the      by the subsidiary’s primary regulator * * * .
or senior management be charged with         need for redundant actions by a             66 FR 8620 (Feb. 1, 2001) (Preamble to
overseeing the development,                  multiplicity of boards, and help to         final Information Security Standards.)
                 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                              63731

   The Agencies recognize that boards of             available to smaller institutions to         perform an activity on its behalf and the
directors have many responsibilities and             provide training.                            requirements of the Program applied to
it generally is not feasible for a board to             Some financial institution                that activity, the financial institution or
involve itself in the detailed oversight,            commenters stated that it was not clear      creditor would be required to take steps
development, implementation, and                     why staff training would be specifically     designed to ensure the activity is
administration of the Program.                       required under the final rules, absent a     conducted in compliance with a
Accordingly, § l.90(e)(2) of the final               specific statutory requirement. They         Program that satisfies the regulations.
rules provides discretion to a financial             maintained that financial institutions       The preamble to the proposed rules
institution or creditor to determine who             have sufficient incentives to ensure that    explained that this provision would
will be responsible for these aspects of             appropriate staff is trained. Other          allow a service provider serving
the Program. It states that a financial              commenters suggested that the Agencies       multiple financial institutions and
institution or creditor must involve the             clarify that this provision would only       creditors to conduct activities on behalf
board of directors, an appropriate                   require training for relevant staff and      of these entities in accordance with its
committee thereof, or a designated                   would permit training on identity theft      own program to prevent identity theft,
employee at the level of senior                      that is integrated into overall staff        as long as the program meets the
management in the oversight,                         training on similar or overlapping           requirements of the regulations. The
development, implementation, and                     matters such as fraud prevention.            service provider would not need to
administration of the Program.                          One commenter objected to an              apply the particular Program of each
   Section VI of the guidelines elaborates           example in the preamble to the               individual financial institution or
on this provision of the final rules. The            proposed rules which stated that staff       creditor to whom it is providing
guidelines note that such oversight                  should be trained to detect ‘‘anomalous      services.
should include assigning specific                    wire transfers in connection with a             Several commenters asserted it would
                                                     customer’s deposit account.’’ The            be costly and burdensome for financial
responsibility for the Program’s
                                                     commenter stated that this example           institutions and creditors to ensure third
implementation and reviewing reports
                                                     potentially exposed financial                party compliance with the final rules
prepared by staff on compliance by the
                                                     institutions to significant and              and therefore, this provision should be
financial institution or creditor with this
                                                     unintended liability, predicting that        eliminated. They urged that financial
section. As suggested by commenters,
                                                     customers and law enforcement would          institutions and creditors be given
the guidelines also state that oversight
                                                     use the rules to support claims that         maximum flexibility to manage service
should include approving material
                                                     financial institutions are responsible for   provider relationships.
changes to the Program as necessary to
                                                     authorizing transactions by fraudsters.         Some financial institution
address changing identity theft risks.                                                            commenters also suggested that the
                                                     The commenter asserted that financial
Section VI also provides that reports                                                             Agencies withdraw this provision. They
                                                     institutions do not have systems that
should be prepared at least annually                                                              stated that the FACT Act does not
                                                     can detect these transactions because
and describes the contents of a report as                                                         address this issue and asserted that
                                                     they fall outside the usual fraud filter
proposed in § l.90(d)(5)(iii)(B).                                                                 there already is no doubt that if a
                                                     parameters.
   These steps are modeled on sections                  Section l.90(e)(3) of the final rules     financial institution delegates any of its
of the Information Security Standards.34             provides that a covered entity must train    operations to a third party, the
As noted previously, financial                       staff, as necessary, to effectively          institution will remain responsible for
institutions and creditors subject to                implement the Program. There is no           related regulatory compliance.
these Standards may combine elements                 corresponding section of the guidelines.        Other commenters stated that it
required under the final rules and                      The Agencies continue to believe          should remain a contractual matter
guidelines, including reports, with those            proper training will enable staff to         between the parties whether the service
required by the Standards, as they see               address the risk of identity theft.          provider may implement a program that
fit.                                                 However, this provision requires             is different from its financial institution
Section l.90(e)(3) Staff Training                    training of only relevant staff. In          client.
                                                     addition, staff that has already been           Consumer groups asked the Agencies
   Proposed § l.90(d)(3) required each               trained, for example, as a part of the       to ensure that the decision of a financial
financial institution or creditor to train           anti-fraud prevention efforts of the         institution or creditor to outsource
staff to implement its Program.                      financial institution or creditor, do not    would not lead to lower Red Flag
   Consumer groups believed that this                need to be re-trained except ‘‘as            standards. These commenters suggested
provision should be more detailed and                necessary.’’                                 the final rules state that the Program
specifically require monitoring,                        The Agencies recognize that some of       must also meet the requirements that
oversight, and auditing of a covered                 the examples, such as detecting              would apply if the activity were
entity’s training efforts. By contrast, a            ‘‘anomalous wire transfers in                performed without the use of a service
number of industry commenters                        connection with a customer’s deposit         provider. They also suggested the final
recommended that the Agencies                        account’’ may fall outside the usual         rules clarify that, in addition to any
withdraw this provision because they                 fraud filter parameters. However, the        responsibility on the service provider
believed it was burdensome. Some of                  Agencies expect that compliance with         imposed by law, regulation, or contract,
these commenters asserted that the                   the final rules will improve the ability     the financial institution or creditor
Agencies had not taken into account the              of financial institutions and creditors to   would be responsible for a failure to
limited personnel and resources                      detect, prevent, and mitigate identity       comply with the Program.
                                                     theft.                                          Most commenters, however, agreed
  34 A board approval requirement is also found in                                                with the proposal and stated that a
the BSA rules of the Federal banking agencies and    Section l.90(e)(4) Oversight of Service      service provider must have the
the NCUA. See 12 CFR 21.21; (OCC); 12 CFR 208.63     Provider Arrangements                        flexibility to meet the objectives of the
(Board); 12 CFR 326.8 (FDIC); 12 CFR 563.177
(OTS); and 12 CFR 748.2 (NCUA). Thus, contrary
                                                       Proposed § l.90(d)(4) stated that,         rules without having to tailor its
to the assertion of some commenters, this rule is    whenever a financial institution or          services to the Program requirements of
being treated in a manner similar to other rules.    creditor engaged a service provider to       each company for which it provides
63732         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

service. These commenters noted that         each financial institution or creditor                 proposed to afford each financial
this proposed approach was the same as       that is required to implement a Program                institution and creditor flexibility to
that used in the Information Security        must consider the guidelines in                        determine which Red Flags were
Standards.                                   Appendix J and include in its Program                  relevant for their purposes to detect
   The Agencies believe it is important      those guidelines that are appropriate.                 identity theft, including from among
to retain a provision in the final rules        Each of the guidelines corresponds to               those listed in Appendix J.
addressing service providers to remind       a provision of the final rules. As                        As mentioned previously, consumer
financial institutions and creditors that    mentioned earlier, the guidelines were                 groups criticized the discretion in the
they continue to remain responsible for      issued to assist financial institutions                proposal that permitted financial
compliance with the final rules, even if     and creditors in the development and                   institutions and creditors to choose Red
they outsource operations to a third         implementation of a Program that                       Flags relevant to detecting the risk of
party. However, the Agencies have            satisfies the requirements of the final                identity theft based upon the list of
simplified the service provider              rules. The guidelines provide policies                 enumerated factors. These groups urged
provision in the final rules and moved       and procedures that financial                          the Agencies to make certain Red Flags
the remaining parts of proposed              institutions and creditors should use,                 in Appendix J mandatory. In addition,
§ l.90(d)(4) to the guidelines.              where appropriate, to satisfy the                      consumer groups suggested a number of
   Section l.90(e)(4) of the final rules     regulatory requirements of the final                   additional Red Flags for inclusion in
provides that a covered entity must          rules. While an institution or a creditor              Appendix J.
exercise appropriate and effective           may determine that a particular                           Some commenters agreed that the list
oversight of service provider                guideline is not appropriate for its                   of examples of Red Flags was
arrangements, without further                circumstances, it nonetheless must                     appropriate because, in their view, it
elaboration. This provision provides         ensure its Program contains reasonable                 was designed to be flexible. Some
maximum flexibility to financial             policies and procedures to fulfill the                 industry commenters, including a
institutions and creditors in managing       requirements of the final rules. This                  number of small financial institutions,
their service provider arrangements,         approach provides financial institutions               stated that the Red Flags set forth in
while making clear that a covered entity     and creditors with the flexibility to                  Appendix J would assist them in
cannot escape its obligations to comply      determine ‘‘how best to develop and                    developing and improving their identity
with the final rules and to include in its   implement the required policies and                    theft prevention programs. Other
Program those guidelines that are            procedures.’’ 35                                       commenters suggested deleting the list
appropriate by simply outsourcing an
                                             Supplement A to Appendix J: Examples                   of Red Flags or modifying the list in a
activity.
   Section VI(c) of the guidelines           of Red Flags                                           manner appropriate to the nature of
provides that, whenever a financial                                                                 their own operations.
                                               Section 114 of the FACT Act states                      The Agencies have retained the list of
institution or creditor engages a service    that, in developing the guidelines, the
provider to perform an activity in                                                                  examples of Red Flags because section
                                             Agencies must identify patterns,                       114 states that the Agencies ‘‘shall
connection with one or more covered          practices, and specific forms of activity,
accounts, the financial institution or                                                              identify patterns, practices, and specific
                                             that indicate the possible existence of                forms of activity that indicate the
creditor should take steps to ensure that    identity theft. The Agencies proposed
the activity of the service provider is                                                             possible existence of identity theft.’’ The
                                             implementing this provision by                         Agencies also retained the list because
conducted in accordance with                 requiring the Program of a financial
reasonable policies and procedures                                                                  some commenters indicated that having
                                             institution or creditor to include                     examples of Red Flags would be helpful
designed to detect, prevent, and mitigate    policies and procedures for the
the risk of identity theft. Thus, the                                                               to them. However, the examples of Red
                                             identification and detection of Red Flags              Flags are now set forth in a separate
guidelines make clear that a service         in connection with an account opening
provider that provides services to                                                                  supplement to the guidelines. The list of
                                             or an existing account, including from                 examples is similar to that which the
multiple financial institutions and          among those listed in Appendix J.
creditors may do so in accordance with                                                              Agencies proposed, however, the Red
                                               The Agencies compiled the Red Flags                  Flags that the Agencies identified as
its own program to prevent identity          enumerated in Appendix J from a
theft, as long as the program meets the                                                             precursors to identity theft have been
                                             variety of sources, such as literature on              deleted and are now addressed in
requirements of the regulations. The         the topic, information from credit
guidelines also provide an example of                                                               section IV of the guidelines. Moreover,
                                             bureaus, financial institutions, creditors,            in response to a Congressional
how a covered entity may comply with         designers of fraud detection software,
this provision. The guidelines state that                                                           commenter, the Agencies added, as an
                                             and the Agencies’ own experiences. The                 example of a Red Flag, an application
a financial institution or creditor could    preamble to the proposed rules stated
require the service provider, by contract,                                                          that gives the appearance of having been
                                             that some of the Red Flags, by                         destroyed and reassembled.
to have policies and procedures to           themselves, may be reliable indicators
detect relevant Red Flags that may arise                                                               The introductory language to the
                                             of identity theft, while others are more
in the performance of the service                                                                   supplement clarifies that the
                                             reliable when detected in combination
provider’s activities and either report                                                             enumerated Red Flags are examples.
                                             with other Red Flags.
the Red Flags to the financial institution                                                          Thus, a financial institution or creditor
                                               The preamble to the proposed rules
or creditor or take appropriate steps to                                                            may tailor the Red Flags it chooses for
                                             explained that the Agencies recognized
prevent or mitigate identity theft.                                                                 its Program to its own operations. A
                                             that a wide range of financial
                                                                                                    financial institution or creditor will not
Section l.90(f) Consideration of             institutions and creditors, and a broad
                                                                                                    need to justify to an Agency its failure
Guidelines in Appendix J                     variety of accounts would be covered by
                                                                                                    to include in the Program a specific Red
                                             the regulations. Therefore, the Agencies
  The Agencies have added a provision                                                               Flag from the list of examples. However,
to the final rules that explains the           35 See H.R. Rep. No. 108–263 at 43 (Sept. 4, 2003)   a covered entity will have to account for
relationship of the rules to the             (accompanying H.R. 2622); S. Rep. No. 108–166 at       the overall effectiveness of a Program
guidelines. Section l.90(f) states that      13 (Oct. 17, 2003) (accompanying S. 1753).             that is appropriate to its size and
              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                 63733

complexity and the nature and scope of       within a short period of time (during at      issuer to follow reasonable policies and
its activities.                              least the first 30 days), receives a          procedures to assess the validity of a
                                             request for an additional or replacement      change of address, before issuing an
Inactive Accounts
                                             card for the same account, the issuer         additional or replacement card. Section
   Section 114 also directs the Agencies     must follow reasonable policies and           114 provides that a card issuer may
to consider whether to include               procedures to assess the validity of the      satisfy this requirement by notifying
reasonable guidelines for notifying the      change of address through one of three        ‘‘the cardholder.’’ The term
consumer when a transaction occurs in        methods. The card issuer may not issue        ‘‘cardholder’’ is not defined in the FACT
connection with a consumer’s credit or       the card unless it: (1) Notifies the          Act. The preamble to the proposed rules
deposit account that has been inactive       cardholder of the request at the              explained that the legislative record
for two years, in order to reduce the        cardholder’s former address and               relating to this provision indicates that
likelihood of identity theft. The            provides the cardholder with a means to       ‘‘issuers of credit cards and debit cards
preamble to the proposed rules noted         promptly report an incorrect address; (2)     who receive a consumer request for an
that the Agencies believed that the two-     notifies the cardholder of the address        additional or replacement card for an
year limit was not always an accurate        change request by another means of            existing account’’ may assess the
indicator of identity theft given the wide   communication previously agreed to by         validity of the request by notifying ‘‘the
variety of credit and deposit accounts       the issuer and the cardholder; or (3)         cardholder.’’ 36 As the preamble noted,
that would be covered by the provision.      uses other means of evaluating the            the request, presumably, will be valid if
Therefore, in place of guidelines on         validity of the address change in             the consumer making the request and
inactive accounts, the Agencies              accordance with the reasonable policies       the cardholder are one and the same
proposed incorporating a Red Flag on         and procedures established by the card        ‘‘consumer.’’ Therefore, the proposal
inactive accounts into Appendix J that       issuer to comply with the joint               defined ‘‘cardholder’’ as a consumer
was flexible and was designed to take        regulations described earlier regarding       who has been issued a credit or debit
into consideration the type of account,      identity theft.                               card. The preamble to the proposed
the expected pattern of usage of the            For this reason, the Agencies also         rules also explained that, because
account, and any other relevant factors.     proposed special rules that required          ‘‘consumer’’ is defined in the FCRA as
   Some consumer groups suggested that       credit and debit card issuers to assess       an ‘‘individual,’’ 37 the proposed
a new section be added to the guidelines     the validity of change of address             regulations applied to any request for an
requiring notice to the consumer when        notifications by notifying the cardholder     additional or replacement card by an
a transaction occurs in connection with      or through certain other means. The           individual, including a card for a
a consumer’s credit or deposit account       proposed regulations stated that a            business purpose, such as a corporate
that has been inactive for two years         financial institution or creditor that is a   card.
unless this pattern would be expected        card issuer may incorporate the                  Some commenters asked the Agencies
for a particular type of account. Other      requirements of § l.91 into its Program.      to clarify that this definition does not
commenters agreed with the Agencies’            As described in the section-by-section     apply to holders of stored value cards,
proposal to simply make activity on an       analysis that follows, commenters             such as payroll and gift cards, or to
inactive account a Red Flag. They also       generally requested changes that would        cards used to access a home equity line
agreed that the Agencies should not use      make the proposed rules more flexible.        of credit. Another commenter urged that
two years of inactivity as a hard and fast                                                 the final rules exclude credit and debit
rule, and allow financial institutions       2. Section-by-Section Analysis                cards for a business purpose.
                                                                                              The final rules continue to define
and creditors to use their own standards     Section l.91(a)    Scope
to determine when an account is                                                            ‘‘cardholder’’ as a consumer who has
inactive.                                      The proposed rules stated that this         been issued a credit or debit card. Both
   In the final rules, the Agencies          section applies to a person, described in     ‘‘credit card’’ and ‘‘debit card’’ are
continue to list activity on an inactive     proposed § l.90(a), that issues a debit       defined in section 603(r) of the FCRA. 38
account as a Red Flag. Given the variety     or credit card. The Agencies did not          The definition of ‘‘credit card’’ is
of covered accounts to which the final       receive any comments on this section.         defined by cross-reference to section
rules and guidelines will apply, the            In the final rules, for clarity, the       103 of the Truth in Lending Act, 15
Agencies concluded that the two-year         Agencies deleted the cross-reference to       U.S.C. 1601, et seq. 39 The definition of
period suggested in section 114 would        § l.90(a). Each Agency also revised its       ‘‘debit card’’ is any card issued by a
                                             scope paragraph to list the entities over     financial institution to a consumer for
not necessarily be a useful indicator of
                                             which it has jurisdiction that are subject    use in initiating an electronic fund
identity theft. Therefore, the Agencies
have not included a provision in the         to § l.91. Under the final rules, section     transfer from the account of the
guidelines regarding notification when a     l.91 applies to any debit or credit card      consumer at such financial institution
                                             issuer (card issuer) that is subject to an    for the purposes of transferring money
transaction occurs in connection with a
                                             Agency’s jurisdiction.                        between accounts or obtaining money,
consumer’s credit or deposit account
                                                                                           property, labor, or services. 40
that has been inactive for two years.        Section l.91(b)    Definitions                   Section 603(r) of the FCRA provides
B. Special Rules for Card Issuers               The proposed rules included two            that ‘‘account’’ and ‘‘electronic fund
                                             definitions solely applicable to the          transfer’’ have the same meaning as
1. Background                                                                              those terms have in the Electronic
                                             special rules for card issuers:
   Section 114 also requires the Agencies    ‘‘cardholder’’ and ‘‘clear and                Funds Transfer Act (EFTA), 15 U.S.C.
to prescribe joint regulations generally     conspicuous.’’ Section l.91(b) of the
requiring credit and debit card issuers to   final rules also contains these                  36 See 149 Cong. Rec. E2513 (daily ed. December

assess the validity of change of address                                                   8, 2003) (statement of Rep. Oxley) (emphasis
                                             definitions as follows.                       added).
notifications. In particular, these
regulations must ensure that if the card     Section l.91(b)(1)   Cardholder                  37 15 U.S.C. 1681a(c).
                                                                                              38 15 U.S.C. 1681a.

issuer receives a notice of change of          Under section 114, the Agencies must           39 See 15 U.S.C. 1681a(r)(2).

address for an existing account and,         prescribe regulations requiring a card           40 15 U.S.C. 1681a(r)(3).
63734              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

1693, et seq. The EFTA, and Regulation        Sections l.91(c) and (d) Address              assessing the validity of the change of
E, 12 CFR part 205, govern electronic         Validation                                    address in accordance with the policies
fund transfers. In contrast to section           Proposed § l.91(c) simply restated         and procedures the card issuer
603(r) of the FCRA, neither the EFTA          the statutory requirements described          establishes pursuant to § l.90.
nor Regulation E defines the term ‘‘debit     above with some minor stylistic                  Commenters also asked the Agencies
card.’’ Instead, coverage under the EFTA      changes. A number of commenters               to clarify that the obligation to assess
and Regulation E depends upon                 noted that the requirements of this           the validity of a request for an address
whether electronic fund transfers can be      section would be difficult and                change is not triggered unless the card
made to or from an ‘‘account,’’ meaning       expensive to implement. They stated           issuer actually changes the cardholder’s
a checking, savings, or other consumer        that millions of address changes are          address.
asset account established primarily for                                                        Some commenters asked the Agencies
                                              processed every year, though very few
personal, family or household purposes.                                                     to clarify whether electronic notices
                                              turn out to be fraudulent.
The Board recently issued a final rule           By contrast, consumer groups               would be acceptable if the cardholder
expanding the definition of ‘‘account’’       suggested that the final regulations          had previously contracted for electronic
under Regulation E to cover payroll card      should require the card issuer to notify      communications. Consumer groups
accounts. 41 Therefore, a holder of a         the consumer of a request for an address      recommended electronic notification be
payroll card is a ‘‘cardholder’’ for          change followed by the request for an         permitted only when the consumer
purposes of § l.91(b)(1), provided that       additional or replacement card, unless        consents in accordance with the E-Sign
the card issuer is a ‘‘financial              there are special circumstances that          Act.
institution’’ as defined in section 603(t)    prevent doing so in a timely manner.             The Agencies note that the statutory
of the FCRA.                                     Many commenters recommended that           provision being implemented here is
   The Board decided not to cover other                                                     quite specific. Congress mandated that
                                              the final rules provide credit and debit
types of prepaid cards as accounts                                                          the requirements set forth in section
                                              card issuers with greater flexibility to
under Regulation E at the time it issued                                                    615(e)(1)(C) of the FCRA apply to
                                              verify address changes. For example,
the payroll card rule. Therefore, the                                                       notifications of changes of address,
                                              they stated it is not clear that an address
definition of ‘‘cardholder’’ does not                                                       which would necessarily include both
                                              change linked with a request for an
include the holder of a gift card or other                                                  those received directly from consumers
                                              additional card is a significant indicator
prepaid card product, unless and until                                                      and those received from the Postal
                                              of identity theft. Therefore, they
the Board elects to cover such cards as                                                     Service. Congress also statutorily
                                              recommended the rules (1) specifically
accounts under Regulation E.                                                                provided various methods to card
   The definition of ‘‘cardholder’’ would     permit card issuers to satisfy the
                                              requirements of this section by verifying     issuers for assessing the validity of a
also include a recipient of a home                                                          change of address. 43 Accordingly, the
equity loan if the holder is able to access   the address at the time the address
                                              change notification is received, whether      final rules reflect these methods.
the proceeds of the loan with a credit or                                                      Under § l.91(c) of the final rules, a
debit card within the meaning of 15           or not the notification is linked to a
                                              request for an additional or replacement      card issuer that receives an address
U.S.C. 1681a(r).                                                                            change notification and, within at least
   Identity theft may occur in connection     card; or (2) verify the address whenever
                                              a request for an additional or                30 days, a request for an additional or
with a card that a consumer uses for a
                                              replacement card is made, whether or          replacement card, may not issue an
business purpose and may affect the
                                              not the card issuer receives notification     additional or replacement card until it
consumer’s personal credit standing.
                                              of an address change.                         has notified the cardholder or has
Additionally, the definition of
                                                 One commenter suggested that the           otherwise assessed the validity of the
‘‘consumer’’ under the FCRA is simply
                                              rules should only apply to card issuers       change of address in accordance with
an ‘‘individual.’’ 42 For this reason, the
                                              that receive direct notification of an        the policies and procedures the card
Agencies continue to believe that the
                                              address change rather than an address         issuer has established pursuant to
protections of this provision must
                                              change notification from the U.S. Postal      § l.90. The Agencies have concluded
extend to consumers who hold a card
                                              Service. The commenter asserted that          that card issuers should be granted
for a personal, household, family or
                                              there is a higher risk of fraud with a        additional flexibility. Therefore,
business purpose.
                                              direct request for a change of address.       § l.91(d) clarifies that a card issuer may
Section l.91(b)(2) Clear and                     Consumer groups also recommended           satisfy the requirements of § l.91(c) by
conspicuous                                   that the Agencies set a period longer         validating an address, according to the
  The second proposed definition was          than the 30-day minimum for card              methods set forth in § l.91(c)(1) or (2),
for the phrase ‘‘clear and conspicuous.’’     issuers to be on alert after an address       when it receives an address change
Proposed § l.91 included a provision          change request. These commenters              notification, before it receives a request
that required any written or electronic       recommended that, because of billing          for an additional or replacement card.
notice provided by a card issuer to the       cycles and the time it takes to issue a       The rules do not require a card issuer
consumer pursuant to the regulations to       new card, an issuer should be required        that issues an additional or replacement
be given in a ‘‘clear and conspicuous         to assess the validity of an address          card to validate an address whenever it
manner.’’ The proposed regulations            change if it receives a request for an        receives a request for such a card,
defined ‘‘clear and conspicuous’’ based       additional or replacement card within at      because section 114 only requires the
on the definition of this phrase found in     least 90 days after the request for the       validation of an address when the card
the Agencies’ privacy rules.                  address change.                               issuer also has received a notification of
  The Agencies received no comments              Some commenters asked the Agencies         a change of address.
on the phrase ‘‘clear and conspicuous,’’      to clarify what ‘‘other means’’ would be
and have adopted the definition as            acceptable in assessing the validity of a        43 See S. Rep. No. 108–166 at 14 (October 17,

                                                                                            2003)(accompanying S. 1753)(stating that a card
proposed in § l.91(b)(2).                     change in address. One commenter
                                                                                            issuer may rely on authentication procedures that
                                              stated that it is not cost effective to       do not involve a separate communication with the
 41 See   71 FR 51,437 (August 10, 2006). 
   contact the customer, therefore, most         cardholder so long as the issuer has reasonably
 42 15   U.S.C. 1681a(c). 
                   card issuers would use ‘‘other means’’ of     assessed the validity of the address change.)
                  Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                       63735

   The Agencies also revised § l.91 to                  procedures the card issuer has               continuing relationship with the
clarify that a card issuer must provide                 established.                                 consumer and regularly and in the
to the cardholder a ‘‘reasonable’’ means                  A few commenters recommended that          ordinary course of business furnishes
of promptly reporting incorrect address                 this proposed requirement apply only if      information to the CRA.
changes whenever the card issuer                        the issuer notifies the cardholder of the
                                                                                                     B. Section-by-Section Analysis
notifies the cardholder of the request for              change of address request at the
an additional or replacement card. 44                   cardholder’s former address. These           Section l.82(a)        Scope
   The Agencies declined to adopt the                   commenters stated that, otherwise, the         Proposed § l.82(a) noted that the
recommendation that an issuer assess                    provision would prohibit other types of      scope of section 315 differs from the
the validity of an address change if it                 notices, such as those in periodic           scope of section 114 and explained that
receives a request for an additional or                 statements. Another commenter stated         section 315 applies to ‘‘users of
replacement card within ‘‘at least 90                   that this provision was not necessary        consumer reports’’ and ‘‘persons
days’’ after an address change                          because card issuers would send such         requesting consumer reports’’
notification, as ‘‘at least 30 days’’ may               notices separately in any event.             (hereinafter referred to as ‘‘users’’), as
be a reasonable period of time in some                    The Agencies are not convinced that
                                                                                                     opposed to financial institutions and
cases. However, a card issuer that does                 such a notice would be provided
                                                                                                     creditors. Therefore, section 315 does
not validate an address when it receives                separately from a card issuer’s regular
                                                                                                     not apply to a financial institution or
an address change notification may find                 correspondence with the cardholder
                                                                                                     creditor that does not use consumer
it prudent to validate the address before               unless required. Moreover, the Agencies
                                                                                                     reports. The Agencies did not receive
issuing an additional or replacement                    do not agree that this requirement
                                                                                                     any comments on this section and have
card, even when it receives a request for               should apply only if a card issuer
                                                                                                     adopted it as proposed in the final rules.
such a card more than 30 days after the                 chooses to notify the cardholder of the
notification of address change. In sum,                 change of address request at the             Section l.82(b) Definition
the Agencies expect card issuers to                     cardholder’s former address in
                                                                                                        Proposed § l.82(b) defined ‘‘notice of
exercise diligence commensurate with                    accordance with § l.91(c)(1). Even
                                                                                                     address discrepancy’’ as ‘‘a notice sent
their own experiences with identity                     where the card issuer and cardholder
                                                                                                     to a user of a consumer report by a CRA
theft.                                                  agree to some other means for notice,
   The Agencies also confirm that a card                                                             pursuant to 15 U.S.C. 1681c(h)(1), that
                                                        this alternative means does not change
issuer is not obligated to assess the                                                                informs the user of a substantial
                                                        the important nature of the notice.
                                                                                                     difference between the address for the
validity of a notification of an address                Therefore, § l.91(e) of the final rules
change after receiving a request for an                                                              consumer provided by the user in
                                                        provides that any written or electronic
additional or replacement card if it                                                                 requesting the consumer report and the
                                                        notice that the card issuer provides
previously determined not to change the                                                              address or addresses the CRA has in the
                                                        under this paragraph must be clear and
cardholder’s address because the                                                                     consumer’s file.’’ 46
                                                        conspicuous, and provided separately
address change request was                                                                              In the preamble to the proposed rules,
                                                        from its regular correspondence with
fraudulent. 45                                                                                       the Agencies noted that section
                                                        the cardholder.
                                                                                                     605(h)(1) requiring CRAs to provide
Section l.91(e) Form of Notice                          III. Section 315 of the FACT Act             notices of address discrepancy became
   In the preamble to the proposed rules,                                                            effective on December 1, 2004. To the
                                                        A. Background
the Agencies noted that Congress had                                                                 extent CRAs each have developed their
singled out this scenario involving card                   Section 315 of the FACT Act amends        own standards for delivery of notices of
issuers and placed it in section 114                    section 605 of the FCRA, 15 U.S.C.           address discrepancy, the proposal noted
because it is perceived to be a possible                1681c, by adding a new subsection (h).       that it is important for users to be able
indicator of identity theft. To highlight               Section 605(h)(1) requires that, when        to recognize and receive notices of
the important and urgent nature of                      providing a consumer report to a person      address discrepancy, especially if they
notice that a consumer receives from a                  that requests the report (the user), a       are being delivered electronically by
card issuer pursuant to § l.91(c), the                  nationwide consumer reporting agency,        CRAs. For example, CRAs may provide
Agencies also proposed requiring that                   as defined in section 603(p) of the          consumer reports with some type of a
any written or electronic notice that a                 FCRA, (CRA) must provide a notice of         code to indicate an address discrepancy.
card issuer provides under this                         the existence of a discrepancy if the        Users must be prepared to recognize the
paragraph must be clear and                             address provided by the user in its          code as an indication of an address
conspicuous and provided separately                     request ‘‘substantially differs’’ from the   discrepancy.
from its regular correspondence with                    address the CRA has in the consumer’s           While some commenters agreed with
the cardholder. The preamble to the                     file.                                        the proposed definition, a number of
proposed rules stated that a card issuer                   Section 605(h)(2) requires the            commenters suggested that the Agencies
could also provide notice orally, in                    Agencies to issue joint regulations that     clarify that only a ‘‘substantial’’
accordance with the policies and                        provide guidance regarding reasonable        discrepancy would trigger the
                                                        policies and procedures a user of a          requirements in this provision and that
  44 See S. Rep. No. 108–166 at 14 (October 17,         consumer report should employ when           obvious errors would not. Some
2003) (accompanying S. 1753) (stating that a means      the user receives a notice of address        commenters also suggested that the
of reporting an incorrect change could be through       discrepancy. These regulations must          Agencies provide examples of what
the mail, by telephone, or electronically.)             describe reasonable policies and
  45 This position is consistent with the legislative                                                constitutes a ‘‘substantial difference.’’
history of this section. See S. Rep. No. 108–166 at
                                                        procedures for a user of a consumer          One commenter stated that users should
14 (Oct. 17, 2003) (accompanying S. 1753) (stating      report to employ to (i) enable it to form    be able to determine when there is a
that it would not be necessary for the card issuer      a reasonable belief that the user knows      substantial difference.
to take these steps ‘‘if, despite receiving a request   the identity of the person for whom it
for an address change, the issuer did not actually
change the cardholder’s address for any reason (e.g.,
                                                        has obtained a consumer report, and (ii)       46 All other terms used in this section have the

the card issuer had previously determined that the      reconcile the address of the consumer        same meanings as set forth in the FCRA (15 U.S.C.
request for an address change was invalid)’’).          with the CRA, if the user establishes a      1681a).
63736          Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

   As noted earlier, section 605(h)(1)        regulations by simply determining it                 policies and procedures to verify the
requires a CRA to send a notice of            cannot form a reasonable belief would                identity of the consumer. This provision
address discrepancy when it determines        allow the user to open an account,                   took into consideration the fact that
that the address provided to the CRA by       effectively rendering the statute                    many users already may be subject to
a user ‘‘substantially differs’’ from the     meaningless.                                         the CIP rules, and have in place
address the CRA has in the consumer’s            The purpose of section 315 is to                  procedures to comply with those rules,
file. The phrase ‘‘substantially differs’’    enhance the accuracy of consumer                     at least with respect to the opening of
is not defined in the statute. Instead, the   information, specifically to ensure that             accounts. Thus, a user could rely upon
statute allows each CRA to construe this      the user has obtained the correct                    its existing CIP policies and procedures
phrase as it chooses and, accordingly, to     consumer report for the consumer about               to satisfy this requirement, so long as it
set the standard it will use to determine     whom it has requested such a report. To              applied them in all situations where it
when it will send a notice of address         implement this concept more clearly,                 receives a notice of address discrepancy.
discrepancy.                                  § l.82(c) of the final rules provides that           The proposal also stated that any user,
   As required by section 605(h)(2), this     a user must develop and implement                    such as a landlord or employer, may
rulemaking focuses on the obligations of      reasonable policies and procedures                   adopt the CIP rules and apply them in
users that receive a notice of address        designed to enable the user to form a                all situations where it receives a notice
discrepancy from a CRA. The statute           reasonable belief that a consumer report             of address discrepancy to meet this
does not indicate that the Agencies are       relates to the consumer about whom it                requirement, even if it is not subject to
to define the phrase ‘‘substantially          has requested the report when the user               a CIP rule.
differs’’ for CRAs or to permit users to      receives a notice of address                            The Agencies requested comment on
define that phrase themselves.                discrepancy.47                                       whether the CIP procedures would be
Therefore, the final rules adopt the             The Agencies do not agree with                    sufficient to enable a user that receives
proposed definition of ‘‘notice of            commenters who suggested that the                    a notice of address discrepancy with a
address discrepancy’’ without change.         proposed provision should apply only                 consumer report to form a reasonable
                                              in connection with the establishment of              belief that it knows the identity of the
Section l.82(c) Requirement to form a         a continuing relationship with a                     consumer for whom it obtained the
reasonable belief                             consumer, in other words, when a user                report, both in connection with the
   Proposed § l.82(c) implemented the         is opening a new account. The statutory              opening of an account, as well as in
requirement in section 605(h)(2)(B)(i)        requirement in section 605(h)(2)(B)(i)               other circumstances where a user
that the Agencies prescribe regulations       that a user form a reasonable belief that            obtains a consumer report, such as
describing reasonable policies and            it knows the identity of the consumer                when a user requests a consumer report
procedures to enable the user to form a       for whom it obtained a consumer report               to determine whether to increase the
reasonable belief that the user knows         applies whether or not the user                      consumer’s credit line, or in the case of
‘‘the identity of the person to whom the      subsequently establishes a continuing                a landlord or employer, to determine a
consumer report pertains’’ when the           relationship with the consumer. This is              consumer’s eligibility to rent housing or
user receives a notice of address             in contrast to the additional statutory              for employment.
discrepancy. Proposed § l.82(c) stated        requirement in section 605(h)(2)(B)(ii)                 Many commenters supported the use
that a user must develop and implement        that a user reconcile the address of the             of CIP to satisfy this requirement. Some
reasonable policies and procedures for        consumer with the CRA, only when the                 commenters, however, asked the
‘‘verifying the identity of the consumer      user establishes a continuing                        Agencies to clarify that once a
for whom it has obtained a consumer           relationship with the consumer.                      consumer’s identity was verified using
report’’ whenever it receives a notice of        In addition, a user may receive a                 CIP, it would not be necessary to re-
address discrepancy. The proposal             notice of address discrepancy with a                 verify that consumer’s identity under
stated further that these policies and        consumer report, both in connection                  this provision.
procedures must be designed to enable         with the opening of an account and in                   Some commenters found the
the user to form a reasonable belief that     other circumstances when the user                    proposal’s preamble language confusing.
it knows the identity of the consumer         already has a relationship with the                  These commenters did not understand
for whom it has obtained a consumer           consumer, such as when the consumer                  why a user would need to use its CIP
report, or determine that it cannot do so.    applies for an increased credit line. The            policies in every situation where a
   A number of commenters stated that         Agencies believe it is important for a               notice of address discrepancy was
the statutory requirement that a user         user to form a reasonable belief that a              received in order to comply with this
form a reasonable belief that it knows        consumer report relates to the consumer              requirement; they felt that it might be
the identity of the consumer for whom         about whom it has requested the report               possible to form a reasonable belief
it obtained a consumer report should          in both of these cases. Accordingly, the             without using CIP in some
only apply in situations where the user       final rules do not limit this provision              circumstances.
establishes a continuing relationship         solely to the establishment of new                      Other commenters noted that the CIP
with the consumer.                            accounts.                                            rules, which were issued for different
   A consumer group suggested that the           Proposed § l.82(c) also provided that             purposes, are not the appropriate
language in the proposed regulation           if a user employs the policies and                   standard for investigating a consumer’s
permitting a user to determine that it        procedures regarding identification and              identity after a notice of address
cannot form a reasonable belief of the        verification set forth in the CIP rules,48           discrepancy because those rules permit
identity of the consumer should be            it would satisfy the requirement to have             verification of an address to occur after
deleted because the statute specifically                                                           an account is opened and do not require
requires a reasonable belief to be              47 The Agencies acknowledge that an address        contacting the consumer. One
formed. This commenter stated that the        discrepancy also may be an indicator of identity     commenter stated that it was not clear
purpose of the statute was to reduce the      theft. To address this problem, the Agencies         whether a user relying on the CIP rules
                                              included address discrepancies as an example of a
number of new accounts opened using           Red Flag in connection with the Identity Theft Red   to satisfy the obligations under the
false addresses, and that permitting a        Flag regulations.                                    regulation must comply with some or all
user to satisfy its obligations under the       48 See, e.g., 31 CFR 103.121(b)(2)(i) and (ii).    of the requirements in the CIP rules,
                    Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                     63737

including those that require policies and        the FCRA, a notice of address               the statute. They also noted that users
procedures to address circumstances              discrepancy may be a Red Flag and           often do not obtain full consumer
when a user cannot form a reasonable             require an appropriate response to          reports for existing customers—just
belief it knows the identity of the              prevent and mitigate identity theft         credit scores. These commenters noted
consumer.                                        under the user’s Identity Theft             that limited reports often do not contain
   The Agencies believe that comparing           Prevention Program.                         an address for a customer. Some
information provided by a CRA to                                                             commenters also felt existing
information the user obtains and uses            Section l.82(d)(1) Requirement To
                                                                                             relationships should be excluded
(or has obtained and used) to verify a           Furnish Consumer’s Address to a
                                                                                             because users already would have
consumer’s identity pursuant to the              Consumer Reporting Agency
                                                                                             verified a consumer’s address at the
requirements set forth in the CIP rules             Proposed § l.82(d)(1) provided that a    time of account opening.
is an appropriate way to satisfy this            user must develop and implement                The Agencies have modified this
obligation, particularly in connection           reasonable policies and procedures for      section as follows. The final rules
with the opening of a new account.               furnishing to the CRA from whom it          continue to provide that a user must
However, when a user receives a notice           received the notice of address              develop and implement reasonable
of address discrepancy in connection             discrepancy an address for the              policies and procedures for furnishing
with an existing account, after already          consumer that the user has reasonably       an address for the consumer that the
having identified and verified the               confirmed is accurate when the              user has reasonably confirmed is
consumer in accordance with the CIP              following three conditions are satisfied.   accurate to the CRA when three
rules, the Agencies would not expect a           The first condition, in proposed            conditions are present. The first
user to employ the CIP procedures                § l.82(d)(1)(i), was that the user must     condition, in § _.82(d)(1)(i), has been
again. To address this issue and provide         be able to form a reasonable belief that    revised to be consistent with the earlier
users with flexibility, § l.82(c) of the         it knows the identity of the consumer       changes in section § _.82(c) that focus
final rule provides examples of                  for whom the consumer report was            more narrowly on accuracy and require
reasonable policies and procedures that          obtained. This condition would have         that a user form a reasonable belief that
a user may employ to enable the user to          ensured the user would furnish a new        a consumer report relates to the
form a reasonable belief that a consumer         address for the consumer to the CRA         consumer about whom it requested the
report relates to the consumer about             only after the user had formed a            report. The second condition, in
whom it has requested the report. These          reasonable belief that it knew the          § _.82(d)(1)(ii), now applies only to new
examples include comparing                       identity of the consumer, using the         accounts and states that a confirmed
information provided by the CRA with             policies and procedures set forth in        address must be furnished if the user
information the user: (1) Obtains and            paragraph § l.82(c).                        ‘‘establishes’’ a continuing relationship
uses to verify the consumer’s identity in           The second condition, in proposed        with the consumer. The reference to ‘‘or
accordance with the requirements of the          § l.82(d)(1)(ii), was that the user         maintains’’ a continuing relationship
CIP rules; (2) maintains in its own              furnish the address to the CRA if it        has been deleted. The Agencies agree
records, such as applications, change of         establishes or maintains a continuing       with commenters that section
address notifications, other customer            relationship with the consumer. Section     605(h)(2)(B)(ii) does not require the
account records, or retained CIP                 315 specifically requires that the user     reporting of a confirmed address to a
documentation; or (3) obtains from               furnish the consumer’s address to the       CRA in connection with existing
third-party sources. Another example is          CRA if the user establishes a continuing    relationships. The Agencies have
to verify the information in the                 relationship with the consumer.             concluded that users are more likely
consumer report provided by the CRA              Therefore, proposed § l.82(d)(1)(ii)        than a CRA to have an accurate address
with the consumer.                               reiterated this requirement. However,       for an existing customer and, therefore,
   If a user cannot establish a reasonable       because a user also may obtain a notice     should not be required by these rules to
belief that the consumer report relates to       of address discrepancy in connection        take additional steps to confirm the
the consumer about whom it has                   with a consumer with whom it already        accuracy of the customer’s address.
requested the report, the Agencies               has an existing relationship, the           Users already have an ongoing duty to
expect the user will not use that report.        proposal also provided that the user        correct and update information for their
While section 605(h)(2)(B)(i) is silent on       must furnish the consumer’s address to      existing customers under section 623 of
this point, other laws may be applicable         the CRA from whom the user has              the FCRA, 15 U.S.C. 1681s–2.
in such a situation. For example, in the         received a notice of address discrepancy    Accordingly, under the final rules, the
case of account openings, a user that is         when the user maintains a continuing        obligation to furnish a confirmed
subject to the CIP rules generally will          relationship with the consumer.             address for the consumer to the CRA is
need to document how it has resolved                Finally, the third condition, in         applicable only to new relationships.
the discrepancy between the address              proposed § _.82(d)(1)(iii), provided that   The third condition, in § _.82(d)(1)(iii),
provided by the consumer and the                 if the user regularly and in the ordinary   has been adopted in the final rule
address in the consumer report.49 If the         course of business furnishes information    without substantive change.
user cannot establish a reasonable belief        to the CRA from which a notice of
                                                 address discrepancy pertaining to the       Section l.82(d)(2) Requirement To
that it knows the true identity of the
                                                 consumer was obtained, the consumer’s       Confirm Consumer’s Address
consumer, it will need to implement the
policies and procedures for addressing           address must be communicated to the           In the preamble to the proposal, the
these circumstances as required by the           CRA as part of the information the user     Agencies noted that section 315 requires
CIP rules, which may involve not                 regularly provides.                         them to prescribe regulations describing
opening an account or closing an                    A majority of commenters                 reasonable policies and procedures for a
account.50 If a user is a ‘‘financial            recommended that the requirement to         user ‘‘to reconcile the address of the
institution’’ or ‘‘creditor’’ as defined by      furnish a confirmed address should not      consumer’’ about whom it has obtained
                                                 apply to existing accounts. These           a notice of address discrepancy with the
 49 See,   e.g., 31 CFR 103.121(b)(3)(i)(D). 
   commenters maintained that such a           CRA ‘‘by furnishing such address’’ to
 50 See,   e.g., 31 CFR 103.121(b)(2)(iii). 
    requirement would exceed the scope of       the CRA. (Emphasis added.) The
63738              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

Agencies noted that, even when the user                  purpose. The Agencies believe the            the user both establishes a continuing
is able to form a reasonable belief that                 options for confirmation listed in the       relationship with the consumer and
it knows the identity of the consumer,                   regulation provide sufficient flexibility    forms a reasonable belief that it knows
there may be many reasons the initial                    for users to confirm consumers’              the identity of the consumer to whom
address furnished by the consumer is                     addresses. For this reason, they have        the consumer report relates. Typically,
incorrect. For example, a consumer may                   been adopted in the final rule as            the CIP rules permit an account to be
have provided the address of a                           proposed, with minor technical               opened (i.e., relationship to be
secondary residence or inadvertently                     changes. Section l.82(d)(2)(i) has been      established) if certain identifying
reversed a street number. To ensure that                 revised to conform the language with         information is provided. Verification to
the address furnished to the CRA is                      § l.82(c). Section l.82(d)(2)(ii) has        establish the true identity of the
accurate, the Agencies proposed to                       been revised to emphasize the                customer is required within a
interpret the phrase, ‘‘such address,’’ as               verification of the consumer’s address       reasonable period of time after the
an address the user has reasonably                       rather than the review of the user’s         account has been opened. As explained
confirmed is accurate. This                              records to determine whether the             in the preamble to the proposed rules,
interpretation would have required a                     address given by the consumer is the         to satisfy the requirements of both
user to take steps to ‘‘reconcile’’ the                  same.                                        § l.82(d)(1) and § l.82(d)(3)(i), a user
address it initially received from the                   Section l.82(d)(3) Timing                    employing the CIP rules would have to
consumer when it receives a notice of                                                                 verify the identity of the consumer
address discrepancy, rather than simply                     Section 315 specifies when a user
                                                         must furnish the consumer’s address to       using the identifying information it
furnishing the initial address it received                                                            obtained in accordance with the CIP
from the consumer to the CRA.                            the CRA. It states that this information
                                                         must be furnished for the reporting          rules within the same reporting period
Proposed § l.82(d)(2) contained the                                                                   that the user opens the account and
                                                         period in which the user’s relationship
following list of illustrative measures                                                               establishes a continuing relationship
                                                         with the consumer is established.
that a user may employ to reasonably                                                                  with the consumer.
                                                         Accordingly, proposed § l.82(d)(3)(i)
confirm the accuracy of the consumer’s                                                                  The Agencies requested comment on
                                                         stated that, with respect to new
address:                                                                                              whether the timing for responding to
   • Verifying the address with the                      relationships, the policies and
                                                         procedures a user develops in                notices of address discrepancy received
person to whom the consumer report
pertains;                                                accordance with § l.82(d)(1) must            in connection with newly established
   • Reviewing its own records of the                    provide that a user will furnish the         relationships and in connection with
address provided to request the                          consumer’s address that it has               circumstances other than newly
consumer report;                                         reasonably confirmed to the CRA as part      established relationships is appropriate.
   • Verifying the address through third-                of the information it regularly furnishes    One commenter objected to the
party sources; or                                        for the reporting period in which it         requirement that a user employing the
   • Using other reasonable means.                       establishes a relationship with the          CIP rules would have to both establish
   The Agencies solicited comment on                     consumer.                                    a continuing relationship and a
whether these examples were necessary,                      The proposed rule also addressed          reasonable belief that it knows the
or whether different or additional                       other situations when a user may             consumer’s identity during the same
examples should be listed.                               receive a notice of address discrepancy.     reporting period. A few commenters
   A number of commenters stated that                    Proposed § l.82(d)(3)(ii) stated that in     noted that the timing for reporting
requiring a user to confirm the address                  other circumstances, such as when the        should simply be ‘‘reasonable,’’ such as
furnished exceeded the scope of the                      user already has an existing relationship    the next reporting cycle.
statute. They asserted that the benefit of               with the consumer, the user should             Because the Agencies have
improvements in the accuracy of                          furnish this information for the             determined that the requirement to
addresses and the prevention of identity                 reporting period in which the user has       furnish a confirmed address will apply
theft would not outweigh the additional                  reasonably confirmed the accuracy of         only to newly established accounts, the
burden of this requirement. A few                        the address of the consumer for whom         Agencies have revised § l.82(d)(3) to
commenters noted that complying with                     it has obtained a consumer report.
                                                            The Agencies also noted that, in order    remove the references to the timing for
the CIP rules should be sufficient to
                                                         to satisfy the requirements of both          furnishing reports in connection with
verify the address. Commenters also felt
                                                         § l.82(d)(1) and § l.82(d)(3)(i), a user     other accounts, contained in the
that users should have the flexibility to
                                                         employing the CIP rules would have to        proposal. The final rules reflect the
establish their own validation processes
                                                         establish a continuing relationship and      language in section 605(h)(2)(B)(ii), and
based on risk.
   As stated earlier, the Agencies believe               verify the identity of the consumer          state that a user’s policies and
the purpose of the statute is to enhance                 during the same reporting period.            procedures must provide that the user
the accuracy of information relating to                     The Agencies recognized the timing        will furnish the consumer’s address that
consumers by requiring the user to                       provision for newly established              the user has reasonably confirmed is
furnish an address that the user has                     relationships could be problematic for       accurate to the consumer reporting
reasonably confirmed is accurate.51                      users hoping to take full advantage of       agency as part of the information it
Simply providing the CRA with the                        the flexibility in timing for verification   regularly furnishes for the reporting
initial address supplied to the user by                  of identity afforded by the CIP rules. As    period in which it establishes a
the consumer, and which caused the                       required by statute, proposed                relationship with the consumer.
CRA to send a notice of address                          § l.82(d)(3)(i) stated that the reconciled     A timing issue still exists for a user
discrepancy, would not serve this                        address must be furnished for the            that chooses to compare the information
                                                         reporting period in which the user           in the consumer report with information
   51 This requirement is consistent with the            establishes a relationship with the          that the user obtains and uses to verify
legislative history which provides that this section     consumer. Proposed § l.82(d)(1), which       the consumer’s identity in accordance
is intended to obligate the user to utilize reasonable
policies and procedures to resolve discrepancies.
                                                         also mirrored the requirement of the         with the CIP rules for the purpose of
See H.R. Rep. No. 108–263 at 46 (Sept. 4, 2003)          statute, required the reconciled address     forming a reasonable belief that a
(accompanying H.R. 2622).                                to be furnished to the CRA only when         consumer report relates to the consumer
                 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                      63739

about whom it has requested the report.            final rules. These commenters felt they       guidance, and thus may need more time
However, the Agencies believe that the             needed time to take an inventory of           to implement the final rules and
benefits of being able to use CIP for this         their existing systems and develop new        guidelines. Therefore, the Agencies are
purpose should outweigh any additional             programs necessary for compliance.            providing covered entities with a
burden of having to establish a                    Some commenters noted that they likely        transition period to comply with the
reasonable belief that a consumer report           would use technological solutions to          requirements contained in the final
relates to the consumer about whom it              comply with the rules and that it is          rulemaking.
has requested the report within the                necessary to schedule such projects well
                                                                                                 VI. Regulatory Analysis
same reporting period that the user                in advance. Commenters also noted that
opens the account and establishes a                compliance with the final rules may           A. Paperwork Reduction Act
continuing relationship with the                   require systemic and operational                In accordance with the requirements
consumer.                                          changes across business lines and could       of the Paperwork Reduction Act of 1995
                                                   affect relationships with vendors and         (PRA) (44 U.S.C. 3501 et seq., 5 CFR
IV. General Provisions                             third party service providers that would      part 1320 Appendix A.1), the Agencies
   The OCC, the Board, the FDIC, the               require time to change.                       have reviewed the final rulemaking and
OTS, and the NCUA 52 proposed to                      Neither section 114 nor section 315 of     determined that it contains collections
amend the first sentence in § l.3,                 the FACT Act specifically addresses the       of information subject to the PRA. The
which contains the definitions that are            effective date of the regulations issued      Board made this determination under
applicable throughout this part. This              pursuant to these sections. Under the         authority delegated to the Board by the
sentence stated that the list of                   Administrative Procedure Act (APA), 5         Office of Management and Budget
definitions in § l.3 apply throughout              U.S.C. 553(d), agencies must generally        (OMB). The information collection
the part ‘‘unless the context requires             publish a substantive rule not less than      requirements in the final rulemaking
otherwise.’’ These agencies proposed to            30 days before its effective date. In         may be found in 12 CFR 41.82, 41.90,
amend this introductory sentence to                addition, under section 302 of the Riegle     41.91, 222.82, 222.90, 222.91, 334.82,
make clear that the definitions in § l.3           Community Development and                     334.90, 334.91, 571.82, 571.90, 571.91,
apply ‘‘for purposes of this part, unless          Regulatory Improvement Act of 1994            717.82, 717.90; and 717.91; and 16 CFR
explicitly stated otherwise.’’ Thus, these         (CDRIA),53 rules issued by the Federal        681.1, 681.2, and 681.3.
definitions apply throughout the part              banking agencies that impose additional         An agency may not conduct or
unless defined differently in an                   reporting, disclosure, or other new           sponsor, and a respondent is not
individual subpart. There were no                  requirements on financial institutions        required to respond to, an information
comments on this proposal, and the                 generally will take effect on the first day   collection unless it displays a currently
change to § l.3 is adopted as proposed.            of a calendar quarter that begins on or       valid OMB control number. The
   OTS proposed nonsubstantive,                    after the date on which the regulations       information collection requirements
technical changes to its rule sections on          are published in the Federal Register.        contained in this joint final rule were
purpose and scope (§ 571.1) and                    Because these final rules are substantive     submitted by the OCC, FDIC, OTS,
disposal of consumer information                   and impose additional requirements on         NCUA, and FTC to OMB for review and
(§ 571.83). OTS explained that these               financial institutions, the Agencies have     approval under the Paperwork
changes were necessary in light of the             provided for an effective date of             Reduction Act of 1995. OMB assigned
proposed incorporation of the address              [January 1, 2008], consistent with the        the following control numbers to the
discrepancy section into subpart I.                APA and CDRIA.                                collections of information: OMB Control
There were no comments on these                       At the same time, the Agencies have
                                                                                                 Nos. 1557–0237 (OCC), 3064–0152
proposed changes and they are adopted              determined that it is appropriate to
                                                                                                 (FDIC), 1550–0113 (OTS), 3133–0175
substantially as proposed. Further, since          provide all covered entities with a
                                                                                                 (NCUA), and 3084–0137 (FTC). The
these changes render the definition of             delayed compliance date of November
                                                                                                 Board’s OMB Control No. is 7100–
‘‘you’’ in § 571.3(o) superfluous, OTS is          1, 2008, to comply with the
                                                                                                 0308.54
removing that definition.                          requirements of the final rulemaking.
   The OCC’s final rules add a purpose             Some financial institutions and               Description of the Collection
section at § 41.1. The final rules are             creditors already employ a variety of            Section 114: The proposed rules
simply restoring the purpose section of            measures that satisfy the requirements        implementing section 114 required each
part 41 that was inadvertently deleted             of the final rulemaking because these         financial institution and creditor to (1)
when ‘‘subpart D-Medical Information’’             are usual and customary business              create an Identity Theft Prevention
was added to this part.                            practices to minimize losses due to           Program (Program); (2) report to the
                                                   fraud, or as a result of already              board of directors, a committee thereof
V. Effective Date                                  complying with other existing                 or senior management, at least annually,
   The Agencies received a number of               regulations and guidance that relate to       on compliance with the proposed
comments regarding the effective date of           information security, authentication,         regulations; and (3) train staff to
the final regulations and guidelines,              identity theft, and response programs.        implement the Program.
although the proposed rulemaking did               However, the Agencies recognize that             In addition, the proposed rules
not address this issue. While consumer             these entities may still need time to         required each credit and debit card
groups recommended that the effective              evaluate their existing programs, and to      issuer (card issuer) to establish policies
date for compliance with the regulations           integrate appropriate elements from           and procedures to (1) assess the validity
be the minimum time allowed by law,                them into the Program and into the
many financial institutions and                    other policies and procedures required           54 The information collections (ICs) in this rule

creditors requested the time for                   by this final rulemaking. Further, the        will be incorporated with the Board’s Disclosure
compliance be extended from between                Agencies recognize that some covered          Requirements Associated with Regulation V (OMB
                                                   entities have not previously been             No. 7100–0308). The burden estimates provided in
12 to 24 months from issuance of the                                                             this rule pertain only to the ICs associated with this
                                                   subject to any related regulations or         final rulemaking. The current OMB inventory for
  52 The equivalent language for the FTC already                                                 Regulation V is available at: http://www.reginfo.gov/
exists in 16 CFR 603.1.                             53 Pub.   L. 103–325; 12 U.S.C. § 4802(b).   public/do/PRAMain.
63740         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

of a change of address notification          many financial institutions and                            The final rulemaking also clarifies
before honoring a request for an             creditors already have implemented                      that only relevant staff need be trained
additional or replacement card received      some of the requirements of the final                   to implement the Program, as
during at least the first 30 days after it   rules implementing section 114 as a                     necessary—meaning that staff already
receives the notification; and (2) notify    result of having to comply with other                   trained, for example, as a part of a
the cardholder in writing, electronically,   existing regulations and guidance, such                 covered entity’s anti-fraud prevention
or orally, or use another means of           as the CIP regulations implementing                     efforts do not need to be re-trained
assessing the validity of the change of      section 326 of the USA PATRIOT Act,                     except as necessary. Despite this
address.                                     31 U.S.C. 5318(l) that require                          clarification, in response to comments
   Section 315: The proposed rules           verification of the identity of persons                 received, the Agencies are increasing
implementing section 315 required each       opening new accounts),55 the                            the burden estimates attributable to
user of consumer reports to (1) develop      Information Security Standards that                     training from two to four hours.
reasonable policies and procedures it        implement section 501(b) of the Gramm-                     The Agencies’ estimates attribute all
would employ when it receives a notice       Leach-Bliley Act (GLBA), 15 U.S.C.                      burden to covered entities, which are
of address discrepancy from a CRA; and       6801, and section 216 of the FACT Act,                  entities directly subject to the
(2) to furnish an address the user           15 U.S.C. 1681w,56 and guidance issued                  requirements of the final rulemaking. A
reasonably confirmed is accurate to the      by the Agencies or the Federal Financial                covered entity that outsources activities
CRA from which it receives a notice of       Institutions Examination Council                        to a third-party service provider is, in
address discrepancy.                         regarding information security,                         effect, reallocating to that service
   The information collections in the                                                                provider the burden that it would
                                             authentication, identity theft, and
final rulemaking are the same as those                                                               otherwise have carried itself. Under
                                             response programs.57 The final
in the proposal.                                                                                     these circumstances, burden is, by
                                             rulemaking underscores the ability of a
Comments Received                                                                                    contract, shifted from the covered entity
                                             financial institution or creditor to
                                                                                                     to the service provider, but the total
   The Agencies sought comment on the        incorporate into its Program its existing
                                                                                                     amount of burden is not increased.
burden estimates for the information         processes that control reasonably                       Thus, third-party service provider
collections described in the proposal.       foreseeable risks to customers or to its                burden is already included in the
The Agencies received approximately          own safety and soundness from identity                  burden estimates provided for covered
129 comments on the proposed                 theft, such as those already developed                  entities.
rulemaking. Most commenters                  in connection with the covered entity’s                    The Agencies continue to believe that
maintained that proposal would impose        fraud prevention program. Thus, the                     card issuers already assess the validity
additional regulatory burden and             burden estimate attributable to the                     of change of address requests and, for
asserted that the estimates of the cost of   creation of a Program is unchanged.                     the most part, have automated the
compliance should be considerably                                                                    process of notifying the cardholder or
higher than the Agencies projected. A           55 See, e.g., 31 CFR 103.121 (banks, savings
                                                                                                     using other means to assess the validity
few of these commenters specifically         associations, credit unions, and certain non-           of changes of address. Further, as
                                             federally regulated banks); 31 CFR 103.122 (broker-
addressed PRA burden, however, they          dealers); 31 CFR 103.123 (futures commission            commenters requested, the final
did not provide specific estimates of        merchants).                                             rulemaking clarifies that card issuers
additional burden hours that would              56 12 CFR part 30, app. B (national banks); 12 CFR   may satisfy the requirements of this
result from the proposal. Some of these      part 208, app. D–2 and part 225, app. F (state          section by verifying the address at the
                                             member banks and holding companies); 12 CFR
commenters stated that staff training        part 364, app. B (state non-member banks); 12 CFR
                                                                                                     time the address change notification is
estimates were significantly                 part 570, app. B (savings associations); 12 CFR part    received, before a request for an
underestimated. Other commenters             748, app. A and B, and 12 CFR 717 (credit unions);      additional or replacement card.
stated that the costs of compliance          16 CFR part 314 (financial institutions that are not    Therefore, the estimates attributable to
                                             regulated by the Board, FDIC, NCUA, OCC and             this portion of the rulemaking are
failed to consider the cost to third-party   OTS).
service providers that the commenters           57 See, e.g., 12 CFR part 30, supp. A to app. B      unchanged.
characterized as being required to           (national banks); 12 CFR part 208, supp. A to app.         Regarding the final rules
implement the Program.                       D–2 and part 225, supp. A to app. F (state member       implementing section 315, the Agencies
                                             banks and holding companies); 12 CFR part 364,          recognize that users of consumer reports
Explanation of Burden Estimates Under        supp. A to app. B (state non-member banks); 12 CFR      will need to develop policies and
the Final Rulemaking                         part 570, supp. A to app. B (savings associations);
                                             12 CFR 748, app. A and B (credit unions); Federal       procedures to employ upon receiving a
  The Agencies believe that many of the      Financial Institutions Examination Council (FFIEC)      notice of address discrepancy in order
comments received regarding burden           Information Technology Examination Handbook’s           to: (1) Ensure that the user has obtained
stemmed from commenters’ misreading          Information Security Booklet (the ‘‘IS Booklet’’)       the correct consumer report for the
                                             available at http://www.ffiec.gov/guides.htm; FFIEC
of the requirements of the proposed          ‘‘Authentication in an Internet Banking                 consumer; and (2) confirm the accuracy
rulemaking. The final rulemaking             Environment’’ available at http://www.ffiec.gov/        of the address the user furnishes to the
clarifies these requirements, including      pdf/authentication_guidance.pdf; Board SR 01–11         CRA. However, under the final rules, a
those that relate to the information         (Supp) (Apr. 26, 2001) available at: http://            user only must furnish a confirmed
                                             www.federalreserve.gov/boarddocs/srletters/2001/
collections. It also differs from the        sr0111.htm; ‘‘Guidance on Identity Theft and            address to a CRA for new relationships.
proposal as described below.                 Pretext Calling,’’ OCC AL 2001–4 (April 30, 2001);      Thus, the required policies and
  The Agencies continue to believe that      ‘‘Identity Theft and Pretext Calling,’’ OTS CEO         procedures will no longer need to
most covered entities already employ a       Letter #139 (May 4, 2001); NCUA Letter to Credit        address the furnishing of confirmed
                                             Unions 01–CU–09, ‘‘Identity Theft and Pretext
variety of measures to detect and            Calling’’ (Sept. 2001); OCC 2005–24, ‘‘Threats from     addresses for existing relationships, and
address identity theft that are required     Fraudulent Bank Web Sites: Risk Mitigation and          users will not need to furnish to the
by section 114 of the final rulemaking       Response Guidance for Web Site Spoofing                 CRA in connection with existing
because these are usual and customary        Incidents,’’ (July 1, 2005); ‘‘Phishing and E-mail      relationships an address the user
                                             Scams,’’ OTS CEO Letter #193 (Mar. 8, 2004);
business practices that they employ to       NCUA Letter to Credit Unions 04–CU–12,                  reasonably confirmed is accurate.
minimize losses due to fraud. In             ‘‘Phishing Guidance for Credit Unions’’ (Sept.             The Agencies believe that users of
addition, the Agencies believe that          2004).                                                  credit reports covered by the final rules,
              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                             63741

on a regular basis, already furnish             Board:                                                will affect over 3,500 financial
information to CRAs in response to              Number of respondents: 1,172.                         institutions 61 and over 11 million
notices of address discrepancy because          Total Estimated Annual Burden:                        creditors 62 subject to the FTC’s
it is a usual and customary business          48,052.                                                 jurisdiction, for a combined total of
practice—except in connection with              FDIC:                                                 approximately 11.1 million affected
new deposit relationships. For the              Number of respondents: 5,260.                         entities. As detailed below, FTC staff
proposed rulemaking, the Agencies had           Total Estimated Annual Burden:                        estimates that the average annual
estimated that there would be no              215,660 hours.                                          information collection burden during
implementation burden associated with           OTS:                                                  the three-year period for which OMB
furnishing confirmed addresses to               Number of respondents: 832.                           clearance was sought will be 4,466,000
CRAs. However, as the result of                 Total Estimated Annual Burden:                        hours (rounded to the nearest
additional research, the Agencies now         34,112.                                                 thousand). The estimated annual labor
believe that some burden should be              NCUA:                                                 cost associated with this burden is
attributable to this collection, to account     Number of respondents: 5,103.                         $142,925,000 (rounded to the nearest
for information furnished to CRAs for           Total Estimated Annual Burden:                        thousand).
new deposit relationships. Because this       209,223.                                                   For the proposed rule, FTC staff had
burden is offset by the reduction in            FTC Estimated Burden:58                               divided affected entities into two
burden described above, the estimates           Section 114:                                          categories: entities that are subject to a
for the collections attributable to the         Estimated Hours Burden:                               high risk of identity theft and entities
final rules implementing section 315            As discussed above, the final                         that are subject to a low risk of identity
remain unchanged.                             regulations require financial institutions              theft. Based on comments as well as
   The Agencies continue to believe that      and creditors to conduct a risk                         changes in the final rule, FTC staff
25 hours to develop a Program, four           assessment periodically to determine                    believes that the affected entities can be
hours to prepare an annual report, four       whether they have covered accounts,                     categorized in three groups, based on
hours to develop policies and                 which include, at a minimum,                            the nature of their businesses: entities
procedures to assess the validity of          consumer accounts. If the financial                     subject to a high risk of identity theft,
changes of address, and four hours to         institutions and creditors determine that               entities subject to a low risk of identity
develop policies and procedures to            they have covered accounts, the final                   theft, but having consumer accounts
respond to notices of address                 regulations require them to create a                    that will require them to have a written
discrepancy, are reasonable estimates.        written Identity Theft Prevention                       Program, and entities subject to a low
   The potential respondents are              Program (Program) and they should                       risk of identity theft, but not having
national banks and Federal branches           report to the board of directors, a                     consumer accounts.63
and agencies of foreign banks and             committee thereof, or senior
                                              management at least annually on                         A. High-Risk Entities
certain of their subsidiaries (OCC); state
member banks, uninsured state agencies        compliance with the final regulations.                    In drafting its PRA analysis for the
and branches of foreign banks,                The FCRA defines ‘‘creditor’’ to have                   proposed regulations, FTC staff believed
commercial lending companies owned            the same meaning as in section 702 of                   that because motor vehicle dealers’’
or controlled by foreign banks, and Edge      the Equal Credit Opportunity Act                        loans typically are financed by financial
and agreement corporations (Board);           (ECOA).59 Under Regulation B, which                     institutions also subject to those
insured nonmember banks, insured state        implements the ECOA, a creditor means                   regulations, the dealers were likely to
branches of foreign banks, and certain of     a person who regularly participates in a                use the latter’s programs as a basis to
their subsidiaries (FDIC); savings            credit decision, including setting the                  develop their own. Therefore, although
associations and certain of their             terms of credit. Regulation B defines                   subject to a high risk of identity theft,
subsidiaries (OTS); Federally-chartered       credit as a transaction in which the                    their burden would be less than other
credit unions (NCUA); state-chartered         party has a right to defer payment of a                 high-risk entities. Commenters,
credit unions, non-bank lenders,              debt, regardless of whether the credit is               however, noted among other concerns
mortgage brokers, motor vehicle dealers,      for personal or commercial purposes.60                  that some motor vehicle dealers finance
utility companies, and any other person       Given the broad scope of entities
                                                                                                         61 Under the FCRA, the only financial institutions
that regularly participates in a credit       covered, it is difficult to determine
                                                                                                      over which the FTC has jurisdiction are state-
decision, including setting the terms of      precisely the number of financial                       chartered credit unions. 15 U.S.C. 1681s. As of
credit (FTC).                                 institutions and creditors that are                     December 31, 2005, there were 3,302 state-chartered
                                              subject to the FTC’s jurisdiction. There                federally-insured credit unions and 362 state-
Burden Estimates                              are numerous small businesses under                     chartered nonfederally insured credit unions,
                                                                                                      totaling 3,664 financial institutions. See
   The Agencies estimate the annual           the FTC’s jurisdiction, and there is no                 www.ncua.gov/news/quick_facts/quick_facts.html
burden per respondent is 41 hours (25         formal way to track them; moreover, as                  and ‘‘Disclosures for Non-Federally Insured
hours to develop a Program, four hours        a whole, the entities under the FTC’s                   Depository Institutions under the Federal Deposit
to prepare an annual report, four hours       jurisdiction are so varied that there are               Insurance Corporation Improvement Act (FDICIA),’’
                                                                                                      70 FR 12823 (Mar. 16, 2005).
for training, four hours for developing       no general sources that provide a record                   62 This estimate is derived from an analysis of a
policies and procedures to assess the         of their existence. Nonetheless, FTC                    database of U.S. businesses based on NAICS codes
validity of changes of address, and four      staff estimates that the proposed                       for businesses that market goods or services to
hours for developing policies and             regulations implementing section 114                    consumers or other businesses, which totaled
                                                                                                      11,076,463 creditors subject to the FTC’s
procedures to respond to notices of                                                                   jurisdiction.
address discrepancy). The Agencies              58 Due to the varied nature of the entities subject
                                                                                                         63 In general, high-risk entities may provide

attribute total burden to covered entities    to the jurisdiction of the FTC, this Estimated          consumer financial services or other goods or
                                              Burden section reflects only the view of the FTC.       services of value to identity thieves such as
as follows:                                   The banking regulatory agencies have jointly
   OCC:                                                                                               telecommunication services or goods that are easily
                                              prepared a separate analysis.                           convertible to cash, whereas low-risk entities may
   Number of respondents: 1,806.                59 U.S.C. 1681a(r)(5).
                                                                                                      do business primarily with other businesses or
   Total estimated annual burden:               60 Regulation B Equal Credit Opportunity, 12 CFR      provide non-financial services or goods that are not
74,046.                                       202 (as amended effective Apr. 15, 2003).               easily convertible to cash.
63742          Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

their own loans. Thus, for this burden        annual report on risks of identity theft              annual burden over 3-year clearance
estimate, FTC staff no longer is              which are minimal or non-existent.                    period for preparing annual report
considering motor vehicle dealers             Nonetheless, FTC staff believes that it               ((4+1+1)/3)], for a total of 3,466,000
separately from other high-risk entities.     may have underestimated the time low-                 hours (rounded to the nearest
   As noted above, the Agencies               risk entities may need to initially apply             thousand); and 1,622,029 low-risk
continue to believe that many of the          the final rule to develop a Program.                  entities that have consumer accounts
high-risk entities, as part of their usual    Thus, FTC staff has increased from 20                 subject to the FTC’s jurisdiction at an
and customary business practices,             minutes to 1 hour its previously stated               average annual burden of approximately
already take steps to minimize losses         estimate for this activity.                           37 minutes per entity [average annual
due to fraud. The final rulemaking               The final regulations have been
                                                                                                    burden over 3-year clearance period for
clarifies that only relevant staff need be    revised from the proposed regulations to
trained to implement the Program, as          alleviate the burden of creating a written            creation and implementation of
necessary meaning, for example, that          Program for entities that determine that              streamlined Program ((60+5+5)/3) plus
staff already trained as a part of a          they do not have any covered accounts.                average annual burden over 3-year
covered entity’s anti-fraud prevention        The FTC staff believes that entities                  clearance period for staff training
efforts do not need to be re-trained          subject to a low risk of identity theft, but          ((10+5+5)/3) plus average annual
except as incrementally needed.               not having consumer accounts, will                    burden over 3-year clearance period for
Notwithstanding this clarification, in        likely determine that they do not have                preparing annual report ((10+5+5)/3],
response to comments received, the            covered accounts. Such entities would                 for a total of 1,000,000 hours (rounded
Agencies are increasing the burden            not be required to develop a written                  to the nearest thousand).
estimates attributable to training from       Program, and thus will not incur PRA                     The proposed regulations
two to four hours, as is the FTC for high-    burden. The FTC staff estimates that                  implementing Section 114 also require
risk entities in their initial year of        approximately 9,191,496 64 of the                     credit and debit card issuers to establish
implementing the Program, but FTC             10,813,525 low-risk entities subject to               policies and procedures to assess the
staff continues to believe that one hour      the requirement to create a written                   validity of a change of address request,
of recurring annual training remains a        Program under the proposed regulations
reasonable estimate.                                                                                including notifying the cardholder or
                                              will not have covered accounts under                  using another means of assessing the
   The FTC staff maintains its estimate       the final rule. Therefore, these 9,191,496
of 25 hours for high-risk entities to                                                               validity of the change of address. The
                                              low-risk entities will not be required to
create and implement a written                                                                      FTC received no comments on its
                                              develop a written Program, thereby
Program, with an annual recurring                                                                   burden estimates in the NPRM and FTC
                                              substantially reducing the original
burden of 1 hour. As before, FTC staff        burden hours estimate in the NPRM for                 staff does not believe that the changes
anticipates that these entities will          low-risk entities.                                    made to the final regulation have altered
incorporate policies and procedures that         The FTC staff believes that for entities           its original burden estimates.
they likely already have in place. The        subject to a low risk of identity theft, but          Accordingly, FTC staff maintains that it
FTC staff continues to believe that           having consumer accounts that will                    will take 100 credit or debit card issuers
preparation of an annual report will take     require them to have a written Program,               4 hours to develop and implement
high-risk entities 4 hours initially, with    it will take such entities 1 hour to                  policies and procedures to assess the
an annual recurring burden of 1 hour.         review the final regulations and create               validity of a change of address request
B. Low-Risk Entities                          a streamlined Program, with an annual                 for a total burden of 400 hours.
                                              recurring burden of 5 minutes. The FTC                   Estimated Cost Burden:
   A few commenters believed that FTC         staff believes that training staff to be
staff had underestimated the amount of                                                                 The FTC staff derived labor costs by
                                              attentive to any future risks of identity
time it would take low-risk entities to                                                             applying appropriate estimated hourly
                                              theft will take low-risk entities 10
comply with the proposed regulations.                                                               cost figures to the burden hours
                                              minutes, with an annual recurring
These commenters estimated that the                                                                 described above. It is difficult to
                                              burden of 5 minutes. The FTC staff
amount of time would range from 6 to                                                                calculate with precision the labor costs
                                              believes that preparing an annual report
20 hours to create a program and 1 hour                                                             associated with the proposed
                                              will take low-risk entities 10 minutes,
each to train employees and draft the                                                               regulations, as they entail varying
                                              with an annual recurring burden of 5
annual report. The FTC staff believes                                                               compensation levels of management
                                              minutes.
these estimates were based on a                  Accordingly, FTC staff estimates that              and/or technical staff among companies
misunderstanding of the requirements          the final regulations implementing                    of different sizes. In the NPRM, FTC
of the proposed regulations, including        section 114 affect the following: 266,602             staff had estimated that low-risk entities
that the list of 31 Red Flags in the          high-risk entities subject to the FTC’s               would use administrative support
proposed guidelines was intended to be        jurisdiction at an average annual burden              personnel at an hourly cost of $16.00. A
a checklist. The final regulations clarify    of 13 hours per entity [average annual                few commenters disagreed that low-risk
that the list of Red Flags is illustrative    burden over 3-year clearance period for               entities would use administrative
only. Moreover, the emphasis of the           creation and implementation of Program                support personnel, arguing instead that
written Program, as required under the        ((25+1+1)/3) plus average annual                      the Program would be implemented at
final regulations, is to identify risks of    burden over 3-year clearance period for
identity theft. To the extent that entities                                                         a managerial level, and the labor cost
                                              staff training ((4+1+1)/3) plus average               should be at least $32.00 and possibly
with consumer accounts determine that
they have a minimal risk of identity                                                                even $48.00. Therefore, in calculating
                                                64 This estimate is derived from an analysis of a
theft, they would be tasked only with                                                               the cost figures, FTC staff assumes that
                                              database of U.S. businesses based on NAICS codes
developing a streamlined Program.             for businesses that market goods or services to       for all entities, professional technical
Therefore, the FTC staff does not believe     consumers or other businesses, net of the number      personnel and/or managerial personnel
that it would take such an entity 6 to 20     of creditors subject to the FTC’s jurisdiction, an    will create and implement the Program,
                                              estimated subset of which comprise anticipated
hours to develop a Program, 1 hour to         low-risk entities not having covered accounts under
                                                                                                    prepare the annual report, train
train employees, and 1 hour to draft an       the final rule.                                       employees, and assess the validity of a
                  Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                             63743

change of address request, at an hourly                inspect and photocopy the comments at        federal/propose/html including any
rate of $32.00.65                                      the OCC’s Public Information Room, 250       personal information provided.
   Based on the above estimates and                    E Street, SW., Washington, DC 20219.         Comments may be inspected at the FDIC
assumptions, the total annual labor                    For security reasons, the OCC requires       Public Information Center, Room 100,
costs for all categories of covered                    that visitors make an appointment to         801 17th Street, NW., Washington, DC,
entities under the final regulations                   inspect comments. You may do so by           between 9 a.m. and 4:30 p.m. on
implementing section 114 are                           calling 202–874–5043. Upon arrival,          business days.
$142,925,000 (rounded to the nearest                   visitors will be required to present valid      OTS: Information Collection
thousand) [(3,466,000 hours + 400 hours                government-issued photo identification       Comments, Chief Counsel’s Office,
+ 1,000,000 hours) x $32.00)].                         and submit to security screening in          Office of Thrift Supervision, 1700 G
   Section 315:                                        order to inspect and photocopy               Street, NW., Washington, DC 20552;
   Estimated Hours Burden:                             comments.
   The Commission did not receive any                                                               send a facsimile transmission to (202)
                                                          Board: You may submit comments,           906–6518; or send an e-mail to related
comments relating to its original burden               identified by R–1255, by any of the
estimates for the information collection                                                            index on the OTS Internet site at http://
                                                       following methods:                           www.ots.treas.gov. In addition,
requirements under section 315.                           Agency Web site: http://
Although the final regulations were                                                                 interested persons may inspect the
                                                       www.federalreserve.gov. Follow the           comments at the Public Reading Room,
modified such that they no longer                      instructions for submitting comments
require users to furnish a confirmed                                                                1700 G Street, NW., by appointment. To
                                                       on http://www.federalreserve.gov/            make an appointment, call (202) 906–
address to a CRA for existing                          generalinfo/foia/ProposedRegs.cfm.
relationships, FTC staff does not believe                                                           5922, send an e-mail to
                                                          Federal eRulemaking Portal: http://       publicinfo@ots.treas.gov, or send a
that this modification will significantly              www.regulations.gov. Follow the
alter its original burden estimates.                                                                facsimile transmission to (202) 906–
                                                       instructions for submitting comments.        7755.
Therefore, FTC staff burden estimates                     E-mail:
remain unchanged under section 315                     regs.comments@federalreserve.gov.               NCUA: You may submit comments by
from the estimates proposed in the                     Include docket number in the subject         any of the following methods (Please
NPRM. Accordingly, FTC staff estimates                 line of the message.                         send comments by one method only):
that the average annual information                       Fax: 202–452–3819 or 202–452–3102.           Federal eRulemaking Portal: http://
collection burden during the three-year                   Mail: Jennifer J. Johnson, Secretary,     www.regulations.gov.
period for which OMB clearance was                     Board of Governors of the Federal               Follow the instructions for submitting
sought will be 831,000 hours (rounded                  Reserve System, 20th Street and              comments.
to the nearest thousand). The FTC staff                Constitution Avenue, NW., Washington,           NCUA Web site: http://
continues to assume that the policies                  DC 20551.                                    www.ncua.gov/
and procedures for notice of address                      All public comments are available         RegulationsOpinionsLaws/
discrepancy and furnishing the correct                 from the Board’s Web site at http://         proposedregs/proposedregs.html.
address will be set up by administrative               www.federalreserve.gov/generalinfo/             Follow the instructions for submitting
support personnel at an hourly rate of                 foia/ProposedRegs.cfm as submitted,          comments.
$16.66 Thus, the estimated annual labor                unless modified for technical reasons.
cost associated with this burden is                    Accordingly, your comments will not be          E-mail: Address to
$13,296,000 (rounded to the nearest                    edited to remove any identifying or          regcomments@ncua.gov. Include ‘‘[Your
thousand).                                             contact information. Public comments         name] Comments on -,’’ in the e-mail
   The Agencies have a continuing                      may also be viewed electronically or in      subject line.
interest in the public’s opinions of our               paper form in Room MP–500 of the                Fax: (703) 518–6319. Use the subject
collections of information. At any time,               Board’s Martin Building (20th and C          line described above for e-mail.
comments regarding the burden                          Streets, NW.) between 9 a.m. and 5 p.m.         Mail: Address to Mary F. Rupp,
estimate, or any other aspect of this                  on weekdays.                                 Secretary of the Board, National Credit
collection of information, including                      FDIC: You may submit written              Union Administration, 1775 Duke
suggestions for reducing the burden,                   comments, which should refer to 3064–        Street, Alexandria, VA 22314–3428.
may be sent to:                                        AD00, by any of the following methods:          Hand Delivery/Courier: Same as mail
   OCC: Communications Division,                          Agency Web site: http://                  address.
Office of the Comptroller of the                       www.fdic.gov/regulations/laws/federal/          Additionally, commenters may send a
Currency, Public Information Room,                     propose.html.                                copy of their comments to the OMB
Mail stop 1–5, Attention: 1557–0237,                      Follow the instructions for submitting    desk officer for the OCC, Board, FDIC,
250 E Street, SW., Washington, DC                      comments on the FDIC Web site.               OTS, and NCUA by mail to the Office
20219. In addition, comments may be                       Federal eRulemaking Portal: http://       of Information and Regulatory Affairs,
sent by fax to 202–874–4448, or by                     www.regulations.gov. Follow the              U.S. Office of Management and Budget,
electronic mail to                                     instructions for submitting comments.        New Executive Office Building, Room
regs.comments@occ.treas.gov. You can                      E-mail: Comments@FDIC.gov.
                                                                                                    10235, 725 17th Street, NW.,
                                                          Mail: Robert E. Feldman, Executive
                                                                                                    Washington, DC 20503, or by fax to
   65 The cost is derived from a mid-range among the   Secretary, Attention: Comments, FDIC,
reported 2006 Bureau of Labor Statistics rates for                                                  (202) 395–6974.
                                                       550 17th Street, NW., Washington, DC
likely positions within the professional technical
                                                       20429.                                          FTC: Comments should refer to ‘‘The
and managerial categories. See June 2006 Bureau of                                                  Red Flags Rule: Project No. R611019,’’
Labor Statistics National Compensation Survey for         Hand Delivery/Courier: Guard station
occupational wages in the United States at http://     at the rear of the 550 17th Street           and may be submitted by any of the
www.bls.gov/ncs/ocs/sp/ncbl0910.pdf (‘‘June 2006       Building (located on F Street) on            following methods. However, if the
BLS NCS Survey’’).
                                                       business days between 7 a.m. and 5 p.m.      comment contains any material for
   66 This hourly wage is a conservative inflation-
                                                          Public Inspection: All comments           which confidential treatment is
adjusted updating of hourly mean wages ($14.86)
shown for administrative support personnel in the      received will be posted without change       requested, it must be filed in paper
June 2006 BLS NCS Survey.                              to http://www.fdic.gov/regulations/laws/     form, and the first page of the document
63744            Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

must be clearly labeled                               http://www.ftc.gov/os/                       proposed regulations implementing
‘‘Confidential.’’ 67                                  publiccomments.htm. As a matter of           section 114, if adopted as proposed,
   E-mail: Comments filed in electronic               discretion, the FTC makes every effort to    would not impose undue costs on
form should be submitted by clicking on               remove home contact information for          national banks and would not have a
the following Web link: https://                      individuals from the public comments it      substantial economic impact on a
secure.commentworks.com/ftc-redflags                  receives before placing those comments       substantial number of small national
and following the instructions on the                 on the FTC Web site. More information,       banks. The OCC noted that national
Web-based form. To ensure that the                    including routine uses permitted by the      banks already employ a variety of
Commission considers an electronic                    Privacy Act, may be found in the FTC’s       measures that satisfy the requirements
comment, you must file it on the Web-                 privacy policy, at http://www.ftc.gov/       of the rulemaking because (1) such
based form at https://                                ftc/privacy.htm.                             measures are a good business practice
secure.commentworks.com/ftc-redflags.                    Members of the public also can            and generally are a part of a bank’s
   Federal eRulemaking Portal: If this                request additional information or a copy     efforts to reduce losses due to fraud, and
notice appears at http://                             of the collection from:                      (2) national banks already comply with
www.regulations.gov, you may also file                   OCC: Mary Gottlieb, OCC Clearance         other regulations and guidance that
an electronic comment through that                    Officer, (202) 874–5090, Legislative and     relate to information security,
Web site. The Commission will consider                Regulatory Activities Division, Office of    authentication, identity theft, and
all comments that regulations.gov                     the Comptroller of the Currency, 250 E       response programs. For example,
forwards to it.                                       Street, SW., Washington, DC 20219.           national banks are already subject to CIP
   Mail or Hand Delivery: A comment                      Board: Michelle Shore, Clearance          rules requiring them to verify the
filed in paper form should include ‘‘The              Officer, Division of Research and            identity of a person opening a new
Red Flags Rule, Project No. R611019,’’                Statistics (202) 452–3829.                   account 68 and already have various
both in the text and on the envelope and                 FDIC: Steven F. Hanft, Clearance          systems in place to detect certain
should be mailed or delivered, with two               Officer, Legal Division, (202–898–3907).     patterns, practices and specific activities
complete copies, to the following                        OTS: Ira L. Mills, OTS Clearance          that indicate the possible existence of
address: Federal Trade Commission/                    Officer, Litigation Division, Chief          identity theft in connection with the
Office of the Secretary, Room H–135                   Counsel’s Office, at                         opening of new accounts. Similarly,
(Annex M), 600 Pennsylvania Avenue,                   Ira.Mills@ots.treas.gov, (202) 906–6531,     national banks complying with the
NW., Washington, DC 20580. Because                    or facsimile number (202) 906–6518.          ‘‘Interagency Guidelines Establishing
paper mail in the Washington area and                    NCUA: Regina M. Metz, Staff               Information Security Standards’’ 69 and
at the Commission is subject to delay,                Attorney, Office of General Counsel,         guidance recently issued by the FFIEC
please consider submitting your                       (703) 518–6540.                              titled ‘‘Authentication in an Internet
comments in electronic form, as                          FTC: See FOR FURTHER INFORMATION          Banking Environment’’ 70 already have
prescribed above. The FTC is requesting               CONTACT above.                               policies and procedures in place to
that any comment filed in paper form be                                                            detect attempted and actual intrusions
sent by courier or overnight service, if              B. Regulatory Flexibility Act
                                                                                                   into customer information systems and
possible.                                                OCC: Under section 605(b) of the          to detect patterns, practices and specific
   Comments on any proposed filing,                   Regulatory Flexibility Act (RFA), 5          activities that indicate the possible
recordkeeping, or disclosure                          U.S.C. 605(b), the OCC must either           existence of identity theft in connection
requirements that are subject to                      publish a Final Regulatory Flexibility       with existing accounts. Banks
paperwork burden review under the                     Analysis (FRFA) for a final rule or          complying with the OCC’s ‘‘Guidance
Paperwork Reduction Act should                        certify, along with a statement providing    on Identity Theft and Pretext Calling’’ 71
additionally be submitted to: Office of               the factual basis for such certification,    already have policies and procedures to
Management and Budget, Attention:                     the rule will not have a significant         verify the validity of change of address
Desk Officer for the Federal Trade                    economic impact on a substantial             requests on existing accounts.
Commission. Comments should be                        number of small entities. The Small             Nonetheless, the OCC specifically
submitted via facsimile to (202) 395–                 Business Administration has defined          requested comment and specific data on
6974 because U.S. Postal Mail is subject              ‘‘small entities’’ for banking purposes as   the size of the incremental burden
to lengthy delays due to heightened                   a bank or savings institution with assets    creating an identity theft prevention
security precautions.                                 of $165 million or less. See 13 CFR          program would have on small national
   The FTC Act and other laws the                     121.201.                                     banks, given banks’’ current practices
Commission administers permit the                        Based on its analysis and for the         and compliance with existing
collection of public comments to                      reasons stated below, the OCC certifies      requirements. The OCC also requested
consider and use in this proceeding as                that this final rulemaking will not have     comment on how the final regulations
appropriate. All timely and responsive                a significant economic impact on a           might minimize any burden imposed to
public comments, whether filed in                     substantial number of small entities.        the extent consistent with the
paper or electronic form, will be
                                                      Rules Implementing Section 114               requirements of the FACT Act.
considered by the Commission, and will
                                                                                                      Commenters confirmed that the
be available to the public on the FTC                   The proposed regulations                   proposed regulations implementing
Web site, to the extent practicable, at               implementing section 114 required the        section 114 of the FACT Act are
                                                      development and establishment of a           consistent with banks’’ usual and
  67 Commission Rule 4.2(d), 16 CFR 4.2(d). The
                                                      written identity theft prevention            customary business practices used to
comment must be accompanied by an explicit
request for confidential treatment, including the     program to detect, prevent, and mitigate     minimize losses due to fraud in
factual and legal basis for the request, and must     identity theft. The proposed regulations     connection with new and existing
identify the specific portions of the comment to be   also required card issuers to assess the
withheld from the public record. The request will     validity of a notice of address change        68 31
be granted or denied by the Commission’s General                                                         CFR 103.121; 12 CFR 21.21 (national banks).
Counsel, consistent with applicable law and the       under certain circumstances.                  69 12CFR part 30, app. B (national banks).
public interest. See Commission Rule 4.9(c), 16 CFR     In connection with the proposed             70 OCC Bulletin 2005–35 (Oct. 12, 2005).

4.9(c).                                               rulemaking, the OCC concluded that the        71 OCC AL 2001–4 (April 30, 2001).
                  Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                              63745

accounts. They also confirmed that                    customers or to the safety and                  As a result of the changes and
banks have implemented measures to                    soundness of the financial institution or    clarifications noted above, this section
address many of the proposed                          creditor from identity theft, such as        of the final rule is far more flexible and
requirements as a result of having to                 those already developed in connection        less burdensome than that in the
comply with existing regulations and                  with the entity’s fraud prevention           proposed rules while still fulfilling the
guidance. However, commenters also                    program.                                     statutory mandates enumerated in
asserted that the Agencies had                           • The final rules clarify that a          section 114. Moreover, the OCC has
underestimated the incremental burden                 Program (including the Red Flags             concluded that the incremental cost of
imposed by the proposed rules. They                   determined to be relevant) may be            these final rules and guidelines will not
highlighted aspects of the proposal that              periodically, rather than continually,       impose undue costs and will not have
they maintained would have required                   updated to reflect changes in risks to       a significant economic impact on a
banks to alter their current practices and            customers and to the safety and              substantial number of small entities.
implement duplicative policies and                    soundness of the financial institution or    Rules Implementing Section 315
procedures.                                           creditor from identity theft.
   Only a few commenters provided                        • The rules focus on consumer                The proposed regulations
estimates of additional burden that                   accounts, and require a Program to           implementing section 315 required a
would result from the proposed rules.                 include only other accounts ‘‘for which      user of consumer reports to have
Many of these comments stemmed from                   there is a reasonably foreseeable risk to    policies and procedures to enable the
a misreading of the requirements of the               customers or to the safety and               user to form a reasonable belief that it
proposed rules. Further, many                         soundness of the financial institution or    knows the identity of the consumer for
commenters confused the Agencies’                     creditor from identity theft.’’              whom it has obtained a consumer
PRA estimates with the Agencies’                         • The definition of ‘‘Red Flags’’ no      report. The proposed rules also required
overall conclusions regarding regulatory              longer includes reference to the             the user to furnish to the CRA from
burden.72                                             ‘‘possible risk’’ of identity theft and no   whom it received the notice of address
   The OCC believes that the final rules              longer incorporates precursors to            discrepancy an address for the
substantially address the concerns of the             identity theft.                              consumer that the user has reasonably
commenters as follows:                                   • The final rules clarify that the Red    confirmed is accurate when the user: (1)
   • The final rules allow a covered                  Flags in Supplement A are examples           Is able to form a reasonable belief that
entity to tailor its Program to its size,             rather than a mandatory checklist.           it knows the identity of the consumer
complexity and nature of its operations.                 • Supplement A includes a Red Flag        for whom the consumer report was
The final rules and guidelines do not                 for activity on an inactive account in       obtained; (2) establishes or maintains a
require the use of any specific                       place of a separate guideline.               continuing relationship with the
technology, systems, processes or                        • The final rules clarify that the        consumer; and (3) regularly and in the
methodology.                                          Board of Directors or a committee            ordinary course of business furnishes
   • The final rules list the four                    thereof must approve only the initial        information to the CRA from which a
elements that must be a part of a                     written Program. The rules provide a         notice of address discrepancy pertaining
Program, and the steps that a covered                 covered entity with the discretion to        to the consumer was obtained.
                                                      determine whether the Board or                  In connection with the proposed
entity must take to administer the
                                                      management will approve changes to           rulemaking the OCC noted that the
Program. The rules provide covered
                                                      the Program and the extent of Board          FACT Act already requires CRAs to
entities with greater discretion to
                                                      involvement in oversight of the              provide notices of address discrepancy
determine how to implement these
                                                      Program.                                     to users of credit reports. The OCC
mandates.
   • Additional requirements previously                  • The final rules clarify that only       stated that with respect to new
                                                      relevant staff must be trained to            accounts, a national bank already is
in the proposed rules are now in                                                                   required by the CIP rules to ensure that
guidelines that are located in Appendix               implement the Program, as necessary.
                                                         • Card issuers may satisfy the            it knows the identity of a person
J. The guidelines describe various                                                                 opening a new account and to keep a
                                                      requirements of this section by verifying
policies and procedures that a financial                                                           record describing the resolution of any
                                                      the address at the time the address
institution or creditor must consider                                                              substantive discrepancy discovered
                                                      change notification is received, whether
and include in its Program, where                                                                  during the verification process. The
                                                      or not the notification is linked to a
appropriate, to satisfy the requirements                                                           OCC also stated that as a matter of good
                                                      request for an additional or replacement
of the final rules. The preamble to the                                                            business practice, most national banks
                                                      card—building on issuers’ existing
rules explains that an institution or                                                              currently have policies and procedures
                                                      procedures.
creditor may determine that particular                   • Covered entities need not comply        in place to respond to notices of address
guidelines are not appropriate to                     with the final rules until November 1,       discrepancy when they are provided in
incorporate into its Program as long as               2008.                                        connection with both new and existing
its Program contains reasonable policies                 The Agencies did consider whether it      accounts, by furnishing an address for
and procedures to meet the specific                   would be appropriate to extend different     the consumer that the bank has
requirements of the final rules.                      treatment or exempt small covered            reasonably confirmed is accurate to the
   • The guidelines clarify that a                    entities from the requirements of this       CRA from which it received the notice
covered entity need not create duplicate              section of the final rulemaking. The         of address discrepancy.
policies and procedures and may                       Agencies note that identity theft can           The OCC specifically requested
incorporate into its Program, as                      occur in small entities as well as large     comment on whether the proposed
appropriate, its existing processes that              ones. The Agencies do not believe that       requirements differ from small banks’
control reasonably foreseeable risks to               an exemption for small entities is           current practices and whether the
   72 The PRA focuses more narrowly on the time,
                                                      appropriate given the flexibility built      proposed requirements on users of
effort, and financial resources expended by persons
                                                      into the final rules and guidelines and      consumer reports to have policies and
to generate, maintain, or provide information to or   the importance of the statutory goals        procedures to respond to the receipt of
for a Federal agency. See 44 U.S.C. 3501 et seq.      and mandate of section 114.                  an address discrepancy could be altered
63746         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

to minimize any burden imposed to the         114 of the FACT Act amends section               3. Description and estimate of small
extent consistent with the requirements       615 of the FCRA and directs the Board,        entities affected by the final rule.
of the FACT Act.                              together with the other Agencies, to             The final rule applies to all banks that
   Many suggestions received in               issue joint regulations and guidelines        are members of the Federal Reserve
response to this solicitation for             regarding the detection, prevention, and      System (other than national banks) and
comment would have required a                 mitigation of identity theft, including       their respective operating subsidiaries,
statutory change. However, many               special regulations requiring debit and       branches and Agencies of foreign banks
commenters noted that section 315 does        credit card issuers to validate               (other than Federal branches, Federal
not require the reporting of a confirmed      notifications of changes of address           Agencies, and insured State branches of
address to a CRA for a notice of address      under certain circumstances. Section          foreign banks), commercial lending
discrepancy received for an existing          315 of the FACT Act adds section              companies owned or controlled by
account. These commenters stated that         605(h)(2) to the FCRA and requires the        foreign banks, and organizations
the level of regulatory burden imposed        Agencies to issue joint regulations that      operating under section 25 or 25A of the
by this requirement would be significant      provide guidance regarding reasonable         Federal Reserve Act (12 U.S.C. 601 et
and would force users to reconcile and        policies and procedures that a user of a      seq., and 611 et seq.). The Board’s rule
verify addresses millions of times a year     consumer report should employ when            will apply to the following institutions
in connection with routine account            the user receives a notice of address         (numbers approximate): State member
maintenance. Commenters maintained            discrepancy. The Board received no            banks (881), operating subsidiaries that
that this would result in enormous costs      comments on the reasons for the               are not functionally regulated with in
that provide relatively little benefit to     proposed rule. The Board is adopting          the meaning of section 5(c)(5) of the
consumers. The final rules address these      the final rule to implement sections 114      Bank Holding Company Act of 1956, as
comments and accordingly, under the           and 315 of the FACT Act. The                  amended (877), U.S. branches and
rules implementing section 315, a user        SUPPLEMENTARY INFORMATION above               agencies of foreign banks (219),
is not obligated to furnish a confirmed       contains information on the objectives        commercial lending companies owned
address for the consumer to the CRA in        of the final rule.                            or controlled by foreign banks (3), and
connection with existing accounts.               2. Summary of issues raised by             Edge and agreement corporations (64),
   Although, a bank will likely have to       comments in response to the initial           for a total of approximately 2,044
modify its existing procedures to add a       regulatory flexibility analysis.              institutions. The Board estimates that
new procedure for promptly reporting to          In accordance with Section 3(a) of the     more than 1,448 of these institutions
CRAs the reconciled address for new           RFA, the Board conducted an initial           could be considered small entities with
deposit accounts, the OCC has                 regulatory flexibility analysis in            assets of $165 million or less.
concluded that the final rules                connection with the proposed rule. One           4. Recordkeeping, reporting, and other
implementing section 315 will not             commenter, the Mortgage Bankers               compliance requirements.
impose undue costs on national banks          Association (MBA), responded to the              Section 114 requires the Board to
and will have not have a significant          initial regulatory flexibility analysis and   prescribe regulations that require
economic impact on a substantial              stated that contrary to the Agencies’         financial institutions and creditors to
number of small entities. Finally, as         belief, the proposed rule would have a        establish reasonable policies and
mentioned earlier, the final rules            significant economic impact on a              procedures to implement guidelines
provide a transition period and do not        substantial number of affected small          established by the Board and other
require covered entities to fully comply      entities. The MBA stated that                 federal agencies that address identity
with these requirements until November        commercial and multifamily mortgage           theft with respect to account holders
1, 2008.                                      lenders should not be subject to the          and customers. This would be
   Board: The Board prepared an initial       proposed rule because it would                implemented by requiring a covered
regulatory flexibility analysis as            constitute useless regulatory burden.         financial institution or creditor to create
required by the Regulatory Flexibility        Three commenters (Independent                 an Identity Theft Prevention Program
Act (RFA) (5 U.S.C. 601 et seq.) in           Community Bankers of America, The             that detects, prevents and mitigates the
connection with the July 18, 2006             Financial Services Roundtable and             risk of identity theft applicable to its
proposed rule. The Board received one         BITS, and KeyCorp) believed that the          accounts.
comment on its regulatory flexibility         Board and the other Agencies had                 Section 114 also requires the Board to
analysis.                                     underestimated the costs of compliance.       adopt regulations applicable to credit
   Under Section 605(b) of the RFA, 5         The issues raised by these commenters         and debit card issuers to implement
U.S.C. 605(b), the regulatory flexibility     did not apply uniquely to small entities      policies and procedures to assess the
analysis otherwise required under             and are described in the Paperwork            validity of change of address requests.
Section 604 of the RFA is not required        Reduction Act section above.                  The final rule implements this by
if an agency certifies, along with a             Some small financial institutions          requiring credit and debit card issuers to
statement providing the factual basis for     expressed concern about the flexibility       establish reasonable policies and
such certification, that the rule will not    granted by the proposal. As stated in the     procedures to assess the validity of a
have a significant economic impact on         Overview of Proposal and Comments             change of address if it receives
a substantial number of small entities.       Received, these commenters preferred to       notification of a change of address for a
Based on its analysis and for the reasons     have more structured guidance that            debit or credit card account and, within
stated below, the Board certifies that        describes how to develop and                  a short period of time afterwards (during
this final rule will not have a significant   implement a Program and what they             at least the first 30 days after it receives
economic impact on a substantial              would need to do to achieve                   such notification), the issuer receives a
number of small entities.                     compliance. In addition, one commenter        request for an additional or replacement
   1. Statement of the need for, and          expressed concern that smaller                card for the same account.
objectives of, the final rule.                institutions would be particularly               Section 315 requires the Board to
   The FACT Act amends the FCRA and           burdened by the proposal’s requirement        prescribe regulations that provide
was enacted, in part, for the purpose of      that the Program be designed to address       guidance regarding the reasonable
helping to reduce identity theft. Section     changing identity risks ‘‘as they arise.’’    policies and procedures that a user of
              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                 63747

consumers’ reports should employ to           approximately 3,260 of which are small        basis for such certification, the rule will
verify the identity of a consumer when        entities. The rule is drafted in a flexible   not have a significant economic impact
a consumer reporting agency provides a        manner that allows institutions to            on a substantial number of small
notice of address discrepancy with the        develop and implement different types         entities. The Small Business
consumer reporting agency in certain          of programs based upon their size,            Administration has defined ‘‘small
circumstances. The final rule requires        complexity, and the nature and scope of       entities’’ to include savings associations
users of consumer reports to develop          their activities. The final rules and         with total assets of $165 million or less.
and implement reasonable policies and         guidelines do not require the use of any      13 CFR 121.201.
procedures for verifying the identity of      specific technology, systems, processes
                                                                                               The rule will implement section 114
a consumer for whom it has obtained a         or methodology.
                                                 The guidelines clarify that a covered      and 315 of the FACT Act and will apply
consumer report and for whom it
                                              entity need not create duplicate policies     to all savings associations (and federal
receives a notice of address discrepancy
                                              and procedures and may incorporate            savings associations operating
and to reconcile an address discrepancy
with the appropriate consumer                 into its Program, as appropriate, its         subsidiaries that are not functionally
reporting agency in certain                   existing processes that control               regulated within the meaning of section
circumstances.                                reasonably foreseeable risks to               5(c)(5) of the Bank Holding Company
   5. Steps taken to minimize the             customers or to the safety and                Act), 424 of which have assets of less
economic impact on small entities.            soundness of the financial institution or     than or equal to $165 million. Based on
   The Board and the other Agencies           creditor from identity theft, such as         its analysis and for the reasons stated
have attempted to minimize the                those already developed in connection         below, OTS certifies that this final
economic impact on small entities by          with the entity’s fraud prevention            rulemaking will not have a significant
providing more flexibility in developing      program. The FDIC believes that many          economic impact on a substantial
a Program and moving certain detail           institutions have already implemented a       number of small entities.
contained in the proposed regulations to      significant portion of the detection and      Rules Implementing Section 114
the guidelines. In addition, to allow         mitigation efforts required by the rule.
small entities and creditors to tailor           With respect to the portion of the rule       The proposed regulations
their Programs to their operations, the       covering card issuers, those entities may     implementing section 114 required the
final rules provide that the Program          satisfy the requirements of this section      development and establishment of a
must be appropriate to the size and           by verifying the address at the time the      written identity theft prevention
complexity of the financial institution       address change notification is received,      program to detect, prevent, and mitigate
or creditor and the nature and scope of       whether or not the notification is linked     identity theft. The proposed regulations
its activities. The Board has also            to a request for an additional or             also required card issuers to assess the
eliminated the requirement for                replacement card—building on issuers’’        validity of a notice of address change
institutions to update their Program in       existing procedures.                          under certain circumstances.
response to changing identity theft risks        Under the final rule implementing
‘‘as they arise.’’ The final rule instead     FACT Act Section 315, a user of                  In connection with the proposed
requires ‘‘periodic’’ updating.               consumer reports (which constitutes           rulemaking, OTS concluded that the
   FDIC: The FDIC prepared an initial         most, if not all, FDIC-insured state          proposed regulations implementing
regulatory flexibility analysis as            nonmember banks) must have policies           section 114, if adopted as proposed,
required by the Regulatory Flexibility        and procedures to enable the user to          would not impose undue costs on
Act (RFA) (5 U.S.C. 601 et seq.) in           form a reasonable belief that it knows        savings associations and would not have
connection with the July 18, 2006             the identity of the consumer for whom         a substantial economic impact on a
proposed rule. Under Section 605(b) of        it has obtained a consumer report.            substantial number of small savings
the RFA, 5 U.S.C. 605(b), the regulatory      Although, a bank will likely have to          associations. OTS noted that savings
flexibility analysis otherwise required       modify its existing procedures to add a       associations already employ a variety of
under Section 604 of the RFA is not           new procedure for promptly reporting to       measures that satisfy the requirements
required if an agency certifies, along        consumer reporting agencies the               of the rulemaking because (1) such
with a statement providing the factual        reconciled address for new deposit            measures are a good business practice
basis for such certification, that the rule   accounts, the FDIC has concluded that         and generally are a part of a thrift’s
will not have a significant economic          the final rules implementing section          efforts to reduce losses due to fraud, and
impact on a substantial number of small       315—which only obligates a user to            (2) savings associations already comply
entities (defined for purposes of the         furnish a confirmed address for the           with other regulations and guidance that
RFA to include banks with less than           consumer to the consumer reporting            relate to information security,
$165 in assets). Based on its analysis        agency in connection with new, and not        authentication, identity theft, and
and for the reasons stated below, the         existing, accounts—will not impose            response programs. For example,
FDIC certifies that this final rule will      undue costs on banks and will not have        savings associations are already subject
not have a significant economic impact        a significant economic impact on a            to CIP rules requiring them to verify the
on a substantial number of small entities     substantial number of small entities.         identity of a person opening a new
   Under the final rule implementing             Moreover, the final rules provide a        account 73 and already have various
FACT Act Section 114, financial               transition period and do not require          systems in place to detect certain
institutions and creditors must have a        covered entities to fully comply with         patterns, practices and specific activities
written program that includes controls        these requirements until November 1,          that indicate the possible existence of
to address the identity theft risks they      2008.                                         identity theft in connection with the
have identified. Credit and debit card           OTS: Under section 605(b) of the           opening of new accounts. Similarly,
issuers must also have additional             Regulatory Flexibility Act (RFA), 5           savings associations complying with the
policies and procedures to assess the         U.S.C. 605(b), OTS must either publish        ‘‘Interagency Guidelines Establishing
validity of change of address requests.       a Final Regulatory Flexibility Analysis
   The final rule would apply to all          (FRFA) for a final rule or certify, along       73 31 CFR 103.121; 12 CFR 563.177 (savings

FDIC-insured state nonmember banks,           with a statement providing the factual        associations).
63748             Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

Information Security Standards’’ 74 and                    OTS believes that the final rules            • Supplement A includes a Red Flag
guidance recently issued by the FFIEC                   substantially address the concerns of the    for activity on an inactive account in
titled ‘‘Authentication in an Internet                  commenters as follows:                       place of a separate guideline.
Banking Environment’’ 75 already have                      • The final rules allow a covered            • The final rules clarify that the
policies and procedures in place to                     entity to tailor its Program to its size,    Board of Directors or a committee
detect attempted and actual intrusions                  complexity and nature of its operations.     thereof must approve only the initial
into customer information systems and                   The final rules and guidelines do not        written Program. The rules provide a
to detect patterns, practices and specific              require the use of any specific              covered entity with the discretion to
activities that indicate the possible                   technology, systems, processes or            determine whether the Board or
existence of identity theft in connection               methodology.                                 management will approve changes to
with existing accounts. Savings                            • The final rules list the four           the Program and the extent of Board
associations complying with OTS’s                       elements that must be a part of a            involvement in oversight of the
guidance on ‘‘Identity Theft and Pretext                Program, and the steps that a covered        Program.
Calling’’ 76 already have policies and                  entity must take to administer the              • The final rules clarify that only
procedures to verify the validity of                    Program. The rules provide covered           relevant staff must be trained to
change of address requests on existing                  entities with greater discretion to          implement the Program, as necessary.
accounts.                                               determine how to implement these                • Card issuers may satisfy the
   Nonetheless, OTS specifically                        mandates.                                    requirements of this section by verifying
requested comment and specific data on                     • Additional requirements previously      the address at the time the address
the size of the incremental burden                      in the proposed rules are now in             change notification is received, whether
creating an identity theft prevention                   guidelines that are located in Appendix      or not the notification is linked to a
program would have on small saving                      J. The guidelines describe various           request for an additional or replacement
associations, given their current                       policies and procedures that a financial     card—building on issuers’ existing
practices and compliance with existing                  institution or creditor must consider        procedures.
requirements. OTS also requested                        and include in its Program, where               • Covered entities need not comply
comment on how the final regulations                    appropriate, to satisfy the requirements     with the final rules until November 1,
might minimize any burden imposed to                    of the final rules. The preamble to the      2008.
                                                        rules explains that an institution or           The Agencies did consider whether it
the extent consistent with the
                                                        creditor may determine that particular       would be appropriate to extend different
requirements of the FACT Act.
                                                        guidelines are not appropriate to            treatment or exempt small covered
   Commenters confirmed that the
                                                        incorporate into its Program as long as      entities from the requirements of this
proposed regulations implementing
                                                        its Program contains reasonable policies     section of the final rulemaking. The
section 114 of the FACT Act are
                                                        and procedures to meet the specific          Agencies note that identity theft can
consistent with savings associations’
                                                        requirements of the final rules.             occur in small entities as well as large
usual and customary business practices
                                                           • The guidelines clarify that a           ones. The Agencies do not believe that
used to minimize losses due to fraud in
                                                        covered entity need not create duplicate     an exemption for small entities is
connection with new and existing
                                                        policies and procedures and may              appropriate given the flexibility built
accounts. They also confirmed that
                                                        incorporate into its Program, as             into the final rules and guidelines and
savings associations have implemented
                                                        appropriate, its existing processes that     the importance of the statutory goals
measures to address many of the
                                                        control reasonably foreseeable risks to      and mandate of section 114.
proposed requirements as a result of                                                                    As a result of the changes and
                                                        customers or to the safety and
having to comply with existing                                                                       clarifications noted above, this section
                                                        soundness of the financial institution or
regulations and guidance. However,                                                                   of the final rule is far more flexible and
                                                        creditor from identity theft, such as
commenters also asserted that the                                                                    less burdensome than that in the
                                                        those already developed in connection
Agencies had underestimated the                                                                      proposed rules while still fulfilling the
                                                        with the entity’s fraud prevention
incremental burden imposed by the                                                                    statutory mandates enumerated in
                                                        program.
proposed rules. They highlighted                           • The final rules clarify that a          section 114. Moreover, OTS has
aspects of the proposal that they                       Program (including the Red Flags             concluded that the incremental cost of
maintained would have required                          determined to be relevant) may be            these final rules and guidelines will not
savings associations to alter their                     periodically, rather than continually,       impose undue costs and will not have
current practices and implement                         updated to reflect changes in risks to       a significant economic impact on a
duplicative policies and procedures.                    customers and to the safety and              substantial number of small entities.
   Only a few commenters provided                       soundness of the financial institution or
estimates of additional burden that                                                                  Rules Implementing Section 315
                                                        creditor from identity theft.
would result from the proposed rules.                      • The rules focus on consumer                The proposed regulations
Many of these comments stemmed from                     accounts, and require a Program to           implementing section 315 required a
a misreading of the requirements of the                 include only other accounts ‘‘for which      user of consumer reports to have
proposed rules. Further, many                           there is a reasonably foreseeable risk to    policies and procedures to enable the
commenters confused the Agencies’                       customers or to the safety and               user to form a reasonable belief that it
PRA estimates with the Agencies’                        soundness of the financial institution or    knows the identity of the consumer for
overall conclusions regarding regulatory                creditor from identity theft.’’              whom it has obtained a consumer
burden.77                                                  • The definition of ‘‘Red Flags’’ no      report. The proposed rules also required
                                                        longer includes reference to the             the user to furnish to the CRA from
  74 12  CFR part 570, app. B (savings associations).   ‘‘possible risk’’ of identity theft and no   whom it received the notice of address
  75 OTS  CEO Letter 228 (Oct. 12, 2005).               longer incorporates precursors to            discrepancy an address for the
   76 OTS CEO Letter 139 (May 4, 2001).
   77 The PRA focuses more narrowly on the time,
                                                        identity theft.                              consumer that the user has reasonably
effort, and financial resources expended by persons
                                                           • The final rules clarify that the Red    confirmed is accurate when the user: (1)
to generate, maintain, or provide information to or     Flags in Supplement A are examples           Is able to form a reasonable belief that
for a Federal agency. See 44 U.S.C. 3501 et seq.        rather than a mandatory checklist.           it knows the identity of the consumer
              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                        63749

for whom the consumer report was            promptly reporting to CRAs the               identity theft, and regulations requiring
obtained; (2) establishes or maintains a    reconciled address for new deposit           each financial institution and creditor to
continuing relationship with the            accounts, OTS has concluded that the         establish policies and procedures for
consumer; and (3) regularly and in the      final rules implementing section 315         implementing the guidelines. In
ordinary course of business furnishes       will not impose undue costs on savings       addition, section 114 requires credit and
information to the CRA from which a         associations and will have not have a        debit card issuers to establish policies
notice of address discrepancy pertaining    significant economic impact on a             and procedures to assess the validity of
to the consumer was obtained.               substantial number of small entities.        a change of address request. Section 315
   In connection with the proposed          Finally, as mentioned earlier, the final     requires the FTC to develop policies and
rulemaking OTS noted that the FACT          rules provide a transition period and do     procedures that a user of consumer
Act already requires CRAs to provide        not require covered entities to fully        reports must employ when such a user
notices of address discrepancy to users     comply with these requirements until         receives a notice of address discrepancy
of credit reports. OTS stated that with     November 1, 2008.                            from a consumer reporting agency
respect to new accounts, a savings             FTC: The Regulatory Flexibility Act       described in section 603(p) of the FCRA.
association already is required by the      (‘‘RFA’’), 5 U.S.C. 601–612, requires that   In this action, the FTC promulgates final
CIP rules to ensure that it knows the       the Commission provide an Initial            rules that would implement these
identity of a person opening a new          Regulatory Flexibility Analysis              requirements of the FACT Act.
account and to keep a record describing     (‘‘IRFA’’) with a proposed rule and a
the resolution of any substantive           Final Regulatory Flexibility Analysis        2. Significant Issues Received by Public
discrepancy discovered during the           (‘‘FRFA’’), if any, with the final rule,     Comment
verification process. OTS also stated       unless the Commission certifies that the        The Commission received a number
that as a matter of good business           rule will not have a significant             of comments on the effect of the
practice, most savings associations         economic impact on a substantial             proposed regulations. Some of the
currently have policies and procedures      number of small entities. See 5 U.S.C.       comments addressed the effect of the
in place to respond to notices of address   603–605.                                     proposed regulations on businesses
discrepancy when they are provided in          The Commission hereby certifies that      generally, and did not identify small
connection with both new and existing       the final regulations will not have a        businesses as a particular category. The
accounts, by furnishing an address for      significant economic impact on a             FTC staff, therefore, has included all
the consumer that the association has       substantial number of small business         comments in this FRFA that raised
reasonably confirmed is accurate to the     entities. The Commission recognizes          potentially significant compliance
CRA from which it received the notice       that the final regulations will affect a     issues for small businesses, regardless of
of address discrepancy.                     substantial number of small businesses.      whether the commenter identified small
   OTS specifically requested comment       We do not expect, however, that the          businesses as being an affected category.
on whether the proposed requirements        final regulations will have a significant       In drafting its PRA analysis for the
differ from small savings associations’     economic impact on these small               proposed regulations, FTC staff believed
current practices and whether the           entities.                                    that because motor vehicle dealers’
proposed requirements on users of              The Commission continues to believe       loans typically are financed by financial
consumer reports to have policies and       that a precise estimate of the number of     institutions also subject to those
procedures to respond to the receipt of     small entities that fall under the final     regulations, the dealers were likely to
an address discrepancy could be altered     regulations is not currently feasible.       use the latter’s programs as a basis to
to minimize any burden imposed to the       Based on changes made to the final           develop their own. Therefore, although
extent consistent with the requirements     regulations in response to comments          subject to a high risk of identity theft,
of the FACT Act.                            received, however, and the                   their burden would be less than other
   Many suggestions received in             Commission’s own experience and              high-risk entities. Commenters,
response to this solicitation for           knowledge of industry practices, the         however, noted among other concerns
comment would have required a               Commission also continues to believe         that some motor vehicle dealers finance
statutory change. However, many             that the cost and burden to small            their own loans. Thus, FTC staff no
commenters noted that section 315 does      business entities of complying with the      longer is considering motor vehicle
not require the reporting of a confirmed    final regulations are minimal.               dealers separately from other high-risk
address to a CRA for a notice of address    Accordingly, this document serves as         entities.
discrepancy received for an existing        notice to the Small Business                    As noted in the PRA analysis, the
account. These commenters stated that       Administration of the agency’s               Agencies continue to believe that many
the level of regulatory burden imposed      certification of no effect. Nonetheless,     of the high-risk entities, as part of their
by this requirement would be significant    the Commission has decided to publish        usual and customary business practices,
and would force users to reconcile and      a FRFA with these final regulations.         already take steps to minimize losses
verify addresses millions of times a year   Therefore, the Commission has prepared       due to fraud. The final rulemaking
in connection with routine account          the following analysis:                      clarifies that only relevant staff need be
maintenance. Commenters maintained                                                       trained to implement the Program, as
that this would result in enormous costs    1. Need for and Objectives of the Rule       necessary—meaning, for example, that
that provide relatively little benefit to      The FTC is charged with enforcing the     staff already trained as a part of a
consumers. The final rules address these    requirements of sections 114 and 315 of      covered entity’s anti-fraud prevention
comments and, accordingly, under the        the Fair and Accurate Credit                 efforts do not need to be re-trained
rules implementing section 315, a user      Transactions Act of 2003 (FACT Act)          except as incrementally needed.
is not obligated to furnish a confirmed     (15 U.S.C. §§ 1681m(e) and 1681c(h)(2)),     Notwithstanding this clarification, in
address for the consumer to the CRA in      which require the FTC to establish           response to comments received, the
connection with existing accounts.          guidelines for financial institutions and    Agencies are increasing the burden
   Although, a savings association will     creditors identifying patterns, practices,   estimates attributable to training from
likely have to modify its existing          and specific forms of activity, that         two to four hours, as is the FTC for high-
procedures to add a new procedure for       indicate the possible existence of           risk entities in their initial year of
63750            Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

implementing the Program, but FTC                     conduct a periodic risk assessment to         across almost every industry could be
staff continues to believe that one hour              determine if they covered accounts, they      subject to the final rules. For the
of recurring annual training remains a                will not be required to develop a written     majority of these entities, a small
reasonable estimate.                                  Program, thereby substantially reducing       business is defined by the Small
   A few commenters believed that FTC                 the original burden estimate in the           Business Administration as one whose
staff had underestimated the amount of                NPRM for low-risk entities.                   average annual receipts do not exceed
time it would take low-risk entities to                  The FTC received additional                $6.5 million or who have fewer than 500
comply with the proposed regulations.                 comments on its IRFA requesting that          employees.79
These commenters estimated that the                   the FTC delay implementation of the              Section 114: As discussed in the PRA
amount of time would range from 6 to                  final rules for small businesses by a         section of this Notice, given the broad
20 hours to create a program and 1 hour               minimum of six months, consider               scope of section 114’s requirements, it is
each to train employees and draft the                 creating a certification form for low-risk    difficult to determine with precision the
annual report. The FTC staff believes                 entities, and develop a small business        number of financial institutions and
these estimates were based on a                       compliance guide. The Agencies have           creditors that are subject to the FTC’s
misunderstanding of the requirements                  set a mandatory compliance deadline of        jurisdiction. There are numerous small
of the proposed regulations, including                November 1, 2008, thereby providing all       businesses under the FTC’s jurisdiction
that the list of 31 Red Flags in the                  entities with well over six months in         and there is no formal way to track
proposed guidelines was intended to be                which to implement the final                  them; moreover, as a whole, the entities
a checklist. The final regulations clarify            regulations. The FTC staff will be            under the FTC’s jurisdiction are so
that the list of Red Flags is illustrative            developing a small business compliance        varied that there are no general sources
only. Moreover, the emphasis of the                   guide prior to the mandatory                  that provide a record of their existence.
written Program, as required under the                compliance deadline of November 1,            Nonetheless, FTC staff estimates that the
final regulations, is to identify risks of            2008. The FTC staff will consider             final regulations implementing section
identity theft. To the extent that entities           whether to include any model forms in         114 will affect over 3500 financial
with consumer accounts determine that                 such guide.                                   institutions and over 11 million
they have a minimal risk of identity                     The FTC did not receive any                creditors 80 subject to the FTC’s
theft, they would be tasked only with                 comments on its IRFA for the proposed         jurisdiction, for a combined total of
developing a streamlined Program.                     regulations implementing section 114          approximately 11.1 million affected
Therefore, FTC staff does not believe                 requiring credit and debit card issuers to    entities. Of this total, the FTC staff
that it would take such an entity 6 to 20             establish policies and procedures to          expects that well over 90% of these
hours to develop a Program, 1 hour to                 assess the validity of a change of            firms qualify as small businesses under
train employees, and 1 hour to draft an               address request, including notifying the      existing size standards (i.e., $165
annual report on risks of identity theft              cardholder or using another means of          million in assets for financial
which are minimal or non-existent.                    assessing the validity of the change of       institutions and $6.5 million in sales for
Nonetheless, FTC staff believes that it               address. The FTC staff does not believe       many creditors).
may have underestimated the time low-                 that the changes made to the final               One commenter acknowledged that
risk entities may need to initially apply             regulation have altered its original          the FTC’s estimates as to the number of
the final rule to develop a Program.                  burden estimates.                             small entities that will be affected were
Thus, FTC staff has increased from 20                    The FTC did not receive any                accurate, but did not provide precise
minutes to 1 hour its previously stated               comments on its IRFA relating to the          numbers.
estimate for this activity.                           proposed regulations under section 315.          The final regulations implementing
   In addition, the final regulations have            3. Small Entities to Which the Final          section 114 also require credit and debit
been revised from the proposed                        Rule Will Apply                               card issuers to establish policies and
regulations to alleviate the burden of                                                              procedures to assess the validity of a
creating a written Program for entities                  The final regulations apply to a wide
                                                                                                    change of address request. Indeed, the
that determine that they do not have any              variety of business categories under the
                                                                                                    final regulations require credit and debit
covered accounts. The FTC staff                       Small Business Size Standards.
                                                                                                    card issuers to notify the cardholder or
believes that entities subject to a low               Generally, the final regulations would
                                                                                                    to use another means of assessing the
risk of identity theft, but not having                apply to financial institutions, creditors,
                                                                                                    validity of the change of address. FTC
consumer accounts, will likely                        and users of consumer reports. In
                                                                                                    staff believes that there may be as many
determine that they do not have covered               particular, entities under FTC’s
                                                                                                    as 3,764 credit or debit card issuers that
accounts. Such entities would not be                  jurisdiction covered by section 114
                                                                                                    fall under the jurisdiction of the FTC
required to develop a written Program.                include State-chartered credit unions,
                                                                                                    and that well over 90% of these firms
The FTC staff estimates that                          non-bank lenders, mortgage brokers,
                                                                                                    qualify as small businesses under
approximately 9,191,496 78 of the                     automobile dealers, utility companies,
                                                                                                    existing size standards (i.e., $165
10,813,525 low-risk entities subject to               telecommunications companies, and
                                                                                                    million in assets for financial
the requirement to create a written                   any other person that regularly
Program under the proposed regulations                participates in a credit decision,               79 These numbers represent the size standards for

will not have covered accounts under                  including setting the terms of credit.        most retail and service industries ($6.5 million total
the final rule. Therefore, although these             The section 315 requirements apply to         receipts) and manufacturing industries (500
                                                      State-chartered credit unions, non-bank       employees). A list of the SBA’s size standards for
9,191,496 low-risk entities will have to                                                            all industries can be found at http://www.sba.gov/
                                                      lenders, insurers, landlords, employers,      size/summary-whatis.html.
  78 This estimate is derived from an analysis of a   mortgage brokers, automobile dealers,            80 This estimate is derived from census data of

database of U.S. businesses based on NAICS codes      collection agencies, and any other            U.S. businesses based on NAICS codes for
for businesses that market goods or services to       person who requests a consumer report         businesses that market goods or services to
consumers or other businesses, net of the number      from a consumer reporting agency              consumers and businesses. 2003 County Business
of creditors subject to the FTC’s jurisdiction, an                                                  Patterns, U.S. Census Bureau (http://
estimated subset of which comprise anticipated        described in section 603(p) of the FCRA.      censtats.census.gov/cgi- bin/cbpnaic/cbpsel.pl); and
low-risk entities not having covered accounts under      Given the coverage of the final rules,     2002 Economic Census, Bureau (http://
the final rule.                                       a very large number of small entities         www.census.gov/econ/census02/).
                  Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                               63751

institutions and $6.5 million in sales for            associated with the final regulations          entities should not be significant,
many creditors).                                      will be significant as explained below.        however.
   The Commission did not receive any                    Section 114: The FTC staff estimates           In calculating the costs, FTC staff
comments to the IRFA on the latter                    that there may be as many as 90% of the        assumes that for all entities,
credit or debit card issuers that would               businesses affected by the proposed            professional technical personnel and/or
allow it to determine the precise                     rules under section 114 that are subject       managerial personnel will conduct the
number of small entities that will be                 to a high risk of identity theft that          periodic risk assessment, create and
affected.                                             qualify as small businesses. It is likely
   Section 315: As discussed in the PRA                                                              implement the Program, prepare the
                                                      that many such entities already engage         annual report, train employees, and
section of this Notice, given the broad               in various activities to minimize losses
scope of section 315’s requirements, it is                                                           assess the validity of a change of
                                                      due to fraud as part of their usual and        address request.
difficult to determine with precision the             customary business practices.
number of users of consumer reports                   Accordingly, the impact of the proposed           Section 315: The final regulations
that are subject to the FTC’s jurisdiction.           requirements would be merely                   implementing section 315 provide
There are numerous small businesses                   incremental and not significant. In            guidance regarding reasonable policies
under the FTC’s jurisdiction and there                particular, the rule will direct many of       and procedures that a user of consumer
is no formal way to track them;                       these entities to consolidate their            reports must employ when a user
moreover, as a whole, the entities under              existing policies and procedures into a        receives a notice of address discrepancy
the FTC’s jurisdiction are so varied that             written Program and may require some           from a consumer reporting agency. The
there are no general sources that provide             additional staff training.                     final regulations also require a user of
a record of their existence. Nonetheless,                The FTC expects that well over 90%          consumer reports to furnish an address
FTC staff estimates that the final                    of the businesses affected by the              that the user has reasonably confirmed
regulations implementing section 315                  proposed rules under section 114 that          is accurate to the consumer reporting
will affect approximately 1.6 million                 are subject to a low risk of identity theft    agency from which it receives a notice
users of consumer reports subject to the              qualify as small businesses under              of address discrepancy, but only to the
FTC’s jurisdiction 81 and that well over              existing size standards (i.e., $165            extent that such user regularly and in
90% of these firms qualify as small                   million in assets for financial                the ordinary course of business
businesses under existing size standards              institutions and $6.5 million in sales for     furnishes information to such consumer
(i.e., $165 million in assets for financial           many creditors). The final requirements        reporting agency. The FTC staff believes
institutions and $6.5 million in sales for            are drafted in a flexible manner that          that the impacts on users of consumer
many creditors).                                      limits the burden on a substantial             reports that are small businesses will
   The Commission did not receive any                 majority of low-risk entities to               not be significant. As discussed in the
comments to the IRFA on the proposed                  conducting periodic risk assessments for       PRA section of the NPRM, the FTC staff
regulations under Section 315 that                    covered accounts, and allows the               believes that it will not take users of
would allow it to determine the precise               remaining minority of low-risk entities        consumer reports under FTC
number of small entities that will be                 to develop and implement different             jurisdiction a significant amount of time
affected.                                             types of programs based upon their size,       to develop policies and procedures that
4. Projected Reporting, Recordkeeping                 complexity, and the nature and scope of        they will employ when they receive a
and Other Compliance Requirements                     their activities. As a result, the FTC staff   notice of address discrepancy. FTC staff
                                                      expects that the burden on these low-          believes that only 10,000 of such users
   The final requirements will involve
                                                      risk entities will be minimal (i.e., not       of consumer reports furnish information
some increased costs for affected
                                                      significant). The final regulations would      to consumer reporting agencies as part
parties. Most of these costs will be
                                                      require low-risk entities that have            of their usual and customary business
incurred by those required to conduct
                                                      covered accounts that have no existing         practices and that approximately 20% of
periodic risk assessments, and draft
                                                      identity theft procedures to state in          these entities qualify as small
identity theft Programs and annual
                                                      writing their low-risk of identity theft,      businesses. Therefore, the staff estimates
reports. There will also be costs
                                                      train staff to be attentive to future risks    that 2,000 small businesses will be
associated with training, and for credit
                                                      of identity theft, and, if appropriate,        affected by this portion of the final
and debit card issuers to establish
                                                      prepare an annual report. The FTC staff        regulation that requires furnishing the
policies and procedures to assess the
                                                      believes that, for the affected low-risk       correct address. As discussed in the
validity of a change of address request.
                                                      entities, such activities will be not be       PRA section of this NPRM, FTC staff
In addition, there will be costs related
                                                      complex or resource-intensive tasks.           estimates that it will not take such users
to developing reasonable policies and
                                                         The final regulations implementing          of consumer reports a significant
procedures that a user of consumer
                                                      section 114 also require credit and debit      amount of time to develop the policies
reports must employ when a user
                                                      card issuers to establish policies and         and procedures for furnishing the
receives a notice of address discrepancy
                                                      procedures to assess the validity of a
from a consumer reporting agency, and                                                                correct address to the consumer
                                                      change of address request. It is likely
for furnishing an address that the user                                                              reporting agencies pursuant to the final
                                                      that most of the entities have automated
has reasonably confirmed is accurate.                                                                regulations for implementing section
                                                      the process of notifying the cardholder
The Commission does not expect,                                                                      315. The FTC staff estimates that the
                                                      or using other means to assess the
however, that the increased costs                                                                    costs associated with these impacts will
                                                      validity of the change of address such
                                                      that implementation will pose no               not be significant.
  81 This estimate is derived from census data of

U.S. businesses based on NAICS codes for              further burden. For those that do not,            In calculating these costs, FTC staff
businesses that market goods or services to           the FTC staff expects that a small             assumes that the policies and
consumers and businesses. 2003 County Business        number of such entities (100) will need        procedures for notice of address
Patterns, U.S. Census Bureau (http://                                                                discrepancy and furnishing the correct
censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl); and
                                                      to develop policies and procedures to
2002 Economic Census, Bureau (http://                 assess the validity of a change of             address will be set up by administrative
www.census.gov/econ/census02/).                       address request. The impacts on such           support personnel.
63752          Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

5. Steps Taken To Minimize Significant        fundamental federalism principles, the       H. NCUA: Small Business Regulatory
Economic Impact of the Rule on Small          NCUA, an independent regulatory              Enforcement Fairness Act of 1996
Entities                                      agency as defined in 44 U.S.C. 3502(5)       (SBREFA) Determination
   The Commission considered whether          voluntarily complies with the Executive
                                                                                             A SBREFA (Pub. L. 104–121)
any significant alternatives, consistent      Order. These final rules apply only to
                                                                                           reporting requirement is triggered in
with the purposes of the FACT Act,            federally chartered credit unions and
                                                                                           instances where NCUA issues a final
could further minimize the final              would not have substantial direct effects    rule as defined by section 551 of the
regulations’ impact on small entities.        on the States, on the connection             Administrative Procedure Act, 5 U.S.C.
The FTC asked for comment on this             between the national government and          551. NCUA has determined this final
issue. The final requirements are drafted     the States, or on the distribution of        rule is not a major rule for purposes of
in a flexible manner that limits the          power and responsibilities among the         SBREFA and the Office of Management
burden on a substantial majority of low-      various levels of government. The            and Budget (OMB) has concurred.
risk entities to conducting periodic risk     NCUA has determined that these final
assessments for covered accounts and          rules do not constitute a policy that has    I. Plain Language
allows the remaining minority of low-         federalism implications for purposes of
risk entities to develop and implement                                                        Section 722 of the Gramm-Leach-
                                              the Executive Order.                         Bliley Act (12 U.S.C. 4809) requires the
different types of programs based upon
their size, complexity, and the nature        F. OCC and OTS Unfunded Mandates             Federal banking agencies and the NCUA
and scope of their activities. In addition,   Reform Act of 1995 Determination             to use ‘‘plain language’’ in all proposed
a commenter requested that the FTC                                                         and final rules published in the Federal
delay implementation of the final rules          Section 202 of the Unfunded               Register. The Agencies received no
for small businesses by a minimum of          Mandates Reform Act of 1995, Public          comments on how to make the rules
six months, produce a shortened Red           Law 104–4 (Unfunded Mandates Act)            easier to understand, and believe the
Flags list, consider creating a               requests that an agency prepare a            final rules are presented in a clear and
certification form for low-risk entities,     budgetary impact statement before            straightforward manner.
and develop a small business                  promulgating a rule that includes a          List of Subjects
compliance guide. The Agencies have           federal mandate that may result in
set a mandatory compliance deadline of        expenditure by State, local, and tribal      12 CFR Part 41
November 1, 2008, thereby providing all       governments, in the aggregate, or by the
                                                                                             Banks, banking, Consumer protection,
entities with well over six months in         private section, of $100 million or more
                                                                                           National Banks, Reporting and
which to implement the final                  in any one year. If a budgetary impact
                                                                                           recordkeeping requirements.
regulations. As discussed in the PRA          statement is required, section 205, of the
analysis infra, the Agencies have             Unfunded Mandates Act also requires          12 CFR Part 222
clarified that the Red Flags Supplement       an agency to identify and consider a
                                                                                             Banks, banking, Holding companies,
is illustrative only, and is not intended     reasonable number of regulatory
                                                                                           state member banks.
to be used as a checklist. Therefore, the     alternatives before promulgating a rule.
Agencies did not consider it necessary           The OCC and OTS each has                  12 CFR Part 334
to alter the Red Flags listed. The FTC        determined that this rule will not result
staff will be developing a small business                                                    Administrative practice and
                                              in expenditures by State, local, and         procedure, Bank deposit insurance,
compliance guide prior to the
                                              tribal governments, or by the private        Banks, banking, Reporting and
mandatory compliance deadline of
                                              sector, of $100 million or more. National    recordkeeping requirements, Safety and
November 1, 2008. The FTC staff will
                                              banks and savings associations already       soundness.
consider whether to include any model
forms in such guide.                          employ a variety of measures that satisfy
                                              the requirements of the final rulemaking     12 CFR Part 364
C. OCC and OTS Executive Order 12866          because, as described earlier, these are       Administrative practice and
Determination                                 usual and customary business practices       procedure, Bank deposit insurance,
  The OCC and the OTS each have               to minimize losses due to fraud, or          Banks, banking, Reporting and
independently determined that the final       because, as described earlier, they          recordkeeping requirements, Safety and
rule is not a ‘‘significant regulatory        already comply with other existing           Soundness.
action’’ as defined in Executive Order        regulations and guidance that relate to
12866 because the annual effect on the        information security, authentication,        12 CFR Part 571
economy is less than $100 million.            identity theft, and response programs.         Consumer protection, Credit, Fair
Accordingly, a regulatory assessment is       Accordingly, neither the OCC not the         Credit Reporting Act, Privacy, Reporting
not required.                                 OTS has prepared a budgetary impact          and recordkeeping requirements,
D. OCC and OTS Executive Order 13132          statement or specifically addressed the      Savings associations.
Determination                                 regulatory alternatives considered.
                                                                                           12 CFR Part 717
  The OCC and the OTS each has                G. NCUA: The Treasury and General
determined that these final rules do not      Government Appropriations Act, 1999—           Consumer protection, Credit unions,
have any federalism implications for          Assessment of Federal Regulations and        Fair credit reporting, Privacy, Reporting
purposes of Executive Order 13132.            Policies on Families                         and recordkeeping requirements.

E. NCUA Executive Order 13132                                                              16 CFR Part 681
                                                 The NCUA has determined that these
Determination                                 final rules will not affect family well-       Fair Credit Reporting Act, Consumer
  Executive Order 13132 encourages            being within the meaning of section 654      reports, Consumer report users,
independent regulatory agencies to            of the Treasury and General                  Consumer reporting agencies, Credit,
consider the impact of their actions on       Government Appropriations Act, 1999,         Creditors, Information furnishers,
State and local interests. In adherence to    Pub. L. 105–277, 112 Stat. 2681 (1998).      Identity theft, Trade practices.
                 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                             63753

Department of the Treasury                           (b) Definition. For purposes of this        (ii) Reviewing its own records to
                                                  section, a notice of address discrepancy    verify the address of the consumer;
Office of the Comptroller of the                                                                 (iii) Verifying the address through
                                                  means a notice sent to a user by a
Currency                                                                                      third-party sources; or
                                                  consumer reporting agency pursuant to
12 CFR Chapter I                                  15 U.S.C. 1681c(h)(1), that informs the        (iv) Using other reasonable means.
                                                  user of a substantial difference between       (3) Timing. The policies and
Authority and Issuance                                                                        procedures developed in accordance
                                                  the address for the consumer that the
■ For the reasons discussed in the joint          user provided to request the consumer       with paragraph (d)(1) of this section
preamble, the Office of the Comptroller           report and the address(es) in the           must provide that the user will furnish
of the Currency amends Part 41 of title           agency’s file for the consumer.             the consumer’s address that the user has
12, chapter I, of the Code of Federal                (c) Reasonable belief. (1) Requirement   reasonably confirmed is accurate to the
Regulations as follows:                           to form a reasonable belief. A user must    consumer reporting agency as part of the
                                                  develop and implement reasonable            information it regularly furnishes for the
PART 41—FAIR CREDIT REPORTING                     policies and procedures designed to         reporting period in which it establishes
                                                  enable the user to form a reasonable        a relationship with the consumer.
■ 1. The authority citation for part 41
continues to read as follows:                     belief that a consumer report relates to    ■ 6. Add Subpart J to part 41 to read as
                                                  the consumer about whom it has              follows:
  Authority: 12 U.S.C. 1 et seq., 24 (Seventh),   requested the report, when the user
93a, 481, 484, and 1818; 15 U.S.C. 1681a,                                                     Subpart J—Identity Theft Red Flags
                                                  receives a notice of address discrepancy.
1681b, 1681c, 1681m, 1681s, 1681s–3, 1681t,          (2) Examples of reasonable policies      Sec.
1681w, Sec. 214, Pub. L. 108–159, 117 Stat.                                                   41.90	 Duties regarding the detection,
1952.
                                                  and procedures. (i) Comparing the
                                                                                                   prevention, and mitigation of identity
                                                  information in the consumer report               theft.
Subpart A—General Provisions                      provided by the consumer reporting          41.91	 Duties of card issuers regarding
                                                  agency with information the user:                changes of address.
■ 2. Section 41.1 is added to read as                (A) Obtains and uses to verify the
follows:                                          consumer’s identity in accordance with      Subpart J—Identity Theft Red Flags
                                                  the requirements of the Customer
§ 41.1   Purpose.                                 Information Program (CIP) rules             § 41.90 Duties regarding the detection,
   (a) Purpose. The purpose of this part          implementing 31 U.S.C. 5318(l) (31 CFR      prevention, and mitigation of identity theft.
is to establish standards for national            103.121);                                      (a) Scope. This section applies to a
banks regarding consumer report                      (B) Maintains in its own records, such   financial institution or creditor that is a
information. In addition, the purpose of          as applications, change of address          national bank, Federal branch or agency
this part is to specify the extent to             notifications, other customer account       of a foreign bank, and any of their
which national banks may obtain, use,             records, or retained CIP documentation;     operating subsidiaries that are not
or share certain information. This part           or                                          functionally regulated within the
also contains a number of measures                   (C) Obtains from third-party sources;    meaning of section 5(c)(5) of the Bank
national banks must take to combat                or                                          Holding Company Act of 1956, as
consumer fraud and related crimes,                   (ii) Verifying the information in the    amended (12 U.S.C. 1844(c)(5)).
including identity theft.                         consumer report provided by the                (b) Definitions. For purposes of this
   (b) [Reserved]                                 consumer reporting agency with the          section and Appendix J, the following
■ 3. Amend § 41.3 by revising the                 consumer.                                   definitions apply:
introductory text to read as follows:                (d) Consumer’s address. (1)                 (1) Account means a continuing
                                                  Requirement to furnish consumer’s           relationship established by a person
§ 41.3   Definitions.                             address to a consumer reporting agency.     with a financial institution or creditor to
  For purposes of this part, unless               A user must develop and implement           obtain a product or service for personal,
explicitly stated otherwise:                      reasonable policies and procedures for      family, household or business purposes.
*     *     *     *    *                          furnishing an address for the consumer      Account includes:
                                                  that the user has reasonably confirmed         (i) An extension of credit, such as the
■ 4. Revise the heading for Subpart I to
                                                  is accurate to the consumer reporting       purchase of property or services
read as follows:
                                                  agency from whom it received the            involving a deferred payment; and
Subpart I—Duties of Users of                      notice of address discrepancy when the         (ii) A deposit account.
Consumer Reports Regarding Address                user:                                          (2) The term board of directors
Discrepancies and Records Disposal                   (i) Can form a reasonable belief that    includes:
                                                  the consumer report relates to the             (i) In the case of a branch or agency
■   5. Add § 41.82 to read as follows:            consumer about whom the user                of a foreign bank, the managing official
                                                  requested the report;                       in charge of the branch or agency; and
§ 41.82 Duties of users regarding address            (ii) Establishes a continuing               (ii) In the case of any other creditor
discrepancies.                                    relationship with the consumer; and         that does not have a board of directors,
  (a) Scope. This section applies to a               (iii) Regularly and in the ordinary      a designated employee at the level of
user of consumer reports (user) that              course of business furnishes information    senior management.
receives a notice of address discrepancy          to the consumer reporting agency from          (3) Covered account means:
from a consumer reporting agency, and             which the notice of address discrepancy        (i) An account that a financial
that is a national bank, Federal branch           relating to the consumer was obtained.      institution or creditor offers or
or agency of a foreign bank, or any of               (2) Examples of confirmation             maintains, primarily for personal,
their operating subsidiaries that are not         methods. The user may reasonably            family, or household purposes, that
functionally regulated within the                 confirm an address is accurate by:          involves or is designed to permit
meaning of section 5(c)(5) of the Bank               (i) Verifying the address with the       multiple payments or transactions, such
Holding Company Act of 1956, as                   consumer about whom it has requested        as a credit card account, mortgage loan,
amended (12 U.S.C. 1844(c)(5)).                   the report;                                 automobile loan, margin account, cell
63754         Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

phone account, utility account,                  (i) Identify relevant Red Flags for the    implement reasonable policies and
checking account, or savings account;         covered accounts that the financial           procedures to assess the validity of a
and                                           institution or creditor offers or             change of address if it receives
   (ii) Any other account that the            maintains, and incorporate those Red          notification of a change of address for a
financial institution or creditor offers or   Flags into its Program;                       consumer’s debit or credit card account
maintains for which there is a                   (ii) Detect Red Flags that have been       and, within a short period of time
reasonably foreseeable risk to customers      incorporated into the Program of the          afterwards (during at least the first 30
or to the safety and soundness of the         financial institution or creditor;            days after it receives such notification),
financial institution or creditor from           (iii) Respond appropriately to any Red     the card issuer receives a request for an
identity theft, including financial,          Flags that are detected pursuant to           additional or replacement card for the
operational, compliance, reputation, or       paragraph (d)(2)(ii) of this section to       same account. Under these
litigation risks.                             prevent and mitigate identity theft; and      circumstances, the card issuer may not
   (4) Credit has the same meaning as in         (iv) Ensure the Program (including the     issue an additional or replacement card,
15 U.S.C. 1681a(r)(5).                        Red Flags determined to be relevant) is       until, in accordance with its reasonable
   (5) Creditor has the same meaning as       updated periodically, to reflect changes      policies and procedures and for the
in 15 U.S.C. 1681a(r)(5), and includes        in risks to customers and to the safety       purpose of assessing the validity of the
lenders such as banks, finance                and soundness of the financial                change of address, the card issuer:
companies, automobile dealers,                institution or creditor from identity            (1)(i) Notifies the cardholder of the
mortgage brokers, utility companies,          theft.                                        request:
and telecommunications companies.                (e) Administration of the Program.            (A) At the cardholder’s former
   (6) Customer means a person that has       Each financial institution or creditor        address; or
a covered account with a financial            that is required to implement a Program          (B) By any other means of
institution or creditor.                      must provide for the continued                communication that the card issuer and
   (7) Financial institution has the same     administration of the Program and must:       the cardholder have previously agreed
meaning as in 15 U.S.C. 1681a(t).                (1) Obtain approval of the initial         to use; and
   (8) Identity theft has the same            written Program from either its board of         (ii) Provides to the cardholder a
meaning as in 16 CFR 603.2(a).                directors or an appropriate committee of      reasonable means of promptly reporting
   (9) Red Flag means a pattern, practice,    the board of directors;                       incorrect address changes; or
or specific activity that indicates the          (2) Involve the board of directors, an        (2) Otherwise assesses the validity of
possible existence of identity theft.         appropriate committee thereof, or a           the change of address in accordance
   (10) Service provider means a person       designated employee at the level of           with the policies and procedures the
that provides a service directly to the       senior management in the oversight,           card issuer has established pursuant to
financial institution or creditor.            development, implementation and               § 41.90 of this part.
   (c) Periodic Identification of Covered     administration of the Program;                   (d) Alternative timing of address
Accounts. Each financial institution or          (3) Train staff, as necessary, to          validation. A card issuer may satisfy the
creditor must periodically determine          effectively implement the Program; and        requirements of paragraph (c) of this
                                                 (4) Exercise appropriate and effective     section if it validates an address
whether it offers or maintains covered
                                              oversight of service provider                 pursuant to the methods in paragraph
accounts. As a part of this
                                              arrangements.                                 (c)(1) or (c)(2) of this section when it
determination, a financial institution or
                                                 (f) Guidelines. Each financial             receives an address change notification,
creditor must conduct a risk assessment
                                              institution or creditor that is required to   before it receives a request for an
to determine whether it offers or
                                              implement a Program must consider the         additional or replacement card.
maintains covered accounts described
                                              guidelines in Appendix J of this part            (e) Form of notice. Any written or
in paragraph (b)(3)(ii) of this section,
                                              and include in its Program those              electronic notice that the card issuer
taking into consideration:
                                              guidelines that are appropriate.              provides under this paragraph must be
   (1) The methods it provides to open
its accounts;                                 § 41.91 Duties of card issuers regarding      clear and conspicuous and provided
   (2) The methods it provides to access      changes of address.                           separately from its regular
its accounts; and                                (a) Scope. This section applies to an      correspondence with the cardholder.
   (3) Its previous experiences with          issuer of a debit or credit card (card        Appendices D–I [Reserved]
identity theft.                               issuer) that is a national bank, Federal
   (d) Establishment of an Identity Theft     branch or agency of a foreign bank, and       ■ 7. Add and reserve appendices D
Prevention Program. (1) Program               any of their operating subsidiaries that      through I to part 41.
requirement. Each financial institution       are not functionally regulated within the     ■ 8. Add Appendix J to part 41 to read
or creditor that offers or maintains one      meaning of section 5(c)(5) of the Bank        as follows:
or more covered accounts must develop         Holding Company Act of 1956, as
and implement a written Identity Theft                                                      Appendix J to Part 41—Interagency
                                              amended (12 U.S.C. 1844(c)(5)).
Prevention Program (Program) that is                                                        Guidelines on Identity Theft Detection,
                                                 (b) Definitions. For purposes of this
designed to detect, prevent, and mitigate                                                   Prevention, and Mitigation
                                              section:
identity theft in connection with the            (1) Cardholder means a consumer               Section 41.90 of this part requires each
opening of a covered account or any           who has been issued a credit or debit         financial institution and creditor that offers
existing covered account. The Program         card.                                         or maintains one or more covered accounts,
must be appropriate to the size and              (2) Clear and conspicuous means            as defined in § 41.90(b)(3) of this part, to
complexity of the financial institution                                                     develop and provide for the continued
                                              reasonably understandable and
                                                                                            administration of a written Program to detect,
or creditor and the nature and scope of       designed to call attention to the nature      prevent, and mitigate identity theft in
its activities.                               and significance of the information           connection with the opening of a covered
   (2) Elements of the Program. The           presented.                                    account or any existing covered account.
Program must include reasonable                  (c) Address validation requirements.       These guidelines are intended to assist
policies and procedures to:                   A card issuer must establish and              financial institutions and creditors in the
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                       63755

formulation and maintenance of a Program           IV. Preventing and Mitigating Identity Theft       administration of its Program should report
that satisfies the requirements of § 41.90 of         The Program’s policies and procedures           to the board of directors, an appropriate
this part.                                         should provide for appropriate responses to        committee of the board, or a designated
I. The Program                                     the Red Flags the financial institution or         employee at the level of senior management,
                                                   creditor has detected that are commensurate        at least annually, on compliance by the
   In designing its Program, a financial
institution or creditor may incorporate, as        with the degree of risk posed. In determining      financial institution or creditor with § 41.90
appropriate, its existing policies, procedures,    an appropriate response, a financial               of this part.
and other arrangements that control                institution or creditor should consider               (2) Contents of report. The report should
reasonably foreseeable risks to customers or       aggravating factors that may heighten the risk     address material matters related to the
to the safety and soundness of the financial       of identity theft, such as a data security         Program and evaluate issues such as: the
institution or creditor from identity theft.       incident that results in unauthorized access       effectiveness of the policies and procedures
                                                   to a customer’s account records held by the        of the financial institution or creditor in
II. Identifying Relevant Red Flags                 financial institution, creditor, or third party,   addressing the risk of identity theft in
   (a) Risk Factors. A financial institution or    or notice that a customer has provided             connection with the opening of covered
creditor should consider the following factors     information related to a covered account held      accounts and with respect to existing covered
in identifying relevant Red Flags for covered      by the financial institution or creditor to        accounts; service provider arrangements;
accounts, as appropriate:                          someone fraudulently claiming to represent         significant incidents involving identity theft
   (1) The types of covered accounts it offers     the financial institution or creditor or to a
or maintains;                                                                                         and management’s response; and
                                                   fraudulent website. Appropriate responses
   (2) The methods it provides to open its                                                            recommendations for material changes to the
                                                   may include the following:
covered accounts;                                     (a) Monitoring a covered account for            Program.
   (3) The methods it provides to access its       evidence of identity theft;                           (c) Oversight of service provider
covered accounts; and                                 (b) Contacting the customer;                    arrangements. Whenever a financial
   (4) Its previous experiences with identity         (c) Changing any passwords, security            institution or creditor engages a service
theft.                                             codes, or other security devices that permit       provider to perform an activity in connection
   (b) Sources of Red Flags. Financial             access to a covered account;                       with one or more covered accounts the
institutions and creditors should incorporate         (d) Reopening a covered account with a          financial institution or creditor should take
relevant Red Flags from sources such as:           new account number;                                steps to ensure that the activity of the service
   (1) Incidents of identity theft that the           (e) Not opening a new covered account;          provider is conducted in accordance with
financial institution or creditor has                 (f) Closing an existing covered account;        reasonable policies and procedures designed
experienced;                                          (g) Not attempting to collect on a covered      to detect, prevent, and mitigate the risk of
   (2) Methods of identity theft that the          account or not selling a covered account to        identity theft. For example, a financial
financial institution or creditor has identified   a debt collector;                                  institution or creditor could require the
that reflect changes in identity theft risks;         (h) Notifying law enforcement; or               service provider by contract to have policies
and                                                   (i) Determining that no response is             and procedures to detect relevant Red Flags
   (3) Applicable supervisory guidance.            warranted under the particular                     that may arise in the performance of the
   (c) Categories of Red Flags. The Program        circumstances.
should include relevant Red Flags from the                                                            service provider’s activities, and either report
following categories, as appropriate.              V. Updating the Program                            the Red Flags to the financial institution or
Examples of Red Flags from each of these              Financial institutions and creditors should     creditor, or to take appropriate steps to
categories are appended as Supplement A to         update the Program (including the Red Flags        prevent or mitigate identity theft.
this Appendix J.                                   determined to be relevant) periodically, to        VII. Other Applicable Legal Requirements
   (1) Alerts, notifications, or other warnings    reflect changes in risks to customers or to the
                                                                                                        Financial institutions and creditors should
received from consumer reporting agencies or       safety and soundness of the financial
                                                   institution or creditor from identity theft,       be mindful of other related legal
service providers, such as fraud detection
services;                                          based on factors such as:                          requirements that may be applicable, such as:
   (2) The presentation of suspicious                 (a) The experiences of the financial              (a) For financial institutions and creditors
documents;                                         institution or creditor with identity theft;       that are subject to 31 U.S.C. 5318(g), filing a
   (3) The presentation of suspicious personal        (b) Changes in methods of identity theft;       Suspicious Activity Report in accordance
identifying information, such as a suspicious         (c) Changes in methods to detect, prevent,      with applicable law and regulation;
address change;                                    and mitigate identity theft;                         (b) Implementing any requirements under
   (4) The unusual use of, or other suspicious        (d) Changes in the types of accounts that       15 U.S.C. 1681c–1(h) regarding the
activity related to, a covered account; and        the financial institution or creditor offers or    circumstances under which credit may be
   (5) Notice from customers, victims of           maintains; and                                     extended when the financial institution or
identity theft, law enforcement authorities, or       (e) Changes in the business arrangements        creditor detects a fraud or active duty alert;
other persons regarding possible identity          of the financial institution or creditor,            (c) Implementing any requirements for
theft in connection with covered accounts          including mergers, acquisitions, alliances,        furnishers of information to consumer
held by the financial institution or creditor.     joint ventures, and service provider               reporting agencies under 15 U.S.C. 1681s–2,
III. Detecting Red Flags                           arrangements.                                      for example, to correct or update inaccurate
   The Program’s policies and procedures           VI. Methods for Administering the Program          or incomplete information, and to not report
should address the detection of Red Flags in          (a) Oversight of Program. Oversight by the      information that the furnisher has reasonable
connection with the opening of covered             board of directors, an appropriate committee       cause to believe is inaccurate; and
accounts and existing covered accounts, such       of the board, or a designated employee at the        (d) Complying with the prohibitions in 15
as by:                                             level of senior management should include:         U.S.C. 1681m on the sale, transfer, and
   (a) Obtaining identifying information              (1) Assigning specific responsibility for the   placement for collection of certain debts
about, and verifying the identity of, a person     Program’s implementation;                          resulting from identity theft.
opening a covered account, for example,               (2) Reviewing reports prepared by staff         Supplement A to Appendix J
using the policies and procedures regarding        regarding compliance by the financial
identification and verification set forth in the   institution or creditor with § 41.90 of this          In addition to incorporating Red Flags from
Customer Identification Program rules              part; and                                          the sources recommended in section II.b. of
implementing 31 U.S.C. 5318(l) (31 CFR                (3) Approving material changes to the           the Guidelines in Appendix J of this part,
103.121); and                                      Program as necessary to address changing           each financial institution or creditor may
   (b) Authenticating customers, monitoring        identity theft risks.                              consider incorporating into its Program,
transactions, and verifying the validity of           (b) Reports. (1) In general. Staff of the       whether singly or in combination, Red Flags
change of address requests, in the case of         financial institution or creditor responsible      from the following illustrative examples in
existing covered accounts.                         for development, implementation, and               connection with covered accounts:
63756           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

Alerts, Notifications or Warnings from a          internal or third-party sources used by the          24. The financial institution or creditor is
Consumer Reporting Agency                         financial institution or creditor. For example:   notified that the customer is not receiving
   1. A fraud or active duty alert is included       a. The address on an application is            paper account statements.
with a consumer report.                           fictitious, a mail drop, or a prison; or             25. The financial institution or creditor is
   2. A consumer reporting agency provides a         b. The phone number is invalid, or is          notified of unauthorized charges or
notice of credit freeze in response to a          associated with a pager or answering service.     transactions in connection with a customer’s
request for a consumer report.                       14. The SSN provided is the same as that       covered account.
   3. A consumer reporting agency provides a      submitted by other persons opening an             Notice From Customers, Victims of Identity
notice of address discrepancy, as defined in      account or other customers.                       Theft, Law Enforcement Authorities, or Other
§ 41.82(b) of this part.                             15. The address or telephone number            Persons Regarding Possible Identity Theft in
   4. A consumer report indicates a pattern of    provided is the same as or similar to the         Connection With Covered Accounts Held by
activity that is inconsistent with the history    account number or telephone number                the Financial Institution or Creditor
and usual pattern of activity of an applicant     submitted by an unusually large number of
                                                                                                       26. The financial institution or creditor is
or customer, such as:                             other persons opening accounts or other           notified by a customer, a victim of identity
   a. A recent and significant increase in the    customers.                                        theft, a law enforcement authority, or any
volume of inquiries;                                 16. The person opening the covered             other person that it has opened a fraudulent
   b. An unusual number of recently               account or the customer fails to provide all      account for a person engaged in identity
established credit relationships;                 required personal identifying information on      theft.
   c. A material change in the use of credit,     an application or in response to notification
especially with respect to recently               that the application is incomplete.               Board of Governors of the Federal
established credit relationships; or                 17. Personal identifying information           Reserve System
   d. An account that was closed for cause or     provided is not consistent with personal
identified for abuse of account privileges by     identifying information that is on file with        12 CFR Chapter II.
a financial institution or creditor.              the financial institution or creditor.            Authority and Issuance
                                                     18. For financial institutions and creditors
Suspicious Documents
                                                  that use challenge questions, the person          ■ For the reasons set forth in the joint
   5. Documents provided for identification       opening the covered account or the customer       preamble, part 222 of title 12, chapter II,
appear to have been altered or forged.            cannot provide authenticating information         of the Code of Federal Regulations is
   6. The photograph or physical description      beyond that which generally would be
on the identification is not consistent with
                                                                                                    amended as follows:
                                                  available from a wallet or consumer report.
the appearance of the applicant or customer
presenting the identification.
                                                  Unusual Use of, or Suspicious Activity            PART 222—FAIR CREDIT REPORTING
                                                  Related to, the Covered Account                   (REGULATION V)
   7. Other information on the identification
is not consistent with information provided          19. Shortly following the notice of a change
                                                                                                    ■ 1. The authority citation for part 222
by the person opening a new covered account       of address for a covered account, the
                                                  institution or creditor receives a request for    continues to read as follows:
or customer presenting the identification.
   8. Other information on the identification     a new, additional, or replacement card or a         Authority: 15 U.S.C. 1681a, 1681b, 1681c,
is not consistent with readily accessible         cell phone, or for the addition of authorized     1681m, 1681s, 1681s–2, 1681s–3, 1681t, and
information that is on file with the financial    users on the account.                             1681w; Secs. 3 and 214, Pub. L. 108–159, 117
institution or creditor, such as a signature         20. A new revolving credit account is used     Stat. 1952.
card or a recent check.                           in a manner commonly associated with
   9. An application appears to have been         known patterns of fraud patterns. For             Subpart A—General Provisions
altered or forged, or gives the appearance of     example:
having been destroyed and reassembled.               a. The majority of available credit is used    ■ 2. Section 222.3 is amended by
                                                  for cash advances or merchandise that is          revising the introductory text to read as
Suspicious Personal Identifying Information       easily convertible to cash (e.g., electronics     follows:
   10. Personal identifying information           equipment or jewelry); or
provided is inconsistent when compared               b. The customer fails to make the first        § 222.3   Definitions.
against external information sources used by      payment or makes an initial payment but no          For purposes of this part, unless
the financial institution or creditor. For        subsequent payments.                              explicitly stated otherwise:
example:                                             21. A covered account is used in a manner      *     *     *     *    *
   a. The address does not match any address      that is not consistent with established
                                                                                                    ■ 3. The heading for Subpart I is revised
in the consumer report; or                        patterns of activity on the account. There is,
   b. The Social Security Number (SSN) has        for example:                                      to read as follows:
not been issued, or is listed on the Social          a. Nonpayment when there is no history of
Security Administration’s Death Master File.      late or missed payments;                          Subpart I—Duties of Users of
   11. Personal identifying information              b. A material increase in the use of           Consumer Reports Regarding Address
provided by the customer is not consistent        available credit;                                 Discrepancies and Records Disposal
with other personal identifying information          c. A material change in purchasing or
provided by the customer. For example, there      spending patterns;                                ■ 4. A new § 222.82 is added to read as
is a lack of correlation between the SSN             d. A material change in electronic fund        follows:
range and date of birth.                          transfer patterns in connection with a deposit
   12. Personal identifying information           account; or                                       § 222.82 Duties of users regarding address
provided is associated with known                    e. A material change in telephone call         discrepancies.
fraudulent activity as indicated by internal or   patterns in connection with a cellular phone        (a) Scope. This section applies to a
third-party sources used by the financial         account.                                          user of consumer reports (user) that
institution or creditor. For example:                22. A covered account that has been            receives a notice of address discrepancy
   a. The address on an application is the        inactive for a reasonably lengthy period of       from a consumer reporting agency, and
same as the address provided on a fraudulent      time is used (taking into consideration the       that is a member bank of the Federal
application; or                                   type of account, the expected pattern of usage
                                                                                                    Reserve System (other than a national
   b. The phone number on an application is       and other relevant factors).
the same as the number provided on a                 23. Mail sent to the customer is returned      bank) and its respective operating
fraudulent application.                           repeatedly as undeliverable although              subsidiaries, a branch or agency of a
   13. Personal identifying information           transactions continue to be conducted in          foreign bank (other than a Federal
provided is of a type commonly associated         connection with the customer’s covered            branch, Federal agency, or insured State
with fraudulent activity as indicated by          account.                                          branch of a foreign bank), commercial
              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                           63757

lending company owned or controlled            (2) Examples of confirmation                 a designated employee at the level of
by a foreign bank, and an organization      methods. The user may reasonably                senior management.
operating under section 25 or 25A of the    confirm an address is accurate by:                 (3) Covered account means:
Federal Reserve Act (12 U.S.C. 601 et          (i) Verifying the address with the              (i) An account that a financial
seq., and 611 et seq.).                     consumer about whom it has requested            institution or creditor offers or
   (b) Definition. For purposes of this     the report;                                     maintains, primarily for personal,
section, a notice of address discrepancy       (ii) Reviewing its own records to            family, or household purposes, that
means a notice sent to a user by a          verify the address of the consumer;             involves or is designed to permit
consumer reporting agency pursuant to          (iii) Verifying the address through          multiple payments or transactions, such
15 U.S.C. 1681c(h)(1), that informs the     third-party sources; or                         as a credit card account, mortgage loan,
user of a substantial difference between       (iv) Using other reasonable means.           automobile loan, margin account, cell
the address for the consumer that the          (3) Timing. The policies and                 phone account, utility account,
user provided to request the consumer       procedures developed in accordance              checking account, or savings account;
report and the address(es) in the           with paragraph (d)(1) of this section           and
agency’s file for the consumer.             must provide that the user will furnish            (ii) Any other account that the
   (c) Reasonable belief. (1) Requirement   the consumer’s address that the user has        financial institution or creditor offers or
to form a reasonable belief. A user must    reasonably confirmed is accurate to the         maintains for which there is a
develop and implement reasonable            consumer reporting agency as part of the        reasonably foreseeable risk to customers
policies and procedures designed to         information it regularly furnishes for the      or to the safety and soundness of the
enable the user to form a reasonable        reporting period in which it establishes        financial institution or creditor from
belief that a consumer report relates to    a relationship with the consumer.               identity theft, including financial,
the consumer about whom it has              ■ 5. A new Subpart J is added to part           operational, compliance, reputation, or
requested the report, when the user         222 to read as follows:                         litigation risks.
receives a notice of address discrepancy.                                                      (4) Credit has the same meaning as in
                                            Subpart J—Identity Theft Red Flags
   (2) Examples of reasonable policies                                                      15 U.S.C. 1681a(r)(5).
                                            Sec.                                               (5) Creditor has the same meaning as
and procedures. (i) Comparing the           222.90	 Duties regarding the detection,
information in the consumer report                                                          in 15 U.S.C. 1681a(r)(5), and includes
                                                 prevention, and mitigation of identity     lenders such as banks, finance
provided by the consumer reporting               theft.
agency with information the user:           222.91	 Duties of card issuers regarding
                                                                                            companies, automobile dealers,
   (A) Obtains and uses to verify the            changes of address.                        mortgage brokers, utility companies,
consumer’s identity in accordance with                                                      and telecommunications companies.
the requirements of the Customer            Subpart J—Identity Theft Red Flags                 (6) Customer means a person that has
Information Program (CIP) rules                                                             a covered account with a financial
                                            § 222.90 Duties regarding the detection,        institution or creditor.
implementing 31 U.S.C. 5318(l) (31 CFR      prevention, and mitigation of identity theft.      (7) Financial institution has the same
103.121);                                      (a) Scope. This section applies to           meaning as in 15 U.S.C. 1681a(t).
   (B) Maintains in its own records, such   financial institutions and creditors that          (8) Identity theft has the same
as applications, change of address          are member banks of the Federal                 meaning as in 16 CFR 603.2(a).
notifications, other customer account       Reserve System (other than national                (9) Red Flag means a pattern, practice,
records, or retained CIP documentation;     banks) and their respective operating           or specific activity that indicates the
or                                          subsidiaries, branches and agencies of          possible existence of identity theft.
   (C) Obtains from third-party sources;    foreign banks (other than Federal                  (10) Service provider means a person
or                                          branches, Federal agencies, and insured         that provides a service directly to the
   (ii) Verifying the information in the    State branches of foreign banks),               financial institution or creditor.
consumer report provided by the             commercial lending companies owned                 (c) Periodic Identification of Covered
consumer reporting agency with the          or controlled by foreign banks, and             Accounts. Each financial institution or
consumer.                                   organizations operating under section           creditor must periodically determine
   (d) Consumer’s address. (1)              25 or 25A of the Federal Reserve Act (12        whether it offers or maintains covered
Requirement to furnish consumer’s           U.S.C. 601 et seq., and 611 et seq.).           accounts. As a part of this
address to a consumer reporting agency.        (b) Definitions. For purposes of this        determination, a financial institution or
A user must develop and implement           section and Appendix J, the following           creditor must conduct a risk assessment
reasonable policies and procedures for      definitions apply:                              to determine whether it offers or
furnishing an address for the consumer         (1) Account means a continuing               maintains covered accounts described
that the user has reasonably confirmed      relationship established by a person            in paragraph (b)(3)(ii) of this section,
is accurate to the consumer reporting       with a financial institution or creditor to     taking into consideration:
agency from whom it received the            obtain a product or service for personal,          (1) The methods it provides to open
notice of address discrepancy when the      family, household or business purposes.         its accounts;
user:                                       Account includes:                                  (2) The methods it provides to access
   (i) Can form a reasonable belief that       (i) An extension of credit, such as the      its accounts; and
the consumer report relates to the          purchase of property or services                   (3) Its previous experiences with
consumer about whom the user                involving a deferred payment; and               identity theft.
requested the report;                          (ii) A deposit account.                         (d) Establishment of an Identity Theft
   (ii) Establishes a continuing               (2) The term board of directors              Prevention Program. (1) Program
relationship with the consumer; and         includes:                                       requirement. Each financial institution
   (iii) Regularly and in the ordinary         (i) In the case of a branch or agency        or creditor that offers or maintains one
course of business furnishes information    of a foreign bank, the managing official        or more covered accounts must develop
to the consumer reporting agency from       in charge of the branch or agency; and          and implement a written Identity Theft
which the notice of address discrepancy        (ii) In the case of any other creditor       Prevention Program (Program) that is
relating to the consumer was obtained.      that does not have a board of directors,        designed to detect, prevent, and mitigate
63758          Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

identity theft in connection with the         designed to call attention to the nature         prevent, and mitigate identity theft in
opening of a covered account or any           and significance of the information              connection with the opening of a covered
existing covered account. The Program         presented.                                       account or any existing covered account.
                                                 (c) Address validation requirements.          These guidelines are intended to assist
must be appropriate to the size and
                                                                                               financial institutions and creditors in the
complexity of the financial institution       A card issuer must establish and                 formulation and maintenance of a Program
or creditor and the nature and scope of       implement reasonable policies and                that satisfies the requirements of § 222.90 of
its activities.                               procedures to assess the validity of a           this part.
   (2) Elements of the Program. The           change of address if it receives                 I. The Program
Program must include reasonable               notification of a change of address for a
                                                                                                  In designing its Program, a financial
policies and procedures to:                   consumer’s debit or credit card account          institution or creditor may incorporate, as
   (i) Identify relevant Red Flags for the    and, within a short period of time               appropriate, its existing policies, procedures,
covered accounts that the financial           afterwards (during at least the first 30         and other arrangements that control
institution or creditor offers or             days after it receives such notification),       reasonably foreseeable risks to customers or
maintains, and incorporate those Red          the card issuer receives a request for an        to the safety and soundness of the financial
Flags into its Program;                       additional or replacement card for the           institution or creditor from identity theft.
   (ii) Detect Red Flags that have been       same account. Under these                        II. Identifying Relevant Red Flags
incorporated into the Program of the          circumstances, the card issuer may not              (a) Risk Factors. A financial institution or
financial institution or creditor;            issue an additional or replacement card,         creditor should consider the following factors
   (iii) Respond appropriately to any Red     until, in accordance with its reasonable         in identifying relevant Red Flags for covered
Flags that are detected pursuant to           policies and procedures and for the              accounts, as appropriate:
paragraph (d)(2)(ii) of this section to       purpose of assessing the validity of the            (1) The types of covered accounts it offers
prevent and mitigate identity theft; and      change of address, the card issuer:              or maintains;
   (iv) Ensure the Program (including the        (1)(i) Notifies the cardholder of the            (2) The methods it provides to open its
Red Flags determined to be relevant) is                                                        covered accounts;
                                              request:
                                                                                                  (3) The methods it provides to access its
updated periodically, to reflect changes         (A) At the cardholder’s former                covered accounts; and
in risks to customers and to the safety       address; or                                         (4) Its previous experiences with identity
and soundness of the financial                   (B) By any other means of                     theft.
institution or creditor from identity         communication that the card issuer and              (b) Sources of Red Flags. Financial
theft.                                        the cardholder have previously agreed            institutions and creditors should incorporate
   (e) Administration of the Program.         to use; and                                      relevant Red Flags from sources such as:
Each financial institution or creditor           (ii) Provides to the cardholder a                (1) Incidents of identity theft that the
that is required to implement a Program       reasonable means of promptly reporting           financial institution or creditor has
must provide for the continued                incorrect address changes; or                    experienced;
administration of the Program and must:          (2) Otherwise assesses the validity of           (2) Methods of identity theft that the
                                                                                               financial institution or creditor has identified
   (1) Obtain approval of the initial         the change of address in accordance
                                                                                               that reflect changes in identity theft risks;
written Program from either its board of      with the policies and procedures the             and
directors or an appropriate committee of      card issuer has established pursuant to             (3) Applicable supervisory guidance.
the board of directors;                       § 222.90 of this part.                              (c) Categories of Red Flags. The Program
   (2) Involve the board of directors, an        (d) Alternative timing of address             should include relevant Red Flags from the
appropriate committee thereof, or a           validation. A card issuer may satisfy the        following categories, as appropriate.
designated employee at the level of           requirements of paragraph (c) of this            Examples of Red Flags from each of these
senior management in the oversight,           section if it validates an address               categories are appended as Supplement A to
development, implementation and               pursuant to the methods in paragraph             this Appendix J.
                                              (c)(1) or (c)(2) of this section when it            (1) Alerts, notifications, or other warnings
administration of the Program;
                                                                                               received from consumer reporting agencies or
   (3) Train staff, as necessary, to          receives an address change notification,         service providers, such as fraud detection
effectively implement the Program; and        before it receives a request for an              services;
   (4) Exercise appropriate and effective     additional or replacement card.                     (2) The presentation of suspicious
oversight of service provider                    (e) Form of notice. Any written or            documents;
arrangements.                                 electronic notice that the card issuer              (3) The presentation of suspicious personal
   (f) Guidelines. Each financial             provides under this paragraph must be            identifying information, such as a suspicious
institution or creditor that is required to   clear and conspicuous and provided               address change;
implement a Program must consider the         separately from its regular                         (4) The unusual use of, or other suspicious
guidelines in Appendix J of this part         correspondence with the cardholder.              activity related to, a covered account; and
                                                                                                  (5) Notice from customers, victims of
and include in its Program those
                                              Appendices D–I [Reserved]                        identity theft, law enforcement authorities, or
guidelines that are appropriate.                                                               other persons regarding possible identity
                                              ■ 6. Appendices D through I to part 222          theft in connection with covered accounts
§ 222.91 Duties of card issuers regarding
                                              are added and reserved.                          held by the financial institution or creditor.
changes of address.
                                              ■ 7. A new Appendix J is added to part           III. Detecting Red Flags
  (a) Scope. This section applies to a
                                              222 to read as follows:                             The Program’s policies and procedures
person described in § 222.90(a) that
issues a debit or credit card (card           Appendix J to Part 222—Interagency               should address the detection of Red Flags in
issuer).                                      Guidelines on Identity Theft Detection,          connection with the opening of covered
   (b) Definitions. For purposes of this                                                       accounts and existing covered accounts, such
                                              Prevention, and Mitigation
                                                                                               as by:
section:                                         Section 222.90 of this part requires each        (a) Obtaining identifying information
   (1) Cardholder means a consumer            financial institution and creditor that offers   about, and verifying the identity of, a person
who has been issued a credit or debit         or maintains one or more covered accounts,       opening a covered account, for example,
card.                                         as defined in § 222.90(b)(3) of this part, to    using the policies and procedures regarding
   (2) Clear and conspicuous means            develop and provide for the continued            identification and verification set forth in the
reasonably understandable and                 administration of a written Program to detect,   Customer Identification Program rules
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                      63759

implementing 31 U.S.C. 5318(l) (31 CFR                (3) Approving material changes to the           whether singly or in combination, Red Flags
103.121); and                                      Program as necessary to address changing           from the following illustrative examples in
   (b) Authenticating customers, monitoring        identity theft risks.                              connection with covered accounts:
transactions, and verifying the validity of           (b) Reports. (1) In general. Staff of the
                                                                                                      Alerts, Notifications or Warnings from a
change of address requests, in the case of         financial institution or creditor responsible
                                                                                                      Consumer Reporting Agency
existing covered accounts.                         for development, implementation, and
                                                   administration of its Program should report           1. A fraud or active duty alert is included
IV. Preventing and Mitigating Identity Theft
                                                   to the board of directors, an appropriate          with a consumer report.
   The Program’s policies and procedures           committee of the board, or a designated               2. A consumer reporting agency provides a
should provide for appropriate responses to        employee at the level of senior management,        notice of credit freeze in response to a
the Red Flags the financial institution or         at least annually, on compliance by the            request for a consumer report.
creditor has detected that are commensurate        financial institution or creditor with § 222.90       3. A consumer reporting agency provides a
with the degree of risk posed. In determining      of this part.                                      notice of address discrepancy, as defined in
an appropriate response, a financial                  (2) Contents of report. The report should       § 222.82(b) of this part.
institution or creditor should consider            address material matters related to the               4. A consumer report indicates a pattern of
aggravating factors that may heighten the risk                                                        activity that is inconsistent with the history
                                                   Program and evaluate issues such as: the
of identity theft, such as a data security                                                            and usual pattern of activity of an applicant
                                                   effectiveness of the policies and procedures
incident that results in unauthorized access                                                          or customer, such as:
                                                   of the financial institution or creditor in
to a customer’s account records held by the                                                              a. A recent and significant increase in the
                                                   addressing the risk of identity theft in
financial institution, creditor, or third party,                                                      volume of inquiries;
                                                   connection with the opening of covered
or notice that a customer has provided                                                                   b. An unusual number of recently
                                                   accounts and with respect to existing covered
information related to a covered account held                                                         established credit relationships;
                                                   accounts; service provider arrangements;
by the financial institution or creditor to                                                              c. A material change in the use of credit,
                                                   significant incidents involving identity theft
someone fraudulently claiming to represent                                                            especially with respect to recently
the financial institution or creditor or to a      and management’s response; and
                                                   recommendations for material changes to the        established credit relationships; or
fraudulent website. Appropriate responses                                                                d. An account that was closed for cause or
may include the following:                         Program.
                                                      (c) Oversight of service provider               identified for abuse of account privileges by
   (a) Monitoring a covered account for                                                               a financial institution or creditor.
evidence of identity theft;                        arrangements. Whenever a financial
   (b) Contacting the customer;                    institution or creditor engages a service          Suspicious Documents
   (c) Changing any passwords, security            provider to perform an activity in connection
                                                   with one or more covered accounts the                 5. Documents provided for identification
codes, or other security devices that permit                                                          appear to have been altered or forged.
access to a covered account;                       financial institution or creditor should take
                                                   steps to ensure that the activity of the service      6. The photograph or physical description
   (d) Reopening a covered account with a                                                             on the identification is not consistent with
new account number;                                provider is conducted in accordance with
                                                   reasonable policies and procedures designed        the appearance of the applicant or customer
   (e) Not opening a new covered account;                                                             presenting the identification.
   (f) Closing an existing covered account;        to detect, prevent, and mitigate the risk of
                                                   identity theft. For example, a financial              7. Other information on the identification
   (g) Not attempting to collect on a covered                                                         is not consistent with information provided
account or not selling a covered account to        institution or creditor could require the
                                                   service provider by contract to have policies      by the person opening a new covered account
a debt collector;                                                                                     or customer presenting the identification.
   (h) Notifying law enforcement; or               and procedures to detect relevant Red Flags
                                                   that may arise in the performance of the              8. Other information on the identification
   (i) Determining that no response is                                                                is not consistent with readily accessible
warranted under the particular                     service provider’s activities, and either report
                                                   the Red Flags to the financial institution or      information that is on file with the financial
circumstances.                                                                                        institution or creditor, such as a signature
                                                   creditor, or to take appropriate steps to
V. Updating the Program                            prevent or mitigate identity theft.                card or a recent check.
   Financial institutions and creditors should                                                           9. An application appears to have been
                                                   VII. Other Applicable Legal Requirements           altered or forged, or gives the appearance of
update the Program (including the Red Flags
determined to be relevant) periodically, to           Financial institutions and creditors should     having been destroyed and reassembled.
reflect changes in risks to customers or to the    be mindful of other related legal
                                                   requirements that may be applicable, such as:      Suspicious Personal Identifying Information
safety and soundness of the financial
institution or creditor from identity theft,          (a) For financial institutions and creditors       10. Personal identifying information
based on factors such as:                          that are subject to 31 U.S.C. 5318(g), filing a    provided is inconsistent when compared
   (a) The experiences of the financial            Suspicious Activity Report in accordance           against external information sources used by
institution or creditor with identity theft;       with applicable law and regulation;                the financial institution or creditor. For
   (b) Changes in methods of identity theft;          (b) Implementing any requirements under         example:
   (c) Changes in methods to detect, prevent,      15 U.S.C. 1681c–1(h) regarding the                    a. The address does not match any address
and mitigate identity theft;                       circumstances under which credit may be            in the consumer report; or
   (d) Changes in the types of accounts that       extended when the financial institution or            b. The Social Security Number (SSN) has
the financial institution or creditor offers or    creditor detects a fraud or active duty alert;     not been issued, or is listed on the Social
maintains; and                                        (c) Implementing any requirements for           Security Administration’s Death Master File.
   (e) Changes in the business arrangements        furnishers of information to consumer                 11. Personal identifying information
of the financial institution or creditor,          reporting agencies under 15 U.S.C. 1681s–2,        provided by the customer is not consistent
including mergers, acquisitions, alliances,        for example, to correct or update inaccurate       with other personal identifying information
joint ventures, and service provider               or incomplete information, and to not report       provided by the customer. For example, there
arrangements.                                      information that the furnisher has reasonable      is a lack of correlation between the SSN
                                                   cause to believe is inaccurate; and                range and date of birth.
VI. Methods for Administering the Program             (d) Complying with the prohibitions in 15          12. Personal identifying information
   (a) Oversight of Program. Oversight by the      U.S.C. 1681m on the sale, transfer, and            provided is associated with known
board of directors, an appropriate committee       placement for collection of certain debts          fraudulent activity as indicated by internal or
of the board, or a designated employee at the      resulting from identity theft.                     third-party sources used by the financial
level of senior management should include:                                                            institution or creditor. For example:
   (1) Assigning specific responsibility for the   Supplement A to Appendix J                            a. The address on an application is the
Program’s implementation;                            In addition to incorporating Red Flags from      same as the address provided on a fraudulent
   (2) Reviewing reports prepared by staff         the sources recommended in section II.b. of        application; or
regarding compliance by the financial              the Guidelines in Appendix J of this part,            b. The phone number on an application is
institution or creditor with § 222.90 of this      each financial institution or creditor may         the same as the number provided on a
part; and                                          consider incorporating into its Program,           fraudulent application.
63760           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

   13. Personal identifying information           transactions continue to be conducted in             (b) Definition. For purposes of this
provided is of a type commonly associated         connection with the customer’s covered            section, a notice of address discrepancy
with fraudulent activity as indicated by          account.                                          means a notice sent to a user by a
internal or third-party sources used by the          24. The financial institution or creditor is
                                                  notified that the customer is not receiving
                                                                                                    consumer reporting agency pursuant to
financial institution or creditor. For example:
   a. The address on an application is            paper account statements.                         15 U.S.C. 1681c(h)(1), that informs the
fictitious, a mail drop, or a prison; or             25. The financial institution or creditor is   user of a substantial difference between
   b. The phone number is invalid, or is          notified of unauthorized charges or               the address for the consumer that the
associated with a pager or answering service.     transactions in connection with a customer’s      user provided to request the consumer
   14. The SSN provided is the same as that       covered account.                                  report and the address(es) in the
submitted by other persons opening an                                                               agency’s file for the consumer.
                                                  Notice from Customers, Victims of Identity
account or other customers.                                                                            (c) Reasonable belief. (1) Requirement
                                                  Theft, Law Enforcement Authorities, or Other
   15. The address or telephone number                                                              to form a reasonable belief. A user must
                                                  Persons Regarding Possible Identity Theft in
provided is the same as or similar to the
                                                  Connection with Covered Accounts Held by          develop and implement reasonable
account number or telephone number
                                                  the Financial Institution or Creditor             policies and procedures designed to
submitted by an unusually large number of
other persons opening accounts or other             26. The financial institution or creditor is    enable the user to form a reasonable
customers.                                        notified by a customer, a victim of identity      belief that a consumer report relates to
   16. The person opening the covered             theft, a law enforcement authority, or any        the consumer about whom it has
account or the customer fails to provide all      other person that it has opened a fraudulent      requested the report, when the user
required personal identifying information on      account for a person engaged in identity          receives a notice of address discrepancy.
an application or in response to notification     theft.
                                                                                                       (2) Examples of reasonable policies
that the application is incomplete.               Federal Deposit Insurance Corporation             and procedures. (i) Comparing the
   17. Personal identifying information                                                             information in the consumer report
provided is not consistent with personal            12 CFR Chapter III
identifying information that is on file with
                                                                                                    provided by the consumer reporting
the financial institution or creditor.
                                                  Authority and Issuance                            agency with information the user:
   18. For financial institutions and creditors                                                        (A) Obtains and uses to verify the
                                                  ■ For the reasons discussed in the joint
that use challenge questions, the person                                                            consumer’s identity in accordance with
                                                  preamble, the Federal Deposit Insurance
opening the covered account or the customer                                                         the requirements of the Customer
                                                  Corporation is amending 12 CFR parts
cannot provide authenticating information                                                           Information Program (CIP) rules
beyond that which generally would be
                                                  334 and 364 of title 12, Chapter III, of
                                                                                                    implementing 31 U.S.C. 5318(l) (31 CFR
available from a wallet or consumer report.       the Code of Federal Regulations as
                                                                                                    103.121);
                                                  follows:                                             (B) Maintains in its own records, such
Unusual Use of, or Suspicious Activity
Related to, the Covered Account                   PART 334—FAIR CREDIT REPORTING                    as applications, change of address
   19. Shortly following the notice of a change                                                     notifications, other customer account
of address for a covered account, the
                                                  ■  1. The authority citation for part 334         records, or retained CIP documentation;
institution or creditor receives a request for    is revised to read as follows:                    or
a new, additional, or replacement card or a         Authority: 12 U.S.C. 1818, 1819 (Tenth)            (C) Obtains from third-party sources;
cell phone, or for the addition of authorized     and 1831p–1; 15 U.S.C. 1681a, 1681b, 1681c,       or
users on the account.                             1681m, 1681s, 1681s–3, 1681t, 1681w, 6801            (ii) Verifying the information in the
   20. A new revolving credit account is used     and 6805, Pub. L. 108–159, 117 Stat. 1952.        consumer report provided by the
in a manner commonly associated with                                                                consumer reporting agency with the
known patterns of fraud patterns. For             Subpart A—General Provisions                      consumer.
example:                                                                                               (d) Consumer’s address. (1)
   a. The majority of available credit is used    ■ 2. Amend § 334.3 by revising the                Requirement to furnish consumer’s
for cash advances or merchandise that is          introductory text to read as follows:             address to a consumer reporting agency.
easily convertible to cash (e.g., electronics
equipment or jewelry); or                         § 334.3   Definitions.                            A user must develop and implement
   b. The customer fails to make the first          For purposes of this part, unless               reasonable policies and procedures for
payment or makes an initial payment but no        explicitly stated otherwise:                      furnishing an address for the consumer
subsequent payments.                                                                                that the user has reasonably confirmed
   21. A covered account is used in a manner
                                                  *     *     *     *    *
                                                                                                    is accurate to the consumer reporting
that is not consistent with established           ■ 3. Revise the heading for Subpart I as
                                                                                                    agency from whom it received the
patterns of activity on the account. There is,    shown below.                                      notice of address discrepancy when the
for example:
                                                  Subpart I—Duties of Users of                      user:
   a. Nonpayment when there is no history of
                                                  Consumer Reports Regarding Address                   (i) Can form a reasonable belief that
late or missed payments;
   b. A material increase in the use of           Discrepancies and Records Disposal                the consumer report relates to the
available credit;                                                                                   consumer about whom the user
   c. A material change in purchasing or          ■   4. Add § 334.82 to read as follows:           requested the report;
spending patterns;                                                                                     (ii) Establishes a continuing
   d. A material change in electronic fund        § 334.82 Duties of users regarding address        relationship with the consumer; and
transfer patterns in connection with a deposit    discrepancies.                                       (iii) Regularly and in the ordinary
account; or                                         (a) Scope. This section applies to a            course of business furnishes information
   e. A material change in telephone call         user of consumer reports (user) that              to the consumer reporting agency from
patterns in connection with a cellular phone      receives a notice of address discrepancy          which the notice of address discrepancy
account.                                          from a consumer reporting agency and              relating to the consumer was obtained.
   22. A covered account that has been
                                                  that is an insured state nonmember                   (2) Examples of confirmation
inactive for a reasonably lengthy period of
time is used (taking into consideration the       bank, insured state licensed branch of a          methods. The user may reasonably
type of account, the expected pattern of usage    foreign bank, or a subsidiary of such             confirm an address is accurate by:
and other relevant factors).                      entities (except brokers, dealers, persons           (i) Verifying the address with the
   23. Mail sent to the customer is returned      providing insurance, investment                   consumer about whom it has requested
repeatedly as undeliverable although              companies, and investment advisers).              the report;
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                           63761

   (ii) Reviewing its own records to            checking account, or savings account;         institution or creditor offers or
verify the address of the consumer;             and                                           maintains, and incorporate those Red
   (iii) Verifying the address through             (ii) Any other account that the            Flags into its Program;
third-party sources; or                         financial institution or creditor offers or      (ii) Detect Red Flags that have been
   (iv) Using other reasonable means.           maintains for which there is a                incorporated into the Program of the
   (3) Timing. The policies and                 reasonably foreseeable risk to customers      financial institution or creditor;
procedures developed in accordance              or to the safety and soundness of the            (iii) Respond appropriately to any Red
with paragraph (d)(1) of this section           financial institution or creditor from        Flags that are detected pursuant to
must provide that the user will furnish         identity theft, including financial,          paragraph (d)(2)(ii) of this section to
the consumer’s address that the user has        operational, compliance, reputation, or       prevent and mitigate identity theft; and
reasonably confirmed is accurate to the         litigation risks.                                (iv) Ensure the Program (including the
consumer reporting agency as part of the           (4) Credit has the same meaning as in      Red Flags determined to be relevant) is
information it regularly furnishes for the      15 U.S.C. 1681a(r)(5).                        updated periodically, to reflect changes
reporting period in which it establishes           (5) Creditor has the same meaning as       in risks to customers and to the safety
a relationship with the consumer.               in 15 U.S.C. 1681a(r)(5), and includes        and soundness of the financial
■ 5. Add Subpart J to part 334 to read          lenders such as banks, finance                institution or creditor from identity
as follows:                                     companies, automobile dealers,                theft.
                                                mortgage brokers, utility companies,             (e) Administration of the Program.
Subpart J—Identity Theft Red Flags
                                                and telecommunications companies.             Each financial institution or creditor
Sec.                                               (6) Customer means a person that has       that is required to implement a Program
334.90	 Duties regarding the detection,         a covered account with a financial            must provide for the continued
     prevention, and mitigation of identity     institution or creditor.                      administration of the Program and must:
     theft.                                        (7) Financial institution has the same
334.91	 Duties of card issuers regarding
                                                                                                 (1) Obtain approval of the initial
     changes of address.
                                                meaning as in 15 U.S.C. 1681a(t).             written Program from either its board of
                                                   (8) Identity theft has the same            directors or an appropriate committee of
Subpart J—Identity Theft Red Flags              meaning as in 16 CFR 603.2(a).                the board of directors;
                                                   (9) Red Flag means a pattern, practice,       (2) Involve the board of directors, an
§ 334.90 Duties regarding the detection,        or specific activity that indicates the       appropriate committee thereof, or a
prevention, and mitigation of identity theft.   possible existence of identity theft.         designated employee at the level of
   (a) Scope. This section applies to a            (10) Service provider means a person       senior management in the oversight,
financial institution or creditor that is       that provides a service directly to the       development, implementation and
an insured state nonmember bank,                financial institution or creditor.            administration of the Program;
insured state licensed branch of a                 (c) Periodic Identification of Covered        (3) Train staff, as necessary, to
foreign bank, or a subsidiary of such           Accounts. Each financial institution or       effectively implement the Program; and
entities (except brokers, dealers, persons      creditor must periodically determine             (4) Exercise appropriate and effective
providing insurance, investment                 whether it offers or maintains covered        oversight of service provider
companies, and investment advisers).            accounts. As a part of this                   arrangements.
   (b) Definitions. For purposes of this        determination, a financial institution or        (f) Guidelines. Each financial
section and Appendix J, the following           creditor must conduct a risk assessment       institution or creditor that is required to
definitions apply:                              to determine whether it offers or             implement a Program must consider the
   (1) Account means a continuing               maintains covered accounts described          guidelines in Appendix J of this part
relationship established by a person            in paragraph (b)(3)(ii) of this section,      and include in its Program those
with a financial institution or creditor to     taking into consideration:                    guidelines that are appropriate.
obtain a product or service for personal,          (1) The methods it provides to open
family, household or business purposes.         its accounts;                                 § 334.91 Duties of card issuers regarding
Account includes:                                  (2) The methods it provides to access      changes of address.
   (i) An extension of credit, such as the      its accounts; and                                (a) Scope. This section applies to an
purchase of property or services                   (3) Its previous experiences with          issuer of a debit or credit card (card
involving a deferred payment; and               identity theft.                               issuer) that is an insured state
   (ii) A deposit account.                         (d) Establishment of an Identity Theft     nonmember bank, insured state licensed
   (2) The term board of directors              Prevention Program—(1) Program                branch of a foreign bank, or a subsidiary
includes:                                       requirement. Each financial institution       of such entities (except brokers, dealers,
   (i) In the case of a branch or agency        or creditor that offers or maintains one      persons providing insurance,
of a foreign bank, the managing official        or more covered accounts must develop         investment companies, and investment
in charge of the branch or agency; and          and implement a written Identity Theft        advisers).
   (ii) In the case of any other creditor       Prevention Program (Program) that is             (b) Definitions. For purposes of this
that does not have a board of directors,        designed to detect, prevent, and mitigate     section:
a designated employee at the level of           identity theft in connection with the            (1) Cardholder means a consumer
senior management.                              opening of a covered account or any           who has been issued a credit or debit
   (3) Covered account means:                   existing covered account. The Program         card.
   (i) An account that a financial              must be appropriate to the size and              (2) Clear and conspicuous means
institution or creditor offers or               complexity of the financial institution       reasonably understandable and
maintains, primarily for personal,              or creditor and the nature and scope of       designed to call attention to the nature
family, or household purposes, that             its activities.                               and significance of the information
involves or is designed to permit                  (2) Elements of the Program. The           presented.
multiple payments or transactions, such         Program must include reasonable                  (c) Address validation requirements.
as a credit card account, mortgage loan,        policies and procedures to:                   A card issuer must establish and
automobile loan, margin account, cell              (i) Identify relevant Red Flags for the    implement reasonable policies and
phone account, utility account,                 covered accounts that the financial           procedures to assess the validity of a
63762           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

change of address if it receives                 I. The Program                                     creditor has detected that are commensurate
notification of a change of address for a           In designing its Program, a financial           with the degree of risk posed. In determining
consumer’s debit or credit card account          institution or creditor may incorporate, as        an appropriate response, a financial
                                                 appropriate, its existing policies, procedures,    institution or creditor should consider
and, within a short period of time
                                                 and other arrangements that control                aggravating factors that may heighten the risk
afterwards (during at least the first 30                                                            of identity theft, such as a data security
                                                 reasonably foreseeable risks to customers or
days after it receives such notification),       to the safety and soundness of the financial       incident that results in unauthorized access
the card issuer receives a request for an        institution or creditor from identity theft.       to a customer’s account records held by the
additional or replacement card for the                                                              financial institution, creditor, or third party,
                                                 II. Identifying Relevant Red Flags
same account. Under these                                                                           or notice that a customer has provided
circumstances, the card issuer may not              (a) Risk Factors. A financial institution or    information related to a covered account held
                                                 creditor should consider the following factors     by the financial institution or creditor to
issue an additional or replacement card,         in identifying relevant Red Flags for covered
until, in accordance with its reasonable                                                            someone fraudulently claiming to represent
                                                 accounts, as appropriate:                          the financial institution or creditor or to a
policies and procedures and for the                 (1) The types of covered accounts it offers     fraudulent Web site. Appropriate responses
purpose of assessing the validity of the         or maintains;                                      may include the following:
change of address, the card issuer:                 (2) The methods it provides to open its            (a) Monitoring a covered account for
   (1)(i) Notifies the cardholder of the         covered accounts;                                  evidence of identity theft;
request:                                            (3) The methods it provides to access its          (b) Contacting the customer;
                                                 covered accounts; and                                 (c) Changing any passwords, security
   (A) At the cardholder’s former                   (4) Its previous experiences with identity
address; or                                                                                         codes, or other security devices that permit
                                                 theft.                                             access to a covered account;
   (B) By any other means of                        (b) Sources of Red Flags. Financial                (d) Reopening a covered account with a
communication that the card issuer and           institutions and creditors should incorporate      new account number;
the cardholder have previously agreed            relevant Red Flags from sources such as:              (e) Not opening a new covered account;
to use; and                                         (1) Incidents of identity theft that the           (f) Closing an existing covered account;
   (ii) Provides to the cardholder a             financial institution or creditor has                 (g) Not attempting to collect on a covered
                                                 experienced;                                       account or not selling a covered account to
reasonable means of promptly reporting              (2) Methods of identity theft that the
incorrect address changes; or                                                                       a debt collector;
                                                 financial institution or creditor has identified      (h) Notifying law enforcement; or
   (2) Otherwise assesses the validity of        that reflect changes in identity theft risks;         (i) Determining that no response is
the change of address in accordance              and
                                                                                                    warranted under the particular
with the policies and procedures the                (3) Applicable supervisory guidance.
                                                                                                    circumstances.
card issuer has established pursuant to             (c) Categories of Red Flags. The Program
                                                 should include relevant Red Flags from the         V. Updating the Program.
§ 334.90 of this part.
                                                 following categories, as appropriate.                 Financial institutions and creditors should
   (d) Alternative timing of address             Examples of Red Flags from each of these           update the Program (including the Red Flags
validation. A card issuer may satisfy the        categories are appended as Supplement A to         determined to be relevant) periodically, to
requirements of paragraph (c) of this            this Appendix J.                                   reflect changes in risks to customers or to the
section if it validates an address                  (1) Alerts, notifications, or other warnings    safety and soundness of the financial
pursuant to the methods in paragraph             received from consumer reporting agencies or       institution or creditor from identity theft,
(c)(1) or (c)(2) of this section when it         service providers, such as fraud detection         based on factors such as:
receives an address change notification,         services;                                             (a) The experiences of the financial
                                                    (2) The presentation of suspicious              institution or creditor with identity theft;
before it receives a request for an              documents;
additional or replacement card.                                                                        (b) Changes in methods of identity theft;
                                                    (3) The presentation of suspicious personal        (c) Changes in methods to detect, prevent,
   (e) Form of notice. Any written or            identifying information, such as a suspicious      and mitigate identity theft;
electronic notice that the card issuer           address change;                                       (d) Changes in the types of accounts that
provides under this paragraph must be               (4) The unusual use of, or other suspicious     the financial institution or creditor offers or
clear and conspicuous and provided               activity related to, a covered account; and        maintains; and
separately from its regular                         (5) Notice from customers, victims of              (e) Changes in the business arrangements
                                                 identity theft, law enforcement authorities, or    of the financial institution or creditor,
correspondence with the cardholder.              other persons regarding possible identity          including mergers, acquisitions, alliances,
Appendices D–I [Reserved]                        theft in connection with covered accounts          joint ventures, and service provider
                                                 held by the financial institution or creditor.     arrangements.
■ 6. Add and reserve appendices D                III. Detecting Red Flags.
through I to part 334.                                                                              VI. Methods for Administering the Program
                                                    The Program’s policies and procedures              (a) Oversight of Program. Oversight by the
■ 7. Add Appendix J to part 334 to read          should address the detection of Red Flags in       board of directors, an appropriate committee
as follows:                                      connection with the opening of covered
                                                                                                    of the board, or a designated employee at the
                                                 accounts and existing covered accounts, such
Appendix J to Part 334—Interagency                                                                  level of senior management should include:
                                                 as by:
Guidelines on Identity Theft Detection,                                                                (1) Assigning specific responsibility for the
                                                    (a) Obtaining identifying information
                                                                                                    Program’s implementation;
Prevention, and Mitigation                       about, and verifying the identity of, a person
                                                                                                       (2) Reviewing reports prepared by staff
                                                 opening a covered account, for example,
   Section 334.90 of this part requires each                                                        regarding compliance by the financial
                                                 using the policies and procedures regarding
financial institution and creditor that offers   identification and verification set forth in the   institution or creditor with § 334.90 of this
or maintains one or more covered accounts,       Customer Identification Program rules              part; and
as defined in § 334.90(b)(3) of this part, to    implementing 31 U.S.C. 5318(l)(31 CFR                 (3) Approving material changes to the
develop and provide for the continued            103.121); and                                      Program as necessary to address changing
administration of a written Program to detect,      (b) Authenticating customers, monitoring        identity theft risks.
prevent, and mitigate identity theft in          transactions, and verifying the validity of           (b) Reports. (1) In general. Staff of the
connection with the opening of a covered         change of address requests, in the case of         financial institution or creditor responsible
account or any existing covered account.         existing covered accounts.                         for development, implementation, and
These guidelines are intended to assist                                                             administration of its Program should report
financial institutions and creditors in the      IV. Preventing and Mitigating Identity Theft.      to the board of directors, an appropriate
formulation and maintenance of a Program            The Program’s policies and procedures           committee of the board, or a designated
that satisfies the requirements of § 334.90 of   should provide for appropriate responses to        employee at the level of senior management,
this part.                                       the Red Flags the financial institution or         at least annually, on compliance by the
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                     63763

financial institution or creditor with § 334.90       3. A consumer reporting agency provides a        14. The SSN provided is the same as that
of this part.                                      notice of address discrepancy, as defined in      submitted by other persons opening an
   (2) Contents of report. The report should       § 334.82(b) of this part.                         account or other customers.
address material matters related to the               4. A consumer report indicates a pattern of      15. The address or telephone number
Program and evaluate issues such as: the           activity that is inconsistent with the history    provided is the same as or similar to the
effectiveness of the policies and procedures       and usual pattern of activity of an applicant     account number or telephone number
of the financial institution or creditor in        or customer, such as:                             submitted by an unusually large number of
addressing the risk of identity theft in              a. A recent and significant increase in the    other persons opening accounts or other
connection with the opening of covered             volume of inquiries;                              customers.
accounts and with respect to existing covered         b. An unusual number of recently                 16. The person opening the covered
accounts; service provider arrangements;                                                             account or the customer fails to provide all
                                                   established credit relationships;
significant incidents involving identity theft                                                       required personal identifying information on
                                                      c. A material change in the use of credit,
and management’s response; and                                                                       an application or in response to notification
                                                   especially with respect to recently               that the application is incomplete.
recommendations for material changes to the        established credit relationships; or
Program.                                                                                               17. Personal identifying information
                                                      d. An account that was closed for cause or     provided is not consistent with personal
   (c) Oversight of service provider
                                                   identified for abuse of account privileges by     identifying information that is on file with
arrangements. Whenever a financial
                                                   a financial institution or creditor.              the financial institution or creditor.
institution or creditor engages a service
provider to perform an activity in connection      Suspicious Documents                                18. For financial institutions and creditors
with one or more covered accounts the                                                                that use challenge questions, the person
                                                      5. Documents provided for identification       opening the covered account or the customer
financial institution or creditor should take
                                                   appear to have been altered or forged.            cannot provide authenticating information
steps to ensure that the activity of the service
                                                      6. The photograph or physical description      beyond that which generally would be
provider is conducted in accordance with
reasonable policies and procedures designed        on the identification is not consistent with      available from a wallet or consumer report.
to detect, prevent, and mitigate the risk of       the appearance of the applicant or customer
                                                   presenting the identification.                    Unusual Use of, or Suspicious Activity
identity theft. For example, a financial                                                             Related to, the Covered Account
institution or creditor could require the             7. Other information on the identification
service provider by contract to have policies      is not consistent with information provided          19. Shortly following the notice of a change
and procedures to detect relevant Red Flags        by the person opening a new covered account       of address for a covered account, the
that may arise in the performance of the           or customer presenting the identification.        institution or creditor receives a request for
service provider’s activities, and either report      8. Other information on the identification     a new, additional, or replacement card or a
the Red Flags to the financial institution or      is not consistent with readily accessible         cell phone, or for the addition of authorized
creditor, or to take appropriate steps to          information that is on file with the financial    users on the account.
prevent or mitigate identity theft.                institution or creditor, such as a signature         20. A new revolving credit account is used
                                                   card or a recent check.                           in a manner commonly associated with
VII. Other Applicable Legal Requirements                                                             known patterns of fraud patterns. For
                                                      9. An application appears to have been
   Financial institutions and creditors should     altered or forged, or gives the appearance of     example:
be mindful of other related legal                  having been destroyed and reassembled.               a. The majority of available credit is used
requirements that may be applicable, such as:                                                        for cash advances or merchandise that is
   (a) For financial institutions and creditors    Suspicious Personal Identifying Information       easily convertible to cash (e.g., electronics
that are subject to 31 U.S.C. 5318(g), filing a       10. Personal identifying information           equipment or jewelry); or
Suspicious Activity Report in accordance           provided is inconsistent when compared               b. The customer fails to make the first
with applicable law and regulation;                against external information sources used by      payment or makes an initial payment but no
   (b) Implementing any requirements under         the financial institution or creditor. For        subsequent payments.
15 U.S.C. 1681c–1(h) regarding the                 example:                                             21. A covered account is used in a manner
circumstances under which credit may be               a. The address does not match any address      that is not consistent with established
extended when the financial institution or         in the consumer report; or                        patterns of activity on the account. There is,
creditor detects a fraud or active duty alert;        b. The Social Security Number (SSN) has        for example:
   (c) Implementing any requirements for           not been issued, or is listed on the Social          a. Nonpayment when there is no history of
furnishers of information to consumer              Security Administration’s Death Master File.      late or missed payments;
reporting agencies under 15 U.S.C. 1681s–2,                                                             b. A material increase in the use of
                                                      11. Personal identifying information
for example, to correct or update inaccurate                                                         available credit;
                                                   provided by the customer is not consistent
or incomplete information, and to not report                                                            c. A material change in purchasing or
                                                   with other personal identifying information
information that the furnisher has reasonable                                                        spending patterns;
                                                   provided by the customer. For example, there
cause to believe is inaccurate; and                                                                     d. A material change in electronic fund
                                                   is a lack of correlation between the SSN
   (d) Complying with the prohibitions in 15                                                         transfer patterns in connection with a deposit
                                                   range and date of birth.                          account; or
U.S.C. 1681m on the sale, transfer, and
                                                      12. Personal identifying information              e. A material change in telephone call
placement for collection of certain debts
                                                   provided is associated with known                 patterns in connection with a cellular phone
resulting from identity theft.
                                                   fraudulent activity as indicated by internal or   account.
Supplement A to Appendix J                         third-party sources used by the financial            22. A covered account that has been
  In addition to incorporating Red Flags from      institution or creditor. For example:             inactive for a reasonably lengthy period of
the sources recommended in section II.b. of           a. The address on an application is the        time is used (taking into consideration the
the Guidelines in Appendix J of this part,         same as the address provided on a fraudulent      type of account, the expected pattern of usage
each financial institution or creditor may         application; or                                   and other relevant factors).
consider incorporating into its Program,              b. The phone number on an application is          23. Mail sent to the customer is returned
whether singly or in combination, Red Flags        the same as the number provided on a              repeatedly as undeliverable although
from the following illustrative examples in        fraudulent application.                           transactions continue to be conducted in
connection with covered accounts:                     13. Personal identifying information           connection with the customer’s covered
                                                   provided is of a type commonly associated         account.
Alerts, Notifications or Warnings from a           with fraudulent activity as indicated by             24. The financial institution or creditor is
Consumer Reporting Agency                          internal or third-party sources used by the       notified that the customer is not receiving
  1. A fraud or active duty alert is included      financial institution or creditor. For example:   paper account statements.
with a consumer report.                               a. The address on an application is               25. The financial institution or creditor is
  2. A consumer reporting agency provides a        fictitious, a mail drop, or a prison; or          notified of unauthorized charges or
notice of credit freeze in response to a              b. The phone number is invalid, or is          transactions in connection with a customer’s
request for a consumer report.                     associated with a pager or answering service.     covered account.
63764           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

Notice From Customers, Victims of Identity          (ii) The scope of § 571.83 of Subpart     the requirements of the Customer
Theft, Law Enforcement Authorities, or Other     I of this part is stated in § 571.83(a) of   Information Program (CIP) rules
Persons Regarding Possible Identity Theft in     this part.                                   implementing 31 U.S.C. 5318(l) (31 CFR
Connection With Covered Accounts Held by            (10)(i) The scope of § 571.90 of          103.121);
the Financial Institution or Creditor
                                                 Subpart J of this part is stated in             (B) Maintains in its own records, such
  26. The financial institution or creditor is   § 571.90(a) of this part.                    as applications, change of address
notified by a customer, a victim of identity        (ii) The scope of § 571.91 of Subpart     notifications, other customer account
theft, a law enforcement authority, or any
                                                 J of this part is stated in § 571.91(a) of   records, or retained CIP documentation;
other person that it has opened a fraudulent
account for a person engaged in identity         this part.                                   or
theft.                                           ■ 3. Amend § 571.3 by:                          (C) Obtains from third-party sources;
                                                 ■ a. Removing paragraph (o); and             or
PART 364—STANDARDS FOR SAFETY                    ■ b. Revising the introductory text to          (ii) Verifying the information in the
AND SOUNDNESS                                    read as follows:                             consumer report provided by the
                                                                                              consumer reporting agency with the
■  8. The authority citation for part 364        § 571.3   Definitions.                       consumer.
is revised to read as follows:                     For purposes of this part, unless             (d) Consumer’s address. (1)
                                                 explicitly stated otherwise:                 Requirement to furnish consumer’s
  Authority: 12 U.S.C. 1818 and 1819
(Tenth), 1831p–1; 15 U.S.C. 1681b, 1681s,        *     *     *     *    *                     address to a consumer reporting agency.
1681w, 6801(b), 6805(b)(1).                      ■ 4. Revise the heading for Subpart I as     A user must develop and implement
                                                 shown below.                                 reasonable policies and procedures for
■ 9. Add the following sentence at the
                                                                                              furnishing an address for the consumer
end of § 364.101(b):
                                                 Subpart I—Duties of Users of                 that the user has reasonably confirmed
§ 364.101 Standards for safety and               Consumer Reports Regarding Address           is accurate to the consumer reporting
soundness.                                       Discrepancies and Records Disposal           agency from whom it received the
*     *    *     *     *                                                                      notice of address discrepancy when the
                                                 ■   5. Add § 571.82 to read as follows:      user:
  (b) * * * The interagency regulations
and guidelines on identity theft                                                                 (i) Can form a reasonable belief that
                                                 § 571.82 Duties of users regarding address
detection, prevention, and mitigation            discrepancies.
                                                                                              the consumer report relates to the
prescribed pursuant to section 114 of                                                         consumer about whom the user
                                                    (a) Scope. This section applies to a      requested the report;
the Fair and Accurate Credit                     user of consumer reports (user) that            (ii) Establishes a continuing
Transactions Act of 2003, 15 U.S.C.              receives a notice of address discrepancy     relationship with the consumer; and
1681m(e), are set forth in §§ 334.90,            from a consumer reporting agency, and           (iii) Regularly and in the ordinary
334.91, and Appendix J of part 334.              that is a savings association whose          course of business furnishes information
DEPARTMENT OF THE TREASURY                       deposits are insured by the Federal          to the consumer reporting agency from
                                                 Deposit Insurance Corporation or, in         which the notice of address discrepancy
Office of Thrift Supervision                     accordance with § 559.3(h)(1) of this        relating to the consumer was obtained.
12 CFR Chapter V                                 chapter, a federal savings association          (2) Examples of confirmation
                                                 operating subsidiary that is not             methods. The user may reasonably
Authority and Issuance                           functionally regulated within the            confirm an address is accurate by:
                                                 meaning of section 5(c)(5) of the Bank          (i) Verifying the address with the
■  For the reasons discussed in the joint
                                                 Holding Company Act of 1956, as              consumer about whom it has requested
preamble, the Office of Thrift
                                                 amended (12 U.S.C. 1844(c)(5)).              the report;
Supervision is amending part 571 of
                                                    (b) Definition. For purposes of this         (ii) Reviewing its own records to
title 12, chapter V, of the Code of
                                                 section, a notice of address discrepancy     verify the address of the consumer;
Federal Regulations as follows:
                                                 means a notice sent to a user by a              (iii) Verifying the address through
PART 571—FAIR CREDIT REPORTING                   consumer reporting agency pursuant to        third-party sources; or
                                                 15 U.S.C. 1681c(h)(1), that informs the         (iv) Using other reasonable means.
■ 1. Revise the authority citation for part      user of a substantial difference between        (3) Timing. The policies and
571 to read as follows:                          the address for the consumer that the        procedures developed in accordance
  Authority: 12 U.S.C. 1462a, 1463, 1464,        user provided to request the consumer        with paragraph (d)(1) of this section
1467a, 1828, 1831p–1, and 1881–1884; 15          report and the address(es) in the            must provide that the user will furnish
U.S.C. 1681b, 1681c, 1681m, 1681s, 1681s–1,      agency’s file for the consumer.              the consumer’s address that the user has
1681t and 1681w; 15 U.S.C. 6801 and 6805;           (c) Reasonable belief. (1) Requirement    reasonably confirmed is accurate to the
Sec. 214 Pub. L. 108–159, 117 Stat. 1952.        to form a reasonable belief. A user must     consumer reporting agency as part of the
                                                 develop and implement reasonable             information it regularly furnishes for the
Subpart A—General Provisions                     policies and procedures designed to          reporting period in which it establishes
                                                 enable the user to form a reasonable         a relationship with the consumer.
■ 2. Amend § 571.1 by revising                   belief that a consumer report relates to
paragraph (b)(9) and adding a new                                                             ■ 6. Amend § 571.83 by:
                                                 the consumer about whom it has               ■ a. Redesignating paragraphs (a) and
paragraph (b)(10) to read as follows:            requested the report, when the user          (b) as paragraphs (b) and (c),
§ 571.1 Purpose and Scope.                       receives a notice of address discrepancy.    respectively.
                                                    (2) Examples of reasonable policies       ■ b. Adding a new paragraph (a) to read
*      *     *      *     *
                                                 and procedures. (i) Comparing the            as follows:
   (b) scope.                                    information in the consumer report
*      *     *      *     *                      provided by the consumer reporting           § 571.83 Disposal of consumer
   (9)(i) The scope of § 571.82 of Subpart       agency with information the user:            information.
I of this part is stated in § 571.82(a) of          (A) Obtains and uses to verify the          (a) Scope. This section applies to
this part.                                       consumer’s identity in accordance with       savings associations whose deposits are
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                          63765

insured by the Federal Deposit                  maintains for which there is a                  (ii) Detect Red Flags that have been
Insurance Corporation and federal               reasonably foreseeable risk to customers     incorporated into the Program of the
savings association operating                   or to the safety and soundness of the        financial institution or creditor;
subsidiaries in accordance with                 financial institution or creditor from          (iii) Respond appropriately to any Red
§ 559.3(h)(1) of this chapter (defined as       identity theft, including financial,         Flags that are detected pursuant to
‘‘you’’).                                       operational, compliance, reputation, or      paragraph (d)(2)(ii) of this section to
*     *     *     *     *                       litigation risks.                            prevent and mitigate identity theft; and
■ 7. Add Subpart J to part 571 to read             (4) Credit has the same meaning as in        (iv) Ensure the Program (including the
as follows:                                     15 U.S.C. 1681a(r)(5).                       Red Flags determined to be relevant) is
                                                   (5) Creditor has the same meaning as      updated periodically, to reflect changes
Subpart J—Identity Theft Red Flags                                                           in risks to customers and to the safety
                                                in 15 U.S.C. 1681a(r)(5), and includes
Sec.                                            lenders such as banks, finance               and soundness of the financial
571.90	 Duties regarding the detection,         companies, automobile dealers,               institution or creditor from identity
     prevention, and mitigation of identity                                                  theft.
     theft.
                                                mortgage brokers, utility companies,
                                                and telecommunications companies.               (e) Administration of the Program.
571.91	 Duties of card issuers regarding
     changes of address.                           (6) Customer means a person that has      Each financial institution or creditor
                                                a covered account with a financial           that is required to implement a Program
Subpart J—Identity Theft Red Flags              institution or creditor.                     must provide for the continued
                                                   (7) Financial institution has the same    administration of the Program and must:
§ 571.90 Duties regarding the detection,                                                        (1) Obtain approval of the initial
                                                meaning as in 15 U.S.C. 1681a(t).
prevention, and mitigation of identity theft.                                                written Program from either its board of
                                                   (8) Identity theft has the same
   (a) Scope. This section applies to a         meaning as in 16 CFR 603.2(a).               directors or an appropriate committee of
financial institution or creditor that is a        (9) Red Flag means a pattern, practice,   the board of directors;
savings association whose deposits are          or specific activity that indicates the         (2) Involve the board of directors, an
insured by the Federal Deposit                  possible existence of identity theft.        appropriate committee thereof, or a
Insurance Corporation or, in accordance            (10) Service provider means a person      designated employee at the level of
with § 559.3(h)(1) of this chapter, a           that provides a service directly to the      senior management in the oversight,
federal savings association operating           financial institution or creditor.           development, implementation and
subsidiary that is not functionally                (c) Periodic Identification of Covered    administration of the Program;
regulated within the meaning of section         Accounts. Each financial institution or         (3) Train staff, as necessary, to
5(c)(5) of the Bank Holding Company             creditor must periodically determine         effectively implement the Program; and
Act of 1956, as amended (12 U.S.C.              whether it offers or maintains covered          (4) Exercise appropriate and effective
1844(c)(5)).                                    accounts. As a part of this                  oversight of service provider
   (b) Definitions. For purposes of this                                                     arrangements.
                                                determination, a financial institution or
section and Appendix J, the following                                                           (f) Guidelines. Each financial
                                                creditor must conduct a risk assessment
definitions apply:                                                                           institution or creditor that is required to
                                                to determine whether it offers or
   (1) Account means a continuing                                                            implement a Program must consider the
                                                maintains covered accounts described
relationship established by a person                                                         guidelines in Appendix J of this part
                                                in paragraph (b)(3)(ii) of this section,
with a financial institution or creditor to                                                  and include in its Program those
                                                taking into consideration:
obtain a product or service for personal,                                                    guidelines that are appropriate.
                                                   (1) The methods it provides to open
family, household or business purposes.
                                                its accounts;                                § 571.91 Duties of card issuers regarding
Account includes:
   (i) An extension of credit, such as the         (2) The methods it provides to access     changes of address.
purchase of property or services                its accounts; and                               (a) Scope. This section applies to an
involving a deferred payment; and                  (3) Its previous experiences with         issuer of a debit or credit card (card
   (ii) A deposit account.                      identity theft.                              issuer) that is a savings association
   (2) The term board of directors                 (d) Establishment of an Identity Theft    whose deposits are insured by the
includes:                                       Prevention Program. (1) Program              Federal Deposit Insurance Corporation
   (i) In the case of a branch or agency        requirement. Each financial institution      or, in accordance with § 559.3(h)(1) of
of a foreign bank, the managing official        or creditor that offers or maintains one     this chapter, a federal savings
in charge of the branch or agency; and          or more covered accounts must develop        association operating subsidiary that is
   (ii) In the case of any other creditor       and implement a written Identity Theft       not functionally regulated within the
that does not have a board of directors,        Prevention Program (Program) that is         meaning of section 5(c)(5) of the Bank
a designated employee at the level of           designed to detect, prevent, and mitigate    Holding Company Act of 1956, as
senior management.                              identity theft in connection with the        amended (12 U.S.C. 1844(c)(5)).
   (3) Covered account means:                   opening of a covered account or any             (b) Definitions. For purposes of this
   (i) An account that a financial              existing covered account. The Program        section:
institution or creditor offers or               must be appropriate to the size and             (1) Cardholder means a consumer
maintains, primarily for personal,              complexity of the financial institution      who has been issued a credit or debit
family, or household purposes, that             or creditor and the nature and scope of      card.
involves or is designed to permit               its activities.                                 (2) Clear and conspicuous means
multiple payments or transactions, such            (2) Elements of the Program. The          reasonably understandable and
as a credit card account, mortgage loan,        Program must include reasonable              designed to call attention to the nature
automobile loan, margin account, cell           policies and procedures to:                  and significance of the information
phone account, utility account,                    (i) Identify relevant Red Flags for the   presented.
checking account, or savings account;           covered accounts that the financial             (c) Address validation requirements.
and                                             institution or creditor offers or            A card issuer must establish and
   (ii) Any other account that the              maintains, and incorporate those Red         implement reasonable policies and
financial institution or creditor offers or     Flags into its Program;                      procedures to assess the validity of a
63766           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

change of address if it receives                 I. The Program                                     the Red Flags the financial institution or
notification of a change of address for a           In designing its Program, a financial           creditor has detected that are commensurate
consumer’s debit or credit card account          institution or creditor may incorporate, as        with the degree of risk posed. In determining
                                                 appropriate, its existing policies, procedures,    an appropriate response, a financial
and, within a short period of time
                                                 and other arrangements that control                institution or creditor should consider
afterwards (during at least the first 30                                                            aggravating factors that may heighten the risk
days after it receives such notification),       reasonably foreseeable risks to customers or
                                                 to the safety and soundness of the financial       of identity theft, such as a data security
the card issuer receives a request for an        institution or creditor from identity theft.       incident that results in unauthorized access
additional or replacement card for the                                                              to a customer’s account records held by the
                                                 II. Identifying Relevant Red Flags                 financial institution, creditor, or third party,
same account. Under these
circumstances, the card issuer may not              (a) Risk Factors. A financial institution or    or notice that a customer has provided
issue an additional or replacement card,         creditor should consider the following factors     information related to a covered account held
                                                 in identifying relevant Red Flags for covered      by the financial institution or creditor to
until, in accordance with its reasonable         accounts, as appropriate:                          someone fraudulently claiming to represent
policies and procedures and for the                 (1) The types of covered accounts it offers     the financial institution or creditor or to a
purpose of assessing the validity of the         or maintains;                                      fraudulent website. Appropriate responses
change of address, the card issuer:                 (2) The methods it provides to open its         may include the following:
   (1)(i) Notifies the cardholder of the         covered accounts;                                     (a) Monitoring a covered account for
request:                                            (3) The methods it provides to access its       evidence of identity theft;
   (A) At the cardholder’s former                covered accounts; and                                 (b) Contacting the customer;
address; or                                         (4) Its previous experiences with identity         (c) Changing any passwords, security
   (B) By any other means of                     theft.                                             codes, or other security devices that permit
                                                    (b) Sources of Red Flags. Financial             access to a covered account;
communication that the card issuer and           institutions and creditors should incorporate         (d) Reopening a covered account with a
the cardholder have previously agreed            relevant Red Flags from sources such as:           new account number;
to use; and                                         (1) Incidents of identity theft that the           (e) Not opening a new covered account;
   (ii) Provides to the cardholder a             financial institution or creditor has                 (f) Closing an existing covered account;
reasonable means of promptly reporting           experienced;                                          (g) Not attempting to collect on a covered
incorrect address changes; or                       (2) Methods of identity theft that the          account or not selling a covered account to
   (2) Otherwise assesses the validity of        financial institution or creditor has identified   a debt collector;
the change of address in accordance              that reflect changes in identity theft risks;         (h) Notifying law enforcement; or
with the policies and procedures the             and                                                   (i) Determining that no response is
                                                    (3) Applicable supervisory guidance.            warranted under the particular
card issuer has established pursuant to             (c) Categories of Red Flags. The Program
§ 571.90 of this part.                                                                              circumstances.
                                                 should include relevant Red Flags from the
   (d) Alternative timing of address             following categories, as appropriate.              V. Updating the Program
validation. A card issuer may satisfy the        Examples of Red Flags from each of these              Financial institutions and creditors should
requirements of paragraph (c) of this            categories are appended as Supplement A to         update the Program (including the Red Flags
section if it validates an address               this Appendix J.                                   determined to be relevant) periodically, to
pursuant to the methods in paragraph                (1) Alerts, notifications, or other warnings    reflect changes in risks to customers or to the
(c)(1) or (c)(2) of this section when it         received from consumer reporting agencies or       safety and soundness of the financial
                                                 service providers, such as fraud detection         institution or creditor from identity theft,
receives an address change notification,         services;                                          based on factors such as:
before it receives a request for an                 (2) The presentation of suspicious                 (a) The experiences of the financial
additional or replacement card.                  documents;                                         institution or creditor with identity theft;
   (e) Form of notice. Any written or               (3) The presentation of suspicious personal        (b) Changes in methods of identity theft;
electronic notice that the card issuer           identifying information, such as a suspicious         (c) Changes in methods to detect, prevent,
provides under this paragraph must be            address change;                                    and mitigate identity theft;
clear and conspicuous and provided                  (4) The unusual use of, or other suspicious        (d) Changes in the types of accounts that
separately from its regular                      activity related to, a covered account; and        the financial institution or creditor offers or
                                                    (5) Notice from customers, victims of           maintains; and
correspondence with the cardholder.              identity theft, law enforcement authorities, or       (e) Changes in the business arrangements
Appendices D–I [Reserved]                        other persons regarding possible identity          of the financial institution or creditor,
                                                 theft in connection with covered accounts          including mergers, acquisitions, alliances,
■ 8. Add and reserve appendices D                held by the financial institution or creditor.     joint ventures, and service provider
through I to part 571.                           III. Detecting Red Flags                           arrangements.
■ 9. Add Appendix J to part 571 to read             The Program’s policies and procedures           VI. Methods for Administering the Program
as follows:                                      should address the detection of Red Flags in          (a) Oversight of Program. Oversight by the
                                                 connection with the opening of covered             board of directors, an appropriate committee
Appendix J to Part 571—Interagency               accounts and existing covered accounts, such
Guidelines on Identity Theft Detection,                                                             of the board, or a designated employee at the
                                                 as by:                                             level of senior management should include:
Prevention, and Mitigation                          (a) Obtaining identifying information              (1) Assigning specific responsibility for the
                                                 about, and verifying the identity of, a person     Program’s implementation;
   Section 571.90 of this part requires each
                                                 opening a covered account, for example,
financial institution and creditor that offers                                                         (2) Reviewing reports prepared by staff
                                                 using the policies and procedures regarding
or maintains one or more covered accounts,                                                          regarding compliance by the financial
                                                 identification and verification set forth in the
as defined in § 571.90(b)(3) of this part, to                                                       institution or creditor with § 571.90 of this
                                                 Customer Identification Program rules
develop and provide for the continued                                                               part; and
                                                 implementing 31 U.S.C. 5318(l) (31 CFR
administration of a written Program to detect,   103.121); and                                         (3) Approving material changes to the
prevent, and mitigate identity theft in             (b) Authenticating customers, monitoring        Program as necessary to address changing
connection with the opening of a covered         transactions, and verifying the validity of        identity theft risks.
account or any existing covered account.         change of address requests, in the case of            (b) Reports. (1) In general. Staff of the
These guidelines are intended to assist          existing covered accounts.                         financial institution or creditor responsible
financial institutions and creditors in the                                                         for development, implementation, and
formulation and maintenance of a Program         IV. Preventing and Mitigating Identity Theft       administration of its Program should report
that satisfies the requirements of § 571.90 of      The Program’s policies and procedures           to the board of directors, an appropriate
this part.                                       should provide for appropriate responses to        committee of the board, or a designated
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                     63767

employee at the level of senior management,           2. A consumer reporting agency provides a        b. The phone number is invalid, or is
at least annually, on compliance by the            notice of credit freeze in response to a          associated with a pager or answering service.
financial institution or creditor with § 571.90    request for a consumer report.                      14. The SSN provided is the same as that
of this part.                                         3. A consumer reporting agency provides a      submitted by other persons opening an
   (2) Contents of report. The report should       notice of address discrepancy, as defined in      account or other customers.
address material matters related to the            § 571.82(b) of this part.                           15. The address or telephone number
Program and evaluate issues such as: the              4. A consumer report indicates a pattern of    provided is the same as or similar to the
effectiveness of the policies and procedures       activity that is inconsistent with the history    account number or telephone number
of the financial institution or creditor in        and usual pattern of activity of an applicant     submitted by an unusually large number of
addressing the risk of identity theft in           or customer, such as:                             other persons opening accounts or other
connection with the opening of covered                a. A recent and significant increase in the    customers.
accounts and with respect to existing covered      volume of inquiries;                                16. The person opening the covered
accounts; service provider arrangements;              b. An unusual number of recently               account or the customer fails to provide all
significant incidents involving identity theft     established credit relationships;                 required personal identifying information on
                                                      c. A material change in the use of credit,     an application or in response to notification
and management’s response; and
                                                   especially with respect to recently               that the application is incomplete.
recommendations for material changes to the
                                                   established credit relationships; or                17. Personal identifying information
Program.                                                                                             provided is not consistent with personal
   (c) Oversight of service provider                  d. An account that was closed for cause or
                                                   identified for abuse of account privileges by     identifying information that is on file with
arrangements. Whenever a financial                                                                   the financial institution or creditor.
institution or creditor engages a service          a financial institution or creditor.
                                                                                                       18. For financial institutions and creditors
provider to perform an activity in connection      Suspicious Documents                              that use challenge questions, the person
with one or more covered accounts the                                                                opening the covered account or the customer
financial institution or creditor should take         5. Documents provided for identification
                                                   appear to have been altered or forged.            cannot provide authenticating information
steps to ensure that the activity of the service                                                     beyond that which generally would be
provider is conducted in accordance with              6. The photograph or physical description
                                                   on the identification is not consistent with      available from a wallet or consumer report.
reasonable policies and procedures designed
to detect, prevent, and mitigate the risk of       the appearance of the applicant or customer       Unusual Use of, or Suspicious Activity
identity theft. For example, a financial           presenting the identification.                    Related to, the Covered Account
institution or creditor could require the             7. Other information on the identification        19. Shortly following the notice of a change
service provider by contract to have policies      is not consistent with information provided       of address for a covered account, the
and procedures to detect relevant Red Flags        by the person opening a new covered account       institution or creditor receives a request for
that may arise in the performance of the           or customer presenting the identification.        a new, additional, or replacement card or a
service provider’s activities, and either report      8. Other information on the identification     cell phone, or for the addition of authorized
the Red Flags to the financial institution or      is not consistent with readily accessible         users on the account.
creditor, or to take appropriate steps to          information that is on file with the financial       20. A new revolving credit account is used
prevent or mitigate identity theft.                institution or creditor, such as a signature      in a manner commonly associated with
                                                   card or a recent check.                           known patterns of fraud patterns. For
VII. Other Applicable Legal Requirements              9. An application appears to have been         example:
   Financial institutions and creditors should     altered or forged, or gives the appearance of        a. The majority of available credit is used
be mindful of other related legal                  having been destroyed and reassembled.            for cash advances or merchandise that is
requirements that may be applicable, such as:                                                        easily convertible to cash (e.g., electronics
                                                   Suspicious Personal Identifying Information
   (a) For financial institutions and creditors                                                      equipment or jewelry); or
that are subject to 31 U.S.C. 5318(g), filing a       10. Personal identifying information              b. The customer fails to make the first
Suspicious Activity Report in accordance           provided is inconsistent when compared            payment or makes an initial payment but no
with applicable law and regulation;                against external information sources used by      subsequent payments.
   (b) Implementing any requirements under         the financial institution or creditor. For           21. A covered account is used in a manner
15 U.S.C. 1681c–1(h) regarding the                 example:                                          that is not consistent with established
circumstances under which credit may be               a. The address does not match any address      patterns of activity on the account. There is,
extended when the financial institution or         in the consumer report; or                        for example:
creditor detects a fraud or active duty alert;        b. The Social Security Number (SSN) has           a. Nonpayment when there is no history of
   (c) Implementing any requirements for           not been issued, or is listed on the Social       late or missed payments;
furnishers of information to consumer              Security Administration’s Death Master File.         b. A material increase in the use of
reporting agencies under 15 U.S.C. 1681s–2,           11. Personal identifying information           available credit;
for example, to correct or update inaccurate       provided by the customer is not consistent           c. A material change in purchasing or
or incomplete information, and to not report       with other personal identifying information       spending patterns;
information that the furnisher has reasonable      provided by the customer. For example, there         d. A material change in electronic fund
cause to believe is inaccurate; and                is a lack of correlation between the SSN          transfer patterns in connection with a deposit
   (d) Complying with the prohibitions in 15       range and date of birth.                          account; or
U.S.C. 1681m on the sale, transfer, and               12. Personal identifying information              e. A material change in telephone call
placement for collection of certain debts          provided is associated with known                 patterns in connection with a cellular phone
resulting from identity theft.                     fraudulent activity as indicated by internal or   account.
                                                   third-party sources used by the financial            22. A covered account that has been
Supplement A to Appendix J                         institution or creditor. For example:             inactive for a reasonably lengthy period of
  In addition to incorporating Red Flags from         a. The address on an application is the        time is used (taking into consideration the
the sources recommended in section II.b. of        same as the address provided on a fraudulent      type of account, the expected pattern of usage
the Guidelines in Appendix J of this part,         application; or                                   and other relevant factors).
each financial institution or creditor may            b. The phone number on an application is          23. Mail sent to the customer is returned
consider incorporating into its Program,           the same as the number provided on a              repeatedly as undeliverable although
whether singly or in combination, Red Flags        fraudulent application.                           transactions continue to be conducted in
from the following illustrative examples in           13. Personal identifying information           connection with the customer’s covered
connection with covered accounts:                  provided is of a type commonly associated         account.
                                                   with fraudulent activity as indicated by             24. The financial institution or creditor is
Alerts, Notifications or Warnings from a           internal or third-party sources used by the       notified that the customer is not receiving
Consumer Reporting Agency                          financial institution or creditor. For example:   paper account statements.
  1. A fraud or active duty alert is included         a. The address on an application is               25. The financial institution or creditor is
with a consumer report.                            fictitious, a mail drop, or a prison; or          notified of unauthorized charges or
63768           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

transactions in connection with a customer’s      reasonable policies and procedures           reporting period in which it establishes
covered account.                                  designed to enable the user to form a        a relationship with the consumer.
Notice from Customers, Victims of Identity        reasonable belief that a consumer report     ■ 5. Add Subpart J to part 717 to read
Theft, Law Enforcement Authorities, or Other      relates to the consumer about whom it        as follows:
Persons Regarding Possible Identity Theft in      has requested the report, when the user
                                                                                               Subpart J—Identity Theft Red Flags
Connection With Covered Accounts Held by          receives a notice of address discrepancy.
the Financial Institution or Creditor                (2) Examples of reasonable policies       Sec.
                                                  and procedures. (i) Comparing the            717.90	 Duties regarding the detection,
  26. The financial institution or creditor is
                                                                                                    prevention, and mitigation of identity
notified by a customer, a victim of identity      information in the consumer report                theft.
theft, a law enforcement authority, or any        provided by the consumer reporting           717.91	 Duties of card issuers regarding
other person that it has opened a fraudulent      agency with information the user:                 changes of address.
account for a person engaged in identity             (A) Obtains and uses to verify the
theft.                                            consumer’s identity in accordance with       Subpart J—Identity Theft Red Flags
National Credit Union Administration              the requirements of the Customer
                                                                                               § 717.90 Duties regarding the detection,
 12 CFR Chapter VII                               Information Program (CIP) rules              prevention, and mitigation of identity theft.
                                                  implementing 31 U.S.C. 5318(l) (31 CFR
Authority and Issuance                            103.121);                                       (a) Scope. This section applies to a
                                                     (B) Maintains in its own records, such    financial institution or creditor that is a
■  For the reasons discussed in the joint
                                                  as applications, change of address           federal credit union.
preamble, the National Credit Union
                                                                                                  (b) Definitions. For purposes of this
Administration is amending part 717 of            notifications, other member account
                                                                                               section and Appendix J, the following
title 12, chapter VII, of the Code of             records, or retained CIP documentation;
                                                                                               definitions apply:
Federal Regulations as follows:                   or                                              (1) Account means a continuing
                                                     (C) Obtains from third-party sources;
PART 717—FAIR CREDIT REPORTING                                                                 relationship established by a person
                                                  or
                                                                                               with a federal credit union to obtain a
                                                     (ii) Verifying the information in the
■  1. The authority citation for part 717                                                      product or service for personal, family,
                                                  consumer report provided by the
is revised to read as follows:                                                                 household or business purposes.
                                                  consumer reporting agency with the
   Authority: 12 U.S.C. 1751 et seq.; 15 U.S.C.                                                Account includes:
                                                  consumer.
1681a, 1681b, 1681c, 1681m, 1681s, 1681s–                                                         (i) An extension of credit, such as the
                                                     (d) Consumer’s address—(1)
1, 1681t, 1681w, 6801 and 6805, Pub. L. 108–                                                   purchase of property or services
                                                  Requirement to furnish consumer’s
159, 117 Stat. 1952.                                                                           involving a deferred payment; and
                                                  address to a consumer reporting agency.         (ii) A share or deposit account.
Subpart A—General Provisions                      A user must develop and implement               (2) The term board of directors refers
                                                  reasonable policies and procedures for       to a federal credit union’s board of
■ 2. Amend § 717.3 by revising the                furnishing an address for the consumer       directors.
introductory text to read as follows:             that the user has reasonably confirmed          (3) Covered account means:
                                                  is accurate to the consumer reporting           (i) An account that a federal credit
§ 717.3   Definitions.                            agency from whom it received the             union offers or maintains, primarily for
  For purposes of this part, unless               notice of address discrepancy when the       personal, family, or household
explicitly stated otherwise:                      user:                                        purposes, that involves or is designed to
*     *     *     *    *                             (i) Can form a reasonable belief that     permit multiple payments or
■ 3. Revise the heading for Subpart I as
                                                  the consumer report relates to the           transactions, such as a credit card
shown below.                                      consumer about whom the user                 account, mortgage loan, automobile
                                                  requested the report;                        loan, checking account, or share
Subpart I—Duties of Users of                         (ii) Establishes a continuing             account; and
Consumer Reports Regarding Address                relationship with the consumer; and             (ii) Any other account that the federal
Discrepancies and Records Disposal                   (iii) Regularly and in the ordinary       credit union offers or maintains for
                                                  course of business furnishes information     which there is a reasonably foreseeable
■   4. Add § 717.82 to read as follows:           to the consumer reporting agency from        risk to members or to the safety and
                                                  which the notice of address discrepancy      soundness of the federal credit union
§ 717.82 Duties of users regarding address        relating to the consumer was obtained.
discrepancies.                                                                                 from identity theft, including financial,
                                                     (2) Examples of confirmation              operational, compliance, reputation, or
  (a) Scope. This section applies to a            methods. The user may reasonably             litigation risks.
user of consumer reports (user) that              confirm an address is accurate by:              (4) Credit has the same meaning as in
receives a notice of address discrepancy             (i) Verifying the address with the        15 U.S.C. 1681a(r)(5).
from a consumer reporting agency, and             consumer about whom it has requested            (5) Creditor has the same meaning as
that is federal credit union.                     the report;                                  in 15 U.S.C. 1681a(r)(5).
   (b) Definition. For purposes of this              (ii) Reviewing its own records to            (6) Customer means a member that
section, a notice of address discrepancy          verify the address of the consumer;          has a covered account with a federal
means a notice sent to a user by a                   (iii) Verifying the address through       credit union.
consumer reporting agency pursuant to             third-party sources; or                         (7) Financial institution has the same
15 U.S.C. 1681c(h)(1), that informs the              (iv) Using other reasonable means.        meaning as in 15 U.S.C. 1681a(t).
user of a substantial difference between             (3) Timing. The policies and                 (8) Identity theft has the same
the address for the consumer that the             procedures developed in accordance           meaning as in 16 CFR 603.2(a).
user provided to request the consumer             with paragraph (d)(1) of this section           (9) Red Flag means a pattern, practice,
report and the address(es) in the                 must provide that the user will furnish      or specific activity that indicates the
agency’s file for the consumer.                   the consumer’s address that the user has     possible existence of identity theft.
   (c) Reasonable belief—(1)                      reasonably confirmed is accurate to the         (10) Service provider means a person
Requirement to form a reasonable belief.          consumer reporting agency as part of the     that provides a service directly to the
A user must develop and implement                 information it regularly furnishes for the   federal credit union.
              Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                             63769

   (c) Periodic Identification of Covered       (4) Exercise appropriate and effective    provides under this paragraph must be
Accounts. Each federal credit union          oversight of service provider                clear and conspicuous and provided
must periodically determine whether it       arrangements.                                separately from its regular
offers or maintains covered accounts. As        (f) Guidelines. Each federal credit       correspondence with the cardholder.
a part of this determination, a federal      union that is required to implement a
                                             Program must consider the guidelines in      Appendices D–I [Reserved]
credit union must conduct a risk
assessment to determine whether it           Appendix J of this part and include in       ■ 6. Add and reserve appendices D
offers or maintains covered accounts         its Program those guidelines that are        through I to part 717.
described in paragraph (b)(3)(ii) of this    appropriate.                                 ■ 7. Add Appendix J to part 717 to read
section, taking into consideration:          § 717.91 Duties of card issuers regarding    as follows:
   (1) The methods it provides to open       changes of address.
its accounts;                                                                             Appendix J to Part 717—Interagency
   (2) The methods it provides to access        (a) Scope. This section applies to an     Guidelines on Identity Theft Detection,
its accounts; and                            issuer of a debit or credit card (card       Prevention, and Mitigation
   (3) Its previous experiences with         issuer) that is a federal credit union.
                                                (b) Definitions. For purposes of this        Section 717.90 of this part requires each
identity theft.                                                                           federal credit union that offers or maintains
   (d) Establishment of an Identity Theft    section:                                     one or more covered accounts, as defined in
                                                (1) Cardholder means a member who         § 717.90(b)(3) of this part, to develop and
Prevention Program. (1) Program
                                             has been issued a credit or debit card.      provide for the continued administration of
requirement. Each federal credit union          (2) Clear and conspicuous means
that offers or maintains one or more                                                      a written Program to detect, prevent, and
                                             reasonably understandable and                mitigate identity theft in connection with the
covered accounts must develop and            designed to call attention to the nature     opening of a covered account or any existing
implement a written Identity Theft           and significance of the information          covered account. These guidelines are
Prevention Program (Program) that is         presented.                                   intended to assist federal credit unions in the
designed to detect, prevent, and mitigate       (c) Address validation requirements.      formulation and maintenance of a Program
identity theft in connection with the        A card issuer must establish and             that satisfies the requirements of § 717.90 of
opening of a covered account or any                                                       this part.
                                             implement reasonable policies and
existing covered account. The Program        procedures to assess the validity of a       I. The Program
must be appropriate to the size and          change of address if it receives                In designing its Program, a federal credit
complexity of the federal credit union       notification of a change of address for a    union may incorporate, as appropriate, its
and the nature and scope of its              member’s debit or credit card account        existing policies, procedures, and other
activities.                                                                               arrangements that control reasonably
                                             and, within a short period of time
   (2) Elements of the Program. The                                                       foreseeable risks to members or to the safety
                                             afterwards (during at least the first 30     and soundness of the federal credit union
Program must include reasonable              days after it receives such notification),   from identity theft.
policies and procedures to:                  the card issuer receives a request for an
   (i) Identify relevant Red Flags for the                                                II. Identifying Relevant Red Flags
                                             additional or replacement card for the
covered accounts that the federal credit     same account. Under these                       (a) Risk Factors. A federal credit union
union offers or maintains, and                                                            should consider the following factors in
                                             circumstances, the card issuer may not       identifying relevant Red Flags for covered
incorporate those Red Flags into its         issue an additional or replacement card,     accounts, as appropriate:
Program;                                     until, in accordance with its reasonable        (1) The types of covered accounts it offers
   (ii) Detect Red Flags that have been      policies and procedures and for the          or maintains;
incorporated into the Program of the         purpose of assessing the validity of the        (2) The methods it provides to open its
federal credit union;                        change of address, the card issuer:          covered accounts;
   (iii) Respond appropriately to any Red       (1)(i) Notifies the cardholder of the        (3) The methods it provides to access its
Flags that are detected pursuant to          request:                                     covered accounts; and
paragraph (d)(2)(ii) of this section to         (A) At the cardholder’s former               (4) Its previous experiences with identity
prevent and mitigate identity theft; and                                                  theft.
                                             address; or                                     (b) Sources of Red Flags. Federal credit
   (iv) Ensure the Program (including the       (B) By any other means of                 unions should incorporate relevant Red Flags
Red Flags determined to be relevant) is      communication that the card issuer and       from sources such as:
updated periodically, to reflect changes     the cardholder have previously agreed           (1) Incidents of identity theft that the
in risks to members and to the safety        to use; and                                  federal credit union has experienced;
and soundness of the federal credit             (ii) Provides to the cardholder a            (2) Methods of identity theft that the
union from identity theft.                   reasonable means of promptly reporting       federal credit union has identified that reflect
   (e) Administration of the Program.        incorrect address changes; or                changes in identity theft risks; and
Each federal credit union that is               (2) Otherwise assesses the validity of       (3) Applicable supervisory guidance.
required to implement a Program must         the change of address in accordance             (c) Categories of Red Flags. The Program
                                                                                          should include relevant Red Flags from the
provide for the continued                    with the policies and procedures the         following categories, as appropriate.
administration of the Program and must:      card issuer has established pursuant to      Examples of Red Flags from each of these
   (1) Obtain approval of the initial        § 717.90 of this part.                       categories are appended as Supplement A to
written Program from either its board of        (d) Alternative timing of address         this Appendix J.
directors or an appropriate committee of     validation. A card issuer may satisfy the       (1) Alerts, notifications, or other warnings
the board of directors;                      requirements of paragraph (c) of this        received from consumer reporting agencies or
   (2) Involve the board of directors, an    section if it validates an address           service providers, such as fraud detection
appropriate committee thereof, or a          pursuant to the methods in paragraph         services;
designated employee at the level of                                                          (2) The presentation of suspicious
                                             (c)(1) or (c)(2) of this section when it
                                                                                          documents;
senior management in the oversight,          receives an address change notification,        (3) The presentation of suspicious personal
development, implementation and              before it receives a request for an          identifying information, such as a suspicious
administration of the Program;               additional or replacement card.              address change;
   (3) Train staff, as necessary, to            (e) Form of notice. Any written or           (4) The unusual use of, or other suspicious
effectively implement the Program; and       electronic notice that the card issuer       activity related to, a covered account; and
63770           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

   (5) Notice from members, victims of                (e) Changes in the business arrangements          (d) Complying with the prohibitions in 15
identity theft, law enforcement authorities, or    of the federal credit union, including             U.S.C. 1681m on the sale, transfer, and
other persons regarding possible identity          mergers, acquisitions, alliances, joint            placement for collection of certain debts
theft in connection with covered accounts          ventures, and service provider arrangements.       resulting from identity theft.
held by the federal credit union.                  VI. Methods for Administering the Program          Supplement A to Appendix J
III. Detecting Red Flags                              (a) Oversight of Program. Oversight by the        In addition to incorporating Red Flags from
   The Program’s policies and procedures           board of directors, an appropriate committee       the sources recommended in section II.b. of
should address the detection of Red Flags in       of the board, or a designated employee at the      the Guidelines in Appendix J of this part,
connection with the opening of covered             level of senior management should include:         each federal credit union may consider
accounts and existing covered accounts, such          (1) Assigning specific responsibility for the   incorporating into its Program, whether
as by:                                             Program’s implementation;                          singly or in combination, Red Flags from the
   (a) Obtaining identifying information              (2) Reviewing reports prepared by staff
                                                                                                      following illustrative examples in connection
about, and verifying the identity of, a person     regarding compliance by the federal credit
                                                                                                      with covered accounts:
opening a covered account, for example,            union with § 717.90 of this part; and
using the policies and procedures regarding           (3) Approving material changes to the           Alerts, Notifications or Warnings From a
identification and verification set forth in the   Program as necessary to address changing           Consumer Reporting Agency
Customer Identification Program rules              identity theft risks.                                 1. A fraud or active duty alert is included
implementing 31 U.S.C. 5318(l) (31 CFR                (b) Reports. (1) In general. Staff of the
                                                                                                      with a consumer report.
103.121); and                                      federal credit union responsible for
                                                                                                         2. A consumer reporting agency provides a
   (b) Authenticating members, monitoring          development, implementation, and
                                                                                                      notice of credit freeze in response to a
transactions, and verifying the validity of        administration of its Program should report
                                                                                                      request for a consumer report.
change of address requests, in the case of         to the board of directors, an appropriate
                                                                                                         3. A consumer reporting agency provides a
existing covered accounts.                         committee of the board, or a designated
                                                   employee at the level of senior management,        notice of address discrepancy, as defined in
IV. Preventing and Mitigating Identity Theft                                                          § 717.82(b) of this part.
                                                   at least annually, on compliance by the
   The Program’s policies and procedures           federal credit union with § 717.90 of this            4. A consumer report indicates a pattern of
should provide for appropriate responses to        part.                                              activity that is inconsistent with the history
the Red Flags the federal credit union has            (2) Contents of report. The report should       and usual pattern of activity of an applicant
detected that are commensurate with the            address material matters related to the            or member, such as:
degree of risk posed. In determining an            Program and evaluate issues such as: the              a. A recent and significant increase in the
appropriate response, a federal credit union       effectiveness of the policies and procedures       volume of inquiries;
should consider aggravating factors that may       of the federal credit union in addressing the         b. An unusual number of recently
heighten the risk of identity theft, such as a     risk of identity theft in connection with the      established credit relationships;
data security incident that results in             opening of covered accounts and with                  c. A material change in the use of credit,
unauthorized access to a member’s account          respect to existing covered accounts; service      especially with respect to recently
records held by the federal credit union or a      provider arrangements; significant incidents       established credit relationships; or
third party, or notice that a member has           involving identity theft and management’s             d. An account that was closed for cause or
provided information related to a covered          response; and recommendations for material         identified for abuse of account privileges by
account held by the federal credit union to        changes to the Program.                            a financial institution or creditor.
someone fraudulently claiming to represent            (c) Oversight of service provider               Suspicious Documents
the federal credit union or to a fraudulent        arrangements. Whenever a federal credit
website. Appropriate responses may include         union engages a service provider to perform           5. Documents provided for identification
the following:                                     an activity in connection with one or more         appear to have been altered or forged.
   (a) Monitoring a covered account for            covered accounts the federal credit union             6. The photograph or physical description
evidence of identity theft;                        should take steps to ensure that the activity      on the identification is not consistent with
   (b) Contacting the member;                      of the service provider is conducted in            the appearance of the applicant or member
   (c) Changing any passwords, security            accordance with reasonable policies and            presenting the identification.
codes, or other security devices that permit       procedures designed to detect, prevent, and           7. Other information on the identification
access to a covered account;                       mitigate the risk of identity theft. For           is not consistent with information provided
   (d) Reopening a covered account with a          example, a federal credit union could require      by the person opening a new covered account
new account number;                                the service provider by contract to have           or member presenting the identification.
   (e) Not opening a new covered account;          policies and procedures to detect relevant            8. Other information on the identification
   (f) Closing an existing covered account;        Red Flags that may arise in the performance        is not consistent with readily accessible
   (g) Not attempting to collect on a covered      of the service provider’s activities, and either   information that is on file with the federal
account or not selling a covered account to        report the Red Flags to the federal credit         credit union, such as a signature card or a
a debt collector;                                  union, or to take appropriate steps to prevent     recent check.
   (h) Notifying law enforcement; or               or mitigate identity theft.                           9. An application appears to have been
   (i) Determining that no response is                                                                altered or forged, or gives the appearance of
                                                   VII. Other Applicable Legal Requirements           having been destroyed and reassembled.
warranted under the particular
circumstances.                                        Federal credit unions should be mindful of
                                                   other related legal requirements that may be       Suspicious Personal Identifying Information
V. Updating the Program                            applicable, such as:                                  10. Personal identifying information
   Federal credit unions should update the            (a) Filing a Suspicious Activity Report         provided is inconsistent when compared
Program (including the Red Flags determined        under 31 U.S.C. 5318(g) and 12 CFR 748.1(c);       against external information sources used by
to be relevant) periodically, to reflect changes      (b) Implementing any requirements under         the federal credit union. For example:
in risks to members or to the safety and           15 U.S.C. 1681c–1(h) regarding the                    a. The address does not match any address
soundness of the federal credit union from         circumstances under which credit may be            in the consumer report; or
identity theft, based on factors such as:          extended when the federal credit union                b. The Social Security Number (SSN) has
   (a) The experiences of the federal credit       detects a fraud or active duty alert;              not been issued, or is listed on the Social
union with identity theft;                            (c) Implementing any requirements for           Security Administration’s Death Master File.
   (b) Changes in methods of identity theft;       furnishers of information to consumer                 11. Personal identifying information
   (c) Changes in methods to detect, prevent,      reporting agencies under 15 U.S.C. 1681s–2,        provided by the member is not consistent
and mitigate identity theft;                       for example, to correct or update inaccurate       with other personal identifying information
   (d) Changes in the types of accounts that       or incomplete information, and to not report       provided by the member. For example, there
the federal credit union offers or maintains;      information that the furnisher has reasonable      is a lack of correlation between the SSN
and                                                cause to believe is inaccurate; and                range and date of birth.
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                63771

   12. Personal identifying information              e. A material change in telephone call          report and the address(es) in the
provided is associated with known                 patterns in connection with a cellular phone       agency’s file for the consumer.
fraudulent activity as indicated by internal or   account.                                              (c) Reasonable belief. (1) Requirement
third-party sources used by the federal credit       22. A covered account that has been
union. For example:                               inactive for a reasonably lengthy period of        to form a reasonable belief. A user must
   a. The address on an application is the        time is used (taking into consideration the        develop and implement reasonable
same as the address provided on a fraudulent      type of account, the expected pattern of usage     policies and procedures designed to
application; or                                   and other relevant factors).                       enable the user to form a reasonable
   b. The phone number on an application is          23. Mail sent to the member is returned         belief that a consumer report relates to
the same as the number provided on a              repeatedly as undeliverable although               the consumer about whom it has
fraudulent application.                           transactions continue to be conducted in           requested the report, when the user
   13. Personal identifying information           connection with the member’s covered
provided is of a type commonly associated
                                                                                                     receives a notice of address discrepancy.
                                                  account.
with fraudulent activity as indicated by             24. The federal credit union is notified that      (2) Examples of reasonable policies
internal or third-party sources used by the       the member is not receiving paper account          and procedures. (i) Comparing the
federal credit union. For example:                statements.                                        information in the consumer report
   a. The address on an application is               25. The federal credit union is notified of     provided by the consumer reporting
fictitious, a mail drop, or prison; or            unauthorized charges or transactions in            agency with information the user:
   b. The phone number is invalid, or is          connection with a member’s covered                    (A) Obtains and uses to verify the
associated with a pager or answering service.     account.
   14. The SSN provided is the same as that
                                                                                                     consumer’s identity in accordance with
submitted by other persons opening an             Notice From Members, Victims of Identity           the requirements of the Customer
account or other members.                         Theft, Law Enforcement Authorities, or Other       Information Program (CIP) rules
   15. The address or telephone number            Persons Regarding Possible Identity Theft in       implementing 31 U.S.C. 5318(l) (31 CFR
provided is the same as or similar to the         Connection With Covered Accounts Held by           103.121);
account number or telephone number                the Federal Credit Union                              (B) Maintains in its own records, such
submitted by an unusually large number of           26. The federal credit union is notified by      as applications, change of address
other persons opening accounts or other           a member, a victim of identity theft, a law        notifications, other customer account
members.                                          enforcement authority, or any other person
   16. The person opening the covered                                                                records, or retained CIP documentation;
                                                  that it has opened a fraudulent account for
account or the member fails to provide all        a person engaged in identity theft.                or
required personal identifying information on                                                            (C) Obtains from third-party sources;
an application or in response to notification     FEDERAL TRADE COMMISSION                           or
that the application is incomplete.               16 CFR Part 681                                       (ii) Verifying the information in the
   17. Personal identifying information                                                              consumer report provided by the
provided is not consistent with personal          Authority and Issuance                             consumer reporting agency with the
identifying information that is on file with
                                                  ■ For the reasons discussed in the joint           consumer.
the federal credit union.
   18. For federal credit unions that use         preamble, the Commission is adding                    (d) Consumer’s address. (1)
challenge questions, the person opening the       part 681 of title 16 of the Code of                Requirement to furnish consumer’s
covered account or the member cannot              Federal Regulations as follows:                    address to a consumer reporting agency.
provide authenticating information beyond                                                            A user must develop and implement
that which generally would be available from      PART 681—IDENTITY THEFT RULES
                                                                                                     reasonable policies and procedures for
a wallet or consumer report.                      Sec.                                               furnishing an address for the consumer
                                                  681.1	 Duties of users of consumer reports         that the user has reasonably confirmed
Unusual Use of, or Suspicious Activity                 regarding address discrepancies.
Related to, the Covered Account                   681.2	 Duties regarding the detection,
                                                                                                     is accurate to the consumer reporting
   19. Shortly following the notice of a change        prevention, and mitigation of identity        agency from whom it received the
of address for a covered account, the                  theft.                                        notice of address discrepancy when the
institution or creditor receives a request for    681.3	 Duties of card issuers regarding            user:
a new, additional, or replacement card or a            changes of address.                              (i) Can form a reasonable belief that
cell phone, or for the addition of authorized                                                        the consumer report relates to the
users on the account.                             Appendix A to Part 681—Interagency
                                                  Guidelines on Identity Theft Detection,            consumer about whom the user
   20. A new revolving credit account is used                                                        requested the report;
in a manner commonly associated with              Prevention, and Mitigation
known patterns of fraud patterns. For                                                                   (ii) Establishes a continuing
                                                    Authority: Pub. L. 108–159, sec. 114 and         relationship with the consumer; and
example:                                          sec. 315; 15 U.S.C. 1681m(e) and 15 U.S.C.
   a. The majority of available credit is used                                                          (iii) Regularly and in the ordinary
                                                  1681c(h).
for cash advances or merchandise that is                                                             course of business furnishes information
easily convertible to cash (e.g., electronics     § 681.1 Duties of users regarding address          to the consumer reporting agency from
equipment or jewelry); or                         discrepancies.                                     which the notice of address discrepancy
   b. The member fails to make the first                                                             relating to the consumer was obtained.
payment or makes an initial payment but no
                                                    (a) Scope. This section applies to
                                                  users of consumer reports that are                    (2) Examples of confirmation
subsequent payments.
   21. A covered account is used in a manner      subject to administrative enforcement of           methods. The user may reasonably
that is not consistent with established           the FCRA by the Federal Trade                      confirm an address is accurate by:
patterns of activity on the account. There is,    Commission pursuant to 15 U.S.C.                      (i) Verifying the address with the
for example:                                      1681s(a)(1) (users).                               consumer about whom it has requested
   a. Nonpayment when there is no history of        (b) Definition. For purposes of this             the report;
late or missed payments;                          section, a notice of address discrepancy              (ii) Reviewing its own records to
   b. A material increase in the use of           means a notice sent to a user by a                 verify the address of the consumer;
available credit;
                                                  consumer reporting agency pursuant to                 (iii) Verifying the address through
   c. A material change in purchasing or
spending patterns;                                15 U.S.C. 1681c(h)(1), that informs the            third-party sources; or
   d. A material change in electronic fund        user of a substantial difference between              (iv) Using other reasonable means.
transfer patterns in connection with a deposit    the address for the consumer that the                 (3) Timing. The policies and
account; or                                       user provided to request the consumer              procedures developed in accordance
63772           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

with paragraph (d)(1) of this section              (6) Customer means a person that has      that is required to implement a Program
must provide that the user will furnish         a covered account with a financial           must provide for the continued
the consumer’s address that the user has        institution or creditor.                     administration of the Program and must:
reasonably confirmed is accurate to the            (7) Financial institution has the same       (1) Obtain approval of the initial
consumer reporting agency as part of the        meaning as in 15 U.S.C. 1681a(t).            written Program from either its board of
information it regularly furnishes for the         (8) Identity theft has the same           directors or an appropriate committee of
reporting period in which it establishes        meaning as in 16 CFR 603.2(a).               the board of directors;
a relationship with the consumer.                  (9) Red Flag means a pattern, practice,      (2) Involve the board of directors, an
                                                or specific activity that indicates the      appropriate committee thereof, or a
§ 681.2 Duties regarding the detection,         possible existence of identity theft.
prevention, and mitigation of identity theft.
                                                                                             designated employee at the level of
                                                   (10) Service provider means a person      senior management in the oversight,
   (a) Scope. This section applies to           that provides a service directly to the      development, implementation and
financial institutions and creditors that       financial institution or creditor.           administration of the Program;
are subject to administrative                      (c) Periodic Identification of Covered       (3) Train staff, as necessary, to
enforcement of the FCRA by the Federal          Accounts. Each financial institution or      effectively implement the Program; and
Trade Commission pursuant to 15                 creditor must periodically determine
                                                                                                (4) Exercise appropriate and effective
U.S.C. 1681s(a)(1).                             whether it offers or maintains covered
                                                                                             oversight of service provider
   (b) Definitions. For purposes of this        accounts. As a part of this
                                                                                             arrangements.
section, and Appendix A, the following          determination, a financial institution or
                                                                                                (f) Guidelines. Each financial
definitions apply:                              creditor must conduct a risk assessment
                                                                                             institution or creditor that is required to
   (1) Account means a continuing               to determine whether it offers or
                                                                                             implement a Program must consider the
relationship established by a person            maintains covered accounts described
                                                                                             guidelines in Appendix A of this part
with a financial institution or creditor to     in paragraph (b)(3)(ii) of this section,
                                                                                             and include in its Program those
obtain a product or service for personal,       taking into consideration:
                                                                                             guidelines that are appropriate.
family, household or business purposes.            (1) The methods it provides to open
Account includes:                               its accounts;                                § 681.3 Duties of card issuers regarding
   (i) An extension of credit, such as the         (2) The methods it provides to access     changes of address.
purchase of property or services                its accounts; and                              (a) Scope. This section applies to a
involving a deferred payment; and                  (3) Its previous experiences with         person described in § 681.2(a) that
   (ii) A deposit account.                      identity theft.                              issues a debit or credit card (card
   (2) The term board of directors                 (d) Establishment of an Identity Theft    issuer).
includes:                                       Prevention Program. (1) Program
                                                                                                (b) Definitions. For purposes of this
                                                requirement. Each financial institution
   (i) In the case of a branch or agency                                                     section:
                                                or creditor that offers or maintains one
of a foreign bank, the managing official                                                        (1) Cardholder means a consumer
                                                or more covered accounts must develop
in charge of the branch or agency; and                                                       who has been issued a credit or debit
                                                and implement a written Identity Theft
   (ii) In the case of any other creditor                                                    card.
                                                Prevention Program (Program) that is
that does not have a board of directors,                                                        (2) Clear and conspicuous means
                                                designed to detect, prevent, and mitigate
a designated employee at the level of                                                        reasonably understandable and
                                                identity theft in connection with the
senior management.                                                                           designed to call attention to the nature
                                                opening of a covered account or any
   (3) Covered account means:                   existing covered account. The Program        and significance of the information
   (i) An account that a financial              must be appropriate to the size and          presented.
institution or creditor offers or               complexity of the financial institution         (c) Address validation requirements.
maintains, primarily for personal,              or creditor and the nature and scope of      A card issuer must establish and
family, or household purposes, that             its activities.                              implement reasonable policies and
involves or is designed to permit                  (2) Elements of the Program. The          procedures to assess the validity of a
multiple payments or transactions, such         Program must include reasonable              change of address if it receives
as a credit card account, mortgage loan,        policies and procedures to:                  notification of a change of address for a
automobile loan, margin account, cell              (i) Identify relevant Red Flags for the   consumer’s debit or credit card account
phone account, utility account,                 covered accounts that the financial          and, within a short period of time
checking account, or savings account;           institution or creditor offers or            afterwards (during at least the first 30
and                                             maintains, and incorporate those Red         days after it receives such notification),
   (ii) Any other account that the              Flags into its Program;                      the card issuer receives a request for an
financial institution or creditor offers or        (ii) Detect Red Flags that have been      additional or replacement card for the
maintains for which there is a                  incorporated into the Program of the         same account. Under these
reasonably foreseeable risk to customers        financial institution or creditor;           circumstances, the card issuer may not
or to the safety and soundness of the              (iii) Respond appropriately to any Red    issue an additional or replacement card,
financial institution or creditor from          Flags that are detected pursuant to          until, in accordance with its reasonable
identity theft, including financial,            paragraph (d)(2)(ii) of this section to      policies and procedures and for the
operational, compliance, reputation, or         prevent and mitigate identity theft; and     purpose of assessing the validity of the
litigation risks.                                  (iv) Ensure the Program (including the    change of address, the card issuer:
   (4) Credit has the same meaning as in        Red Flags determined to be relevant) is         (1)(i) Notifies the cardholder of the
15 U.S.C. 1681a(r)(5).                          updated periodically, to reflect changes     request:
   (5) Creditor has the same meaning as         in risks to customers and to the safety         (A) At the cardholder’s former
in 15 U.S.C. 1681a(r)(5), and includes          and soundness of the financial               address; or
lenders such as banks, finance                  institution or creditor from identity           (B) By any other means of
companies, automobile dealers,                  theft.                                       communication that the card issuer and
mortgage brokers, utility companies,               (e) Administration of the Program.        the cardholder have previously agreed
and telecommunications companies.               Each financial institution or creditor       to use; and
                Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations                                       63773

   (ii) Provides to the cardholder a                  (3) Applicable supervisory guidance.               (i) Determining that no response is
reasonable means of promptly reporting                (c) Categories of Red Flags. The Program        warranted under the particular
incorrect address changes; or                      should include relevant Red Flags from the         circumstances.
   (2) Otherwise assesses the validity of          following categories, as appropriate.              V. Updating the Program
                                                   Examples of Red Flags from each of these
the change of address in accordance                categories are appended as Supplement A to            Financial institutions and creditors should
with the policies and procedures the               this Appendix A.                                   update the Program (including the Red Flags
card issuer has established pursuant to               (1) Alerts, notifications, or other warnings    determined to be relevant) periodically, to
§ 681.2 of this part.                              received from consumer reporting agencies or       reflect changes in risks to customers or to the
   (d) Alternative timing of address               service providers, such as fraud detection         safety and soundness of the financial
validation. A card issuer may satisfy the          services;                                          institution or creditor from identity theft,
                                                      (2) The presentation of suspicious              based on factors such as:
requirements of paragraph (c) of this                                                                    (a) The experiences of the financial
section if it validates an address                 documents;
                                                      (3) The presentation of suspicious personal     institution or creditor with identity theft;
pursuant to the methods in paragraph                                                                     (b) Changes in methods of identity theft;
                                                   identifying information, such as a suspicious
(c)(1) or (c)(2) of this section when it           address change;                                       (c) Changes in methods to detect, prevent,
receives an address change notification,              (4) The unusual use of, or other suspicious     and mitigate identity theft;
before it receives a request for an                activity related to, a covered account; and           (d) Changes in the types of accounts that
additional or replacement card.                       (5) Notice from customers, victims of           the financial institution or creditor offers or
   (e) Form of notice. Any written or              identity theft, law enforcement authorities, or    maintains; and
electronic notice that the card issuer             other persons regarding possible identity             (e) Changes in the business arrangements
                                                   theft in connection with covered accounts          of the financial institution or creditor,
provides under this paragraph must be                                                                 including mergers, acquisitions, alliances,
clear and conspicuous and provided                 held by the financial institution or creditor.
                                                                                                      joint ventures, and service provider
separately from its regular                        III. Detecting Red Flags                           arrangements.
correspondence with the cardholder.                   The Program’s policies and procedures           VI. Methods for Administering the Program
                                                   should address the detection of Red Flags in
Appendix A to Part 681—Interagency                 connection with the opening of covered                (a) Oversight of Program. Oversight by the
Guidelines on Identity Theft Detection,            accounts and existing covered accounts, such       board of directors, an appropriate committee
Prevention, and Mitigation                         as by:                                             of the board, or a designated employee at the
                                                      (a) Obtaining identifying information           level of senior management should include:
   Section 681.2 of this part requires each                                                              (1) Assigning specific responsibility for the
financial institution and creditor that offers     about, and verifying the identity of, a person
                                                   opening a covered account, for example,            Program’s implementation;
or maintains one or more covered accounts,                                                               (2) Reviewing reports prepared by staff
as defined in § 681.2(b)(3) of this part, to       using the policies and procedures regarding
                                                   identification and verification set forth in the   regarding compliance by the financial
develop and provide for the continued                                                                 institution or creditor with § 681.2 of this
administration of a written Program to detect,     Customer Identification Program rules
                                                   implementing 31 U.S.C. 5318(l) (31 CFR             part; and
prevent, and mitigate identity theft in                                                                  (3) Approving material changes to the
connection with the opening of a covered           103.121); and
                                                      (b) Authenticating customers, monitoring        Program as necessary to address changing
account or any existing covered account.                                                              identity theft risks.
These guidelines are intended to assist            transactions, and verifying the validity of
                                                   change of address requests, in the case of            (b) Reports. (1) In general. Staff of the
financial institutions and creditors in the                                                           financial institution or creditor responsible
formulation and maintenance of a Program           existing covered accounts.
                                                                                                      for development, implementation, and
that satisfies the requirements of § 681.2 of      IV. Preventing and Mitigating Identity Theft       administration of its Program should report
this part.                                            The Program’s policies and procedures           to the board of directors, an appropriate
I. The Program                                     should provide for appropriate responses to        committee of the board, or a designated
   In designing its Program, a financial           the Red Flags the financial institution or         employee at the level of senior management,
institution or creditor may incorporate, as        creditor has detected that are commensurate        at least annually, on compliance by the
appropriate, its existing policies, procedures,    with the degree of risk posed. In determining      financial institution or creditor with § 681.2
and other arrangements that control                an appropriate response, a financial               of this part.
reasonably foreseeable risks to customers or       institution or creditor should consider               (2) Contents of report. The report should
to the safety and soundness of the financial       aggravating factors that may heighten the risk     address material matters related to the
institution or creditor from identity theft.       of identity theft, such as a data security         Program and evaluate issues such as: The
                                                   incident that results in unauthorized access       effectiveness of the policies and procedures
II. Identifying Relevant Red Flags                 to a customer’s account records held by the        of the financial institution or creditor in
   (a) Risk Factors. A financial institution or    financial institution, creditor, or third party,   addressing the risk of identity theft in
creditor should consider the following factors     or notice that a customer has provided             connection with the opening of covered
in identifying relevant Red Flags for covered      information related to a covered account held      accounts and with respect to existing covered
accounts, as appropriate:                          by the financial institution or creditor to        accounts; service provider arrangements;
   (1) The types of covered accounts it offers     someone fraudulently claiming to represent         significant incidents involving identity theft
or maintains;                                      the financial institution or creditor or to a      and management’s response; and
   (2) The methods it provides to open its         fraudulent website. Appropriate responses          recommendations for material changes to the
covered accounts;                                  may include the following:                         Program.
   (3) The methods it provides to access its          (a) Monitoring a covered account for               (c) Oversight of service provider
covered accounts; and                              evidence of identity theft;                        arrangements. Whenever a financial
   (4) Its previous experiences with identity         (b) Contacting the customer;                    institution or creditor engages a service
theft.                                                (c) Changing any passwords, security            provider to perform an activity in connection
   (b) Sources of Red Flags. Financial             codes, or other security devices that permit       with one or more covered accounts the
institutions and creditors should incorporate      access to a covered account;                       financial institution or creditor should take
relevant Red Flags from sources such as:              (d) Reopening a covered account with a          steps to ensure that the activity of the service
   (1) Incidents of identity theft that the        new account number;                                provider is conducted in accordance with
financial institution or creditor has                 (e) Not opening a new covered account;          reasonable policies and procedures designed
experienced;                                          (f) Closing an existing covered account;        to detect, prevent, and mitigate the risk of
   (2) Methods of identity theft that the             (g) Not attempting to collect on a covered      identity theft. For example, a financial
financial institution or creditor has identified   account or not selling a covered account to        institution or creditor could require the
that reflect changes in identity theft risks;      a debt collector;                                  service provider by contract to have policies
and                                                   (h) Notifying law enforcement; or               and procedures to detect relevant Red Flags
63774           Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

that may arise in the performance of the              8. Other information on the identification     a new, additional, or replacement card or a
service provider’s activities, and either report   is not consistent with readily accessible         cell phone, or for the addition of authorized
the Red Flags to the financial institution or      information that is on file with the financial    users on the account.
creditor, or to take appropriate steps to          institution or creditor, such as a signature         20. A new revolving credit account is used
prevent or mitigate identity theft.                card or a recent check.                           in a manner commonly associated with
VII. Other Applicable Legal Requirements              9. An application appears to have been         known patterns of fraud patterns. For
                                                   altered or forged, or gives the appearance of     example:
  Financial institutions and creditors should      having been destroyed and reassembled.               a. The majority of available credit is used
be mindful of other related legal                                                                    for cash advances or merchandise that is
requirements that may be applicable, such as:      Suspicious Personal Identifying Information       easily convertible to cash (e.g., electronics
  (a) For financial institutions and creditors        10. Personal identifying information           equipment or jewelry); or
that are subject to 31 U.S.C. 5318(g), filing a    provided is inconsistent when compared               b. The customer fails to make the first
Suspicious Activity Report in accordance           against external information sources used by      payment or makes an initial payment but no
with applicable law and regulation;                the financial institution or creditor. For        subsequent payments.
  (b) Implementing any requirements under          example:                                             21. A covered account is used in a manner
15 U.S.C. 1681c–1(h) regarding the                    a. The address does not match any address      that is not consistent with established
circumstances under which credit may be            in the consumer report; or                        patterns of activity on the account. There is,
extended when the financial institution or            b. The Social Security Number (SSN) has        for example:
creditor detects a fraud or active duty alert;     not been issued, or is listed on the Social          a. Nonpayment when there is no history of
  (c) Implementing any requirements for            Security Administration’s Death Master File.      late or missed payments;
furnishers of information to consumer                 11. Personal identifying information              b. A material increase in the use of
reporting agencies under 15 U.S.C. 1681s–2,        provided by the customer is not consistent        available credit;
for example, to correct or update inaccurate       with other personal identifying information          c. A material change in purchasing or
or incomplete information, and to not report                                                         spending patterns;
                                                   provided by the customer. For example, there
information that the furnisher has reasonable                                                           d. A material change in electronic fund
                                                   is a lack of correlation between the SSN
cause to believe is inaccurate; and                                                                  transfer patterns in connection with a deposit
                                                   range and date of birth.
  (d) Complying with the prohibitions in 15                                                          account; or
                                                      12. Personal identifying information
U.S.C. 1681m on the sale, transfer, and                                                                 e. A material change in telephone call
                                                   provided is associated with known
placement for collection of certain debts                                                            patterns in connection with a cellular phone
                                                   fraudulent activity as indicated by internal or
resulting from identity theft.                                                                       account.
                                                   third-party sources used by the financial
Supplement A to Appendix A                         institution or creditor. For example:                22. A covered account that has been
                                                      a. The address on an application is the        inactive for a reasonably lengthy period of
   In addition to incorporating Red Flags from                                                       time is used (taking into consideration the
the sources recommended in section II.b. of        same as the address provided on a fraudulent
                                                   application; or                                   type of account, the expected pattern of usage
the Guidelines in Appendix A of this part,                                                           and other relevant factors).
each financial institution or creditor may            b. The phone number on an application is
                                                   the same as the number provided on a                 23. Mail sent to the customer is returned
consider incorporating into its Program,                                                             repeatedly as undeliverable although
whether singly or in combination, Red Flags        fraudulent application.
                                                      13. Personal identifying information           transactions continue to be conducted in
from the following illustrative examples in                                                          connection with the customer’s covered
connection with covered accounts:                  provided is of a type commonly associated
                                                   with fraudulent activity as indicated by          account.
Alerts, Notifications or Warnings from a           internal or third-party sources used by the          24. The financial institution or creditor is
Consumer Reporting Agency                          financial institution or creditor. For example:   notified that the customer is not receiving
                                                      a. The address on an application is            paper account statements.
   1. A fraud or active duty alert is included
                                                   fictitious, a mail drop, or a prison; or             25. The financial institution or creditor is
with a consumer report.
                                                      b. The phone number is invalid, or is          notified of unauthorized charges or
   2. A consumer reporting agency provides a
notice of credit freeze in response to a           associated with a pager or answering service.     transactions in connection with a customer’s
request for a consumer report.                        14. The SSN provided is the same as that       covered account.
   3. A consumer reporting agency provides a       submitted by other persons opening an             Notice from Customers, Victims of Identity
notice of address discrepancy, as defined in       account or other customers.                       Theft, Law Enforcement Authorities, or Other
§ 681.1(b) of this part.                              15. The address or telephone number            Persons Regarding Possible Identity Theft in
   4. A consumer report indicates a pattern of     provided is the same as or similar to the         Connection With Covered Accounts Held by
activity that is inconsistent with the history     account number or telephone number                the Financial Institution or Creditor
and usual pattern of activity of an applicant      submitted by an unusually large number of
                                                                                                       26. The financial institution or creditor is
or customer, such as:                              other persons opening accounts or other
                                                                                                     notified by a customer, a victim of identity
   a. A recent and significant increase in the     customers.
                                                                                                     theft, a law enforcement authority, or any
volume of inquiries;                                  16. The person opening the covered
                                                                                                     other person that it has opened a fraudulent
   b. An unusual number of recently                account or the customer fails to provide all
                                                                                                     account for a person engaged in identity
established credit relationships;                  required personal identifying information on
                                                                                                     theft.
   c. A material change in the use of credit,      an application or in response to notification
especially with respect to recently                that the application is incomplete.                 Dated: October 5, 2007.
established credit relationships; or                  17. Personal identifying information           John C. Dugan,
   d. An account that was closed for cause or      provided is not consistent with personal          Comptroller of the Currency.
identified for abuse of account privileges by      identifying information that is on file with
a financial institution or creditor.               the financial institution or creditor.              By order of the Board of Governors of the
                                                      18. For financial institutions and creditors   Federal Reserve System, October 29, 2007.
Suspicious Documents                                                                                 Jennifer J. Johnson,
                                                   that use challenge questions, the person
   5. Documents provided for identification        opening the covered account or the customer       Secretary of the Board.
appear to have been altered or forged.             cannot provide authenticating information
   6. The photograph or physical description       beyond that which generally would be                Dated at Washington, DC, this 16th day of
on the identification is not consistent with       available from a wallet or consumer report.       October, 2007.
the appearance of the applicant or customer                                                            By order of the Board of Directors.
presenting the identification.                     Unusual Use of, or Suspicious Activity
                                                   Related to, the Covered Account                   Federal Deposit Insurance Corporation.
   7. Other information on the identification
                                                                                                     Robert E. Feldman,
is not consistent with information provided          19. Shortly following the notice of a change
by the person opening a new covered account        of address for a covered account, the             Executive Secretary.
or customer presenting the identification.         institution or creditor receives a request for      Dated: October 24, 2007.
                 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations   63775

  By the Office of Thrift Supervision.
John M. Reich,
Director.
  By order of the National Credit Union
Administration Board, October 15, 2007.
Mary Rupp,
Secretary of the Board.
  By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 07–5453 Filed 11–8–07; 8:45 am]
BILLING CODE 4810–33–P; 6210–01–P; 6714–01–P;
6720–01–P; 7535–01–P; 6750–01–P