FDIC’s Supervisory Policy on Identity Theft

For those financial institutions that have been putting off the education of their customers, it’s now time to sit up, take notice, and begin to take action. The FDIC’s issuance of a supervisory policy on identity theft on Wednesday means that all banks and financial institutions will be expected to take a more active role in detecting AND preventing identity theft affecting their customers.

The most recent data breach of TJX is a clear signal that business as usual for banks, in regard to how they approach customers’ concerns about their identity, is about to change. The FDIC’s expectations are also included in the letter; the active role that institutions need to take is laid out in the words, “detect, prevent and mitigate the effects of identity theft in order to protect consumers…”

This supervisory policy outlines the characteristics of identity theft, the FDIC response and its steps to address it, including its consumer education efforts. The letter refers to guidelines issued by the FDIC, together with other federal agencies, that require banks to develop and implement a written program to safeguard customer information, including the proper disposal of consumer information. This letter, along with other guidance on strong authentication measures, is included with a number of other supervisory guidance documents outlining the FDIC’s position and expectations concerning identity theft. Industry compliance with these expectations will help to prevent and mitigate the effects of identity theft.

The supervisory policy also outlines the actions that are taken by FDIC’s Risk Management/IT examiners in conjunction with BSA to identify identity theft issues. The IT examiners will consult with BSA examiners during an exam to make sure that banks are using methods to verify the identity of new customers that are consistent with the existing laws and regulations.

Banks will also want to be familiar with the revised exam procedures for the Fair Credit Reporting Act (FCRA), issued in February 2006. These procedures check for compliance with FCRA’s fraud and active duty provisions. The provisions allow customers of the bank to place alerts on their credit reports, and require those using these reports, including banks, to check with the customer before new credit is extended. The procedures also include reviews of institutions' compliance with requirements governing the accuracy of data provided to consumer reporting agencies. This requirement also blocks data that might be the result of an identity theft. The supervisory letter also notes that consumers are protected from identity theft through the vigilant enforcement of all the examination programs, including Risk Management, Compliance, IT and BSA.

The Fair and Accurate Credit Transactions Act (FACTA) directed federal agencies to write regulations and guidelines to focus on identity theft “red flags” and customer address discrepancies. As proposed, the guidelines would require financial institutions and creditors to start programs to identify patterns, practices, and specific forms of activity that indicate possible identity theft. The guidelines would also require them to create “reasonable” policies to start these programs. One of the provisions would require debit and credit card issuers to check the validity of a change of address request; users of consumer credit reports will also need to have a follow-up procedure when they receive a notice of address discrepancy.

Consumer Education

The FDIC’s Supervisory Letter also notes that the FDIC will continue its consumer education efforts during 2007, to make consumers more aware of the ways they can protect themselves from identity thieves. The letter states that consumers can benefit from accurate, up-to-date information designed to educate them about the steps they should take to lower the risk of this type of fraud. It notes that many institutions prominently display anti-fraud tips on their web site and send customers information about avoiding identity theft as statement stuffers. Banks’ redistribution of the FTC’s educational materials to customers was also observed.

What financial institutions need to do: Read the letter and related referenced regulations and guidance; talk to your examiner and review how you are identifying customers and handling new credit requests, address changes, and most importantly, how actively you are educating your customers about identity theft.

Click here to read the complete letter: https://www.bankinfosecurity.com/regulations.php?reg_id=415


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



