To: All Member Banks and Others Concerned in the Third Federal Reserve District

Attention: Chief Executive Officer and Chief Financial Officer

Subject: Request for Comment on Interagency Guidance on Programs to Protect Against Identity Theft


The federal bank and thrift regulatory agencies request public comment on proposed guidance that would require financial institutions to develop programs to respond to incidents of unauthorized access to customer information, including procedures for notifying customers under certain circumstances.

The proposed guidance interprets the interagency customer information security guidelines, issued in February 2001, that require financial institutions to implement information security programs designed to protect their customers’ information. The proposed interpretation describes the components of a response program and sets a standard for providing notice to customers affected by unauthorized access to or use of customer information that could result in substantial harm or inconvenience to those customers, thereby reducing the risk of losses due to fraud or identity theft.

The proposed guidance states that “an institution should notify affected customers when it becomes aware of unauthorized access to sensitive customer information unless the institution, after an appropriate investigation, reasonably concludes that misuse is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers, including monitoring affected customers’ accounts for unusual or suspicious activity.”

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision are requesting public comment on all aspects of this proposal, including whether the agencies have identified the appropriate standard for financial institutions to provide notice to their customers.

Comment on the proposed guidance is requested by October 14, 2003. Specific information on how to file a comment is contained in the Federal Register notice published August 12, 2003, a copy of which is attached (54 KB, 2 pages).

For Further Information: Donna L. Parker, Supervisory Financial Analyst, Division of Banking Supervision & Regulation, (202) 452-2614;
Thomas E. Scanlon, Counsel, Legal Division, (202) 452-3594; or
Joshua H. Kaplan, Attorney, Legal Division, (202) 452-2249.