Seal of the Board of Governors of the Federal Reserve System
BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C.  20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
DIVISION OF CONSUMER
AND COMMUNITY AFFAIRS
SR 08-7 / CA 08-10
October 10, 2008
TO THE OFFICER IN CHARGE OF SUPERVISION AND APPROPRIATE SUPERVISORY AND EXAMINATION STAFF AT EACH FEDERAL RESERVE BANK AND TO BANKING ORGANIZATIONS SUPERVISED BY THE FEDERAL RESERVE
SUBJECT:   Interagency Examination Procedures for the Identity Theft Red Flags and Other Regulations under the Fair Credit Reporting Act

This letter establishes the Federal Reserve's expectations for Federal Reserve-supervised financial institutions and examination staff with respect to the final rules and guidelines regarding identity theft red flags and other regulations under the Fair Credit Reporting Act (FCRA).1

The Federal Financial Institutions Examination Council's Task Force on Consumer Compliance recently approved the attached examination procedures for regulations implementing three provisions of the FCRA, as amended by the Fair and Accurate Credit Transactions Act. The three provisions address:

Safety-and-soundness examiners with experience in operational risk will review institutions for compliance with the identity theft red flags rule.2  Consumer compliance examiners will review institutions for compliance with the address discrepancy and card issuer rules.3  Examiners should include an evaluation of a financial institution's compliance with these provisions during the next regularly scheduled examination or supervisory cycle after the mandatory compliance date of November 1, 2008. After an initial evaluation, subsequent examinations should be risk-focused in scoping future reviews of these provisions. Financial institutions are expected to be in compliance with these rules by the mandatory compliance date.

The address discrepancy rule requires a user of consumer reports, including a financial institution, to develop reasonable policies and procedures to enable the user, when it receives a notice of address discrepancy from a consumer reporting agency, to confirm that the consumer report relates to the consumer whose report was requested. In addition, a user must develop reasonable policies and procedures for furnishing to a consumer reporting agency a consumer's address that the user has reasonably confirmed is accurate if the user: (a) establishes a continuing relationship; and (b) regularly furnishes information to the consumer reporting agency from which it received the notice of address discrepancy.

The identity theft red flags rule requires a financial institution to periodically determine whether it offers or maintains accounts covered by the regulation. A covered account generally is a consumer account or any other account the institution determines carries a foreseeable risk of identity theft. For covered accounts, an institution must develop and implement a written identity theft prevention program (program) that is designed to detect, prevent, and mitigate identity theft in connection with any new or existing covered account. The program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities. Financial institutions may draw upon their existing programs, such as Bank Secrecy Act/Anti-Money Laundering compliance programs, customer identification programs, or customer information security programs, to help formulate their identity theft prevention program.

The card issuer rule requires credit and debit card issuers to develop reasonable policies and procedures to assess the validity of a change of address that is followed closely by a request for an additional or replacement card. In such situations, the card issuer must not issue an additional or replacement card until it assesses the validity of the change of address in accordance with its policies and procedures.

Reserve Banks are asked to distribute this letter to financial institutions supervised by the Federal Reserve in their districts. If you have any questions, please contact Sue Moy, Senior Project Manager, Operational and IT Risk, Division of Banking Supervision and Regulation, at (202) 452-3110; or Paul Robin, Manager, Oversight and Policy Section, Division of Consumer and Community Affairs, at (202) 452-3140. In addition, questions may be sent via the Board's public website.4

signed by
Roger T. Cole
Director
Division of Banking
Supervision and Regulation
signed by
Sandra F. Braunstein
Director
Division of Consumer
and Community Affairs


Attachments:
  1. Interagency Examination Procedures for Section 605(h), Duties of Users Regarding Address Discrepancies (12 CFR 222.82) (171 KB PDF)
  2. Interagency Examination Procedures for Section 615(e), Duties Regarding the Detection, Prevention, and Mitigation of Identity Theft (12 CFR 222.90) (271 KB PDF)
  3. Interagency Examination Procedures for Section 615(e), Duties of Card Issuers Regarding Changes of Address (12 CFR 222.91) (143 KB PDF)
Cross Reference:
CA letter 06-10, "Updated Examination Procedures for the Fair Credit Reporting Act"
 
Notes:
  1. See the October 31, 2007, interagency press release titled "Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy" (http://www.federalreserve.gov/newsevents/press/bcreg/20071031a.htm).  Return to text
  2. The Identity Theft Red Flags procedures will be incorporated into the Federal Reserve's Commercial Bank Examination Manual in the October 2008 revision, and the Bank Holding Company Supervision Manual in the January 2009 revision.  Return to text
  3. The Address Discrepancy and Card Issuer procedures will be consolidated into the FCRA chapter of the Consumer Compliance Handbook in a 2009 release. Please note that FCRA examination procedures cover provisions required either by statute (FCRA) or regulation (Regulation V). Thus, examination reports (and data entry into the National Examination Data system) should reflect the appropriate statutory or regulatory cite.  Return to text
  4. See http://www.federalreserve.gov/feedback.cfm.  Return to text
SR letters | 2008
Home | Banking information and regulation
Accessibility | Contact Us
Last update:  October 14, 2008