Answer:
This is not dictated by regulation, but more by risk assessment and internal procedures. Under ID Theft Red Flags regs, the bank is required to identify factors that might be indicative of identity theft and put in place appropriate procedures to resolve that risk. How you tackle that is really up to your institution. You may set specific documentation requirements such as a signed request form. You may also put in place other control mechanisms such as sending notices to both old and new addresses confirming the address change.