In looking at the new FAQ's Q. 11 indicates that check forgery or use of a stolen credit card is Identity theft.

We had a check forgery on a commercial account. I believe that commercial accounts are excluded from the ID theft part of the regulation. If so, that is not something that needs to be logged and reported.

Is that a correct assumptions?
Thanks

Correct.

No, they aren't. Here is one of the new FAQs from page 5:

2. Under what circumstances are business accounts "covered accounts?"

Business accounts are "accounts" if they establish a continuing relationship between a person and a financial institution or creditor to obtain a product or service for business purposes. The FCRA definition of person, 15 U.S.C. § 1681a(b), is not limited to individuals. However, business accounts are not covered by the first part of the definition of "covered account" (set out above under II.B.1) because they are not primarily for personal, family, or household purposes.
Instead, each financial institution or creditor must determine which of its business accounts, if any, present a reasonably foreseeable risk of identity theft under the second part of the definition of a "covered account." For example, the accounts of small businesses or sole proprietorships may be particularly vulnerable to identity theft.

"must determine which of its business accounts, if any, present a reasonably foreseeable risk of identity"

Ted, you are correct and I did read that Q&A. I would suggest within the bank's risk assessment that a bank determine they have no business accounts with a reasonable foreseeable risk of identity theft outside of maybe sole proprietorships.

Thank you Randy and Ted.

I wonder why they felt the need to specify that a stolen credit card was ID theft, but didn't mention anything about debit cards.