TO: |
Chief Executive Officers and Compliance Officers of All National Banks, Federal Branches and Agencies, Third-Party Service Providers, Department and Division Heads, and All Examining Personnel
|
The federal financial institution regulatory
agencies and the Federal Trade Commission (agencies) are issuing a
final rulemaking titled “Identity Theft Red Flags and Address
Discrepancies” to implement sections 114 and 315 of the Fair and
Accurate Credit Transactions Act of 2003. Covered financial
institutions and creditors will have until November 1, 2008, to
comply with the final rules.
The final rules implementing section 114 require each financial
institution and creditor that holds “covered accounts” to develop
and implement a written identity theft prevention program that
includes policies and procedures for detecting, preventing, and
mitigating identity theft in connection with account openings and
existing accounts. A covered account is any consumer account, or any
other account that the financial institution or creditor offers or
maintains for which there is a reasonably foreseeable risk to
consumers or to the safety and soundness of the financial
institution or creditor from identity theft.
The agencies are issuing guidelines to assist covered entities in
developing and implementing an identity theft prevention program.
The guidelines include a supplement that identifies 26 patterns,
practices, and specific forms of activity that are “red flags”
signaling possible identity theft. Entities may consider these
examples in identifying red flags that are relevant to detecting
identity theft in connection with their own operations.
The final rules implementing section 114 also require credit card
and debit card issuers to develop policies and procedures to assess
the validity of a notification of a change of address followed
closely by a request for an additional or a replacement card.
Additional rules implementing section 315 require users of
consumer reports, such as banks that use credit reports, to develop
reasonable policies and procedures regarding notices of address
discrepancies they receive from a consumer reporting agency (CRA).
If a user of a consumer report receives notice from a CRA that a
consumer’s address it has provided to obtain the report
“substantially differs” from the consumer’s address in the CRA’s
file, the user must provide the CRA with an address for the consumer
that the user has reasonably confirmed is accurate.
For questions concerning the final rulemaking, contact Amy
Friend, Assistant Chief Counsel, at (202) 874-5200; Deborah Katz,
Senior Counsel, or Andra Shuster, Special Counsel, Legislative and
Regulatory Activities Division, at (202) 874-5090; or Paul
Utterback, National Bank Examiner, Compliance Policy Division, at
(202) 874-4428.
/signed/
Julie L. Williams
First Senior Deputy Comptroller and Chief Counsel
|
Attachment: Final
Rulemaking
[http://www.occ.treas.gov/fr/fedrgister/72fr63718.pdf]
|