FACT Act Rules: Disposal of Information

The FACT Act requires any user of a credit report to take steps to protect consumers from misuse of their information by providing for information security and safe disposal of information. The agencies have issued final rules that will take effect on July 1, 2005. This gives us six months to be sure the information security program meets these FACT Act requirements.

As a special bonus, the agencies have provided covered institutions with an extra year to update service provider contracts. Those contracts must provide for third party information security by July 1, 2006.

The new rules are in the form of amendments to the existing guidelines issued in 2001 to implement the G-L-B information security requirements. Under the new rule, institutions will be required to develop and maintain controls to ensure that consumer information is disposed of without risk of harm to the consumer.

Consumer information
There may be a great deal of confusion about what information is covered. While the term "consumer information" sounds broad, it is limited to information about a consumer contained in or derived from a consumer report. As defined, it means any record that is the consumer report, whether an original or a copy. It also includes information that is derived from a consumer report. The record can be in any physical form - paper, electronic, or other.

The agencies have narrowed the impact of this definition by exempting any information that does not identify a consumer. The rule does not apply to aggregate information or blind data such as credit score data that is not consumer specific.

One complicating issue is that the information security rules now contain two very similar terms with different coverages. Newly defined consumer information appears because of the FACT Act and the FCRA. The term as defined fits under the umbrella of the FCRA and the consumer report information that it protects.

Not to be confused with consumer information is the already familiar term customer information. This term comes from G-L-B and the privacy rules. To help bankers distinguish between the two terms, the rule offers some examples. As a practical matter, customer information includes much more than consumer information. Consumer information is limited by its source and by how it is subsequently used by the institution. Customer information includes much more, such as information about the entire account relationship and information provided directly by the consumer.

Business Loans
Be alert and ready. Information in a consumer report that is obtained in connection with a business purpose loan is covered by these rules. While some commenters argued that business purpose loans should be exempted, the agencies noted that the real issue is not the purpose of the loan but the nature of the information. Information about a consumer - the business owner or principal - that is obtained from a consumer report is subject to FCRA and is therefore clearly covered by the new information rules.

The rule's coverage is triggered by the consumer information when it is obtained and maintained by the institution for a business purpose. That business purpose may be a business loan as well as a consumer loan.

"Derived From"
One of the big questions about this part of the FACT Act was whether information taken from consumer reports and placed in a new context or format would be covered by the rule. This depended on how the agencies interpreted the term "derived from." The final use of "derived from" is broad and not limited to the consumer report itself.

Covered information includes information that is taken from a consumer report and placed in other contexts or formats. It is also covered when it is combined with other information. Thus, a loan memo or underwriting sheet that contains the consumer's credit bureau score or information about late payments identified on the consumer report is a form that contains information protected by this rule.

Disposal
Ignorance is no defense. The obligation to keep secure and safely dispose of consumer information is absolute. The agencies rejected suggestions that the rule only be triggered when the institution had knowledge that the information was derived from a consumer report, noting that the act creates an absolute obligation.

The term "disposal" is not specifically defined. It has, in the view of the agencies, an obvious meaning that needed no further clarification. The ordinary meaning of the term applies. Here, however, the agencies found that the inclusion of consumer information would constitute disposal under the rule. However, the sale, lease, or transfer of consumer information would not constitute disposal.

Third Party Vendors
The obligation to protect and properly dispose of consumer information runs with the information. The actions of third party service providers must be managed, by contract, to provide the same protections the financial institution must provide. The rules require covered institutions to pass on the information protection requirements to their third party vendors by including provisions in the contract.

Contracts must be updated by July 1, 2006. But just because the agencies have given you an extra year, don't delay. Protection of consumer information is a highly sensitive topic. Technical defenses won't keep your name out of the newspaper.

The overall plan is to merge the FACT Act requirements into the GLB information security requirements, making the imposition of these additional requirements less burdensome than building a new and separate information security system. For institutions that already have a sound information security system, this change should amount to little more than a check-up and a few changes. For institutions that are behind on information security, this regulation now adds to the consequences of being behind.

ACTION STEPS
  • Review consumer information in files and memoranda and determine what practices in the institution should be included in the FACT Act changes to information security.
  • Compile an inventory of how information from consumer reports is used in other forms and formats. These all must be subject to information security.
  • Review contracts with service providers to see that adequate consumer information protections are included. Set a schedule to revise contracts as necessary.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 15, 12/04



