Are there any laws or regulations that require us to verify customer address changes (change of address notifications)?

A few legal guideposts apply to customers’ change of address requests: general regulatory guidance on verifying such requests, and two regulations that apply only in specific instances. All of these are discussed below. Note that the guidance is not considered mandatory, but the regulations’ requirements are mandatory.

Regulatory Guidance on Change of Address Notifications

Because identity thieves commonly use change of address requests to take over financial accounts, the federal banking agencies have released guidance, in addition to the regulatory requirements, with specific recommendations on verifying change of address requests. As explained in that guidance, “an identity thief may request that a bank change the address on an existing credit card account, thereby diverting billing statements from the true account holder.” To protect against this tactic, the guidance states that banks must “verify the customer information before executing an address change and send a confirmation of the address change to both the new address and the address of record.” OCC Advisory Letter AL 2001-4 (April 30, 2001).

Also, as mentioned above, we are aware of regulatory requirements as to address changes in two limited instances:

Regulatory Requirements: Users of Credit Reports

Any bank that uses credit reports must have policies and procedures in place to resolve any address discrepancies identified in notices of address discrepancies from credit reporting agencies. 12 CFR 1022.82(c). The rule provides several examples of acceptable policies for resolving address discrepancies:

(i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:

(A) Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Identification Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 1020.220);

(B) Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or

(C) Obtains from third-party sources; or

(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.

Regulatory Requirements: Debit/Credit Card Issuers

Banks that issue credit and/or debit cards must assess the validity of a change of address notification received from a consumer on an existing account if, within a short period of time thereafter (during at least the first 30 days), the bank also receives a request for an additional or replacement card for the same account. This requirement also covers payroll cards if the issuer is a financial institution. Gift cards and other prepaid card products are not covered by the rule. 12 CFR 41.91.

When the rule is triggered, a bank will be prohibited from issuing a new card until it: (1) notifies the cardholder of the request at the cardholder’s former address and provides the cardholder with a reasonable means to promptly report an incorrect address, (2) notifies the cardholder of the address change request by another means of communication previously agreed to by the bank and the cardholder, or (3) uses another means for evaluating the validity of the address change in accordance with its policies and procedures, such as following its policies and procedures under its Customer Identification Program. 12 CFR 41.91(c). Any written or electronic notice provided by the bank to satisfy these requirements must be provided separately from any regular correspondence with the cardholder. 12 CFR 41.91(e).