Comment Text:
I applaud the purpose of Dodd/Frank title X and the thoughtful effort of the SEC and CFTC towards consumer protection for our newest and most insidious form of theft. I wish to comment on A.1. iii. "Definition of Covered Account and Other Terms" where there is language stating that "Under the proposed rules, entities that adopt Red Flags Programs would focus their attention on “covered accounts” for indicia of possible identity theft. . . . "
As there have been well over half a million personal identity records breached since 2005. Less than 23% of these losses were directly financial. Application documents, such as the mortgage loan originator's 1003 or a broker/dealer's financial fact find, suitability documents and related servicing accounts not only contain personally identifiable but also confidential and sensitive information that may represent far more value to a thief than just the covered account. These documents contain all of their consumer's complete identifying information including race, eye color, height as well as other PII and CSI. These thefts can become more valuable for credit, medical insurance and illegal personal identity abuses than the covered account they may be attributed to. As an example, consider a case of a wanted person with a life threatening illness. Which accounts would this person need to construct first and which would they create or access last?
The purpose of these regulations must ultimately serve to protect each consumer with meaningful guidelines for every entity or covered person mandated to follow them in the protection of their customer's and client's virtual safety and defense against illegal activities. It is my position that a singular or weighted focus on covered accounts with regards to Red Flags would not fully embrace this purpose. Financial institutions and Creditors should become focused on their overall origination, usage, storage, privacy and destruction of their consumer's PII and CSI with a focus on the social engineering, education and habits of their workforce and workplace. Studies from the Ponemon Institute and others since 2005 have demonstrated that these are the key areas from which these thefts are proven to occur most.
It should be noted to all businesses who collect or utilize consumer's personally identifiable information that, even if they are exempt from these rules, if they are breached and have not created a reasonable affirmative defense for their consumer's, they are not exempt from the liabilities that their lack of a defense has created.
Kenneth Orgoglioso
Trusted Advisor
