This letter establishes the Federal Reserve's expectations for Federal Reserve-supervised financial institutions and examination staff with respect to the final rules and guidelines regarding identity theft red flags and other regulations under the Fair Credit Reporting Act (FCRA).¹

The Federal Financial Institutions Examination Council's Task Force on Consumer Compliance recently approved the attached examination procedures for regulations implementing three provisions of the FCRA, as amended by the Fair and Accurate Credit Transactions Act. The three provisions address:

• Duties of users regarding address discrepancies (12 CFR 222.82) (address discrepancy rule);
• Duties regarding the detection, prevention, and mitigation of identity theft (12 CFR 222.90) (identity theft red flags rule); and,
• Duties of card issuers regarding changes of address (12 CFR 222.91) (card issuer rule).

Safety-and-soundness examiners with experience in operational risk will review institutions for compliance with the identity theft red flags rule.²  Consumer compliance examiners will review institutions for compliance with the address discrepancy and card issuer rules.³  Examiners should include an evaluation of a financial institution's compliance with these provisions during the next regularly scheduled examination or supervisory cycle after the mandatory compliance date of November 1, 2008. After an initial evaluation, subsequent examinations should be risk-focused in scoping future reviews of these provisions. Financial institutions are expected to be in compliance with these rules by the mandatory compliance date.

The address discrepancy rule requires a user of consumer reports, including a financial institution, to develop reasonable policies and procedures to enable the user, when it receives a notice of address discrepancy from a consumer reporting agency, to confirm that the consumer report relates to the consumer whose report was requested. In addition, a user must develop reasonable policies and procedures for furnishing to a consumer reporting agency a consumer's address that the user has reasonably confirmed is accurate if the user: (a) establishes a continuing relationship; and (b) regularly furnishes information to the consumer reporting agency from which it received the notice of address discrepancy.

The identity theft red flags rule requires a financial institution to periodically determine whether it offers or maintains accounts covered by the regulation. A covered account generally is a consumer account or any other account the institution determines carries a foreseeable risk of identity theft. For covered accounts, an institution must develop and implement a written identity theft prevention program (program) that is designed to detect, prevent, and mitigate identity theft in connection with any new or existing covered account. The program must be appropriate to the size and complexity of the financial institution and the nature and scope of its activities. Financial institutions may draw upon their existing programs, such as Bank Secrecy Act/Anti-Money Laundering compliance programs, customer identification programs, or customer information security programs, to help formulate their identity theft prevention program.

The card issuer rule requires credit and debit card issuers to develop reasonable policies and procedures to assess the validity of a change of address that is followed closely by a request for an additional or replacement card. In such situations, the card issuer must not issue an additional or replacement card until it assesses the validity of the change of address in accordance with its policies and procedures.

Reserve Banks are asked to distribute this letter to financial institutions supervised by the Federal Reserve in their districts. If you have any questions, please contact Sue Moy, Senior Project Manager, Operational and IT Risk, Division of Banking Supervision and Regulation, at (202) 452-3110; or Paul Robin, Manager, Oversight and Policy Section, Division of Consumer and Community Affairs, at (202) 452-3140. In addition, questions may be sent via the Board's public website.⁴