1. 1 The FACT Act – An Overview The FACT Act An Overview of the Final Rulemaking on Identity Theft Red Flags and Address Discrepancies Naomi Lefkovitz Attorney, Division of Privacy and Identity Protection Federal Trade Commission

2. 2 Statutory Provisions Implemented  The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) amended the Fair Credit Reporting Act (FCRA)  Sections 114 and 315 of the FACT Act Rules: 72 Fed. Reg. 63718 (November 9, 2007) http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf

3. 3 Background  Joint rulemaking  Final rules published November 9, 2007  Full compliance required by November 1, 2008

4. 4 Identity Theft Red Flags FACT Act Section 114 FCRA Section 615(e) 16 CFR 681.2 and 681.3

5. 5 Identity Theft Red Flags  Risk-based final rule  Guidelines (Appendix A)  Supplement A (26 examples of red flags)

6. 6 Purpose of the Red Flags Rule To detect and stop identity thieves using someone else’s identifying information at your institution to commit fraud. Distinct from data security

7. 7 Covered Entities “Financial institutions” and “creditors” must conduct a periodic risk assessment to determine if they have “covered accounts.”

8. 8 Definitions From the FCRA, a “financial institution” is:  A state or national bank  A state or federal savings and loan association  A mutual savings bank  A state or federal credit union, or  Any other person that directly or indirectly holds a transaction account* belonging to a consumer * From the Federal Reserve Act, Sec. 19(b) - an account that allows withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or similar items to make payments or transfers to 3 rd persons or others.

9. 9 Definitions (cont’d) From ECOA, a “creditor” is:  Any person who regularly extends, renews, or continues credit  Any person who regularly arranges for the extension, renewal, or continuation of credit, or  Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit

10. 10 Definitions (cont’d) An “account” is: a continuing relationship established by a person with an FI or creditor to obtain a product or service for personal, household, or business purposes.

11. 11 Definitions (cont’d) A “covered account” is:  A consumer account designed to permit multiple payments or transactions, and  Any other account for which there is a reasonably foreseeable risk from identity theft

12. 12 Scenario #1 Rural U. has about 1100 students and is located in a small town surrounded by miles of farmland. Tuition is due before classes begin, but a few students are permitted to pay on an installment plan. Students can use cash, credit card, or their student photo ID card for various goods and services on the campus such as at the bookstore or the health clinic. For students who use their ID card, the bookstore sends a bill due upon receipt. The health clinic also bills for amounts unpaid by insurance.

13. 13 Scenario #2 Metro U. serves about 40,000 students in an urban setting. It has many graduate schools, and is affiliated with a hospital. Students have a variety of loan options, including the Perkins Loan Program. In many cases, loan amounts are applied directly to tuition, but students can also get checks directly for living expenses. Metro U. also provides students with a debit card, Metrobucks, linked to a prepaid declining balance account. Students can use the Metrobucks card on and off campus to purchase food, books, etc. Students also have the option to link the Metrobucks card to a checking account at Big Bank.

14. 14 Program Requirement Financial institutions and creditors with covered accounts must implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:  the opening of a covered account, or  any existing covered account

15. 15 Program Requirement (con’t) The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of activities.

16. 16 Elements of the Program Must include reasonable policies and procedures to:  Identify relevant red flags* and incorporate them into the Program  Detect red flags that are part of the Program  Respond appropriately to any red flags that are detected  Ensure the Program is updated periodically to address changing risks * A red flag is a pattern, practice, or specific activity that could indicate identity theft

17. 17 Administration of the Program  Obtain approval of the initial Program by the board or a committee thereof Thereafter may designate a senior management employee to oversee:  Development, implementation, and administration of the Program  Training of appropriate staff  Service provider arrangements

18. 18 Consideration of the Guidelines Rules require:  Consideration of the Guidelines  Incorporation of appropriate Guidelines into the Program

19. 19 Identity Theft Red Flag Guidelines

20. 20 Overview of the Guidelines I. Incorporate existing policies and procedures II. Identify relevant red flags III. Procedures to detect red flags IV. Appropriate responses to red flags V. Periodic updating of the Program VI. Administering the Program VII. Other legal requirements

21. 21 I. Incorporate Existing Policies and Procedures  Existing anti-fraud program  Information security program

22. 22 II. Identify Relevant Red Flags Risk factors for identifying relevant red flags are:  Types of covered accounts offered or maintained  Methods provided to open or access covered accounts  Previous experiences with identity theft

23. 23 II. Identify Relevant Red Flags (cont’d) Sources of red flags are:  Incidents of identity theft that have been experienced  Methods of identity theft reflecting changes in identity theft risks  Applicable supervisory guidance

24. 24 II. Identify Relevant Red Flags (cont’d) Five categories of red flags* are:  Alerts, notifications, or other warnings received from consumer reporting agencies or service providers  Presentation of suspicious documents  Presentation of suspicious personal identifying information  Unusual use of, or other suspicious activity related to, a covered account  Notice from customers, victims of identity theft, or law enforcement authorities * 26 examples are found in Supplement A

25. 25 III. Procedures to Detect Red Flags  Verify identity  Authenticate customers  Monitor transactions  Verify validity of address changes

26. 26 IV. Appropriate Responses to Red Flags  Monitor accounts  Contact customer  Change passwords  Close and reopen account  Refuse to open account  Don’t collect on or sell account (against the true consumer)  Notify law enforcement  No response is warranted

27. 27 V. Periodic Updating of the Program  Experience with identity theft  Changes in methods of identity theft  Changes in methods to detect, prevent, and mitigate identity theft  Changes in types of accounts offered  Changes in business arrangements

28. 28 VI. Administering the Program Oversight of the Program by the Board or a senior management employee involves:  Assigning specific responsibility for implementation  Reviewing reports  Approving material changes in the Program

29. 29 VI. Administering the Program (cont’d) Reports to the Board or senior management employee:  At least annually  Address material matters  Service provider arrangements  Effectiveness of the policies and procedures in addressing the risk of identity theft in connection with covered accounts  Significant incidents involving identity theft and management’s response  Recommendations for material changes to the Program

30. 30 VI. Administering the Program (cont’d) Oversight of service providers:  Ensure the service provider’s activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft

31. 31 VII. Other Legal Requirements  Suspicious Activity Reports (SARs)  Other FCRA provisions (e.g. 15 U.S.C. 1681s-2, information furnisher duties to update or correct inaccurate information, and not report inaccurate information)

32. 32 Examples of Red Flags (Supp. A)  Warning from consumer reporting agencies  Suspicious documents  Suspicious personal information  Inconsistent with external information sources  Documents provided for identification appear to be altered  Fraud or active duty alert included in consumer report

33. 33 Examples of Red Flags (cont’d)  Unusual use of account  Notice from customers  Customer notifies institution about identity theft.  Account used in a manner that is not consistent with historical patterns of activity

34. 34 Enforcement of Red Flags Rules  Administrative enforcement under Section 621 of the FCRA.  No private right of action  State Attorneys General  No criminal penalties

35. 35 Don’t Panic! The Programs are risk-based and flexible. Consider the bigger picture.

36. 36 Rule on Duties of Card Issuers Regarding Changes of Address

37. 37 Identity Theft Red Flags FACT Act Section 114 FCRA Section 615(e) 16 CFR 681.3

38. 38 Covered Entities Financial institutions or creditors that issue debit or credit cards.

39. 39 Address Validation A card issuer must have reasonable policies and procedures to assess an address change when:  A consumer sends a notice of address change, and  The card issuer receives a request for an additional or replacement card within at least the first 30 days after the address change notice.

40. 40 Address Validation (con’t) Before issuing the additional or replacement card, the card issuer must:  Notify* the cardholder of the request and allow a reasonable means to report an incorrect address change, or  Otherwise assess the validity of the address change in accordance with its Identity Theft Prevention Program *Notice can be given at the cardholder’s former address or by any other communication means agreed upon.

41. 41 Alternative Timing The card issuer may fulfill the requirements of this rule when it receives the address change notification, before receiving the request for the additional or replacement card.

42. 42 Form of Notice The notice may be written or electronic, but it must be clear and conspicuous* and be provided separately from regular correspondence with the cardholder. *reasonably understandable and designed to call attention to the nature and significance of the information.

43. 43 Rule on Notices of Address Discrepancy

44. 44 Notices of Address Discrepancy FACT Act Section 315 FCRA Section 605(h) 16 CFR 681.1

45. 45 Notices of Address Discrepancy Duties of users of consumer reports that receive a “notice of address discrepancy” from a nationwide consumer reporting agency (NCRA as defined in FCRA)

46. 46 Notices of Address Discrepancy “Notice of address discrepancy” notifies the user of a substantial difference between:  Address the user provided, and  Address in the NCRA’s files

47. 47 Notices of Address Discrepancy Regulatory Requirement: The user must have reasonable policies and procedures to establish a reasonable belief that the consumer report relates to the consumer about whom the report was requested

48. 48 Notices of Address Discrepancy Establishing a reasonable belief –– Examples  Compare information in the consumer report to information the user:  Maintains in its records  Obtains from third-party sources  Obtained to comply with CIP rules  Verify information in the consumer report with the consumer

49. 49 Notices of Address Discrepancy Regulatory Requirement: The user must have reasonable policies and procedures to furnish a confirmed address for the consumer to the NCRA, when the user:  Can form a reasonable belief that the report relates to the consumer  Establishes a continuing relationship with the consumer  Regularly furnishes information to the NCRA

50. Naomi Lefkovitz Federal Trade Commission redflags@ftc.gov (202) 326-3058