Legal Resources
QuickCounsel
The Fair and Accurate Credit Transactions Act (FACTA)
| Overview Rate this QuickCounsel |  |
Overview
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is a federal consumer-rights law that was enacted in 2003, amending the Fair Credit Reporting Act. Its primary purpose is to reduce the risk of identity theft by regulating how consumer account information (such as Social Security numbers) is handled. FACTA is enforced by the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
FACTA Rules
FACTA Red Flag Rules jointly promulgated by the FTC and the referenced federal financial regulatory agencies in November of 2007 to implement FACTA, require financial institutions and creditors with covered accounts to develop and implement a written Identity Theft Prevention Program (Program) designed “to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts,” including special provisions requiring debit and credit card issuers to validate changes of customer addresses.
Under the rules, a “financial institution” is defined as:
- A state or national bank,
- A state or federal savings and loan association,
- A mutual savings bank,
- A state or federal credit union, or
- Any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Transaction accounts include checking accounts, negotiable order or withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.
A “creditor” is defined to include any business, organization or individual who:
- Regularly grants loans,
- Arranges for loans or the extension of credit,
- Makes credit decisions, or
- Regularly defers payment for goods and services or provides goods or services and bills customers later.
The FTC has identified such creditors as including finance companies, automobile dealers that provide or arrange financing, mortgage brokers, utility companies, telecommunications companies, non-profit and government entities that defer payment for goods or services; and businesses that provide services and bill later, including many lawyers, doctors, and other professionals.
A “covered account” is defined as:
- An account that a financial institution or creditor offers or maintains primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account; and
- Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.
The Program required should be appropriate for the “size and complexity of the financial institution or creditor and the nature and scope of its activities”, but must include reasonable policies and procedures that:
- Identify red flags that may arise in its employees’ handling of consumer data;
- Detect those red flags when they occur;
- Respond appropriately to prevent and mitigate identity theft; and
- Ensure that the Program (including the red flags) is updated periodically to reflect changes in risks to customers and the safety and soundness of the financial institution or creditor from identity theft.
Under the rules, a red flag is any pattern, practice or activity that indicates possible identity theft. Red flags are categorized as follows:
- Warnings from consumer reporting agencies or service providers;
- Suspicious documents;
- Suspicious personal identifying information;
- Suspicious accounts or other suspicious activity related to a covered account; and
- Notice or alerts of possible identity theft from customers, law enforcement or other persons.
In identifying red flags, companies must consider the risk factors associated with each type of covered account, methods used to open the account (by phone, online or face-to-face), account access, etc., as well as the sources of red flags.
The regulations provide examples of ways to respond to red flags once detected:
- Monitor an account for evidence of identity theft;
- Contact the customer;
- Change any passwords, security codes or other security devices that permit access to the customer’s account;
- Reopen a covered account with a new account number;
- Not open a new account;
- Close an existing account;
- Not attempt to collect on an account or not sell the account to a debt collector;
- Notify law enforcement; or
- Determine that no response is warranted under the circumstance.
Identity Theft Programs must:
- Initially be approved by the financial institution or creditor’s board of directors, or an appropriate committee of the board;
- Be overseen by the board, or an appropriate committee of the board, or senior management;
- Provide for appropriate training of staff; and
- Exercise appropriate oversight over service vendors.
Although the Red Flag Rule went into effect on January 1, 2008, the FTC has announced that it will delay enforcement of the rule, most recently to August 1, 2009. In announcing this second delay, the FTC noted that among other things it would:
- Give creditors and financial institutions more time to develop and implement written identity theft prevention programs.
- Allow the FTC to release a template designed to assist businesses that have a low risk of identity theft; and
- Allow industries and associations to share guidance on how to comply with the rules with their members.
Resources
Government Resources and Information
- Summaries of Rights and Notices of Duties under the Fair Credit Reporting Act (FTC)
- Remedying the Effects of Identity Theft (FTC)
- Report to Congress on FACTA (FTC 2004)
- Fighting Fraud with the Red Flags Rule: A How-To Guide for Business (FTC)
- FTC Business Alert
- Combating Identity Theft: A Strategic Plan (Department of Justice and FTC)
- FDIC webpage on FACTA
Have an idea for a quick counsel or interested in writing one?
- Email ACC at quickcounsel@acc.com or call +1 202.293.4103 ex341 with your ideas and inquiries.
| The information in this QuickCounsel should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or the ACC. This QuickCounsel is not intended as a definitive statement on the subject addressed. Rather, it is intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers. |
Published June 15, 2009
additional resources
Financial Services Committee
provides resources and services to ACC members who serve clients in securities, insurance and other financial services businesses.
ACC Newsstand
Sign up for the ACC Newsstand, a daily newsfeed, tailored to your chosen practice areas, providing you with a depth of free practical know-how. Look for news items and stories related to the topic discussed in this QuickCounsel.
Find a Member
Search by expertise and find an ACC Member with in-depth knowledge of the topic discussed in this QuickCounsel who is willing to help.