On June 11, the staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the Federal Trade Commission (FTC) (collectively, the Agencies) released frequently asked questions (FAQs) to assist financial institutions, creditors, users of consumer reports, and card issuers in complying with the final rulemaking on Identity Theft Red Flags and Address Discrepancies implementing Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and Section 315 of the FACT Act that amended the Fair Credit Reporting Act.
Many of the questions the Agencies have received are answered in the supplemental information to the final rules. These FAQs elaborate on the supplemental information where additional clarification is necessary and also explain the staff’s view of how select provisions of the rulemaking apply to situations that were not specifically addressed in the final rules or supplemental information. The Agencies indicated that staff may supplement or revise these FAQs as necessary or appropriate in light of further questions and experience. The FTC will be issuing additional FAQs to answer questions specific to entities under FTC jurisdiction.
While the three rules themselves do not contain specific record retention requirements, (i) financial institutions and creditors must be able to demonstrate that they have complied with the requirements of the Red Flags and Card Issuers’ Rules, and (ii) users of consumer reports must be able to demonstrate that they have complied with the requirements of the Address Discrepancy Rules, in addition to any other applicable record retention requirements.
The Agencies clarified that their information security standards, which help to reduce identity theft (“a fraud committed or attempted using the identifying information of another person without authority”) by keeping individuals’ sensitive data from falling into the hands of an identity thief, are different from the Red Flags Rules and Guidelines. The information security standards require financial institutions to have reasonable policies and procedures that are designed to safeguard customer information and protect it from unauthorized access or misuse and to ensure the proper disposal of customer and consumer information. By contrast, the Red Flags Rules and Guidelines seek to ensure that financial institutions and creditors are alert for signs or indicators that an identity thief is actively misusing another individual’s sensitive data, typically to obtain products or services from the institution or creditor. The Red Flags Rules require financial institutions and creditors that offer or maintain “covered accounts” to have policies and procedures to identify patterns, practices or activities that indicate the possible existence of identity theft; to detect whether identity theft may be occurring in connection with the opening of a covered account or an existing covered account; and to respond appropriately.