Consumer Compliance Outlook > 2008 > Third Quarter 2008

Consumer Compliance Outlook: Third Quarter 2008

New Rules Set for Identity Theft Red Flags and Address Discrepancies

By Eddie Valentine, Supervising Examiner, Federal Reserve Bank of Philadelphia

President George W. Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) into law on December 4, 2003, in part to combat identity theft, which results in billions of dollars in losses each year to individuals and businesses. Section 114 of the FACT Act directs the federal banking agencies and the Federal Trade Commission (the agencies) to issue joint regulations and guidelines to address identity theft. In October 2007, the Agencies issued their final rules,¹ which impose the following requirements: 1) financial institutions must implement programs to prevent identity theft; and 2) credit and debit card issuers must develop policies and procedures to identify and resolve address discrepancies for debit and credit card accounts.

In addition, Section 315 of the FACT Act directs the agencies to issue joint regulations regarding address discrepancies. The Agencies' final rules require users of credit reports to follow specified procedures when they receive a notice from a consumer reporting agency of a substantial difference between a consumer's address that the user provided to request a consumer report and the address in the agency's file. This article summarizes the new rules, for which the mandatory compliance deadline is November 1, 2008.

Identity Theft Prevention Program

Financial institutions and creditors that offer or maintain covered accounts — which are defined in §222.90(b)(3) of the regulations as all consumer accounts that involve or are designed to permit multiple payments or transactions, and any other accounts (including business purpose accounts) for which there is a reasonable risk of identity theft — must develop and implement a written identity theft prevention program to combat identity theft with respect to new and existing covered accounts. The program must be tailored to the entity's size, its complexity, and the nature of its operations. Each program must satisfy the following requirements:

1. Identify relevant patterns, practices, and specific forms of activity that are red flags² signaling possible identity theft and incorporate those red flags into the program;
2. Detect red flags that have been incorporated into the program;
3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
4. Ensure that the program is updated periodically to reflect changes in risks from identity theft.

Board Approval and Oversight of the Identity Theft Prevention Program

The regulations also enumerate specific steps that financial institutions and creditors must undertake to administer their programs, including: (1) obtaining approval of the initial written program by the board of directors or a board committee; (2) ensuring oversight to develop, implement, and administer the program; (3) providing adequate training to staff; and (4) providing appropriate oversight of service provider arrangements. Guidelines are included in Appendix J of the regulations to assist financial institutions and creditors in developing and implementing a program that meets the specific requirements of the final rules.

Address Discrepancy Rules for Issuers of Credit and Debit Cards

Additionally, credit and debit card issuers must develop policies and procedures to verify a request for a change of address that is followed closely (within 30 days or a longer period established in a creditor's or a financial institution's procedures) by a request for an additional or replacement card. A card issuer cannot issue the additional or replacement card until it has verified the validity of the change of address request in accordance with the financial institution's policies and procedures. If a change of address request has been verified before a request for an additional or replacement card is received, it is not necessary to verify the address a second time before issuing the card.

Address Discrepancy Rules for Users of Consumer Reports

The address discrepancy rules apply to the user of a consumer report that receives notice from a nationwide consumer reporting agency that the address the user included in its request for a report and the address in the nationwide consumer reporting agency's files are substantially different. The rules impose two requirements to establish policies and procedures for responding to address discrepancy notices: one that applies to all users, and another that applies only to users in certain circumstances.

All users must establish reasonable policies and procedures to form a reasonable belief that the consumer whose report the user requested is the same consumer to whom the agency's report pertains. Section 222.82(c)(2) provides examples of acceptable procedures to accomplish this. A user must also develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from which it received the notice of address discrepancy when: 1) the user can form a reasonable belief that the person in the consumer report and the consumer about whom it requested the report are the same person; 2) the user establishes a continuing relationship with the consumer; and 3) the user regularly, in the course of business, furnishes information to the consumer reporting agency that alerted the user to the address discrepancy. Section 222.82(d)(2) provides examples of acceptable ways of verifying a consumer's address.

Final Thoughts

Financial institutions should have already started to formulate plans for implementing the new rules in anticipation of the November 1, 2008, deadline. In preparing for this deadline, financial institutions should consider the following:

• Setting up a task force to identify covered accounts and relevant red flags for such accounts, and to develop practices and procedures that must be followed when red flags are detected;
• Reviewing the guidelines in Appendix J of the regulations and considering which guidelines to include in your institution's program;
• Allowing sufficient time, prior to the mandatory compliance date, to present proposed identity theft programs to the board of directors for final approval; and
• Staying current on industry developments for any new types of identity theft risks that may affect your organization's customer and account base and adjusting your institution's program accordingly.

In designing its program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or to the creditor from identity theft. For example, an institution could include some of the policies and procedures it has established for new accounts under its customer identification program (CIP) required by the Treasury Department's BSA/AML and recordkeeping regulations.

Specific issues and questions about this article should be raised with the consumer compliance contact at your supervising Reserve Bank or with your primary regulator.

• ¹ edocket.access.gpo.gov
• ² A red flag is considered a pattern, practice, or specific activity that indicates the possible existence of identity theft. Supplement A to Appendix J of the regulations includes an illustrative list of examples of possible red flags.