January 23, 2008
The final weeks of 2007 saw a flurry of regulatory activity by the federal banking regulatory agencies and the Federal Trade Commission. These issuances, whether in the form of final rules and guidelines or proposed rules or guidelines, all address aspects of identity theft prevention and consumer data privacy protection.
Identity Theft Red Flags Rules Apply to Financial Institutions and other Creditors.
The Customer Information (CIP) Programs required of financial institutions will need to be reviewed and modified to address the requirements imposed by the Identity Theft Red Flags rules and guidelines. Having been charged with promulgating regulations implementing various requirements of the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act), the agencies issued final regulations implementing section 114, requiring financial institutions and creditors to adopt and maintain a written Identity Theft Prevention Program (Program). The rules and guidelines require both financial institutions and other creditors, provided that they offer “covered accounts,” to maintain a written Program to detect, prevent, and mitigate identity theft in connection with the opening of “covered accounts.” “Covered accounts” are defined as (1) an account primarily for personal, family or household purposes, that permits multiple transactions, or (2) any other account “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor or financial institution from identity theft.” Examples of accounts that permit multiple transactions are a credit card account, mortgage loan, automobile loan, cell phone account, utility account, margin account, checking account or savings account. Thus, most financial institutions will be subject to the regulations by virtue of the first part of the definition. The second part of the definition is intended to address the vulnerability to identity theft of certain types of non-personal accounts, such as sole proprietorship and small business accounts.
The final rules also describe the objectives of the Program, the elements of the Program, and how the Program must be administered. The Program must include reasonable policies and procedures to
- Identify relevant Red Flags for covered accounts and incorporate them into the Program
- Detect Red Flags that have been incorporated into the Program
- Respond appropriately to any Red Flags that are detected to prevent and mitigate the occurrence of identity theft
- Ensure that the Program is updated periodically
The Program is required to be approved by the Board of Directors of the financial institution or creditor, or a committee of that Board. In order to afford financial institutions and creditors more flexibility in developing a Program, certain detailed guidance has been included in the guidelines issued in connection with the regulations, so that an institution’s or creditor’s Program can address only those policies and procedures appropriate to its organization. Thus, the Identity Theft Rules consist of only two sections added to the FCRA regs, while Appendix J provides substantial detail and assistance as to the components of the Program.
The requirements of this new regulation are effective January 1, 2008, and compliance is mandatory November 1, 2008.
Duties of Users of Consumer Reports Upon Notice of Address Discrepancies.
Section 315 of the FACT Act applies to a “user” of a consumer credit report, including employers who obtain consumer credit reports on prospective employees. The Act required the federal agencies to issue rules with respect to the policies and procedures necessary to enable the user to form a reasonable belief as to the identity of the consumer for whom it obtained a consumer report. In addition, the Rules provide guidance for users of consumer reports when they receive a notice of address discrepancy from a consumer reporting agency (CRA). Following receipt of such a notice, a user is required to “form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report.” There were ample comments to the proposed regulations asserting that the CIP procedures to which financial institutions must adhere were sufficient to satisfy the requirements of this section. The final rule provides examples of reasonable policies and procedures that a user may employ to enable the user to form such a “reasonable belief,” such as comparing the information in the consumer report with information obtained in connection with the user’s CIP procedures, maintained in its own records, or obtained from third party sources.
Another requirement is for users to develop and implement reasonable policies and procedures for furnishing to the CRA from which it received the notice an address for the consumer that the user has reasonably confirmed is accurate. The rule provides what it considers to be reasonable confirmation methods, such as verifying the address with the consumer, reviewing the user’s own records, or using a third party source.
The requirements of this new regulation are effective January 1, 2008, and compliance is mandatory November 1, 2008.
Rules Concerning Affiliate Marketing.
The Federal Trade Commission approved a final rule on affiliate marketing that will provide consumers with an opportunity to “opt out” before a person or company uses personal information provided by an affiliated company to market its products and services to the consumer. This rule implements Section 214 of the FACT Act, and a similar rule was issued separately by each of the FRB, the OCC, the FDIC, the OTS, the NCUA, and the SEC. The final rule generally prohibits a company from using certain information received from an affiliate to make a solicitation to a consumer about that company’s products and services, unless the consumer has been given notice and a reasonable opportunity and method to opt out of the solicitation, and the consumer does not opt out. This rule does not supersede or amend a consumer’s existing right to opt out of the sharing of non-transaction or experience information under the FCRA.
The requirements of this new regulation are effective January 1, 2008, and compliance is mandatory October 1, 2008.
Procedures to Enhance the Accuracy and Integrity of Information Furnished to CRAs.
Section 312 of the FACT Act requires that the OCC, Board, FDIC, OTS, NCUA and FTC (Agencies) issue joint guidelines for use by furnishers of information to CRAs, regarding the accuracy and integrity of consumer information that they furnish. Section 312 also provides for direct dispute resolution, and the jointly issued guidelines implement those requirements. The Agencies issued an Advance Notice of Proposed Rulemaking (ANPR) on these issues in March 2006. This proposal takes into account comments submitted in response to that ANPR.
The proposed rules consist of three components: the proposed accuracy and integrity regulations, the proposed accuracy and integrity guidelines, and the proposed direct dispute regulations. The statute requires the Agencies to establish and maintain guidelines for use by each furnisher. It directs the Agencies to develop the guidelines by doing the following: identify specific forms of activity that can compromise the accuracy and integrity of information, review the methods used to furnish the information to CRAs, determine whether furnishers maintain and enforce policies to assure the accuracy and integrity of the information, and examine the policies and processes employed by furnishers to conduct reinvestigations and correct inaccurate information. The furnishers are also required to adopt reasonable policies and procedures for implementing the guidelines. Finally, the proposed rules require a furnisher to investigate a direct dispute revealed by a consumer report if it relates to: the consumer’s liability for a credit account or other debt with the furnisher; the terms of a credit account or other debt with the furnisher; the consumer’s performance or other conduct concerning a credit account or other debt; or any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, and the like. Furnishers would not be required to investigate disputes that relate to information derived from public records, which may be obtained directly from public sources, and information about requests for consumer reports, both of which are more appropriately directed to the CRA.
The proposed rules present alternative approaches pertaining to the accuracy and integrity regulations and guidelines, and recognize a consistent theme voiced by the commenters that the guidelines and regulations should be sensitive to the voluntary nature of the reporting of information about consumers to CRAs, and the potential burden these may present to furnishers of consumer credit information, so as not to discourage reporting. In the case of both the accuracy and integrity issues and the direct dispute resolution, the Agencies pointed to studies indicating that consumer report accuracy may be affected by the presence of stale account information, the practice of furnishing only negative information about an account, inaccurate or incomplete public record data, inaccurate or incomplete collection account data, and unreported credit limits. These studies have influenced the approach the Agencies have taken in the proposed rules.
Comments are due by February 11, 2008.
Online Behavioral Advertising
The FTC has issued for comment proposed Self-Regulatory Principles for Online Behavioral Advertising. In the preamble to the principles, the FTC explains that it has been engaged in investigations, law enforcement, studies and other policy developments to protect online consumer privacy since the 1990s. It has recently held public hearings and Town Hall forums to discuss privacy issues raised by online behavioral advertising. It identified key questions related to behavioral advertising, which produced three issues:
- the practice benefits consumers in the form of free web content and personalized ads that many consumers value, but the practice is largely invisible and unknown to consumers
- business and consumer groups cherish the values of transparency and consumer autonomy, and view them as critical to the development and maintenance of consumer trust in the online marketplace
- no matter what one’s view of behavioral advertising, there are reasonable concerns about consumer data collected for this purpose falling into the wrong hands or being misused.
From these issues, the FTC developed the following proposed principles:
- Transparency and control – Every website where data is collected for behavioral advertising should provide a clear disclosure of the fact of the collecting activity and of the fact that consumers can choose whether or not to participate. A clear and easy-to-use method of making that choice must be made available to consumers.
- Reasonable security, and limited data retention, for consumer data – Companies that collect and store consumer data for behavioral advertising should provide reasonable security for that data. Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
- Affirmative express consent for material changes to existing privacy promises – A company must keep any promises that it makes concerning how it will handle or protect consumer data it collects. If it intends to change its practices, it must obtain express affirmative consent from the affected consumers.
- Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising – Companies should only collect sensitive data for behavioral advertising if they obtain express affirmative consent from consumers to receive such advertising.
- Call for additional information – The FTC seeks comment on the potential uses for tracking data beyond behavioral advertising, and in particular: whether such secondary use raises concerns; whether companies are in fact using data in this way; whether the concerns apply to personally identifiable information only or to non-personally identifiable information as well; and whether secondary uses, if they occur, merit some form of heightened protection.
Comments on these principles are due to the FTC by Friday, February 22, 2008.
FDIC Issues Revised IT Officer’s Questionnaire
On December 4, 2007, the FDIC issued updated Information Technology Examination Procedures for FDIC-supervised financial institutions. The updated procedures include a revised IT Officer’s Questionnaire, which was enhanced to provide greater coverage of vendor management and outsourcing topics, credit card and ACH payment system risks, as well as an institution’s overall information security program.
The revised Questionnaire includes a new “Vendor Management and Service Provider Oversight” section to reflect potential reliance on outside firms for technology-related products and services. It also includes new questions for payment system risks, particularly focusing on electronic funds transfer methods, as well as credit card merchant processing and remote deposit capture.
Reprinted from the February 2008 issue of the Privacy & Data Security Law Journal.