The Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA, Pub.L. 108-159) is a United States federal law, passed by the United States Congress on November 22, 2003, and signed by President George W. Bush on December 4, 2003, as an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, www.annualcreditreport.com, to provide free access to annual credit reports.
The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.
Financial institutions face a mandatory deadline of November 1, 2008, to comply 3 new FACT Act regulations referred to as the Red Flag Rules, section 114 and 315 of the Fair and Accurate Credit Transactions (FACT) Act. However, due to widespread confusion over coverage under the act, specifically whether the term "creditor" applies to particular businesses, the FTC had postponed the deadline for compliance with Section 315 to May 1, 2009.
According to a Business Alert issued by the Federal Trade Commission in June 2008, the Red Flag Rules apply to a very broad list of businesses including "financial institutions" and "creditors" with "covered account". A "creditor" is defined to include "lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies." However, this is not an all-inclusive list.
The regulations apply to all businesses that have "covered accounts". A "covered account" includes any account for which there is a foreseeable risk of identity theft. For example, credit cards, monthly billed accounts like utility bills or cell phone bills, social security numbers, drivers license numbers, medical insurance accounts, and many others. This significantly expands the definition to include all companies, regardless of size that maintain, or otherwise possess, consumer information for a business purpose. Because of the broad definitions in these regulations, few businesses will be able to escape these requirements.
There are three new regulations:
- One that requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft;
- Another that requires users of consumer reports to respond to Notices of Address Discrepancies that they receive; and
- A third that places special requirements on issuers of debit or credit cards to assess the validity of a change of address if they receive notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterward they receive a request for an additional or replacement card for the same account.
Another key item was the requirement that mortgage lenders provide consumers with a Credit Disclosure Notice that included their credit scores, range of scores, credit bureaus, scoring models, and factors affecting their scores. This form is typically available from credit reporting agencies, and many will send this directly to the consumer on the lenders' behalf.
For more information, read about the UC Financial Red Flag Program.
To view PDF files, you will need Adobe Acrobat Reader, a free download.