Top Emerging Trends

Professor Ann Graham on Our Credit Reporting System and Identity Theft-New Regulations for 2008

With passage of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), Congress amended the Fair Credit Reporting Act (FCRA) and adopted new weapons to combat identity theft. Several implementing regulations are effective in 2008, with compliance implications for entities that furnish credit information to a credit reporting agency and for entities that use credit information obtained from a credit reporting agency. Law Professor Ann Graham examines the most recent FACTA regulations that implement the four key provisions of identity theft red flags, affiliate marketing restrictions, accuracy and integrity of consumer information regulations and guidelines, and direct dispute regulations.



On the first point, Professor Graham writes:



     Financial institutions and creditors that offer “covered accounts” must implement a written Identity Theft Prevention Program. Covered accounts are those used primarily for personal, family, or household purposes that involve or permit multiple payments or transactions, in addition to any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Note that financial institutions are not the only entities affected by these regulations. Other creditors who must comply may include, for example, automobile dealers, and telecommunications providers. Although the definition of “covered account” is broad enough to cover business accounts as well as consumer accounts, the rules are “risk-based” and flexible, which permits each financial institution or creditor to conduct its own risk evaluation process to determine which business accounts will be included in that entity’s Identity Theft Prevention Program. Obligations apply not only to existing accounts but also to account openings.





     Each Identity Theft Prevention Program must contain four basic elements, reasonable policies, and procedures to:






• Identify “red flags” or indicators of possible identity theft, based on an evaluation of particular types of accounts and circumstances;



• Detect “red flags” that have been incorporated into an Identity Theft Prevention Program;



• Respond appropriately to any “red flags” that are detected to prevent or mitigate identity theft; and



• Ensure that the Program is updated periodically to reflect changes in risk.




Professor Graham explains how those requirements are implemented:


     The Board of Directors, or a committee of the Board, must approve the initial written Identity Theft Prevention Program, must provide oversight of the development, implementation, and administration of the Program, must ensure staff training, and must oversee service provider arrangements. Detailed Guidance is intended to assist in the formulation and maintenance of a Program. As Guidance, 26 Red Flags are listed in an Appendix, not to be used as a mandatory checklist but as suggested items for consideration in drafting an individualized Identity Theft Prevention Program.



Subscribers to may purchase Professor Graham’s entire expert commentary at Professor Ann Graham on Our Credit Reporting System and Identity Theft-New Regulations for 2008.