FACT Act and Customer Privacy

Question: We have been discussing the FACT Act and have some concerns about privacy. If we report to another creditor that the consumer has filed an identity theft flag, do we violate the consumer's privacy?

Answer: No. You are protecting the consumer, not violating their privacy. You may be telling on the identity thief, but no-one is particularly concerned about that.

We are getting many questions about possible privacy infractions, so we'd like to clear up some questions about privacy. There are two primary privacy laws that affect banking on a day-to-day basis. These are the G-L-B Privacy Act and the FCRA including the amendments from the FACT Act. G-L-B is designed to prevent the use of customer information for marketing and for other for-profit uses that the consumer did not authorize. To accomplish this, we have a series of prohibitions and requirements. However, remember that these are oriented toward preventing the sale or inappropriate use of your customer data base.

Then there is the FCRA which is sets rules for the use and sale of credit history information. The FACT Act amends the FCRA. So there are two ways of looking at your question. The first is that because the FACT Act specifically requires this information exchange about identity theft, the requirement would override any possible prohibition elsewhere within the
FCRA.

The second way of looking at this is very important. When the consumer files an identity theft flag, the consumer is making certain requests, including a request that you share the identity theft information with the credit bureau and with other creditors. Thus, by reporting the information you are not violating your customer's privacy. Instead, you are carrying out your customer's request.

Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 11, 10/04