Linda, could I have a copy of your id theft policy/procedures also?

Thanks so much!

crombough@americanbanktrust.net

I am adding the provisions of the FACT Act to our existing FCRA policy. This is what I have so far. REPEAT: This is still in DRAFT Form. Use at your discretion. Any feedback offered is appreciated, but be gentle. I also used elements from the policy example that was given at one of the BOL FACT Act webinars. Thank you BOL! You are a WONDERFUL resource. Remember the formatting changes when posting here.

FAIR CREDIT REPORTING ACT/FAIR AND ACCURATE CREDIT TRANSACTION ACT POLICY

STATEMENT OF NEED AND DEFINITION
In general, the consumer reporting industry consists of credit bureaus, investigative reporting companies, and similar organizations whose business is to gather and report information about consumers for others to use in deciding whether to make mortgage loans, grant other types of credit, underwrite insurance, or employ the subject of those reports. “Consumer reporting agencies” (CRAs) are required to adopt reasonable procedures for providing accurate information to banks, other credit grantors, insurers, employers, and other legitimate users of that information in a manner that is fair and equitable to the consumer. Those who use reported credit information are required to disclose that fact, as well as certain other information to the consumer affected.

The Fair and Accurate Credit Transaction Act (the FACT Act) amended the Fair Credit Reporting Act (FCRA). The FCRA and FACT Act establish numerous requirements that provide protection for the victims of identity theft, provide more information to consumers about credit reports and credit scoring, limits sharing of information with affiliates, and protect consumer medical and other information.

The _________ and its Banks acknowledge their responsibility to fully comply with all applicable requirements of the FCRA and the FACT Act.

PURPOSE
These acts are designed to regulate the consumer reporting industry, but also places specific responsibilities on financial institutions that use credit information provided by others.
SPECIFIC GOALS

This policy has the specific goals:
• To define authority and responsibility for implementing the FCRA and FACT Act to ____; and
• To establish standards for responsibility, record retention, and enforcement for the FCRA and FACT Act policy.

POLICY ELEMENTS
___ avoids the activities that would allow them to be considered a consumer reporting agency. Even though ____ is not a consumer reporting agency there are still duties under both acts that ____ must comply with. ____ uses credit reports in a variety of ways including mortgage loan evaluation, credit extension, purchase of dealer paper, issuing credit cards, and employee hiring.

It is the policy of ____ to:
• Respond to fraud and active duty alerts;
• Properly dispose of consumer report information;
• Provide information to victims of identity theft;
• Properly handle notice of identity theft;
• Respond to any notification received from a Credit Reporting Agency (CRA) relating to information resulting from identity theft, to prevent refurnishing blocked information;
• Truncate the last 5-digits of a debit or credit card;
• Comply with the rules regarding sharing information with affiliates;
• Provide an oral, written, or electronic notice to those who receive less favorable terms;
• Comply with guidelines adopted by the Federal banking agencies, and the FTC for use when furnishing information to a CRA regarding the accuracy and integrity of the information relating to consumers that such entities furnish to CRAs;
• Provide the required notice and credit scores;
• Provide the required notice regarding negative information;
• Take appropriate action when the bank receives a notice of discrepancy in a consumer’s address;
• Comply with the “red flag” guidelines;
• Protect medical information in the financial system; and
• To establish standards for responsibility, record retention, and enforcement for the FCRA/FACT Act policy.

RESPONSIBILITIES
Responsibilities that arise under the act are triggered by the preparation, distribution and use of a “consumer report.” Any information, good or bad, written or oral, that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living is a consumer report if it is used, expected to be used, or collected, in whole or in part, either for the purpose of considering the consumer’s eligibility for consumer credit, insurance, or employment, or for other purposes permitted by the act.
RESPONSIBILITIES OF A CONSUMER REPORTING AGENCY
Many of the FCRA and FACT Act requirements apply to “consumer reporting agencies”. A consumer reporting agency is any person who assembles or evaluates consumer credit information or other information for the purpose of preparing or furnishing “consumer reports”. The information involved need not be derogatory.

• If _____ reports information from its own files to another user of credit information it is not considered a consumer reporting agency as long as that information reflects only _____’s own experience. A bank that regularly reports information that reflects experience other than its own, however, will usually be considered a consumer reporting agency within the meaning of the act and will be subject to a broad array of statutory requirements. For example, if banker A called banker B and asked for his banking experience with Mr. Brown, the reporting by banker B of Mr. Brown’s payment record with him would not be a consumer report. However, if banker B informs banker A that Mr. Brown has been paying him properly but has been defaulting in his obligation to banker C, banker B is making a consumer report and must satisfy his statutory responsibilities. There are exceptions to this rule that provide the ability for affiliates to centralize and share customer information including consumer reports if certain compliance procedures are established and followed.
RESPONSIBILITIES OF A USER OF OTHER CONSUMER INFORMATION
The act along with this policy imposes disclosure requirements on the users of consumer information. These duties apply to all banks that obtain any credit information regarding a consumer from sources outside of the bank.

RESPONSIBILITIES OF ____ WHO REPORTS INFORMATION TO CREDIT REPORTING AGENCIES
Internal Controls –
Bank Management and the Bank Compliance Officers are responsible for developing, implementing and complying with appropriate controls to assure that the procedures are followed.
Officers Responsible for Compliance –
The _____ Compliance Department is responsible for assuring written policy is adopted for all Banks. Bank Management is responsible for assuring that appropriate procedures and internal controls are adopted for all departments of their independent Banks to assure compliance with both the FCRA and FACT Acts. Additionally, Bank Management is responsibility for developing, implementing and complying with those procedures.
Independent Testing –
The _____ Compliance Officer, or persons so designated, will conduct periodic reviews to monitor ____’s compliance with the FCRA and FACT Act, at all ____ locations. Results of the compliance review(s) will be reported to the Audit/Compliance Committee of ____ and to the Bank’s Board of Directors at their regular scheduled meetings.

RECORD RETENTION REQUIREMENTS
When processing a loan, the ____ loan officer should assemble a record of compliance with this policy.
Required Records –
Consumer credit reporting agencies (including banks that release information other than that resulting from their own experience) that disclose reports for employment, credit, or other purposes must keep records of the recipients of any consumer report that they furnish. The act also places disclosure responsibilities on ____ and on other users of reports from persons other than credit reporting agencies.
Retention Period –
The period of retention of a consumer report depends on the purpose for which the report was released. If released for employment purposes, the report must be retained for two years. If released for any other purpose, the report must be retained for six months. The law provides that a civil action can be brought against a credit reporting agency or user for a period of two years, so ____ will maintain evidence of compliance with disclosure requirements for at least two years. ____ will retain all information relative to a solicited offer that was made using a prescreened list until the expiration of three years beginning on the date that the offer was made to the consumer. If a material and willful misrepresentation is made in a required disclosure, the two-year period does not begin to run until the misrepresentation is discovered.

Please add me to the list. jnoellert@firststatefl.com Thank you, Pop Pop

Linda - I would REALLY appreciate a copy of your policy too. Please send to d6bar@mcsbank.net. Thank you in advance!

Linda, could you please forward a copy of your Identity Theft Policy to me at cdsabin@fsb-spencer.com. Thanks so much for your help.

This will be in the BOL Banker Tools later today. Please give Linda a break.

Could someone please send me this policy? I would GREATLY appreciate it! Thanks!

crombough@americanbanktrust.net

I don't see that this policy is posted as of yet in Bankers Tools - will it be?

Thanks.

I am working on a "draft" policy. Thank you for being willing to send a copy of your policy. By viewing your policy, hopefully, I will be able to make sure I have covered all areas. My e-mail address is: cjhale@ovbc.com
Again, thanks!

After all, two compliance minds are better than one!!!!!!

I would like to receive a copy of your policy. Please e-mail to VColeman@rbt.com. Thank you.

It's out there now...

Yes, the Tools page has both the claim form and the two sets of procedures. I combined the customer claim form and instructions.

Linda, could you send me a copy to? Thanks, I appreciate all the help I can get.

I would be interested in receiving what you have drafted also. Send to sburdick@northwestfederal.com. Thanks.

May I have a copy of your policy also? My email is annettepigg@first-community.net. I appreciate your help.

I am a new BOL user. I would like to know if you would send me a working copy of ID Theft/FACT Act provisions.
Thank you. My email address is ksalcido@buttecommunity.com

-Katie Salcido
Butte Community Bank

Thanks for submiting your Procedures to the BOL Tools Linda. It has been very helpfull to myself and others in my bank. =)

I can't locate this in the BOL Tools. Please direct me.

Please send me the policy and procedures you have developed so far. I noticed several other people are requesting them also. Thanks.

This may be a stupid question and I apologize in advance, but am asking anyway. First I asked at our bank what they do if a customer alleges they may have been involved in identity theft. The response is "we just direct them to the credit bureau." Here's the question, does the bank have any obligation to process a ID theft claim on behalf of the customer?

Linda, please forward me a copy also. Thanks Pam
Send to p.wolfe@dcb-t.com

Could I please get a copy of your ID Policy too! Thanks a bunch! jhawkins@dakotacommunitybank.com

My policy (only a draft so far) is as follows:
A. General
1. Upon the request of a consumer that he or she is (or is about to become) a victim of fraud or related crime, including identity theft, a consumer reporting agency will post a fraud alert in that consumer’s file and with the credit score of that person.
2. When the credit report or credit score of a loan applicant has a fraud alert, bank personnel must take the measures noted in this policy to verify the identity of the applicant before a new loan or refinance can be made and before an increase in a line of credit can be given.
B. Types of Alerts
1. Fraud Alerts
a. Initial Alert
The credit bureaus will send an initial fraud alert with the consumer’s credit report and credit score for 90 days unless the consumer cancels the request earlier.
b. Extended Fraud Alert
The credit bureaus will send an extended fraud alert with the consumer’s credit report and credit score for 7 years unless the consumer cancels the request earlier.
2. Active Duty Alerts
The credit bureaus will send an alert indicating the consumer is on active duty in the military, and is assigned to service away from the usual station of duty. This remains in the consumer’s file for 12 months.
C. Bank Response to an Alert
1. Contact the consumer by using a telephone number designated by the consumer (on the credit report alert) to confirm that a proposed transaction is not the result of fraud or identity theft. Initial and Active Duty Alerts do not require the consumer to provide a contact number.
2. If a telephone number is not supplied with the alert, or the customer cannot be reached by telephone at a number known to be correct for the victim, verify the person’s identity using the bank's CIP procedures and confirm that the proposed transaction is not the result of fraud or identity theft.
3. Proceed with the transaction only when verification gives a reasonable belief that the true identity of the person making the request is known and you have documented the verification. If you determine the transaction is fraudulent, complete a Suspicious Activity Report form and send it to the Regional Security Officer within two days of the discovery.
D. Documentation
1. Document in writing how you confirmed a transaction was or was not an attempted fraud or identity theft beside the Alert on the credit report. The documentation must be retained in the applicable file.
2. A form to use for documentation is in Exhibit __ of these procedures.
E. Further Procedures to Protect Victim
1. Upon learning about the theft of an identity involving an account or transaction at the bank further transactions to the ID theft must cease.

2. The bank is prohibited from providing negative information to credit reporting agencies about an account or transaction that was the result of an identity theft.
3. Accounts that are a result of identity theft cannot be sold or transferred or placed for collection.

Providing information to Victims
A. General
Upon request, a financial institution is required to provide a victim of identity theft with a copy of the application and business transaction records evidencing any transaction alleged to be the result of identity theft.
B. Identification Requirements
1. General
a. Prior to releasing information to a victim of identification theft, the identification of the person making the request must be verified and documented.
b.. The requested information must be declined, if after reviewing the information provided, the bank does not have a high degree of confidence in knowing the true identity of the individual requesting the information or if the request is based on a misrepresentation of fact by the individual requesting the information
c.. If you determine the request to be fraudulent, complete a Suspicious Activity Report form and send it to the Regional Security Officer within two days of the discovery).
2. Acceptable identification for requested information
a. a government-issued identification card (the same type requested of new applicants under the bank’s CIP program) and
b. a copy of a police report evidencing the claim of the victim of identity theft; and
c. a completed copy of a standardized affidavit of identity theft or an affidavit of fact that is acceptable to the bank for that purpose.
3. Procedure
a. The request of a victim for information shall be in writing; mailed (or presented) to an address specified by the bank and if requested, must include relevant information about any transaction alleged to be a result of identity theft to facilitate compliance with this section.
b. Other required information includes whether the person who conducted transactions in the victim’s name is known by the victim, the date of the fraudulent application or transaction; and any other identifying information such as an account or transaction number.
4. Information required under this section must be provided to the victim without charge.
5. Requested records evidencing a transaction or account resulting from identity theft must be provided to the victim of the theft within 30 days of a request
6. Place the written request form, copies of ID and any other information in the file.

THANKS FOR THE STARTING POINT!!