You'll find the regulatory definition of identity theft in 1022.3 (h)
Identity theft means a fraud committed or attempted using the identifying information of another person without authority.
And the definition of "identifying information" immediately prior in 1022.3(g)
Identifying information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:
(1) Name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
And finally the definition of "access device" from 18 U.S.C. 1029(e)
(1) the term “access device†means any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument);
So it took a lot of cross referencing, but as you can see we end at a card. Your auditor is correct. Credit card fraud is a form of identity theft under FACT Act.
_________________________
Sola Gratia, Sola Fides, Sola Scriptura, Solus Christus, Soli Deo Gloria!
www.tcaregs.com