
Fair and Accurate Credit Transactions Act (FACTA)

On October 31, 2007, the FDIC, along with other federal financial institution regulatory agencies and the Federal Trade Commission, issued the final rules and guidelines on identity theft "red flags" and address discrepancies.

The new regulations implement sections 114 (commonly referred to as the "red-flag" provision) and 315 of the Fair and Accurate Credit Transactions Act of 2003. The new regulations require:

  1. Each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft. As part of the regulation, the agencies have identified 31 indicators or "red flags" of possible identity theft.
  2. Debit and credit card issuers to develop policies and procedures to verify the validity of change of address requests before issuing additional or replacement debit or credit cards.
  3. Users of consumer reports to develop policies and procedures that verify the identity of the subject of a consumer report in the event the user receives a notice of address discrepancy from the consumer reporting agency.

The regulations will be enforced starting January 1, 2008. Compliance is mandatory by November 1, 2008.

Identity Theft Prevention Program

The Identity Theft Prevention Program is designed to protect the security of the financial institution and its customers. The program is customized according to the bank’s size, location, and complexity, and the nature of its activities.

The Identity Theft Prevention Program includes, but is not limited to, the following:

  • Steps to prevent the risk of identity theft for new and existing accounts, including procedures for verifying information for new account holders.
  • Measures to detect red flags indicating possible identity theft.
  • Steps to assess whether a detected red flag indicates possible identity theft.
  • Steps addressing the mitigation of the risks of identity theft.

Compliance

The most critical component of the Identity Theft Prevention Program is the Identity Theft Risk Assessment. Financial institutions are required to conduct an initial risk assessment to identify the following:

  1. Covered Accounts and/or other accounts that are subject to possible identity theft and need to be addressed by the program.
  2. The need for an Identity Theft Prevention Program.

The risk assessment must be updated on a regular basis to reflect changes affecting the institution’s accounts, management methodology and identity theft risks. Additionally, the bank’s board is required to approve and supervise the written program. The regulations require an annual compliance report to the board.

Card Issuers – Change of Address

Companies should consider developing procedures that properly verify the validity of a customer’s change-of-address request, particularly when a credit or debit card is to be issued. The card issuer can verify the request by:

  1. Contacting the cardholder at the former address and providing a means to promptly report incorrect address changes.
  2. Notifying the cardholder of the request using forms of communication (i.e., land or work phone or e-mail) that the cardholder and issuer had previously agreed to use.
  3. Using other means to verify the accuracy of the address change. Any notice sent to the cardholder should be clear and separate from any regular correspondence with the cardholder.

Address Discrepancies

Section 315 of the FACT Act requires financial institutions to develop policies and procedures for handling notices from consumer reporting agencies when the address on the notice differs from the address known by the bank.

The bank is then required to provide the correct address to the consumer reporting agency once it has properly verified the identity of the consumer, if both of the following apply:

  1. The bank has a continuing relationship with the consumer; and
  2. The bank regularly provides information to that consumer reporting agency.

The bank is required to provide the correct address to the consumer reporting agency with its regular reports for the reporting period in which it opens a new account. For existing accounts, the bank must provide the corrected address for the reporting period in which it confirms the accuracy of the address.