I'm in process of doing a FCRA/FACT ACT audit. Are FIs required to have procedures in place for responding to victims of identity theft, and active duty alerts in credit reports. I'm interpreting the regs to imply that we are. Section 605A(h)2)B)Is this correct?