Skip to content

Whom Do We Notify?

Answered by: 

Question: 
We have been notified by VISA Fraud that 23 of our customers debit cards may have been compromised. We have notified each affected customers. To date we have not identified any loss. Do we need to: 1) file a SAR?, 2) notify law enforcement? or 3) notify the FDIC?
Answer: 

Based on your question, I am assuming you have already assessed the incident to determine what customer information may have been compromised. The findings of your assessment will determine what action steps you or your “response team” must take. Financial institutions are encouraged to implement a response program that will address situations where “sensitive” customer information may have been breached.

According to the Interagency Guidance, “sensitive” customer information is defined as a customer’s name, address, or telephone number in conjunction with the customers social security number, drivers license number, account number, credit or debit card number, personal identification number or password that would permit access to a customers account. Sensitive customer information also includes any combination of components of customer’s information that would allow someone to access the customer’s account.

If the compromised data includes “sensitive” information (regardless of the loss amount), you will need to (1) notify your primary Federal regulator as soon as possible to explaining the situation, (2) take steps to prevent additional unauthorized access to customer information, and (3) work closely with your legal counsel, senior management, and regulator to determine if a SAR is required.

First published on BankersOnline.com 10/03/05

First published on 10/03/2005

Search Topics