The Fair and Accurate Credit Transactions Act (FACTA) is a federal law that was enacted by the United States Congress in 2003. Its stated purpose is to improve consumer protections against identity theft. The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) have the authority to enforce the law.
The most widely known feature of the Act is that it gives every citizen of the U.S. free access to their credit reports one time per year through the website, www.annualcreditreport.com.
FACTA provides rules for lenders, credit reporting agencies, businesses, and financial service providers to use in detecting and protecting consumers from fraud and identity theft.
Provisions of FACTA
According to the FTC, the most important provisions of the FACTA include the following:
- Free Annual Credit Report: The three major credit reporting agencies are required to provide consumers with one free credit report a year. This allows consumers to make sure that bank accounts, credit cards or other credit accounts have not been opened by other people using their name. The three credit reporting agencies are Experian, TransUnion and Equifax. The national specialty credit reporting agencies must also provide one free credit report a year. National specialty credit reporting agencies are agencies that maintain information on medical payments or records, tenant history, check-writing history, employment history, or insurance claims;
- National Fraud Alert System: The Act also establishes a National Fraud Alert System, which allows consumers to alert their creditors of potential fraud. This alerts creditors of the fact that they need to proceed with caution when extending credit in a consumer’s name;
- Shortened Numbers on Receipts: A requirement that credit card numbers be shortened on all receipts given by retailers, restaurants, etc. This improves credit card security;
- Reporting I.D. Theft Information: The credit reporting agencies are required to stop reporting adverse credit information once a consumer establishes that they were the victim of identity theft;
- Records of Fraudulent Transactions: Businesses are required to produce records of fraudulent transactions, so that consumers can prove they have been victims of identity theft;
- Consumer Reporting of I.D. Theft: There is a provision that allows consumers to report identity theft directly to creditors, and not just credit reporting agencies.
As a result of FACTA, numerous reforms have been implemented relating to the use and protection of consumer information. For example, the level of oversight that lenders, payment processors, and regulators must provide when searching for suspicious transactions has been increased.
Similarly, consumers can now register fraud alerts on their own credit cards, in order to signal the authorities when suspected fraud has taken place.
FACTA was passed under the administration of then-President George W. Bush in response to an increase in the incidence of identity theft. Unfortunately, identity theft has continued to increase since that time, because of an increase in e-commerce, social networking, and other online activities.
In addition to the provisions intended to reduce identity theft, FACTA also contains measures whose goal is to strengthen consumer protection more generally. Some examples of these protections are as follows:
- Mortgage Lender Disclosures: FACTA places new requirements on mortgage lenders to disclose the credit scores and other factors that influence their decisions about whether or not to approve a mortgage loan application. This includes telling applicants the so-called “risk-based-pricing” factors used in their decisions on loan applications, as well as any specific issues that they have noted on the consumer’s credit report;
- Red Flag Rules: FACTA also includes many new rules that apply to businesses and financial service providers. In particular, it gives enforcement agencies the authority to take action on any violations of “red flag” rules. A “red flag” in the context of the FACTA is any activity or pattern of activities that is suspicious and indicates the possibility of identity theft. Each business has its own distinct operations and activities, a “red flag” action taken by a customer at one business may not be considered a “red flag” activity by another business.
- In any event, “red flag” rules require creditors and financial institutions, such as banks and credit unions, to implement identity theft prevention programs that help detect and prevent identity theft. For example, institutions that issue credit and debit cards must take steps to validate any changes to customers’ addresses.
- The purpose of FACTA’s “red flag” rules is to provide guidance to businesses for developing, implementing, and administering a written identity theft prevention program.
- In order to comply with FACTS’s “red flag” rules for an identity theft prevention program, a business must meet 4 main requirements:
- Identify Relevant Red Flags: A business must identify reasonable policies and procedures that can successfully identify “red flag” activities that occur in the day-to-day operations of the business;
- Detect Red Flags: Procedures need to be able to detect those “red flags”
- Prevent and Mitigate Identity Theft: Procedures need to provide the steps for the prevention of “red flag” incidents and mitigation once a “red flag” is detected;
- Update the Program: A business must determine how its program can be updated to address any new identity theft threats.
- The development and implementation of an effective detection system for “red flags” is the key to running a successful identity theft prevention program. For example, if a business regularly checks identification documents, e.g. driver’s licenses, for certain transactions, an i.d. that appears to be fake would be considered a “red flag” for that . business. Having procedures in place that helps employees detect any potential fake, forged, or altered forms of identification is absolutely critical to its identity theft prevention program.
- Personal Information: One of the unintended consequences of FACTA is that it may have increased the amount of personal identity information that businesses are required to obtain from their customers. For example, a business that is required to confirm the identity or whereabouts of a customer in a more rigorous manner may have to request multiple forms of identification in order to meet certain provisions of FACTA.
- On one hand, these changes might make the business and consumer less vulnerable to identity theft or other types of fraud. On the other hand, in the event that a business’s records are hacked or stolen, there is more information available to the hacker or the thief about that business’s customers. Arguably this could potentially be more damaging for those customers;
- Credit Bureaus Selling Marketing Lists: Another feature of FACTA concerns the fact that sometimes credit bureaus sell to banks and insurance companies prescreened lists of consumers for marketing purposes. Consumers who do not want to receive unsolicited offers can opt out of this prescreening process. Any business that shares consumer information for affiliate sharing is required by FACTA to let the consumers know and allow the consumer to opt out.
FACTA bans credit reporting agencies from sharing medical information for employment, credit, or insurance purposes unless the consumer gives their permission. Also, lenders generally are not allowed to use medical information to qualify or disqualify consumers for borrowing.
Do I Need a Lawyer?
If you suspect that you have been the victim of identity theft or are having trouble with a credit reporting agency, then you need to consult a credit lawyer. Your lawyer can advise you as to the protections that your bank, creditors and the credit reporting agencies should provide.
Or if you are in the business of lending to consumers or providing consumers with other financial services and are not sure of how you can fully comply with FACTA, you too should consult a credit dispute lawyer who can advise you on the steps you need to take to comply with this important federal law and fully protect your customers and your business from identity theft and fraud.