
QuickCounsel

The Fair and Accurate Credit Transactions Act (FACTA)

By Ken Grosserode, WeComply, Inc.


Overview

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) is a federal consumer-rights law that amended the Fair Credit Reporting Act of 1970 (FCRA). Its primary purpose is to reduce the risk of identity theft by regulating how consumer account information (such as Social Security numbers) is handled. FACTA is enforced by the Federal Trade Commission (FTC), the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.


FACTA Red Flag Rules

The FACTA enforcement agencies promulgated Red Flag Rules in 2007 to implement FACTA.  These rules require financial institutions and creditors with covered accounts to develop and implement a written Identity Theft Prevention Program designed “to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts,” including special provisions requiring debit and credit card issuers to validate changes of customer addresses.

Under the rules, a “financial institution” is defined as:

  • A state or national bank,
  • A state or federal savings and loan association,
  • A mutual savings bank,
  • A state or federal credit union, or
  • Any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A “creditor” is defined as one who falls within the definition of "creditor" under section 702 of the Equal Credit Opportunity Act (ECOA) that regularly and in the ordinary course of business:

  • Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
  • Furnishes information to consumer reporting agencies, as described in section 623 of the ECOA, in connection with a credit transaction; or
  • Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

The Red Flag Clarification Act of 2010 amended the FACTA provisions of the FCRA to clarify that the definition of "creditor" does not include entities, such as law firms and healthcare providers, “that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” However, other types of creditors may be subject to the Red Flag Rule if the FACTA enforcement agency finds that the creditor has accounts that present a reasonably foreseeable risk of identity theft.

A “covered account” is defined as:

  • An account that a financial institution or creditor offers or maintains primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account or savings account; and

  • Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.

Identity Theft Programs

The Identity Theft Program should be appropriate for the “size and complexity of the financial institution or creditor and the nature and scope of its activities,” but must include reasonable policies and procedures that:

  • Identify red flags that may arise in its employees’ handling of consumer data;
  • Detect those red flags when they occur;
  • Respond appropriately to prevent and mitigate identity theft; and
  • Ensure periodic updates (including the red flags) that reflect changes concerning the risks of identity theft, including the ability of the financial institution or creditor to protect customers against identity theft.

Under the rules, a red flag is any pattern, practice or activity that indicates possible identity theft. Red flags are categorized as follows:

  • Warnings from consumer reporting agencies or service providers;
  • Suspicious documents;
  • Suspicious personal identifying information;
  • Suspicious accounts or other suspicious activity related to a covered account; and
  • Notice or alerts of possible identity theft from customers, law enforcement or other persons.

In identifying red flags, companies must consider the risk factors associated with each type of covered account, methods used to open the account (by phone, online or face-to-face), account access, etc., as well as the sources of red flags.

The regulations provide examples of ways to respond to red flags once detected:

  • Monitor an account for evidence of identity theft;
  • Contact the customer;
  • Change any passwords, security codes or other security devices that permit access to the customer’s account;
  • Reopen a covered account with a new account number;
  • Not open a new account;
  • Close an existing account;
  • Not attempt to collect on an account or not sell the account to a debt collector;
  • Notify law enforcement; or
  • Determine that no response is warranted under the circumstances.

Identity Theft Programs must:

  • Initially be approved by the financial institution or creditor’s board of directors, or an appropriate committee of the board;
  • Be overseen by the board, or an appropriate committee of the board, or senior management;
  • Provide for appropriate training of staff; and
  • Exercise appropriate oversight over service vendors.

Conclusion

FACTA requires certain financial institutions and creditors to protect consumer account information against identity theft. Its regulations include "Red Flag Rules" that mandate Identity Theft Prevention Programs to prevent and detect identity theft. In-house counsel of financial institutions and creditors must have a good understanding of FACTA and the Red Flag Rules to serve their organizations effectively.


Additional Resources

ACC Resources

  • ACC Compliance Training Portal (2011): FACTA Red Flags
  • ACC Docket (2010): Protect Your Customers: Solutions to New Privacy and Security Regulations
  • ACC Presentation (2010): New Regulatory Requirements and Legal Developments on the Internet and Privacy
  • ACC Article (2010): An Identity Theft Red Flags Risk Assessment for Associations
  • ACC Quick Reference (2009): Summaries of Rights and Notices of Duties under the Fair Credit Reporting Act

Web Resources

  • Fair Credit Reporting Act Links and Highlights, Federal Trade Commission (2011)
  • Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, Federal Trade Commission (2011)
  • Credit Reports and Scores, Federal Deposit Insurance Corporation (2011)
  • Combating Identity Theft: A Strategic Plan, Department of Justice and FTC (2007)

The information in this QuickCounsel should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or the ACC. This QuickCounsel is not intended as a definitive statement on the subject addressed. Rather, it is intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.



Published June 15, 2009 (last updated August 5, 2011)
