I understand as a user of a consumer report we must take additional steps to ensure the true identity of the applicant if we see a fraud alert on a consumer report (initial, active duty or extended). It also states that we can not "establish a new credit plan or extension of credit, issue an additional card on an existing credit account or grant any increase in credit limit on an existing account unless we do certain things to verify identity." What if you are using the consumer report in connection with a deposit account, either opening one, issuing a debit card, etc? I would assume we should apply the same due diligence if a fraud alert is present, but FACTA only talks about credit accounts? Have I missed something here?

yes, you have. The Red Flag guidelines to speak to the issuance of a debit card as well as a credit card, and state that there are requirements for ensuring the identity of your customer if a debit card is requested within 30 days of an address change. See §615(e)(1)of the FCRA.
BC

BC,

Thanks for the reply. I understand (at least as best I can) about the Reg Flag guidelines,address changes, ordering new debit cards and verifying identity for card requests that come within 30 days of an address change request. What about the instance where I have a new deposit account customer (for example sake I will leave out the debit card option) where I pull a consumer report in connection with opening that account and that CR has a fraud alert on it? My definition of a deposit account is not "a new credit plan or extension of credit." Should I be following the same procedures for fraud alerts in connection with deposits accounts that I do for credit accounts? My due diligence instincts would tell me yes, but like many compliance peers I like to see it in writing someplace. I just don't see where it talks about deposit relationships, only credit extensions. Am I looking/reading this section too closely?

If no request for credit is involved, how would you know abouot the the fraud alert?

I believe Travelgirl is referring to the situations where a bank routinely pulls a credit report from one of the 3 major credit bureaus before opening a deposit account.

I hope someone can help with this question because deposit accounts are mostly a "side show" for these requirements. But I do think quite a few of us use credit reports in deposit account opening process, which may include an overdraft line of credit or not. It is always good for compliance professionals know if a requirement is "nice to do", the "right thing to do", the "risk thing to do", but also is it a legal requirement. Deposits with use of credit reporting agency information have me stumped.

Yes, Anon, that is the exact instance I am talking about. We routinely pull credit reports in connection with opening deposit accounts. Is anyone else considering applying the fraud alert requirements to credit reports pulled in connection with deposit products? I don't see how you could do nothing (nor should you do nothing) if you see an alert in this type of transaction. Thanks for the replies!

I understand your confusion, but the way we were looking at it was whether or not the FACTA may require it, the fraud alerts are a new tool for banks as well as consumers. If you pull a credit report and see a fraud alert, wouldn't it be wise to take additional steps to identify the customer in light of BSA due diligence/CIP requirements and to protect the bank from possible losses?

Does Section 112 apply if a consumer credit report is pulled in conjunction with a commercial purpose loan and there is a fraud alert?

My question is - why would you NOT apply the law to these situations? FACTA and FCRA are consumer protection laws. I have a hard time understanding why you would even think of applying them in one situation versus another - isn't the whole idea to protect our customers against fraud and identity theft? How would you respond to a commercial customer whose identity was stolen - "Gee, I'm sorry my bank made a loan to someone pretending to be you and ruined your credit and your good name; we saw the fraud alert on your credit file, but we ignored it because we didn't think it applied to commercial loans!"?
I think we have to think outside the box here and do what is right for our customers.
BC

It is my understanding that additional guidance is to be issued for this section. This has not come out yet, correct? So then I assume as of now it is not effective Dec 1?

My understanding is regulations will be issued for consumer reporting agencies to follow with regards to fraud alerts; however, regulations are not required for report users (such as banks), meaning its Dec. 1 for us. Am I mistaken?

We also pull credit reports for deposit accounts. There is always the possibility that a transaction account can become overdrawn - wouldn't this be considered "credit" under FCRA? Wouldn't a "bounce" product be considered "credit" as well?

We plan to follow the same procedures for deposit accounts as for loans with regards to fraud alerts to be safe. I think its the right thing to do to help keep our customers and the bank from being victims.

I have a question regarding 112. The reg says that the Commission shall perscribe regulations to define what constitutes appropriate proof of identity for purposes of sections 605A, 605B and 609(a)(1). Does anyone know if any rules have been issued yet? If so, where would I find them?

Here are procedures we developed for responding to fraud alerts. Any comments?

Procedures Concerning Fraud Alerts on Credit Reports:

"Initial Fraud Alert" - alert indicating consumer has been or is about to become a victim of fraud or related crime, including identity theft - stays in the consumer's file for 90 days.
"Extended Fraud Alert" - similar to the "initial fraud alert" except it remains in the consumer's file for 7 years (the credit bureau requires more documentation from the consumer prior to putting this alert in file).
"Active Duty Alerts" - alert indicating consumer is on active duty in the military, and is assigned to service away from the usual station of duty - stays in the consumer's file for 12 months.

An Alert on a credit report means a consumer has been, or feels there is good reason to believe they may become, a victim of fraud or identity theft. Personnel must follow the procedures below when Alerts appear on credit reports before completing a requested transaction (this includes establishing new loans, refinancing existing loans, increasing credit lines, opening new deposit accounts, etc. – anything where a credit report is pulled):

Initial Fraud Alerts and Active Duty Alerts:

· Contact the consumer by using a telephone number provided with the alert (if supplied), or
· Verify the consumer's identity using the bank's CIP procedures,
· And, confirm the proposed transaction is not the result of fraud or identity theft.

Extended Fraud Alerts:

· Use a telephone number or other contact method designated by the consumer as provided on credit report alert,
· And, confirm the proposed transaction is not the result of fraud or identity theft by using the bank's CIP procedures.

Initial and Active Duty Alerts do not require the consumer to provide a contact number; therefore, the only option may be to verify the customer's identity using CIP procedures. However, Extended Fraud Alerts require a consumer to provide a contact number or other contact method which the bank is required to use in addition to identifying a customer using CIP. In all cases, you must confirm that a proposed transaction is not the result of fraud or identity theft before proceeding. This will likely mean that the account application will be delayed for a short period; however, it is vital that we protect our customers and the bank from fraud and identity theft.

Document how you confirmed a transaction was not an attempted fraud or identity theft beside the Alert on the credit report. If you determine the transaction is indeed fraudulent, do not proceed with it, and alert the Compliance Department immediately.

I think you have written a good procedure. A couple of suggestions: the time frames for all the 3 alerts are as you state, unless the consumer removes the alert before the end of the time period. Additionally, re: Active Duty alert - the time period is as you state or such longer period as the FTC determines & unless the consumer removes the alert before the end of the period. You can verify telephone #s by utilizing the WhitePages website (www.whitepages.com/reverse-phone) for a reverse phone # look up. If necessary, follow-up with calls to the customer's residence or place of employment. Disconnected telephone service or no record of employment requires further investigation. Document in writing verification process & results & file in the credit or customer file. Obtain consumer's written authorization to process or proceed with the transaction & retain the authorization in the credit or customer file. Proceed with the transaction only upon forming a reasonable belief that the true identity of the person nmaking the request is known. If cannot form a reasonable belief that the true identity of the person making the request is known: deny the request (adverse action - unable to verify identity); file a SAR if appropriate. These are just some of my thoughts.

There is much controversy re: deposit accounts right now because a bank asked the FRB the wrong question, & the FRB gave a wrong answer. However, as it stands, the FRB has stated that if you report an overdraft (which is not credit) or other negative information to an agency such as ChexSystems (which is not a credit reporting agency), you have to provide the negative credit reporting notice to the customer. Following through on this illogical answer, I think it is prudent to follow the requirements for fraud alerts if you obtain a credit report on a deposit customer. We were recently advised at the CA Bankers Association Regulatory Compliance Conference that it's better not to fight the battle with the FRB at this time; just wait for some clarification from them (when or if it ever comes). I think it is a prudent safe & sound banking practice to deal with a fraud alert on a deposit account if you know one is present. My bank does not regularly obtain a consumer credit report on a deposit customer (we only get a ChecksSystems report); however, if we did & a fraud alert was present, I would follow the procedure we set up for our loans. These are just my thoughts.

I really don't understand what the confusion is all about. If there is a fraud alert on a credit report, wouldn't it be prudent to exercise cautionary measures in providing all banking service - regardless of whether you're trying to open a deposit account to a consumer or extend credit? Would a fraudster not use information obtained fraudulently from a credit report to open a deposit account? The way I look at it is a fraud is a fraud regardless of how I come to know about the alert - unless I completely missed the point of this Bol.