FAIR CREDIT REPORTING ACT DISPOSAL RULE AND PROPOSED RULE FOR ADDRESS DISCREPANCIES AND IDENTITY THEFT PREVENTION PROGRAMS. Materials Prepared by:

Transcription

1 FAIR CREDIT REPORTING ACT DISPOSAL RULE AND PROPOSED RULE FOR ADDRESS DISCREPANCIES AND IDENTITY THEFT PREVENTION PROGRAMS Materials Prepared by: Joseph E. ( Jed ) Mayk Blank Rome, LLP (215) mayk@blankrome.com

2 DISPOSAL RULE Added to FCRA by the Fair and Accurate Credit Transactions Act of 2003 ( FACT Act ). Section 628, 15 U.S.C. 1681w, required the FTC, federal banking agencies, National Credit Union Administration and Securities and Exchange Commission to promulgate consistent regulations requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information. The Disposal Rule covers any person, corporation, or other organization that uses consumer reports. The FTC has jurisdiction over the vast majority of individuals and entities that are subject to the Disposal Rule. The Disposal Rule applies to consumer information, which is defined as any record about an individual that is a consumer report or derived from a consumer report, and also includes any compilation of such records. However, consumer information does not include information that does not identify individuals, such as aggregate information or blind data. See 16 C.F.R (b). A consumer report is the communication of any information by a consumer reporting agency that bears on a consumer s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected to serve as a factor in establishing a consumer s eligibility for credit, insurance, employment purposes, or any other permissible purpose under FCRA. See 15 U.S.C. 1681a(d).

3 DISPOSAL RULE (Continued) Thus, credit reports obtained on principals, guarantors or others in connection with an extension of trade credit are covered by the Disposal Rule. Further, any records that are derived from a consumer report are similarly covered (e.g., underwriting sheets that contain information from a consumer report). The standard for proper disposal is reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. See 16 C.F.R (a). Examples of reasonable measures include: Policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information. Policies and procedures that require the destruction or erasure of electronic media containing consumer information. Performing appropriate due diligence on and monitoring the services of any company engaged to destroy or dispose of such material. Such due diligence could include reviewing an independent audit of the disposal company s operations, obtaining information about the disposal company from references, requiring the disposal company to be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company s information security policies and procedures, or taking other appropriate measures to determine the competency and integrity of the disposal company.

4 PROPOSED RULE ON ADDRESS DISCREPANCIES AND IDENTITY THEFT PREVENTION PROGRAMS The FACT Act also added Sections 605(h) (15 U.S.C. 1681c(h)) and 615(e) (15 U.S.C. 1681m(e)). For both of these sections, guidelines and regulations must be promulgated jointly by the federal banking agencies, NCUA and FTC. On July 18, 2006, the regulators released their proposed rule. There are four components: Reasonable policies and procedures that users of consumer reports must employ when a user receives notice of an address discrepancy from a consumer reporting agency; Guidelines for each financial institution and creditor regarding identity theft with respect to account holders or other customers; Reasonable policies and procedures that a financial institution or creditor must employ to help prevent identity theft. Specific regulations for credit card issuers regarding change of address notices for existing accounts. Note that these are PROPOSED regulations. They have not been finalized yet, nor is there any indication at this time when the regulations will be effective once finalized

5 COVERAGE OF PROPOSED RULE The proposed address discrepancy regulations apply to any user of a consumer report. The proposed identity theft guidelines and regulations apply to financial institutions (i.e., banks) and creditors. FCRA defines a creditor by reference to the federal Equal Credit Opportunity Act ( ECOA ). See 15 U.S.C. 1681a(r)(5). Under ECOA, a creditor includes someone who sells goods or services and accepts payment on a deferred basis. See 15 U.S.C. 1691a(d), (e). Thus, both the address discrepancy provisions of the proposed rule and the identity theft guidelines and regulations (other than the credit card issuer provisions) will apply to companies that extend trade credit.

6 ADDRESS DISCREPANCIES Since December 1, 2004, nationwide consumer reporting agencies have been required to notify requestors of consumer reports when there is a substantial difference between the address of the consumer given by the requestor of the report and the address information in the consumer reporting agency s file on the consumer. See 15 U.S.C. 1681c(h)(1). The proposed rule is intended to provide guidance on the policies and procedures that a user of the consumer report should employ when it receives notice of such an address discrepancy. See 15 U.S.C. 1681c(h)(2). Under the proposed rule, there are two principal obligations that a user would have when it receives notice of an address discrepancy. The user must have in place reasonable policies and procedures to verify the identity of the consumer. The customer identification and verification procedures required of many financial institutions by the USA PATRIOT Act would suffice as appropriate methods of verifying a consumer s identity (e.g., collect name, address, date of birth and social security number and verify by documentary methods). If the user (1) can form a reasonable belief that it knows the consumer s identity; (2) establishes or maintains a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy was obtained, there are additional requirements from reporting the consumer s address to the consumer reporting agency for the duration of the relationship.

7 IDENTITY THEFT RED FLAG GUIDELINES/REGULATIONS The proposed rule on identity theft guidelines and regulations is intended to address the risk of identity theft with respect to the customers of a financial institution or creditor. As proposed, customer would be defined as a person that has an account with a financial institution or creditor. This definition is significant for two reasons: A person is defined in FCRA as including partnerships, corporations, trusts, etc. The regulators could have chosen to use the term consumer, which is more narrowly defined in FCRA as an individual. Thus, the proposed identity theft guidelines and regulations cover potential identity theft involving a corporate entity. The proposed rule defines account as including an extension of credit for a business purpose.

8 IDENTITY THEFT RED FLAG GUIDELINES/REGULATIONS (CONTINUED) The proposed guidelines identify numerous broad indicators of potential identity theft. In more general terms, these red flags of identity theft may be derived from numerous sources, such as information from a consumer reporting agency, documentary identification, personal information provided by the customer, address changes, and anomalous use of the account.

9 DEVELOPMENT OF IDENTITY THEFT PREVENTION PROGRAMS ( ITPP ) Each financial institution and creditor must implement a written ITPP that includes reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor. The ITPP must be appropriate for the size and complexity of the financial institution or creditor and the nature and scope of its activities. The ITPP must be designed for address changing identity theft risks based on the experiences of the financial institution or creditor and changes in the methods of identity theft and the methods to detect and prevent identity theft.

10 CONTENTS OF THE ITPP Policies and procedures to identify indicators of identity theft (i.e., red flags ) based upon a risk evaluation. The ITPP must incorporate applicable red flags from the guidelines, applicable supervisory guidance, incidents of identity theft that the institution or creditor has experienced, and methods of identity theft that the institution or creditor has identified that reflect changes in identity theft risks. In determining which red flags to incorporate into its ITPP, the financial institution or creditor would have to consider which of its accounts are subject to a risk of identity theft; the methods it provides to open accounts; the method it provides for access to the accounts; and its size, location and customer base. There will be no one size fits all ITPP.

11 CONTENTS OF THE ITPP (CONTINUED) The ITPP would have to include policies and procedures designed to mitigate identity theft risk in connection with the opening of an account or any existing account, including procedures to: Obtain identifying information about, and verify the identity of, the person opening the account (use of the USA PATRIOT Act customer identification rules would suffice); Detect the existence of any red flags; Assess whether the red flags detected evidence a risk of identity theft; and Address the risk of identity theft, commensurate with the degree of the risk posed (e.g., monitor the account, contact the customer, refuse to open an account, etc.). The ITPP would have to include policies and procedures for training staff to implement the ITPP. Policies and procedures would have to address the oversight of service providers (e.g. using third parties to help open accounts).

12 CONTENTS OF THE ITPP (CONTINUED) The ITPP would have to be approved by the board of directors or an appropriate committee. In addition, the board, an appropriate committee or senior management must oversee the development, implementation and maintenance of the program and review an annual report prepared by staff regarding compliance with the identity theft regulations.