When it comes to identity theft and credit, everyone should know their rights. So, as a courtesy, I am reposting the FACTA here. If you don't understand your rights under the law, please consult with a licensed attorney who is familiar with consumer law.
Here it is (in summary):
IDENTITY THEFT RED FLAGS AND ADDRESS DISCREPANCIES UNDER THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003
On November 9, 2007, the Federal Trade Commission published final rules implementing part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) regarding the duties of creditors, card issuers and users of consumer reports with respect to the prevention of identity theft. These new regulations went into effect on January 1, 2008 and compliance is required by November 1, 2008. The regulations are organized in three parts which are summarized in this memo.
I. Duties of Users of Consumer Reports Regarding Address Discrepancies
This regulation is set forth at 16 CFR 681.1 and applies to users of consumer reports that are subject to administrative enforcement of the Fair Credit Reporting Act (FCRA) by the Federal Trade Commission (FTC) pursuant to 15 U.S.C. 1681s(a)(1). A user is someone who obtains a consumer report from a consumer reporting agency for a purpose permitted by FCRA, such as for employment or credit purposes. A university that obtains consumer reports would be subject to this regulation.
A user of consumer reports has the following duties:
1. A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy. A notice of address discrepancy means a notice sent to a user by a consumer reporting agency, that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
Examples of reasonable policies and procedures that a user may implement to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report are:
(i) Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer's identity;
(B) Maintains in its own records, such as applications, change of address notifications, or other customer account records; or
(C) Obtains from third-party sources; or
(ii) Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
2. A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i) Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii) Establishes a continuing relationship with the consumer; and
(iii) Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
The user may reasonably confirm an address is accurate by:
(i) Verifying the address with the consumer about whom it has requested the report;
(ii) Reviewing its own records to verify the address of the consumer;
(iii) Verifying the address through third-party sources; or
(iv) Using other reasonable means.
3. The policies and procedures developed in accordance with paragraph 2 above must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information the user regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
II. Duties of Creditors Regarding the Detection, Prevention, and Mitigation of Identity Theft.
This regulation is set forth at 16 CFR 681.2 and applies to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the FTC pursuant to 15 U.S.C. 1681s(a)(1). The term ``creditor'' means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. 15 U.S.C. 1681a(r)(5). The term ``credit'' means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor. 15 U.S.C. 1681a(r)(5). A university that meets the definition of a creditor would be subject to this regulation.
1. Each creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts. An Account means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. A covered account is:
(i) An account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii) Any other account that the creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Such risk assessment should take into consideration:
(i) The methods it provides to open its accounts;
(ii) The methods it provides to access its accounts; and
(iii) Its previous experiences with identity theft.
2. Each creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. The Program must include reasonable policies and procedures to:
(i) Identify relevant Red Flags for the covered accounts that the creditor offers or maintains, and incorporate those Red Flags into its Program. A Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft;
(ii) Detect Red Flags that have been incorporated into the Program of the creditor;
(iii) Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the creditor from identity theft.
3. Each creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(i) Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(ii) Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(iii) Train staff, as necessary, to effectively implement the Program; and
(iv) Exercise appropriate and effective oversight of service provider arrangements.
4. Each creditor that is required to implement a Program must consider the guidelines in Appendix A of the regulations and include in its Program those guidelines that are appropriate.
III. Duties of Card Issuers Regarding Changes of Address.
This regulation is set forth at 16 CFR 681.3 and applies to a person described in 681.2 that issues a debit or credit card (card issuer). The term ``debit card'' means any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services. 15 U.S.C. 1681a(r)(3). The term ``financial institution'' means a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 461(b) of title 12) belonging to a consumer. The term ``transaction account'' means a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. To the extent a University issues campus cards which can be used as debit cards to make electronic funds transfers from a transaction account to off-campus merchants, such a University would be subject to this regulation.
1. A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(i) Notifies the cardholder of the request:
(A) At the cardholder's former address; or
(B) By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(C) Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(ii) Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to section II above.
2. A card issuer may satisfy the requirements of paragraph 1 of this section if it validates an address pursuant to the methods in paragraph (1)(i) or (1)(ii) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
3. Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.