
The FACT Act – An Overview
The FACT Act
An Overview of the Final Rulemaking
on Identity Theft Red Flags and
Address Discrepancies
Naomi Lefkovitz
Attorney, Division of Privacy and Identity Protection
Federal Trade Commission
Statutory Provisions Implemented
• The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the Fair Credit Reporting Act (FCRA)
• Sections 114 and 315 of the FACT Act
Rules: 72 Fed. Reg. 63718 (November 9, 2007)
http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf
Background
• Joint rulemaking
• Final rules published November 9, 2007
• Full compliance required by November 1, 2008
Identity Theft Red Flags
FACT Act Section 114
FCRA Section 615(e)
16 CFR 681.2 and 681.3
Identity Theft Red Flags
• Risk-based final rule
• Guidelines (Appendix A)
• Supplement A (26 examples of red flags)
Purpose of the Red Flags Rule
• To detect and stop identity thieves using someone else’s identifying information at your institution to commit fraud.
• Distinct from data security
Covered Entities
“Financial institutions” and “creditors” must
conduct a periodic risk assessment to
determine if they have “covered accounts.”
Definitions
From the FCRA, a “financial institution” is:
• A state or national bank
• A state or federal savings and loan association
• A mutual savings bank
• A state or federal credit union, or
• Any other person that directly or indirectly holds a transaction account* belonging to a consumer
* From the Federal Reserve Act, Sec. 19(b): an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to third persons or others.
Definitions (cont’d)
From ECOA, a “creditor” is:
• Any person who regularly extends, renews, or continues credit
• Any person who regularly arranges for the extension, renewal, or continuation of credit, or
• Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit
Definitions (cont’d)
An “account” is:
• a continuing relationship established by a person with an FI or creditor to obtain a product or service for personal, household, or business purposes.
Definitions (cont’d)
A “covered account” is:
• A consumer account designed to permit multiple payments or transactions, and
• Any other account for which there is a reasonably foreseeable risk from identity theft
Scenario #1
Rural U. has about 1100 students and is located in a small town surrounded by miles of farmland. Tuition is due before classes begin, but a few students are permitted to pay on an installment plan. Students can use cash, credit card, or their student photo ID card for various goods and services on the campus such as at the bookstore or the health clinic. For students who use their ID card, the bookstore sends a bill due upon receipt. The health clinic also bills for amounts unpaid by insurance.
Scenario #2
Metro U. serves about 40,000 students in an urban setting. It has many graduate schools, and is affiliated with a hospital. Students have a variety of loan options, including the Perkins Loan Program. In many cases, loan amounts are applied directly to tuition, but students can also get checks directly for living expenses. Metro U. also provides students with a debit card, Metrobucks, linked to a prepaid declining balance account. Students can use the Metrobucks card on and off campus to purchase food, books, etc. Students also have the option to link the Metrobucks card to a checking account at Big Bank.
Program Requirement
Financial institutions and creditors with covered accounts must implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
• the opening of a covered account, or
• any existing covered account
Program Requirement (cont’d)
The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
Elements of the Program
Must include reasonable policies and procedures to:
• Identify relevant red flags* and incorporate them into the Program
• Detect red flags that are part of the Program
• Respond appropriately to any red flags that are detected
• Ensure the Program is updated periodically to address changing risks
* A red flag is a pattern, practice, or specific activity that could indicate identity theft
Administration of the Program
• Obtain approval of the initial Program by the board or a committee thereof
Thereafter may designate a senior management employee to oversee:
• Development, implementation, and administration of the Program
• Training of appropriate staff
• Service provider arrangements
Consideration of the Guidelines
Rules require:
• Consideration of the Guidelines
• Incorporation of appropriate Guidelines into the Program
Identity Theft Red Flag Guidelines
Overview of the Guidelines
I. Incorporate existing policies and procedures
II. Identify relevant red flags
III. Procedures to detect red flags
IV. Appropriate responses to red flags
V. Periodic updating of the Program
VI. Administering the Program
VII. Other legal requirements
I. Incorporate Existing Policies and Procedures
• Existing anti-fraud program
• Information security program
II. Identify Relevant Red Flags
Risk factors for identifying relevant red flags are:
• Types of covered accounts offered or maintained
• Methods provided to open or access covered accounts
• Previous experiences with identity theft
II. Identify Relevant Red Flags (cont’d)
Sources of red flags are:
• Incidents of identity theft that have been experienced
• Methods of identity theft reflecting changes in identity theft risks
• Applicable supervisory guidance
II. Identify Relevant Red Flags (cont’d)
Five categories of red flags* are:
• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers
• Presentation of suspicious documents
• Presentation of suspicious personal identifying information
• Unusual use of, or other suspicious activity related to, a covered account
• Notice from customers, victims of identity theft, or law enforcement authorities
* 26 examples are found in Supplement A
III. Procedures to Detect Red Flags
• Verify identity
• Authenticate customers
• Monitor transactions
• Verify validity of address changes
IV. Appropriate Responses to Red Flags
• Monitor accounts
• Contact customer
• Change passwords
• Close and reopen account
• Refuse to open account
• Don’t collect on or sell account (against the true consumer)
• Notify law enforcement
• No response is warranted
V. Periodic Updating of the Program
• Experience with identity theft
• Changes in methods of identity theft
• Changes in methods to detect, prevent, and mitigate identity theft
• Changes in types of accounts offered
• Changes in business arrangements
VI. Administering the Program
Oversight of the Program by the Board or a senior management employee involves:
• Assigning specific responsibility for implementation
• Reviewing reports
• Approving material changes in the Program
VI. Administering the Program (cont’d)
Reports to the Board or senior management employee:
• At least annually
• Address material matters:
  - Service provider arrangements
  - Effectiveness of the policies and procedures in addressing the risk of identity theft in connection with covered accounts
  - Significant incidents involving identity theft and management’s response
  - Recommendations for material changes to the Program
VI. Administering the Program (cont’d)
Oversight of service providers:
• Ensure the service provider’s activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft
VII. Other Legal Requirements
• Suspicious Activity Reports (SARs)
• Other FCRA provisions (e.g. 15 U.S.C. 1681s-2, information furnisher duties to update or correct inaccurate information, and not report inaccurate information)
Examples of Red Flags (Supp. A)
• Warning from consumer reporting agencies: fraud or active duty alert included in consumer report
• Suspicious documents: documents provided for identification appear to be altered
• Suspicious personal information: inconsistent with external information sources
Examples of Red Flags (cont’d)
• Unusual use of account: account used in a manner that is not consistent with historical patterns of activity
• Notice from customers: customer notifies institution about identity theft
Enforcement of Red Flags Rules
• Administrative enforcement under Section 621 of the FCRA
• No private right of action
• State Attorneys General
• No criminal penalties
Don’t Panic!
• The Programs are risk-based and flexible.
• Consider the bigger picture.
Rule on Duties of Card Issuers Regarding Changes of Address
Identity Theft Red Flags
FACT Act Section 114
FCRA Section 615(e)
16 CFR 681.3
Covered Entities
Financial institutions or creditors that issue debit or credit cards.
Address Validation
A card issuer must have reasonable policies and procedures to assess an address change when:
• A consumer sends a notice of address change, and
• The card issuer receives a request for an additional or replacement card within at least the first 30 days after the address change notice.
Address Validation (cont’d)
Before issuing the additional or replacement card, the card issuer must:
• Notify* the cardholder of the request and allow a reasonable means to report an incorrect address change, or
• Otherwise assess the validity of the address change in accordance with its Identity Theft Prevention Program
* Notice can be given at the cardholder’s former address or by any other communication means agreed upon.
Alternative Timing
The card issuer may fulfill the requirements of this rule when it receives the address change notification, before receiving the request for the additional or replacement card.
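The card-issuer rule in the preceding slides (address change notice, then a request for an additional or replacement card within the first 30 days, with the Alternative Timing option of validating when the notice arrives) written out as detection logic. This is an added example, not FTC or rule text: the event format, account ids and dates are constructed, and the hold/issue decision is one illustrative way to encode the rule rather than anything the rule prescribes.

```python
"""Card-issuer address-change check (added example, not rule text).

A request for an additional or replacement card received within the first
30 days after an address change notice is held until the issuer has notified
the cardholder or otherwise validated the change under its Program. If the
issuer already validated the change when the notice arrived ("Alternative
Timing"), no further hold is needed. Account ids and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

WINDOW_DAYS = 30  # rule text: "within at least the first 30 days" after the notice


@dataclass
class AccountState:
    address_change_date: Optional[date] = None
    # True when the issuer validated the change at notice time (Alternative Timing).
    validated_at_notice: bool = False


@dataclass
class Decision:
    account_id: str
    request_date: date
    hold: bool  # True: do not issue until notice or validation is complete
    reason: str


def assess_card_request(account_id: str, state: AccountState, request_date: date) -> Decision:
    """Apply the 30-day rule to one card request against the account's state."""
    if state.address_change_date is None:
        return Decision(account_id, request_date, False, "no address change on file")
    days = (request_date - state.address_change_date).days
    if days < 0:
        return Decision(account_id, request_date, False, "request predates the address change")
    if days > WINDOW_DAYS:  # day 30 itself is still inside the window
        return Decision(account_id, request_date, False,
                        f"address changed {days} days ago, outside the {WINDOW_DAYS}-day window")
    if state.validated_at_notice:
        return Decision(account_id, request_date, False,
                        "address change already validated when the notice was received")
    return Decision(account_id, request_date, True,
                    f"card requested {days} days after address change: notify cardholder "
                    "at former address (or agreed channel) or validate under the Program first")


# Event record: (account_id, event_type, date, validated_at_notice). Constructed format.
Event = Tuple[str, str, date, bool]


def process_events(events: List[Event]) -> List[Decision]:
    """Replay events in date order and return one Decision per CARD_REQUEST."""
    states: Dict[str, AccountState] = {}
    decisions: List[Decision] = []
    for account_id, kind, when, validated in sorted(events, key=lambda e: e[2]):
        state = states.setdefault(account_id, AccountState())
        if kind == "ADDRESS_CHANGE":
            state.address_change_date = when
            state.validated_at_notice = validated
        elif kind == "CARD_REQUEST":
            decisions.append(assess_card_request(account_id, state, when))
    return decisions


# Constructed sample events (not real account data); all card requests fall on the same day
# so the decisions come back in account order.
SAMPLE_EVENTS: List[Event] = [
    ("acct-1", "ADDRESS_CHANGE", date(2008, 11, 3), False),
    ("acct-1", "CARD_REQUEST", date(2008, 11, 20), False),   # 17 days later: hold
    ("acct-2", "ADDRESS_CHANGE", date(2008, 11, 3), True),
    ("acct-2", "CARD_REQUEST", date(2008, 11, 20), False),   # validated at notice: issue
    ("acct-3", "ADDRESS_CHANGE", date(2008, 9, 1), False),
    ("acct-3", "CARD_REQUEST", date(2008, 11, 20), False),   # 80 days later: outside window
    ("acct-4", "CARD_REQUEST", date(2008, 11, 20), False),   # no address change on file
    ("acct-5", "ADDRESS_CHANGE", date(2008, 10, 21), False),
    ("acct-5", "CARD_REQUEST", date(2008, 11, 20), False),   # exactly 30 days: still hold
    ("acct-6", "ADDRESS_CHANGE", date(2008, 10, 20), False),
    ("acct-6", "CARD_REQUEST", date(2008, 11, 20), False),   # 31 days: outside window
]

if __name__ == "__main__":
    for d in process_events(SAMPLE_EVENTS):
        print(d.account_id, d.request_date, "HOLD" if d.hold else "issue", "-", d.reason)
```

The window is inclusive of day 30 so that the check errs toward holding a card at the boundary; the Alternative Timing path is modelled as a flag set when the address change itself was validated, which is what lets acct-2's request go through without a second check.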
Form of Notice
The notice may be written or electronic, but it must be clear and conspicuous* and be provided separately from regular correspondence with the cardholder.
* Reasonably understandable and designed to call attention to the nature and significance of the information.
Rule on Notices of Address Discrepancy
Notices of Address Discrepancy
FACT Act Section 315
FCRA Section 605(h)
16 CFR 681.1
Notices of Address Discrepancy
Duties of users of consumer reports that receive a “notice of address discrepancy” from a nationwide consumer reporting agency (NCRA as defined in FCRA)
Notices of Address Discrepancy
“Notice of address discrepancy” notifies the user of a substantial difference between:
• Address the user provided, and
• Address in the NCRA’s files
Notices of Address Discrepancy
Regulatory Requirement:
The user must have reasonable policies and procedures to establish a reasonable belief that the consumer report relates to the consumer about whom the report was requested
Notices of Address Discrepancy
Establishing a reasonable belief: examples
• Compare information in the consumer report to information the user:
  - Maintains in its records
  - Obtains from third-party sources
  - Obtained to comply with CIP rules
• Verify information in the consumer report with the consumer
Notices of Address Discrepancy
Regulatory Requirement:
The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA, when the user:
• Can form a reasonable belief that the report relates to the consumer
• Establishes a continuing relationship with the consumer
• Regularly furnishes information to the NCRA
Naomi Lefkovitz
Federal Trade Commission
[email protected]
(202) 326-3058