Rulemaking Under the FACT Act
Last month, federal banking regulators jointly issued final rules under the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act). These rules established for the first time the requirements for identity theft prevention programs implemented by financial institutions and other consumer creditors. Shortly thereafter, the agencies issued a proposed rule to provide guidelines for financial institutions and other creditors that furnish information to consumer reporting agencies with the goal of improving the accuracy and integrity of the furnished information. Under the proposed rule, consumers for the first time will be able to dispute credit report inaccuracies directly with the entities that furnished the information to consumer reporting agencies.
The FACT Act amended the Fair Credit Reporting Act in a legislative effort to inhibit consumer identity theft and required federal banking regulators to adopt implementing regulations. In November, culminating a two-year effort, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the National Credit Union Association, and the Federal Trade Commission jointly issued final rules titled “Identity Theft Red Flags and Address Discrepancies” to implement Sections 114 and 315 of the FACT Act. In addition, the agencies shortly thereafter also issued a proposed rule to implement Section 312 of the FACT Act, which concerns credit reporting.
“Red Flag” Regulations — Identity Theft Prevention Programs
The so-called “Red Flag” regulations, promulgated under Section 114 of the FACT Act, have two basic goals:
- To establish requirements for financial institutions and other creditors to develop and implement written identity theft prevention programs; and
- To establish guidelines describing what financial institutions and other consumer creditors should include in their identity theft prevention programs, policies, and procedures.
These regulations require that financial institutions and other creditors maintain written “Identity Theft Prevention Programs” for all covered accounts. “Covered accounts” are defined as continuing deposit or credit relationships used for personal, family, or household purposes as well as any other accounts (including non-personal accounts) that have a reasonably foreseeable risk of identity theft. As for the definition of financial institutions and other consumer creditors, the regulations and accompanying commentary suggest that, in addition to financial institutions, the regulations will apply to other issuers of consumer credit such as car dealers and telecommunications providers. In particular, the regulations require that covered creditors develop programs that:
- Identify the red flags of identity theft for covered accounts and outline those red flags in the program;
- Monitor for and detect the identity theft red flags outlined in the program;
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
- Ensure that the program is updated periodically to reflect changes in the risks presented to customers or to the safety and soundness of financial institutions or other creditors from identity theft.
Appendix J to the Red Flag regulations contains guidelines for developing and maintaining an identity theft prevention program. Although all financial institutions and other creditors must comply with these guidelines, each may customize the program to fit individual business. Whatever the resulting program involves, the business’s Board of Directors or a designated committee of the Board must approve that program.
Address Change Requests
The Red Flag regulations also require that all credit and debit card issuers confirm the validity of address change requests when such requests are closely followed by requests for new cards. Accordingly, credit and debit card issuers must adopt address verification policies and procedures. Card issuers must follow these policies and procedures before honoring any requests for new cards.
The interagency final rules also establish mandatory requirements for handling address discrepancies, which include:
- Requiring credit and debit card issuers to assess the validity of change-of-address requests; and
- Requiring consumer reports users to develop policies and procedures that apply whenever those users receive notices of address discrepancies from consumer reporting agencies.
FACT Act Section 315 requires consumer reporting agencies to notify users of consumer reports when addresses provided by users “substantially differ” from addresses contained in consumers’ files. The new regulations therefore require that users of consumer reports develop policies and procedures that allow them to form a reasonable belief that a consumer report relates to the consumer about whom the report was requested. Additional precautions are required under certain circumstances.
Section 312 of the FACT Act requires the development of guidelines for those who furnish information to consumer reporting agencies to improve the accuracy and integrity of that information. Accordingly, federal banking regulators have proposed regulations that, when finalized, will impose obligations on information furnishers, such as financial institutions and other consumer creditors. Among other things, the regulations will allow consumers to dispute the accuracy of consumer report information directly with the furnisher of that information.
Al of the final rules and guidelines implementing Section 114 and 315 of the FACT Act will become effective the first day of the calendar quarter following their publication in the Federal Register. Mandatory compliance with these rules is required by November 1, 2008. Notice and comment on the proposed credit reporting rules implementing Section 312 will begin once those rules have been published in the Federal Register and will conclude 60 days thereafter.