ID Theft: Protecting Consumers from ID Theft
FACTA creates a consumer bill of rights with respect to identity theft. As with most federal concepts, the consumer rights begin with a notice that explains the rights. The Federal Trade Commission is directed to develop a model summary of consumer rights and contact information.
Within 60 days after the summary of rights is issued in final form, any credit bureau to which a consumer reports information indicating identity theft must provide the notice to the consumer. Needless to say, anyone else - including financial institutions - may make these notices available. Statement stuffers and web sites are good vehicles for making this information as available as possible.
The second step to protecting consumers from ID theft is to provide consumers with the tools and information needed to resolve the problem. This responsibility falls on creditors. When a victim requests assistance, the creditor must respond within 30 days with information and documentation.
Information that creditors must produce includes applications and business transactions in the creditor's control (such as billing statements and payment records, if any) that relate to the account or transaction(s) that the customer alleges to be fraudulent. These documents must be made available to the victim and law enforcement investigating the allegations - at no cost. However, before passing documents all around in an effort to be helpful and compliant, the provider of documents (you) must first verify the identity of the consumer making the claim and the legitimacy of the claim. This means taking steps to review information that identifies the consumer, such as review of a government-issued ID or use of an identification system established by the creditor and consumer. It also means taking steps to verify that the consumer did in fact take steps to investigate and enforce the theft by filing a police report or affidavit. If CIP wasn't enough, you will need specific steps to implement this verification process.
For example, certain steps and information must be required of the consumer. This is to protect your institution and also to limit the ability to use a false claim to obtain information that will be put to illegal use. The procedures must specify that the consumer's request:
- be in writing;
- be mailed to a specific address that you specify;
- include relevant information about the transaction or theft to enable you to identify what product or transactions are affected;
- include the dates of fraudulent transactions if known by the victim; and
- include any identifying information including account numbers and dates.
This required information is designed to protect the institution as well as the consumer. Proper documentation of a fraud allegation and proof of identity ensure that you are giving the right help to the right person rather than facilitating a crime.
Your procedures shouldn't stop at when and how to provide information to victims. You also need to provide criteria for deciding when not to provide information. Should you face a request that gives rise to concerns, you will want to have procedures and criteria already in place. You will also need to document any decision not to produce information. In spite of this obvious documentation necessity, the act specifies that there is to be no new recordkeeping obligation.
Requests from government investigators will always be subject to the requirements of the Right to Financial Privacy Act. Be sure to include that in your procedures and training. Much of this investigative support process already exists. FACTA simply puts it into an organized and mandated format.
There is an invisible bottom line here. Financial institutions cannot look only to their primary regulator as the total source for information and regulations. Other agencies, including the FTC, must be on your watch list. The FTC is the lead agency on identity theft and this promises to be an area of high activity.
- Review the status of procedures and training for Right to Financial Privacy and other privacy concerns. Identify additional elements that will be required under this FACTA provision.
- Review complaint investigation procedures and consider how thorough the process is. If it needs strengthening, start working on it.
- Compare CIP steps to what will be needed for consumer allegations of identity theft and requests for help. Consider ways to build a CIP program that will automatically provide you with the right information to implement FACTA.
- Find some efficiencies. Take a close look at your BSA program and look for ways that FACTA and BSA work together - with one step by staff instead of many.
- Start work now to develop the process and documentation for identity theft investigations. Keep in mind that investigations of identity theft will probably involve filing a SAR. Design procedures to support both activities.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 14, 1/04
First published on 01/01/2004