| Comment Number: | 523455-00033 |
| Received: | 9/18/2006 6:11:59 PM |
| Organization: | National Council of Higher Education Loan Programs |
| Commenter: | Brett Lief |
| State: | DC |
| Agency: | Federal Trade Commission |
| Rule: | Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 |
| No Attachments |
Comments:
September 18, 2006 Federal Trade Commission Office of the Secretary Room H ? 135 (Annex M) 600 Pennsylvania Avenue NW Washington, DC 20580 RE: The Red Flags Rule, Project No. R611019 Dear Sirs: This letter is in response to the request for comments on the proposed rule entitled ?Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003? that was published by the Federal Trade Commission, the Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration in the Federal Register on July 18, 2006 (Volume 71, Number 137). The National Council of Higher Education Loan Programs (NCHELP) is a trade association that represents a nationwide network of guaranty agencies, secondary markets, lenders, loan servicers, collection agencies, schools and others that administer loan programs, including the Federal Family Education Loan (FFEL) Program, that make loan assistance available to students and parents to pay for the costs of postsecondary education. We write in strong support of the statement on Federal Register Page 40793 (preamble), Item 4, concerning the proposed rule on oversight of service provider arrangements (? ____.90(d)(4)). Specifically, we applaud the statement that service providers providing services to multiple financial institutions and creditors be allowed to conduct activities on behalf of these entities in accordance with their own programs to prevent identity theft, as long as the programs meet the requirements of the Red Flag regulations. Many of our members provide loan origination and/or loan account servicing to a number of lenders. It would be extremely burdensome for these service providers to follow the identity theft prevention program of each of the lenders for which it provides services. In fact, such a requirement would be counterproductive, since the administrative complexity involved in complying with diverse provisions could very well result in less, not better, effectiveness. Service providers should be permitted to focus their compliance efforts on a single identity theft prevention program. We strongly suggest that this concept enunciated in the preamble be incorporated in the final rule itself. Further, in response to your question on Federal Register Page 40824 concerning the adequacy of the regulation on oversight of service providers, we believe the proposed rule (? ____.90(d)(4)) clearly explains the oversight role of financial institutions and creditors. With respect to the proposed rule on receipt of notice of address discrepancies (? ____.82), we recommend that the final rule clarify that users of consumer reports receiving a notice of discrepancy are not required to re-verify the identity of the receipt of a discrepancy notice if they have already verified identity pursuant to customer identification program (CIP) requirements. To require otherwise would be to create an unnecessary and duplicative requirement. As a general comment, we recommend that the final rule emphasize the risk based nature of identity theft prevention programs and the flexibility financial institutions have in developing policies that address real risk. We fear that an overly prescriptive rule will create burdens without benefits. In the student loan world, identity theft risk is mitigated by the role schools play in verifying identity as part of the loan certification and loan disbursement processes. The final rule should make clear that a loan participant?s identity theft prevention program should be need based and does not need to mechanically include procedures that may have relevance in other sectors but not student lending. Finally, we strongly recommend that financial institutions be given 18 months to comply with the requirements of the final rule. Because compliance will require organization wide involvement and information system enhancements (the requirements of which are generally scheduled in advance), an 18 month implementation period is needed. We appreciate the opportunity to comment on the proposed Red Flags Rule. Should you have any questions, please contact Tim Fitzgibbon, Vice President for Debt Management Services, at (515) 224-1400 (tfitzgibbon@nchelp.org). Sincerely, Brett E. Lief President