Fair and Accurate Credit Transactions Act (FACTA)

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. FACTA's provisions cover accuracy, privacy, limits on information sharing, and new consumer rights to disclosure.

The Federal Trade Commission (FTC) requires that when an employer investigates an employee's conduct on the job, including investigations of employee misconduct, the FCRA governs. The FCRA does not apply to investigations conducted by in-house personnel. In addition, the FCRA does not apply when the investigation is done by a third party that is not in the business of providing such reports (e.g., contractors who do such investigations, but not as their principal business).

Disposal of Personally Identifiable Information (PII)

The practice known as “dumpster diving” provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Under FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal. 

The Federal Trade Commission (FTC), the Federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as to individuals and businesses of any size that use consumer reports. The FTC lists the following as among those that must comply with the rule:
  ✓ Lenders
  ✓ Insurers
  ✓ Employers
  ✓ Landlords
  ✓ Government agencies
  ✓ Mortgage brokers
  ✓ Automobile dealers
  ✓ Attorneys and private investigators
  ✓ Debt collectors
  ✓ Individuals who obtain a credit report on prospective nannies, contractors, or tenants
  ✓ Entities that maintain information in consumer reports as part of their role as service providers 

The definition of “reasonable measures,” in reference to the FACTA Disposal Rule, specifies three possible ways to comply:
  ✓ Burning, pulverizing, or shredding of physical documents
  ✓ Erasure or destruction of all electronic media
  ✓ Outsourcing contract with a third party engaged in the business of information destruction

FACTA "Red Flag" Guidelines

Updates to FACTA mandate that financial institutions and creditors must comply with the identity theft “Red Flag” provisions by November 1, 2008. The ruling issued by the Federal Trade Commission (FTC) and 5 Federal bank regulatory agencies applies specifically to Section 114 of FACTA and addresses an array of accounts, organizations, and consumers, including:

The FACTA rules and guidelines implemented in Section 114 of FACTA specify several categories of Red Flags which illustrate the types of activities that need to be identified:
