I. INTRODUCTION
The federal banking agencies have issued a final rule requiring banks to adopt a written identity theft prevention program. The final rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The program may be tailored to the needs of an individual institution, but must be designed to detect, prevent and mitigate identity theft associated with all consumer accounts (primarily for personal, family or household purposes) and others where the bank determines reasonable identity-theft risk.
The final rule provides guidelines that each institution must consider in setting up and maintaining such a system, as well as a list of “red flags” that may indicate identity theft. The program must be appropriate to the size and complexity of the institution and the nature and scope of its activities and be flexible enough to address changing identity theft risks as they arise.
Under the final rule, issuers of credit and debit cards must establish and maintain a system to evaluate and validate change-of-address requests. In addition, the rule provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends a user a notice of address discrepancy. The final rule took effect on January 1, 2008, with compliance mandatory by November 1, 2008.
II. KEY DEFINITIONS
An understanding of the following defined terms is important in implementing an institution’s identity theft prevention program.
A. Covered Account - A “covered account” is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions (i.e., a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account), or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution from identity theft, including financial, operational, compliance, reputation or litigation risks.
B. Customer - A person that has a covered account with a financial institution.
C. Identity Theft - The final rule defines “identity theft” by cross-referencing the FTC’s regulations, which provide that the term “identity theft” means a fraud committed or attempted using the identifying information of another person without authority.
D. Identifying Information - Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any - (1) Name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) Unique electronic identification number, address, or routing code; or (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
E. Red Flag - A pattern, practice, or specific activity that indicates the possible existence of identity theft.
F. Service Provider - A person that provides a service directly to the financial institution.
III. COMPONENTS OF AN IDENTITY THEFT PREVENTION PROGRAM
Under the final rule, only those financial institutions that offer or maintain “covered accounts” must develop and implement a written Program (See definition of “Covered Accounts” above). Each financial institution must periodically determine whether it offers or maintains a “covered account.”
The final regulation also provides that the Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. In addition, the Program must be tailored to the entity’s size, complexity and nature of its operations.
The final regulation lists the four basic elements that must be included in the Program of a financial institution. The Program must contain “reasonable policies and procedures” to:
The regulation also enumerates certain steps that financial institutions must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.
IV. PERIODIC IDENTIFICATION OF COVERED ACCOUNTS
Each financial institution is required to periodically determine whether it offers or maintains any “covered accounts.” As a part of this determination, a financial institution must conduct a risk assessment to determine whether it offers or maintains covered accounts (accounts other than consumer accounts), taking into consideration (a) the methods it provides to open its accounts; (b) the methods it provides to access its accounts; and (c) its previous experiences with identity theft.
As a result, a financial institution should consider whether, for example, a reasonably foreseeable risk of identity theft may exist in connection with business accounts it offers or maintains that may be opened or accessed remotely, through methods that do not require face-to-face contact, such as through the internet or telephone. In addition, those institutions that offer or maintain business accounts that have been the target of identity theft should factor those experiences with identity theft into their determination.
The risk assessment required here directs a financial institution to determine, as a threshold matter, whether it will need to have a Program. If a financial institution determines that it does need a Program, then this risk assessment will enable the financial institution to identify those accounts the Program must address. This provision also requires a financial institution that initially determines that it does not need to have a Program to reassess periodically whether it must develop and implement a Program in light of changes in the accounts that it offers or maintains and the various other factors set forth in the provision.
V. IDENTITY THEFT PREVENTION PROGRAM
The final rule requires each financial institution that offers or maintains one or more covered accounts to develop and implement a written Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. To signal that the final rule is flexible, and allow smaller financial institutions and creditors to tailor their Programs to their operations, the final rule states that the Program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities.
A. Guidelines
In order to provide financial institutions with greater flexibility in developing a program, the agencies moved certain detail formerly contained in the proposed regulations to the guidelines located in Appendix J. This detailed guidance should assist financial institutions in the formulation and maintenance of a Program that satisfies the requirements of the regulation to detect, prevent and mitigate identity theft.
Each financial institution that is required to implement a program must consider the guidelines and must include in its Program those guidelines that are appropriate. The guidelines provide policies and procedures for use by institutions, where appropriate, to satisfy the requirements of the final rule, including the components of an identity theft prevention program listed above. While an institution may determine that particular guidelines are not appropriate to incorporate into its program, the Program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rule.
Section I of the guidelines makes clear that a covered entity may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution from identity theft, such as those already developed in connection with the entity’s fraud prevention program. This is designed to avoid duplication and allow covered entities to benefit from existing policies and procedures.
VI. ELEMENTS OF AN IDENTITY THEFT PREVENTION PROGRAM
A. Identification of Red Flags
The final rule simply states that the first element of a Program must be reasonable policies and procedures to identify relevant Red Flags for the covered accounts that the financial institution offers or maintains. A financial institution must incorporate these Red Flags into its Program.
The final rule does not require policies and procedures for identifying which Red Flags are relevant to detecting a “possible risk” of identity theft. Moreover, a covered entity’s obligation to update its Red Flags is now a separate element of the Program.
The Agencies acknowledge that establishing a finite list of factors that a financial institution must consider when identifying relevant Red Flags for covered accounts could limit the ability of a financial institution to respond to new forms of identity theft. Therefore, the guidelines contain a list of factors that a financial institution or creditor “should consider. . . as appropriate” in identifying relevant Red Flags.
These factors are:
Thus, for example, Red Flags relevant to deposit accounts may differ from those relevant to credit accounts, and those applicable to consumer accounts may differ from those applicable to business accounts. Red Flags appropriate for accounts that may be opened or accessed remotely may differ from those that require face-to-face contact. In addition, a financial institution should consider identifying as relevant those Red Flags that directly relate to its previous experiences with identity theft.
The guidelines also give examples of sources from which financial institutions should derive relevant Red Flags and state that a financial institution should incorporate into its Program relevant Red Flags from sources such as: (1) incidents of identity theft that the financial institution has experienced; (2) methods of identity theft that the financial institution has identified that reflect changes in identity theft risks; and (3) applicable supervisory guidance.
The Agencies state that the Program of a financial institution “should include” relevant Red Flags from five particular categories “as appropriate.” These categories have been included in Section II of the guidelines. Section II of the guidelines also notes that “examples” of individual Red Flags from each of the five categories are appended as Supplement A to Appendix J.
When identifying Red Flags, financial institutions must consider the nature of their business and the type of identity theft to which they may be subject. For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purpose of obtaining medical services) and, therefore, must identify Red Flags that reflect this risk.
The final rule continues to follow the risk-based, non-prescriptive approach regarding the identification of Red Flags that was set forth in the proposal. The Agencies recognize that the final rules and guidelines cover a wide variety of financial institutions that offer and maintain many different products and services, and require the flexibility to be able to adapt to rapidly changing risks of identity theft.
B. Detection of and Response to Red Flags
1. Detecting Red Flags
The final rule provides that a Program must contain reasonable policies and procedures to detect the Red Flags that a financial institution has incorporated into its Program.
The guidelines provide examples of various means to detect Red Flags. They state that the Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts, such as by obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the CIP rules. They also state that the Program’s policies and procedures should address the detection of Red Flags in connection with existing covered accounts, such as by authenticating customers, monitoring transactions, and verifying the validity of change of address requests.
2. Responding to Red Flags
The final rules require reasonable policies and procedures to respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft.
In order to “respond appropriately,” it is implicit that a financial institution must assess whether the Red Flags detected evidence a risk of identity theft, and must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft.
Examples of measures for preventing and mitigating identity theft are located in Section IV of the guidelines, titled “Prevention and Mitigation of Identity Theft.” Section IV states that the Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution has detected that are commensurate with the degree of risk posed. The final rule does not define Red Flags to include indicators of a “possible risk” of identity theft (including “precursors” to identity theft), but rather, Section IV states that in determining an appropriate response, a financial institution should consider aggravating factors that may heighten the risk of identity theft, and provides examples of such factors.
C. Updating the Program
The final rule requires policies and procedures to ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution from identity theft. The factors that should cause a financial institution to update its Program include its own experiences with identity theft, changes in methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in accounts that it offers or maintains, and changes in its business arrangements.
D. Administration of the Program
The final rule describes the steps that financial institutions must take to administer the Program, including: obtaining approval of the initial written Program; ensuring oversight of the development, implementation and administration of the Program; training staff; and overseeing service provider arrangements.
1. Involvement of the Board of Directors and Senior Management
The final rule requires approval of the written Program by the board of directors or an appropriate committee of the board. To ensure that this requirement does not hamper the ability of a financial institution to update its Program in a timely manner, the final rule provides that the board or an appropriate committee must approve only the initial written Program. Thereafter, at the discretion of the financial institution, the board, a committee, or senior management may update the Program.
Bank holding companies and their bank and non-bank subsidiaries will be governed by the principles articulated in connection with the banking agencies’ Information Security Standards:
The Agencies agree that subsidiaries within a holding company can use the security program developed at the holding company level. However, if subsidiary institutions choose to use a security program developed at the holding company level, the board of directors or an appropriate committee at each subsidiary institution must conduct an independent review to ensure that the program is suitable and complies with the requirements prescribed by the subsidiary’s primary regulator.
The Agencies recognize that boards of directors have many responsibilities and it generally is not feasible for a board to involve itself in the detailed oversight, development, implementation, and administration of the Program. Accordingly, the final rule provides discretion to a financial institution or creditor to determine who will be responsible for these aspects of the Program. It states that a financial institution must involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the Program.
The guidelines note that such oversight should include assigning specific responsibility for the Program’s implementation and reviewing reports prepared by staff on compliance by the financial institution with this section. The guidelines also state that oversight should include approving material changes to the Program as necessary to address changing identity theft risks. Reports should be prepared at least annually, with the contents of a report to include: the effectiveness of the policies and procedures of the financial institution in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management’s response; and recommendations for material changes to the Program.
2. Staff Training
The final rule provides that financial institutions must train staff, as necessary, to effectively implement the Program. This provision requires training of only relevant staff. In addition, staff who have already been trained, for example, as a part of the anti-fraud prevention efforts of the financial institution, do not need to be re-trained except “as necessary.”
3. Oversight of Service Provider Arrangements
Financial institutions continue to remain responsible for compliance with the final rule, even if they outsource operations to a third party. Accordingly, the final rule provides that a financial institution must exercise appropriate and effective oversight of service provider arrangements, without further elaboration. This provision provides maximum flexibility to financial institutions in managing their service provider arrangements, while making clear a financial institution cannot escape its obligations to comply with the final rule and to include in its Program those guidelines that are appropriate by simply outsourcing an activity.
The guidelines provide that, whenever a financial institution engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations.
The guidelines also provide an example of how a financial institution may comply with this provision and state that a financial institution could require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities and either report the Red Flags to the financial institution or take appropriate steps to prevent or mitigate identity theft.
VII. GUIDELINES - APPENDIX J
The Agencies have added a provision to the final rule stating each financial institution that is required to implement a Program must consider the guidelines in Appendix J and include in its Program those guidelines that are appropriate.
Each of the guidelines corresponds to a provision of the final rule. The guidelines were issued to assist financial institutions in the development and implementation of a Program that satisfies the requirements of the final rule. The guidelines provide policies and procedures that financial institutions should use, where appropriate, to satisfy the regulatory requirements of the final rule. While an institution may determine that a particular guideline is not appropriate for its circumstances, it nonetheless must ensure its Program contains reasonable policies and procedures to fulfill the requirements of the final rule. Financial institutions are provided with the flexibility to determine “how best to develop and implement the required policies and procedures.”
A. Examples of Red Flags - Supplement A to Appendix J
Supplement A to Appendix J provides a list of examples of red flags:
Categories of Red Flags: The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to Appendix J.
A financial institution may tailor the Red Flags it chooses for its Program to its own operations. A financial institution will not need to justify to an Agency its failure to include in the Program a specific Red Flag from the list of examples. However, a financial institution will have to account for the overall effectiveness of a Program that is appropriate to its size and complexity and the nature and scope of its activities.
VIII. SUPPLEMENT A TO APPENDIX J
In addition to incorporating Red Flags from the sources recommended in Section II.b of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program Red Flags, whether singly or in combination, from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:
a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identit
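The following Python code is an added worked example, not part of Supplement A or the Agencies’ guidance, showing how a few of the illustrative Red Flags above (14, 15, 16, 22 and 23) can be evaluated mechanically over a batch of new-account applications and existing accounts. The thresholds (how many shared applicants is “an unusually large number”, how long is “a reasonably lengthy period”, how many returned mailings count as “repeatedly”) are assumptions of this example, since the Supplement fixes no numbers; the record layouts and sample data are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed thresholds: the Supplement gives no numbers, so an institution sets its own.
SHARED_CONTACT_THRESHOLD = 3   # flag 15: address/phone shared by this many applicants or more
DORMANT_DAYS = 365             # flag 22: gap between transactions treated as dormancy
RETURNED_MAIL_THRESHOLD = 2    # flag 23: returned-mail events treated as "repeatedly"
RECENT_ACTIVITY_DAYS = 90      # flag 23: transactions inside this window count as "continuing"
REQUIRED_FIELDS = ("name", "ssn", "dob", "address", "phone")

Finding = Tuple[str, int, str]  # (record id, Red Flag number from Supplement A, explanation)


@dataclass
class Application:
    """One new-account application (constructed record layout)."""
    app_id: str
    name: Optional[str]
    ssn: Optional[str]
    dob: Optional[date]
    address: Optional[str]
    phone: Optional[str]


@dataclass
class Account:
    """One existing covered account (constructed record layout)."""
    account_id: str
    transaction_dates: List[date]   # dates on which transactions were conducted
    returned_mail_events: int       # statements or letters returned as undeliverable


def flag_applications(apps: List[Application]) -> List[Finding]:
    """Evaluate Red Flags 14, 15 and 16 across a batch of applications."""
    findings: List[Finding] = []
    ssn_count = Counter(a.ssn for a in apps if a.ssn)
    address_count = Counter(a.address for a in apps if a.address)
    phone_count = Counter(a.phone for a in apps if a.phone)
    for a in apps:
        # Flag 16: required identifying information not provided.
        missing = [f for f in REQUIRED_FIELDS if not getattr(a, f)]
        if missing:
            findings.append((a.app_id, 16, "required identifying information missing: " + ", ".join(missing)))
        # Flag 14: the same SSN submitted by other persons opening accounts.
        if a.ssn and ssn_count[a.ssn] > 1:
            findings.append((a.app_id, 14, "SSN also submitted by another applicant"))
        # Flag 15: address or phone shared by an unusually large number of applicants.
        if a.address and address_count[a.address] >= SHARED_CONTACT_THRESHOLD:
            findings.append((a.app_id, 15, f"address shared by {address_count[a.address]} applicants"))
        if a.phone and phone_count[a.phone] >= SHARED_CONTACT_THRESHOLD:
            findings.append((a.app_id, 15, f"phone shared by {phone_count[a.phone]} applicants"))
    return findings


def flag_accounts(accts: List[Account], as_of: date) -> List[Finding]:
    """Evaluate Red Flags 22 and 23 for existing accounts as of a given date."""
    findings: List[Finding] = []
    for acct in accts:
        dates = sorted(acct.transaction_dates)
        # Flag 22: a long-inactive account is used again.
        for earlier, later in zip(dates, dates[1:]):
            gap = (later - earlier).days
            if gap > DORMANT_DAYS:
                findings.append((acct.account_id, 22, f"account used on {later} after {gap} days of inactivity"))
                break  # one finding per account is enough
        # Flag 23: mail returned repeatedly while transactions continue.
        recently_active = any((as_of - d).days <= RECENT_ACTIVITY_DAYS for d in dates)
        if acct.returned_mail_events >= RETURNED_MAIL_THRESHOLD and recently_active:
            findings.append((acct.account_id, 23,
                             f"{acct.returned_mail_events} mailings returned while transactions continue"))
    return findings


# Constructed sample input (not real data).
SAMPLE_APPLICATIONS = [
    Application("APP-1", "Ana Ruiz", "111-11-1111", date(1980, 4, 2), "1 Main St", "555-0100"),
    Application("APP-2", "Ben Ito", "111-11-1111", date(1975, 9, 9), "2 Oak Ave", "555-0101"),
    Application("APP-3", "Cy Moss", "222-22-2222", date(1990, 1, 1), "9 Dropbox Rd", None),
    Application("APP-4", "Di Wu", "333-33-3333", date(1988, 7, 7), "9 Dropbox Rd", "555-0104"),
    Application("APP-5", "Ed Kim", "444-44-4444", date(1992, 3, 3), "9 Dropbox Rd", "555-0105"),
]
SAMPLE_ACCOUNTS = [
    Account("ACC-1", [date(2022, 1, 5), date(2024, 2, 10)], 0),
    Account("ACC-2", [date(2024, 1, 15), date(2024, 2, 20)], 3),
    Account("ACC-3", [date(2023, 1, 1)], 3),
]
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    for finding in flag_applications(SAMPLE_APPLICATIONS) + flag_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(finding)
```

Each finding carries the Supplement A flag number so that the response step can be tied back to the Program’s documented Red Flags; a finding is an indicator to be assessed under the Program’s response procedures, not a determination that identity theft has occurred.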
IX. SPECIAL RULES FOR CARD ISSUERS
The final rule requires credit and debit card issuers to assess the validity of change of address notifications. If a card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address through one of three methods. The card issuer may not issue the card unless it: (1) notifies the cardholder of the request at the cardholder’s former address and provides the cardholder with a means to promptly report an incorrect address; (2) notifies the cardholder of the address change request by another means of communication previously agreed to by the issuer and the cardholder; or (3) uses other means of evaluating the validity of the address change in accordance with the reasonable policies and procedures established by the card issuer to comply with the joint regulations described earlier regarding identity theft.
A. Cardholder
A consumer who has been issued a credit card or debit card. A cardholder includes the holder of a payroll card, provided that the card issuer is a financial institution, but does not presently include the holder of a gift card or other prepaid gift card product.
B. Credit Card
A credit card is defined by cross-reference to Section 103 of the Truth in Lending Act, 15 U.S.C. 1601, et seq.
C. Debit Card
Any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution for the purposes of transferring money between accounts or obtaining money, property, labor, or services.
D. Address Change Notification
Under the final rule, a card issuer that receives an address change notification and, within at least 30 days, a request for an additional or replacement card, may not issue an additional or replacement card until it has notified the cardholder or has otherwise assessed the validity of the change of address in accordance with the policies and procedures the card issuer has established. The Agencies have clarified that the card issuer may satisfy the requirements by validating an address when it receives an address change notification, before it receives a request for an additional or replacement card. The rules do not require a card issuer that issues an additional or replacement card to validate an address whenever it receives a request for such a card, because the FACT Act only requires the validation of an address when the card issuer also has received a notification of a change of address.
The Agencies clarified that a card issuer must provide to the cardholder a “reasonable” means of promptly reporting incorrect address changes whenever the card issuer notifies the cardholder of the request for an additional or replacement card.
A card issuer that does not validate an address when it receives an address change notification may find it prudent to validate the address before issuing an additional or replacement card, even when it receives a request for such a card more than 30 days after the notification of address change. The Agencies also confirm that a card issuer is not obligated to assess the validity of a notification of an address change after receiving a request for an additional or replacement card if it previously determined not to change the cardholder’s address because the address change request was fraudulent.
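The following Python code is an added worked example, not part of the final rule or the Agencies’ guidance, showing how a card issuer’s card-fulfilment system might apply the change-of-address check described in this section. The names CardAccount, ValidationMethod, may_issue_card and the account fields are this example’s own; the 30-day minimum, the option of a longer window, the three validation methods, validation before any card request arrives, and the exemption for a change already rejected as fraudulent all follow the text above.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Tuple

MIN_WINDOW_DAYS = 30  # the rule requires the check during at least the first 30 days


class ValidationMethod(Enum):
    """The three ways the rule lets an issuer assess a change of address."""
    NOTIFY_FORMER_ADDRESS = "notice to the former address with a means to report an incorrect change"
    NOTIFY_AGREED_CHANNEL = "notice through a channel previously agreed with the cardholder"
    OTHER_REASONABLE_MEANS = "other means under the issuer's identity theft prevention policies"


@dataclass
class CardAccount:
    """Constructed account record; field names are this example's own."""
    account_id: str
    address: str
    # Date a notice of change of address was received, if any.
    address_change_received: Optional[date] = None
    # Set once the change has been assessed by one of the permitted methods.
    validated_by: Optional[ValidationMethod] = None
    # Set if the issuer declined to change the address because the request was fraudulent.
    change_rejected_as_fraudulent: bool = False


def record_address_change(acct: CardAccount, new_address: str, received: date) -> None:
    """Apply a change-of-address notice; it stays unvalidated until validate_address_change runs."""
    acct.address = new_address
    acct.address_change_received = received
    acct.validated_by = None
    acct.change_rejected_as_fraudulent = False


def validate_address_change(acct: CardAccount, method: ValidationMethod) -> None:
    """Record the assessment; the rule allows this at notification time, before any card request."""
    acct.validated_by = method


def reject_address_change(acct: CardAccount, received: date) -> None:
    """The issuer found the change request fraudulent and left the address unchanged."""
    acct.address_change_received = received
    acct.change_rejected_as_fraudulent = True


def may_issue_card(acct: CardAccount, request_date: date,
                   window_days: int = MIN_WINDOW_DAYS) -> Tuple[bool, str]:
    """Return (issue_now, reason) for a request for an additional or replacement card."""
    if window_days < MIN_WINDOW_DAYS:
        raise ValueError("the rule requires a window of at least 30 days")
    if acct.address_change_received is None:
        return True, "no change-of-address notice on file; validation not required"
    if acct.change_rejected_as_fraudulent:
        return True, "address change already rejected as fraudulent; no further assessment required"
    if acct.validated_by is not None:
        return True, f"address change already assessed ({acct.validated_by.name})"
    elapsed = (request_date - acct.address_change_received).days
    if 0 <= elapsed <= window_days:
        return False, f"card request {elapsed} days after address change; assess validity before issuing"
    return True, "request outside the validation window; validation not required, though still prudent"


if __name__ == "__main__":
    acct = CardAccount("C-1", "1 Main St")
    record_address_change(acct, "2 Oak Ave", date(2024, 1, 10))
    print(may_issue_card(acct, date(2024, 1, 25)))
    validate_address_change(acct, ValidationMethod.NOTIFY_FORMER_ADDRESS)
    print(may_issue_card(acct, date(2024, 1, 25)))
```

The decision function refuses to issue only when a notice is on file, unassessed, and the request falls inside the window; an issuer that wants the more conservative practice the Agencies describe can pass a longer window_days, but not a shorter one.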
E. Form of Notice
The final rule provides that any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous, and provided separately from its regular correspondence with the cardholder.
X. USERS OF CONSUMER REPORTS
Section 315 of the FACT Act amends the Fair Credit Reporting Act (FCRA) by requiring that, when providing a consumer report to a person that requests the report (the user), a nationwide consumer reporting agency (CRA) must provide a notice of the existence of a discrepancy if the address provided by the user in its request “substantially differs” from the address the CRA has in the consumer’s file.
Users of a consumer report should employ reasonable policies and procedures when receiving a notice of address discrepancy. The policies and procedures must (1) enable the user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report, and (2) enable it to reconcile the address of the consumer with the CRA if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.
A. Requirement to Form a Reasonable Belief
The final rule provides examples of reasonable policies and procedures that a user may employ to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. These examples include comparing information provided by the CRA with information the user: (1) obtains and uses to verify the consumer’s identity in accordance with the requirements of the CIP rules; (2) maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or (3) obtains from third-party sources. Another example is to verify the information in the consumer report provided by the CRA directly with the consumer.
If a user cannot establish a reasonable belief that the consumer report relates to the consumer about whom it has requested the report, the Agencies expect the user will not use that report. For example, in the case of account openings, a user that is subject to the CIP rules generally will need to document how it has resolved the discrepancy between the address provided by the consumer and the address in the consumer report. If the user cannot establish a reasonable belief that it knows the true identity of the consumer, it will need to implement the policies and procedures for addressing these circumstances as required by the CIP rules, which may involve not opening an account or closing an account. If a user is a “financial institution,” a notice of address discrepancy may be a Red Flag and require an appropriate response to prevent and mitigate identity theft under the user’s Identity Theft Prevention Program.
B. Requirement to Furnish Consumer’s Address to a Consumer Reporting Agency
A user must develop and implement reasonable policies and procedures for furnishing, to the CRA from which it received the notice of address discrepancy, an address for the consumer that the user has reasonably confirmed is accurate, when the user:
1. Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
2. Establishes a continuing relationship with the consumer; and
3. Regularly and in the ordinary course of business furnishes information to the CRA from which the notice of address discrepancy relating to the consumer was obtained.
The user may reasonably confirm an address is accurate by:
1. Verifying the address with the consumer about whom it has requested the report;
2. Reviewing its own records to verify the address of the consumer;
3. Verifying the address through third-party sources; or
4. Using other reasonable means.
The policies and procedures developed in accordance with these requirements must provide that the user will furnish the consumer’s address that it has reasonably confirmed is accurate to the CRA as part of the information it regularly furnishes, for the reporting period in which it establishes a relationship with the consumer.
Appropriate responses to a Red Flag under the Identity Theft Prevention Program may include the following:
1. Monitoring a covered account for evidence of identity theft;
2. Contacting the customer;
3. Changing any passwords, security codes, or other security devices that permit access to a covered account;
4. Reopening a covered account with a new account number;
5. Not opening a new covered account;
6. Closing an existing covered account;
7. Not attempting to collect on a covered account or not selling a covered account to a debt collector;
8. Notifying law enforcement; or
9. Determining that no response is warranted under the particular circumstances.
XI. FREQUENTLY ASKED QUESTIONS ON IDENTITY THEFT RULES
The Federal Banking Agencies have issued a set of frequently asked questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and issuers of credit cards and debit cards in complying with the federal regulations (the Red Flags and Address Discrepancy Rules) on identity theft, address discrepancies, and changes of address.
The regulations require financial institutions and creditors to develop and implement written Identity Theft Prevention Programs and require issuers of credit cards and debit cards to assess the validity of notifications of changes of address. The rules also provide guidance for users of consumer reports regarding reasonable policies and procedures to employ when consumer reporting agencies send them notices of address discrepancies.
The FAQs provide guidance on numerous aspects of the regulations, including which types of entities and accounts are covered; establishment and administration of an Identity Theft Prevention Program; address validation requirements applicable to card issuers; and the obligations of users of consumer reports upon receiving a notice of address discrepancy. The entire list of FAQs may be viewed by going to www.fdic.gov and searching for "FAQs Red Flags and Address Discrepancy Rules."