FACT Act Rules: Disposal of Information
The FACT Act requires any user of a credit report to take steps to protect consumers from misuse of their information by providing for information security and safe disposal of information. The agencies have issued final rules that will take effect on July 1, 2005. This gives us six months to be sure the information security program meets these FACT Act requirements.
As a special bonus, the agencies have provided covered institutions with an extra year to update service provider contracts. Those contracts must provide for third party information security by July 1, 2006.
The new rules are in the form of amendments to the existing guidelines issued in 2001 to implement the G-L-B information security requirements. Under the new rule, institutions will be required to develop and maintain controls to ensure that consumer information is disposed of without risk of harm to the consumer.
There may be a great deal of confusion about what information is covered. While the term "consumer information" sounds broad, it is limited to information about a consumer contained in or derived from a consumer report. As defined, it means any record that is the consumer report, whether an original or a copy. It also includes information that is derived from a consumer report. The record can be in any physical form - paper, electronic, or other.
The agencies have narrowed the impact of this definition by exempting any information that does not identify a consumer. The rule does not apply to aggregate information or blind data such as credit score data that is not consumer specific.
One complicating issue is that the information security rules now contain two very similar terms with different coverage. The newly defined term "consumer information" appears because of the FACT Act and the FCRA. As defined, it fits under the umbrella of the FCRA and the consumer report information that the FCRA protects.
Not to be confused with consumer information is the already familiar term "customer information." This term comes from G-L-B and the privacy rules. To help bankers distinguish between the two terms, the rule offers some examples. As a practical matter, customer information includes much more than consumer information. Consumer information is limited by its source and by how it is subsequently used by the institution. Customer information includes much more, such as information about the entire account relationship and information provided directly by the consumer.
Be alert and ready. Information in a consumer report that is obtained in connection with a business purpose loan is covered by these rules. While some commenters argued that business purpose loans should be exempted, the agencies noted that the real issue is not the purpose of the loan but the nature of the information. Information about a consumer - the business owner or principal - that is obtained from a consumer report is subject to FCRA and is therefore clearly covered by the new information rules.
The rule's coverage is triggered by the consumer information when it is obtained and maintained by the institution for a business purpose. That business purpose may be a business loan as well as a consumer loan.
One of the big questions about this part of the FACT Act was whether information taken from consumer reports and placed in a new context or format would be covered by the rule. This depended on how the agencies interpreted the term "derived from." The final interpretation of "derived from" is broad and not limited to the consumer report itself.
Covered information includes information that is taken from a consumer report and placed in other contexts or formats. It is also covered when it is combined with other information. Thus, a loan memo or underwriting sheet that contains the consumer's credit bureau score or information about late payments identified on the consumer report is a form that contains information protected by this rule.
Ignorance is no defense. The obligation to keep secure and safely dispose of consumer information is absolute. The agencies rejected suggestions that the rule only be triggered when the institution had knowledge that the information was derived from a consumer report, noting that the act creates an absolute obligation.
The term "disposal" is not specifically defined. It has, in the view of the agencies, an obvious meaning that needed no further clarification. The ordinary meaning of the term applies. Here, however, the agencies found that the inclusion of consumer information would constitute disposal under the rule. However, the sale, lease, or transfer of consumer information would not constitute disposal.
Third Party Vendors
The obligation to protect and properly dispose of consumer information runs with the information. The actions of third party service providers must be managed, by contract, to provide the same protections the financial institution must provide. The rules require covered institutions to pass on the information protection requirements to their third party vendors by including provisions in the contract.
Contracts must be updated by July 1, 2006. But just because the agencies have given you an extra year, don't delay. Protection of consumer information is a highly sensitive topic. Technical defenses won't keep your name out of the newspaper.
The overall plan is to merge the FACT Act requirements into the GLB information security requirements, making the imposition of these additional requirements less burdensome than building a new and separate information security system. For institutions that already have a sound information security system, this change should amount to little more than a check-up and a few changes. For institutions that are behind on information security, this regulation now adds to the consequences of being behind.
- Review consumer information in files and memoranda and determine what practices in the institution should be included in the FACT Act changes to information security.
- Compile an inventory of how information from consumer reports is used in other forms and formats. These all must be subject to information security.
- Review contracts with service providers to see that adequate consumer information protections are included. Set a schedule to revise contracts as necessary.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 15, 12/04
First published on 12/01/2004