TreasuryDirect; customer-based authentication mechanisms for customer account access,

[Federal Register: June 5, 2007 (Volume 72, Number 107)]

[Rules and Regulations]

[Page 30977-30978]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr05jn07-11]

DEPARTMENT OF THE TREASURY

Fiscal Service

31 CFR Part 363

Regulations Governing Securities Held in TreasuryDirect

AGENCY: Bureau of the Public Debt, Fiscal Service, Treasury.

ACTION: Final rule.

SUMMARY: TreasuryDirect is an account-based, book-entry, online system for purchasing, holding, and conducting transactions in Treasury securities. An account owner currently accesses his or her account using a password to authenticate the account owner's identity. Treasury is now introducing additional customer-based authentication mechanisms for accessing accounts. This final rule provides Treasury the flexibility to require additional methods of authentication for the protection of customer accounts. Treasury is also strengthening its ability to respond to attempted fraud and abuse of TreasuryDirect. Currently, Treasury has the authority to close any account. This rule explicitly permits Treasury to liquidate the securities held in the account to be closed and pay the proceeds to the person entitled.

DATES: Effective: June 5, 2007.

ADDRESSES: You can download this final rule at the following Internet addresses: http://www.publicdebt.treas.gov or http://www.gpoaccess.gov/ecfr .

FOR FURTHER INFORMATION CONTACT:

Elisha Whipkey, Director, Division of Program Administration, Office of Securities Operations, Bureau of the Public Debt, at (304) 480-6319 or elisha.whipkey@bpd.treas.gov.

Susan Sharp, Attorney-Adviser, Dean Adams, Assistant Chief Counsel, Edward Gronseth, Deputy Chief Counsel, Office of the Chief Counsel, Bureau of the Public Debt, at (304) 480-8692 or susan.sharp@bpd.treas.gov.

SUPPLEMENTARY INFORMATION: Treasury is committed to protecting its TreasuryDirect investors from potential losses through authentication of the investor at account access. Authentication is the process of ensuring that the person accessing his or her account is the same as the person whose identity was initially verified at account establishment. Authentication methods involve something that the user knows (such as a password), something that the user has (such as a gridcard), or something that the user is (such as a fingerprint). Multifactor authentication consists of requiring two or more methods of authentication to access an account. To date, Treasury has used single factor authentication, requiring passwords and other information that an account holder knows to conduct transactions in TreasuryDirect. Treasury now intends to introduce technology that uses multifactor authentication, which is more reliable and difficult to compromise than single factor authentication. Through this final rule, Treasury will have the flexibility to introduce additional methods of authentication for TreasuryDirect users to ensure that their accounts remain secure.

In addition, Treasury is strengthening its ability to respond to attempted fraud and abuse of TreasuryDirect. Treasury has the authority to refuse to open an account, to close any existing account, to suspend transactions in an account or any security held in an account, and to take any other action with regard to an account that we deem necessary, if it is not inconsistent with existing law and rights. This rule clarifies Treasury's authority to close an account, by specifically including the authority to liquidate securities held in an account to be closed and pay the proceeds to the person entitled.

This final rule also clarifies certain terms that we have used in the past. We have used the term ``authentication service'' to refer to the verification of the identity of the account owner at account establishment through a verification service; we have used the term ``authentication'' to refer to the confirmation of the identity of an account owner when accessing his or her account. We will now use the term ``verification'' to refer to confirmation of the identity of the account owner at account establishment; we will use the term ``authentication'' to refer to confirmation of the identity of the account owner when accessing his or her account after account establishment.

Because it provides multifactor authentication for transactions in TreasuryDirect accounts, this authentication enhancement has significant benefits for both investors and the government. Increasing from single to multifactor authentication will help protect investors from losses in their TreasuryDirect accounts due to identity theft and fraud. This rule will benefit the government by increasing investor confidence in the security of online transactions in the TreasuryDirect system.

Procedural Requirements

This final rule does not meet the criteria for a ``significant regulatory action'' as defined in Executive Order 12866. Therefore, a regulatory assessment is not required.

Because this final rule relates to matters of public contract and procedures for United States securities, notice and public procedure and delayed effective date requirements are inapplicable, pursuant to 5 U.S.C. 553(a)(2).

As no notice of proposed rulemaking is required, the Regulatory Flexibility Act (5 U.S.C. 601 et seq.) does not apply.

We ask for no new collections of information in this final rule. Therefore, the Paperwork Reduction Act (44 U.S.C. 3507) does not apply.

List of Subjects in 31 CFR Part 363

Bonds, Electronic funds transfer, Federal Reserve system, Government securities, Securities.

Accordingly, for the reasons set out in the preamble, 31 CFR Chapter II, Subchapter B, is amended as follows:

PART 363--REGULATIONS GOVERNING SECURITIES HELD IN TREASURYDIRECT

1. The authority citation for part 363 continues to read as follows:

Authority: 5 U.S.C. 301; 12 U.S.C. 391; 31 U.S.C. 3102, et seq.; 31 U.S.C. 3121, et seq.

2. Amend Sec. 363.6 by:

a. Removing the definition of ``Authentication service'';

b. Adding the definitions of ``Authentication,'' ``Verification,'' and ``Verification service'' to read in alphabetical order as follows:

Sec. 363.6 What special terms do I need to know to understand this part?

Authentication means confirming that the person accessing a TreasuryDirect account is the same person whose identity was initially verified at account establishment.

* * * * *

Verification means confirming the identity of an online applicant for a TreasuryDirect account at account establishment using a verification service.

Verification service means a public or private service that confirms the identity of an online applicant for a TreasuryDirect account at account establishment using information provided by the applicant.

* * * * *

3. Amend Sec. 363.13 by revising the final sentence and adding a sentence at the end of the section, to read as follows:

Sec. 363.13 How can I open a TreasuryDirect® account?

* * * We will verify your identity and send your account number to you by e-mail when your account application is approved. In addition to your password, we may require you to use any other form(s) of authentication that we consider necessary for the protection of your account.

4. Revise Sec. 363.14 to read as follows:

Sec. 363.14 How will you verify my identity?

We may use a verification service to verify your identity using information you provide about yourself on the online application. At our option, we may require offline verification.

5. Amend Sec. 363.15 by revising the heading and the first sentence to read as follows:

Sec. 363.15 What is the procedure for offline verification?

In the event we require offline verification, we will provide a printable verification form. * * *

6. Revise Sec. 363.16 to read as follows:

Sec. 363.16 How do I access my account?

You may access your account online using your account number, password, and any other form(s) of authentication that we may require.

7. Revise Sec. 363.17 to read as follows:

Sec. 363.17 Who is liable if someone else accesses my TreasuryDirect® account using my password?

You are solely responsible for the confidentiality and use of your account number, password, and any other form(s) of authentication we may require. We will treat any transactions conducted using your password as having been authorized by you. We are not liable for any loss, liability, cost, or expense that you may incur as a result of transactions made using your password.

8. Revise Sec. 363.19 to read as follows:

Sec. 363.19 What should I do if I become aware that my password or other form of authentication has become compromised?

If you become aware that your password has become compromised, that any other form of authentication has been compromised, lost, stolen, or misused, or that there have been any unauthorized transactions in your account, you may place a hold on your account so that it cannot be accessed by anyone, and you should notify us immediately by e-mail or telephone. Contact information is available on the TreasuryDirect Web site.

9. Amend Sec. 363.29 by revising paragraph (b) to read as follows:

Sec. 363.29 May Treasury close an account, suspend transactions in an account, or refuse to open an account?

* * * * *

(b) Close any existing account, redeem, sell, or liquidate the securities held in the account, and pay the proceeds to the person entitled;

* * * * *

Kenneth E. Carfine, Fiscal Assistant Secretary.

[FR Doc. 07-2744 Filed 6-4-07; 8:45 am]

BILLING CODE 4810-39-P
