Fair and Accurate Credit Transactions Act - Red Flag Rules
August 01, 2008
Changes to the Fair Credit Reporting Act by passage of the Fair and Accurate Credit Transactions Act (FACTA) place certain requirements on financial institutions and creditors, effective November 1, 2008.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is a federal law passed by Congress as an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting agencies. There are also provisions in the act to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected.
FACTA also placed requirements on certain businesses. For example, financial institutions face a mandatory deadline of November 1, 2008 to comply with three FACTA regulations referred to as the Red Flag Rules. The first requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with new and existing accounts. The program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft.
Another regulation requires users of consumer reports to respond to Notices of Address Discrepancies that they receive. A third regulation places special requirements on issuers of debit or credit cards: if they receive notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterward, receive a request for an additional or replacement card for the same account, they must assess the validity of the change of address.
What is a Red Flag?
Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft. Red Flags generally fall into one of five categories:
• Alerts, notifications, or warnings from a consumer reporting agency
• Suspicious documents
• Suspicious personally identifying information, such as a suspicious address
• Unusual use of, or suspicious activity related to, a covered account
• Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
Who must comply with the Red Flag Rules?
These rules apply to "financial institutions" and "creditors" with "covered accounts." A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the Federal Trade Commission's jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.
A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they too are considered creditors.
A covered account is an account that a financial institution or creditor offers or maintains primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft, for example small business or sole proprietorship accounts.
Complying with the Red Flag Rules
Each financial institution or creditor that offers or maintains covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. The program must include reasonable policies and procedures to enable the financial institution or creditor to:
• Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the program;
• Detect red flags that have been incorporated into the program;
• Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
• Ensure the program is updated periodically to reflect changes in risks from identity theft.
FACTA also prescribes certain requirements for administering the program:
• The initial written program should be approved by the entity's board of directors or an appropriate committee of the board of directors.
• The program should involve the board of directors, an appropriate committee of the board, or a designated employee of senior management in the oversight, development, implementation, and administration of the program.
• Train staff, as necessary, to effectively implement the program.
• Exercise appropriate and effective oversight of any third party service provider arrangements.