Skip to content
 

FACT Act requires records release for I.D. theft victims - Mary Beth Guard

FACT Act requires records release for I.D. theft victims
Answer by Mary Beth Guard, BOL Guru
Guru BIOS

One of the frustrating experiences identity theft victims have had to endure in the past is finding out that a credit account was opened in their name, using their identifying information, then not being able to obtain information or records relating to that account. Some financial institutions refused to provide copies because they took the position that the financial institution itself was the real victim. In other instances, they claimed privacy laws prevented disclosure of the information. Some refused to supply it simply because there was no law that required them to.

Well, now there is a law that requires records to be provided, and every financial institution needs to have procedures in place to comply. The portion of Section 151 of the FACT Act that deals with providing information to victims of identity theft became effective June 4, 2004. Unlike the other portions of Section 151, the requirement to provide information is not dependent upon regulations being promulgated and its effective date is not delayed until December 1, 2004.

The Basic Requirement
The basic requirement is that a financial institution (or business) must provide a copy of application and business transaction records alleged to be the result of identity theft, upon a victim's request.

Form of request
The victim's request for the records must meet three requirements:

  1. It must be in writing;
  2. It must be mailed to an address specified by the business entity; and
  3. It must include relevant information about the transaction alleged to be a result of identity theft, including, the date of application (if known, or readily obtainable, by the victim), and any other identifying information, such as an account or transaction number (if known, or readily obtainable, by the victim), if that information is requested by the business entity to facilitate compliance.

Definition of "Victim"
For purposes of FACTA Section 151, the term "victim" means "a consumer whose means of identification or financial information has been used or transferred (or has been alleged to have been used or transferred) without the authority of that consumer, with the intent to commit, or to aid or abet, an identity theft or a similar crime."

Timing
Generally, a copy of the application and business transaction records must be provided no later than 30 days after the date of receipt of a request from a victim.

Other requirements
Before providing the records, the entity must first verify the identity of the victim and verify the claim of identity theft.

Verification of identity
Obviously, there is a danger that the request might not be legitimate. The very person requesting the copies could be an identity thief and you could cause the customer harm unless you take steps to verify identity. The statute says that before a business entity provides the requested information, it must either l) already have a high degree of confidence that it knows the identity of the victim making a request , or 2) it should require the victim to provide verification of identity.

To verify identity, the victim must provide, at your election:

  • a government-issued identification card;
  • personally identifying information of the same type as was provided to the business entity by the unauthorized person; or
  • personally identifying information that the business entity typically requests from new applicants or for new transactions, at the time of the victim's request for information.

Proof of claim of identity theft
In addition, steps should be taken to verify the claim of identity theft. To make that verification, the financial institution or business entity may, at its election, require:

  • a copy of a police report evidencing the claim of the victim of identity theft; and
  • a properly completed-
    • copy of a standardized affidavit of identity theft developed and made available by the Federal Trade Commission; or
    • an affidavit of fact that is acceptable to the business entity for that purpose.

Recipient of records
The victim may request that the records be provided directly to the victim, or may instead specify that they be provided to a Federal, State, or local government law enforcement agency or officer, or to any law enforcement agency investigating the identity theft authorized by the victim to take receipt of these records.

No charge
This can't be a moneymaking enterprise. The statute specifically states that information required to be provided under under this part shall be so provided without charge.

Declining to provide information
A financial institution or business entity may decline to provide information, but only if it believes in good faith one of the following:

  • Section 151 does not require disclosure of the information (e.g., the facts don't fit the legal requirements);
  • even after reviewing the information the victim provides, the FI or entity does not have a high degree of confidence that it knows the true identity of the requester;
  • the request for the information is based on a misrepresentation of fact by the individual requesting the information relevant to the request for information; or
  • the information requested is Internet navigational data or similar information about a person's visit to a website or online service.

Privacy laws and rules do not interfere
To avoid the problem of financial institutions saying "We can't provide these records because the GLB privacy laws and rules won't allow it," FACTA addresses the issue head-on and states: "No provision of subtitle A of title V of Public Law 106-102, prohibiting the disclosure of financial information by a business entity to third parties shall be used to deny disclosure of information to the victim under this subsection."

Financial privacy
Don't get carried away with this provision. While it allows you to provide these limited records to certain law enforcement agencies at the direct request of the victim, it does not otherwise interfere with the Right to Financial Privacy Act or any other Federal or State law that might prohibit a broader dissemination of the records or information. Limit your release to precisely what this statute permits.

If you get sued
If you have disclosed records under this section in good faith, you cannot be held civilly liable under any provision of Federal, State, or other law for the disclosure.

If you cannot produce the records and the victim sues in civil court to enforce this section, the law allows you to raise, as an affirmative defense, via affidavit or answer, the defense that you made a reasonably diligent search of your available business records and the records requested under this subsection either do not exist or are not reasonably available. The burden is on you to establish this defense by a preponderance of the evidence.

What you need to do

  • Develop procedures for these requests.
  • Specify an address where these types of requests must be submitted. Make sure all your employees are familiar with this provision of FACTA and understand who to route the requests to.
  • Designate at least one point person to deal with the requests.
  • Create a log to log in the requests to ensure they are processed in a timely manner.
  • Decide what you are going to require to verify identity and prove the existence of a claim of identity theft.
  • Consider developing a form to provide to requesters that spells out your requirements, and also supplies space for them to designate to whom they want the records released.
  • Have a checklist to keep in the file that shows when you received the written request, how and when you verified identity, and how and when you validated the claim of ID theft. After the necessary information has all been obtained, and before the expiration of the 30 day period, the records should be released as requested.
  • Document any decisions to decline to produce the records. Be very clear about the basis upon which the decision was made.
  • Be ready for the examiners to ask about your preparations to comply with this section! The examiners will undoubtedly be asking about it long before you start receiving your first actual requests from victims.

The original version appeared in the July/August 2004 edition of the Oklahoma Bankers Association Compliance Informer.

First published on BankersOnline.com 12/1/04

First published on 12/01/2004

Filed under: 
Lending
Filed under lending as: 
Compliance/Compliance Management
FACTA
Financial Privacy
ID
Internet

Report a problem with this page

Search Topics