JANUARY 2004

FCRA, the Fact Act and Identity Theft

Last month in this column we reported that Congress passed the Fair and Accurate Credit Transactions Act of 2003 which preserved a uniform national credit reporting system and gave consumers important new protections. This month we provide more detail on how the new act will help consumers cope with and ultimately prevent identity theft. The following summary is based on an excellent article in the American Banker by privacy attorneys L. Richard Fischer and Oliver I. Ireland. They note that many of the specifics have yet to be worked out because the Act gives rule-writing responsibility and authority to various federal agencies that will develop and issue guidelines throughout 2004.

• Fraud alerts: Victims of identity theft, or consumers who suspect that they may be victims, can place a fraud alert on their credit files. Initial fraud alerts based on a consumer’s good-faith suspicion must remain on the file at least 90 days. If a consumer provides the reporting agency with a police report, an extended alert can be placed for up to seven years. The alert signals the user (banks and other lenders) that a new account should not be opened in the consumer’s name unless the issuer takes extra steps to verify the consumer’s identity. When an "initial" alert appears on a file, the lender must contact the consumer at the phone number listed in the alert, or via other "reasonable" steps. Extended alerts require issuers to verify the applicant’s identity in person, or via a phone number specified in the alert. This rule does not apply to transactions on existing accounts (i.e., continued use of an existing credit card), or credit line increases initiated by the lender.

• Ban on printed account numbers: The FACT Act prohibits merchants from printing the customer’s entire account number and expiration date on receipts generated at the point of sale. This should make it more difficult for identity thieves to obtain useful information about a customer’s account.

• Red-flag procedures: Federal regulatory authorities are required to develop "red flag" guidelines and regulations that will require creditors and reporting agencies to consider patterns and practices of transaction activity that signal potential identity theft. One such "red flag" could, for example, specify procedures that lenders must follow in response to certain change-of-address requests.

• Block reporting of ID theft victims’ files: Consumer reporting agencies (credit bureaus) are required to block the reporting of information that consumers’ identify as the result of identity theft. The consumer must provide appropriate identification information, copy of an police report about the identity theft, and specific related information. The reporting agencies must stop reporting the disputed information and notify each furnisher that a block has been placed on information that it provided.