
FDIC Backs Bank Warning on ID Theft

Times Staff Writer

U.S. regulators voted Friday for a policy that would require banks to notify customers in certain cases of identity theft -- a proposal that consumer activists called inadequate.

Federal Deposit Insurance Corp. officials said the proposal, which its board of directors approved, had nothing to do with recent disclosures of security breaches at information brokers ChoicePoint Inc. and LexisNexis, as well as at Bank of America Corp.

“This has been in process since 2003, long before the heightened interest in the topic,” said Sandra Thompson, deputy director of the FDIC’s consumer protection division.


The proposal, which sets the rules for financial institutions to follow in designing their notification policies, still must be approved by the Federal Reserve before taking effect.

It requires banks to quickly notify federal regulators if there is a security breach that might have compromised personal files. It defines sensitive data to include names, addresses, Social Security numbers and credit card numbers.

Still, the policy would require banks infiltrated by identity thieves to notify affected customers only if the bank determined that it was “reasonably possible” that their private information had been misused.

The standard for when banks must notify customers is weaker than in a first draft of the proposal released in 2003. Under the original standard, banks would have had to notify customers unless they could prove “misuse of the information accessed is unlikely to occur,” according to a report released Friday by the FDIC and three other federal agencies.

Bankers had complained that the original standard would have caused too many false alarms.

“You have to have a chance to investigate” the scope of a data loss, said Nessa Feddis, senior federal counsel for the American Bankers Assn., a trade group. “If you inundate customers with notices, they stop being effective.”

Feddis said banks were satisfied with the revision. The FDIC heeded several objections that bankers had with the 2003 draft, she said, resulting in a proposal that is more “refined and narrow in its scope.”


Privacy advocates, however, said the proposal did not provide enough consumer protection.

“It gives the banks too much discretion to decide whether a breach requires notification,” said Edmund Mierzwinski, consumer program director for the advocacy organization U.S. Public Interest Research Group.

A stronger standard, Mierzwinski said, was set by a 2003 California law. It requires all companies -- not just banks -- to notify consumers when they learn confidential information has been lost. It does not require a finding of possible harm.

The difference is especially important, said Mierzwinski, because in the wake of recent high-profile breaches, several members of Congress are calling for tighter controls on information brokers of all types.

“The danger is that the weaker FDIC regulations could provide a cover for Congress to give the same provisions to companies like ChoicePoint,” Mierzwinski said. “It creates a weaker standard.”

It’s unclear what effect the rule would have on the California law. The proposal does not address the question of whether it would supersede state notification requirements.
