If your institution’s ID Theft Affidavit is used for purposes of fulfilling the FCRA’s obligations to provide certain records to consumers who are victims of identity theft, we recommend using that law’s definition of an identity theft victim: “a consumer whose means of identification or financial information has been used or transferred (or has been alleged to have been used or transferred) without the authority of that consumer, with the intent to commit, or to aid or abet, an identity theft or a similar crime.”
Regulation V also provides a concise definition of “identity theft”: “a fraud committed or attempted using the identifying information of another person without authority.” Your primary regulator, the FDIC, has adopted a nearly identical definition in its Supervisory Policy on Identity Theft.
We do not believe that your bank is required to file a suspicious activity report. A SAR would be required if the transaction involved $25,000 or more where there is no identified suspect, or if it involved $5,000 or more where there is an identified suspect. Because this identity theft incident involved an unknown individual, the $25,000 threshold applies and a SAR is not required. Of course, your institution is free to voluntarily file a SAR if it so chooses.
For resources related to our guidance, please see:
- FCRA, 15 USC 1681g(e)(2) (“Before a business entity provides any information . . . the [identity theft] victim shall provide to the business entity . . . (B) as proof of a claim of identity theft, at the election of the business entity (i) a copy of a police report evidencing the claim of the victim of identity theft; and (ii) a properly completed (I) copy of a standardized affidavit of identity theft developed and made available by the [CFPB]; or (II) an affidavit of fact that is acceptable to the business entity for that purpose.”)
- FCRA, 15 USC 1681g(e)(11) (“For purposes of this subsection, the term ‘victim’ means a consumer whose means of identification or financial information has been used or transferred (or has been alleged to have been used or transferred) without the authority of that consumer, with the intent to commit, or to aid or abet, an identity theft or a similar crime.”)
- Regulation V, 12 CFR 1022.3(h) (“Identity theft means a fraud committed or attempted using the identifying information of another person without authority.”)
- FDIC, Supervisory Policy on Identity Theft (April 11, 2007) (“Identity theft is fraud committed or attempted by using the identifying information of another person without his or her authority. . . .”)
- FDIC Rules, 12 CFR 353.3(a) (“A bank shall file a suspicious activity report . . . in the following circumstances: (1) Insider abuse involving any amount. . . . (2) Transactions aggregating $5,000 or more where a suspect can be identified. . . (3) Transactions aggregating $25,000 or more regardless of potential suspects. . . or (4)Transactions aggregating $5,000 or more that involve potential money laundering or violations of the Bank Secrecy Act. . . .”)
- FDIC Rules, 12 CFR 353.3(h) (The safe harbor provisions protecting banks from liability when filing a SAR “cover all reports of suspected or known criminal violations and suspicious activities to law enforcement and financial institution supervisory authorities, including supporting documentation, regardless of whether such reports are filed pursuant to this part or are filed on a voluntary basis.”)