The Fair and Accurate Credit Transactions Act (FACTA)
Aug 04, 2011 QuickCounsel
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is a federal consumer-rights law that amended the Fair Credit Reporting Act of 1970 (FCRA). Its primary purpose is to reduce the risk of identity theft by regulating how consumer account information (such as Social Security numbers) is handled. FACTA is enforced by the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
FACTA Red Flag Rules
The FACTA enforcement agencies promulgated Red Flag Rules in 2007 to implement FACTA. These rules require financial institutions and creditors with covered accounts to develop and implement a written Identity Theft Prevention Program designed “to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts,” including special provisions requiring debit and credit card issuers to validate changes of customer addresses.
Under the rules, a “financial institution” is defined as:
A “creditor” is defined as one who falls within the definition of "creditor" under section 702 of the Equal Credit Opportunity Act (ECOA) that regularly and in the ordinary course of business:
The Red Flag Clarification Act of 2010 amended the FACTA provisions of the FCRA to clarify that the definition of "creditor" does not include entities, such as law firms and healthcare providers, “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” However, other types of creditors may be subject to the Red Flag Rule if the FACTA enforcement agency finds that the creditor has accounts that present a reasonably foreseeable risk of identity theft.
A “covered account” is defined as:
Identity Theft Programs
The Identity Theft Program should be appropriate for the “size and complexity of the financial institution or creditor and the nature and scope of its activities," but must include reasonable policies and procedures that:
Under the rules, a red flag is any pattern, practice or activity that indicates possible identity theft. Red flags are categorized as follows:
In identifying red flags, companies must consider the risk factors associated with each type of covered account, methods used to open the account (by phone, online or face-to-face), account access, etc., as well as the sources of red flags.
The regulations provide examples of ways to respond to red flags once detected:
Identity Theft Programs must:
FACTA requires certain financial institutions and creditors to protect consumer account information against identity theft. Its regulations include "Red Flag Rules" that mandate Identity Theft Prevention Programs to prevent and detect identity theft. In-house counsel of financial institutions and creditors must have a good understanding of FACTA and the Red Flag Rules to serve their organizations effectively.