Proposed rulemaking against identity theft

The long view of security strategies for your network.

Last July a consortium of federal agencies published a Notice of Proposed Rulemaking to help protect customers of banks and other financial institutions against identity theft.

The agencies included the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

The press release described the Notice of Proposed Rulemaking (NPRM):

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Last July a consortium of federal agencies published a Notice of Proposed Rulemaking to help protect customers of banks and other financial institutions against identity theft.

The agencies included the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

The press release described the Notice of Proposed Rulemaking (NPRM):

"The regulations that the agencies are jointly proposing would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a 'red flag' signaling a possible risk of identity theft. Under the proposed regulations, an identity theft prevention program established by a financial institution or creditor would have to include policies and procedures for detecting any 'red flag' relevant to its operations and implementing a mitigation strategy appropriate for the level of risk.

"The proposed regulations also would require credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address followed closely by a request for an additional or replacement card.

"Additional proposed regulations would require users of consumer reports to develop reasonable policies and procedures that they must apply when they receive a notice of address discrepancy from a consumer reporting agency."

The report was published in three PDF files which, for reasons best known to the federal agencies involved, did not include any usable text - they are scanned from the original double-spaced paper NPRM.

In my next column, I’ll briefly review the red flags compiled by the working group.

Read more about security in Network World's Security section.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.