It is no secret that identity theft has become a problem for consumers in recent years, costing millions of dollars in fraudulent purchases, credit fixes and litigation. On November 1, 2008, new federal regulations designed to help curb identity theft go into effect. They require specified entities to create new policies and procedures to help find, prevent, and mitigate instances of identity theft. Some of the regulations apply to all “users” of consumer reports, where others are specific to financial institutions and creditors. These terms are defined very broadly in the regulations. This alert focuses on “users” of consumer reports, and what they must to do comply with the law.

The new regulations are part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), and are known generally as the “Red Flag” rules. A “Red Flag” is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft.

A “user” of a consumer report includes entities such as employers who obtain consumer reports from consumer reporting agencies (CRAs) for the purpose of making employment (hiring, promotion, firing, etc.) decisions, as well as financial institutions and granters of credit who use the information contained in consumer reports to issue credit cards, loans or mortgages, and other such activities. This part of the regulations applies only to consumer reports obtained from “nationwide CRAs” which are CRAs who “maintain credit” information. As such, “users” will likely be limited to any entity that obtains credit reports or other information (such as social trace information) from credit bureaus (or from another third party that gets the information from a credit bureau). Basically, the regulations require all such users to implement a written policy to respond to any “notices of address discrepancy” they receive from a nationwide CRA.

Such a policy must be designed to help the user form a “reasonable belief” that the consumer report and the consumer match—that is, that they both refer to the same individual, and that individual is the one for whom the user requested a consumer report in the first place. The regulations give examples of types of actions a user can take to form such a reasonable belief.

While the new Identity Theft regulations are not complicated, they are detailed, and require covered entities to implement carefully considered policies and procedures.