FAIR CREDIT REPORTING ACT DISPOSAL RULE AND PROPOSED RULE FOR ADDRESS DISCREPANCIES AND IDENTITY THEFT PREVENTION PROGRAMS

Materials Prepared by:
Joseph E. ("Jed") Mayk
Blank Rome, LLP
(215) 569-5576
mayk@blankrome.com

DISPOSAL RULE

Added to FCRA by the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). Section 628, 15 U.S.C. 1681w, required the FTC, federal banking agencies, National Credit Union Administration and Securities and Exchange Commission to promulgate consistent regulations requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information.

The Disposal Rule covers any person, corporation, or other organization that uses consumer reports. The FTC has jurisdiction over the vast majority of individuals and entities that are subject to the Disposal Rule.

The Disposal Rule applies to consumer information, which is defined as any record about an individual that is a consumer report or derived from a consumer report, and also includes any compilation of such records. However, consumer information does not include information that does not identify individuals, such as aggregate information or blind data. See 16 C.F.R. 682.1(b).

A consumer report is the communication of any information by a consumer reporting agency that bears on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected to serve as a factor in establishing a consumer's eligibility for credit, insurance, employment purposes, or any other permissible purpose under FCRA. See 15 U.S.C. 1681a(d).

DISPOSAL RULE (Continued)

Thus, credit reports obtained on principals, guarantors or others in connection with an extension of trade credit are covered by the Disposal Rule. Further, any records that are derived from a consumer report are similarly covered (e.g., underwriting sheets that contain information from a consumer report).

The standard for proper disposal is reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. See 16 C.F.R. 682.3(a).

Examples of reasonable measures include:

- Policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information.
- Policies and procedures that require the destruction or erasure of electronic media containing consumer information.
- Performing appropriate due diligence on and monitoring the services of any company engaged to destroy or dispose of such material. Such due diligence could include reviewing an independent audit of the disposal company's operations, obtaining information about the disposal company from references, requiring the disposal company to be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies and procedures, or taking other appropriate measures to determine the competency and integrity of the disposal company.

PROPOSED RULE ON ADDRESS DISCREPANCIES AND IDENTITY THEFT PREVENTION PROGRAMS

The FACT Act also added Sections 605(h) (15 U.S.C. 1681c(h)) and 615(e) (15 U.S.C. 1681m(e)). For both of these sections, guidelines and regulations must be promulgated jointly by the federal banking agencies, NCUA and FTC.

On July 18, 2006, the regulators released their proposed rule. There are four components:

- Reasonable policies and procedures that users of consumer reports must employ when a user receives notice of an address discrepancy from a consumer reporting agency;
- Guidelines for each financial institution and creditor regarding identity theft with respect to account holders or other customers;
- Reasonable policies and procedures that a financial institution or creditor must employ to help prevent identity theft;
- Specific regulations for credit card issuers regarding change of address notices for existing accounts.

Note that these are PROPOSED regulations. They have not been finalized yet, nor is there any indication at this time when the regulations will be effective once finalized.

COVERAGE OF PROPOSED RULE

The proposed address discrepancy regulations apply to any user of a consumer report.

The proposed identity theft guidelines and regulations apply to financial institutions (i.e., banks) and creditors. FCRA defines a creditor by reference to the federal Equal Credit Opportunity Act ("ECOA"). See 15 U.S.C. 1681a(r)(5). Under ECOA, a creditor includes someone who sells goods or services and accepts payment on a deferred basis. See 15 U.S.C. 1691a(d), (e).

Thus, both the address discrepancy provisions of the proposed rule and the identity theft guidelines and regulations (other than the credit card issuer provisions) will apply to companies that extend trade credit.

ADDRESS DISCREPANCIES

Since December 1, 2004, nationwide consumer reporting agencies have been required to notify requestors of consumer reports when there is a substantial difference between the address of the consumer given by the requestor of the report and the address information in the consumer reporting agency's file on the consumer. See 15 U.S.C. 1681c(h)(1).

The proposed rule is intended to provide guidance on the policies and procedures that a user of the consumer report should employ when it receives notice of such an address discrepancy. See 15 U.S.C. 1681c(h)(2).

Under the proposed rule, there are two principal obligations that a user would have when it receives notice of an address discrepancy:

- The user must have in place reasonable policies and procedures to verify the identity of the consumer. The customer identification and verification procedures required of many financial institutions by the USA PATRIOT Act would suffice as appropriate methods of verifying a consumer's identity (e.g., collect name, address, date of birth and social security number and verify by documentary methods).
- If the user (1) can form a reasonable belief that it knows the consumer's identity; (2) establishes or maintains a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy was obtained, there are additional requirements for reporting the consumer's address to the consumer reporting agency for the duration of the relationship.

IDENTITY THEFT RED FLAG GUIDELINES/REGULATIONS

The proposed rule on identity theft guidelines and regulations is intended to address the risk of identity theft with respect to the customers of a financial institution or creditor.

As proposed, "customer" would be defined as a person that has an account with a financial institution or creditor. This definition is significant for two reasons:

- A "person" is defined in FCRA as including partnerships, corporations, trusts, etc. The regulators could have chosen to use the term "consumer," which is more narrowly defined in FCRA as an individual. Thus, the proposed identity theft guidelines and regulations cover potential identity theft involving a corporate entity.
- The proposed rule defines "account" as including an extension of credit for a business purpose.

IDENTITY THEFT RED FLAG GUIDELINES/REGULATIONS (CONTINUED)

The proposed guidelines identify numerous broad indicators of potential identity theft. In more general terms, these red flags of identity theft may be derived from numerous sources, such as information from a consumer reporting agency, documentary identification, personal information provided by the customer, address changes, and anomalous use of the account.

DEVELOPMENT OF IDENTITY THEFT PREVENTION PROGRAMS ("ITPP")

Each financial institution and creditor must implement a written ITPP that includes reasonable policies and procedures to address the risk of identity theft to its customers and the safety and soundness of the financial institution or creditor.

The ITPP must be appropriate for the size and complexity of the financial institution or creditor and the nature and scope of its activities.

The ITPP must be designed to address changing identity theft risks based on the experiences of the financial institution or creditor and changes in the methods of identity theft and the methods to detect and prevent identity theft.

CONTENTS OF THE ITPP

Policies and procedures to identify indicators of identity theft (i.e., "red flags") based upon a risk evaluation.

The ITPP must incorporate applicable red flags from the guidelines, applicable supervisory guidance, incidents of identity theft that the institution or creditor has experienced, and methods of identity theft that the institution or creditor has identified that reflect changes in identity theft risks.

In determining which red flags to incorporate into its ITPP, the financial institution or creditor would have to consider which of its accounts are subject to a risk of identity theft; the methods it provides to open accounts; the method it provides for access to the accounts; and its size, location and customer base.

There will be no one-size-fits-all ITPP.

CONTENTS OF THE ITPP (CONTINUED)

The ITPP would have to include policies and procedures designed to mitigate identity theft risk in connection with the opening of an account or any existing account, including procedures to:

- Obtain identifying information about, and verify the identity of, the person opening the account (use of the USA PATRIOT Act customer identification rules would suffice);
- Detect the existence of any red flags;
- Assess whether the red flags detected evidence a risk of identity theft; and
- Address the risk of identity theft, commensurate with the degree of the risk posed (e.g., monitor the account, contact the customer, refuse to open an account, etc.).

The ITPP would have to include policies and procedures for training staff to implement the ITPP.

Policies and procedures would have to address the oversight of service providers (e.g., using third parties to help open accounts).

CONTENTS OF THE ITPP (CONTINUED)

The ITPP would have to be approved by the board of directors or an appropriate committee.

In addition, the board, an appropriate committee or senior management must oversee the development, implementation and maintenance of the program and review an annual report prepared by staff regarding compliance with the identity theft regulations.