Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 40786-40826 [06-6187]

Agencies

• FEDERAL DEPOSIT INSURANCE CORPORATION
• FEDERAL RESERVE SYSTEM
• FEDERAL TRADE COMMISSION
• National Credit Union Administration
• Office of the Comptroller of the Currency
• DEPARTMENT OF THE TREASURY
• Office of Thrift Supervision
• Comptroller of the Currency

[Federal Register Volume 71, Number 137 (Tuesday, July 18, 2006)]
[Proposed Rules]
[Pages 40786-40826]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-6187]



[[Page 40785]]

  
  
  
  
  
  
-----------------------------------------------------------------------


Part II

Department of the Treasury



Office of the Comptroller of the Currency



12 CFR Part 41



Federal Reserve System

12 CFR Part 222



Federal Deposit Insurance Corporation

12 CFR Parts 334 and 364



Department of the Treasury



Office of Thrift Supervision

12 CFR Part 571



National Credit Union Administration

12 CFR Part 717



Federal Trade Commission

16 CFR Part 681



-----------------------------------------------------------------------



Identity Theft Red Flags and Address Discrepancies Under the Fair and 
Accurate Credit Transactions Act of 2003; Proposed Rule

Federal Register / Vol. 71, No. 137 / Tuesday, July 18, 2006 / 
Proposed Rules

[[Page 40786]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 41

[Docket No. 06-07]
RIN 1557-AC87

FEDERAL RESERVE SYSTEM

12 CFR Part 222

[Docket No. R-1255]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 334 and 364

RIN 3064-AD00

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 571

[No. 2006-19]
RIN 1550-AC04

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 717

FEDERAL TRADE COMMISSION

16 CFR Part 681

RIN 3084-AA94


Identity Theft Red Flags and Address Discrepancies Under the Fair 
and Accurate Credit Transactions Act of 2003

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, 
Treasury (OTS); National Credit Union Administration (NCUA); and 
Federal Trade Commission (FTC or Commission).

ACTION: Joint notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) request 
comment on a proposal that would implement sections 114 and 315 of the 
Fair and Accurate Credit Transactions Act of 2003 (FACT Act). As 
required by section 114, the Agencies are jointly proposing guidelines 
for financial institutions and creditors identifying patterns, 
practices, and specific forms of activity, that indicate the possible 
existence of identity theft. The Agencies also are proposing joint 
regulations requiring each financial institution and creditor to 
establish reasonable policies and procedures for implementing the 
guidelines, including a provision requiring credit and debit card 
issuers to assess the validity of a request for a change of address 
under certain circumstances.
    In addition, the Agencies are proposing joint regulations under 
section 315 that provide guidance regarding reasonable policies and 
procedures that a user of consumer reports must employ when such a user 
receives a notice of address discrepancy from a consumer reporting 
agency.

DATES: Comments must be submitted on or before September 18, 2006.

ADDRESSES: The Agencies will jointly review all of the comments 
submitted. Therefore, you may comment to any of the Agencies and you 
need not send comments (or copies) to all of the Agencies. Because 
paper mail in the Washington area and at the Agencies is subject to 
delay, please submit your comments by e-mail whenever possible. 
Commenters are encouraged to use the title ``Red Flags Rule'' in 
addition to the docket or RIN number to facilitate the organization and 
distribution of comments among the Agencies. Interested parties are 
invited to submit comments in accordance with the following 
instructions:
    OCC: You should designate OCC in your comment and include Docket 
Number 06-07. You may submit comments by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     OCC Web site: https://www.occ.treas.gov. Click on ``Contact 
the OCC,'' scroll down and click on ``Comments on Proposed 
Regulations.''
     E-mail address: regs.comments@occ.treas.gov.
     Fax: (202) 874-4448.
     Mail: Office of the Comptroller of the Currency, 250 E 
Street, SW., Public Reference Room, Mail Stop 1-5, Washington, DC 
20219.
     Hand Delivery/Courier: 250 E Street, SW., Attn: Public 
Reference Room, Mail Stop 1-5, Washington, DC 20219.
    Instructions: All submissions received must include the agency name 
(OCC) and docket number or Regulatory Information Number (RIN) for this 
notice of proposed rulemaking. In general, the OCC will enter all 
comments received into the docket without change, including any 
business or personal information that you provide.
    You may review the comments received by the OCC and other related 
materials by any of the following methods:

     Viewing Comments Personally: You may personally inspect 
and photocopy comments received at the OCC's Public Reference Room, 250 
E Street, SW., Washington, DC. You can make an appointment to inspect 
comments by calling (202) 874-5043.
     Viewing Comments Electronically: You may request e-mail or 
CD-ROM copies of comments that the OCC has received by contacting the 
OCC's Public Reference Room at regs.comments@occ.treas.gov.
     Docket: You may also request available background 
documents using the methods described earlier.

    Board: You may submit comments, identified by Docket No. R-1255, by 
any of the following methods:
     Agency Web site: https://www.federalreserve.gov. Follow the 
instructions for submitting comments at https://www.federalreserve.gov/
generalinfo/foia/ProposedRegs.cfm.
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@federalreserve.gov. Include docket 
number in the subject line of the message.
     FAX: 202/452-3819 or 202/452-3102.
     Mail: Jennifer J. Johnson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue, 
NW., Washington, DC 20551.

    All public comments are available from the Board's Web site at 
www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, 
unless modified for technical reasons. Accordingly, your comments will 
not be edited to remove any identifying or contact information. Public 
comments may also be viewed electronically or in paper in Room MP-500 
of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. 
and 5 p.m. on weekdays.

    FDIC: You may submit comments, identified by RIN number by any of 
the following methods:
     Agency Web site: https://www.fdic.gov/regulations/laws/
federal/propose.html. Follow instructions for submitting comments on 
the Agency Web site.
     E-mail: Comments@FDIC.gov. Include the RIN number in the 
subject line of the message.

[[Page 40787]]

     Mail: Robert E. Feldman, Executive Secretary, Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
     Hand Delivery/Courier: Guard station at the rear of the 
550 17th Street Building (located on F Street) on business days between 
7 a.m. and 5 p.m.
     Instructions: All submissions received must include the 
agency name and RIN for this rulemaking. All comments received will be 
posted without change to https://www.fdic.gov/regulations/laws/federal/
propose.html including any personal information provided. Comments may 
be inspected at the FDIC Public Information Center, Room E-1002, 3502 
North Fairfax Drive, Arlington, VA, 22226, between 9 a.m. and 5 p.m. on 
business days.

    OTS: You may submit comments, identified by No. 2006-19, by any of 
the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     E-mail: regs.comments@ots.treas.gov. Please include No. 
2006-19 in the subject line of the message and include your name and 
telephone number in the message.
     Fax: (202) 906-6518.
     Mail: Regulation Comments, Chief Counsel's Office, Office 
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, 
Attention: No. 2006-19.
     Hand Delivery/Courier: Guard's Desk, East Lobby Entrance, 
1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: 
Regulation Comments, Chief Counsel's Office, Attention: No. 2006-19.
    Instructions: All submissions received must include the agency name 
and number or Regulatory Information Number (RIN) for this rulemaking. 
All comments received will be posted without change to https://
www.ots.treas.gov/pagehtml.cfm?catNumber=67&an=1, including any 
personal information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.ots.treas.gov/
pagehtml.cfm?catNumber=67&an=1. In addition, you may inspect comments 
at the Public Reading Room, 1700 G Street, NW, by appointment. To make 
an appointment for access, call (202) 906-5922, send an e-mail to 
public.info@ots.treas.gov, or send a facsimile transmission to (202) 
906-7755. (Prior notice identifying the materials you will be 
requesting will assist us in serving you.) We schedule appointments on 
business days between 10 a.m. and 4 p.m. In most cases, appointments 
will be available the next business day following the date we receive a 
request.

    NCUA: You may submit comments by any of the following methods 
(Please send comments by one method only):
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     NCUA Web site: https://www.ncua.gov/
RegulationsOpinionsLaws/proposedregs/proposedregs.html. Follow the 
instructions for submitting comments.
     E-mail: Address to regcomments@ncua.gov. Include ``[Your 
name] Comments on Proposed Rule 717, Identity Theft Red Flags,'' in the 
e-mail subject line.
     Fax: (703) 518-6319. Use the subject line described above 
for e-mail.
     Mail: Address to Mary F. Rupp, Secretary of the Board, 
National Credit Union Administration, 1775 Duke Street, Alexandria, 
Virginia 22314-3428.
     Hand Delivery/Courier: Same as mail address.

    FTC: Comments should refer to ``The Red Flags Rule, Project No. 
R611019,'' and may be submitted by any of the following methods. 
However, if the comment contains any material for which confidential 
treatment is requested, it must be filed in paper form, and the first 
page of the document must be clearly labeled ``Confidential.'' \1\
---------------------------------------------------------------------------

    \1\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be 
accompanied by an explicit request for confidential treatment, 
including the factual and legal basis for the request, and must 
identify the specific portions of the comment to be withheld from 
the public record. The request will be granted or denied by the 
Commission's General Counsel, consistent with applicable law and the 
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

     E-mail: Comments filed in electronic form should be 
submitted by clicking on the following Web link: https://
secure.commentworks.com/ftc-redflags and following the instructions on 
the Web-based form. To ensure that the Commission considers an 
electronic comment, you must file it on the Web-based form at https://
secure.commentworks.com/ftc-redflags.
     Federal eRulemaking Portal: If this notice appears at 
https://www.regulations.gov, you may also file an electronic comment 
through that Web site. The Commission will consider all comments that 
regulations.gov forwards to it.
     Mail or Hand Delivery: A comment filed in paper form 
should include ``The Red Flags Rule, Project No. R611019,'' both in the 
text and on the envelope and should be mailed or delivered, with two 
complete copies, to the following address: Federal Trade Commission/
Office of the Secretary, Room H-135 (Annex M), 600 Pennsylvania Avenue, 
NW., Washington, DC 20580. Because paper mail in the Washington area 
and at the Commission is subject to delay, please consider submitting 
your comments in electronic form, as prescribed above. The FTC is 
requesting that any comment filed in paper form be sent by courier or 
overnight service, if possible.
    Comments on any proposed filing, recordkeeping, or disclosure 
requirements that are subject to paperwork burden review under the 
Paperwork Reduction Act should additionally be submitted to: Office of 
Management and Budget, Attention: Desk Officer for the Federal Trade 
Commission. Comments should be submitted via facsimile to (202) 395-
6974 because U.S. Postal Mail is subject to lengthy delays due to 
heightened security precautions.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. All timely and responsive public comments, whether filed 
in paper or electronic form, will be considered by the Commission, and 
will be available to the public on the FTC Web site, to the extent 
practicable, at https://www.ftc.gov/os/publiccomments.htm. As a matter 
of discretion, the FTC makes every effort to remove home contact 
information for individuals from the public comments it receives before 
placing those comments on the FTC Web site. More information, including 
routine uses permitted by the Privacy Act, may be found in the FTC's 
privacy policy, at https://www.ftc.gov/ftc/privacy.htm.

FOR FURTHER INFORMATION CONTACT: OCC: Amy Friend, Assistant Chief 
Counsel, (202) 874-5200; Deborah Katz, Senior Counsel, or Andra 
Shuster, Special Counsel, Legislative and Regulatory Activities 
Division, (202) 874-5090; Paul Utterback, Compliance Specialist, 
Compliance Department, (202) 874-5461; or Aida Plaza Carter, Director, 
Bank Information Technology, (202) 874-4740, Office of the Comptroller 
of the Currency, 250 E Street, SW., Washington, DC 20219.
    Board: David A. Stein, Counsel, or Ky Tran-Trong, Senior Attorney, 
Division of Consumer and Community Affairs, (202) 452-3667; Andrew 
Miller, Counsel, Legal Division, (202) 452-

[[Page 40788]]

3428; or John Gibbons, Supervisory Financial Analyst, Division of 
Banking Supervision and Regulation, (202) 452-6409, Board of Governors 
of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 
20551.
    FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898-3872 or 
David P. Lafleur, Policy Analyst, (202) 898-6569, Division of 
Supervision and Consumer Protection; Richard M. Schwartz, Counsel, 
(202) 898-7424, or Richard B. Foley, Counsel, (202) 898-3784, Legal 
Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
    OTS: Glenn Gimble, Senior Project Manager, Operation Risk, (202) 
906-7158; Kathleen M. McNulty, Technology Program Manager, Information 
Technology Risk Management, (202) 906-6322; or Richard Bennett, 
Counsel, Regulations and Legislation Division, (202) 906-7409, Office 
of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.
    NCUA: Regina M. Metz, Staff Attorney, Office of General Counsel, 
(703) 518-6540, National Credit Union Administration, 1775 Duke Street, 
Alexandria, VA 22314-3428.
    FTC: Naomi B. Lefkovitz, Attorney, Division of Privacy and Identity 
Protection, Bureau of Consumer Protection, (202) 326-3228, Federal 
Trade Commission, 600 Pennsylvania Avenue, NW., Washington DC 20580

SUPPLEMENTARY INFORMATION: This notice contains the following sections:

I. Section 114 of the FACT Act

A. Background

    The President signed the FACT Act into law on December 4, 2003. 
Pub. L. 108-159 (2003). The FACT Act added several new provisions to 
the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 et seq., 
that relate to the detection, prevention, and mitigation of identity 
theft.\2\ Section 114 amends section 615 of the FCRA and requires the 
Agencies to jointly issue guidelines for financial institutions and 
creditors regarding identity theft with respect to their account 
holders and customers. In developing the guidelines, the Agencies must 
identify patterns, practices, and specific forms of activity that 
indicate the possible existence of identity theft. The guidelines must 
be updated as often as necessary, and cannot be inconsistent with the 
policies and procedures required under section 326 of the USA PATRIOT 
Act, 31 U.S.C. 5318(l), which requires verification of the identity of 
persons opening new accounts.
---------------------------------------------------------------------------

    \2\ Section 111 of the FACT Act defines ``identity theft'' as 
``a fraud committed using the identifying information of another 
person, subject to such further definition as the [Federal Trade] 
Commission may prescribe, by regulation.'' 15 U.S.C. 1681a(q)(3).
---------------------------------------------------------------------------

    Section 114 also directs the Agencies to consider including 
reasonable guidelines providing that a financial institution or 
creditor ``shall follow reasonable policies and procedures'' for 
notifying the consumer, ``in a manner reasonably designed to reduce the 
likelihood of identity theft,'' when a transaction occurs in connection 
with a consumer's credit or deposit account that has been inactive for 
two years.
    In addition, the Agencies must jointly prescribe regulations 
requiring each financial institution and creditor to establish 
reasonable policies and procedures for implementing the guidelines to 
identify possible risks to account holders or customers or to the 
safety and soundness of the institution or customer.
    The joint regulations must include a provision generally requiring 
credit and debit card issuers to assess the validity of change of 
address requests. In particular, if the card issuer receives a notice 
of change of address for an existing account, and within a short period 
of time (during at least the first 30 days) receives a request for an 
additional or replacement card for the same account, the issuer must 
follow reasonable policies and procedures designed to prevent identity 
theft. Under these circumstances, the card issuer may not issue the 
card unless it (1) Notifies the cardholder of the request at the 
cardholder's former address and provides the cardholder with a means to 
promptly report an incorrect address; (2) notifies the cardholder of 
the address change request by another means of communication previously 
agreed to by the issuer and the cardholder; or (3) uses other means of 
evaluating the validity of the address change in accordance with the 
reasonable policies and procedures established by the card issuer to 
comply with the joint regulations.
    Section 114 broadly describes elements that belong in the 
regulations and those that belong in the ``guidelines'' without 
defining this term. The Agencies are proposing to implement the 
requirements of section 114 through regulations (Red Flag Regulations) 
requiring each financial institution and creditor to implement a 
written Identity Theft Prevention Program (Program). The Program must 
contain reasonable policies and procedures to address the risk of 
identity theft. The Agencies also are proposing guidelines that 
identify patterns, practices, and specific forms of activity that 
indicate a possible risk of identity theft (Red Flag Guidelines or 
Appendix J). As required by statute, the Agencies will update the Red 
Flag Guidelines as often as necessary. The proposed Red Flag 
Regulations require financial institutions and creditors to incorporate 
relevant indicators of identity theft into their Programs. The Agencies 
request comment on whether the elements described in section 114 have 
been properly allocated between the proposed regulations and the 
proposed guidelines.
    As required by section 114, the Agencies also are proposing joint 
regulations requiring credit card issuers to implement reasonable 
policies and procedures to assess the validity of a change of address.

B. Proposed Red Flag Regulations

1. Overview
    The Agencies are proposing Red Flag Regulations that adopt a 
flexible risk-based approach similar to the approach used in the 
``Interagency Guidelines Establishing Information Security Standards'' 
\3\ issued by the Federal banking agencies (FDIC, Board, OCC and OTS), 
the ``Guidelines for Safeguarding Member Information'' issued by the 
NCUA,\4\ and the ``Standards for Safeguarding Customer Information'' 
\5\ issued by the FTC, (collectively, Information Security Standards), 
to implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 
U.S.C. 6801.
---------------------------------------------------------------------------

    \3\ 12 CFR part 30, app. B (national banks); 12 CFR part 208, 
app. D-2 and part 225, app. F (state member banks and holding 
companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR 
part 570, app. B (savings associations).
    \4\ 12 CFR part 748, app. A.
    \5\ 16 CFR part 314.
---------------------------------------------------------------------------

    Under the proposed Red Flag Regulations, financial institutions and 
creditors must have a written Program that is based upon the risk 
assessment of the financial institution or creditor and that includes 
controls to address the identity theft risks identified. Like the 
program described in the Agencies' Information Security Standards, this 
Program must be appropriate to the size and complexity of the financial 
institution or creditor and the nature and scope of its activities, and 
be flexible to address changing identity theft risks as they arise. A 
financial institution or creditor may wish to combine its program to 
prevent identity theft with its information security program, as these 
programs are complementary in many ways.\6 \
---------------------------------------------------------------------------

    \6\ The Agencies note, however, that some creditors covered by 
the proposed Red Flag Guidelines are not financial institutions 
subject to Title V of the GLBA and, therefore, are not required to 
have an information security program under the GLBA. Moreover, the 
term ``customer'' is defined more broadly in the proposed Red Flag 
Regulations than in the Information Security Standards.

---------------------------------------------------------------------------

[[Page 40789]]

    Briefly summarized, under the proposed Red Flag Regulations, the 
Program of each financial institution or creditor must be designed to 
address the risk of identity theft to customers and to the safety and 
soundness of the financial institution or creditor. The Program must 
include policies and procedures to prevent identity theft from 
occurring, including policies and procedures to:
     Identify those Red Flags that are relevant to detecting a 
possible risk of identity theft to customers or to the safety and 
soundness of the financial institution or creditor;
     Verify the identity of persons opening accounts;
     Detect the Red Flags that the financial institution or 
creditor identifies as relevant in connection with the opening of an 
account or any existing account;
     Assess whether the Red Flags detected evidence a risk of 
identity theft;
     Mitigate the risk of identity theft, commensurate with the 
degree of risk posed;
     Train staff to implement the Program; and
     Oversee service provider arrangements.
    The proposed Red Flag Regulations also require the board of 
directors or an appropriate committee of the board to approve the 
Program. In addition, the board, an appropriate committee of the board, 
or senior management must exercise oversight over the Program's 
implementation. Staff implementing the Program must report to its 
board, an appropriate committee or senior management, at least 
annually, on compliance by the financial institution or creditor with 
the Red Flag Regulations. These Regulations are described in greater 
detail in the section-by-section analysis that follows.
2. Proposed Red Flag Regulations: Section-by-Section Analysis
    The OCC, Board, FDIC, OTS and NCUA propose putting the Red Flag 
Regulations and Guidelines in the FCRA part of their regulations, 12 
CFR parts 41, 222, 334, 571, and 717, respectively. In addition, the 
FDIC proposes to cross-reference the Red Flag Regulations and 
Guidelines in 12 CFR part 364. For ease of reference, the discussion in 
this preamble uses the shared numerical suffix of each of these 
agency's regulations.\7\
---------------------------------------------------------------------------

    \7\ The FTC also proposes putting the Red Flag Regulations and 
Guidelines in the FCRA part of its regulations, specifically 16 CFR 
part 681. However, the FTC uses different numerical suffixes that 
equate to the numerical suffixes discussed in the preamble as 
follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 = 
FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition, 
the Appendix J referenced in the preamble equates to Appendix A for 
the FTC.
---------------------------------------------------------------------------

Section ----.90 Duties regarding the detection, prevention, and 
mitigation of identity theft
Section ----.90(a) Purpose and Scope
    Proposed Sec.  ----.90(a) sets forth the statutory authority for 
the proposed Red Flag Regulations, namely, section 114 of the FACT Act, 
which amends section 615 of the FCRA, 15 U.S.C. 1681m. It also defines 
the scope of this section; each of the Agencies has tailored this 
paragraph to describe those entities to which this section applies.
Section ----.90(b) Definitions
    Proposed Sec.  ----.90(b) sets forth the definitions of various 
terms that apply to this section.
    1. Account. Section 114 of the FACT Act does not use the term 
``account.'' However, for ease of reference, the Agencies believe it is 
helpful to identify a single term to describe the relationships covered 
by section 114 that an account holder or customer may have with a 
financial institution or creditor. Therefore, for purposes of the Red 
Flag Regulations, the Agencies propose to use the term ``account'' to 
broadly describe the various relationships an account holder or 
customer may have with a financial institution or creditor that may 
become subject to identity theft.\8\
---------------------------------------------------------------------------

    \8\ The Agencies recognize that, in other contexts, the FCRA 
defines the term ``account'' narrowly to describe certain deposit 
relationships. See 15 U.S.C. 1681a(r)(4).
---------------------------------------------------------------------------

    The proposed definition of ``account'' is similar to the definition 
of ``customer relationship'' found in the Agencies' privacy 
regulations.\9\ In particular, the proposed definition of ``account'' 
is ``a continuing relationship established to provide a financial 
product or service that a financial holding company could offer by 
engaging in an activity that is financial in nature or incidental to 
such a financial activity under section 4(k) of the Bank Holding 
Company Act, 12 U.S.C. 1843(k).'' \10\ The definition gives examples of 
an ``account'' including an extension of credit for personal, family, 
household or business purposes (such as a credit card account, margin 
account, or retail installment sales contract, including a car loan or 
lease), and a demand deposit, savings or other asset account for 
personal, family, household or business purposes (such as a checking or 
savings account). While the proposed definition of ``account'' is 
expansive, the risk-based nature of the proposed Red Flag Regulations 
affords each financial institution or creditor flexibility to determine 
which relationships will be covered by its Program through a risk 
evaluation process.
---------------------------------------------------------------------------

    \9\ See 12 CFR 40.3(i)(1) (OCC); 12 CFR 216.3(i)(1) (Board); 12 
CFR 332.3(i)(1) (FDIC); 12 CFR 573.3(i)(1) (OTS); 12 CFR 716.3(j) 
(NCUA); and 16 CFR 313.3(i)(1) (FTC).
    \10\ See 12 CFR 225.86 for a description of activities that are 
``financial in nature or incidental to a financial activity,'' and 
explanation that these include activities that are ``closely related 
to banking,'' as set forth in 12 CFR 225.28, such as fiduciary, 
agency, custodial, brokerage and investment advisory activities.
---------------------------------------------------------------------------

    The Agencies request comment on the scope of the proposed 
definition of ``account.'' In particular, the Agencies solicit comment 
on whether reference to ``financial products and services that a 
financial holding company could offer by engaging in an activity that 
is financial in nature or incidental to such a financial activity under 
section 4(k) of the Bank Holding Company Act'' is appropriate to 
describe the relationships that an account holder or customer may have 
with a financial institution or creditor that should be covered by the 
Red Flag Regulations. The Agencies also request comment on whether the 
definition of ``account'' should include relationships that are not 
``continuing'' that a person may have with a financial institution or 
creditor. In addition, the Agencies request comment on whether 
additional or different examples of accounts should be added to the 
Regulations.
    2. Board of Directors. The proposed Red Flag Regulations discuss 
the role of the board of directors of a financial institution or 
creditor. However, the Agencies recognize that some of the financial 
institutions and creditors covered by the Regulations will not have a 
board of directors. Therefore, in addition to its plain meaning, the 
proposed definition of ``board of directors'' includes, in the case of 
a foreign branch or agency of a foreign bank, the managing official in 
charge of the branch or agency. In the case of any other creditor that 
does not have a board of directors, ``board of directors'' is defined 
as a designated employee.
    3. Customer. Section 114 of the FACT Act refers to ``account 
holders'' and ``customers'' of financial institutions and creditors 
without defining either of these terms. For ease of reference, the

[[Page 40790]]

Agencies are proposing to define ``customer'' to encompass both 
``customers'' and ``account holders.'' Thus, ``customer'' means a 
person that has an account with a financial institution or creditor.
    The proposed definition of ``customer'' is broader than the 
definition of this term in the Information Security Standards. The 
proposed definition applies to any ``person,'' defined by the FCRA as 
any individual, partnership, corporation, trust, estate, cooperative, 
association, government or governmental subdivision or agency, or other 
entity.\11\
---------------------------------------------------------------------------

    \11\ See 15 U.S.C. 1681a(b).
---------------------------------------------------------------------------

    The Agencies chose this broad definition because, in addition to 
individuals, various types of entities (e.g., small businesses) can be 
victims of identity theft. Although the definition of ``customer'' is 
broad, a financial institution or creditor would have the discretion to 
determine which type of customer accounts will be covered under its 
Program, since the proposed Red Flag Regulations are risk-based.\12\ 
The Agencies solicit comment on the scope of the proposed definition of 
``customer.''
---------------------------------------------------------------------------

    \12\ Under proposed Sec.  ----.90(d)(1), this determination must 
be substantiated by a risk evaluation that takes into consideration 
which customer accounts of the financial institution or creditor are 
subject to a risk of identity theft.
---------------------------------------------------------------------------

    4. Identity Theft. The proposed definition of ``identity theft'' 
states that this term has the same meaning as in 16 CFR 603.2(a). 
Section 111 of the FACT Act added several new definitions to the FCRA, 
including ``identity theft.'' However, section 111 granted authority to 
the FTC to further define this term.\13\ The FTC exercised this 
authority and issued a final rule, which became effective on December 
1, 2004, that defines ``identity theft'' as ``a fraud committed or 
attempted using the identifying information of another person without 
authority.'' \14\ The FTC's rule defines ``identifying information'' to 
mean any name or number that may be used, alone or in conjunction with 
any other information, to identify a specific person, such as a name, 
social security number, date of birth, official State or government 
issued driver's license or identification number, alien registration 
number, government passport number, or employer or taxpayer 
identification number.\15\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 1681a(q)(3).
    \14\ 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)).
    \15\ See 16 CFR 603.2(b) for additional examples of 
``identifying information,'' including unique biometric identifiers.
---------------------------------------------------------------------------

    This definition of ``identity theft'' in the FTC's rule would be 
applicable to the Red Flag Regulations. Accordingly, ``identity theft'' 
within the meaning of the proposed Red Flag Regulations includes both 
actual and attempted identity theft.
    5. Red Flag. The proposed definition of a ``Red Flag'' is a 
pattern, practice, or specific activity that indicates the possible 
risk of identity theft. This definition is based on the statutory 
language. Section 114 states that in developing the Red Flag 
Guidelines, the Agencies must identify patterns, practices, and 
specific forms of activity that indicate ``the possible existence'' of 
identity theft. In other words, the Red Flags identified by the 
Agencies must be indicators of ``the possible existence'' of ``a fraud 
committed or attempted using the identifying information of another 
person without authority.'' \16\
---------------------------------------------------------------------------

    \16\ See 16 CFR 603.2(a)(defining ``identity theft'').
---------------------------------------------------------------------------

    Section 114 also states that the purpose of the Red Flag 
Regulations is to identify ``possible risks'' to account holders or 
customers or to the safety and soundness of the institution or 
``customer'' \17\ from identity theft. The Agencies believe that a 
``possible risk'' of identity theft may exist even where the ``possible 
existence'' of identity theft is not necessarily indicated. For 
example, electronic messages to customers of financial institutions and 
creditors directing them to a fraudulent website in order to obtain 
their personal information (``phishing''), and a security breach 
involving the theft of personal information often are a means to 
acquire the information of another person for use in committing 
identity theft. Because of the linkage between these events and 
identity theft, the Agencies believe that it is important to include 
such precursors to identity theft as Red Flags. Defining these early 
warning signals as Red Flags will better position financial 
institutions and creditors to stop identity theft at its inception. 
Therefore, the Agencies have defined ``Red Flags'' expansively to 
include those precursors to identity theft which indicate ``a possible 
risk'' of identity theft to customers, financial institutions, and 
creditors.
---------------------------------------------------------------------------

    \17\ Use of the term ``customer'' here appears to be a drafting 
error and likely should read ``creditor.'' Use of the term 
``customer'' here appears to be a drafting error and likely should 
read ``creditor.''
---------------------------------------------------------------------------

    The Agencies request comment on the scope of the definition of 
``Red Flags'' and, specifically, whether the definition of Red Flags 
should include precursors to identity theft.
    6. Service Provider. The proposed definition of ``service 
provider'' is a person that provides a service directly to the 
financial institution or creditor. This definition is based upon the 
definition of ``service provider'' in the Agencies'' standards 
implementing section 501(b) of the GLBA.\18\
---------------------------------------------------------------------------

    \18\ 12 CFR part 30, app. B (national banks); 12 CFR part 208, 
app. D-2 and part 225, app. F (state member banks and holding 
companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR 
part 570, app. B (savings associations); 12 CFR part 748, app. A 
(credit unions); 16 CFR part 314 (FTC regulated financial 
institutions).
---------------------------------------------------------------------------

Section ----.90(c) Identity Theft Prevention Program
    Proposed paragraph Sec.  ----.90(c) describes the primary 
objectives of the Program. It states that each financial institution or 
creditor must implement a written Program that includes reasonable 
policies and procedures to address the risk of identity theft to its 
customers and the safety and soundness of the financial institution or 
creditor, in the manner described in Sec.  ----.90(d). The program must 
address financial, operational, compliance, reputation, and litigation 
risks.
    The risks of identity theft to a customer may include financial, 
reputation and litigation risks that occur when another person uses a 
customer's account fraudulently, such as by using the customer's credit 
card account number to make unauthorized purchases. The risks of 
identity theft to the safety and soundness of the financial institution 
or creditor may include: compliance, reputation, or litigation risks 
for failure to adequately protect customers from identity theft; 
operational and financial risks from absorbing losses to customers who 
are the victims of identity theft; or losses to the financial 
institution or creditor from opening an account for a person engaged in 
identity theft. Addressing identity theft in these circumstances would 
not only benefit customers, but would also benefit the financial 
institution or creditor, and any person (who has no relationship with 
the financial institution or creditor) whose identity has been 
misappropriated.
    In addition, proposed paragraph Sec.  ----.90(c) states that the 
Program must be appropriate to the size and complexity of the financial 
institution or creditor and the nature and scope of its activities. 
Thus, the proposed Red Flag Regulations are flexible and take into 
account the operations of smaller institutions.\19\
---------------------------------------------------------------------------

    \19\ Agencies ``are expected to take into account the limited 
personnel and resources available to smaller institutions and craft 
such regulations and guidelines in a manner that does not unduly 
burden these smaller institutions.'' See 149 Cong. Rec. E2513 (daily 
ed. December 8, 2003) (statement Rep. Oxley).
---------------------------------------------------------------------------

    Proposed paragraph Sec.  ----.90(c) also states that the Program 
must address

[[Page 40791]]

changing identity theft risks as they arise based upon the experience 
of the financial institution or creditor with identity theft. In 
addition, the Program must also address changes in methods of identity 
theft, methods to detect, prevent, and mitigate identity theft, in the 
types of accounts the financial institution or creditor offers, and in 
its business arrangements, such as mergers and acquisitions, alliances 
and joint ventures, and service provider arrangements.
    Thus, to ensure the Program's effectiveness in addressing the risk 
of identity theft to customers and to its own safety and soundness, 
each financial institution or creditor must monitor, evaluate, and 
adjust its Program, including the type of accounts covered, as 
appropriate. For example, a financial institution or creditor must 
periodically reassess whether to adjust the types of accounts covered 
by its Program and whether to adjust the Red Flags that are a part of 
its Program based upon any changes in the types and methods of identity 
theft that it experiences.
Section----.90(d) Development and Implementation of Identity Theft 
Prevention Program.
1. Identification and Evaluation of Red Flags
i. Risk-Based Red Flags
    Under proposed paragraph Sec.  ----.90(d)(1)(i), the Program must 
include policies and procedures to identify which Red Flags, singly or 
in combination, are relevant to detecting the possible risk of identity 
theft to customers or to the safety and soundness of the financial 
institution or creditor, using the risk evaluation described in Sec.  
----.90(d)(1)(ii). The Red Flags identified must reflect changing 
identity theft risks to customers and to the financial institution or 
creditor as they arise. At a minimum, the Program must incorporate any 
relevant Red Flags from Appendix J, applicable supervisory guidance, 
incidents of identity theft that the financial institution or creditor 
has experienced, and methods of identity theft that the financial 
institution or creditor has identified that reflect changes in identity 
theft risks.
    The proposed Red Flags enumerated in Appendix J are indicators of a 
possible risk of identity theft that the Agencies compiled from 
literature on the topic, information from credit bureaus, financial 
institutions, creditors, designers of fraud detection software, and the 
Agencies' own experiences. Some of the Red Flags may, by themselves, be 
reliable indicators of a possible risk of identity theft, such as a 
photograph on identification that is not consistent with the appearance 
of the applicant. Some Red Flags may be less reliable except in 
combination with additional Red Flags, such as where a home phone 
number and address submitted on an application match the address and 
number provided by another applicant. Such a match may be attributable 
to identity theft or, for example, it may indicate that the two 
applicants who share a residence are opening separate accounts.
    The Agencies expect that the final Red Flag Regulations will apply 
to a wide variety of financial institutions and creditors that offer 
many different products and services, from credit cards to certain cell 
phone accounts. The Agencies are not proposing to prescribe which Red 
Flags will be relevant to a particular type of financial institution or 
creditor. For this reason, the proposed Regulations provide that each 
financial institution and creditor must identify for itself which Red 
Flags are relevant to detecting the risk of identity theft, based upon 
the risk evaluation described in Sec.  ----.90(d)(1)(ii).
    The Agencies recognize that some Red Flags that are relevant today 
may become obsolete as time passes. While the Agencies expect to update 
Appendix J periodically,\20\ it may be difficult to do so quickly 
enough to keep pace with rapidly evolving patterns of identity theft or 
as quickly as financial institutions and creditors experience new types 
of identity theft. The Agencies may, however, be able to issue 
supervisory guidance more rapidly. Therefore, proposed paragraph Sec.  
----.90(d)(1)(i) provides that each financial institution and creditor 
must have policies and procedures to identify any additional Red Flags 
that are relevant to detecting a possible risk of identity theft from 
applicable supervisory guidance, incidents of identity theft that the 
financial institution or creditor has experienced, and methods of 
identity theft that the financial institution or creditor has 
identified that reflect changes in identity theft risks.
---------------------------------------------------------------------------

    \20\ Section 114 directs the Agencies to update the guidelines 
as often as necessary. See 15 U.S.C. 1681m(e)(1)(a).
---------------------------------------------------------------------------

    Given the changing nature of identity theft, a financial 
institution or creditor must incorporate Red Flags on a continuing 
basis so that its Program reflects changing identity theft risks to 
customers and to the financial institution or creditor as they arise. 
Ultimately, a financial institution or creditor is responsible for 
implementing a Program that is designed to effectively detect, prevent, 
and mitigate identity theft. The Agencies request comment on whether 
the enumerated sources of Red Flags are appropriate.
    The Agencies understand that many financial institutions and 
creditors already have implemented sophisticated policies and 
procedures to detect and prevent fraud, including identity theft, 
through such methods as detection of anomalous patterns of account 
usage. Often these policies and procedures include the use of complex 
computer-based products, such as sophisticated software. The Agencies 
attempted to draft this section in a flexible, technologically neutral 
manner that would not require financial institutions or creditors to 
acquire expensive new technology to comply with the Red Flag 
Regulations, and also would not prevent financial institutions and 
creditors from continuing to use their own or a third party's computer-
based products. The Agencies note, however, that a financial 
institution or creditor that uses a third party's computer-based 
programs to detect fraud and identity theft must independently assess 
whether such programs meet the requirements of the Red Flag Regulations 
and Red Flag Guidelines and should not rely solely on the 
representations of the third party.
    The Agencies request comment on the anticipated impact of this 
proposed paragraph on the policies and procedures that financial 
institutions and creditors currently have to detect, prevent, and 
mitigate identity theft, including on third party computer-based 
products that are currently being used to detect identity theft.
ii. Risk Evaluation
    Proposed paragraph Sec.  ----.90(d)(1)(ii) provides that in order 
to identify which Red Flags are relevant to detecting a possible risk 
of identity theft to its customers or to its own safety and soundness, 
the financial institution or creditor must consider:
    A. Which of its accounts are subject to a risk of identity theft;
    B. The methods it provides to open these accounts;
    C. The methods it provides to access these accounts; and
    D. Its size, location, and customer base.
    This provision describes a key part of the Program of a financial 
institution or creditor. Under proposed paragraph Sec.  --
--.90(d)(1)(ii), the financial institution or creditor must define the 
scope of its Program by assessing which of its accounts are subject to 
a risk of identity theft. For example, the financial institution or 
creditor must assess

[[Page 40792]]

whether it will identify Red Flags in connection with extensions of 
credit only, or whether other types of relationships, such as deposit 
accounts, are likely to be subject to identity theft and should, 
therefore, be included in the scope of its Program. It must also assess 
whether to include solely the accounts of individual customers, or 
whether other types of accounts, such as those of small businesses, 
will be included in the scope of its Program. The financial institution 
or creditor must determine which Red Flags are relevant when it 
initially establishes its Program, and whenever it is necessary to 
address changing risks of identity theft.
    The factors enumerated in proposed Sec.  ----.90(d)(1)(ii) are 
nearly identical to those that each financial institution must consider 
when designing procedures for verifying the identity of customers 
opening new accounts in accordance with the Customer Identification 
Program (CIP) rules, issued to implement section 326 of the USA PATRIOT 
Act, 31 U.S.C. 5318(l).\21\ The Agencies believe that these CIP factors 
are equally relevant in the Red Flags context. For example, the Red 
Flags that may be relevant when an account is opened in a face-to-face 
transaction may be different from those relevant to an account that is 
opened remotely, by telephone, or over the Internet.
---------------------------------------------------------------------------

    \21\ See, e.g., 31 CFR 103.121 (banks, savings associations, 
credit unions, and certain non-federally regulated banks); 31 CFR 
103.122 (broker-dealers); 31 CFR 103.123 (futures commission 
merchants).
---------------------------------------------------------------------------

    The Agencies solicit comment on whether the factors that must be 
considered are appropriate and whether any additional factors should be 
included.
2. Identity Theft Prevention and Mitigation
    Proposed Sec.  ----.90(d)(2) states that the Program must include 
reasonable policies and procedures designed to prevent and mitigate 
identity theft in connection with the opening of an account or any 
existing account. This section then describes the following policies 
and procedures that the Program must include. Some of the policies and 
procedures relate solely to account openings. Others relate to existing 
accounts.
i. Verify Identity of Persons Opening Accounts
    Proposed paragraph Sec.  ----.90(d)(2)(i) states that the Program 
must include reasonable policies and procedures to obtain identifying 
information about, and verify the identity of, a person opening an 
account. This provision is designed to address the risk of identity 
theft to a financial institution or creditor that occurs in connection 
with the opening of new accounts.
    Some financial institutions and creditors already are subject to 
the CIP rules, which require verification of the identity of customers 
opening accounts. A financial institution or creditor may satisfy the 
proposed requirement in Sec.  ----.90(d)(2)(i) to have policies and 
procedures for verifying the identity of a person opening an account by 
applying the policies and procedures for identity verification it has 
developed to comply with the CIP rules. However, the financial 
institution or creditor must use the CIP policies and procedures to 
verify the identity of any ``customer,'' meaning any person that opens 
a new account, in connection with any type of ``account'' that its risk 
evaluation indicates could be the subject of identity theft. By 
contrast, the CIP rules exclude a variety of entities from the 
definition of ``customer'' and exclude a number of products and 
relationships from the definition of ``account.'' The Agencies are not 
proposing any exclusions from either of these terms given the risk-
based nature of the Red Flag Regulations.\22\
---------------------------------------------------------------------------

    \22\ See, e.g., 31 CFR 103.121(a).
---------------------------------------------------------------------------

    The Agencies recognize, however, that not all financial 
institutions and creditors that must implement the Red Flag Regulations 
are required to comply with the CIP rules. This provision would allow 
any financial institution or creditor to follow the CIP rules to 
satisfy the Red Flag requirements to obtain identifying information 
about, and verify the identity of, a person opening an account. This 
approach is designed to ensure that, as stated in section 114, the Red 
Flag Guidelines are not inconsistent with the policies and procedures 
required by the CIP rules.
ii. Detect Red Flags
    Proposed paragraph. Sec.  ----.90(d)(2)(ii) states that the Program 
must include reasonable policies and procedures to detect the Red Flags 
identified pursuant to paragraph Sec.  ----.90(d)(1).
iii. Assess the Risk of Identity Theft
    Proposed paragraph Sec.  ----.90(d)(2)(iii) states that the Program 
must include policies and procedures to assess whether the Red Flags 
the financial institution or creditor has detected pursuant to 
paragraph Sec.  ----.90(d)(2)(ii) evidence a risk of identity theft. It 
also states that a financial institution or creditor must have a 
reasonable basis for concluding that a Red Flag does not evidence a 
risk of identity theft.
    Factors indicating that a Red Flag does not evidence a risk of 
identity theft might include: Patterns of spending that are 
inconsistent with established patterns of activity on an account 
because the customer is traveling abroad, or an inconsistency between 
the social security number on an account application and a consumer 
report because numbers inadvertently were transposed during the 
application process.
iv. Address the Risk of Identity Theft
    Proposed paragraph Sec.  ----.90(d)(2)(iv) states that the Program 
must include policies and procedures that address the risk of identity 
theft to the customer, the financial institution, or creditor, 
commensurate with the degree of risk posed. The Regulations then 
provide an illustrative list of measures that a financial institution 
or creditor may take,\23\ including:
---------------------------------------------------------------------------

    \23\ In the case of credit, the Equal Credit Opportunity Act 
(ECOA), 15 U.S.C. 1691 et seq., applies. Under ECOA, it is unlawful 
for a creditor to discriminate against any applicant for credit 
because the applicant has in good faith exercised any right under 
the Consumer Credit Protection Act (CCPA). 15 U.S.C. 1691(a). A 
consumer who requests the inclusion of a fraud alert or active duty 
alert in his or her credit file is exercising a right under the 
FCRA, which is a part of the CCPA, 15 U.S.C. 1601 et seq. 15 U.S.C. 
1681c-1. Consequently, when a credit file contains a fraud or active 
duty alert, a creditor must take reasonable steps to verify the 
identity of the individual in accordance with the requirements in 15 
U.S.C. 1681c-1 before extending credit, closing an account, or 
otherwise limiting the availability of credit. The inability of a 
creditor to verify the individual's identity may indicate that the 
individual is engaged in identity theft and, in those circumstances, 
the creditor may decline to open an account, close an account or 
take other reasonable actions to limit the availability of credit.
---------------------------------------------------------------------------

    A. Monitoring an account for evidence of identity theft;
    B. Contacting the customer;
    C. Changing any passwords, security codes, or other security 
devices that permit access to a customer's account;
    D. Reopening an account with a new account number;
    E. Not opening a new account;
    F. Closing an existing account;
    G. Notifying law enforcement and, for those that are subject to 31 
U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with 
applicable law and regulation;
    H. Implementing any requirements regarding limitations on credit 
extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an 
additional credit card when the financial institution or creditor 
detects a fraud or active duty alert associated with the

[[Page 40793]]

opening of an account, or an existing account; or
    I. Implementing any requirements for furnishers of information to 
consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or 
update inaccurate or incomplete information.
    Financial institutions and creditors typically use such measures to 
mitigate the risk of identity theft. In addition, measures E through G 
are actions that each financial institution subject to the CIP rules 
must include in its procedures for responding to circumstances in which 
it cannot form a reasonable belief that it knows the true identity of a 
customer.\24\ Measure H describes the procedures required in section 
112 of the FACT Act, 15 U.S.C. 1681c-1(h), that are applicable to a 
prospective user of credit reports when a user obtains a credit report 
that includes a fraud alert or active duty alert. Measure I describes 
the requirements in section 623 of the FCRA, 15 U.S.C. 1681s-2, 
applicable to a furnisher of information to consumer reporting agencies 
that discovers inaccurate or incomplete information about a consumer.
---------------------------------------------------------------------------

    \24\ See, e.g., 31 CFR 103.121(b)(2)(iii).
---------------------------------------------------------------------------

    These measures illustrate various actions that a financial 
institution or creditor may take depending upon the degree of risk that 
is present. For example, a financial institution or creditor may choose 
to contact a customer to determine whether a material change in credit 
card usage reflects purchases made by the customer or unauthorized 
charges. However, if the financial institution or creditor is notified 
that a customer provided his or her password and account number to a 
fraudulent website, it likely will close the customer's existing 
account and reopen it with a new account number.
    The Agencies solicit comment on whether the enumerated measures 
should be included as examples that a financial institution or creditor 
may take and whether additional measures should be included.
3. Train Staff
    Under proposed paragraph Sec.  ----.90(d)(3), each financial 
institution or creditor must train staff to implement its Program. 
Proper training will enable staff to address the risk of identity 
theft. For example, staff should be trained to detect Red Flags with 
regard to new and existing accounts, such as discrepancies in 
identification presented by a person opening an account or anomalous 
wire transfers in connection with a customer's deposit account. Staff 
should also be trained to mitigate identity theft, for example, by 
recognizing when an account should not be opened.
4. Oversee Service Provider Arrangements
    Proposed paragraph Sec.  ----.90(d)(4) states that whenever a 
financial institution or creditor engages a service provider to perform 
an activity on its behalf that is covered by Sec.  ----.90, the 
financial institution or creditor must take steps designed to ensure 
that the activity is conducted in compliance with a Program that meets 
the requirements of paragraphs (c) and (d) of this section. For 
example, a financial institution or creditor that uses a service 
provider to open accounts on its behalf, may reserve for itself the 
responsibility to verify the identity of a person opening a new 
account, may direct the service provider to do so, or may use another 
service provider to verify identity. Ultimately, however, the financial 
institution or creditor remains responsible for ensuring that the 
activity is being conducted in compliance with a Program that meets the 
requirements of the Red Flag Regulations.
    In addition, this provision would allow a service provider that 
provides services to multiple financial institutions and creditors to 
conduct activities on behalf of these entities in accordance with its 
own program to prevent identity theft, as long as the program meets the 
requirements of the Red Flag Regulations. The service provider would 
not need to apply the particular Program of each individual financial 
institution or creditor to whom it is providing services.
    Under the Agencies' Information Security Standards, financial 
institutions must require their service providers by contract to 
safeguard customer information in any manner that meets the objectives 
of the Standards. The Standards provide flexibility for a service 
provider's information security measures to differ from the program 
that a financial institution implements. By contrast, the CIP 
regulations do not contain a service provider provision. Instead, the 
preamble to the CIP regulations simply states that the CIP regulations 
do not affect a financial institution's authority to contract for 
services to be performed by a third party either on or off the 
institution's premises, and also does not alter an institution's 
authority to use an agent to perform services on its behalf.\25\ The 
Agencies invite comment on whether permitting a service provider to 
implement a Program, including policies and procedures to identify and 
detect Red Flags, that differs from the programs of the individual 
financial institution or creditor to whom it is providing services, 
would fulfill the objectives of the Red Flag Regulations. The Agencies 
also invite comment on whether it is necessary to address service 
provider arrangements in the Red Flag Regulations, or whether it is 
self-evident that a financial institution or creditor remains 
responsible for complying with the standards set forth in the 
Regulations, including when it contracts with a third party to perform 
an activity on its behalf.
---------------------------------------------------------------------------

    \25\ 68 FR 25104 (May 9, 2003)(preamble to CIP rule applicable 
to banks, savings associations, and credit unions).
---------------------------------------------------------------------------

5. Involve the Board of Directors and Senior Management
    Proposed Sec.  ----.90(d)(5) highlights the responsibility of the 
board of directors and senior management to develop and implement the 
Program. The board of directors or an appropriate committee of the 
board must approve the written Program. The board, an appropriate 
committee of the board, or senior management is charged with overseeing 
the development, implementation, and maintenance of the Program, 
including assigning specific responsibility for its implementation. In 
addition, persons charged with overseeing the Program must review 
reports that must be prepared at least annually by staff regarding 
compliance by the financial institution or creditor with the Red Flag 
Regulations. The reports must discuss material matters related to the 
Program and evaluate issues such as: The effectiveness of the policies 
and procedures of the financial institution or creditor in addressing 
the risk of identity theft in connection with the opening of accounts 
and with respect to existing accounts; service provider arrangements; 
significant incidents involving identity theft and management's 
response; and recommendations for changes in the Program. This report 
will indicate whether the Program must be adjusted to increase its 
effectiveness.
    The Agencies request comment regarding the frequency with which 
reports should be prepared for the board, a board committee, or senior 
management. The Agencies also request comment on whether this paragraph 
properly allocates the responsibility for oversight and implementation 
of the Program between the board and senior management.

C. Proposed Red Flag Guidelines: Appendix J

    Section 114 of the FACT Act states that in developin