Secure Controls Framework

Fair And Accurate Credit Transactions Act (FACTA)

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA.

The Federal Trade Commission (FTC) requires that when an employer investigates an employee's conduct on the job, including investigations of employee misconduct, the FCRA governs. The FCRA does not apply to investigations conducted by in-house personnel. In addition, the FCRA does not apply when the investigation is performed by a third party that is not in the business of providing such reports (e.g. contractors who conduct such investigations, but not as their principal business).

Key Takeaways - FACTA Compliance
  • FACTA (2003) amends the Fair Credit Reporting Act (FCRA) to help consumers fight identity theft.
  • The Disposal Rule requires any business that uses consumer reports to adopt proper document destruction procedures.
  • The Red Flags Rule requires financial institutions and creditors to implement identity theft prevention programs.
  • FACTA applies broadly: from banks to landlords, employers, debt collectors and even individuals who pull credit reports.
  • There are three acceptable disposal methods: physical destruction, electronic erasure, or an outsourced destruction contract.
  • Enforced by the FTC, federal banking agencies and NCUA. Non-compliance carries statutory penalties.

"Dumpster Diving"

Disposal of Personally Identifiable Information (PII)

The practice known as “dumpster diving” provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Under FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal.

The Federal Trade Commission (FTC), the Federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports. The FTC lists the following as among those that must comply with the rule:

  • Lenders
  • Insurers
  • Individuals who obtain a credit report on prospective nannies, contractors, or tenants
  • Employers
  • Landlords
  • Government agencies
  • Mortgage brokers
  • Automobile dealers
  • Attorneys and private investigators
  • Debt collectors
  • Entities that maintain information in consumer reports as part of their role as service providers

The definition of “reasonable measures,” in reference to the FACTA Disposal Rule, specifies three possible ways to comply:

1. Burning, pulverizing, or shredding of physical documents
2. Erasure or destruction of all electronic media
3. Outsourcing contract with a third-party engaged in the business of information destruction

FACTA "Red Flag" Guidelines

What Was Updated With The FACTA Mandate?

Updates to FACTA mandate that financial institutions and creditors must comply with the identity theft “Red Flag” provisions by November 1, 2008. The ruling, issued by the Federal Trade Commission (FTC) and five Federal bank regulatory agencies, applies specifically to Section 114 of FACTA and addresses an array of accounts, organizations, and consumers, including:

  • Retail and business customers
  • Existing and new accounts
  • Financial institutions and creditors

The FACTA rules and guidelines implemented under Section 114 specify several categories of Red Flags that illustrate the types of activities a program needs to identify:

  • Alerts, notifications or warnings from a Consumer Reporting Agency
  • Suspicious documents
  • Suspicious personal identifying information
  • Unusual use of, or suspicious activity related to, the covered account