Regardless of how good a company’s identity theft policy may be, sometimes identity theft happens. Criminals and fraudsters are creative and try to stay a step ahead of the industry and law enforcement.  If a finance company unknowingly facilitates a transaction that results in identity theft, the company may have a legal obligation to help the victim.

In last week’s Federal Law Friday post, we reviewed a key provision of the Fair Credit Reporting Act (FCRA) that requires companies to adopt identity theft policies.  Today, we review a different provision of the FCRA that deals with providing assistance and information to victims once identity theft has occurred.

Under Section 609(e) of the FCRA, a victim of identity theft can request copies of business and transaction records from the company that facilitated the fraudulent transaction.  Specifically, the law provides:

  • Within 30 days of receiving a written request from the victim, the company must provide copies of the application and business transaction records to the victim and/or law enforcement agencies specified by the victim without any cost or charge.
  • However, before releasing such information, unless the company knows the victim, the company can and should verify the identity of the victim and the claim of identity theft.
  • To verify the identity of the victim, the company should require a government-issued identification, personally identifying information that is the same type as was provided by the alleged identity thief, and/or personally identifying information that is normally required when opening a new account with the company.
  • To verify the claim of identity theft, the company can require a copy of a police report and a properly completed affidavit of identity theft. The Federal Trade Commission has published an affidavit that can be used by companies to verify identity theft claims before releasing information.
  • If a company does not have a high degree of confidence in the true identity of the alleged victim after reviewing the information provided, the company should not release any records.

Finance companies should always be very careful when disclosing any consumer information, because of both privacy and identity theft concerns.  For that reason, companies need to understand when disclosure is required and when it is not required.