Fair and Accurate Credit Transactions Act of 2003


1-800-BANKERS www.aba.com

Overview of FCRA Legislation

Fair and Accurate Credit Transactions Act of 2003

World-Class Solutions, Leadership & Advocacy Since 1875

Donald G. Ogilvie

President and CEO

Phone: (202) 663-5011

Fax: (202) 663-7533

Email: dogilvie@aba.com

1120 Connecticut Avenue, NW

Washington, DC 20036


November 24, 2003

Dear ABA Member:

The ABA is pleased to provide its members with this summary of the Fair and Accurate Credit Transactions Act of 2003. This act contains a number of important provisions supported by the ABA, particularly the permanent preemption of a wide range of areas of state law. We were also successful in defeating a number of onerous proposals during the legislative process, while significantly improving a large number of other provisions.

Nonetheless, there are some new provisions with which banks will have to comply, which this summary seeks to identify for you.

I believe this summary, prepared immediately after Congress passed the final version of this bill, will provide you with an excellent overview of the law. You should, of course, consult your own attorneys for legal interpretations and advice as to how the law will affect your institution. The ABA will be providing its members with additional material relating to the implementation of this law in the coming months.

The ABA is indebted to the law firm of Morrison & Foerster, which prepared this summary under the direction of L. Richard Fischer, Oliver I. Ireland, and Kristina A. K. Hickerson.

This law firm is a leading firm on financial services law and has particular expertise in consumer law, including the Fair Credit Reporting Act. Mr. Fischer has advised a wide variety of financial institutions and other companies on the full range of financial services, payment system, and retail banking issues. In particular, his practice has a special emphasis on privacy, e-commerce, technology, and joint venture issues. Mr. Ireland’s practice focuses primarily on retail financial services including electronic commerce, compliance with Federal Reserve regulations, including Regulations Z and E, compliance with the Gramm-Leach-Bliley Act privacy provisions, the Fair Credit Reporting Act, E-SIGN, the U.S. PATRIOT Act and telemarketing rules. Prior to joining the firm, Mr. Ireland served as Associate General Counsel of the Board of Governors of the Federal Reserve System, where he was responsible for drafting or interpreting numerous regulations. Ms. Hickerson is an associate with the firm and was intimately involved in the legislation as it was being developed.

We hope you find this information helpful. We are always interested in knowing how we are doing and what else we can provide our members, so let us know. Our goal is to provide world-class solutions, leadership and advocacy.

Sincerely,

Donald Ogilvie

President and CEO

American Bankers Association

Prepared by

Morrison & Foerster LLP

November 24, 2003

Congress has just completed work on the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”). In order to assist you in understanding the many complex provisions of this important legislation, we have prepared both an overview and a more detailed review of the FACT Act.

We worked closely with the American Bankers Association and other organizations throughout the legislative process to achieve the most favorable legislative result possible for banks of all sizes, and for the financial services industry generally. Most of our goals were achieved in the legislation. For example, the FACT Act provides a full and permanent reauthorization of the existing seven key national uniformity provisions. In addition, the FACT Act adds national uniformity for the identity theft prevention measures included in the legislation, as well as for other key provisions — like those dealing with marketing solicitations based on affiliate information and risk-based pricing notices. The FACT Act also includes important limitations on liability for many of the law’s new requirements.

We believe the overview and the detailed review will be helpful to American Bankers Association members in their compliance efforts. Nevertheless, we still encourage you and your counsel to do a thorough review of the FACT Act in order to gain a more complete understanding of the impact of the legislation on your organization.

L. Richard Fischer Oliver I. Ireland Kristina A.K. Hickerson

Morrison & Foerster LLP

Washington, D.C.

November 24, 2003 Fair and Accurate Credit Transactions Act of 2003

Table of Contents

Overview of Legislation

National Uniformity Provisions/Preemption of State Law

Affiliate Sharing

Risk-Based Pricing

Identity Theft Prevention

Fraud Alerts

Truncating Credit Card and Debit Card Account Numbers

Red Flag Guidelines and Regulations

Investigating Changes of Address

Blocking of Information

Consumer Notification of Reports of Negative Information

Duties of Furnishers of Information

Limitation on Liability and Enforcement

Other Sections of Interest

I. National Uniformity Provisions

A. Relation to State Law (Title VII, § 711)

1. Existing Seven FCRA National Uniformity Provisions

2. Identity Theft National Uniformity

3. Other National Uniformity Provisions

II. Affiliate Sharing

(Title II, § 214)

III. Risk-Based Pricing Notice

(Title III, § 311)

IV. Furnisher Responsibilities

(Title III, § 312)

A. Procedures to Enhance Accuracy and Integrity

B. Prevention of Repollution of Consumer Reports (Title I, § 154)

C. Improved Disclosure of the Results of Reinvestigation (Title III, § 314)

V. Identity Theft Provisions

A. Fraud Alerts and Active Duty Alerts (Title I, § 112)

B. Obligation of Users Upon Receipt of Alerts (Title I, § 112)

C. Truncation of Credit Card and Debit Card Account Numbers (Title I, § 113)

D. Establishing Procedures for Identification of Possible Identity Theft (Title I, § 114)

1. Red Flag Guidelines

2. Change of Address

Cites in parentheses refer to sections in the bill.

© 2003 AMERICAN BANKERS ASSOCIATION


E. Authority to Truncate Social Security Numbers (Title I, § 115)

F. Summary of Rights of Identity Theft Victims (Title I, § 151)

G. Obligation to Provide Records to Victims (Title I, § 151)

H. Blocking Information Resulting from Identity Theft (Title I, § 152)

I. Coordination of Identity Theft Investigations (Title I, § 153)

J. Notice by Debt Collectors of Fraudulent Information (Title I, § 155)

VI. Improvement of Credit Report Files

A. Free Credit Reports (Title II, § 211)

B. Credit Scores (Title II, § 212)

C. Enhanced Disclosure on Opt Out of Prescreened Lists (Title II, § 213)

D. Requirement to Disclose Communications to a Consumer Reporting Agency (Title II, § 217)

E. Reconciling Addresses (Title III, § 315)

F. Disposal of Consumer Report Information (Title II, § 216)

G. Notice of Dispute Through Reseller (Title III, § 316)

H. Reasonable Reinvestigation Requirement (Title III, § 317)

VII. Statute of Limitations

A. Statute of Limitations (Title I, § 156)

VIII. Limiting the Use and Sharing of Medical Information in the Financial System

A. Protection of Medical Information in the Financial System (Title IV, § 411)

B. Confidentiality of Medical Contact Information in Consumer Reports (Title IV, § 412)

IX. Financial Literacy and Education Improvement

A. Financial Literacy and Education Commission (Title V, §§ 511-18)

X. Protecting Employee Misconduct Investigations

A. Certain Employee Investigation Communications Excluded from Definition of Consumer Report (Title VI, § 611)

XI. Additional Federal Studies

A. FTC Data Base of Consumer Reporting Agency Complaints (Title III, § 313)

B. FTC Study of Issues Relating to the FCRA (Title III, § 318)

C. FTC Study of the Accuracy of Consumer Reports (Title III, § 319)

D. Study on the Use of Technology to Combat Identity Theft (Title I, § 157)

E. Study of Effects of Credit Scores (Title II, § 215)

XII. Effective Dates


Fair and Accurate Credit Transactions Act of 2003

Overview of Legislation

Prepared by Morrison & Foerster LLP

Congress has now passed H.R. 2622 — the “Fair and Accurate Credit Transactions Act of 2003” (“FACT Act”) — permanently reauthorizing the important national uniformity provisions of the Fair Credit Reporting Act (“FCRA”) and amending the FCRA to further strengthen this country’s national credit reporting system and to assist both financial institutions and consumers in the fight against identity theft.

Following is an overview of the key provisions in the FACT Act. The applicable effective dates for most of the new FCRA requirements will be established through a special, short-term rulewriting process by the Federal Reserve Board (“FRB”) and the Federal Trade Commission (“FTC”).

National Uniformity/Preemption of State Law

The FACT Act includes a full and permanent reauthorization of the seven existing FCRA national uniformity provisions, which were scheduled to sunset on January 1, 2004. As a result, states will be prevented permanently from taking action in such areas as furnisher responsibilities, the contents of consumer reports, prescreening and affiliate sharing. Importantly, the FACT Act also provides for preemption for the nine identity theft prevention subjects addressed in the legislation. The new national uniformity established for the identity theft provisions of the legislation focuses on the subjects covered in the FACT Act itself and, thus, does not address other identity theft-related subjects that fall outside the scope of the legislation. As a result, for example, this new national uniformity provision applies to fraud alerts, “red flag” guidelines, identity verification and other identity theft measures addressed in the legislation, as well as those addressed in the corresponding regulations called for by the FACT Act. However, the new national uniformity provisions do not apply to state laws governing the use of social security numbers, alerts for data base hackings or increased criminal penalties for identity theft perpetrators. In addition, the FACT Act includes important national uniformity provisions for many other subjects addressed in the legislation, including the new affiliate marketing solicitation requirements, the risk-based pricing notices and provisions regarding the disclosure of consumer reports and credit scores.

Affiliate Sharing

The FACT Act establishes a new restriction in the FCRA for solicitations made for marketing purposes when those solicitations are based on the use of information received from an affiliate. The restriction applies to identified customer information received from an affiliate that would constitute a consumer report except for the exclusions in the definition of consumer report under the FCRA. As a result, the restriction applies to the use of credit bureau reports, application information and transaction and experience information received from an affiliate for the purpose of making marketing solicitations. While the provision does not further restrict the sharing of information among affiliates, it prevents the affiliate receiving such information from using the information to make a solicitation for marketing purposes to the consumer about that affiliate’s products or services, unless the consumer is first given notice and an opportunity and simple method to opt out of receiving such marketing solicitations. As a result, it is important to understand that the FACT Act does not establish a general restriction on the sharing of information with affiliates and does not limit the ability of affiliated financial organizations to establish common data bases of information. Instead, the FACT Act only provides that the affiliate receiving that information cannot use that information to make marketing solicitations, absent an applicable exception, without first complying with the new notice and opt-out requirements of the statute. In addition, the FACT Act leaves undisturbed the existing FCRA notice and opt-out requirement for the sharing of “non-experience” information (such as consumer report information) between or among affiliated companies.

The various exceptions to these limits on marketing, however, should generally provide financial institutions with significant flexibility to market financial products. For example, this affiliate marketing solicitation restriction does not apply to a person using information to send a solicitation to a consumer with whom that person already has a pre-existing business relationship. So, a financial institution can always send marketing solicitations to its own customers even if those solicitations are based on information from an affiliate. Pre-existing business relationship is defined as a relationship between a company and a consumer based on: (1) a financial contract; (2) the purchase, rental or lease by the consumer of that company’s goods or services or a financial transaction (including an active account) between the consumer and that company during the 18-month period immediately preceding the date on which the consumer is sent a solicitation; or (3) an inquiry or application by the consumer regarding a product or service offered by that company during the three-month period immediately preceding the date on which the consumer is sent a solicitation. The affiliate marketing solicitation restriction also does not apply to an affiliate using information to perform servicing functions for the affiliated institution that currently has a customer relationship with the consumer; so, for example, a financial institution can use the services of one of its affiliates to send marketing solicitations to the financial institution’s own customers regarding its own products or the products of an affiliate (other than the affiliate performing the servicing function) or of a third party. In addition, the provision does not apply to consumer-initiated requests for information about products or services, or to solicitations authorized or requested by the consumer.

The notice required under this section must allow the consumer the opportunity to prohibit all solicitations for marketing purposes if those solicitations are based on information received from an affiliate, and may allow, if the financial institution providing the notice so elects, the consumer to choose different options when electing to prohibit the sending of such solicitations. The notice must be clear, conspicuous and concise, and the method of how the notice is provided must be simple. If a consumer elects to opt out of receiving marketing solicitations under this affiliate sharing provision, the election is effective for at least five years, beginning on the date that the financial institution receives the consumer’s election, unless the consumer requests that the election be revoked. After the expiration of the five-year period, the consumer must be given another notice and an opportunity to renew the opt-out election for another period of at least five years, but only if the financial institution wants to begin sending such solicitations; otherwise, no new notice is required. Again, the restrictions in the bill only apply where no exception otherwise applies, and for marketing that is based upon shared information. Marketing to existing consumers, for example, or marketing that does not involve information from an affiliate, are not subject to the restrictions of this bill.

The federal banking agencies (“Banking Agencies”), the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission and the FTC, with respect to the entities subject to their respective enforcement authority, are responsible for prescribing regulations to implement the notice requirements.

These regulations are to provide specific guidance on compliance with the clear notice and simple opt-out standards. Although the FACT Act takes a functional regulator approach for developing these regulations, the agencies are directed to consult and coordinate with each other, so that the rules will be consistent. The section also clarifies that there is no retroactivity; i.e., the affiliate marketing solicitation restriction does not affect the use of affiliate information for marketing if the information was received by the affiliate directly, or was contributed to a common data base, before the effective date of the implementing regulations. In other words, it has prospective application only with respect to the information covered, as well as for the solicitations made.

In addition, a notice or other disclosure that is “equivalent” to the notice required under this section and provided to a consumer as required by any other provision of law will satisfy the requirements of this section.

Accordingly, this affiliate marketing solicitation opt-out notice may be incorporated into a financial institution’s Gramm-Leach-Bliley Act (“GLBA”) privacy notice. It should be recognized, however, that including a new opt-out provision in the institution’s GLBA notice will further complicate notices that have already been criticized as overly complex.

Risk-Based Pricing

The FACT Act creates a new notice requirement for lenders that use consumer report information in connection with their risk-based credit pricing programs, for example, like those often used for mortgage programs and credit card offers. More specifically, lenders that use risk-based pricing underwriting programs based in whole or in part on credit report information must send a notice to new credit customers or prospective credit customers when consumer report information affects or could affect the terms of credit offered to those customers where the offered credit terms are “materially less favorable than the most favorable terms available to a substantial portion” of the lender’s new customers. This notice requirement does not apply where: (1) the consumer applied for specific material terms and was granted those terms, unless those terms were initially specified by the lender after the transaction was initiated by the consumer and after the lender obtained a consumer report (so, the notice requirement does not apply, for example, to prescreened offers unless the terms are changed after the consumer responds to the prescreened offer); or (2) the lender has provided or will provide a required adverse action notice under the FCRA’s existing adverse action provision; for example, where a consumer’s application is declined or the consumer rejects the lender’s less favorable counter offer.

The notice is intended to be a concise notice that includes a statement informing the consumer that the terms offered to the consumer were established, or will be established, based on consumer report information, identifies the consumer reporting agency that furnished, or will furnish, the report, states that the consumer may obtain a copy of a consumer report from that consumer reporting agency without charge and provides the contact information specified by the consumer reporting agency for obtaining such a consumer report.

The FRB and the FTC are directed to prescribe regulations jointly regarding the form, content, time and manner of delivery of the notice. It is anticipated that lenders will have flexibility in terms of the timing of providing the notice, including the ability of providing the notice in advance with the application or otherwise in connection with the application process, unless the FRB and FTC regulations specifically provide otherwise for that type of credit transaction. Importantly for all banks, and particularly community banks, the agencies also are directed to develop a model notice for this purpose upon which banks can rely.

The joint regulations issued by the FRB and FTC may affect the level of flexibility, and thus, the compliance burdens, resulting from this provision. For example, appropriate exceptions and flexible rules could significantly reduce compliance concerns.

Identity Theft Prevention

The FACT Act includes several new provisions to assist both financial institutions and consumers in combatting identity theft. These include requirements for fraud alerts on consumers’ credit files, truncating credit card and debit card account numbers, “red flag” procedures for the identification of possible instances of identity theft, investigating changes of address and blocking information resulting from identity theft. The FACT Act preempts state laws governing the conduct of financial institutions in these areas.

Fraud Alerts

Upon the request of a consumer in a manner consistent with the requirements of the FACT Act, a consumer reporting agency must place a fraud alert on a consumer’s credit file. A fraud alert is defined as a statement in a consumer’s file that the consumer may be a victim of identity theft or other fraud.

Fraud alerts may be initial or extended alerts. For an initial alert, which can last up to 90 days, the fraud alert requirements are triggered by the receipt by a consumer reporting agency of a request from a consumer who asserts in “good faith” a suspicion that he or she has been or is about to become a victim of identity theft. For initial alerts, if a consumer specifies a telephone number in the alert, the user must contact the consumer at that number or take reasonable steps to verify the consumer’s identity and confirm that the credit application is not the result of identity theft.

An extended alert is triggered by the receipt of an identity theft report that is filed by the consumer with an appropriate federal, state or local law enforcement agency and appropriate proof of the consumer’s identity.

For extended alerts, the user must contact the consumer by telephone or by other reasonable method designated by the consumer to confirm that the credit application is not the result of identity theft.

When a fraud alert is placed on a consumer’s credit file, the consumer reporting agency is required to inform the consumer that the consumer may request a free copy of the consumer’s credit report for initial alerts and two free copies for extended alerts. In addition, a consumer who has a fraud alert on his or her credit file is excluded from prescreened lists for five years for an extended alert, unless the consumer requests otherwise.

Truncating Credit Card and Debit Card Account Numbers

The FACT Act prohibits any person that accepts credit cards or debit cards from printing the expiration date or more than the last five digits of the card number upon any terminal-generated receipt provided to the cardholder at the point of the sale.

Red Flag Guidelines and Regulations

The FACT Act requires the Banking Agencies, the NCUA and the FTC to establish procedures for the identification of possible instances of identity theft — “red flag” guidelines and regulations. The Banking Agencies are expected to develop broad guidelines in this area, with the hope that such policies and procedures will permit variances from institution to institution. These agency guidelines are to be developed jointly. The FACT Act requires that the policies and procedures established under the “red flag” guidelines not be inconsistent with the policies and procedures required by Section 326 of the USA PATRIOT Act.

Thus, regulators may permit the same or similar policies and procedures to satisfy both purposes.

Investigating Changes of Address

The FACT Act also requires the Banking Agencies, the NCUA and the FTC to prescribe regulations applicable to card issuers to require the investigation of changes of address. More specifically, if a card issuer receives a notice of a change of address for an existing account, and within a short period of time thereafter (which period must be at least 30 days under the card issuer’s procedures) receives a request for an additional or replacement card for that same account, the card issuer must follow reasonable policies and procedures under which the issuer will not issue an additional or replacement card unless the card issuer: (1) notifies the cardholder of the request at the cardholder’s former address and provides the cardholder a means of promptly reporting an incorrect address change; (2) notifies the cardholder of the address change request by other means of communication previously agreed to by the card issuer and the cardholder; or (3) uses other means of assessing the validity of the address change, “in accordance with reasonable policies and procedures established by the card issuer” pursuant to the “red flag” guidelines. The Banking Agencies, the NCUA and the FTC also are required, in connection with developing the “red flag” guidelines, to consider requiring notice to the account holder when a transaction occurs on a consumer account that has been inactive for more than two years.

Blocking of Information

The FACT Act requires consumer reporting agencies to block the reporting of information that a consumer identifies as having resulted from identity theft, after the consumer reporting agency receives appropriate proof of the consumer’s identity, a copy of an identity theft report, as defined in the new law, and the identification of the information that resulted from the identity theft. Once this occurs, the consumer reporting agency must notify the furnisher of the information identified as being the result of identity theft that the information may be the result of identity theft, that an identity theft report has been filed, that a block has been placed on reporting that information and the effective date of the block. Under another provision of this bill, furnishers will have responsibilities to modify, delete or block the future reporting of such information as appropriate.

Consumer Notification of Reports of Negative Information

The FACT Act requires lenders that report negative information regarding customers to a consumer reporting agency to notify customers that the lender has reported, or will report, negative information, to consumer reporting agencies. After the lender provides one such notice to a customer, the lender may submit additional negative information to the consumer reporting agency with respect to the same transaction, extension of credit, account or customer without providing additional notices to the customer. The notice must be provided to the customer prior to, or no later than 30 days after, furnishing the negative information to a consumer reporting agency. The language of this provision appears sufficiently flexible to permit lenders to provide a standardized one-time notice to all of its customers before any negative information is reported; however, if the lender elects to provide the notice in advance, it may not include the notice with its initial Truth in Lending Act disclosure statement, but can include it with other material sent to customers, such as with the lender’s GLBA privacy notices. Importantly for all banks, and particularly community banks, the FRB is directed to develop a brief model disclosure of no more than 30 words that an institution may use in order to comply with the notice requirements.

Duties of Furnishers of Information

The FACT Act requires the Banking Agencies, the NCUA and the FTC to establish guidelines and prescribe regulations requiring financial institutions and other furnishers to establish reasonable policies and procedures regarding the accuracy and integrity of information reported to consumer reporting agencies. The agencies are to develop separate regulations on a functional basis, but are directed to coordinate in order to achieve consistent regulations.

The FCRA prohibits furnishers from reporting information with knowledge that it is not accurate. The FACT Act modifies the standard for furnishers in the FCRA from “knows or consciously avoids knowing that the information is inaccurate” to “knows or has reasonable cause to believe that the information is inaccurate.” The FACT Act defines the phrase “reasonable cause to believe that the information is inaccurate” as “having specific knowledge, other than solely allegations by the consumer, that would cause a reasonable person to have substantial doubt about the accuracy of the information.”

In addition, the FACT Act requires furnishers to have in place reasonable procedures to respond to a notice from a consumer indicating an identity theft-related dispute regarding information that the entity furnished to a consumer reporting agency. Consumers also are given the ability to dispute directly with a furnisher other information furnished to consumer reporting agencies in those circumstances identified in regulations to be developed by the Banking Agencies, the NCUA and the FTC. Under such identified circumstances, if a consumer disputes directly with a furnisher information that was reported to a consumer reporting agency, the furnisher must conduct an investigation of the disputed information provided by the consumer, review all relevant information provided by the consumer and report the results of the investigation to the consumer reporting agency — all within the time frame that would apply if the dispute was submitted directly to the consumer reporting agency. If the investigation finds that the information is inaccurate, the furnisher must promptly notify each consumer reporting agency to which the furnisher supplied information and provide any correction to that information necessary to make the information accurate.

Limitation on Liability and Enforcement

Although the FACT Act has created new requirements, the FACT Act also limits the liability and enforcement of certain of these additional requirements. For example, there is no private right of action for a violation of the new furnisher responsibilities or the risk-based pricing requirements. In addition, these requirements are subject only to administrative enforcement, and enforcement through injunctions and fines, resulting from a violation of the injunction, in actions brought by State Attorneys General.

Other Sections of Interest

The FACT Act also addresses other areas of importance to banks. Among them: (1) Disclosures of credit scores — mortgage lenders must provide to mortgage applicants either a credit score created by a consumer reporting agency or a credit score the lender developed or used; (2) Blocking identity theft-related information — furnishers of information must have reasonable procedures to stop re-reporting information identified by consumer reporting agencies as related to identity theft; and (3) Requirement to provide identity theft victims account information — financial institutions must provide to identity theft victims information related to the accounts opened by an identity thief. You should review the section-by-section summary for more information.

Fair and Accurate Credit Transactions Act of 2003

Detailed Review

Prepared by Morrison & Foerster LLP

I. National Uniformity Provisions

A. Relation to State Law (Title VII, § 711)

1. Existing Seven FCRA National Uniformity Provisions

This section of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) amends section 625 (previously section 624) of the Fair Credit Reporting Act (“FCRA”) to eliminate the January 1, 2004 sunset provision contained in the current FCRA and makes the existing uniform national standards — that is, the preemption of state laws — permanent. The subject matters covered by the existing national uniform provisions are: (1) the information that may be included in consumer reports; (2) the responsibilities of persons who furnish information to consumer reporting agencies; (3) the duties of persons to provide adverse action notices to consumers in connection with the use of consumer reports; (4) the procedures a consumer reporting agency must use if a consumer disputes the accuracy of information; (5) prescreening activities involving the use of consumer reports for credit or insurance transactions not initiated by consumers; (6) the exchange of information among affiliated institutions; and (7) the form or content of the summary of rights required to be provided by a consumer reporting agency to a consumer when a consumer reporting agency provides the consumer with information in the consumer’s credit file.

2. Identity Theft National Uniformity

The FACT Act also amends renumbered section 625 of the FCRA to provide for national uniformity for all of the nine identity theft prevention and mitigation provisions specified in the legislation. More specifically, the new national uniformity provision applies to fraud alerts, “red flag” guidelines, the blocking of information resulting from identity theft, the truncation of credit card and debit card account numbers, the truncation of social security numbers, prohibition of the sale or transfer of debt caused by identity theft, notice by debt collectors of fraudulent information, coordination of identity theft complaint investigations and prevention of repollution of consumer reports. However, the national uniformity provision does not apply to state laws that are outside of the nine areas covered by the statute or the resulting federal agency regulations, such as state laws governing the sale or use of social security numbers, alerts for data base hackings or increased criminal penalties for identity theft perpetrators.

Under this new national uniformity provision, no state, and no jurisdiction within a state, may add to, alter or affect the rules established by the statute in any of these nine areas, nor may any state, or jurisdiction within a state, add to, alter or affect the rules established by any of the regulations adopted in these nine areas.

All of the statutory and regulatory provisions establishing rules and requirements governing the conduct of any person in these nine specified areas are governed solely by federal law and any state action that attempts to impose requirements or prohibitions in these areas would be preempted. For example, no state may pass a law regarding fraud alerts or the identification of customers or prospective customers in connection with credit transactions for identity theft prevention or other anti-fraud purposes.

3. Other National Uniformity Provisions

The FACT Act also adds new national uniformity provisions for other key areas of the law. Specifically, national uniformity will govern the duties of lenders to provide notice in connection with credit transactions under the new FCRA risk-based pricing provision. The legislation also clarifies that national uniformity governs the new requirements with respect to the use of information received from an affiliate to make solicitations for marketing purposes. In fact, there are now two preemption provisions applicable to such activities. In addition, national uniformity applies to provisions addressing the summary of rights of consumers to obtain and dispute information in consumer reports, the right to obtain credit scores, the summary of rights of identity theft victims, and the obligation to provide certain records to identity theft victims.

II. Affiliate Sharing (Title II, § 214)

The current FCRA permits the sharing of identification information and transaction and experience information between and among affiliates under all circumstances. In addition, the FCRA permits the sharing of consumer report information among affiliates if the consumer is first given notice and an opportunity to opt out of such sharing. Accordingly, for example, once a lender obtains a consumer report for a permissible purpose, the FCRA permits the lender to share that information with an affiliate, provided the consumer is given notice and the opportunity to opt out of the sharing and the consumer does not opt out.

The FACT Act adds a new section 624 to the FCRA providing that an institution that receives consumer report or experience information from an affiliate may not use that information to make a marketing solicitation to that consumer about the products or services of that institution, unless it is clearly and conspicuously disclosed to the consumer that information received from affiliates may be used for marketing purposes and the consumer is given an opportunity and simple method to opt out of such marketing solicitations. The notice must allow the consumer to prohibit all such marketing solicitations based on affiliate information, and may (at the institution’s option) allow the consumer to choose from different options when opting out. Under this new section, the opt-out notice may be provided to the consumer together with disclosures required by any other provision of law, such as the Federal Gramm-Leach-Bliley Act (“GLBA”), and the effective date of this provision is intended to allow initial opt-out notices under this section to be sent with a financial institution’s next GLBA notice after the effective date of the regulations promulgated under the section. The consumer’s election to opt out is effective for at least five years, beginning on the date the person receives the consumer’s election, unless the consumer revokes the opt out.

After the expiration of the five-year period, the consumer must receive another notice and similar opt-out opportunity before the affiliate can send such marketing solicitations to the consumer. Of course, if the affiliate elects not to send such solicitations, no new notice is required.

There are a number of exceptions to the notice and opt-out requirements for the use of affiliate information to make marketing solicitations. For example, the opt out does not apply to a bank using affiliate information to send marketing solicitations to a consumer if the bank already has a pre-existing business relationship with that consumer. A bank that has a pre-existing business relationship with the consumer can send a marketing solicitation to that consumer on its own behalf or on behalf of another affiliate or a third party. A pre-existing business relationship exists between a financial institution and a consumer when the consumer: (1) has a financial contract with the institution; (2) purchases, rents or leases goods or services from the institution, or a financial transaction has occurred, or an account has existed between the consumer and the institution during the 18-month period immediately preceding the date on which the consumer is sent a solicitation; or (3) makes an inquiry or application regarding a financial institution’s products or services during the three-month period immediately preceding the date on which the consumer is sent a solicitation. Regulators may also add to the list of circumstances where a “pre-existing business relationship” may exist for purposes of this section.

Specifically, a “pre-existing business relationship” includes a relationship based on “a financial transaction (including holding an active account . . . or having another continuing relationship).” For these purposes, an “active account” should include any account for which a consumer regularly receives statements, even if there have been no recent transactions, such as a securities brokerage, bank, or variable annuity account of a consumer who does not engage in frequent transactions. Similarly, a bank customer who holds a multi-year certificate of deposit in his or her name could be deemed to have an “active account” for these purposes, even if no other transaction was conducted until the CD matured, and so might a customer with a dormant card account or home equity line of credit. These examples may also be swept into the pre-existing business relationship definition if they are considered an in-force “financial contract” between the consumer and the institution.

In addition, the opt out does not apply to an entity using information to facilitate communications with an individual for whose benefit the entity provides employee benefit or other services pursuant to a contract with an employer related to and arising out of the current employment relationship of the individual participant or beneficiary of an employee benefit plan.

The opt out also does not apply to the use of affiliate information to perform services on behalf of an affiliate, unless the affiliate could not send the solicitation itself because of a consumer opt out. Accordingly, one affiliate can send a marketing solicitation on behalf of another affiliate that has a pre-existing business relationship with the consumer regarding the products or services of the affiliate with the pre-existing business relationship or another affiliate that does not have such a relationship except for the affiliate doing the mailing.

Also, the opt out does not apply to an institution responding to a communication initiated by the consumer, or to make solicitations authorized or requested by the consumer.

Each of these exceptions operates independently of one another. For example, a solicitation described in the first exception involving pre-existing consumers, such as a bank providing a statement stuffer about products or services of an affiliate to a consumer with whom the bank has a pre-existing business relationship, would be permitted without regard to the new FCRA affiliate solicitation notice and opt-out requirements. Because such a solicitation is covered by the first exception, the solicitation would be permitted without regard to the new notice and opt-out requirements even if the solicitation were not covered by one of the other exceptions in the new section.

In addition, this new section does not affect the use of information to make marketing solicitations if that information was received, either directly by the affiliate or by the holding company’s affiliate sharing data base, before the effective date of the regulations implementing this section. Furthermore, the section makes clear that any state law that relates to the exchange and use of information from an affiliate to make a solicitation for marketing purposes is preempted. In fact, there are now two separate preemption provisions applicable to this same activity.

The Federal banking agencies, the National Credit Union Administration (“NCUA”), the Securities and Exchange Commission, and the Federal Trade Commission (“FTC”) are directed to prescribe regulations to implement this new section. These agencies also must jointly conduct studies periodically of the information sharing practices of affiliates of financial institutions and other persons who are lenders or otherwise use consumer reports. In doing so, the agencies must consider: the purposes of information sharing; the types of information being shared; the number of consumer choices with respect to such sharing; whether entities share or may share personally identifiable transaction or experience information with affiliates for purposes related to employment or hiring and the specific uses of such shared information; and the information sharing practices that financial institutions, lenders and other users of consumer reports and their affiliates employ for purposes of making underwriting decisions or customer credit evaluations. The agencies also are directed to examine the information sharing practices that affiliates employ for the purpose of making credit underwriting decisions regarding consumers. The agencies must make an initial report of their findings to Congress within three years, and must make subsequent reports every three years thereafter of the effects of any changes in the affiliate information sharing practices of financial institutions and other users of consumer reports.

The section also expressly provides that any notice required by the new affiliate sharing provision may be included with other disclosures required by law, such as GLBA privacy notices. Specifically, the section provides that the regulations implementing the new affiliate sharing provision shall be issued not later than nine months after the date of enactment of the legislation and become effective not later than six months thereafter. The intent in reading these two provisions together is likely to mean that the initial notice to be sent to the consumer after the effective date of the regulations could be delayed to allow the institution to send such notice in the next regularly scheduled mailing to that consumer of another legally required disclosure to that consumer, such as the next annual GLBA privacy notice.

Importantly, as noted above, the FACT Act also clarifies that the FCRA preempts state laws on the use of information received from an affiliate to make solicitations for marketing purposes.

III. Risk-Based Pricing Notice (Title III, § 311)

The existing FCRA requires lenders to provide an “adverse action” notice to a consumer when a consumer credit application is declined, or the consumer rejects the lender’s less favorable counter offer, and such action is based in whole or in part on information from a consumer report. The adverse action notice identifies the consumer reporting agency that furnished the consumer report, and informs the consumer of the right to obtain a copy of a consumer report from that agency and of the consumer’s right to dispute the information’s accuracy.

This section of the FACT Act establishes a new notice requirement for lenders that use consumer report information in connection with a risk-based credit underwriting process for new credit customers. More specifically, if a lender grants credit to a new credit customer “on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of [the user’s] consumers” based on information from a consumer report, the lender must give the consumer a notice stating that the lender will use or has used consumer report information. Nothing in the section, however, precludes a lender from providing such a notice to all of its new credit customers, such as in a loan approval letter or other communication that the credit has been granted. Such a notice is not required, however, if the consumer applied for specific material terms and was granted those terms and those terms are not changed after the consumer responds to the credit offer; thus, for example, the provision does not apply to prescreened offers unless the terms are changed after the consumer responds to the offer. Also, such a notice is not required if the person has provided or will provide a traditional FCRA adverse action notice in connection with an application that is declined or a counter offer that is rejected by the consumer. In addition, the lender is provided with flexibility in the timing of providing such notice, including the potential ability to provide the notice at or before providing the consumer with an application or otherwise in connection with the application process, except where the regulations issued under this section specifically provide otherwise.

The notice is intended to be a concise notice that includes: a statement that the terms offered are based on information from a consumer report; the name of the consumer reporting agency or agencies used by the lender; a statement that the consumer may receive a free consumer report from the consumer reporting agency; and the consumer reporting agency’s contact information for obtaining a free credit report. The lender is not required to tell the consumer that it has taken or may take any unfavorable action, only that it will use or has used credit information in the underwriting process.

The FTC and Federal Reserve Board (“FRB”) are directed to jointly prescribe rules to carry out this section. The rules are to address the form, content, time, and manner of delivery of the notice; the meaning of the terms used in the section; exceptions to the notice requirement; and a model notice. Lenders also are given a good faith compliance provision and the section is only subject to administrative enforcement by the appropriate Federal agencies.

This section also adds a national uniformity provision prohibiting any state from imposing any requirement or prohibition relating to the duties of users of consumer reports to provide notice with respect to such credit transactions.

IV. Furnisher Responsibilities (Title III, § 312)

A. Procedures to Enhance Accuracy and Integrity

This section of the FACT Act directs the Federal banking agencies, the NCUA and the FTC to establish guidelines for use by furnishers to enhance the accuracy and integrity of the information they furnish to consumer reporting agencies. The agencies also are directed to prescribe regulations requiring furnishers to establish reasonable policies and procedures for implementing the new guidelines. In developing the guidelines, the agencies are instructed to: identify patterns, practices, and specific forms of activity that can compromise the accuracy and integrity of the information furnished; review the methods used to furnish information; determine whether furnishers maintain and enforce policies to furnish accurate information; and examine the policies and processes that furnishers employ to conduct investigations and correct inaccurate information.

In addition, the FACT Act modifies the standard in the FCRA regarding the duty of furnishers to provide accurate information. The FCRA prohibits furnishers from reporting information with knowledge that it is not accurate. The existing standard in section 623(a)(1) of the FCRA, “knows or consciously avoids knowing that the information is inaccurate,” is replaced with a revised standard of “knows or has reasonable cause to believe that the information is inaccurate.” The new standard, “knows or has reasonable cause to believe that the information is inaccurate,” is defined in the statute itself to mean “having specific knowledge, other than solely allegations by the consumer, that would cause a reasonable person to have substantial doubts about the accuracy of the information.”

The FACT Act also enables a consumer to dispute the accuracy of the information furnished to a nationwide consumer reporting agency directly with the furnisher under certain circumstances. Specifically, the Federal banking agencies, the NCUA and the FTC are required to jointly prescribe regulations that identify those circumstances under which a furnisher is required to reinvestigate a dispute concerning the accuracy of information contained in a consumer report, based on the consumer’s request submitted directly to the furnisher, rather than through the consumer reporting agency. Because the section authorizes a consumer to submit a dispute directly to the furnisher, it is not to be used by credit repair clinics to submit disputes on behalf of one or more consumers.

A consumer who seeks to dispute the accuracy of information must: provide a dispute notice directly to the furnisher at the mailing address specified by the person; identify the specific information disputed; explain the basis for the dispute; and include all supporting documentation needed by the furnisher to substantiate the basis of the dispute. Upon receipt of a consumer’s notice of dispute, the furnisher has specified responsibilities similar to those already in place today if the consumer’s dispute had been initiated with a consumer reporting agency. The furnisher must: conduct an investigation of the disputed information; review all relevant information provided by the consumer with the notice; and complete the investigation and report the results to the consumer before the expiration of the period under section 611(a)(1) “within which a consumer reporting agency would be required to complete its action if the consumer had elected to dispute the information under that section.” Accordingly, for example, where the consumer reporting agency would have had 30 days to complete the investigation of a dispute if the dispute were submitted to the consumer reporting agency, the furnisher would have 30 days as well. Similarly, where the consumer reporting agency has 45 days to complete its reinvestigation of a consumer dispute because the consumer has requested a consumer report through the centralized system under section 612, the furnisher also would have the 45 days to complete its investigation if the consumer has requested a consumer report through the centralized system and then disputed information on that consumer report directly with the furnisher. In addition, if the investigation finds that the information reported was inaccurate, the furnisher must promptly notify each consumer reporting agency to which that information was furnished and provide the agency with any correction necessary to make the information accurate.

The furnisher requirements do not apply if the furnisher receiving a notice of a dispute directly from a consumer reasonably determines that the dispute is frivolous or irrelevant. Upon making such a determination, the furnisher must notify the consumer of this determination within five business days after making the determination, by mail, or if authorized by the consumer for that purpose, by any other means available to the furnisher. The notice provided to the consumer must include the reasons for the determination.

Section 623 of the FCRA also is amended to clarify liability and enforcement under the FCRA. Specifically, the general FCRA requirements that furnishers of information are not subject to civil liability remain, other than the existing 623(b) reinvestigation provision. As such, the new requirements must be administratively enforced. Moreover, section 623 is expanded to provide that “Except as provided in section 621(c)(1)(B), sections 616 and 617 do not apply to: (1) any violation of” the furnisher responsibilities under section 623(a), which includes the new furnisher responsibilities regarding disclosures about the reporting of negative information and any potential direct inquiries to the furnisher; (2) the accuracy guidelines and regulations under section 623(e); (3) the red flag guidelines and regulations under section 615(e); and (4) the requirements dealing with the prohibition of the sale or transfer of a debt caused by identity theft under section 615(f). As a result, the various sections cited in section 312(e) will be subject to the administrative enforcement mechanisms provided under the FCRA, and such mechanisms represent the exclusive remedy for violations of these sections. A similar rule applies to other sections of the legislation that limit enforcement remedies to those administrative remedies set forth under the FCRA, including section 151, which adds a new section 609(e) relating to assistance to identity theft victims and section 311, involving risk-based pricing notices.

The FACT Act also provides for preemption with respect to the rights of consumers to obtain and dispute information in consumer reports.

B. Prevention of Repollution of Consumer Reports (Title I, § 154)

The FACT Act amends section 623 of the FCRA to require companies that furnish information to consumer reporting agencies to have reasonable procedures in place to respond to notification from a consumer reporting agency that information they furnished to the agency has been blocked because it resulted from identity theft, so that the furnisher will not refurnish this information. Similarly, if a consumer submits an “identity theft report” (as defined under the FACT Act) directly to a furnisher and the consumer states that the information resulted from identity theft, the furnisher may not later furnish the information to any consumer reporting agency, unless the furnisher subsequently knows or is informed by the consumer that the information is correct.

This section also prohibits an institution from selling, transferring or placing for collection a debt that the entity has been notified is identity theft-related. This prohibition applies to any entity collecting a debt after the date it is notified that the information resulted from identity theft. However, this prohibition does not apply to: the repurchase of a debt where the assignee of the debt requires such repurchase because the debt results from identity theft; the public or private securitization of debt or the pledge of a portfolio of debt as collateral in another financing transaction; or the transfer of debt as a result of a merger, acquisition, purchase and assumption transaction or transfer of substantially all of the assets of an entity.

The FACT Act also provides for preemption with respect to the prevention of repollution of consumer reports and the prohibition of the sale or transfer of debt caused by identity theft.

C. Improved Disclosure of the Results of Reinvestigation (Title III, § 314)

The FACT Act amends sections 611 and 623 of the FCRA to require consumer reporting agencies to promptly delete information from a consumer’s file, or modify that item of information as appropriate, if the information is found to be inaccurate, and to promptly notify the furnisher that the information has been modified or deleted from the consumer’s file. In addition, this section requires that furnishers, if upon completion of a reinvestigation the information is found to be inaccurate or incomplete or cannot be verified, modify the item of information, delete the information or block the reporting of that information.

V. Identity Theft Provisions

A. Fraud Alerts and Active Duty Alerts (Title I, § 112)

The FACT Act adds a new section 605A to the FCRA establishing three instances where consumers or military personnel can direct a nationwide consumer reporting agency to include a fraud alert or an active duty alert in each consumer report furnished on those consumers. Fraud alerts must clearly and conspicuously notify users of consumer reports that the consumer may have been a victim of identity theft or other fraud, or is on active duty in the military, so that the users may verify the identity of the consumer before establishing a new credit plan or new loan obligation in the name of the consumer.

Upon request of a consumer who asserts in good faith that he or she has been, or is about to become, a victim of fraud, a nationwide consumer reporting agency that maintains a file on the consumer and that has received appropriate proof of the consumer’s identity must include an initial alert in the consumer’s file for a minimum of 90 days, unless the consumer revokes the alert before the expiration of the 90-day period. The request to place a fraud alert on a consumer’s file may come directly from the consumer or the request may come from an individual acting on behalf of or as a personal representative of the consumer. This is intended to allow a consumer’s spouse, for example, to request a fraud alert for the consumer, but it does not permit credit repair clinics to request fraud alerts on behalf of one or more consumers. In the context of an initial alert, the national consumer reporting agency also must inform the consumer of the right to request a credit report without charge during the 12-month period beginning on the date the fraud alert is inserted into the consumer’s file. The consumer reporting agency also must provide the consumer with all of the disclosures required to be made under section 609, within three business days of the consumer’s request to do so.

In addition, if the consumer qualifies for an extended alert by providing the nationwide consumer reporting agency with an identity theft report regarding the consumer and appropriate proof of the consumer’s identity, the nationwide consumer reporting agency must include an extended alert in the consumer’s file for a seven-year period beginning on the date of the consumer’s request, unless the consumer revokes the alert before the expiration of that period. An identity theft report is a defined term contemplating a police report or other similar document obtained from an appropriate law enforcement agency. The consumer reporting agency also must inform the consumer of the right to request two free credit reports during the 12-month period beginning on the date the fraud alert is inserted into the consumer’s file. In addition, the consumer reporting agency must provide the consumer with all of the disclosures required to be made under section 609, within three business days of the consumer’s request to do so. A consumer making a request for an extended alert also must be excluded from lists used to make prescreened offers of credit or insurance for five years. Again, the request for the alert may be made by the consumer directly or by the consumer’s representative, but not by a credit repair clinic.

Upon request by active duty members of the military, after receiving appropriate proof of the consumer’s identity, a nationwide consumer reporting agency must include an active duty alert in the consumer’s file for at least one year and must exclude the consumer from lists used to make prescreened offers of credit or insurance for two years.

Nationwide consumer reporting agencies must establish policies and procedures to comply with this section, including procedures under which consumers may request such fraud alerts and active duty alerts in an easy and simple manner. Also, when a nationwide consumer reporting agency receives a request for a fraud alert or an active duty alert, the agency must pass along the alert request to the other nationwide consumer reporting agencies, which must include a similar alert in any files they maintain on that consumer. Consumer reporting agencies that do not operate on a nationwide basis must provide consumers who express concern over possible identity theft or other fraud with contact information for the FTC and the nationwide consumer reporting agencies.

The FACT Act also provides for preemption with respect to fraud alerts.

B. Obligation of Users Upon Receipt of Alerts (Title I, § 112)

Users who obtain a consumer report that includes a fraud alert or an active duty alert are thereby alerted that the consumer may be a victim of identity theft or on active military duty and, therefore, the user must utilize reasonable policies and procedures to form a reasonable belief that the user knows the identity of the person.

The FACT Act applies different standards to initial/active duty alerts and extended alerts. If the consumer report includes an initial alert or an active duty alert, a lender must use reasonable policies and procedures to form a reasonable belief that the lender knows the identity of the person making the request, such as by contacting the consumer using the telephone number designated by the consumer in the fraud alert or taking other reasonable steps to verify the consumer’s identity and confirm that the application for a new credit plan, a credit line increase requested by the consumer or a supplemental card requested by the consumer is not the result of identity theft. If the consumer report includes an extended alert, a lender must contact the consumer, either in person (such as in a bank branch or a retail store location), by telephone, or through another reasonable contact method designated by the consumer, to verify the consumer’s identity and confirm that the application for a new credit plan, a credit line increase requested by the consumer or a supplemental card requested by the consumer is not the result of identity theft.

C. Truncation of Credit Card and Debit Card Account Numbers

(Title I, § 113)

Under this new section of the FCRA, persons who accept credit cards and debit cards in business transactions are directed to print no more than the last five digits of the card account number, and to exclude the expiration date, on any electronically printed receipt provided to the cardholder at the point of the sale or other transaction. This requirement becomes effective three years following enactment for cash registers or other machines that electronically print receipts that are in use before January 1, 2005, and one year after the date of enactment for such cash registers or other machines that are first put into use on or after January 1, 2005. The new truncation requirement only applies to electronically printed receipts — not to handwritten receipts or receipts imprinted with a copy of the card.

The FACT Act also provides for preemption with respect to the truncation of credit card and debit card account numbers.


D. Establishing Procedures for Identification of Possible Identity Theft

(Title I, § 114)

1. Red Flag Guidelines

The Federal banking agencies, together with the NCUA and the FTC, are directed to establish and maintain guidelines for use in identifying patterns, practices and specific forms of activity that indicate the possible existence of identity theft. These agencies also must prescribe regulations under which the institutions they supervise are required to establish and adhere to reasonable policies and procedures for implementing the guidelines. The policies and procedures established under this section are not to be inconsistent with the policies and procedures required by Section 326 of the USA PATRIOT Act.

2. Change of Address

The Federal banking agencies, the NCUA and the FTC are directed to prescribe regulations applicable to issuers of credit cards and debit cards to ensure that if a card issuer receives a request for an additional or replacement card for an existing account, within a short period of time after receiving notification of a change of address for the same account (the statute specifies that this period must be at least 30 days), the card issuer will follow reasonable policies and procedures to ensure that the additional or replacement card is not issued to an identity thief. Specifically, the card issuer may issue an additional or replacement card if the issuer follows one of three procedures: notify the cardholder of the request at the cardholder’s former address and provide a means of promptly reporting an incorrect address change; notify the cardholder of the request in a manner that the card issuer and the cardholder previously agreed to; or otherwise assess the validity of the cardholder’s change of address in accordance with reasonable policies and procedures established by the card issuer pursuant to the “red flag” guidelines applicable to the card issuer.

The Federal banking agencies, the NCUA and the FTC also are directed to consider whether to include in the “red flag” guidelines instructions for institutions to follow when a transaction occurs on a credit or deposit account that has been inactive for more than two years in order to reduce the likelihood of identity theft.

The FACT Act also provides for preemption with respect to the “red flag” guidelines.

E. Authority to Truncate Social Security Numbers

(Title I, § 115)

A consumer reporting agency must honor a consumer’s request to truncate the first five digits of the consumer’s social security or other identification number when providing the consumer with a copy of the information in the consumer’s credit file under section 609 of the FCRA. Before doing so, the consumer reporting agency must receive proof of the consumer’s identity. This truncation requirement only applies to consumer reports provided to consumers, and not to reports provided to lenders and other users.

The FACT Act also provides for preemption with respect to the truncation of social security numbers.

F. Summary of Rights of Identity Theft Victims

(Title I, § 151)

The FTC, in consultation with the Federal banking agencies and the NCUA, is directed to prepare a model summary of the rights of consumers under the provisions of the FCRA designed to remedy the effects of identity theft and other financial fraud. A consumer reporting agency must provide a copy of this model summary of rights to each consumer who contacts the agency and indicates that he or she may be a victim of identity theft or other fraud. The obligation to provide the notice begins 60 days after the FTC prescribes the final form of the model summary. The FTC also must develop and implement a media campaign to educate the public on how to prevent identity theft.

The FACT Act also provides for preemption with respect to the summary of rights of identity theft victims.


G. Obligation to Provide Records to Victims

(Title I, § 151)

A financial institution or other entity that provides credit to an identity thief, or another person who allegedly has made unauthorized use of a victim’s identification, must provide upon the victim’s request a copy of the application and business transaction records evidencing the transaction under the institution’s control within 30 days after the victim’s request. The records are to be provided directly to the victim or to a law enforcement agency authorized by the victim to receive the records. The institution or other entity can require proof of the identity of the victim and of the claim of identity theft, including a police report and an affidavit of identity theft developed by the FTC or otherwise acceptable to the institution. In certain circumstances, an institution may decline to provide such information; for example, if in the exercise of good faith, the institution determines that the request for information is based on a misrepresentation of facts by the alleged victim. Importantly, the provision does not impose a requirement that institutions retain any records; instead, the obligation only applies to applications and transaction records that the institution already is retaining under its otherwise applicable record retention policy. This section does not require an institution to provide records that do not exist or are not reasonably available. Records that are not reasonably available include those that are not easily retrieved. To the extent that records, such as periodic statements listing transactions made on a credit or deposit account, are easily retrieved, those records should be provided. An institution is not required to produce records not within its direct control or not maintained by another entity on its behalf.

The FACT Act also provides for preemption with respect to the obligation to provide records to victims.

H. Blocking Information Resulting from Identity Theft

(Title I, § 152)

Under this section, consumer reporting agencies are required to block the reporting of information in a consumer’s file that the consumer identifies as resulting from identity theft. The consumer must supply the consumer reporting agency with appropriate proof of his or her identity and a copy of an identity theft report, and must identify the information to be blocked; namely, the information that resulted from the identity theft. The consumer reporting agency must block the information within four business days, and must notify the furnisher of the information that the information may have resulted from identity theft, that an identity theft report has been filed, that a block on reporting the information has been requested and the effective date of the block.

The FACT Act also provides for preemption with respect to the blocking of information resulting from identity theft.

I. Coordination of Identity Theft Investigations

(Title I, § 153)

Nationwide consumer reporting agencies are required to develop and maintain procedures for the referral of consumer complaints alleging identity theft or requesting a fraud alert to the other nationwide consumer reporting agencies. The FTC is directed to create a model form to be used by consumers for reporting identity theft; the model form is to be developed in consultation with the Federal banking agencies and the NCUA.

Also, each nationwide consumer reporting agency must submit to the FTC an annual summary report of consumer identity theft complaints and fraud alert requests received by the consumer reporting agency.

The FACT Act also provides for preemption with respect to the coordination of identity theft complaint investigations.

J. Notice by Debt Collectors of Fraudulent Information

(Title I, § 155)

The FCRA is amended to require third-party debt collectors, as defined under the Federal Fair Debt Collection Practices Act, who are notified by the consumer that the debts they are attempting to collect may be the result of identity theft or other fraud, to notify the third party on whose behalf they are collecting the debt that the information may be the result of identity theft or fraud.

The FACT Act also provides for preemption with respect to notice by debt collectors of fraudulent information.

VI. Improvement of Credit Report Files

A. Free Credit Reports

(Title II, § 211)

The FACT Act amends section 612 of the FCRA to empower consumers to receive a free consumer report annually from each of the nationwide consumer reporting agencies, as defined in subsections 603(p) and 603(z) of the FCRA. The consumer’s request for receipt of a report from a subsection 603(p) agency may be made by mail or through an Internet website to a centralized system established in accordance with an FTC rulemaking. The nationwide consumer reporting agencies must provide the report to the consumer within 15 days. Any disputes raised by a consumer who receives a free report under this section must be reinvestigated within 45 days after the consumer raises the dispute, which is a 15-day increase over the 30-day reinvestigation time frame that would otherwise apply. In addition, the FTC is directed to prepare a model summary of the rights of consumers under the FCRA, including: the right to obtain a free consumer report annually and the method of doing so; the right to dispute information in the consumer’s credit file; and the right to obtain a credit score and the method of doing so. The FTC also is directed to publicize actively the availability of the summary of rights, and make the summary available to consumers promptly upon request.

In addition, the FTC is granted the authority to require regional consumer reporting agencies to comply with this section, and the FTC also can develop exceptions to this requirement where appropriate given the business activities of consumer reporting agencies and for new consumer reporting agencies.

B. Credit Scores

(Title II, § 212)

This section amends the FCRA to require consumer reporting agencies to provide credit score information to consumers on request. The information provided would include: the consumer’s most recent credit score; the range of possible credit scores; four key factors that adversely affected the score including inquiries; the date the score was created; and the name of the person that provided the credit score or the credit file on which it was based. Credit scores are to be derived from models that are widely distributed to users or to assist consumers in understanding credit scoring. Credit scores do not include mortgage scores or automated underwriting systems that consider factors other than credit information, such as loan-to-value ratio. A consumer reporting agency is not required to develop or disclose scores if it does not distribute scores that are used in connection with residential mortgage lending or scores that assist lenders in understanding and predicting consumer credit balances. A consumer reporting agency is not required to explain scores developed by another person, although it must provide a consumer with information to enable a consumer to contact the person who developed the score. Unlike the provision relating to free credit reports, consumer reporting agencies may charge a reasonable fee for disclosure of a credit score. If a consumer requests a credit report, but does not request a credit score, the consumer reporting agency must inform the consumer that the consumer also may obtain a credit score.

Any person who uses a credit score to make or arrange consumer credit secured by one to four units of residential real property must provide the consumer with credit scoring information obtained from a consumer reporting agency that the consumer reporting agency would be required to disclose to the consumer, together with a special notice explaining the use of credit scores and how the consumer may obtain credit score information. This requirement for credit score disclosures by entities other than consumer reporting agencies does not apply to other types of lending transactions; in such cases, it is the consumer reporting agency that must disclose the score. Also, a lender would not be required to disclose a proprietary credit score and instead would be able to arrange for disclosure of a widely available credit score. If a person uses an automated underwriting system, it may meet its disclosure responsibility by disclosing a credit score and associated key factors provided by a consumer reporting agency. A person that uses a credit score that is not provided by a consumer reporting agency may meet its disclosure obligation by disclosing the credit score from a consumer reporting agency, together with the associated key factors. A person has no liability for the content of information provided by a consumer reporting agency. Also, any contractual provision that would prohibit the disclosure of a credit score required by this section is void.

This section also requires a consumer reporting agency to include in any disclosure of a credit score or other risk predictor, where a key factor that adversely affected the credit score was the number of inquiries, a clear and conspicuous statement that inquiries were a key factor, and a copy of the consumer’s credit score, along with the key factors, if any, that adversely affected the score.

This section also includes a national uniformity provision that prohibits any state from regulating the provision of credit scores to consumers, except that certain specified existing state laws regulating such credit score disclosures are grandfathered.

C. Enhanced Disclosure on Opt Out of Prescreened Lists

(Title II, § 213)

The FACT Act amends section 615 of the FCRA to direct the FTC, in consultation with the Federal banking agencies and the NCUA, to develop regulatory guidance concerning the format and type size of the opt-out notification for prescreened solicitations. In addition, section 604 is amended to extend the effective period of the opt out from two to five years. This section further directs the FRB to study and report to Congress on the ability of consumers to opt out of receiving unsolicited written offers of credit or insurance and the impact further restrictions on these offers would have on consumers.

D. Requirement to Disclose Communications to a Consumer Reporting Agency

(Title II, § 217)

The FACT Act amends section 623(a) of the FCRA to add a new paragraph requiring financial institutions that extend credit and regularly furnish information to a consumer reporting agency and that furnish negative information to a consumer reporting agency regarding credit extended to a customer, to provide a written notice of the furnishing of negative information to that customer. The section makes clear that after providing this notice, the financial institution may submit additional negative information to a consumer reporting agency with respect to that same transaction, extension of credit or account or with respect to the same customer without providing any additional notices to the customer. Also, the section makes clear that providing such a notice does not require an institution to report any negative information.

The notice must be provided to the customer either before negative information is reported or within 30 days after negative information is reported to the consumer reporting agency. If the notice is provided to the customer before any negative information is reported to a consumer reporting agency, the notice may not be included with the initial disclosures provided under the federal Truth in Lending Act. This notice requirement affords financial institutions flexibility in terms of providing this notice with other disclosures, such as a notice of default, a billing statement or any other material provided to the customer, except with the initial Truth in Lending Act disclosures. The notice must be clear and conspicuous. The FRB is directed to develop a brief model disclosure of no more than 30 words that an institution may use in order to comply with the notice requirements. A financial institution is not required to use the model notice, but ensures compliance by doing so.


E. Reconciling Addresses

(Title III, § 315)

The FACT Act amends section 605 of the FCRA to require a nationwide consumer reporting agency identified under section 603(p), when it provides a consumer report, to inform the user requesting that consumer report that the request received from the user includes an address for the consumer that substantially differs from the addresses in the file of the consumer. The Federal banking agencies, the NCUA and the FTC are directed to prescribe regulations regarding reasonable policies and procedures that users of consumer reports within the agencies’ respective enforcement jurisdiction should employ when they receive notice of an address discrepancy. These regulations are to identify the types of reasonable policies and procedures that a user may employ to form a reasonable belief that the user knows the identity of the person to whom the consumer report pertains and, if the user establishes a continuing relationship with the consumer, to furnish the consumer reporting agency with corrected address information, as part of information that the user regularly furnishes for the period in which the relationship is established.

F. Disposal of Consumer Report Information

(Title II, § 216)

The FACT Act adds a new section 628 to the FCRA directing the Federal banking agencies, the NCUA and the FTC to issue separate, but coordinated, regulations requiring business entities under their respective jurisdictions that maintain consumer report information, or a compilation of consumer report information, to properly dispose of that information. The focus is on the destruction of consumer report information specifically and not other types of consumer information, unless it contains consumer report information.

Such rules are to be consistent with the security and confidentiality rules imposed under the GLBA.

G. Notice of Dispute Through Reseller

(Title III, § 316)

The FACT Act amends section 611(a) of the FCRA to require consumer reporting agencies to reinvestigate consumer disputes forwarded to them by resellers of consumer reports. Furthermore, if a reseller receives notice from a consumer of a dispute concerning the integrity or accuracy of any item of information contained in a consumer report, the reseller must, within five business days, determine the integrity or accuracy of the information in question and either correct it, if it is the reseller’s error, or convey the notice of dispute to the consumer reporting agencies.

H. Reasonable Reinvestigation Requirement

(Title III, § 317)

The FACT Act amends section 611 of the FCRA to provide that when a consumer disputes the accuracy of information contained in a consumer report, the consumer reporting agency that prepared the report must conduct a reasonable investigation free of charge to determine whether the disputed information is inaccurate.

VII. Statute of Limitations

A. Statute of Limitations

(Title I, § 156)

This section extends the statute of limitations for violations of the FCRA, so that claims may be brought within two years after discovery of the violation, instead of two years after the date on which the violation occurred. But in no event may claims be brought more than five years after the violation occurred.


VIII. Limiting the Use and Sharing of Medical Information in the Financial System

A. Protection of Medical Information in the Financial System

(Title IV, § 411)

The FACT Act amends section 604 of the FCRA to prohibit a consumer reporting agency from furnishing a consumer report that contains medical information in connection with an insurance transaction, unless the consumer consents. In order to furnish a report containing medical information for employment purposes, or in connection with a credit transaction, the information must be relevant to, or affect, the employment or credit transaction, and the consumer must provide written consent. Alternatively, the information may be reported if it is reported using codes that do not identify, or provide information sufficient to infer, the specific provider or the nature of the medical services, products or devices.

In addition, lenders are prohibited from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility or continued eligibility for credit, unless the information is obtained pursuant to a regulation or order of a Federal banking agency, the NCUA, the FTC or an applicable state insurance authority. Any person who receives medical information pursuant to this exception is prohibited from disclosing the information to any other person, except as necessary to carry out the purpose for which it was originally disclosed. Thus, one of the consumer protections included in the amended statute is a prohibition on lenders using medical information in determining a consumer’s eligibility for credit. The Federal banking agencies, the NCUA and the FTC are authorized to make exceptions to this prohibition that “are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer or other needs…”

The FACT Act also amends section 603 of the FCRA to prohibit the sharing of consumer reports that are medical information among affiliates, unless the information is provided in connection with the issuance of insurance or annuities, in compliance with standards promulgated by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (“HIPAA”), or under section 1179 of HIPAA, or as authorized by a Federal banking agency, the NCUA or the FTC. This prohibition includes the sharing of an individualized list or description based specifically on a consumer’s payment transactions for medical products or services, or an aggregate list of consumers based specifically on payment transactions for medical products or services.

The FACT Act also amends section 603 of the FCRA to define medical information as information or data, other than age or gender, relating to past, present or future physical, mental or behavioral health, the provision of health care to an individual or the payment for the provision of health care to an individual.

B. Confidentiality of Medical Contact Information in Consumer Reports

(Title IV, § 412)

The FACT Act amends the FCRA to provide that a person whose primary business is providing medical services, products or devices to consumers, and who also furnishes information to a consumer reporting agency, must notify the agency of that status and that the consumer reporting agency may not include in a consumer report the name, address or telephone number of that furnisher, unless reported using codes, or the consumer report is provided to an insurance company for insurance purposes, other than property or casualty insurance purposes. The codes must not identify, or provide information sufficient for a user of a consumer report to infer, the specific provider or the medical services, products or devices provided.


IX. Financial Literacy and Education Improvement

A. Financial Literacy and Education Commission

(Title V, §§ 511-18)

This title establishes the Financial Literacy and Education Commission to improve the financial literacy and education of persons in the United States. The Commission must review financial literacy and education efforts throughout the Federal government and must develop and implement within 18 months a national strategy to promote financial literacy and education among all Americans.

X. Protecting Employee Misconduct Investigations

A. Certain Employee Investigation Communications Excluded from Definition of Consumer Report

(Title VI, § 611)

The FACT Act amends the FCRA by excluding “certain communications for employee investigations” from the definition of consumer report. This section provides that the term “consumer report” does not include communications to an employer in connection with the investigation of employee misconduct or compliance with law, the rules of a self-regulatory organization or the employer’s pre-existing written policies that are not made for the purpose of investigating a consumer’s credit worthiness and that are provided only to the employer, a Federal or state official, a self-regulatory organization or as otherwise required by law. If adverse action is taken based on the communication, however, the employer is required to disclose to the employee a summary containing the nature and the substance of the communication. The source of the information need not be disclosed.

XI. Additional Federal Studies

A. FTC Data Base of Consumer Reporting Agency Complaints

(Title III, § 313)

This section directs the FTC to compile a record of complaints against nationwide consumer reporting agencies. If a complaint is received by the FTC about the accuracy of information maintained by a nationwide consumer reporting agency, the FTC must transmit the complaint to the consumer reporting agency for response. Each nationwide consumer reporting agency under section 603(p) that receives a complaint from the FTC must: review the complaint to determine if the agency has met all legal obligations imposed under the FCRA; report to the FTC the determinations and actions taken by the agency with respect to the complaint; and maintain, for a reasonable time, records regarding the disposition of such complaint in a manner sufficient to demonstrate compliance with the FCRA.

In addition, the FTC and the FRB are directed to study and report jointly on the performance of consumer reporting agencies and furnishers of credit reporting information in complying with the FCRA’s procedures and time frames for the prompt investigation and correction of disputed information in a consumer’s credit file.

B. FTC Study of Issues Relating to the FCRA

(Title III, § 318)

This section requires the FTC to study and report on ways to improve the operation of the FCRA. The FTC is directed to study and report on: the efficacy of increasing the number of points of identifying information that a credit reporting agency must match before releasing a consumer report; the extent to which requiring additional points of identifying information to match would enhance the accuracy of credit reports and combat the provision of incorrect consumer reports to users; the extent to which requiring an exact match of first and last name, social security number and address and ZIP Code of the consumer would enhance the likelihood of increasing the accuracy of credit reports; and the effects of allowing consumer reporting agencies to use partial matches of social security numbers and name recognition software. The FTC also must report on the impact of providing independent notification to consumers when negative information is included in their credit reports and to consider the effects of requiring that consumers who experience adverse actions receive a copy of the same credit report used by the lender in taking the adverse action. Finally, the FTC is to study and report on common financial transactions not generally reported to consumer reporting agencies that may bear on creditworthiness, and possible steps to encourage the reporting of such transactions within a voluntary system.

C. FTC Study of the Accuracy of Consumer Reports

(Title III, § 319)

This section directs the FTC to conduct an ongoing study of the accuracy of information contained in consumer reports, and to submit both an interim report and a final report to Congress on its findings and conclusions, together with recommendations for legislative and administrative action.

D. Study on the Use of Technology to Combat Identity Theft

(Title I, § 157)

The Secretary of the Treasury is directed to conduct a study, in consultation with the Federal banking agencies, the FTC and other specified public and private sector entities, on the use of biometrics and other similar technologies to reduce the incidence of identity theft.

E. Study of Effects of Credit Scores

(Title II, § 215)

The FTC, in consultation with the Department of Housing and Urban Development, is directed to study and report to Congress on the effects of the use of credit scores and credit-based insurance scores on the availability and affordability of financial products. In conducting this study, the FTC is directed to obtain input from the public.

XII. Effective Dates

A. Effective Dates

(§ 3)

This section directs the FTC and the FRB to prescribe jointly regulations establishing the effective dates for each provision of the FACT Act within two months, unless otherwise provided by the FACT Act. The effective dates established by the FTC and the FRB must be no later than ten months after the FTC and FRB issue the effective date regulations.
