Fair and Accurate Credit Transaction Act (FACTA)

Sd

– The Fair and Accurate Credit Transactions Act (FACTA) added new sections to the Federal Fair Credit Reporting Act, intended to primarily help consumers fight the growing crime of identity theft. Accuracy and privacy of information provided regarding a consumer’s credit profile, limits put on information sharing, and providing consumers with new rights regarding disclosure of information shared are included in FACTA.

CFPB

This Act is designed to focus primarily on the creditors and the credit reporting agencies. Most of the requirements for compliance fall upon these two sectors of the credit industry; however, there are some procedures that MLOs, when acting as users of credit reports, must adhere to.

• A MLO shall provide the Notice to Home Loan Applicant – Credit Score Information Disclosure to the consumer, properly filled out, at the time that a consumer credit report is obtained. This disclosure shall include the scores given by each bureau, and the major factors affecting the scores. • A MLO should take reasonable steps to confirm that an application for credit has not been submitted by an identity thief if a “fraud alert” or “active duty” alert has been placed in a consumer’s credit file. • A MLO and/or mortgage broker shall adopt procedures to assure that consumer credit reports not retained in a consumer’s file be destroyed, to prevent “dumpster divers” from accessing personal data to be used in identity theft

– The Federal Trade Commission (FTC), the Federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rules) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions Act of 2003. The programs must be in place by November 1, 2008, and must provide for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft. – The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers. – The Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations. Guidelines issued by the FTC, the Federal banking agencies, and the NCUA (ftc.gov/opa/2007/10/redflag.shtm) should be helpful in assisting covered entities in designing their programs. A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into 5 categories: • Alerts, notifications, or warnings from a consumer reporting agency; • Suspicious documents; • Suspicious personally identifying information, such as a suspicious address; • Unusual use of – or suspicious activity relating to – a covered account; and • Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

As of June 2005, the Federal Trade Commission requires businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer credit reports and other information. Any business or individual who uses a consumer credit report for a business purpose, is subject to the requirements of the Disposal Rule and required to properly dispose of information in consumer reports and records to protect against “unauthorized access to or use of the information.”