The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Trade Commission (collectively, the “Agencies”) issued October 31, 2007 final rules on identity theft red flags and notices of address discrepancies. Financial institutions and creditors are required to comply with the regulations if they offer or maintain “covered accounts,” defined as “(i) an account primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, or (ii) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.”
According to the final rules, financial institutions and creditors that offer or maintain covered accounts must develop and implement a written Identity Theft Prevention Program designed to combat theft with respect to both new and existing accounts. Such a program must provide that the financial institution or creditor is able to: (i) identify activity patterns that are “red flags” to possible identity theft (based upon, among other things, supervisory guidance and their own experience) and incorporate such red flags into the program; (ii) detect red flags incorporated into the program; (iii) respond to the red flags and attempt to mitigate any identity theft that has occurred; and (iv) ensure the program is periodically reviewed and updated to determine if components should be added or deleted.
As an aid to financial institutions subject to these rules, the Agencies included a supplement in the proposal that includes “patterns, practices, and specific forms of activity that indicate a possible risk of identity theft.”
Finally, the rules require credit and debit card issuers to develop policies and procedures with respect to accountholders’ request of a change in address followed shortly by a request for an additional or replacement card.
The final rules implement sections of the Fair and Accurate Credit Transactions Act of 2003. Mandatory compliance with the final rules is required by November 1, 2008.