Supervisory Policy on Identity Theft
Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. Identifying information may include such things as a Social Security number, account number, date of birth, driver's license number, passport number, biometric data and other unique electronic identification numbers or codes. As more financial transactions are done electronically and remotely, and as more sensitive information is stored in electronic form, the opportunities for identity theft have increased significantly. 1 This policy statement describes the characteristics of identity theft and emphasizes the FDIC's well-defined expectations that institutions under its supervision detect, prevent and mitigate the effects of identity theft in order to protect consumers and help ensure safe and sound operations.
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using hard-copy identification or other documents obtained from the victim without his or her permission. 2 A smaller, but significant, amount of identity theft is committed electronically via phishing, spyware, hacking and computer viruses. 3 Financial institutions are among the most frequent targets of identity thieves 4 since they store sensitive information about their customers and hold customer funds in accounts that can be accessed remotely and transferred electronically.
Identity theft may harm consumers in several ways. First, an identity thief may gain access to existing accounts maintained by consumers and either transfer funds out of deposit accounts or incur charges to credit card accounts. Identity thieves may also open new accounts in the consumer's name, incur expenses, and then fail to pay. This is likely to prompt creditors to attempt to collect payment from the consumer for debts the consumer did not incur. In addition, inaccurate adverse information about the consumer's payment history may prevent the consumer from obtaining legitimate credit when he or she needs it. An identity theft victim can spend months or years attempting to correct errors in his or her credit record.
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address identity theft. The FDIC acts directly, often in conjunction with other Federal regulators, by promulgating standards that financial institutions are expected to meet to protect customers' sensitive information and accounts. The FDIC enforces these standards against the institutions under its supervision and encourages all financial institutions to educate their customers about steps they can take to reduce the chances of becoming an identity theft victim. The FDIC also sponsors and conducts a variety of consumer education efforts to make consumers more aware of the ways they can protect themselves from identity thieves.
Supervisory Action
As a result of guidelines issued by the FDIC, together with other federal agencies, financial institutions are required to develop and implement a written program to safeguard customer information, including the proper disposal of consumer information (Security Guidelines). 5 The FDIC considers this programmatic requirement to be one of the foundations of identity theft prevention. In guidance that became effective on January 1, 2007, the federal banking agencies made it clear that they expect institutions to use stronger and more reliable methods to authenticate the identity of customers using electronic banking systems. 6 Moreover, the FDIC has also issued guidance stating that financial institutions are expected to notify customers of unauthorized access to sensitive customer information under certain circumstances. 7 The FDIC has issued a number of other supervisory guidance documents articulating its position and expectations concerning identity theft. 8 Industry compliance with these expectations will help to prevent and mitigate the effects of identity theft.
Risk management examiners trained in information technology (IT) and the requirements of the Bank Secrecy Act (BSA) evaluate a number of aspects of a bank's operations that raise identity theft issues. IT examiners are well-qualified to evaluate whether banks are incorporating emerging IT guidance into their Identity Theft Programs and GLBA 501(b) Information Security Programs; responsibly overseeing service provider arrangements; and taking action when a security breach occurs. In addition, IT examiners will consult with BSA examiners during the course of an examination to ensure that the procedures institutions employ to verify the identity of new customers are consistent with existing laws and regulations to prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the Fair Credit Reporting Act (FCRA), through the auspices of the Federal Financial Institutions Examination Council's (FFIEC) Consumer Compliance Task Force. 9 These procedures are used during consumer compliance examinations and include steps to ensure that institutions comply with the FCRA's fraud and active duty alert provisions. These provisions enable consumers to place alerts on their consumer reports that require users, such as banks, to take additional steps to identify the consumer before new credit is extended. The procedures also include reviews of institutions' compliance with requirements governing the accuracy of data provided to consumer reporting agencies. These requirements include the blocking of data that may be the result of an identity theft. Compliance examiners are trained in the various requirements of the FCRA and ensure that institutions have effective programs to comply with the identity theft provisions. Consumers are protected from identity theft through the vigilant enforcement of all the examination programs, including Risk Management, Compliance, IT and BSA.
The Fair and Accurate Credit Transactions Act directed the FDIC and other federal agencies to jointly promulgate regulations and guidelines that focus on identity theft "red flags" and customer address discrepancies. As proposed, 10 the guidelines would require financial institutions and creditors to establish a program to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The proposed joint regulation would require financial institutions and creditors to establish reasonable policies to implement the guidelines, including a provision requiring debit and credit card issuers to assess the validity of a request for a change of address. In addition, the agencies proposed joint regulations that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when the user receives a notice of address discrepancy. When promulgated in final form, these joint regulations and guidelines will comprise another element of the FDIC's program to prevent and mitigate identity theft.
Consumer Education
The FDIC believes that consumers have an important role to play in protecting themselves from identity theft. As identity thieves become more sophisticated, consumers can benefit from accurate, up-to-date information designed to educate them concerning steps they should take to reduce their vulnerability to this type of fraud. The financial services industry, the FDIC and other federal regulators have made significant efforts to raise consumers' awareness of this type of fraud and what they can do to protect themselves.
In 2005, the FDIC sponsored four identity theft symposia entitled Fighting Back Against Phishing and Account-Hijacking . At each symposium (held in Washington, D.C., Atlanta, Los Angeles and Chicago), panels of experts from government, the banking industry, consumer organizations and law enforcement discussed efforts to combat phishing and account hijacking, and to educate consumers on avoiding scams that can lead to account hijacking and other forms of identity theft. Also in 2006, the FDIC sponsored a symposia series entitled Building Confidence in an E-Commerce World . Sessions were held in San Francisco, Phoenix and Miami. Further consumer education efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be an On-line Victim , to help online banking customers avoid common scams. It discusses how consumers can secure their computer, how they can protect themselves from electronic scams that can lead to identity theft, and what they can do if they become the victim of identity theft. The tool is being distributed through the FDIC's web site and via CD-ROM. Many financial institutions also now display anti-fraud tips for consumers in a prominent place on their public web site and send customers informational brochures discussing ways to avoid identity theft along with their account statements. Financial institutions are also redistributing excellent educational materials from the Federal Trade Commission, the federal government's lead agency for combating identity theft.
President’s Identity Theft Task Force
On May 10, 2006, the President issued an executive order establishing an Identity Theft Task Force (Task Force). The Chairman of the FDIC is a principal member of the Task Force and the FDIC is an active participant in its work. The Task Force has been charged with delivering a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution. On September 19, 2006, the Task Force adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft. Among other things, these recommendations dealt with data breach guidance to federal agencies, alternative methods of "authenticating" identities, and reducing access of identity thieves to Social Security numbers. The final strategic plan is expected to be publicly released soon.
Conclusion
Financial institutions have an affirmative and continuing obligation to protect the privacy of customers' nonpublic personal information. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC treats the theft of personal financial information as a significant risk area due to its potential to impact the safety and soundness of an institution, harm consumers, and undermine confidence in the banking system and economy. The FDIC believes that its collaborative efforts with the industry, the public and its fellow regulators will significantly minimize threats to data security and consumers.
1 See Study on "Account-Hijacking" Identity Theft and Suggestions for Reducing Online Fraud , FDIC FIL-132-2004, December 14, 2004; Study Supplement on "Account-Hijacking" Identity Theft , FDIC FIL-59-2005, July 5, 2005.
2 2006 Identity Fraud Survey Report , Javelin Strategy & Research, January 2006.
3 Ibid.
4 ID Theft Resource Center, security breaches as of January 16, 2007, http://www.idtheftcenter.org/breaches.shtml.
5 12 CFR 364, Appendix B.
6 Authentication in an Internet Banking Environment , FDIC FIL-103-2005, October 12, 2005.
7 Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice , FDIC FIL-27-2005, April 1, 2005.
8 See Guidance on Security Risks of VOIP , FDIC FIL-69-2005, July 27, 2005; Guidance on Mitigating Risks from Spyware , FDIC FIL-66-2005, July 22, 2005; How Financial Institutions Can Protect Against Pharming Attacks , FDIC FIL-64-2005, July 18, 2005; Interagency Informational Brochure on Internet "Phishing" Scams , FDIC FIL-103-3004, September 13, 2004; Identity Theft and Pretext Calling , FDIC FIL-39-2001, May 9, 2001.
9 Fair Credit Reporting Act – Revised Examination Procedures , FDIC FIL-18-2006, February 22, 2006.
10 See , 71 Federal Register 40786, published on July 18, 2006.