WASHINGTON, - (November 14, 2007) - TO: Chief
Executive Officers and Compliance Officers of All National Banks, Federal Branches and Agencies, Third-Party Service Providers, Department and Division
Heads, and All Examining Personnel
The federal financial institution regulatory agencies and the Federal Trade Commission (agencies) are issuing a final rulemaking titled “Identity Theft Red
Flags and Address Discrepancies” to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. Covered financial institutions
and creditors will have until November 1, 2008, to comply with the final rules.
The final rules implementing section 114 require each financial institution and creditor that holds “covered accounts” to develop and implement a written
identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account
openings and existing accounts. A covered account is any consumer account, or any other account that the financial institution or creditor offers or
maintains for which there is a reasonably foreseeable risk to consumers or to the safety and soundness of the financial institution or creditor from
The agencies are issuing guidelines to assist covered entities in developing and implementing an identity theft prevention program. The guidelines include
a supplement that identifies 26 patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft. Entities may
consider these examples in identifying red flags that are relevant to detecting identity theft in connection with their own operations.
The final rules implementing section 114 also require credit card and debit card issuers to develop policies and procedures to assess the validity of a
notification of a change of address followed closely by a request for an additional or a replacement card.
Additional rules implementing section 315 require users of consumer reports, such as banks that use credit reports, to develop reasonable policies and
procedures regarding notices of address discrepancies they receive from a consumer reporting agency (CRA). If a user of a consumer report receives notice
from a CRA that a consumer’s address it has provided to obtain the report “substantially differs” from the consumer’s address in the CRA’s file, the user
must provide the CRA with an address for the consumer that the user has reasonably confirmed is accurate.
For questions concerning the final rulemaking, contact Amy Friend, Assistant Chief Counsel, at (202) 874-5200; Deborah Katz, Senior Counsel, or Andra
Shuster, Special Counsel, Legislative and Regulatory Activities Division, at (202) 874-5090; or Paul Utterback, National Bank Examiner, Compliance Policy
Division, at (202) 874-4428.
SOURCE: Comptroller of the Currency - Administrator of National Banks