Federal Deposit Insurance Corporation
550 17th Street NW, Washington, DC 20429-9990
Financial Institution Letter
FIL-100-2007
November 15, 2007
Identity Theft Red Flags
Interagency Final Regulation and Guidelines
Summary: The FDIC, along with the other federal financial institution regulatory agencies and the Federal Trade
Commission, has issued the attached final rule and guidelines on identity theft "red flags" and address discrepancies.
The rule requires that financial institutions and creditors implement a written identity theft prevention program, that card
issuers assess the validity of change of address requests, and that users of consumer reports reasonably verify the
identity of the subject of a consumer report in the event of a notice of address discrepancy.
Distribution:
FDIC-Supervised Banks (Commercial and Savings)
Suggested Routing:
Chief Executive Officer
Chief Information Security Officer
Related Topics:
FIL-22-2006, Prohibition Against Discrimination in Credit Transactions, issued March 9, 2006
FIL-27-2005, Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued April 1, 2005
FIL-7-2005, Guidelines Requiring the Proper Disposal of Consumer Information, issued February 2, 2005
FIL-22-2001, Guidelines Establishing Standards for Safeguarding Customer Information, issued March 14, 2001
Attachment:
Interagency Final Rule Regarding Identity Theft Red
Flags and Address Discrepancies
Contact:
Senior Policy Analyst Jeffrey Kopchik at (202) 898-3872
or JKopchik@fdic.gov, or Counsel Richard Schwartz at
(202) 898-7424 or rischwartz@fdic.gov
Note:
FDIC financial institution letters (FILs) may be accessed
from the FDIC's Web site
at www.fdic.gov/news/news/financial/2007/index.html.
To receive FILs electronically, please
visit http://www.fdic.gov/about/subscriptions/fil.html.
Paper copies of FDIC financial institution letters may be
obtained through the FDIC's Public Information Center,
3501 Fairfax Drive, E-1102, Arlington, VA 22226
(1-877-275-3342 or 202-416-6940).
Highlights:
The regulation and guidelines implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.
The regulation requires financial institutions and creditors to implement a written identity theft prevention program.
The regulation requires card issuers to assess the validity of change of address requests before issuing additional or replacement debit or credit cards.
The regulation requires users of consumer reports to reasonably verify the identity of the subject of a consumer report in the event the user receives a notice of address discrepancy from the consumer reporting agency.
The guidelines are intended to assist financial institutions in implementing the regulation.
Supplement A to the guidelines contains a list of 26 "red flags" that financial institutions and creditors may consider incorporating into their identity theft prevention programs.
The regulation and guidelines are effective on January 1, 2008, and mandatory compliance is required by November 1, 2008.
Inactive