Oklahoma Bankers Association We make bankers better!
Joint Regulation on Identity Theft Red Flags & Address Discrepancies
Joint Regulation on Identity Theft Red Flags & Address Discrepancies
The bank regulatory agencies and Federal Trade Commission have jointly issued a final regulation entitled “Identity Theft Red Flags and Address Discrepancies,” to carry out provisions of Sections 114 and 315 of the FACT Act.
The regulation’s effective date is January 1, 2008, but compliance will not be mandatory until November 1, 2008. Banks will have a ten-month transition period to put various parts of their identity-theft-prevention program in place. Logically, a bank’s first step is to adopt an appropriate written policy and obtain board approval. Then the process of training employees to carry out various aspects of the policy will begin. It also may take a while to obtain written assurances from third-party service providers that they agree to comply with the regulation’s requirements.
The new joint regulation primarily covers two subjects: (1) developing and implementing a written Identity Theft Prevention Program in connection with certain existing loan and deposit accounts, and opening of new accounts, and (2) what to do if a “notice of address discrepancy” is received from a credit bureau (for example, because an individual’s address on the loan application does not match the credit report). I will discuss each of these subjects below.
1. Joint Regulation’s Numbering System
The regulation has been jointly developed and adopted by the OCC, Federal Reserve, FDIC, OTS, NCUA and FTC. Although this makes things more confusing, each regulator has authority to adopt regulations covering only the financial institutions and other companies within its own separate jurisdiction. As a result, there actually are six separate sets of regulations, one for each agency.
This article refers only to the FDIC version of the regulation, numbered as 12 CFR Sections 334.82, 334.90, and 334.91. The sections apply to institutions that have the FDIC as their primary federal regulator (non-Fed-member state banks). National banks are governed by an identical set of OCC regulations, numbered as 12 CFR Sections 41.82, 41.90, and 41.91. Fed-member state banks and bank holding companies are governed by the Federal Reserve, with regulations numbered as 12 CFR Sections 222.82, 222.90 and 222.91.
OTS regulations (for savings associations) appear in 12 CFR Section 571, NCUA regulations (for credit unions) are in 12 CFR Section 717, and Federal Trade Commission regulations covering non-financial-institution companies (and individuals) appear in 16 CFR Section 717.
If a financial institution’s primary federal regulator is not the FDIC, the institution can locate the correct subpart of its own regulator’s version of the regulation by modifying only the part of the section number that precedes the decimal. (For example, the paragraph of the FDIC regulation that is found in 12 CFR Section 334.90(b)(3) is the same as the OCC’s version in 12 CFR Section 41.90(b)(3), and the Federal Reserve’s version at 12 CFR Section 222.90(b)(3).)
2. Identity Theft Prevention Program
Section 334.90(d) is the main point of the new regulation. It requires financial institutions and other creditors to set up an “identity theft prevention program.” (The term “creditors” includes companies that either (1) lend money or (2) sell goods or services on credit or on a “billing” basis–including finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.)
An “identity theft program” is required for any institution or other creditor establishing “covered accounts.” Section 334.90(b) defines “account” as “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.” The definition specifically includes “deposit account,” and also “an extension of credit,” including “the purchase of property or services involving a deferred payment.” The regulation’s introductory material indicates that “account” may also include “fiduciary, agency, custodial, brokerage and investment advisory activities.”
Section 334.90(b)(3) provides two separate definitions of “covered account” (an account covered by the regulation), and satisfying either one is sufficient. First, any account is a “covered account” if (1) it is “primarily for personal, family, or household purposes,” (2) it “is designed to permit multiple payments or transactions,” and (3) it is maintained by a “financial institution or creditor.” All consumer loan accounts and consumer deposit accounts held by banks are automatically “covered accounts.” Any “dealer paper” or “seller credit card” for consumers would be covered, and also any consumer services account with multiple payments (cable, telephone, electric, natural gas, etc.)
Second, as a completely separate definition, any other account is a “covered account” if (1) it is maintained by a “financial institution or creditor” and (2) is one “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
Some companies serve only commercial customers, and have no “accounts” meeting the first definition. But if they sell products or services on credit, or make commercial loans, they still may have “covered accounts” falling within the second definition, depending on the circumstances.
That consumer accounts fall within the first category is a “given”; but whether an entity has “covered accounts” falling within the second category (“other”) is more subjective, based partly on the entity’s “risk assessment.” Section 334.90(c) requires an entity to “periodically determine whether it offers or maintains covered accounts.” Three factors must be considered in determining whether non-consumer accounts are “covered accounts”:
(1) The methods a financial institution or creditor provides to open its accounts. (A bank uses CIP on all new accounts, and normally asks questions until it is reasonably certain of a customer’s identity. A merchant or wholesaler, by contrast, may be less likely to obtain CIP-type documents. A bank or other creditor that opens accounts by long distance–by internet, telephone, fax or mail–may have more “identity theft” risk than a bank or creditor that only opens accounts face-to-face.)
(2) The methods a financial institution or creditor provides to access its accounts. (For example, if a savings account can only be accessed by means of teller transactions—no checks, debit cards, ACH, ATM, online transfers, etc.—the risk of identity theft is much less. On an account where many electronic transactions are allowed—such as online transfers, ACH, ATM, and merchant POS—it would be hard to argue that there’s no “identity theft” risk.
(3) The financial institution’s or other creditor’s previous experiences with identity theft. (When a bank sustains actual losses due to identity theft on certain kinds of accounts, that experience is an indicator of what types of accounts probably should not be left out of the institution’s own determination of “other accounts” that should be treated as “covered accounts.” Of course, methods of committing fraud are constantly changing, and a bank’s recent loss experience should also be used to update periodically what accounts at the bank should be considered “covered accounts.”
All banks have “covered accounts” (deposits, loans, safe deposit boxes, etc.) falling within the first category (“consumer”), as well as some types within the second category (“other”). Some commercial customers have better fraud-prevention procedures than consumers have, but there are still certain types of commercial accounts (for example, credit cards) always have risk of loss from identity theft. As a result, every bank’s “identity theft prevention program” needs to consider both “consumer” and “other” accounts. (Some, but not all, types of commercial accounts will be included.)
As required in Section 334.90(d), each financial institution or other creditor must develop and implement a written Identity Theft Prevention Program that is “designed to detect, prevent, and mitigate identity theft in connection with [1] the opening of a covered account, or [2] any existing covered account.” The Program “must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.”
3. Different Risk Profiles
Although all financial institutions open deposit accounts and loan accounts, some are willing to do so (for example) over the internet or by mail, at least occasionally, without dealing with the customer in person. This provides greater convenience, but tends to increase the potential identity-theft-related risk. The average small-town bank doesn’t open accounts this way, and will have a different risk profile, at least in this aspect. But even among banks that open accounts by such methods, some may have very careful verification procedures that help to mitigate the risk, or have only very limited situations in which they would allow this at all. Because there can be considerable variation between banks as to what products are offered, how they are offered, and what safeguards are used, it’s logical that every bank’s Identity Theft Prevention Program will need to carefully consider that bank’s unique characteristics.
As another example, some banks allow access to certain types of deposit account only by very restricted means. This may make those accounts less vulnerable to identity theft. (Less risk means less protection required, and simpler policies.) C.D.’s, for example, usually can only be accessed in person. Some banks restrict access to savings accounts almost as much as C.D.’s (basically allowing only teller transactions). Although in a minority, some banks also do not allow ACH debits on savings accounts. An increasing number of banks now allow online transfers between accounts, creating another means of easy access to savings deposits. Many banks are also linking savings and checking accounts so that an overdraft in checking will cause an automatic transfer from savings. Each added means of access to an account creates both greater convenience and a possibly increased risk of identity theft losses.
In another case, some banks may allow funds to be wired from a corporate account based on telephoned instructions, while others allow only faxed (signed) or in-person written instructions. Whether a bank’s customer-verification procedures are appropriately designed and implemented may help to determine how much identity-theft risk is involved in commercial wire transactions.
4. Definition of “Red Flags”
Section 334.90 defines a “Red Flag” as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” Red Flags are like “warning signs” or “suspicious events” that alert a bank to proceed much more carefully, or not to proceed at all, whenever they occur.
Each bank should develop its own list of Red Flags, because each bank’s operations will be different. If a bank doesn’t offer certain products or services, the regulators’ suggested Red Flags that relate only to those particular activities will have no relevance, and should not be included in the bank’s Program.
A bank must determine what Red Flags are appropriate to include in its Program, selected from the regulators’ suggested list, or from the bank’s own experience. A bank isn’t required to justify its decision to leave certain of the regulators’ Red Flags out of its own list, if it believes in good faith that those issues are not relevant to its own methods of doing business; but a bank does need to come up with a list of Red Flags appropriate to its business.
Appendix J to Section 334 (also attached to the other regulators’ versions of the regulation) is entitled “Interagency Guidelines on Identity Theft Detection, Prevention and Mitigation.” Part II(a) of the Guidelines states, “A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate: (1) The types of covered accounts it offers or maintains; (2) The methods it provides to open its covered accounts; (3) The methods it provides to access its covered accounts; and (4) Its previous experiences with identity theft.”
5. Elements of a Program
Section 334.90(d)(2) states that an institution’s written Identity Theft Prevention Program must include reasonable policies and procedures to accomplish four goals:
(i) The Program must decide and list what Red Flags are relevant for the “covered accounts” that the financial institution or creditor offers or maintains.
(ii) The Program must have procedures that will reasonably detect Red Flags (those listed as part of the Program) when they occur.
(iii) If Red Flags occur and are detected, the Program should set out the appropriate response to take, to prevent and mitigate identity theft. (“Prevention” would involve steps to shut the problem down before it turns into a loss, and “mitigation” would include steps to keep the damage from getting worse after it has already begun, or possibly even ways to try to reverse the damage. Employees in each relevant area should know what “action steps” they need to take if a Red Flag pops up.)
(iv) The Program (including the determination of what Red Flags are relevant) must be updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.(As newer fraudulent schemes arise, the institution’s Program should try to address heightened risks or weaknesses that those schemes exploit. Also, as an institution offers new types of accounts, or new methods of access to existing accounts, the existing Program should be reconsidered and perhaps modified to take those changes into account.)
6. Administration of Program
Section 334.90(e)(1) requires the initial written Program to be approved either by the board of directors or by an appropriate committee of the board. After the Program is in place, there must be continuing oversight, development (including modification), implementation (follow-through), and administration of the Program, as discussed below, under the supervision of either (1) the board, (2) an appropriate committee of the board, or (3) “a designated employee at the level of senior management.”
Proper administration includes training, as necessary, to effectively implement the Program. (It’s only necessary to train employees concerning portions of the Program that relate to their own jobs. Where existing employees already have certain training, the program does not require re-training on those points. New accounts personnel, for example, already have extensive training in CIP, which is an important part of a bank’s steps to prevent losses from identity theft in connection with opening of new accounts.
7. Interagency Guidelines
Appendix J to the regulation contains some lengthy identity-theft-related Interagency Guidelines. Much of the material now included in the Guidelines was originally intended to become part of the regulation itself. In response to comments that the proposed regulation (containing this information) was overly complicated and not flexible enough to recognize differences between institutions, the final version of the regulation was simplified and shortened. The material moved to the Guidelines is still strongly suggested but can be used in a more flexible way if that better fits the institution’s circumstances.
The stated purpose of the Guidelines is “to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of Section 334.90.” The Guidelines, although not absolutely mandatory, are still a highly recommended approach or blueprint for a financial institution to use in designing its “Identity Theft Prevention Program.”
It’s O.K. for a financial institution to ignore a portion of the Guidelines that does not apply to its own business and methods of operations; but when there is something in the Guidelines that clearly relates to a bank’s particular products, services and operations, that bank should either (a) follow what the Guidelines suggest, or (b) develop something different that is equally or more appropriate for dealing with identity-theft-related risks. The issue is what particular details are best suited to the bank’s own situation.
The Guidelines state that a financial institution or other creditor “may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety or soundness of the financial institution or creditor from identity theft.”
For example, every bank has a CIP policy. A Program’s identity-theft procedures in opening new accounts should refer to the bank’s existing CIP policy, which almost certainly will be the “centerpiece” of the bank’s efforts in that area. The Program may supplement the bank’s CIP program by listing some additional Red Flags, if appropriate, that address other identity-theft-related risks in opening “covered accounts”—if CIP does not completely something.
By contrast, in determining what would be an appropriate range of procedures for preventing or dealing with identity theft attempts on covered accounts that are already open, a bank’s Program may require a lot more detail. CIP (already in the past) is not so directly relevant to risk-prevention on existing accounts, and more information from the Guidelines (and the attached Supplement A) needs to be copied into the Program in this area.
8. Listing Appropriate Red Flags
The Guidelines suggest that relevant Red Flags should be chosen and incorporated from sources such as (1) incidents of identity theft that the financial institution or creditor has experienced: (2) changes in methods of identity theft that reflect changing risks to customers and the institution; and (3) applicable supervisory guidance.
Supplement A to the Appendix J Guidelines sets out examples of Reg Flags in each of the following five categories: (1) Alerts, notifications, or other warnings, received from credit bureaus or service providers, such as fraud detection services; (2) Presentation of suspicious documents; (3) Presentation of suspicious personal identifying information, such as a suspicious address change; (4) The unusual use of, or other suspicious activity related to, a covered account; and (5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the institution.
9. Detecting Red Flags
A bank’s Program must include steps to detect Red Flags (as they occur) in connection with both (a) the opening of covered accounts, and (b) existing covered accounts.
The Program should include obtaining identifying information about, and verifying the identity of, a person opening an account. As already stated, a bank’s CIP policy is the centerpiece of this particular requirement.
For existing covered accounts, the Program should include appropriate steps for authenticating customers (as they engage in certain types of transactions, such as cashing in a C.D., wiring funds, or accessing a safe deposit box), monitoring customer transactions, and verifying the validity of change-of-address requests.
10. Preventing/Mitigating Identity Theft
With CIP already a “given,” perhaps the next most important part of a bank’s Program should be to lay out what will be appropriate responses by the institution if some of the Red Flags listed in the Program actually occur. Employees need training not only in recognizing Red Flags as they happen, but also in making the correct responses to them, as set out in the Program.
Part IV of the Guidelines indicates that an institution’s response to a Red Flag should be “commensurate with the degree of risk posed.” In other words, it should be neither too much (overkill), nor too little (which would fail to adequately address the potential problem).
In determining an appropriate response to a Red Flag that is detected, an institution “should consider aggravating factors that may heighten the risk of identity theft,” such as a data security breach that results in unauthorized access to a customer’s account records, or notice to the financial institution that a customer has provided information related to a covered account to someone fraudulently claiming to represent the financial institution, or to a fraudulent website.
The Guidelines list some possible examples of appropriate responses to Red Flags that are detected: (a) monitoring a covered account for evidence of identity theft; (b) contacting the customer; (c) changing passwords, security codes or other security features that permit access to the account; (d) opening a new covered account to replace the account in question; (e) not opening a new covered account; (f) closing an existing covered account; (g) not attempting to collect on a covered account or not selling a covered account to a debt collector (after learning that a fraudster may have initiated the activity on the account, rather than the customer); (h) notifying law enforcement; or (i) determining that no response is warranted under the particular circumstances.
The adoption of a Program moves a bank in the direction of “something needs to happen” in response to an “identity theft risk” that arises, instead of taking a “do nothing” approach either because it’s easier, or because no one has adequately considered what would be an appropriate response in the situation.
11. Updating the Program
An institution’s Program (including its Red Flags) should be updated “periodically” (at no required interval) to reflect changes in risks to customers or to the safety and soundness of the financial institution from identity theft.
Factors to be taken into account as part of the updating include the following: (1) The financial institution or other creditor’s experiences with identity theft; (2) Changes in methods of identity theft; (3) Changes in methods to detect, prevent, and mitigate identity theft; (4) Changes in the types of accounts that the financial institution or creditor offers or maintains; and (5) Changes in the business arrangements of the financial institution, including mergers, acquisitions, joint ventures, and service provider arrangements.
12. Administering the Program
The Guidelines require (1) ongoing oversight of the institution’s Program, (2) annual reports, and (3) oversight of service provider arrangements.
After a bank’s Program is established, oversight can be managed either (a) by the board, (b) by an appropriate committee of the board, or (c) by a designated senior-management employee. Responsibility for the Program’s implementation must be specifically assigned in one of these three ways.
At least annually, staff of the financial institution must report to the oversight group concerning compliance by the financial institution with Section 334.90. Reports should address anything significant relating to the Program, and should evaluate (1) the effectiveness of the institution’s policies and procedures in addressing identity-theft risk in connection with opening covered accounts, and with respect to existing covered accounts: (2) service provider arrangements; (3) significant incidents that have occurred involving identity theft, and management’s response; and (4) recommendations for changes to the Program. (Feedback should be used to strengthen the Program’s effectiveness.)
Whenever an institution uses a service provider to perform any activity in connection with covered accounts, that institution should take steps to ensure that the service provider’s activity is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. (It’s possible that a service provider will work for many financial institutions, each of which has a somewhat different Program. The Guidelines do not require a service provider to comply with each institution’s own Program. Instead, the service provider must use “reasonable” policies and procedures.)
In its contract, an institution can require a service provider to use policies and procedures to detect relevant Reg Flags that may arise in the performance of the service provider’s activities. The service provider can be further required either (1) to report the Red Flags to the financial institution, or (2) to take appropriate steps itself to prevent or mitigate identity theft.
13. Other Legal Requirements
The Guidelines also refer to several other legal requirements that may apply. One is the duty to do suspicious activity reporting; another is the restrictions applicable when a credit report contains a fraud or active duty alert. A third is the requirement not to report credit information that may be inaccurate, and the duty to correct or update inaccurate or incomplete information. A fourth is the prohibition in 15 USC Section 1681m on selling, transferring, or placing for collection certain debts resulting from identity theft.
14. Address Discrepancy on Consumer Report
A separate new section of the regulation, 12 CFR Section 334.82, with the same effective dates, imposes duties on any user of consumer reports that receives a “notice of address discrepancy” from a consumer reporting agency.
The Fair Credit Reporting Act, at 15 USC Section 1681c(h)(1), requires a consumer reporting agency to give a user a notice of an “address discrepancy.” The regulation now defines “address discrepancy” and specifies what a “user of a consumer report” must do when it receives such a notice.
(The phrase “user of consumer reports” does not automatically include all financial institutions, nor is it limited just to financial institutions. If a bank obtains no credit reports, this particular provision will not apply. However, many companies and individuals other than financial institutions are also “users of consumer reports,” and they are definitely covered by the FTC version of the same regulation. Depending on the circumstances, any of following who use credit reports can also be subject to the regulation: (1) insurance companies processing applications for life insurance; (2) landlords reviewing prospective tenants; (3) cell-phone companies accepting new customers; and (4) employers reviewing job applications.)
Section 334.82(b) of the regulation clarifies that an “address discrepancy” means “a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.” A misspelling of a street name or a reversal of two digits in a street address would almost certainly not be a “substantial difference.”
By contrast, when an applicant lists a certain address on an application, and a credit report reflects only a totally different address for that consumer, a more serious problem may exist. The simplest explanation, and easiest to resolve, occurs when the credit bureau has not received information that a consumer has moved. Another explanation (unlikely) is that a credit transaction for another individual (perhaps with an identical name) has somehow gotten confused with the current applicant. But more dangerously, an imposter may be attempting to apply for credit by stealing a real consumer’s identity, while using an address not belonging to that consumer.
In situations where the “user” of a consumer report (including a bank) receives a “notice of address discrepancy” from a credit bureau, Section 334.82(c)(1) requires the user to “develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report.” By forcing the “user” to “form a reasonable belief” before proceeding further, the regulators basically bar the “user” of the consumer report from completing the transaction by using that credit report—until the address discrepancy can be resolved to the user’s reasonable satisfaction.
From one perspective, the requirement to always investigate a substantial difference in address is an increased regulatory burden. Someone who might be inclined to skip over an address discrepancy will no longer be able to do so. However, if a lender or other business needs good credit information to process an application, that purpose would be defeated by relying on a consumer report that possibly does not belong to the applicant. Taking steps to verify the correct address will help to protect a “real” consumer from identity theft, while also helping a bank to avoid fraud losses on applications by impostors.
Section 334.82(c)(2) gives some examples of “policies and procedures” for forming a reasonable belief that the consumer’s address is correct. These fall into two categories. The first approach compares information in the consumer report with information that the bank (or other company) already has in its files (applications, change of address notices, account records, and CIP documentation), or that it is currently obtaining (as part of CIP, or other information gathered from third-party sources).
The second method is to verify the conflicting address information in the consumer report with the customer. For example, if the consumer’s address on the application doesn’t match the credit report, a lender might ask, “Have you lived at any other address in the last two years?” If the applicant says, “No,” this would almost certainly be false. If the applicant says, “Yes,” the lender might ask the applicant verbally for the previous address and the circumstances. If the applicant then stumbles around in answering, this is a bad sign, but if he immediately gives the correct previous address, this is probably a good sign.
A lender also might ask the applicant why other creditors’ accounts continue to reflect the older address. One explanation might be that the borrower has a main residence and a second residence and lives at both addresses during different parts of the year, and a neighbor forwards mail. Another possibility is that the applicant has been transferred to a job in the new town, but the spouse and kids remain in the previous town until the house is sold or the school year is completed—and on that basis mail continues to come to the old address.
Usually there will be a very explainable reason for the discrepancy in addresses—and the lender may want to make notes of what it learns, for its file. By contrast, when an applicant can’t give a clear story to explain the address discrepancy, the “user” should probably not feel comfortable.
Section 334.82(d) goes a step farther. When a “user” has “reasonably confirmed” that an address is accurate, after receiving a “notice of address discrepancy,” that user must furnish the confirmed address to the credit bureau that provided the notice. The credit bureau can then update its records with a reliable address for the consumer. This also helps later “users,” who will not have to deal with a “notice of address discrepancy.”
To reduce the burden of reporting changed/corrected addresses to the credit bureau, Section 334.82(d)(1) limits the circumstances in which this is required: (1) The “user” must have a reasonable belief that it has “reasonably confirmed” the consumer’s address; (2) the requirement relates only to a time when the user “establishes a continuing relationship with the consumer” (in other words, only when opening an account, not when later reviewing one; never for a one-time transaction; and never if the account being considered is not actually approved or opened); and (3) the “user” must be one that “regularly and in the ordinary course of business furnishes information” to the credit bureau.
(Concerning the last requirement, an employer might occasionally obtain credit reports (with the applicant’s written consent) in connection with job applications, although it does not furnish any information to the credit bureau, or at least does not do so regularly.This “user” would drop out of the requirement to report a changed address. Similarly, a landlord may occasionally obtain credit reports on prospective tenants, without providing regular information to the credit bureau, and would also be excluded. By contrast, a large apartment complex, or a cell phone company, might regularly report credit information to the credit bureau, in addition to obtaining credit reports, and so would be covered by the requirement to report a changed address.)
If a “user” is required by the regulation to report a changed/corrected address to the credit bureau, this information must be included with what is regularly reported to the credit bureau during the same reporting period in which the “continuing relationship with the consumer” is set up.
15. Other Provisions
In addition to the matters discussed in this article, Section 334.91 of the regulation discusses certain “duties of card issuers concerning changes of address.” Also, Supplement A to the Guidelines provides 26 specific Red Flags that an institution may want to consider incorporating into its Program. I will discuss these two additional topics as part of my article next month.