OCC 2006-32 OCC Bulletin Subject: Identity Theft Red Flags and Address Discrepancies Description: Proposed Rule Date: July 27, 2006 TO: Chief Executive Officers and Compliance Officers of All National Banks, Federal Branches and Agencies, Third-Party Service Providers, Department and Division Heads, and All Examining Personnel The federal financial institution regulatory agencies and the Federal Trade Commission (agencies) are soliciting comments on the attached Notice of Proposed Rulemaking (NPRM) titled "Identity Theft Red Flags and Address Discrepancies" that was published in the Federal Register on July 18, 2006. The NPRM implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003, which requires the agencies to issue regulations and guidelines. The regulations that the agencies are jointly proposing under section 114 would require eachfinancial institution and creditor to develop and implement a written identity theft prevention Program (program) that includes policies and procedures for detecting, preventing and mitigating identity theft in connection with account openings and existing accounts. The program is required to be risk based and must be tailored to the size and complexity of each financial institution or creditor and the nature and scope of its activities. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that raise a "red flag" signaling a possible risk of identity theft. An institution or creditor would be required to incorporate into its program those red flags from the guidelines that are relevant to detecting the risks of identity theft to its customers or its own safety and soundness. Given the changing nature of identity theft, an institution or creditor also would be required to incorporate additional red flags on an ongoing basis from its own experiences, supervisory guidance, and other methods of identity theft the institution or creditor has identified. Under the proposed regulations, the program must include policies and procedures for verifying the identity of persons opening new accounts, detecting any red flags that are relevant to its operations, and implementing a mitigation strategy appropriate to the identified level of risk. The proposed regulations implementing section 114 also would require credit card and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address followed closely by a request for an additional or replacement card. Additional proposed regulations implementing section 315 would require users of consumer reports, such as banks that use credit reports, to develop reasonable policies and proceduresregarding notices of address discrepancies they receive from a consumer reporting agency (CRA). If a user of a consumer report receives notice from a CRA that a consumer's address it has provided to obtain the report "substantially differs" from the consumer's address in the CRA's file, the user must provide the CRA with an address for the consumer that the user has reasonably confirmed to be accurate. Comments on the NPRM must be submitted by September 18, 2006. For questions concerning the proposed rule, contact Amy Friend, assistant chief counsel, at (202) 874-5200; Deborah Katz, senior counsel, Legislative and Regulatory Activities Division, at (202) 874-5090; or Paul Utterback, national bank examiner, Compliance Policy, at (202) 874-5461. _________________________________________ Julie L. Williams First Senior Deputy Comptroller and Chief Counsel Attachment - 71 FR 40786 [http://www.occ.treas.gov/fr/fedrgister/71fr40786.pdf]