Joint Developing a Privacy Framework: An Enterprise Risk Management Tool
Re: Identity Theft Rules, 16 CFR part 681, Project No. 188402, Request for public comment, 83 Federal Register 63604 (December 11, 2018)
Dear Sir or Madam,
The American Bankers Association (ABA) is pleased to submit our comments to the Federal Trade Commission’s (Commission) request for comment on its Identity Theft Rules as part of its systemic review of all current Commission regulations and guides.
Section 615(e) of the Fair Credit Reporting Act requires the Commission and certain other federal agencies jointly to establish guidelines for financial institutions and creditors to identify patterns, practices, and activities that might indicate identity theft and to prescribe regulations requiring financial institutions and creditors to establish reasonable policies and procedures for implementing the guidelines. The federal agencies published final rules and guidelines in November 2007 (Red Flag Rule). The core of the Red Flag Rule is the requirement that financial institutions and creditors develop, implement, and update an “Identity Theft Program” to “detect, prevent, and mitigate identity theft in connection with the opening of covered accounts or any existing covered account.” In addition, the federal agencies must prescribe regulations requiring debit and credit card issuers to validate address change requests made shortly prior to requests for a replacement or additional card (Card Issuers Rule). Under the Card Issuers Rule, card issuers must (1) notify the cardholder of the request and provide a reasonable means for the cardholder to report promptly an incorrect address change or (2) otherwise assess the validity of the address change. Collectively, the two rules are the “Identity Theft Rules” (Rules).
ABA and its members have a demonstrated long history of combatting identity theft and financial fraud. Indeed, banks have strong incentives to prevent such fraud: they generally suffer the financial losses and risk customer and public dissatisfaction. Their extensive experience and exposure demonstrate that financial institutions must have broad flexibility to develop, implement, and alter appropriate controls to respond effectively to evolving financial crime threats. Criminals’ methods and targets change constantly, requiring banks’ fraud detection and prevention techniques and strategies to adapt.
In general, the Red Flag Rule is sufficiently flexible to accommodate these changing identity theft patterns and strategies and innovations in technology. In addition, to minimize regulatory burden and duplication, the Red Flag Rule permits banks to rely on other existing rules and practices to demonstrate compliance with the rule, including those related to customer identification programs, privacy policies, and multi-factor authentication. Importantly, the Red Flag Rule specifically recognizes that an institution’s identity theft program will vary based on the “size and complexity” of the institution and the “nature and scope of its activities.”
Many of the examples of red flags listed in the Red Flag Rule remain useful and relevant. While some of them are now less relevant than they were when the rule was adopted, and new ones have emerged, it is unnecessary, at this time, to update the rule’s red flag list, as banks continually supplement their lists based on trends, new technology, and their experience, as the Red Flag Rule requires.
Similarly, the Card Issuers Rule provides appropriate flexibility and efficiency by allowing financial institutions broad discretion in how they assess the validity of the address change request. The general rather than prescriptive directive allows financial institutions to take advantage of technology that is faster, more effective, less intrusive to customers, and less costly than verifying the address change with the customer.
Overall, we believe that both rules provide appropriate flexibility to accommodate changes in identity theft trends and the technology needed to combat identity theft. We do not believe it is necessary to amend them at this time.
We appreciate the opportunity to comment on the Identity Theft Rules and are happy to provide any additional information.
Sincerely,
Nessa Feddis