The federal banking agencies have proposed a rule that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing and mitigating identity theft in connection with account opening and existing accounts.
The proposed regulations include guidelines listing patterns, practices and specific forms of activity that should raise a "red flag" signaling a possible risk of identity theft. Under proposed regulations, an identity theft prevention program established by a financial institution or creditor would have to include policies and procedures for detecting any "red flag" relevant to its own operations and implementing a mitigation strategy appropriate for the level of risk, according to a release from the agencies.
The proposed rule would implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Regulators also would require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address followed closely by a request for additional or replacement card.
The proposal lists 31 red flags in connection with an account application or an existing account, including:
As of press time, only two comments had been submitted to the FDIC in response to the proposal. Jim Franks, EVP at $69 million-asset Bank of Prescott (Prescott, Ariz.), entered his "strong objection" to the proposed rule. "Our bank is not a law enforcement agency. Identity theft can occur through no fault of a person, or it can be completely that person's fault because of gross negligence or incompetence. Either way, it is not the fault of our bank. Therefore, it begs the question as to why my bank should foot the bill and have to implement procedures to detect such things," Franks said in his comment letter, written on July 18.
"It is definitely apparent that identity theft is a growing problem," writes Tim Cooper, EVP, Spearman, Tex.-based First State Bank ($75 million), in his comment letter. "However, banks should not be placed in the position of policing this problem and definitely not be regulated to do so."
Banking advocates find fault with the documentation involved in the proposed rules. "Our concern is primarily the compliance burden," says Nessa Feddis, senior federal council at the American Bankers Association (Washington). The proposal listed numerous potential red flags, some of which aren't appropriate or effective for some institutions, Feddis says.
There should be a lot of flexibility in developing and crafting an identity theft prevention program. It shouldn't be one size fits all, Feddis says. The ABA plans to submit comments on the proposals urging the agencies to consider less rigid requirements.
"It's always hard requesting formal plans from financial institutions because things vary so much from institution to institution," says Ariana-Michele Moore, senior analyst in Celent's (Boston) banking group. Moore also expressed concerns about the effect the proposed rules could have on customers' access to credit. The rules could possibly delay the approval process, she says.
The proposal, released on July 18, has been reviewed and approved by the federal banking agencies, including the Federal Reserve, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the National Credit Union Association, and the Federal Trade Commission.
Comments on the proposal are due by Sept. 18.