NCUA will be issuing a proposed rule requiring credit unions to develop programs to take action when they have reason to believe a member has been the victim of identity theft or is vulnerable to being victimized.
The new rules follow similar standards proposed by the four banking and thrift agencies last week.
"We are working on such regulation, but we are doing it on our own," NCUA Spokesperson Cliff Northup told The Credit Union Journal. "We are working on ours separately because we want to do things a little differently since credit unions are different from banks. But we were in on three meetings with the (Federal Financial Institutions Examination Council) on this topic, and we are aware of what the other agencies are doing."
Under the proposed bank rules, financial institutions would have to develop "Identity Theft Response Programs" that would flag accounts demonstrating unusual activity, and then prevent unauthorized transactions. If a bank uncovered circumstances where customer information was compromised, it would have to secure all accounts associated with that information and, in some situations, the bank would be required to notify victims and/or groups of customers whose accounts are at risk.
The banking regulators' guidance provide that notices sent to customers would offer information on how to stop potential harm to their accounts, access to review their credit reports, and a contact point for getting more information. In cases where the institution "can specifically identify affected customers from its logs, notifications may be limited to those persons only." But if the bank can't show exactly who was affected, notices would have to be sent to "each customer in those groups likely to be affected."
If the bank can show it has to reason to believe a customer will not be harmed, it can opt not to notify that customer.
Northup said he wasn't sure how NCUA's guidance might differ from what the bank regulators have issued.