OCC Bulletin 2007-45| November 14, 2007
Identity Theft Red Flags and Address Discrepancies: Final Rulemaking
Chief Executive Officers and Compliance Officers of All National Banks, Federal Branches and Agencies, Third-Party Service Providers, Department and Division Heads, and All Examining Personnel
The guidance attached to this bulletin continues to apply to federal savings associations.
The federal financial institution regulatory agencies and the Federal Trade Commission (agencies) are issuing a final rulemaking titled "Identity Theft Red Flags and Address Discrepancies" to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. Covered financial institutions and creditors will have until November 1, 2008, to comply with the final rules.
The final rules implementing section 114 require each financial institution and creditor that holds "covered accounts" to develop and implement a written identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. A covered account is any consumer account, or any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to consumers or to the safety and soundness of the financial institution or creditor from identity theft.
The agencies are issuing guidelines to assist covered entities in developing and implementing an identity theft prevention program. The guidelines include a supplement that identifies 26 patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft. Entities may consider these examples in identifying red flags that are relevant to detecting identity theft in connection with their own operations.
The final rules implementing section 114 also require credit card and debit card issuers to develop policies and procedures to assess the validity of a notification of a change of address followed closely by a request for an additional or a replacement card.
Additional rules implementing section 315 require users of consumer reports, such as banks that use credit reports, to develop reasonable policies and procedures regarding notices of address discrepancies they receive from a consumer reporting agency (CRA). If a user of a consumer report receives notice from a CRA that a consumer's address it has provided to obtain the report "substantially differs" from the consumer’s address in the CRA's file, the user must provide the CRA with an address for the consumer that the user has reasonably confirmed is accurate.
You may direct any questions to your supervisory office or OCC Compliance Division (202) 649-5470.
Julie L. Williams
First Senior Deputy Comptroller and Chief Counsel