Friday, November 9, 2007

Part IV

Department of the Treasury
Office of the Comptroller of the Currency
12 CFR Part 41

Federal Reserve System
12 CFR Part 222

Federal Deposit Insurance Corporation
12 CFR Parts 334 and 364

Department of the Treasury
Office of Thrift Supervision
12 CFR Part 571

National Credit Union Administration
12 CFR Part 717

Federal Trade Commission
16 CFR Part 681

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule
63718 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 41
[Docket ID OCC–2007–0017]
RIN 1557–AC87

FEDERAL RESERVE SYSTEM
12 CFR Part 222
[Docket No. R–1255]

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 334 and 364
RIN 3064–AD00

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket No. OTS–2007–0019]
RIN 1550–AC04

NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 717

FEDERAL TRADE COMMISSION
16 CFR Part 681
RIN 3084–AA94

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); and Federal Trade Commission (FTC or Commission).

ACTION: Joint final rules and guidelines.

SUMMARY: The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) are jointly issuing final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. The rules implementing section 114 require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. In addition, the Agencies are issuing guidelines to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the rules. The rules implementing section 114 also require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. Additionally, the Agencies are issuing joint rules under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.

DATES: The joint final rules and guidelines are effective January 1, 2008. The mandatory compliance date for this rule is November 1, 2008.

FOR FURTHER INFORMATION CONTACT:

OCC: Amy Friend, Assistant Chief Counsel, (202) 874–5200; Deborah Katz, Senior Counsel, or Andra Shuster, Special Counsel, Legislative and Regulatory Activities Division, (202) 874–5090; Paul Utterback, Compliance Specialist, Compliance Department, (202) 874–5461; or Aida Plaza Carter, Director, Bank Information Technology, (202) 874–4740, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.

Board: David A. Stein or Ky Tran-Trong, Counsels, or Amy Burke, Attorney, Division of Consumer and Community Affairs, (202) 452–3667; Kara L. Handzlik, Attorney, Legal Division, (202) 452–3852; or John Gibbons, Supervisory Financial Analyst, Division of Banking Supervision and Regulation, (202) 452–6409, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551.

FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898–3872, or David P. Lafleur, Policy Analyst, (202) 898–6569, Division of Supervision and Consumer Protection; Richard M. Schwartz, Counsel, (202) 898–7424, or Richard B. Foley, Counsel, (202) 898–3784, Legal Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

OTS: Ekita Mitchell, Consumer Regulations Analyst, Compliance and Consumer Protection, (202) 906–6451; Kathleen M. McNulty, Technology Program Manager, Information Technology Risk Management, (202) 906–6322; or Richard Bennett, Senior Compliance Counsel, Regulations and Legislation Division, (202) 906–7409, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.

NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518–6540, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314–3428.

FTC: Naomi B. Lefkovitz, Attorney, or Pavneet Singh, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326–2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington DC 20580.

SUPPLEMENTARY INFORMATION:

I. Introduction

The President signed the FACT Act into law on December 4, 2003.[1] The FACT Act added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 et seq. Section 114 of the FACT Act, 15 U.S.C. 1681m(e), amends section 615 of the FCRA, and directs the Agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances.[2] Section 315 of the FACT Act, 15 U.S.C. 1681c(h), adds a new section 605(h)(2) to the FCRA requiring the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.

On July 18, 2006, the Agencies published a joint notice of proposed rulemaking (NPRM) in the Federal Register (71 FR 40786) proposing rules and guidelines to implement section 114 and proposing rules to implement section 315 of the FACT Act. The public comment period closed on September 18, 2006. The Agencies collectively received a total of 129 comments in response to the NPRM, although many commenters sent copies of the same letter to each of the Agencies. The comments included 63 from financial institutions, 12 from financial institution holding companies, 23 from financial institution trade associations, 12 from individuals, nine from other trade associations, five from other business entities, three from consumer

[1] Pub. L. 108–159.

[2] Section 111 of the FACT Act defines “identity theft” as “a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade] Commission may prescribe, by regulation.” 15 U.S.C. 1681a(q)(3).
groups,[3] one from a member of Congress, and one from the United States Small Business Administration (SBA).

II. Section 114 of the FACT Act

A. Red Flag Regulations and Guidelines

1. Background

Section 114 of the FACT Act requires the Agencies to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. Section 114 also directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or “customer.”[4]

In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures issued under section 326 of the USA PATRIOT Act,[5] 31 U.S.C. 5318(l), that require verification of the identity of persons opening new accounts. The Agencies also must consider including reasonable guidelines that would apply when a transaction occurs in connection with a consumer’s credit or deposit account that has been inactive for two years. These guidelines would provide that in such circumstances, a financial institution or creditor “shall follow reasonable policies and procedures” for notifying the consumer, “in a manner reasonably designed to reduce the likelihood of identity theft.”

2. Overview of Proposal and Comments Received

The Agencies proposed to implement section 114 through regulations requiring each financial institution and creditor to implement a written Program to detect, prevent and mitigate identity theft in connection with the opening of an account or any existing account. The Agencies also proposed guidelines that identified 31 patterns, practices, and specific forms of activity that indicate a possible risk of identity theft. The proposed regulations required each financial institution and creditor to incorporate into its Program relevant indicators of a possible risk of identity theft (Red Flags), including indicators from among those listed in the guidelines. To promote flexibility and responsiveness to the changing nature of identity theft, the proposed rules also stated that covered entities would need to include in their Programs relevant Red Flags from applicable supervisory guidance, their own experiences, and methods that the entity had identified that reflect changes in identity theft risks.

The Agencies invited comment on all aspects of the proposed regulations and guidelines implementing section 114, and specifically requested comment on whether the elements described in section 114 had been properly allocated between the proposed regulations and the proposed guidelines.

Consumer groups maintained that the proposed regulations provided too much discretion to financial institutions and creditors to decide which accounts and Red Flags to include in their Programs and how to respond to those Red Flags. These commenters stated that the flexible and risk-based approach taken in the proposed rulemaking would permit “business as usual.”

Some small financial institutions also expressed concern about the flexibility afforded by the proposal. These commenters stated that they preferred to have clearer, more structured guidance describing exactly how to develop and implement a Program and what they would need to do to achieve compliance.

Most commenters, however, including many financial institutions and creditors, asserted that the proposal was overly prescriptive, contained requirements beyond those mandated in the FACT Act, would be costly and burdensome to implement, and would complicate the existing efforts of financial institutions and creditors to detect and prevent identity theft. Some industry commenters asserted that the rulemaking was unnecessary because large businesses, such as banks and telecommunications companies, already are motivated to prevent identity theft and other forms of fraud in order to limit their own financial losses. Financial institution commenters maintained that they are already doing most of what would be required by the proposal as a result of having to comply with the customer identification program (CIP) regulations implementing section 326 of the USA PATRIOT Act[6] and other existing requirements. These commenters suggested that the regulations and guidelines take the form of broad objectives modeled on the objectives set forth in the “Interagency Guidelines Establishing Information Security Standards” (Information Security Standards).[7] A few financial institution commenters asserted that the primary cause of identity theft is the lack of care on the part of the consumer. They stated that consumers should be held responsible for protecting their own identifying information.

The Agencies have modified the proposed rules and guidelines in light of the comments received. An overview of the final rules, guidelines, and supplement, a discussion of the comments, and the specific manner in which the proposed rules and guidelines have been modified, follows.

3. Overview of final rules and guidelines

The Agencies are issuing final rules and guidelines that provide both flexibility and more guidance to financial institutions and creditors. The final rules also require the Program to address accounts where identity theft is most likely to occur. The final rules also describe which financial institutions and creditors are required to have a Program, the objectives of the Program, the elements that the Program must contain, and how the Program must be administered.

Under the final rules, only those financial institutions and creditors that offer or maintain “covered accounts” must develop and implement a written Program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Each financial institution and creditor must periodically determine whether it offers or maintains a “covered account.”

The final regulations provide that the Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. In addition, the Program must be tailored to the entity’s size, complexity and nature of its operations.

[3] One of these letters represented the comments of five consumer groups.

[4] Use of the term “customer,” here, appears to be a drafting error and likely should read “creditor.”

[5] Pub. L. 107–56.

[6] See, e.g., 31 CFR 103.121 (applicable to banks, thrifts and credit unions and certain non-federally regulated banks).

[7] 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions).
The final regulations list the four basic elements that must be included in the Program of a financial institution or creditor. The Program must contain “reasonable policies and procedures” to:

• Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
• Detect Red Flags that have been incorporated into the Program;
• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
• Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.

In order to provide financial institutions and creditors with more flexibility in developing a Program, the Agencies have moved certain detail formerly contained in the proposed regulations to the guidelines located in Appendix J. This detailed guidance should assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulations to detect, prevent, and mitigate identity theft. Each financial institution or creditor that is required to implement a Program must consider the guidelines and include in its Program those guidelines that are appropriate. The guidelines provide policies and procedures for use by institutions and creditors, where appropriate, to satisfy the requirements of the final rules, including the four elements listed above. While an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program, the Program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rules. The illustrative examples of Red Flags formerly in Appendix J are now listed in a supplement to the guidelines.

4. Section-by-Section Analysis[8]

Section __.90(a) Purpose and Scope

Proposed § __.90(a) described the statutory authority for the proposed regulations, namely, section 114 of the FACT Act. It also defined the scope of this section; each of the Agencies proposed tailoring this paragraph to describe those entities to which this section would apply. The Agencies received no comments on this section, and it is adopted as proposed.

Section __.90(b) Definitions

Proposed § __.90(b) contained definitions of various terms that applied to the proposed rules and guidelines. While § __.90(b) of the final rules continues to describe the definitions applicable to the final rules and guidelines, changes have been made to address the comments, as follows.

Section __.90(b)(1) Account. The Agencies proposed using the term “account” to describe the relationships covered by section 114 that an account holder or customer may have with a financial institution or creditor.[9] The proposed definition of “account” was “a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).” The definition also gave examples of types of “accounts.”

Some commenters stated that the regulations do not need a definition of “account” to give effect to their terms. Some commenters maintained that a new definition for “account” would be confusing as this term is already defined inconsistently in several regulations and in section 615(e) of the FCRA. These commenters recommended that the Agencies use the term “continuing relationship” instead, and define this phrase in a manner consistent with the Agencies’ privacy rules[10] implementing Title V of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801.[11] These commenters urged that the definition of “account” not be expanded to include relationships that are not “continuing.” They stated that it would be very burdensome to gather and maintain information on non-customers for one-time transactions. Other commenters suggested defining the term “account” in a manner consistent with the CIP rules.

Many commenters stated that defining “account” to cover both consumer and business accounts was too broad, exceeded the scope of the FACT Act, and would make the regulation too burdensome. These commenters recommended limiting the scope of the regulations and guidelines to cover only consumer financial services, specifically accounts established for personal, family and household purposes, because these types of accounts typically are targets of identity theft. They asserted that identity theft has not historically been common in connection with business or commercial accounts.

Consumer groups maintained that the proposed definition of “account” was too narrow. They explained that because the proposed definition was tied to financial products and services that can be offered under the Bank Holding Company Act, it inappropriately excluded certain transactions involving creditors that are not financial institutions that should be covered by the regulations. Some of these commenters recommended that the definition of “account” include any relationship with a financial institution or creditor in which funds could be intercepted or credit could be extended, as well as any other transaction which could obligate an individual or other covered entity, including transactions that do not result in a continuing relationship. Others suggested that there should be no flexibility to exclude any account that is held by an individual or which generates information about individuals that reflects on their financial or credit reputations.

The Agencies have modified the definition of “account” to address these comments. First, the final rules now apply to “covered accounts,” a term that the Agencies have added to the definition section to eliminate

[8] The OCC, Board, FDIC, OTS and NCUA are placing the regulations and guidelines implementing section 114 in the part of their regulations that implement the FCRA—12 CFR parts 41, 222, 334, 571, and 717, respectively. In addition, the FDIC cross-references the regulations and guidelines in 12 CFR part 364. For ease of reference, the discussion in this preamble uses the shared numerical suffix of each of these agency’s regulations. The FTC also is placing the final regulations and guidelines in the part of its regulations implementing the FCRA, specifically 16 CFR part 681. However, the FTC uses different numerical suffixes that equate to the numerical suffixes discussed in the preamble as follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 = FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition, Appendix J referenced in the preamble is the FTC’s Appendix A.

[9] The Agencies acknowledged that section 114 does not use the term “account” and, in other contexts, the FCRA defines the term “account” narrowly to describe certain consumer deposit or asset accounts. See 15 U.S.C. 1681a(r)(4).

[10] See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716 (NCUA); and 16 CFR 313 (FTC).

[11] Pub. L. 106–102.
confusion between these rules and other rules that apply to an “account.” The Agencies have retained a definition of “account” simply to clarify and provide context for the definition of “covered account.”

Section 114 provides broad discretion to the Agencies to prescribe regulations and guidelines to address identity theft. The terminology in section 114 is not confined to “consumer” accounts. While identity theft primarily has been directed at consumers, the Agencies are aware that small businesses also have been targets of identity theft. Over time, identity theft could expand to affect other types of accounts. Thus, the definition of “account” in § __.90(b)(1) of the final rules continues to cover any relationship to obtain a product or service that an account holder or customer may have with a financial institution or creditor.[12] Through examples, the definition makes clear that the purchase of property or services involving a deferred payment is considered to be an account.

Although the definition of “account” includes business accounts, the risk-based nature of the final rules allows each financial institution or creditor flexibility to determine which business accounts will be covered by its Program through a risk evaluation process.

The Agencies also recognize that a person may establish a relationship with a creditor, such as an automobile dealer or a telecommunications provider, primarily to obtain a product or service that is not financial in nature. To make clear that an “account” includes relationships with creditors that are not financial institutions, the definition is no longer tied to the provision of “financial” products and services. Accordingly, the Agencies have deleted the reference to the Bank Holding Company Act.

The definition of “account” still includes the words “continuing relationship.” The Agencies have determined that, at this time, the burden that would be imposed upon financial institutions and creditors by a requirement to detect, prevent and mitigate identity theft in connection with single, non-continuing transactions by non-customers would outweigh the benefits of such a requirement. The Agencies recognize, however, that identity theft may occur at the time of account opening. Therefore, as detailed below, the obligations of the final rule apply not only to existing accounts, where a relationship already has been established, but also to account openings, when a relationship has not yet been established.

Section __.90(b)(2) Board of Directors. The proposed regulations discussed the role of the board of directors of a financial institution or creditor. For financial institutions and creditors covered by the regulations that do not have boards of directors, the proposed regulations defined “board of directors” to include, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency. For other creditors that do not have boards of directors, the proposed regulations defined “board of directors” as a designated employee.

Consumer groups objected to the proposed definition as it applied to creditors that do not have boards of directors. These commenters recommended that for these entities, “board of directors” should be defined as a designated employee at the level of senior management. They asserted that otherwise, institutions that do not have a board of directors would be given an unfair advantage for purposes of the substantive provisions of the rules, because they would be permitted to assign any employee to fulfill the role of the “board of directors.”

The Agencies agree this important role should be performed by an employee at the level of senior management, rather than any designated employee. Accordingly, the definition of “board of directors” has been revised in § __.90(b)(2) of the final rules so that, in the case of a creditor that does not have a board of directors, the term “board of directors” means “a designated employee at the level of senior management.”

Section __.90(b)(3) Covered Account. As mentioned previously, the Agencies have added a new definition of “covered account” in § __.90(b)(3) to describe the type of “account” covered by the final rules. The proposed rules would have provided a financial institution or creditor with broad flexibility to apply its Program to those accounts that it determined were vulnerable to the risk of identity theft, and did not mandate coverage of any particular type of account.

Consumer group commenters urged the Agencies to limit the discretion afforded to financial institutions and creditors by requiring them to cover consumer accounts in their Programs. While seeking to preserve their discretion, many industry commenters requested that the Agencies limit the final rules to consumer accounts, where identity theft is most likely to occur.

The Agencies recognize that consumer accounts are presently the most common target of identity theft and acknowledge that Congress expected the final regulation to address risks of identity theft to consumers.[13] For this reason, the final rules require each Program to cover accounts established primarily for personal, family or household purposes, that involve or are designed to permit multiple payments or transactions, i.e., consumer accounts. As discussed above in connection with the definition of “account,” the final rules also require the Programs of financial institutions and creditors to cover any other type of account that the institution or creditor offers or maintains for which there is a reasonably foreseeable risk from identity theft.

Accordingly, the definition of “covered account” is divided into two parts. The first part refers to “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.” The definition provides examples to illustrate that these types of consumer accounts include, “a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.”[14]

The second part of the definition refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” This part of the definition reflects the Agencies’ belief that other types of accounts, such as small business accounts or sole proprietorship accounts, may be vulnerable to identity theft, and, therefore, should be considered for coverage by the Program of a financial institution or creditor.

In response to the proposed definition of “account,” a trade association representing credit unions suggested that the term “customer” in the definition be revised to refer to

[12] Accordingly, the definition of “account” still applies to fiduciary, agency, custodial, brokerage and investment advisory activities.

[13] See S. Rep. No. 108–166 at 13 (Oct. 17, 2003) (accompanying S. 1753).

[14] These examples reflect the fact that the rules are applicable to a variety of financial institutions and creditors. They are not intended to confer any additional powers on covered entities. Nonetheless, some of the Agencies have chosen to limit the examples in their rule texts to those products covered entities subject to their jurisdiction are legally permitted to offer.
6. 63722 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations
“member” to better reflect the ownership structure of some financial institutions or to “consumer” to include all individuals doing business at all types of financial institutions. The definition of “account” in the final rules no longer makes reference to the term “customer”; however, the definition of “covered account” continues to employ this term, to be consistent with section 114 of the FACT Act, which uses the term “customer.” Of course, in the case of credit unions, the final rules and guidelines will apply to the accounts of members that are maintained primarily for personal, family, or household purposes, and those that are otherwise subject to a reasonably foreseeable risk of identity theft.

Sections l.90(b)(4) and (b)(5) Credit and Creditor. The proposed rules defined these terms by cross-reference to the relevant sections of the FCRA. There were no comments on the definition of “credit” and § l.90(b)(4) of the final rules adopts the definition as proposed.

Some commenters asked the Agencies to clarify that the term “creditor” does not cover third-party debt collectors who regularly arrange for the extension, renewal, or continuation of credit. Section 114 applies to financial institutions and creditors. Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.15 ECOA defines “creditor” to include a person who arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors. 15 U.S.C. 1691a(e). Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules, and § l.90(b)(5) of the final rules adopts the definition of “creditor” as proposed.

Section l.90(b)(6) Customer. Section 114 of the FACT Act refers to “account holders” and “customers” of financial institutions and creditors without defining either of these terms. For ease of reference, the Agencies proposed to use the term “customer” to encompass both “customers” and “account holders.” “Customer” was defined as a person that has an account with a financial institution or creditor. The proposed definition of “customer” applied to any “person,” defined by the FCRA as any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.16 The proposal explained that the Agencies chose this broad definition because, in addition to individuals, various types of entities (e.g., small businesses) can be victims of identity theft. Under the proposed definition, however, a financial institution or creditor would have had the discretion to determine which type of customer accounts would be covered under its Program, since the proposed regulations were risk-based.17

As noted above, most industry commenters maintained that including all persons, not just consumers, within the definition of “customer” would impose a substantial financial burden on financial institutions and creditors, and make compliance with the regulations more burdensome. These commenters stated that business identity theft is rare, and maintained that financial institutions and creditors should be allowed to direct their fraud prevention resources to the areas of highest risk. They also noted that businesses are more sophisticated than consumers, and are in a better position to protect themselves against fraud than consumers, both in terms of prevention and in enforcing their legal rights.

Some financial institution commenters were concerned that the broad definition of “customer” would create opportunities for commercial customers to shift responsibility from themselves to the financial institution for not discovering Red Flags and alerting business customers about embezzlement or other fraudulent transactions by the commercial customer’s own employees. These commenters suggested narrowing the definition to cover natural persons and to exclude business customers. Some of these commenters suggested that the definition of “customer” should be consistent with the definition of this term in the Information Security Standards and the Agencies’ privacy rules.

Consumer groups commented that the proposed definition of “customer” was too narrow. They recommended that the definition be amended, so that the regulations would not only protect persons who are already customers of a financial institution or creditor, but also persons whose identities are used by an imposter to open an account.

Section l.90(b)(6) of the final rule defines “customer” to mean a person that has a “covered account” with a financial institution or creditor. Under the definition of “covered account,” an individual who has a consumer account will always be a “customer.” A “customer” may also be a person that has another type of account for which a financial institution or creditor determines there is a reasonably foreseeable risk to its customers or to its own safety and soundness from identity theft.

The Agencies note that the Information Security Standards and the privacy rules implemented various sections of Title V of the GLBA, 15 U.S.C. 6801, which specifically apply only to customers who are consumers. By contrast, section 114 does not define the term “customer.” Because the Agencies continue to believe that a business customer can be a target of identity theft, the final rules contain a risk-based process designed to ensure that these types of customers will be covered by the Program of a financial institution or creditor, when the risk of identity theft is reasonably foreseeable. The definition of “customer” in the final rules continues to cover only customers that already have accounts. The Agencies note, however, that the substantive provisions of the final rules, described later, require the Program of a financial institution or creditor to detect, prevent, and mitigate identity theft in connection with the opening of a covered account as well as any existing covered account. The final rules address persons whose identities are used by an imposter to open an account in these substantive provisions, rather than through the definition of “customer.”

Section l.90(b)(7) Financial Institution. The Agencies received no comments on the proposed definition of “financial institution.” It is adopted in § l.90(b)(7), as proposed, with a cross-reference to the relevant definition in the FCRA.

Section l.90(b)(8) Identity Theft. The proposal defined “identity theft” by cross-referencing the FTC’s rule that defines “identity theft” for purposes of the FCRA.18

Most industry commenters objected to the breadth of the proposed definition of “identity theft.” They recommended that the definition include only actual fraud committed using identifying information of a consumer, and exclude attempted fraud, identity theft committed against businesses, and any identity fraud involving the creation of a fictitious identity using fictitious data combined with real information from multiple individuals. By contrast, consumer groups supported a broad interpretation of “identity theft,” including the incorporation of “attempted fraud” in the definition.

15 See 15 U.S.C. 1681a(r)(5).
16 See 15 U.S.C. 1681a(b).
17 Proposed § l.90(d)(1) required this determination to be substantiated by a risk evaluation that takes into consideration which customer accounts of the financial institution or creditor are subject to a risk of identity theft.
18 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)). Section 111 of the FACT Act added several new definitions to the FCRA, including “identity theft,” and authorized the FTC to further define this term. See 15 U.S.C. 1681a.
Section l.90(b)(8) of the final rules adopts the definition of “identity theft” as proposed. The Agencies believe that it is important to ensure that all provisions of the FACT Act that address identity theft are interpreted in a consistent manner. Therefore, the final rule continues to define identity theft with reference to the FTC’s regulation, which as currently drafted provides that the term “identity theft” means “a fraud committed or attempted using the identifying information of another person without authority.” 19 The FTC defines the term “identifying information” to mean “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any—
(1) Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
Thus, under the FTC’s regulation, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of “identity theft” because such a fraud involves “using the identifying information of another person without authority.” 20

Section l.90(b)(9) Red Flag. The proposed regulations defined “Red Flag” as a pattern, practice, or specific activity that indicates the possible risk of identity theft. The preamble to the proposed rules explained that indicators of a “possible risk” of identity theft would include precursors to identity theft such as phishing,21 and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. The preamble explained that the Agencies included such precursors to identity theft as “Red Flags” to better position financial institutions and creditors to stop identity theft at its inception.

Most industry commenters objected to the broad scope of the definition of “Red Flag,” particularly the phrase “possible risk of identity theft.” These commenters believed that this definition would require financial institutions and creditors to identify all risks and develop procedures to prevent or mitigate them, without regard to the significance of the risk. They asserted that the statute does not support the use of “possible risk” and suggested defining a “Red Flag” as an indicator of significant, substantial, or the probable risk of identity theft. These commenters stated that this would allow a financial institution or creditor to focus compliance in areas where it is most needed.

Most industry commenters also stated that the inclusion of precursors to identity theft in the definition of “Red Flag” would make the regulations even broader and more burdensome. They stated that financial institutions and creditors do not have the ability to detect and respond to precursors, such as phishing, in the same manner as other Red Flags that are more indicative of actual ongoing identity theft.

By contrast, consumer groups supported the inclusion of the phrase “possible risk of identity theft” and the reference to precursors in the proposed definition of “Red Flag.” These commenters stated that placing emphasis on detecting precursors to identity theft, instead of waiting for proven cases, is the right approach.

The Agencies have concluded that the phrase “possible risk” in the proposed definition of “Red Flag” is confusing and could unduly burden entities with limited resources. Therefore, the final rules define “Red Flag” in § l.90(b)(9) using language derived directly from section 114, namely, “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” 22

The Agencies continue to believe, however, that financial institutions and creditors should consider precursors to identity theft in order to stop identity theft before it occurs. Therefore, as described below, the Agencies have chosen to address precursors directly, through a substantive provision in section IV of the guidelines titled “Prevention and Mitigation,” rather than through the definition of “Red Flag.” This provision states that a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft in determining an appropriate response to the Red Flags it detects.

Section l.90(b)(10) Service Provider. The proposed regulations defined “service provider” as a person that provides a service directly to the financial institution or creditor. This definition was based upon the definition of “service provider” in the Information Security Standards.23

One commenter agreed with this definition. However, two other commenters stated that the definition was too broad. They suggested narrowing the definition of “service provider” to persons or entities that have access to customer information.

Section l.90(b)(10) of the final rules adopts the definition as proposed. The Agencies have concluded that defining “service provider” to include only persons that have access to customer information would inappropriately narrow the coverage of the final rules. The Agencies have interpreted section 114 broadly to require each financial institution and creditor to detect, prevent, and mitigate identity theft not only in connection with any existing covered account, but also in connection with the opening of an account. A financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider. Thus, a financial institution or creditor that uses a service provider to open accounts will need to provide for the detection, prevention, and mitigation of identity theft in connection with this activity, even when the service provider has access to the information of a person who is not yet, and may not become, a “customer.”

Section l.90(c) Periodic Identification of Covered Accounts

To simplify compliance with the final rules, the Agencies added a new provision in § l.90(c) that requires each financial institution and creditor to periodically determine whether it offers or maintains any covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it

19 See 16 CFR 603.2(a).
20 See 16 CFR 603.2(b).
21 Electronic messages to customers of financial institutions and creditors directing them to provide personal information in response to a fraudulent e-mail.
22 15 U.S.C. 1681m(c)(2)(A).
23 The Information Security Standards define “service provider” to mean any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through the provision of services directly to the financial institution. 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions).