Skip to content

The FACT Act Helps Bankers Mitigate Risks

Thursday, July 1, 2004

Customers continue to increase their use of remote electronic access to conduct financial transactions with their banks. While this method is convenient, it also increases the risk of doing business with unauthorized or incorrectly identified parties.

Last year, the Federal Trade Commission received more than 500,000 consumer-fraud and identity-theft complaints-up from 400,000 in 2002-with losses of more than $400 million. Approximately half of all identity-theft complaints in Eighth District states included credit card and bank fraud.

The Fair and Accurate Credit Transactions Act (the FACT Act) is a comprehensive statute that, in part, enhances a consumer's ability to combat identity theft. It also increases the accuracy of consumer reports. Here is a brief summary of what your bank needs to know about certain provisions of the FACT Act.

Fraud Alerts

The FACT Act contains a new provision permitting a consumer to place a "fraud alert" on a consumer credit report. If a financial institution obtains a consumer report that contains a fraud alert, the institution cannot:

  • extend new credit-other than an open-end credit plan,
  • issue an additional card in the consumer's name or
  • increase any credit limit without taking additional steps to identify the person making the request.

If consumers who request a fraud alert provide a contact telephone number for verifying their identities, financial institutions must either use the contact number provided or take other reasonable steps to verify a consumer's identity. As part of this process, the financial institution must confirm that the request for new or additional credit is not the result of identity theft.

Encountering an Identify Thief

The FACT Act imposes new obligations on a financial institution that enters into a transaction with an alleged identity thief. Within 30 days of an identify-theft victim's request, the institution must provide copies of records that document the transaction, regardless of whether those records are maintained by the institution or another business entity on the institution's behalf.

Before disclosing these records, the institution may require that requestors provide proof of their identities and also prove that a claim of identity theft has been made. The institution must also provide certain documents related to the transaction to law-enforcement agencies.

In some situations, a consumer reporting agency may block information from a consumer report-if the consumer adequately documents that the transaction resulted from identity theft. In that case, the consumer reporting agency will notify the furnisher of the information that the information has been blocked. This affects financial institutions because they must have reasonable procedures in place that prevent the resending of the previously blocked information. Additionally, the institution may not sell or place the related debt into collection.

Mortgage Lenders and Credit Scores

The FACT Act also includes new rules for mortgage lenders that disclose credit scores. Any lender that uses a consumer credit score to arrange a residential mortgage loan must provide the consumer a:

  • copy of the credit score information obtained from a consumer reporting agency or developed and used by the lender,
  • copy of the key factors that affected the consumer's credit score and
  • new notice to the applicant-explaining the credit score in general terms.

Creating Guidelines and Plans

Finally, the FACT Act directs the federal banking agencies, the NCUA and the FTC to adopt identity-theft guidelines for a creditor's account holders and/or customers. These new guidelines are in addition to those adopted in 2001 by federal banking agencies for Safeguarding Customer Information.

The Guidelines for Safeguarding Customer Information Act required institutions to:

  • establish an information-security program to identify and assess the risks that may threaten customer information, and
  • develop a written plan that contains policies and procedures to manage and control these risks.

In addition to implementing and testing the plan, institutions also must adjust the plan periodically to account for changes in technology, sensitivity of customer information and internal or external threats to information security.

Because of significant increases in the new crime of identity theft, part of your bank's information-security plan must include an effective authentication program that verifies new customers and authenticates existing customers. All financial institutions will be required to establish policies and procedures for implementing the FACT Act guidelines while also ensuring the security and confidentiality of customer records.