An 8(a), EDWOSB, Hispanic Owned Firm
Regulatory Compliance should be a by-product of good information security. Our experts know where the two should meet.
Fair and Accurate Credit Transactions Act
On October 31, 2007, the FDIC, along with other federal financial institution regulatory agencies and the Federal Trade Commission, issued the final rules and guidelines on identity theft “red flags” and address discrepancies.
The new regulations implement sections 114 (commonly referred to as the “red-flag” provision) and 315 of the Fair and Accurate Credit Transactions Act of 2003.
The new FACTA requirements:
- The Fair and Accurate Credit Transactions Act requires each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft. As part of the FACTA requirements, the agencies have identified 31 indicators or “red flags” of possible identity theft.
- To meet FACTA requirements, debit and credit card issuers have to develop policies and procedures to verify the validity of change of address requests before issuing additional or replacement debit or credit cards to help prevent identity theft.
- Users of consumer reports have to develop policies and procedures that verify the identity of the subject of a consumer report in the event the user receives a notice of address discrepancy from the consumer reporting agency.
Regulations of the Fair and Accurate Credit Transactions Act will be enforced starting on January 1, 2008. Since November 1, 2008, mandatory compliance is required and enforced.
Identity Theft Prevention Program
The Identity Theft Prevention Program is a protective shield designed to uphold the security of the financial institution and its customers. In accordance with FACTA requirements, the program is customized according to the bank’s size and location, complexity, and the nature of its activities.
The Identity Theft Prevention Program includes, but is not limited to, the following:
- The identity theft prevention program should include steps to prevent the risk of identity theft for new and existing accounts, including procedures for verifying information for new account holders.
- The identity theft prevention program should also contain measures to detect red flags indicating possible identity theft.
- The identity theft prevention program should offer steps to assess whether a detected red flag indicates possible identity theft.
- The identity theft prevention program should include steps addressing the mitigation of the risks of identity theft.
Compliance
The most critical component of the Identity Theft Prevention Program is the Identity Theft Risk Assessment in accordance with FACTA requirements. Financial institutions are required to conduct an initial risk assessment to identify the following FACTA requirements:
- Covered Accounts and/or other accounts that are subject to possible identity theft and need to be addressed by the program
- The need for an Identity Theft Prevention Program.
An identity theft prevention program must be updated on a regular basis according to the changes affecting the institution’s accounts, management methodology and identity theft risks. Additionally, the bank’s board is required to approve and supervise the written program. The Fair and Accurate Credit Transactions Act requires an annual compliance report to the board.
Card Issuers – Change of Address
Companies should consider developing identity theft prevention programs that properly verify the validity of a customer’s change-of-address request, particularly when the issuance of a credit or debit card is involved. The card issuer can verify the request by:
- Contacting the cardholder at the former address and providing a means to promptly report incorrect address changes.
- Notifying the cardholder of the request using forms of communication (i.e. land or work phone or via e-mail) that the cardholder and issuer had previously agreed to use.
- Using other means to verify the accuracy of the address change. Any notice sent to the cardholder should be made clear and separate from any regular correspondence with the cardholder.
Address Discrepancies
Section 315 of the FACTA requirements indicates that financial institutions are to develop policies and procedures for handling notices from consumer reporting agencies when the address on the notice differs from the address known by the bank.
The bank is then required to provide the correct address to the consumer reporting agency once it has properly verified the identity of the consumer, that is,
- If the bank has a continuing relationship with the consumer; and
- If the bank regularly provides information to that consumer reporting agency.
In accordance with the Fair and Accurate Credit Transactions Act, the bank is required to provide the correct address to the consumer reporting agency with its regular reports during the reporting period that it opens a new account. For existing accounts, the bank must provide the corrected address during the reporting period when it confirms the accuracy of the address following all the necessary steps outlined in its identity theft prevention program.