12 CFR Part 717

12CFR717 1-1-20 ED.pdf

Fair Credit Reporting (FCRA); Regulation V and 12 CFR 717

OMB: 3133-0165

National Credit Union Administration

PART 716—PRIVACY OF CONSUMER FINANCIAL INFORMATION

AUTHORITY: 15 U.S.C. 6801 et seq., 12 U.S.C.
1751 et seq.

SOURCE: 78 FR 32545, May 31, 2013, unless
otherwise noted.

§ 716.1 Cross reference.

The rules formerly at 12 CFR part 716
have been republished by the Consumer
Financial Protection Bureau at 12 CFR
part 1016, “Privacy of Consumer Financial Information (Regulation P)”.

PART 717—FAIR CREDIT REPORTING
Subparts A–H [Reserved]
Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal
Sec.
717.80–717.81 [Reserved]
717.82 Duties of users regarding address discrepancies.
717.83 Disposal of consumer information.

Subpart J—Identity Theft Red Flags
717.90 Duties regarding the detection, prevention, and mitigation of identity theft.
717.91 Duties of card issuers regarding
changes of address.
APPENDIXES A–D TO PART 717 [RESERVED]
APPENDIX E TO PART 717—INTERAGENCY
GUIDELINES CONCERNING THE ACCURACY
AND INTEGRITY OF INFORMATION FURNISHED TO CONSUMER REPORTING AGENCIES

APPENDIXES F–I TO PART 717 [RESERVED]
APPENDIX J TO PART 717—INTERAGENCY
GUIDELINES ON IDENTITY THEFT DETECTION, PREVENTION, AND MITIGATION
AUTHORITY: 12 U.S.C. 1766(a), 1789; 15 U.S.C.
1681m(e).
SOURCE: 69 FR 69273, Nov. 29, 2004, unless
otherwise noted.

Subparts A–H [Reserved]

Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal

§§ 717.80–717.81 [Reserved]

§ 717.82 Duties of users regarding address discrepancies.
(a) Scope. This section applies to a
user of consumer reports (user) that receives a notice of address discrepancy
from a consumer reporting agency described in 15 U.S.C. 1681a(p), and that is
federal credit union.
(b) Definition. For purposes of this
section, a notice of address discrepancy
means a notice sent to a user by a consumer reporting agency described in 15
U.S.C. 1681a(p) pursuant to 15 U.S.C.
1681c(h)(1), that informs the user of a
substantial difference between the address for the consumer that the user
provided to request the consumer report and the address(es) in the agency’s
file for the consumer.
(c) Reasonable belief—(1) Requirement
to form a reasonable belief. A user must
develop and implement reasonable policies and procedures designed to enable
the user to form a reasonable belief
that a consumer report relates to the
consumer about whom it has requested
the report, when the user receives a notice of address discrepancy.
(2) Examples of reasonable policies and
procedures. (i) Comparing the information in the consumer report provided
by the consumer reporting agency with
information the user:
(A) Obtains and uses to verify the
consumer’s identity in accordance with
the requirements of the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR
1020.220);
(B) Maintains in its own records,
such as applications, change of address
notifications, other member account
records, or retained CIP documentation; or
(C) Obtains from third-party sources;
or
(ii) Verifying the information in the
consumer report provided by the consumer reporting agency with the consumer.
(d) Consumer’s address—(1) Requirement to furnish consumer’s address to a
consumer reporting agency. A user must
develop and implement reasonable policies and procedures for furnishing an
address for the consumer that the user
has reasonably confirmed is accurate
to the consumer reporting agency described in 15 U.S.C. 1681a(p) from whom
it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that
the consumer report relates to the consumer about whom the user requested
the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary
course of business furnishes information to the consumer reporting agency
from which the notice of address discrepancy relating to the consumer was
obtained.
(2) Examples of confirmation methods.
The user may reasonably confirm an
address is accurate by:
(i) Verifying the address with the
consumer about whom it has requested
the report;
(ii) Reviewing its own records to
verify the address of the consumer;
(iii) Verifying the address through
third-party sources; or
(iv) Using other reasonable means.
(3) Timing. The policies and procedures developed in accordance with
paragraph (d)(1) of this section must
provide that the user will furnish the
consumer’s address that the user has
reasonably confirmed is accurate to
the consumer reporting agency described in 15 U.S.C. 1681a(p) as part of
the information it regularly furnishes
for the reporting period in which it establishes a relationship with the consumer.

[72 FR 63768, Nov. 9, 2007, as amended at 74
FR 22644, May 14, 2009; 76 FR 18365, Apr. 4,
2011]

§ 717.83 Disposal of consumer information.
(a) In general. You must properly dispose of any consumer information that
you maintain or otherwise possess in a
manner consistent with the Guidelines
for Safeguarding Member Information,
in appendix A to part 748 of this chapter.
(b) Examples. Appropriate measures
to properly dispose of consumer information include the following examples.
These examples are illustrative only
and are not exclusive or exhaustive
methods for complying with this section.
(1) Burning, pulverizing, or shredding
papers containing consumer information so that the information cannot
practicably be read or reconstructed.
(2) Destroying or erasing electronic
media containing consumer information so that the information cannot
practicably be read or reconstructed.
(c) Rule of construction. This section
does not:
(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any
other law; or
(2) Alter or affect any requirement
imposed under any other provision of
law to maintain or destroy such a
record.
(d) Definitions. As used in this section:
(1) Consumer information means any
record about an individual, whether in
paper, electronic, or other form, that is
a consumer report or is derived from a
consumer report and that is maintained or otherwise possessed by or on
behalf of the credit union for a business
purpose. Consumer information also
means a compilation of such records.
The term does not include any record
that does not identify an individual.
(i) Consumer information includes:
(A) A consumer report that you obtain;
(B) Information from a consumer report that you obtain from your affiliate after the consumer has been given
a notice and has elected not to opt out
of that sharing;
(C) Information from a consumer report that you obtain about an individual who applies for but does not receive a loan, including any loan sought
by an individual for a business purpose;
(D) Information from a consumer report that you obtain about an individual who guarantees a loan (including a loan to a business entity); or
(E) Information from a consumer report that you obtain about an employee or prospective employee.
(ii) Consumer information does not include:

(A) Aggregate information, such as
the mean credit score, derived from a
group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not personally identifiable, you use for developing credit scoring models or for
other purposes.
(2) Consumer report has the same
meaning as set forth in the Fair Credit
Reporting Act, 15 U.S.C. 1681a(d). The
meaning of consumer report is broad
and subject to various definitions, conditions and exceptions in the Fair
Credit Reporting Act. It includes written or oral communications from a
consumer reporting agency to a third
party of information used or collected
for use in establishing eligibility for
credit or insurance used primarily for
personal, family or household purposes,
and eligibility for employment purposes. Examples include credit reports,
bad check lists, and tenant screening
reports.

Subpart J—Identity Theft Red Flags

SOURCE: 72 FR 63768, Nov. 9, 2007, unless
otherwise noted.

§ 717.90 Duties regarding the detection, prevention, and mitigation of
identity theft.
(a) Scope. This section applies to a financial institution or creditor that is a
federal credit union.
(b) Definitions. For purposes of this
section and appendix J, the following
definitions apply:
(1) Account means a continuing relationship established by a person with a
federal credit union to obtain a product
or service for personal, family, household or business purposes. Account includes:
(i) An extension of credit, such as the
purchase of property or services involving a deferred payment; and
(ii) A share or deposit account.
(2) The term board of directors refers
to a federal credit union’s board of directors.
(3) Covered account means:
(i) An account that a federal credit
union offers or maintains, primarily
for personal, family, or household purposes, that involves or is designed to
permit multiple payments or transactions, such as a credit card account,
mortgage loan, automobile loan,
checking account, or share account;
and
(ii) Any other account that the federal credit union offers or maintains
for which there is a reasonably foreseeable risk to members or to the safety
and soundness of the federal credit
union from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4) Credit has the same meaning as in
15 U.S.C. 1681a(r)(5).
(5) Creditor has the same meaning as
in 15 U.S.C. 1681a(r)(5).
(6) Customer means a member that
has a covered account with a federal
credit union.
(7) Financial institution has the same
meaning as in 15 U.S.C. 1681a(t).
(8) Identity theft has the same meaning as in 16 CFR 603.2(a).
(9) Red Flag means a pattern, practice, or specific activity that indicates
the possible existence of identity theft.
(10) Service provider means a person
that provides a service directly to the
federal credit union.
(c) Periodic Identification of Covered
Accounts. Each federal credit union
must periodically determine whether it
offers or maintains covered accounts.
As a part of this determination, a federal credit union must conduct a risk
assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this
section, taking into consideration:
(1) The methods it provides to open
its accounts;
(2) The methods it provides to access
its accounts; and
(3) Its previous experiences with identity theft.
(d) Establishment of an Identity Theft
Prevention Program—(1) Program requirement. Each federal credit union that offers or maintains one or more covered
accounts must develop and implement
a written Identity Theft Prevention
Program (Program) that is designed to
detect, prevent, and mitigate identity
theft in connection with the opening of
a covered account or any existing covered account. The Program must be appropriate to the size and complexity of
the federal credit union and the nature
and scope of its activities.

12 CFR Ch. VII (1–1–20 Edition)

(2) Elements of the Program. The Program must include reasonable policies
and procedures to:
(i) Identify relevant Red Flags for the
covered accounts that the federal credit union offers or maintains, and incorporate those Red Flags into its Program;
(ii) Detect Red Flags that have been
incorporated into the Program of the
federal credit union;
(iii) Respond appropriately to any
Red Flags that are detected pursuant
to paragraph (d)(2)(ii) of this section to
prevent and mitigate identity theft;
and
(iv) Ensure the Program (including
the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to members and
to the safety and soundness of the federal credit union from identity theft.
(e) Administration of the Program.
Each federal credit union that is required to implement a Program must
provide for the continued administration of the Program and must:
(1) Obtain approval of the initial
written Program from either its board
of directors or an appropriate committee of the board of directors;
(2) Involve the board of directors, an
appropriate committee thereof, or a
designated employee at the level of
senior management in the oversight,
development, implementation and administration of the Program;
(3) Train staff, as necessary, to effectively implement the Program; and
(4) Exercise appropriate and effective
oversight of service provider arrangements.
(f) Guidelines. Each federal credit
union that is required to implement a
Program must consider the guidelines
in appendix J of this part and include
in its Program those guidelines that
are appropriate.

§ 717.91 Duties of card issuers regarding changes of address.
(a) Scope. This section applies to an
issuer of a debit or credit card (card
issuer) that is a federal credit union.
(b) Definitions. For purposes of this
section:
(1) Cardholder means a member who
has been issued a credit or debit card.

(2) Clear and conspicuous means reasonably understandable and designed
to call attention to the nature and significance of the information presented.
(c) Address validation requirements. A
card issuer must establish and implement reasonable policies and procedures to assess the validity of a change
of address if it receives notification of
a change of address for a member’s
debit or credit card account and, within a short period of time afterwards
(during at least the first 30 days after
it receives such notification), the card
issuer receives a request for an additional or replacement card for the
same account. Under these circumstances, the card issuer may not
issue an additional or replacement
card, until, in accordance with its reasonable policies and procedures and for
the purpose of assessing the validity of
the change of address, the card issuer:
(1)(i) Notifies the cardholder of the
request:
(A) At the cardholder’s former address; or
(B) By any other means of communication that the card issuer and the
cardholder have previously agreed to
use; and
(ii) Provides to the cardholder a reasonable means of promptly reporting
incorrect address changes; or
(2) Otherwise assesses the validity of
the change of address in accordance
with the policies and procedures the
card issuer has established pursuant to
§ 717.90 of this part.
(d) Alternative timing of address validation. A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant
to the methods in paragraph (c)(1) or
(c)(2) of this section when it receives an
address change notification, before it
receives a request for an additional or
replacement card.
(e) Form of notice. Any written or
electronic notice that the card issuer
provides under this paragraph must be
clear and conspicuous and provided
separately from its regular correspondence with the cardholder.

APPENDIXES A–D TO PART 717
[RESERVED]
APPENDIX E TO PART 717—INTERAGENCY
GUIDELINES CONCERNING THE ACCURACY AND INTEGRITY OF INFORMATION FURNISHED TO CONSUMER REPORTING AGENCIES
The NCUA encourages voluntary furnishing of information to consumer reporting agencies. Section 717.42 of this part requires each furnisher to establish and implement reasonable written policies and procedures concerning the accuracy and integrity
of the information it furnishes to consumer
reporting agencies. Under § 717.42(b), a furnisher must consider the guidelines set forth
below in developing its policies and procedures. In establishing these policies and procedures, a furnisher may include any of its
existing policies and procedures that are relevant and appropriate. Section 717.42(c) requires each furnisher to review its policies
and procedures periodically and update them
as necessary to ensure their continued effectiveness.

I. NATURE, SCOPE, AND OBJECTIVES OF
POLICIES AND PROCEDURES
(a) Nature and Scope. Section 717.42(a) of
this part requires that a furnisher’s policies
and procedures be appropriate to the nature,
size, complexity, and scope of the furnisher’s
activities. In developing its policies and procedures, a furnisher should consider, for example:
(1) The types of business activities in
which the furnisher engages;
(2) The nature and frequency of the information the furnisher provides to consumer
reporting agencies; and
(3) The technology used by the furnisher to
furnish information to consumer reporting
agencies.
(b) Objectives. A furnisher’s policies and
procedures should be reasonably designed to
promote the following objectives:
(1) To furnish information about accounts
or other relationships with a consumer that
is accurate, such that the furnished information:
(i) Identifies the appropriate consumer;
(ii) Reflects the terms of and liability for
those accounts or other relationships; and
(iii) Reflects the consumer’s performance
and other conduct with respect to the account or other relationship;
(2) To furnish information about accounts
or other relationships with a consumer that
has integrity, such that the furnished information:
(i) Is substantiated by the furnisher’s
records at the time it is furnished;
(ii) Is furnished in a form and manner that
is designed to minimize the likelihood that
the information may be incorrectly reflected
in a consumer report; thus, the furnished information should:
(A) Include appropriate identifying information about the consumer to whom it pertains; and
(B) Be furnished in a standardized and
clearly understandable form and manner and
with a date specifying the time period to
which the information pertains; and
(iii) Includes the credit limit, if applicable
and in the furnisher’s possession;
(3) To conduct reasonable investigations of
consumer disputes and take appropriate actions based on the outcome of such investigations; and
(4) To update the information it furnishes
as necessary to reflect the current status of
the consumer’s account or other relationship, including, for example:
(i) Any transfer of an account (e.g., by sale
or assignment for collection) to a third
party; and
(ii) Any cure of the consumer’s failure to
abide by the terms of the account or other
relationship.
II. ESTABLISHING AND IMPLEMENTING POLICIES
AND PROCEDURES
In establishing and implementing its policies and procedures, a furnisher should:
(a) Identify practices or activities of the
furnisher that can compromise the accuracy
or integrity of information furnished to consumer reporting agencies, such as by:
(1) Reviewing its existing practices and activities, including the technological means
and other methods it uses to furnish information to consumer reporting agencies and
the frequency and timing of its furnishing of
information;
(2) Reviewing its historical records relating to accuracy or integrity or to disputes;
reviewing other information relating to the
accuracy or integrity of information provided by the furnisher to consumer reporting
agencies; and considering the types of errors,
omissions, or other problems that may have
affected the accuracy or integrity of information it has furnished about consumers to
consumer reporting agencies;
(3) Considering any feedback received from
consumer reporting agencies, consumers, or
other appropriate parties;
(4) Obtaining feedback from the furnisher’s
staff; and
(5) Considering the potential impact of the
furnisher’s policies and procedures on consumers.
(b) Evaluate the effectiveness of existing
policies and procedures of the furnisher regarding the accuracy and integrity of information furnished to consumer reporting
agencies; consider whether new, additional,
or different policies and procedures are necessary; and consider whether implementation of existing policies and procedures
should be modified to enhance the accuracy
and integrity of information about consumers furnished to consumer reporting
agencies.
(c) Evaluate the effectiveness of specific
methods (including technological means) the
furnisher uses to provide information to consumer reporting agencies; how those methods may affect the accuracy and integrity of
the information it provides to consumer reporting agencies; and whether new, additional, or different methods (including technological means) should be used to provide
information to consumer reporting agencies
to enhance the accuracy and integrity of
that information.

III. SPECIFIC COMPONENTS OF POLICIES AND
PROCEDURES
In developing its policies and procedures, a
furnisher should address the following, as appropriate:
(a) Establishing and implementing a system for furnishing information about consumers to consumer reporting agencies that
is appropriate to the nature, size, complexity, and scope of the furnisher’s business
operations.
(b) Using standard data reporting formats
and standard procedures for compiling and
furnishing data, where feasible, such as the
electronic transmission of information about
consumers to consumer reporting agencies.
(c) Maintaining records for a reasonable
period of time, not less than any applicable
recordkeeping requirement, in order to substantiate the accuracy of any information
about consumers it furnishes that is subject
to a direct dispute.
(d) Establishing and implementing appropriate internal controls regarding the accuracy and integrity of information about consumers furnished to consumer reporting
agencies, such as by implementing standard
procedures and verifying random samples of
information provided to consumer reporting
agencies.
(e) Training staff that participates in activities related to the furnishing of information about consumers to consumer reporting
agencies to implement the policies and procedures.
(f) Providing for appropriate and effective
oversight of relevant service providers whose
activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.
(g) Furnishing information about consumers to consumer reporting agencies following mergers, portfolio acquisitions or
sales, or other acquisitions or transfers of
accounts or other obligations in a manner
that prevents re-aging of information, duplicative reporting, or other problems that may
similarly affect the accuracy or integrity of
the information furnished.
(h) Deleting, updating, and correcting information in the furnisher’s records, as appropriate, to avoid furnishing inaccurate information.
(i) Conducting reasonable investigations of
disputes.
(j) Designing technological and other
means of communication with consumer reporting agencies to prevent duplicative reporting of accounts, erroneous association of
information with the wrong consumer(s), and
other occurrences that may compromise the
accuracy or integrity of information provided to consumer reporting agencies.
(k) Providing consumer reporting agencies
with sufficient identifying information in
the furnisher’s possession about each consumer about whom information is furnished
to enable the consumer reporting agency
properly to identify the consumer.
(l) Conducting a periodic evaluation of its
own practices, consumer reporting agency
practices of which the furnisher is aware, investigations of disputed information, corrections of inaccurate information, means of
communication, and other factors that may
affect the accuracy or integrity of information furnished to consumer reporting agencies.
(m) Complying with applicable requirements under the Fair Credit Reporting Act
and its implementing regulations.
[74 FR 31524, July 1, 2009]

APPENDIXES F–I TO PART 717
[RESERVED]
APPENDIX J TO PART 717—INTERAGENCY
GUIDELINES ON IDENTITY THEFT DETECTION, PREVENTION, AND MITIGATION

Section 717.90 of this part requires each
federal credit union that offers or maintains
one or more covered accounts, as defined in
§ 717.90(b)(3) of this part, to develop and provide for the continued administration of a
written Program to detect, prevent, and
mitigate identity theft in connection with
the opening of a covered account or any existing covered account. These guidelines are
intended to assist federal credit unions in
the formulation and maintenance of a Program that satisfies the requirements of
§ 717.90 of this part.
I. The Program
In designing its Program, a federal credit
union may incorporate, as appropriate, its
existing policies, procedures, and other arrangements that control reasonably foreseeable risks to members or to the safety and
soundness of the federal credit union from
identity theft.

II. Identifying Relevant Red Flags
(a) Risk Factors. A federal credit union
should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers
or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its
covered accounts; and
(4) Its previous experiences with identity
theft.
(b) Sources of Red Flags. Federal credit
unions should incorporate relevant Red
Flags from sources such as:
(1) Incidents of identity theft that the federal credit union has experienced;
(2) Methods of identity theft that the federal credit union has identified that reflect
changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c) Categories of Red Flags. The Program
should include relevant Red Flags from the
following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to
this appendix J.
(1) Alerts, notifications, or other warnings
received from consumer reporting agencies
or service providers, such as fraud detection
services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal
identifying information, such as a suspicious
address change;
(4) The unusual use of, or other suspicious
activity related to, a covered account; and
(5) Notice from members, victims of identity theft, law enforcement authorities, or
other persons regarding possible identity
theft in connection with covered accounts
held by the federal credit union.

III. Detecting Red Flags
The Program’s policies and procedures
should address the detection of Red Flags in
connection with the opening of covered accounts and existing covered accounts, such
as by:
(a) Obtaining identifying information
about, and verifying the identity of, a person
opening a covered account; for example,
using the policies and procedures regarding
identification and verification set forth in
the Customer Identification Program rules
implementing 31 U.S.C. 5318(l) (31 CFR
1020.220); and
(b) Authenticating members, monitoring
transactions, and verifying the validity of
change of address requests, in the case of existing covered accounts.

IV. Preventing and Mitigating Identity Theft
The Program’s policies and procedures
should provide for appropriate responses to
the Red Flags the federal credit union has
detected that are commensurate with the degree of risk posed. In determining an appropriate response, a federal credit union should
consider aggravating factors that may
heighten the risk of identity theft, such as a
data security incident that results in unauthorized access to a member’s account
records held by the federal credit union or a
third party, or notice that a member has
provided information related to a covered account held by the federal credit union to
someone fraudulently claiming to represent
the federal credit union or to a fraudulent
website. Appropriate responses may include
the following:
(a) Monitoring a covered account for evidence of identity theft;
(b) Contacting the member;
(c) Changing any passwords, security
codes, or other security devices that permit
access to a covered account;
(d) Reopening a covered account with a
new account number;
(e) Not opening a new covered account;
(f) Closing an existing covered account;
(g) Not attempting to collect on a covered
account or not selling a covered account to
a debt collector;
(h) Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.

V. Updating the Program
Federal credit unions should update the
Program (including the Red Flags determined to be relevant) periodically, to reflect
changes in risks to members or to the safety
and soundness of the federal credit union
from identity theft, based on factors such as:
(a) The experiences of the federal credit
union with identity theft;
(b) Changes in methods of identity theft;
(c) Changes in methods to detect, prevent,
and mitigate identity theft;
(d) Changes in the types of accounts that
the federal credit union offers or maintains;
and
(e) Changes in the business arrangements
of the federal credit union, including mergers, acquisitions, alliances, joint ventures,
and service provider arrangements.
VI. Methods for Administering the Program
(a) Oversight of Program. Oversight by the
board of directors, an appropriate committee
of the board, or a designated employee at the
level of senior management should include:
(1) Assigning specific responsibility for the
Program’s implementation;
(2) Reviewing reports prepared by staff regarding compliance by the federal credit
union with § 717.90 of this part; and

(3) Approving material changes to the Program as necessary to address changing identity theft risks.
(b) Reports. (1) In general. Staff of the federal credit union responsible for development, implementation, and administration
of its Program should report to the board of
directors, an appropriate committee of the
board, or a designated employee at the level
of senior management, at least annually, on
compliance by the federal credit union with
§ 717.90 of this part.
(2) Contents of report. The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the
federal credit union in addressing the risk of
identity theft in connection with the opening of covered accounts and with respect to
existing covered accounts; service provider
arrangements; significant incidents involving identity theft and management’s response; and recommendations for material
changes to the Program.
(c) Oversight of service provider arrangements. Whenever a federal credit union engages a service provider to perform an activity in connection with one or more covered
accounts the federal credit union should
take steps to ensure that the activity of the
service provider is conducted in accordance
with reasonable policies and procedures designed to detect, prevent, and mitigate the
risk of identity theft. For example, a federal
credit union could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may
arise in the performance of the service provider’s activities, and either report the Red
Flags to the federal credit union, or to take
appropriate steps to prevent or mitigate
identity theft.

VII. Other Applicable Legal Requirements
Federal credit unions should be mindful of
other related legal requirements that may be
applicable, such as:
(a) Filing a Suspicious Activity Report
under 31 U.S.C. 5318(g) and 12 CFR 748.1(c);
(b) Implementing any requirements under
15 U.S.C. 1681c–1(h) regarding the circumstances under which credit may be extended when the federal credit union detects
a fraud or active duty alert;
(c) Implementing any requirements for furnishers of information to consumer reporting
agencies under 15 U.S.C. 1681s–2, for example,
to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause
to believe is inaccurate; and
(d) Complying with the prohibitions in 15
U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting
from identity theft.

Supplement A to Appendix J
In addition to incorporating Red Flags
from the sources recommended in section
II.b. of the Guidelines in appendix J of this
part, each federal credit union may consider
incorporating into its Program, whether singly or in combination, Red Flags from the
following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings From a
Consumer Reporting Agency
1. A fraud or active duty alert is included
with a consumer report.
2. A consumer reporting agency provides a
notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a
notice of address discrepancy, as defined in
§ 717.82(b) of this part.
4. A consumer report indicates a pattern of
activity that is inconsistent with the history
and usual pattern of activity of an applicant
or member, such as:
a. A recent and significant increase in the
volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit,
especially with respect to recently established credit relationships; or
d. An account that was closed for cause or
identified for abuse of account privileges by
a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification
appear to have been altered or forged.
6. The photograph or physical description
on the identification is not consistent with
the appearance of the applicant or member
presenting the identification.
7. Other information on the identification
is not consistent with information provided
by the person opening a new covered account
or member presenting the identification.
8. Other information on the identification
is not consistent with readily accessible information that is on file with the federal
credit union, such as a signature card or a
recent check.
9. An application appears to have been altered or forged, or gives the appearance of
having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against
external information sources used by the federal credit union. For example:
a. The address does not match any address
in the consumer report; or
b. The Social Security Number (SSN) has
not been issued, or is listed on the Social Security Administration’s Death Master File.

11. Personal identifying information provided by the member is not consistent with
other personal identifying information provided by the member. For example, there is
a lack of correlation between the SSN range
and date of birth.
12. Personal identifying information provided is associated with known fraudulent
activity as indicated by internal or third-party sources used by the federal credit
union. For example:
a. The address on an application is the
same as the address provided on a fraudulent
application; or
b. The phone number on an application is
the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with
fraudulent activity as indicated by internal
or third-party sources used by the federal
credit union. For example:
a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that
submitted by other persons opening an account or other members.
15. The address or telephone number provided is the same as or similar to the address
or telephone number submitted by an unusually large number of other persons opening
accounts or by other members.
16. The person opening the covered account
or the member fails to provide all required
personal identifying information on an application or in response to notification that the
application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the
federal credit union.
18. For federal credit unions that use challenge questions, the person opening the covered account or the member cannot provide
authenticating information beyond that
which generally would be available from a
wallet or consumer report.

Unusual Use of, or Suspicious Activity Related
to, the Covered Account
19. Shortly following the notice of a change
of address for a covered account, the institution or creditor receives a request for a new,
additional, or replacement card or a cell
phone, or for the addition of authorized users
on the account.
20. A new revolving credit account is used
in a manner commonly associated with
known patterns of fraud. For example:
a. The majority of available credit is used
for cash advances or merchandise that is easily convertible to cash (e.g., electronics
equipment or jewelry); or
b. The member fails to make the first payment or makes an initial payment but no
subsequent payments.
21. A covered account is used in a manner
that is not consistent with established patterns of activity on the account. There is, for
example:
a. Nonpayment when there is no history of
late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or
spending patterns;
d. A material change in electronic fund
transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time
is used (taking into consideration the type of
account, the expected pattern of usage and
other relevant factors).
23. Mail sent to the member is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the member’s covered account.
24. The federal credit union is notified that
the member is not receiving paper account
statements.
25. The federal credit union is notified of
unauthorized charges or transactions in connection with a member’s covered account.

Notice From Members, Victims of Identity Theft,
Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in
Connection With Covered Accounts Held by
the Federal Credit Union
26. The federal credit union is notified by a
member, a victim of identity theft, a law enforcement authority, or any other person
that it has opened a fraudulent account for a
person engaged in identity theft.
[72 FR 63769, Nov. 9, 2007, as amended at 74
FR 22644, May 14, 2009; 76 FR 18365, Apr. 4,
2011]

PART 721—INCIDENTAL POWERS

Sec.
721.1 What does this part cover?
721.2 What is an incidental powers activity?
721.3 What categories of activities are
preapproved as incidental powers necessary or requisite to carry on a credit
union’s business?
721.4 How may a credit union apply to engage in an activity that is not
preapproved as within a credit union’s
incidental powers?
721.5 What limitations apply to a credit
union engaging in activities approved
under this part?
