Federal Register: November 9, 2007 (Volume 72, Number 217)

DOCID: fr09no07-17 FR Doc 07-5453

DEPARTMENT OF THE TREASURY

Veterans Affairs Department

CFR Citation: 12 CFR Part 41

Docket ID: [Docket ID OCC-2007-0017]

RIN ID: RIN 1557-AC87

NOTICE: Part IV

DOCUMENT ACTION: Joint final rules and guidelines.

SUBJECT CATEGORY:

FEDERAL RESERVE SYSTEM

DATES: The joint final rules and guidelines are effective January 1, 2008. The mandatory compliance date for this rule is November 1, 2008.

DOCUMENT SUMMARY:

The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) are jointly issuing final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. The rules implementing section 114 require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. In addition, the Agencies are issuing guidelines to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the rules. The rules implementing section 114 also require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. Additionally, the Agencies are issuing joint rules under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.

SUMMARY:

Federal Deposit Insurance Corporation; Federal Reserve System; Federal Trade Commission; National Credit Union Administration; Treasury Department, Comptroller of the Currency; Treasury Department, Thrift Supervision Office,

DOCUMENT BODY 2:

12 CFR Part 222
[Docket No. R-1255]
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Parts 334 and 364
RIN 3064-AD00
DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
12 CFR Part 571
[Docket No. OTS-2007-0019]
RIN 1550-AC04
NATIONAL CREDIT UNION ADMINISTRATION
12 CFR Part 717
FEDERAL TRADE COMMISSION
16 CFR Part 681
RIN 3084-AA94

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003

SUPPLEMENTAL INFORMATION

I. Introduction

The President signed the FACT Act into law on December 4, 2003.\1\ The FACT Act added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 et seq. Section 114 of the FACT Act, 15 U.S.C. 1681m(e), amends section 615 of the FCRA, and directs the Agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances.\2\ Section 315 of the FACT Act, 15 U.S.C. 1681c(h), adds a new section 605(h)(2) to the FCRA requiring the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.
\1\ Pub. L. 108-159.
\2\ Section 111 of the FACT Act defines ``identity theft'' as ``a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade] Commission may prescribe, by regulation.'' 15 U.S.C. 1681a(q)(3).

On July 18, 2006, the Agencies published a joint notice of proposed rulemaking (NPRM) in the Federal Register (71 FR 40786) proposing rules and guidelines to implement section 114 and proposing rules to implement section 315 of the FACT Act. The public comment period closed on September 18, 2006. The Agencies collectively received a total of 129 comments in response to the NPRM, although many commenters sent copies of the same letter to each of the Agencies. The comments included 63 from financial institutions, 12 from financial institution holding companies, 23 from financial institution trade associations, 12 from individuals, nine from other trade associations, five from other business entities, three from consumer groups,\3\ one from a member of Congress, and one from the United States Small Business Administration (SBA).
\3\ One of these letters represented the comments of five consumer groups.

II. Section 114 of the FACT Act

A. Red Flag Regulations and Guidelines

1. Background

Section 114 of the FACT Act requires the Agencies to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. Section 114 also directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or ``customer.''\4\
\4\ Use of the term ``customer,'' here, appears to be a drafting error and likely should read ``creditor.''

In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures issued under section 326 of the USA PATRIOT Act,\5\ 31 U.S.C. 5318(l), that require verification of the identity of persons opening new accounts. The Agencies also must consider including reasonable guidelines that would apply when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years. These guidelines would provide that in such circumstances, a financial institution or creditor ``shall follow reasonable policies and procedures'' for notifying the consumer, ``in a manner reasonably designed to reduce the likelihood of identity theft.''
\5\ Pub. L. 107-56.

2. Overview of Proposal and Comments Received

The Agencies proposed to implement section 114 through regulations requiring each financial institution and creditor to implement a written Program to detect, prevent and mitigate identity theft in connection with the opening of an account or any existing account. The Agencies also proposed guidelines that identified 31 patterns, practices, and specific forms of activity that indicate a possible risk of identity theft. The proposed regulations required each financial institution and creditor to incorporate into its Program relevant indicators of a possible risk of identity theft (Red Flags), including indicators from among those listed in the guidelines. To promote flexibility and responsiveness to the changing nature of identity theft, the proposed rules also stated that covered entities would need to include in their Programs relevant Red Flags from applicable supervisory guidance, their own experiences, and methods that the entity had identified that reflect changes in identity theft risks.

The Agencies invited comment on all aspects of the proposed regulations and guidelines implementing section 114, and specifically requested comment on whether the elements described in section 114 had been properly allocated between the proposed regulations and the proposed guidelines.

Consumer groups maintained that the proposed regulations provided too much discretion to financial institutions and creditors to decide which accounts and Red Flags to include in their Programs and how to respond to those Red Flags. These commenters stated that the flexible and risk-based approach taken in the proposed rulemaking would permit ``business as usual.''

Some small financial institutions also expressed concern about the flexibility afforded by the proposal. These commenters stated that they preferred to have clearer, more structured guidance describing exactly how to develop and implement a Program and what they would need to do to achieve compliance.

Most commenters, however, including many financial institutions and creditors, asserted that the proposal was overly prescriptive, contained requirements beyond those mandated in the FACT Act, would be costly and burdensome to implement, and would complicate the existing efforts of financial institutions and creditors to detect and prevent identity theft. Some industry commenters asserted that the rulemaking was unnecessary because large businesses, such as banks and telecommunications companies, already are motivated to prevent identity theft and other forms of fraud in order to limit their own financial losses. Financial institution commenters maintained that they are already doing most of what would be required by the proposal as a result of having to comply with the customer identification program (CIP) regulations implementing section 326 of the USA PATRIOT Act \6\ and other existing requirements. These commenters suggested that the regulations and guidelines take the form of broad objectives modeled on the objectives set forth in the ``Interagency Guidelines Establishing Information Security Standards'' (Information Security Standards).\7\ A few financial institution commenters asserted that the primary cause of identity theft is the lack of care on the part of the consumer. They stated that consumers should be held responsible for protecting their own identifying information.
\6\ See, e.g., 31 CFR 103.121 (applicable to banks, thrifts and credit unions and certain nonfederally regulated banks).
\7\ 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state nonmember banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A (credit unions).

The Agencies have modified the proposed rules and guidelines in light of the comments received. An overview of the final rules, guidelines, and supplement, a discussion of the comments, and the specific manner in which the proposed rules and guidelines have been modified, follows.

3. Overview of final rules and guidelines

The Agencies are issuing final rules and guidelines that provide both flexibility and more guidance to financial institutions and creditors. The final rules also require the Program to address accounts where identity theft is most likely to occur. The final rules describe which financial institutions and creditors are required to have a Program, the objectives of the Program, the elements that the Program must contain, and how the Program must be administered.

Under the final rules, only those financial institutions and creditors that offer or maintain ``covered accounts'' must develop and implement a written Program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Each financial institution and creditor must periodically determine whether it offers or maintains a ``covered account.''

The final regulations provide that the Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. In addition, the Program must be tailored to the entity's size, complexity and nature of its operations.

The final regulations list the four basic elements that must be included in the Program of a financial institution or creditor. The Program must contain ``reasonable policies and procedures'' to:

  • Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
  • Detect Red Flags that have been incorporated into the Program;
  • Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements.

In order to provide financial institutions and creditors with more flexibility in developing a Program, the Agencies have moved certain detail formerly contained in the proposed regulations to the guidelines located in Appendix J. This detailed guidance should assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulations to detect, prevent, and mitigate identity theft. Each financial institution or creditor that is required to implement a Program must consider the guidelines and include in its Program those guidelines that are appropriate. The guidelines provide policies and procedures for use by institutions and creditors, where appropriate, to satisfy the requirements of the final rules, including the four elements listed above. While an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program, the Program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rules. The illustrative examples of Red Flags formerly in Appendix J are now listed in a supplement to the guidelines.

4. Section-by-Section Analysis \8\
\8\ The OCC, Board, FDIC, OTS and NCUA are placing the regulations and guidelines implementing section 114 in the part of their regulations that implement the FCRA (12 CFR parts 41, 222, 334, 571, and 717, respectively). In addition, the FDIC cross-references the regulations and guidelines in 12 CFR part 364. For ease of reference, the discussion in this preamble uses the shared numerical suffix of each of these agencies' regulations. The FTC also is placing the final regulations and guidelines in the part of its regulations implementing the FCRA, specifically 16 CFR part 681. However, the FTC uses different numerical suffixes that equate to the numerical suffixes discussed in the preamble as follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 = FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition, Appendix J referenced in the preamble is the FTC's Appendix A.

Section .90(a) Purpose and Scope

Proposed Sec. .90(a) described the statutory authority for the proposed regulations, namely, section 114 of the FACT Act. It also defined the scope of this section; each of the Agencies proposed tailoring this paragraph to describe those entities to which this section would apply. The Agencies received no comments on this section, and it is adopted as proposed.

Section .90(b) Definitions

Proposed Sec. .90(b) contained definitions of various terms that applied to the proposed rules and guidelines. While Sec. .90(b) of the final rules continues to describe the definitions applicable to the final rules and guidelines, changes have been made to address the comments, as follows.

Section .90(b)(1) Account. The Agencies proposed using the term ``account'' to describe the relationships covered by section 114 that an account holder or customer may have with a financial institution or creditor.\9\ The proposed definition of ``account'' was ``a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).'' The definition also gave examples of types of ``accounts.''
\9\ The Agencies acknowledged that section 114 does not use the term ``account'' and, in other contexts, the FCRA defines the term ``account'' narrowly to describe certain consumer deposit or asset accounts. See 15 U.S.C. 1681a(r)(4).

Some commenters stated that the regulations do not need a definition of ``account'' to give effect to their terms. Some commenters maintained that a new definition for ``account'' would be confusing as this term is already defined inconsistently in several regulations and in section 615(e) of the FCRA. These commenters recommended that the Agencies use the term ``continuing relationship'' instead, and define this phrase in a manner consistent with the Agencies' privacy rules \10\ implementing Title V of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801.\11\ These commenters urged that the definition of ``account'' not be expanded to include relationships that are not ``continuing.'' They stated that it would be very burdensome to gather and maintain information on noncustomers for one-time transactions. Other commenters suggested defining the term ``account'' in a manner consistent with the CIP rules.
\10\ See 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716 (NCUA); and 16 CFR 313 (FTC).

\11\ Pub. L. 106-102.

Many commenters stated that defining ``account'' to cover both consumer and business accounts was too broad, exceeded the scope of the FACT Act, and would make the regulation too burdensome. These commenters recommended limiting the scope of the regulations and guidelines to cover only consumer financial services, specifically accounts established for personal, family and household purposes, because these types of accounts typically are targets of identity theft. They asserted that identity theft has not historically been common in connection with business or commercial accounts.

Consumer groups maintained that the proposed definition of ``account'' was too narrow. They explained that because the proposed definition was tied to financial products and services that can be offered under the Bank Holding Company Act, it inappropriately excluded certain transactions involving creditors that are not financial institutions that should be covered by the regulations. Some of these commenters recommended that the definition of ``account'' include any relationship with a financial institution or creditor in which funds could be intercepted or credit could be extended, as well as any other transaction which could obligate an individual or other covered entity, including transactions that do not result in a continuing relationship. Others suggested that there should be no flexibility to exclude any account that is held by an individual or which generates information about individuals that reflects on their financial or credit reputations.

The Agencies have modified the definition of ``account'' to address these comments. First, the final rules now apply to ``covered accounts,'' a term that the Agencies have added to the definition section to eliminate confusion between these rules and other rules that apply to an ``account.'' The Agencies have retained a definition of ``account'' simply to clarify and provide context for the definition of ``covered account.''

Section 114 provides broad discretion to the Agencies to prescribe regulations and guidelines to address identity theft. The terminology in section 114 is not confined to ``consumer'' accounts. While identity theft primarily has been directed at consumers, the Agencies are aware that small businesses also have been targets of identity theft. Over time, identity theft could expand to affect other types of accounts. Thus, the definition of ``account'' in Sec. .90(b)(1) of the final rules continues to cover any relationship to obtain a product or service that an account holder or customer may have with a financial institution or creditor.\12\ Through examples, the definition makes clear that the purchase of property or services involving a deferred payment is considered to be an account.
\12\ Accordingly, the definition of ``account'' still applies to fiduciary, agency, custodial, brokerage and investment advisory activities.

Although the definition of ``account'' includes business accounts, the risk-based nature of the final rules allows each financial institution or creditor flexibility to determine which business accounts will be covered by its Program through a risk evaluation process.

The Agencies also recognize that a person may establish a relationship with a creditor, such as an automobile dealer or a telecommunications provider, primarily to obtain a product or service that is not financial in nature. To make clear that an ``account'' includes relationships with creditors that are not financial institutions, the definition is no longer tied to the provision of ``financial'' products and services. Accordingly, the Agencies have deleted the reference to the Bank Holding Company Act.

The definition of ``account'' still includes the words ``continuing relationship.'' The Agencies have determined that, at this time, the burden that would be imposed upon financial institutions and creditors by a requirement to detect, prevent and mitigate identity theft in connection with single, noncontinuing transactions by noncustomers would outweigh the benefits of such a requirement. The Agencies recognize, however, that identity theft may occur at the time of account opening. Therefore, as detailed below, the obligations of the final rule apply not only to existing accounts, where a relationship already has been established, but also to account openings, when a relationship has not yet been established.

Section .90(b)(2) Board of Directors. The proposed regulations discussed the role of the board of directors of a financial institution or creditor. For financial institutions and creditors covered by the regulations that do not have boards of directors, the proposed regulations defined ``board of directors'' to include, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency. For other creditors that do not have boards of directors, the proposed regulations defined ``board of directors'' as a designated employee.

Consumer groups objected to the proposed definition as it applied to creditors that do not have boards of directors. These commenters recommended that for these entities, ``board of directors'' should be defined as a designated employee at the level of senior management. They asserted that otherwise, institutions that do not have a board of directors would be given an unfair advantage for purposes of the substantive provisions of the rules, because they would be permitted to assign any employee to fulfill the role of the ``board of directors.''

The Agencies agree this important role should be performed by an employee at the level of senior management, rather than any designated employee. Accordingly, the definition of ``board of directors'' has been revised in Sec. .90(b)(2) of the final rules so that, in the case of a creditor that does not have a board of directors, the term ``board of directors'' means ``a designated employee at the level of senior management.''

Section .90(b)(3) Covered Account. As mentioned previously, the Agencies have added a new definition of ``covered account'' in Sec. .90(b)(3) to describe the type of ``account'' covered by the final rules. The proposed rules would have provided a financial institution or creditor with broad flexibility to apply its Program to those accounts that it determined were vulnerable to the risk of identity theft, and did not mandate coverage of any particular type of account.

Consumer group commenters urged the Agencies to limit the discretion afforded to financial institutions and creditors by requiring them to cover consumer accounts in their Programs. While seeking to preserve their discretion, many industry commenters requested that the Agencies limit the final rules to consumer accounts, where identity theft is most likely to occur.

The Agencies recognize that consumer accounts are presently the most common target of identity theft and acknowledge that Congress expected the final regulation to address risks of identity theft to consumers.\13\ For this reason, the final rules require each Program to cover accounts established primarily for personal, family or household purposes, that involve or are designed to permit multiple payments or transactions, i.e., consumer accounts. As discussed above in connection with the definition of ``account,'' the final rules also require the Programs of financial institutions and creditors to cover any other type of account that the institution or creditor offers or maintains for which there is a reasonably foreseeable risk from identity theft.
\13\ See S. Rep. No. 108-166 at 13 (Oct. 17, 2003) (accompanying S. 1753).

Accordingly, the definition of ``covered account'' is divided into two parts. The first part refers to ``an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.'' The definition provides examples to illustrate that these types of consumer accounts include, ``a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.''\14\
\14\ These examples reflect the fact that the rules are applicable to a variety of financial institutions and creditors. They are not intended to confer any additional powers on covered entities. Nonetheless, some of the Agencies have chosen to limit the examples in their rule texts to those products covered entities subject to their jurisdiction are legally permitted to offer.

The second part of the definition refers to ``any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.'' This part of the definition reflects the Agencies' belief that other types of accounts, such as small business accounts or sole proprietorship accounts, may be vulnerable to identity theft, and, therefore, should be considered for coverage by the Program of a financial institution or creditor.

In response to the proposed definition of ``account,'' a trade association representing credit unions suggested that the term ``customer'' in the definition be revised to refer to ``member'' to better reflect the ownership structure of some financial institutions or to ``consumer'' to include all individuals doing business at all types of financial institutions. The definition of ``account'' in the final rules no longer makes reference to the term ``customer''; however, the definition of ``covered account'' continues to employ this term, to be consistent with section 114 of the FACT Act, which uses the term ``customer.'' Of course, in the case of credit unions, the final rules and guidelines will apply to the accounts of members that are maintained primarily for personal, family, or household purposes, and those that are otherwise subject to a reasonably foreseeable risk of identity theft.

Sections .90(b)(4) and (b)(5) Credit and Creditor. The proposed rules defined these terms by cross-reference to the relevant sections of the FCRA. There were no comments on the definition of ``credit'' and Sec. .90(b)(4) of the final rules adopts the definition as proposed.

Some commenters asked the Agencies to clarify that the term ``creditor'' does not cover third-party debt collectors who regularly arrange for the extension, renewal, or continuation of credit.

Section 114 applies to financial institutions and creditors. Under the FCRA, the term ``creditor'' has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.\15\ ECOA defines ``creditor'' to include a person who arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors. 15 U.S.C. 1691a(e). Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules, and Sec. .90(b)(5) of the final rules adopts the definition of ``creditor'' as proposed.

\15\ See 15 U.S.C. 1681a(r)(5).

Section .90(b)(6) Customer. Section 114 of the FACT Act refers to ``account holders'' and ``customers'' of financial institutions and creditors without defining either of these terms. For ease of reference, the Agencies proposed to use the term ``customer'' to encompass both ``customers'' and ``account holders.'' ``Customer'' was defined as a person that has an account with a financial institution or creditor. The proposed definition of ``customer'' applied to any ``person,'' defined by the FCRA as any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.\16\ The proposal explained that the Agencies chose this broad definition because, in addition to individuals, various types of entities (e.g., small businesses) can be victims of identity theft. Under the proposed definition, however, a financial institution or creditor would have had the discretion to determine which type of customer accounts would be covered under its Program, since the proposed regulations were risk based.\17\
\16\ See 15 U.S.C. 1681a(b).
\17\ Proposed Sec. .90(d)(1) required this determination to be substantiated by a risk evaluation that takes into consideration which customer accounts of the financial institution or creditor are subject to a risk of identity theft.

    As noted above, most industry commenters maintained that including all persons, not just consumers, within the definition of ``customer'' would impose a substantial financial burden on financial institutions and creditors, and make compliance with the regulations more burdensome. These commenters stated that business identity theft is rare, and maintained that financial institutions and creditors should be allowed to direct their fraud prevention resources to the areas of highest risk. They also noted that businesses are more sophisticated than consumers, and are in a better position to protect themselves against fraud than consumers, both in terms of prevention and in enforcing their legal rights.

    Some financial institution commenters were concerned that the broad definition of ``customer'' would create opportunities for commercial customers to shift responsibility from themselves to the financial institution for not discovering Red Flags and alerting business customers about embezzlement or other fraudulent transactions by the commercial customer's own employees. These commenters suggested narrowing the definition to cover natural persons and to exclude business customers. Some of these commenters suggested that the definition of ``customer'' should be consistent with the definition of this term in the Information Security Standards and the Agencies' privacy rules.

    Consumer groups commented that the proposed definition of ``customer'' was too narrow. They recommended that the definition be amended, so that the regulations would not only protect persons who are already customers of a financial institution or creditor, but also persons whose identities are used by an imposter to open an account.

    Section .90(b)(6) of the final rule defines ``customer'' to mean a person that has a ``covered account'' with a financial institution or creditor. Under the definition of ``covered account,'' an individual who has a consumer account will always be a ``customer.'' A ``customer'' may also be a person that has another type of account for which a financial institution or creditor determines there is a reasonably foreseeable risk to its customers or to its own safety and soundness from identity theft.

    The Agencies note that the Information Security Standards and the privacy rules implemented various sections of Title V of the GLBA, 15 U.S.C. 6801, which specifically apply only to customers who are consumers. By contrast, section 114 does not define the term ``customer.'' Because the Agencies continue to believe that a business customer can be a target of identity theft, the final rules contain a risk-based process designed to ensure that these types of customers will be covered by the Program of a financial institution or creditor, when the risk of identity theft is reasonably foreseeable.

    The definition of ``customer'' in the final rules continues to cover only customers that already have accounts. The Agencies note, however, that the substantive provisions of the final rules, described later, require the Program of a financial institution or creditor to detect, prevent, and mitigate identity theft in connection with the opening of a covered account as well as any existing covered account. The final rules address persons whose identities are used by an imposter to open an account in these substantive provisions, rather than through the definition of ``customer.''

    Section .90(b)(7) Financial Institution. The Agencies received no comments on the proposed definition of ``financial institution.'' It is adopted in Sec. .90(b)(7), as proposed, with a cross-reference to the relevant definition in the FCRA.

    Section .90(b)(8) Identity Theft. The proposal defined ``identity theft'' by cross-referencing the FTC's rule that defines ``identity theft'' for purposes of the FCRA.\18\
    \18\ 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)). Section 111 of the FACT Act added several new definitions to the FCRA, including ``identity theft,'' and authorized the FTC to further define this term. See 15 U.S.C. 1681a.

    [[Page 63723]]
    Most industry commenters objected to the breadth of the proposed definition of ``identity theft.'' They recommended that the definition include only actual fraud committed using identifying information of a consumer, and exclude attempted fraud, identity theft committed against businesses, and any identity fraud involving the creation of a fictitious identity using fictitious data combined with real information from multiple individuals. By contrast, consumer groups supported a broad interpretation of ``identity theft,'' including the incorporation of ``attempted fraud'' in the definition.

    Section .90(b)(8) of the final rules adopts the definition of ``identity theft'' as proposed. The Agencies believe that it is important to ensure that all provisions of the FACT Act that address identity theft are interpreted in a consistent manner. Therefore, the final rule continues to define identity theft with reference to the FTC's regulation, which as currently drafted provides that the term ``identity theft'' means ``a fraud committed or attempted using the identifying information of another person without authority.'' \19\ The FTC defines the term ``identifying information'' to mean ``any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any
    (1) Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
    (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
    (3) Unique electronic identification number, address, or routing code; or
    (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).''
    \19\ See 16 CFR 603.2(a).

    Thus, under the FTC's regulation, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of ``identity theft'' because such a fraud involves ``using the identifying information of another person without authority.'' \20\

    \20\ See 16 CFR 603.2(b).

    Section .90(b)(9) Red Flag. The proposed regulations defined ``Red Flag'' as a pattern, practice, or specific activity that indicates the possible risk of identity theft. The preamble to the proposed rules explained that indicators of a ``possible risk'' of identity theft would include precursors to identity theft such as phishing,\21\ and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. The preamble explained that the Agencies included such precursors to identity theft as ``Red Flags'' to better position financial institutions and creditors to stop identity theft at its inception.
    \21\ Electronic messages to customers of financial institutions and creditors directing them to provide personal information in response to a fraudulent email.

    Most industry commenters objected to the broad scope of the definition of ``Red Flag,'' particularly the phrase ``possible risk of identity theft.'' These commenters believed that this definition would require financial institutions and creditors to identify all risks and develop procedures to prevent or mitigate them, without regard to the significance of the risk. They asserted that the statute does not support the use of ``possible risk'' and suggested defining a ``Red Flag'' as an indicator of significant, substantial, or the probable risk of identity theft. These commenters stated that this would allow a financial institution or creditor to focus compliance in areas where it is most needed.

    Most industry commenters also stated that the inclusion of precursors to identity theft in the definition of ``Red Flag'' would make the regulations even broader and more burdensome. They stated that financial institutions and creditors do not have the ability to detect and respond to precursors, such as phishing, in the same manner as other Red Flags that are more indicative of actual ongoing identity theft.

    By contrast, consumer groups supported the inclusion of the phrase ``possible risk of identity theft'' and the reference to precursors in the proposed definition of ``Red Flag.'' These commenters stated that placing emphasis on detecting precursors to identity theft, instead of waiting for proven cases, is the right approach.

    The Agencies have concluded that the phrase ``possible risk'' in the proposed definition of ``Red Flag'' is confusing and could unduly burden entities with limited resources. Therefore, the final rules define ``Red Flag'' in Sec. .90(b)(9) using language derived directly from section 114, namely, ``a pattern, practice, or specific activity that indicates the possible existence of identity theft.'' \22\

    \22\ 15 U.S.C. 1681m(c)(2)(A).

    The Agencies continue to believe, however, that financial institutions and creditors should consider precursors to identity theft in order to stop identity theft before it occurs. Therefore, as described below, the Agencies have chosen to address precursors directly, through a substantive provision in section IV of the guidelines titled ``Prevention and Mitigation,'' rather than through the definition of ``Red Flag.'' This provision states that a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft in determining an appropriate response to the Red Flags it detects.

    Section .90(b)(10) Service Provider. The proposed regulations defined ``service provider'' as a person that provides a service directly to the financial institution or creditor. This definition was based upon the definition of ``service provider'' in the Information Security Standards.\23\
    \23\ The Information Security Standards define ``service provider'' to mean any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through the provision of services directly to the financial institution. 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state nonmember banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A (credit unions).

    One commenter agreed with this definition. However, two other commenters stated that the definition was too broad. They suggested narrowing the definition of ``service provider'' to persons or entities that have access to customer information.

    Section .90(b)(10) of the final rules adopts the definition as proposed. The Agencies have concluded that defining ``service provider'' to include only persons that have access to customer information would inappropriately narrow the coverage of the final rules. The Agencies have interpreted section 114 broadly to require each financial institution and creditor to detect, prevent, and mitigate identity theft not only in connection with any existing covered account, but also in connection with the opening of an account. A financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider. Thus, a financial institution or creditor that uses a service provider to open accounts will need to provide for the detection, prevention, and mitigation of identity theft in connection with this activity, even when the service provider has access to the information of a person who is not yet, and may not become, a ``customer.''

    Section .90(c) Periodic Identification of Covered Accounts

    [[Page 63724]]
    To simplify compliance with the final rules, the Agencies added a new provision in Sec. .90(c) that requires each financial institution and creditor to periodically determine whether it offers or maintains any covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in Sec. .90(b)(3)(ii) (accounts other than consumer accounts), taking into consideration:

  • The methods it provides to open its accounts;
  • The methods it provides to access its accounts; and
  • Its previous experiences with identity theft.

    Thus, a financial institution or creditor should consider whether, for example, a reasonably foreseeable risk of identity theft may exist in connection with business accounts it offers or maintains that may be opened or accessed remotely, through methods that do not require face-to-face contact, such as through the internet or telephone. In addition, those institutions and creditors that offer or maintain business accounts that have been the target of identity theft should factor those experiences with identity theft into their determination.

    This provision is modeled on various process-oriented and risk-based regulations issued by the Agencies, such as the Information Security Standards. Compliance with this type of regulation is based upon a regulated entity's own preliminary risk assessment. The risk assessment required here directs a financial institution or creditor to determine, as a threshold matter, whether it will need to have a Program.\24\ If a financial institution or creditor determines that it does need a Program, then this risk assessment will enable the financial institution or creditor to identify those accounts the Program must address. This provision also requires a financial institution or creditor that initially determines that it does not need to have a Program to reassess periodically whether it must develop and implement a Program in light of changes in the accounts that it offers or maintains and the various other factors set forth in the provision.
    \24\ The Agencies anticipate that some financial institutions and creditors, such as various creditors regulated by the FTC that solely engage in business-to-business transactions, will be able to determine that they do not need to develop and implement a Program.

    Section .90(d)(1) Identity Theft Prevention Program Requirement

    Proposed Sec. .90(c) described the primary objectives of a Program. It stated that each financial institution or creditor must implement a written Program that includes reasonable policies and procedures to address the risk of identity theft to its customers and to the safety and soundness of the financial institution or creditor, in the manner described in proposed Sec. .90(d), which described the development and implementation of a Program. It also stated that the Program must address financial, operational, compliance, reputation, and litigation risks and be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

    Some commenters believed that the proposed regulations exceeded the scope of section 114 by covering deposit accounts and by requiring a response to the risk of identity theft, not just the identification of the risk of identity theft. One commenter expressed concern about the application of the Program to existing accounts.

    The SBA commented that requiring all small businesses covered by the regulations to create a written Program would be overly burdensome. Several financial institution commenters objected to what they perceived as a proposed requirement that financial institutions and creditors have a written Program solely to address identity theft. They recommended that the final regulations allow a covered entity to simply maintain or expand its existing fraud prevention and information security programs as long as they included the detection, prevention, and mitigation of identity theft. Some of these commenters stated that requiring a written program would merely focus examiner attention on documentation and cause financial institutions to produce needless paperwork.

    While commenters generally agreed that the Program should be appropriate to the size and complexity of the financial institution or creditor, and the nature and scope of its activities, many industry commenters objected to the prescriptive nature of this section. They urged the Agencies to provide greater flexibility to financial institutions and creditors by allowing them to implement their own procedures as opposed to those provided in the proposed regulations. Several other commenters suggested permitting financial institutions and creditors to take into account the cost and effectiveness of policies and procedures and the institution's history of fraud when designing its Program.

    Several financial institution commenters maintained that the Program required by the proposed rules was not sufficiently flexible. They maintained that a true risk-based approach would permit institutions to prioritize the importance of various controls, address the most important risks first, and accept the good faith judgments of institutions in differentiating among their options for conducting safe, sound, and compliant operations. Some of these commenters urged the Agencies to revise the final rules and guidelines and adopt an approach similar to the Information Security Standards, which they characterized as providing institutions with an outline of issues to consider without requiring specific approaches.

    Although a few commenters believed that the proposed requirement to update the Program was burdensome and should be eliminated, most commenters agreed that the Program should be designed to address changing risks over time. A number of these commenters, however, objected to the requirement that the Program must be designed to address changing identity theft risks ``as they arise,'' as too burdensome a standard. Instead, they recommended that the final regulations require a financial institution or creditor to reassess periodically whether to adjust the types of accounts covered or Red Flags to be detected based upon any changes in the types and methods of identity theft that an institution or creditor has experienced.

    Section .90(d) of the final rules requires each financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. To signal that the final rules are flexible, and allow smaller financial institutions and creditors to tailor their Programs to their operations, the final rules state that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

    The guidelines are appended to the final rules to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulation. Section I of the guidelines, titled ``The Program,'' makes clear that a covered entity may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity's fraud prevention program. This will avoid duplication and allow covered entities to benefit from existing policies and procedures.

    [[Page 63725]]
    The Agencies do not agree with those commenters who asserted that the scope of the proposed regulations (and hence the final rules that adopt the identical approach with respect to these issues) exceeds the Agencies' statutory mandate. First, section 114 clearly permits the Agencies to issue regulations and guidelines that address more than the mere identification of the risk of identity theft. Section 114 contains a broad mandate directing the Agencies to issue guidelines ``regarding identity theft'' and to prescribe regulations requiring covered entities to establish reasonable policies and procedures for implementing the guidelines. Second, two provisions in section 114 indicate that Congress expected the Agencies to issue final regulations and guidelines requiring financial institutions and creditors to detect, prevent, and mitigate identity theft.

    The first relevant provision is codified in section 615(e)(1)(C) of the FCRA, where Congress addressed a particular scenario involving card issuers. In that provision, Congress directed the Agencies to prescribe regulations requiring a card issuer to take specific steps to assess the validity of a change of address request when it receives such a request and, within a short period of time, also receives a request for an additional or replacement card. The regulations must prohibit a card issuer from issuing an additional or replacement card under such circumstances, unless it notifies the cardholder or ``uses other means of assessing the validity of the change of address in accordance with reasonable policies and procedures established by the card issuer in accordance with the regulations prescribed [by the Agencies] * * *.'' This provision makes clear that Congress contemplated that the Agencies' regulations would require a financial institution or creditor to have policies and procedures not only to identify Red Flags, but also, to prevent and mitigate identity theft.
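    The card-issuer control described in section 615(e)(1)(C) is, operationally, a temporal correlation of two request types on the same account. The following Python is an added illustration of that check over constructed events; it is not code from the rule, the Agencies, or any issuer. The statute quoted above says only ``a short period of time,'' so the 30-day window, the event names, and the `validated` field (meaning the issuer has already assessed the address change by notifying the cardholder or other means) are assumptions made for this example.

```python
"""Temporal correlation of change-of-address and card-request events.

Constructed example: every event below is made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

# Assumption: section 615(e)(1)(C) only says "a short period of time"; the
# 30-day window is a hypothetical parameter chosen for this example.
DEFAULT_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Event:
    account: str
    kind: str            # "address_change" or "card_request"
    ts: datetime
    # card_request only: True when the issuer has already assessed the
    # validity of the address change (e.g. notified the cardholder at the
    # former address). Hypothetical field for this example.
    validated: bool = False


def correlate(events: Iterable[Event],
              window: timedelta = DEFAULT_WINDOW) -> Dict[Tuple[str, datetime], str]:
    """Decide "issue" or "hold" for every card request.

    A request is held when the same account received a change-of-address
    request within `window` before it and that change has not been
    validated. Events are processed in timestamp order, so the result does
    not depend on the order in which they were logged.
    """
    decisions: Dict[Tuple[str, datetime], str] = {}
    last_change: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "address_change":
            last_change[ev.account] = ev.ts
        elif ev.kind == "card_request":
            changed = last_change.get(ev.account)
            recent = changed is not None and ev.ts - changed <= window
            decisions[(ev.account, ev.ts)] = (
                "hold" if recent and not ev.validated else "issue"
            )
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
    return decisions


# Constructed sample: one card request per account, so the outcome can be
# reported per account.
SAMPLE_EVENTS = [
    Event("A-1001", "address_change", datetime(2024, 1, 2)),
    Event("A-1001", "card_request", datetime(2024, 1, 10)),   # 8 days later: hold
    Event("A-1002", "card_request", datetime(2024, 1, 5)),    # no address change: issue
    Event("A-1003", "address_change", datetime(2023, 10, 1)),
    Event("A-1003", "card_request", datetime(2024, 1, 15)),   # outside window: issue
    Event("A-1004", "address_change", datetime(2024, 1, 3)),
    Event("A-1004", "card_request", datetime(2024, 1, 20), validated=True),  # assessed: issue
    Event("A-1005", "card_request", datetime(2024, 1, 4)),
    Event("A-1005", "address_change", datetime(2024, 1, 6)),  # change after request: issue
]


def run_sample() -> Dict[str, str]:
    """Decision per account for the constructed sample."""
    return {acct: d for (acct, _), d in correlate(SAMPLE_EVENTS).items()}


if __name__ == "__main__":
    for acct, decision in sorted(run_sample().items()):
        print(acct, decision)
```

    The example implements only the sequence the statute describes (address change first, then a card request); whether a card request followed shortly by an address change should also be held is left to the issuer's own policies and is not decided here. A ``hold'' is a gate, not a denial: the request proceeds once the cardholder has been notified or the change validated by other means.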

    The second relevant provision is codified in section 615(e)(2)(B) of the FCRA, and directs the Agencies to consider addressing in the identity theft guidelines transactions that occur with respect to credit or deposit accounts that have been inactive for more than two years. The Agencies must consider whether a creditor or financial institution detecting such activity should ``follow reasonable policies that provide for notice to be given to the consumer in a manner reasonably designed to reduce the likelihood of identity theft with respect to such account.'' This provision signals that the Agencies are authorized to prescribe regulations and guidelines that comprehensively address identity theft in a manner that goes beyond the mere identification of possible risks.

    The Agencies' interpretation of section 114 is also supported by the legislative history that indicates Congress expected the Agencies to issue regulations and guidelines for the purposes of ``identifying and preventing identity theft.'' \25\
    \25\ See S. Rep. No. 108-166 at 13 (Oct. 17, 2003) (accompanying S. 1753).

    Finally, the Agencies' interpretation of section 114 is broad, based on a public policy perspective that regulations and guidelines addressing the identification of the risk of identity theft, without addressing the prevention and mitigation of identity theft, would not be particularly meaningful or effective.

    The Agencies also have concluded that the scope of section 114 does not only apply to credit transactions, but also applies, for example, to deposit accounts. Section 114 refers to the risk of identity theft, generally, and not strictly in connection with credit. Because identity theft can and does occur in connection with various types of accounts, including deposit accounts, the final rules address identity theft in a comprehensive manner.

    Furthermore, nothing in section 114 indicates that the regulations must only apply to identity theft in connection with account openings. The FTC has defined ``identity theft'' as ``a fraud committed or attempted using the identifying information of another person without authority.'' \26\ Such fraud may occur in connection with account openings and with existing accounts. Section 615(e)(3) states that the guidelines that the Agencies prescribe ``shall not be inconsistent'' with the policies and procedures required under 31 U.S.C. 5318(l), a reference to the CIP rules which require certain financial institutions to verify the identity of customers opening new accounts. However, the Agencies do not read this phrase to prevent them from prescribing rules directed at existing accounts. To interpret the provision in this manner would solely authorize the Agencies to prescribe regulations and guidelines identical to and duplicative of those already issued, making the Agencies' regulatory authority in this area superfluous and meaningless.\27\
    \26\ 16 CFR 603.2(a).
    \27\ The Agencies' conclusion is also supported by case law interpreting similar terminology, albeit in a different context, finding that ``inconsistent'' means it is impossible to comply with two laws simultaneously, or one law frustrates the purposes and objectives of another. See, e.g., Davenport v. Farmers Ins. Group, 378 F.3d 839 (8th Cir. 2004); Retail Credit Co. v. Dade County, Florida, 393 F. Supp. 577 (S.D. Fla. 1975); Alexiou v. Brad Benson Mitsubishi, 127 F. Supp. 2d 557 (D.N.J. 2000).

    The Agencies recognize that requiring a written Program will impose some burden. However, the Agencies believe the benefit of being able to assess a covered entity's compliance with the final rules by evaluating the adequacy and implementation of its written Program outweighs the burdens imposed by this requirement.

    Moreover, although the final rules continue to require a written Program, as detailed below, the Agencies have substantially revised the proposal to focus the final rules and guidelines on reasonably foreseeable risks, make the final rules less prescriptive, and provide financial institutions and creditors with more discretion to develop policies and procedures to detect, prevent, and mitigate identity theft.

    Proposed Sec. .90(c) also provided that the Program must address changing identity theft risks as they arise based upon the experience of the financial institution or creditor with identity theft and changes in: Methods of identity theft; methods to detect, prevent, and mitigate identity theft; the types of accounts the financial institution or creditor offers; and its business arrangements, such as mergers and acquisitions, alliances and joint ventures, and service provider arrangements.

    The Agencies continue to believe that, to ensure a Program's continuing effectiveness, it must be updated, at least periodically. However, in order to simplify the final rules, the Agencies moved this requirement into the next section, where it is one of the required elements of the Program, as discussed below.
    Development and Implementation of Identity Theft Prevention Program

    The remaining provisions of the proposed rules were set forth under the above-referenced section heading. Many commenters asserted that the Agencies should simply articulate certain objectives and provide financial institutions and creditors the flexibility and discretion to design policies and procedures to fulfill the objectives of the Program without the level of detail required under this section.

    As described earlier, to ensure that financial institutions and creditors are able to design Programs that effectively address identity theft in a manner tailored to their own operations, the Agencies have made significant changes in the proposal by deleting whole provisions or moving them into the guidelines in Appendix J. More specifically, the Agencies abbreviated the proposed requirements formerly located in the provisions titled
    [[Page 63726]]
    ``Identification and Evaluation of Red Flags'' and ``Identity Theft Prevention and Mitigation'' and have placed them under a section of the final rules titled ``Elements of a Program.'' The proposed requirements on ``Staff Training,'' ``Oversight of Service Provider Arrangements,'' and ``Involvement of Board of Directors and Senior Management'' are now in a section of the final rules titled ``Administration of the Program.'' The guidelines in Appendix J elaborate on these requirements. A discussion of the comments received on these sections of the proposed rules, and the corresponding sections of the final rules and guidelines follows.
    Section .90(d)(2)(i) Element I of the Program: Identification of Red Flags

    Proposed Sec. .90(d)(1)(i) required a Program to include policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation described in Sec. .90(d)(1)(ii). It also required the Red Flags identified to reflect changing identity theft risks to customers and to the financial institution or creditor as they arise.

    Proposed Sec. .90(d)(1)(i) provided that each financial institution and creditor must incorporate into its Program relevant Red Flags from Appendix J. The preamble to the proposed rules acknowledged that some Red Flags that are relevant today may become obsolete as time passes. The preamble stated that the Agencies expected to update Appendix J periodically,\28\ but that it may be difficult to do so quickly enough to keep pace with rapidly evolving patterns of identity theft or as quickly as financial institutions and creditors experience new types of identity theft. Therefore, proposed Sec. .90(d)(1)(i) also provided that each financial institution and creditor must incorporate into its Program relevant Red Flags from applicable supervisory guidance, incidents of identity theft that the financial institution or creditor has experienced, and methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks.
    \28\ Section 114 directs the Agencies to update the guidelines as often as necessary. See 15 U.S.C. 1681m(e)(1)(A).

    Some commenters objected to the proposed requirement that the Program contain policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor. They criticized the phrase ``possible risk'' as too broad and stated that it was unrealistic to impose upon covered entities a continuing obligation to incorporate into their Programs Red Flags to address virtually any new identity theft incident or trend and potential fraud prevention measure. These commenters stated that this would be a burdensome compliance exercise that would limit flexibility and add costs, which in turn, would take away limited resources from the ultimate objective of combating identity theft.

    Many commenters objected to the proposed requirement that the Red Flags identified by a financial institution or creditor reflect changing identity theft risks to customers and to the financial institution or creditor ``as they arise.'' These commenters requested that the final rules permit financial institutions and creditors a reasonable amount of time to adjust the Red Flags included in their Programs.

    Some commenters agreed that the enumerated sources of Red Flags were appropriate. A few commenters stated that financial institutions and creditors should not be required to include in their Programs any Red Flags except for those set forth in Appendix J or in supervisory guidance, or that they had experienced. However, most commenters objected to the requirement that, at a minimum, the Program incorporate any relevant Red Flags from Appendix J.

    Some financial institution commenters urged deletion of the proposed requirement to include a list of relevant Red Flags in their Program. They stated that a financial institution should be able to assess which Red Flags are appropriate without having to justify to an examiner why it failed to include a specific Red Flag on a list. Other commenters recommended that the list of Red Flags in Appendix J be illustrative only. These commenters recommended that a financial institution or creditor be permitted to include any Red Flags on its list that it concludes are appropriate. They suggested that the Agencies encourage institutions to review the list of Red Flags, and use their own experience and expertise to identify other Red Flags that become apparent as fraudsters adapt and develop new techniques. They maintained that in this manner, institutions and creditors would be able to identify the appropriate Red Flags and not waste limited resources and effort addressing those Red Flags in Appendix J that were obsolete or not appropriate for their activities.

    By contrast, consumer groups criticized the flexibility and discretion afforded to financial institutions and creditors in this section of the proposed rules. These commenters urged the Agencies to make certain Red Flags from Appendix J mandatory, such as a fraud alert on a consumer report.

    Proposed Sec. .90(d)(1)(ii) provided that in order to identify which Red Flags are relevant to detecting a possible risk of identity theft to its customers or to its own safety and soundness, the financial institution or creditor must consider:

    A. Which of its accounts are subject to a risk of identity theft;

    B. The methods it provides to open these accounts;

    C. The methods it provides to access these accounts; and

    D. Its size, location, and customer base.

    While some industry commenters thought the enumerated factors were appropriate, other commenters stated that the factors on the list were not necessarily the ones used by financial institutions to identify risk and were irrelevant to any determination of identity theft or actual fraud. These commenters maintained that this proposed requirement would require financial institutions to develop entirely new programs that may not be as effective or efficient as those designed by anti-fraud experts. Therefore, they recommended that the final rules provide financial institutions and creditors with wide latitude to determine what factors they should consider and how they categorize them. These commenters urged the Agencies to refrain from providing a list of factors that financial institutions and creditors would have to consider because a finite list could limit their ability to adapt to new forms of identity theft.

    Some commenters suggested that the risk evaluation include an assessment of other factors such as the likelihood of harm, the cost and operational burden of using a particular Red Flag and the effectiveness of a particular Red Flag for that institution or creditor. Some commenters suggested that the factors refer to the likely risk of identity theft, while others suggested that the factors be modified to refer to the possible risk of identity theft to which each type of account offered by the financial institution or creditor is subject. Other commenters, including a trade association representing small financial institutions, asked the Agencies to provide guidelines on how to conduct a risk assessment.

    [[Page 63727]]

    The final rules continue to address the identification of relevant Red Flags, but simply state that the first element of a Program must be reasonable policies and procedures to identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains. The final rules also state that a financial institution or creditor must incorporate these Red Flags into its Program.

    The final rules do not require policies and procedures for identifying which Red Flags are relevant to detecting a ``possible risk'' of identity theft. Moreover, as described below, a covered entity's obligation to update its Red Flags is now a separate element of the Program. The section of the proposed rules describing the various factors that a financial institution or creditor must consider to identify relevant Red Flags, and the sources from which a financial institution or creditor must derive its Red Flags, are now in section II of the guidelines titled ``Identifying Relevant Red Flags.''

    The Agencies acknowledge that establishing a finite list of factors that a financial institution or creditor must consider when identifying relevant Red Flags for covered accounts could limit the ability of a financial institution or creditor to respond to new forms of identity theft. Therefore, section II of the guidelines contains a list of factors that a financial institution or creditor ``should consider * * * as appropriate'' in identifying relevant Red
