FCRA: New and Improved?
Congress has taken decisive action on the Fair Credit Reporting Act. The 2003 Fair and Accurate Credit Transactions Act ("FACTA") provides major overhauls of several important parts of the FCRA as we have known it.
The most positive component of this action is the extension of the federal preemption of state activity in regulating information sharing. The federal preemption stands and chaos introduced by state action has been prevented.
This victory came at a price: more compliance. The law contains several significant revisions to FCRA. One of these is not really new - it simply ups the ante for compliance. Under the new law, reporters of credit performance to credit bureaus have a heightened duty to investigate customer allegations that the information is incorrect. And of course the penalties for failures are also steeper.
Several of the provisions will have a greater effect on the credit bureaus than on financial institutions. For example, consumers will now have a right to receive a free copy of their credit report once a year. This burden falls on the credit bureaus rather than on the creditors. Credit bureaus will also be required to notify consumers about their rights with respect to their credit report. The notice format will be developed by the Federal Trade Commission.
Financial institutions can use this credit bureau burden to some advantage. A statement stuffer with information about the right to a free copy and how to obtain one (including phone numbers and web addresses) would be a customer-friendly service with almost no cost to the institution. It would also help to meet the act's mandates for customer education.
Looming largest among the new provisions are a variety of techniques for dealing with identity theft. The momentum behind FACTA was concern about identity theft. The FCRA became the vehicle for acting on these concerns. In fact, FCRA is a useful tool for both consumers and creditors in preventing and correcting identity theft. The act defines identity theft as a fraud committed using the identifying information of another person. The act also authorizes FTC to expand upon the definition in its regulations.
The first step in identity theft protections is that, when a consumer (or a person properly representing a consumer) reports identity theft, the report must be taken seriously. When the report is made in good faith that the consumer is or is about to become the victim of a fraud such as identity theft, certain actions are triggered.
The credit bureau must put a 90-day flag in the consumer's file. The flag stays in the file and goes out with each report for 90 days unless the consumer requests that it be removed before the 90 days is up.
When the credit bureau receives the fraud alert, it must also share the information with other consumer reporting agencies. The idea is to get the fraud alert information as widely distributed as possible as rapidly as possible.
The consumer may also ask for an extended alert. This takes the in-file warning from 90 days to seven years. As a practical matter, 90 days is a very short period of time if identity theft has occurred. It can take several years for the harmed individual to clear things up. It is therefore likely that many consumers harmed by identity theft will request the extended protection.
Fraud alerts must stay in place for 90 days or seven years unless the consumer requests that they be removed.
The alert on the credit report creates certain constraints on the credit reporter and on the creditor. The consumer's name must be excluded from any list that is provided by the credit reporter to a third party for the purpose of offering credit or insurance. In other words, when a creditor requests a pre-screened list from the credit reporter, the names of consumers who have reported fraud should not be produced for the purpose of credit solicitations. After all, the solicitation could be going to the identity thief instead of the legitimate consumer.
The initial fraud alert notifications will include a notification to all prospective users of the consumer report that the consumer does not authorize the establishment of any new credit product in the consumers name. Creditors will also be notified that they may not issue an additional card or increase the line of credit unless and until requested by the consumer. And the consumer making the request must establish his or her identity.
This takes us to CIP. The FTC is authorized to issue regulations on what constitutes proof of identity when identity theft is involved. Whether the FTC refers to the existing CIP regulations remains to be seen. It would certainly make life simpler if the two rules are at least very similar.
FACTA suggests that a telephone number provided by the consumer or a question suggested (earlier, we presume) by the consumer may be used to create a reasonable belief that the creditor or bureau is dealing with the legitimate consumer rather than the thief. This will be an extra step between taking an application and underwriting it.
The act requires the bureaus to provide two free copies of credit reports to consumers that file fraud alerts. The FTC will design a notice of information and rights that the bureaus will also provide to consumers filing fraud alerts.
As a practical matter, the user of the report - the financial institution, employer, insurer and the like, must take the fraud information into account when taking action. This ties in to several other regulations and processes.
For example, denials involving credit bureau information trigger adverse action notices. For purposes of Regulation B, this means reasons. When there is a fraud alert in the consumer's file, and that alert is a reason for denial, the alert becomes a reason that Regulation B requires.
In addition, the user of the credit report now has information that must be put together with the information received from the applicant and evaluated. The result may be a conclusion that you are dealing with the thief and that means filing a Suspicious Activity Report.
Both the credit bureau and the creditor must take steps to develop a reasonable belief that the consumer presenting the request or application is the legitimate consumer. The act sets the standard of reasonable belief that the creditor know who the consumer is (or isn't, in the case of a thief.) This is likely to look a great deal like your customer identification program.
Soldiers and Sailors?
There are special provisions for persons in the military on active duty. These customers basically get the same protections as the victims of identity theft. The assumption supporting this is that while on active duty a person is vulnerable to identity theft and not likely to identify it quickly. The protections put into place prevent creditors from taking actions - such as opening new accounts - that a person on active duty is unlikely to request.
Similar protections and procedures to the fraud protections apply to any consumer who has notified the credit reporter that he or she is on active duty. Restrictions on offering credit apply for a two year period.
Regulations and studies
FACTA requires both the Federal Reserve Board and the Federal Trade Commission to conduct studies of practices that are or will be affected by this legislation and to report to Congress. During the next two years, there should be some interesting information produced.
As for regulations, the agencies have two months from the date of enactment (the President's Signature) to publish proposed regulations for most of the provisions in the act. This means that regulations should be published by the end of January. Congress directed that regulations take effect as early as possible but no later than 10 months after the date of issuance of regulations in final form. There will be no asking for postponements.
- First, start studying.
- Discuss with lenders how fraud alerts and responses should be built into procedures.
- Review lending and deposit policies to identify how they should be revised to accommodate the requirements in FACTA.
- Look at your CIP in the context of FACTA. Think about how one process can accomplish compliance with both laws.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 14, 1/04
First published on 01/01/2004