BOARD OF GOVERNORS
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 01-11 (SUP)
April 26, 2001
The Gramm-Leach-Bliley Act directs the Board and other federal agencies to ensure that financial institutions have policies, procedures and controls in place to prevent the unauthorized disclosure of customer financial information and to deter and detect fraudulent access to such information. Consistent with section 525 of the Gramm-Leach-Bliley Act (15 U.S.C. 6825), this SR letter addresses how state member banks and other banking organizations supervised by the Federal Reserve that provide products or services to the public or that maintain customer account information should protect customer information against identity theft. Guidance is also provided on completing Suspicious Activity Reports ("SARs") that report offenses associated with identity theft and pretext calling. In addition, banking organizations are reminded that guidance was recently issued by the Board and the other banking agencies concerning the safeguards that institutions can put into place to ensure the security of customer information.
The fraudulent use of an individual's personal identifying information, such as social security number, date of birth, or bank account number, to commit a financial crime like credit card, check, loan or mortgage fraud -- which is commonly referred to as "identity theft" -- is a growing problem. One way that wrongdoers improperly obtain personal information of bank customers so as to be able to commit identity theft is by contacting a bank, posing as a customer or someone authorized to have the customer's information, and through the use of trickery and deceit, convincing an employee of the bank to release customer identifying information. This practice is referred to as "pretext calling."
There are several federal criminal statutes that address illegal conduct associated with identity theft and pretext calling. These include:
Protecting Customer Information
Banking organizations can take various steps to safeguard customer information and reduce the risk of loss from identity theft. These include: (1) establishing procedures to verify the identity of individuals applying for financial products; (2) establishing procedures to prevent fraudulent activities related to customer information; and (3) maintaining a customer information security program.
1. Verification Procedures. Verification procedures for new accounts should include, as appropriate, steps to ensure the accuracy and veracity of application information. These could involve using independent sources to confirm information submitted by a customer; calling a customer to confirm that the customer has opened a credit card or checking account; or verifying information through an employer identified on an application form. A financial institution can also independently verify that the zip code and telephone area code provided on an application are from the same geographical area.
2. Fraud Prevention. To prevent fraudulent address changes, banking organizations should verify customer information before executing an address change and send a confirmation of the address change to both the new address and the address of record. If an organization receives a request for a new credit card or new checks in conjunction with a change of address notification, it should verify the request with the customer.
When opening a new account, a banking organization should, where possible, check to ensure that information provided on an application has not previously been associated with fraudulent activity. For example, if a banking organization uses a consumer report to process a new account application and the report is issued with a fraud alert, the banking organization's system for credit approval should flag the application and ensure that the individual is contacted before it is processed. In addition, fraud alerts should be shared across the organization's various lines of business.
3. Information Security. In early 2001, the Board and the other federal banking agencies issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information, a copy of which is attached.1 The Guidelines require banking organizations to establish and implement a comprehensive information security program that includes appropriate administrative, technical, and physical safeguards for customer information. To prevent pretext callers from using pieces of personal information to impersonate account holders in order to gain access to their account information, the Guidelines require banks and other financial institutions to establish written policies and procedures to control access to customer information.
Other measures that may reduce the incidence of pretext calling include limiting the circumstances under which customer information may be disclosed by telephone. For example, a banking organization may not permit employees to release information over the telephone unless the requesting individual provides a proper authorization code (other than a commonly used identifier). Banking organizations can also use caller identification technology or a request for a call back number as tools to verify the authenticity of a request.
Banking organizations should train employees to recognize and report possible indicators of attempted pretext calling. They should also implement testing to determine the effectiveness of controls designed to thwart pretext callers, and may consider using independent staff or third parties to conduct unscheduled pretext phone calls to various departments.
Reporting Suspected Identity Theft and Pretext Calling
Current regulations require state member banks and other banking organizations supervised by the Federal Reserve to report all known or suspected criminal violations to law enforcement and the Board on SARs. Criminal activity related to identity theft or pretext calling has historically manifested itself as credit or debit card fraud, loan or mortgage fraud, or false statements to the institution, among other things.
As a means of better identifying and tracking known or suspected criminal violations related to identity theft and pretext calling, a banking organization should, in addition to reporting the underlying fraud (such as credit card or loan fraud) on a SAR, also indicate within the SAR that such a known or suspected violation is the result of identity theft or pretext calling. Specifically, when identity theft or pretext calling is believed to be the underlying cause of the known or suspected criminal activity, the reporting institution should, consistent with the existing SAR instructions, complete a SAR in the following manner:
Consumer Education and Assistance
Banking organizations should provide their customers with information about how to prevent identity theft and necessary steps to take in the event a customer becomes a victim of identity theft. An excellent source of information for consumers is the Federal Trade Commission's website at http://www.ftc.gov/bcp/edu/microsites/idtheft/.
Banking organizations should also assist their customers who are victims of identity theft and fraud by having trained personnel to respond to customer inquiries, by determining whether an account should be closed immediately after a report of unauthorized use and by prompt issuance of new checks or new credit, debit or ATM cards. If a customer has multiple accounts with the institution, it should assess whether any other account has been the subject of potential fraud.
Reserve Banks are asked to send a copy of this letter to regulated institutions in their districts and to their supervisory staff. Questions concerning identity theft, pretext calling, and suspicious activity reporting should be directed to Richard A. Small, Deputy Associate Director, at (202) 452-5235. Questions concerning information security should be directed to Heidi Richards, Assistant Director, at (202) 452-2598.
1. These guidelines are attached to the January 17, 2001 interagency press release that can be obtained on the Federal Reserve’s website at http://www.federalreserve.gov/boarddocs/press/boardacts/2001/20010117/default.htm