Date: September 8, 2004
Description: Protecting Customers’ Personal Financial Information
The guidance attached to this bulletin continues to apply to federal savings associations.
As bank customers increasingly use the Internet to perform banking functions, criminals are using more sophisticated methods to steal customers' passwords and access codes and to obtain other personal and confidential information (e.g., names, addresses, Social Security numbers). To assist depository institutions' efforts in raising customer awareness, the Comptroller of the Currency (OCC) and other Federal Financial Institutions Examination Council (FFIEC) member agencies have developed the attached brochure outlining steps bank customers should take to reduce the risk of identity theft.
An industry organization, the Anti-Phishing Working Group (http://www.antiphishing.org), reports that identity theft frauds known as "phishing" attacks have increased significantly over the last year. Phishing is a term used for criminals' attempts to steal personal financial information through fraudulent e-mails and Web sites designed to appear as though they were generated from legitimate businesses, financial institutions, and government agencies. These scams are contributing to a rise in identity theft, and credit card and other Internet-based frauds. E-commerce customers, including bank customers, have fallen victim to these scams.
National banks should have information readily available to educate their customers about phishing attacks and related types of online fraud to help customers avoid becoming victims of these illegal activities. These educational efforts should include information to help customers identify the potential risks associated with identity theft, as well as descriptions of the most frequently used fraudulent schemes. Informed customers can help national banks identify many types of fraud.
The attached brochure can be used to supplement national banks' customer education efforts. The brochure, which can be used as a deposit or loan statement stuffer, identifies identity theft risks and the steps customers should take to reduce their chances of becoming victims. The brochure also outlines practical steps customers should take if they fall victim to phishing attacks.
The OCC encourages national banks to consider the use of this brochure by either distributing the actual brochure to customers or posting it to their Web site. National banks should also provide customers additional relevant educational information deemed appropriate. A "camera-ready" version of the brochure is available on the OCC Web site at https://www.occ.gov/news-issuances/bulletins/2004/bulletin-2004-42a.pdf for downloading. For national banks that do not have access to the Internet, limited copies of the brochure can be obtained directly by contacting:
Office of the Comptroller of the Currency
400 7th Street, SW
Washington, D.C. 20219
For questions concerning Internet fraud and phishing attacks, please contact Bank Information Technology Operations at (202) 649-6340.
Mark L. O'Dell
Deputy Comptroller for Operational Risk