Fair and Accurate Credit Transactions Act of 2003

Overview of FCRA Legislation
Fair and Accurate Credit
Transactions Act of 2003
1-800-BANKERS
www.aba.com
1120 Connecticut Avenue, NW
Washington, DC 20036
World-Class Solutions,
Leadership & Advocacy
Since 1875
Donald G. Ogilvie
President and CEO
Phone: (202) 663-5011
Fax: (202) 663-7533
Email: [email protected]
November 24, 2003
Dear ABA Member:
The ABA is pleased to provide its members with this summary of the Fair and Accurate
Credit Transactions Act of 2003. This act contains a number of important provisions
supported by the ABA, particularly the permanent preemption of a wide range of areas of
state law. We were also successful in defeating a number of onerous proposals during the
legislative process, while significantly improving a large number of other provisions.
Nonetheless, there are some new provisions with which banks will have to comply, which
this summary seeks to identify for you.
I believe this summary, prepared immediately after Congress passed the final version of this
bill, will provide you with an excellent overview of the law. You should, of course, consult
your own attorneys for legal interpretations and advice as to how the law will affect your
institution. The ABA will be providing its members with additional material relating to the
implementation of this law in the coming months.
The ABA is indebted to the law firm of Morrison & Foerster, which prepared this summary
under the direction of L. Richard Fischer, Oliver I. Ireland, and Kristina A. K. Hickerson.
This law firm is a leading firm on financial services law and has particular expertise in
consumer law, including the Fair Credit Reporting Act. Mr. Fischer has advised a wide
variety of financial institutions and other companies on the full range of financial services,
payment system, and retail banking issues. In particular, his practice has a special emphasis
on privacy, e-commerce, technology, and joint venture issues. Mr. Ireland’s practice focuses
primarily on retail financial services including electronic commerce, compliance with Federal
Reserve regulations, including Regulations Z and E, compliance with the Gramm-Leach-Bliley Act privacy provisions, the Fair Credit Reporting Act, E-SIGN, the U.S. PATRIOT
Act and telemarketing rules. Prior to joining the firm, Mr. Ireland served as Associate
General Counsel of the Board of Governors of the Federal Reserve System, where he was
responsible for drafting or interpreting numerous regulations. Ms. Hickerson is an associate
with the firm and was intimately involved in the legislation as it was being developed.
We hope you find this information helpful. We are always interested in knowing how we are
doing and what else we can provide our members, so let us know. Our goal is to provide
world-class solutions, leadership and advocacy.
Sincerely,
Donald Ogilvie
President and CEO
American Bankers Association
Prepared by
Morrison & Foerster LLP
November 24, 2003
Congress has just completed work on the Fair and Accurate Credit
Transactions Act of 2003 (“FACT Act”). In order to assist you in
understanding the many complex provisions of this important
legislation, we have prepared both an overview and a more detailed
review of the FACT Act.
We worked closely with the American Bankers Association and other
organizations throughout the legislative process to achieve the most
favorable legislative result possible for banks of all sizes, and for the
financial services industry generally. Most of our goals were achieved
in the legislation. For example, the FACT Act provides a full and
permanent reauthorization of the existing seven key national
uniformity provisions. In addition, the FACT Act adds national
uniformity for the identity theft prevention measures included in the
legislation, as well as for other key provisions — like those dealing
with marketing solicitations based on affiliate information and risk-based pricing notices. The FACT Act also includes important
limitations on liability for many of the law’s new requirements.
We believe the overview and the detailed review will be helpful to
American Bankers Association members in their compliance efforts.
Nevertheless, we still encourage you and your counsel to do a
thorough review of the FACT Act in order to gain a more complete
understanding of the impact of the legislation on your organization.
L. Richard Fischer
Oliver I. Ireland
Kristina A.K. Hickerson
Morrison & Foerster LLP
Washington, D.C.
November 24, 2003
Table of Contents
Cites in parentheses refer to sections in the bill.
Overview of Legislation
  National Uniformity Provisions/Preemption of State Law
  Affiliate Sharing
  Risk-Based Pricing
  Identity Theft Prevention
    Fraud Alerts
    Truncating Credit Card and Debit Card Account Numbers
    Red Flag Guidelines and Regulations
    Investigating Changes of Address
    Blocking of Information
  Consumer Notification of Reports of Negative Information
  Duties of Furnishers of Information
  Limitation on Liability and Enforcement
  Other Sections of Interest
I. National Uniformity Provisions
  A. Relation to State Law (Title VII, § 711)
    1. Existing Seven FCRA National Uniformity Provisions
    2. Identity Theft National Uniformity
    3. Other National Uniformity Provisions
II. Affiliate Sharing (Title II, § 214)
III. Risk-Based Pricing Notice (Title III, § 311)
IV. Furnisher Responsibilities (Title III, § 312)
  A. Procedures to Enhance Accuracy and Integrity
  B. Prevention of Repollution of Consumer Reports (Title I, § 154)
  C. Improved Disclosure of the Results of Reinvestigation (Title III, § 314)
V. Identity Theft Provisions
  A. Fraud Alerts and Active Duty Alerts (Title I, § 112)
  B. Obligation of Users Upon Receipt of Alerts (Title I, § 112)
  C. Truncation of Credit Card and Debit Card Account Numbers (Title I, § 113)
  D. Establishing Procedures for Identification of Possible Identity Theft (Title I, § 114)
    1. Red Flag Guidelines
    2. Change of Address
  E. Authority to Truncate Social Security Numbers (Title I, § 115)
  F. Summary of Rights of Identity Theft Victims (Title I, § 151)
  G. Obligation to Provide Records to Victims (Title I, § 151)
  H. Blocking Information Resulting from Identity Theft (Title I, § 152)
  I. Coordination of Identity Theft Investigations (Title I, § 153)
  J. Notice by Debt Collectors of Fraudulent Information (Title I, § 155)
VI. Improvement of Credit Report Files
  A. Free Credit Reports (Title II, § 211)
  B. Credit Scores (Title II, § 212)
  C. Enhanced Disclosure on Opt Out of Prescreened Lists (Title II, § 213)
  D. Requirement to Disclose Communications to a Consumer Reporting Agency (Title II, § 217)
  E. Reconciling Addresses (Title III, § 315)
  F. Disposal of Consumer Report Information (Title II, § 216)
  G. Notice of Dispute Through Reseller (Title III, § 316)
  H. Reasonable Reinvestigation Requirement (Title III, § 317)
VII. Statute of Limitations
  A. Statute of Limitations (Title I, § 156)
VIII. Limiting the Use and Sharing of Medical Information in the Financial System
  A. Protection of Medical Information in the Financial System (Title IV, § 411)
  B. Confidentiality of Medical Contact Information in Consumer Reports (Title IV, § 412)
IX. Financial Literacy and Education Improvement
  A. Financial Literacy and Education Commission (Title V, §§ 511-18)
X. Protecting Employee Misconduct Investigations
  A. Certain Employee Investigation Communications Excluded from Definition of Consumer Report (Title VI, § 611)
XI. Additional Federal Studies
  A. FTC Data Base of Consumer Reporting Agency Complaints (Title III, § 313)
  B. FTC Study of Issues Relating to the FCRA (Title III, § 318)
  C. FTC Study of the Accuracy of Consumer Reports (Title III, § 319)
  D. Study on the Use of Technology to Combat Identity Theft (Title I, § 157)
  E. Study of Effects of Credit Scores (Title II, § 215)
XII. Effective Dates
Fair and Accurate Credit Transactions Act of 2003
Overview of Legislation
Prepared by Morrison & Foerster LLP
Congress has now passed H.R. 2622 — the “Fair and Accurate Credit Transactions Act of 2003” (“FACT
Act”) — permanently reauthorizing the important national uniformity provisions of the Fair Credit
Reporting Act (“FCRA”) and amending the FCRA to further strengthen this country’s national credit
reporting system and to assist both financial institutions and consumers in the fight against identity theft.
Following is an overview of the key provisions in the FACT Act. The applicable effective dates for most of the
new FCRA requirements will be established through a special, short-term rulewriting process by the Federal
Reserve Board (“FRB”) and the Federal Trade Commission (“FTC”).
National Uniformity/Preemption of State Law
The FACT Act includes a full and permanent reauthorization of the seven existing FCRA national uniformity
provisions, which were scheduled to sunset on January 1, 2004. As a result, states will be prevented
permanently from taking action in such areas as furnisher responsibilities, the contents of consumer reports,
prescreening and affiliate sharing. Importantly, the FACT Act also provides for preemption for the nine
identity theft prevention subjects addressed in the legislation. The new national uniformity established for the
identity theft provisions of the legislation focuses on the subjects covered in the FACT Act itself and, thus,
does not address other identity theft-related subjects that fall outside the scope of the legislation. As a result,
for example, this new national uniformity provision applies to fraud alerts, “red flag” guidelines, identity
verification and other identity theft measures addressed in the legislation, as well as those addressed in the
corresponding regulations called for by the FACT Act. However, the new national uniformity provisions do
not apply to state laws governing the use of social security numbers, alerts for data base hackings or increased
criminal penalties for identity theft perpetrators. In addition, the FACT Act includes important national
uniformity provisions for many other subjects addressed in the legislation, including the new affiliate
marketing solicitation requirements, the risk-based pricing notices and provisions regarding the disclosure of
consumer reports and credit scores.
Affiliate Sharing
The FACT Act establishes a new restriction in the FCRA for solicitations made for marketing purposes when
those solicitations are based on the use of information received from an affiliate. The restriction applies to
identified customer information received from an affiliate that would constitute a consumer report except for
the exclusions in the definition of consumer report under the FCRA. As a result, the restriction applies to the
use of credit bureau reports, application information and transaction and experience information received
from an affiliate for the purpose of making marketing solicitations. While the provision does not further
restrict the sharing of information among affiliates, it prevents the affiliate receiving such information from
using the information to make a solicitation for marketing purposes to the consumer about that affiliate’s
products or services, unless the consumer is first given notice and an opportunity and simple method to opt
out of receiving such marketing solicitations. As a result, it is important to understand that the FACT Act
does not establish a general restriction on the sharing of information with affiliates and does not limit the
ability of affiliated financial organizations to establish common data bases of information. Instead, the FACT
Act only provides that the affiliate receiving that information cannot use that information to make marketing
solicitations, absent an applicable exception, without first complying with the new notice and opt-out
requirements of the statute. In addition, the FACT Act leaves undisturbed the existing FCRA notice and opt-out requirement for the sharing of “non-experience” information (such as consumer report information)
between or among affiliated companies.
The various exceptions to these limits on marketing, however, should generally provide financial institutions
with significant flexibility to market financial products. For example, this affiliate marketing solicitation
restriction does not apply to a person using information to send a solicitation to a consumer with whom that
person already has a pre-existing business relationship. So, a financial institution can always send marketing
solicitations to its own customers even if those solicitations are based on information from an affiliate. Pre-existing business relationship is defined as a relationship between a company and a consumer based on: (1) a
financial contract; (2) the purchase, rental or lease by the consumer of that company’s goods or services or a
financial transaction (including an active account) between the consumer and that company during the 18-month period immediately preceding the date on which the consumer is sent a solicitation; or (3) an inquiry
or application by the consumer regarding a product or service offered by that company during the three-month period immediately preceding the date on which the consumer is sent a solicitation. The affiliate
marketing solicitation restriction also does not apply to an affiliate using information to perform servicing
functions for the affiliated institution that currently has a customer relationship with the consumer; so, for
example, a financial institution can use the services of one of its affiliates to send marketing solicitations to the
financial institution’s own customers regarding its own products or the products of an affiliate (other than the
affiliate performing the servicing function) or of a third party. In addition, the provision does not apply to
consumer-initiated requests for information about products or services, or to solicitations authorized or
requested by the consumer.
The notice required under this section must allow the consumer the opportunity to prohibit all solicitations
for marketing purposes if those solicitations are based on information received from an affiliate, and may
allow, if the financial institution providing the notice so elects, the consumer to choose different options
when electing to prohibit the sending of such solicitations. The notice must be clear, conspicuous and
concise, and the method of how the notice is provided must be simple. If a consumer elects to opt out of
receiving marketing solicitations under this affiliate sharing provision, the election is effective for at least five
years, beginning on the date that the financial institution receives the consumer’s election, unless the
consumer requests that the election be revoked. After the expiration of the five-year period, the consumer
must be given another notice and an opportunity to renew the opt-out election for another period of at least
five years, but only if the financial institution wants to begin sending such solicitations; otherwise, no new
notice is required. Again, the restrictions in the bill only apply where no exception otherwise applies, and for
marketing that is based upon shared information. Marketing to existing consumers, for example, or marketing
that does not involve information from an affiliate, are not subject to the restrictions of this bill.
The federal banking agencies (“Banking Agencies”), the National Credit Union Administration (“NCUA”),
the Securities and Exchange Commission and the FTC, with respect to the entities subject to their respective
enforcement authority, are responsible for prescribing regulations to implement the notice requirements.
These regulations are to provide specific guidance on compliance with the clear notice and simple opt-out
standards. Although the FACT Act takes a functional regulator approach for developing these regulations, the
agencies are directed to consult and coordinate with each other, so that the rules will be consistent. The
section also clarifies that there is no retroactivity; i.e., the affiliate marketing solicitation restriction does not
affect the use of affiliate information for marketing if the information was received by the affiliate directly, or
was contributed to a common data base, before the effective date of the implementing regulations. In other
words, it has prospective application only with respect to the information covered, as well as for the
solicitations made.
In addition, a notice or other disclosure that is “equivalent” to the notice required under this section and
provided to a consumer as required by any other provision of law will satisfy the requirements of this section.
Accordingly, this affiliate marketing solicitation opt-out notice may be incorporated into a financial
institution’s Gramm-Leach-Bliley Act (“GLBA”) privacy notice. It should be recognized, however, that
including a new opt-out provision in the institution’s GLBA notice will further complicate notices that have
already been criticized as overly complex.
Risk-Based Pricing
The FACT Act creates a new notice requirement for lenders that use consumer report information in
connection with their risk-based credit pricing programs, such as those often used for mortgage
programs and credit card offers. More specifically, lenders that use risk-based pricing underwriting programs
based in whole or in part on credit report information must send a notice to new credit customers or
prospective credit customers when consumer report information affects or could affect the terms of credit
offered to those customers where the offered credit terms are “materially less favorable than the most favorable
terms available to a substantial portion” of the lender’s new customers. This notice requirement does not
apply where: (1) the consumer applied for specific material terms and was granted those terms, unless those
terms were initially specified by the lender after the transaction was initiated by the consumer and after the
lender obtained a consumer report (so, the notice requirement does not apply, for example, to prescreened
offers unless the terms are changed after the consumer responds to the prescreened offer); or (2) the lender has
provided or will provide a required adverse action notice under the FCRA’s existing adverse action provision;
for example, where a consumer’s application is declined or the consumer rejects the lender’s less favorable
counter offer.
The notice is intended to be a concise notice that includes a statement informing the consumer that the terms
offered to the consumer were established, or will be established, based on consumer report information,
identifies the consumer reporting agency that furnished, or will furnish, the report, states that the consumer
may obtain a copy of a consumer report from that consumer reporting agency without charge and provides
the contact information specified by the consumer reporting agency for obtaining such a consumer report.
The FRB and the FTC are directed to prescribe regulations jointly regarding the form, content, time and
manner of delivery of the notice. It is anticipated that lenders will have flexibility in terms of the timing of
providing the notice, including the ability of providing the notice in advance with the application or
otherwise in connection with the application process, unless the FRB and FTC regulations specifically provide
otherwise for that type of credit transaction. Importantly for all banks, and particularly community banks, the
agencies also are directed to develop a model notice for this purpose upon which banks can rely.
The joint regulations issued by the FRB and FTC may affect the level of flexibility, and thus, the compliance
burdens, resulting from this provision. For example, appropriate exceptions and flexible rules could
significantly reduce compliance concerns.
Identity Theft Prevention
The FACT Act includes several new provisions to assist both financial institutions and consumers in
combatting identity theft. These include requirements for fraud alerts on consumers’ credit files, truncating
credit card and debit card account numbers, “red flag” procedures for the identification of possible instances
of identity theft, investigating changes of address and blocking information resulting from identity theft. The
FACT Act preempts state laws governing the conduct of financial institutions in these areas.
Fraud Alerts
Upon the request of a consumer in a manner consistent with the requirements of the FACT Act, a consumer
reporting agency must place a fraud alert on a consumer’s credit file. A fraud alert is defined as a statement in
a consumer’s file that the consumer may be a victim of identity theft or other fraud.
Fraud alerts may be initial or extended alerts. For an initial alert, which can last up to 90 days, the fraud alert
requirements are triggered by the receipt by a consumer reporting agency of a request from a consumer who
asserts in “good faith” a suspicion that he or she has been or is about to become a victim of identity theft. For
initial alerts, if a consumer specifies a telephone number in the alert, the user must contact the consumer at
that number or take reasonable steps to verify the consumer’s identity and confirm that the credit application
is not the result of identity theft.
An extended alert is triggered by the receipt of an identity theft report that is filed by the consumer with an
appropriate federal, state or local law enforcement agency and appropriate proof of the consumer’s identity.
For extended alerts, the user must contact the consumer by telephone or by other reasonable method
designated by the consumer to confirm that the credit application is not the result of identity theft.
When a fraud alert is placed on a consumer’s credit file, the consumer reporting agency is required to inform
the consumer that the consumer may request a free copy of the consumer’s credit report for initial alerts and
two free copies for extended alerts. In addition, a consumer who has a fraud alert on his or her credit file is
excluded from prescreened lists for five years for an extended alert, unless the consumer requests otherwise.
Truncating Credit Card and Debit Card Account Numbers
The FACT Act prohibits any person that accepts credit cards or debit cards from printing the expiration date
or more than the last five digits of the card number upon any terminal-generated receipt provided to the
cardholder at the point of the sale.
Red Flag Guidelines and Regulations
The FACT Act requires the Banking Agencies, the NCUA and the FTC to establish procedures for the
identification of possible instances of identity theft — “red flag” guidelines and regulations. The Banking
Agencies are expected to develop broad guidelines in this area, with the hope that such policies and
procedures will permit variances from institution to institution. These agency guidelines are to be developed
jointly. The FACT Act requires that the policies and procedures established under the “red flag” guidelines
not be inconsistent with the policies and procedures required by Section 326 of the USA PATRIOT Act.
Thus, regulators may permit the same or similar policies and procedures to satisfy both purposes.
Investigating Changes of Address
The FACT Act also requires the Banking Agencies, the NCUA and the FTC to prescribe regulations
applicable to card issuers to require the investigation of changes of address. More specifically, if a card issuer
receives a notice of a change of address for an existing account, and within a short period of time thereafter
(which period must be at least 30 days under the card issuer’s procedures) receives a request for an additional
or replacement card for that same account, the card issuer must follow reasonable policies and procedures
under which the issuer will not issue an additional or replacement card unless the card issuer: (1) notifies the
cardholder of the request at the cardholder’s former address and provides the cardholder a means of promptly
reporting an incorrect address change; (2) notifies the cardholder of the address change request by other
means of communication previously agreed to by the card issuer and the cardholder; or (3) uses other means
of assessing the validity of the address change, “in accordance with reasonable policies and procedures
established by the card issuer” pursuant to the “red flag” guidelines. The Banking Agencies, the NCUA and
the FTC also are required, in connection with developing the “red flag” guidelines, to consider requiring
notice to the account holder when a transaction occurs on a consumer account that has been inactive for more
than two years.
Blocking of Information
The FACT Act requires consumer reporting agencies to block the reporting of information that a consumer
identifies as having resulted from identity theft, after the consumer reporting agency receives appropriate
proof of the consumer’s identity, a copy of an identity theft report, as defined in the new law, and the
identification of the information that resulted from the identity theft. Once this occurs, the consumer
reporting agency must notify the furnisher of the information identified as being the result of identity theft
that the information may be the result of identity theft, that an identity theft report has been filed, that a
block has been placed on reporting that information and the effective date of the block. Under another
provision of this bill, furnishers will have responsibilities to modify, delete or block the future reporting of
such information as appropriate.
Consumer Notification of Reports of Negative Information
The FACT Act requires lenders that report negative information regarding customers to a consumer reporting
agency to notify customers that the lender has reported, or will report, negative information, to consumer
reporting agencies. After the lender provides one such notice to a customer, the lender may submit additional
negative information to the consumer reporting agency with respect to the same transaction, extension of
credit, account or customer without providing additional notices to the customer. The notice must be
provided to the customer prior to, or no later than 30 days after, furnishing the negative information to a
consumer reporting agency. The language of this provision appears sufficiently flexible to permit lenders to
provide a standardized one-time notice to all of its customers before any negative information is reported;
however, if the lender elects to provide the notice in advance, it may not include the notice with its initial
Truth in Lending Act disclosure statement, but can include it with other material sent to customers, such as
with the lender’s GLBA privacy notices. Importantly for all banks, and particularly community banks, the
FRB is directed to develop a brief model disclosure of no more than 30 words that an institution may use in
order to comply with the notice requirements.
Duties of Furnishers of Information
The FACT Act requires the Banking Agencies, the NCUA and the FTC to establish guidelines and prescribe
regulations requiring financial institutions and other furnishers to establish reasonable policies and procedures
regarding the accuracy and integrity of information reported to consumer reporting agencies. The agencies are
to develop separate regulations on a functional basis, but are directed to coordinate in order to achieve
consistent regulations.
The FCRA prohibits furnishers from reporting information with knowledge that it is not accurate. The
FACT Act modifies the standard for furnishers in the FCRA from “knows or consciously avoids knowing that
the information is inaccurate” to “knows or has reasonable cause to believe that the information is
inaccurate.” The FACT Act defines the phrase “reasonable cause to believe that the information is inaccurate”
as “having specific knowledge, other than solely allegations by the consumer, that would cause a reasonable
person to have substantial doubt about the accuracy of the information.”
In addition, the FACT Act requires furnishers to have in place reasonable procedures to respond to a notice
from a consumer indicating an identity theft-related dispute regarding information that the entity furnished
to a consumer reporting agency. Consumers also are given the ability to dispute directly with a furnisher other
information furnished to consumer reporting agencies in those circumstances identified in regulations to be
developed by the Banking Agencies, the NCUA and the FTC. Under such identified circumstances, if a
consumer disputes directly with a furnisher information that was reported to a consumer reporting agency,
the furnisher must conduct an investigation of the disputed information provided by the consumer, review all
relevant information provided by the consumer and report the results of the investigation to the consumer
reporting agency — all within the time frame that would apply if the dispute was submitted directly to the
consumer reporting agency. If the investigation finds that the information is inaccurate, the furnisher must
promptly notify each consumer reporting agency to which the furnisher supplied information and provide
any correction to that information necessary to make the information accurate.
Limitation on Liability and Enforcement
Although the FACT Act has created new requirements, the FACT Act also limits the liability and
enforcement of certain of these additional requirements. For example, there is no private right of action for a
violation of the new furnisher responsibilities or the risk-based pricing requirements. In addition, these
requirements are subject only to administrative enforcement, and enforcement through injunctions and fines,
resulting from a violation of the injunction, in actions brought by State Attorneys General.
Other Sections of Interest
The FACT Act also addresses other areas of importance to banks. Among them: (1) Disclosures of credit scores
— mortgage lenders must provide to mortgage applicants either a credit score created by a consumer
reporting agency or a credit score the lender developed or used; (2) Blocking identity theft-related information
— furnishers of information must have reasonable procedures to stop re-reporting information identified by
consumer reporting agencies as related to identity theft; and (3) Requirement to provide identity theft victims
account information — financial institutions must provide to identity theft victims information related to the
accounts opened by an identity thief. You should review the section-by-section summary for more
information.
Fair and Accurate Credit Transactions Act of 2003
Detailed Review
Prepared by Morrison & Foerster LLP
I. National Uniformity Provisions
A. Relation to State Law (Title VII, § 711)
1. Existing Seven FCRA National Uniformity Provisions
This section of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) amends section 625
(previously section 624) of the Fair Credit Reporting Act (“FCRA”) to eliminate the January 1, 2004 sunset
provision contained in the current FCRA and makes the existing uniform national standards — that is, the
preemption of state laws — permanent. The subject matters covered by the existing national uniform
provisions are: (1) the information that may be included in consumer reports; (2) the responsibilities of
persons who furnish information to consumer reporting agencies; (3) the duties of persons to provide adverse
action notices to consumers in connection with the use of consumer reports; (4) the procedures a consumer
reporting agency must use if a consumer disputes the accuracy of information; (5) prescreening activities
involving the use of consumer reports for credit or insurance transactions not initiated by consumers; (6) the
exchange of information among affiliated institutions; and (7) the form or content of the summary of rights
required to be provided by a consumer reporting agency to a consumer when a consumer reporting agency
provides the consumer with information in the consumer’s credit file.
2. Identity Theft National Uniformity
The FACT Act also amends renumbered section 625 of the FCRA to provide for national uniformity for all
of the nine identity theft prevention and mitigation provisions specified in the legislation. More specifically,
the new national uniformity provision applies to fraud alerts, “red flag” guidelines, the blocking of
information resulting from identity theft, the truncation of credit card and debit card account numbers, the
truncation of social security numbers, prohibition of the sale or transfer of debt caused by identity theft,
notice by debt collectors of fraudulent information, coordination of identity theft complaint investigations
and prevention of repollution of consumer reports. However, the national uniformity provision does not
apply to state laws that are outside of the nine areas covered by the statute or the resulting federal agency
regulations, such as state laws governing the sale or use of social security numbers, alerts for data base hackings
or increased criminal penalties for identity theft perpetrators.
Under this new national uniformity provision, no state, and no jurisdiction within a state, may add to, alter
or affect the rules established by the statute in any of these nine areas, nor may any state, or jurisdiction
within a state, add to, alter or affect the rules established by any of the regulations adopted in these nine areas.
All of the statutory and regulatory provisions establishing rules and requirements governing the conduct of
any person in these nine specified areas are governed solely by federal law and any state action that attempts to
impose requirements or prohibitions in these areas would be preempted. For example, no state may pass a law
regarding fraud alerts or the identification of customers or prospective customers in connection with credit
transactions for identity theft prevention or other anti-fraud purposes.
3. Other National Uniformity Provisions
The FACT Act also adds new national uniformity provisions for other key areas of the law. Specifically,
national uniformity will govern the duties of lenders to provide notice in connection with credit transactions
under the new FCRA risk-based pricing provision. The legislation also clarifies that national uniformity
governs the new requirements with respect to the use of information received from an affiliate to make
solicitations for marketing purposes. In fact, there are now two preemption provisions applicable to such
activities. In addition, national uniformity applies to provisions addressing the summary of rights of
consumers to obtain and dispute information in consumer reports, the right to obtain credit scores, the
summary of rights of identity theft victims, and the obligation to provide certain records to identity theft
victims.
II. Affiliate Sharing (Title II, § 214)
The current FCRA permits the sharing of identification information and transaction and experience
information between and among affiliates under all circumstances. In addition, the FCRA permits the sharing
of consumer report information among affiliates if the consumer is first given notice and an opportunity to
opt out of such sharing. Accordingly, for example, once a lender obtains a consumer report for a permissible
purpose, the FCRA permits the lender to share that information with an affiliate, provided the consumer is
given notice and the opportunity to opt out of the sharing and the consumer does not opt out.
The FACT Act adds a new section 624 to the FCRA providing that an institution that receives consumer
report or experience information from an affiliate may not use that information to make a marketing
solicitation to that consumer about the products or services of that institution, unless it is clearly and
conspicuously disclosed to the consumer that information received from affiliates may be used for marketing
purposes and the consumer is given an opportunity and simple method to opt out of such marketing
solicitations. The notice must allow the consumer to prohibit all such marketing solicitations based on
affiliate information, and may (at the institution’s option) allow the consumer to choose from different
options when opting out. Under this new section, the opt-out notice may be provided to the consumer
together with disclosures required by any other provision of law, such as the Federal Gramm-Leach-Bliley Act
(“GLBA”), and the effective date of this provision is intended to allow initial opt-out notices under this
section to be sent with a financial institution’s next GLBA notice after the effective date of the regulations
promulgated under the section. The consumer’s election to opt out is effective for at least five years,
beginning on the date the person receives the consumer’s election, unless the consumer revokes the opt out.
After the expiration of the five-year period, the consumer must receive another notice and similar opt-out
opportunity before the affiliate can send such marketing solicitations to the consumer. Of course, if the
affiliate elects not to send such solicitations, no new notice is required.
There are a number of exceptions to the notice and opt-out requirements for the use of affiliate information
to make marketing solicitations. For example, the opt out does not apply to a bank using affiliate information
to send marketing solicitations to a consumer if the bank already has a pre-existing business relationship with
that consumer. A bank that has a pre-existing business relationship with the consumer can send a marketing
solicitation to that consumer on its own behalf or on behalf of another affiliate or a third party. A pre-existing
business relationship exists between a financial institution and a consumer when the consumer: (1) has a
financial contract with the institution; (2) purchases, rents or leases goods or services from the institution, or a
financial transaction has occurred, or an account has existed between the consumer and the institution during
the 18-month period immediately preceding the date on which the consumer is sent a solicitation; or (3)
makes an inquiry or application regarding a financial institution’s products or services during the three-month
period immediately preceding the date on which the consumer is sent a solicitation. Regulators may also add
to the list of circumstances where a “pre-existing business relationship” may exist for purposes of this section.
Specifically, a “pre-existing business relationship” includes a relationship based on “a financial transaction
(including holding an active account . . . or having another continuing relationship).” For these purposes, an
“active account” should include any account for which a consumer regularly receives statements, even if there
have been no recent transactions, such as a securities brokerage, bank, or variable annuity account of a
consumer who does not engage in frequent transactions. Similarly, a bank customer who holds a multi-year
certificate of deposit in his or her name could be deemed to have an “active account” for these purposes, even
if no other transaction was conducted until the CD matured, and so might a customer with a dormant card
account or home equity line of credit. These examples may also be swept into the pre-existing business
relationship definition if they are considered an in-force “financial contract” between the consumer and the
institution.
In addition, the opt out does not apply to an entity using information to facilitate communications with an
individual for whose benefit the entity provides employee benefit or other services pursuant to a contract with
an employer related to and arising out of the current employment relationship of the individual participant or
beneficiary of an employee benefit plan.
The opt out also does not apply to the use of affiliate information to perform services on behalf of an affiliate,
unless the affiliate could not send the solicitation itself because of a consumer opt out. Accordingly, one
affiliate can send a marketing solicitation on behalf of another affiliate that has a pre-existing business
relationship with the consumer regarding the products or services of the affiliate with the pre-existing business
relationship or another affiliate that does not have such a relationship except for the affiliate doing the mailing.
Also, the opt out does not apply to an institution responding to a communication initiated by the consumer,
or to make solicitations authorized or requested by the consumer.
Each of these exceptions operates independently of the others. For example, a solicitation described in the
first exception involving pre-existing consumers, such as a bank providing a statement stuffer about products
or services of an affiliate to a consumer with whom the bank has a pre-existing business relationship, would be
permitted without regard to the new FCRA affiliate solicitation notice and opt-out requirements. Because
such a solicitation is covered by the first exception, the solicitation would be permitted without regard to the
new notice and opt-out requirements even if the solicitation were not covered by one of the other exceptions
in the new section.
In addition, this new section does not affect the use of information to make marketing solicitations if that
information was received, either directly by the affiliate or by the holding company’s affiliate sharing data
base, before the effective date of the regulations implementing this section. Furthermore, the section makes
clear that any state law that relates to the exchange and use of information from an affiliate to make a
solicitation for marketing purposes is preempted. In fact, there are now two separate preemption provisions
applicable to this same activity.
The Federal banking agencies, the National Credit Union Administration (“NCUA”), the Securities and
Exchange Commission, and the Federal Trade Commission (“FTC”) are directed to prescribe regulations to
implement this new section. These agencies also must jointly conduct studies periodically of the information
sharing practices of affiliates of financial institutions and other persons who are lenders or otherwise use
consumer reports. In doing so, the agencies must consider: the purposes of information sharing; the types of
information being shared; the number of consumer choices with respect to such sharing; whether entities
share or may share personally identifiable transaction or experience information with affiliates for purposes
related to employment or hiring and the specific uses of such shared information; and the information sharing
practices that financial institutions, lenders and other users of consumer reports and their affiliates employ for
purposes of making underwriting decisions or customer credit evaluations. The agencies also are directed to
examine the information sharing practices that affiliates employ for the purpose of making credit
underwriting decisions regarding consumers. The agencies must make an initial report of their findings to
Congress within three years, and must make subsequent reports every three years thereafter of the effects of
any changes in the affiliate information sharing practices of financial institutions and other users of consumer
reports.
The section also expressly provides that any notice required by the new affiliate sharing provision may be
included with other disclosures required by law, such as GLBA privacy notices. Specifically, the section
provides that the regulations implementing the new affiliate sharing provision shall be issued not later than
nine months after the date of enactment of the legislation and become effective not later than six months
thereafter. Read together, these two provisions likely mean that the initial notice to be
sent to the consumer after the effective date of the regulations could be delayed to allow the institution to
send such notice in the next regularly scheduled mailing to that consumer of another legally required
disclosure to that consumer, such as the next annual GLBA privacy notice.
Importantly, as noted above, the FACT Act also clarifies that the FCRA preempts state laws on the use of
information received from an affiliate to make solicitations for marketing purposes.
III. Risk-Based Pricing Notice (Title III, § 311)
The existing FCRA requires lenders to provide an “adverse action” notice to a consumer when a consumer
credit application is declined, or the consumer rejects the lender’s less favorable counter offer, and such action
is based in whole or in part on information from a consumer report. The adverse action notice identifies the
consumer reporting agency that furnished the consumer report, and informs the consumer of the right to
obtain a copy of a consumer report from that agency and of the consumer’s right to dispute the information’s
accuracy.
This section of the FACT Act establishes a new notice requirement for lenders that use consumer report
information in connection with a risk-based credit underwriting process for new credit customers. More
specifically, if a lender grants credit to a new credit customer “on material terms that are materially less
favorable than the most favorable terms available to a substantial proportion of [the user’s] consumers” based
on information from a consumer report, the lender must give the consumer a notice stating that the lender
will use or has used consumer report information. Nothing in the section, however, precludes a lender from
providing such a notice to all of its new credit customers, such as in a loan approval letter or other
communication that the credit has been granted. Such a notice is not required, however, if the consumer
applied for specific material terms and was granted those terms and those terms are not changed after the
consumer responds to the credit offer; thus, for example, the provision does not apply to prescreened offers
unless the terms are changed after the consumer responds to the offer. Also, such a notice is not required if the
person has provided or will provide a traditional FCRA adverse action notice in connection with an
application that is declined or a counter offer that is rejected by the consumer. In addition, the lender is
provided with flexibility in the timing of providing such notice, including the potential ability to provide the
notice at or before providing the consumer with an application or otherwise in connection with the
application process, except where the regulations issued under this section specifically provide otherwise.
The notice is intended to be a concise notice that includes: a statement that the terms offered are based on
information from a consumer report; the name of the consumer reporting agency or agencies used by the
lender; a statement that the consumer may receive a free consumer report from the consumer reporting
agency; and the consumer reporting agency’s contact information for obtaining a free credit report. The
lender is not required to tell the consumer that it has taken or may take any unfavorable action, only that it
will use or has used credit information in the underwriting process.
The FTC and Federal Reserve Board (“FRB”) are directed to jointly prescribe rules to carry out this section.
The rules are to address the form, content, time, and manner of delivery of the notice; the meaning of the
terms used in the section; exceptions to the notice requirement; and a model notice. Lenders also are given a
good faith compliance provision and the section is only subject to administrative enforcement by the
appropriate Federal agencies.
This section also adds a national uniformity provision prohibiting any state from imposing any requirement
or prohibition relating to the duties of users of consumer reports to provide notice with respect to such credit
transactions.
IV. Furnisher Responsibilities (Title III, § 312)
A. Procedures to Enhance Accuracy and Integrity
This section of the FACT Act directs the Federal banking agencies, the NCUA and the FTC to establish
guidelines for use by furnishers to enhance the accuracy and integrity of the information they furnish to
consumer reporting agencies. The agencies also are directed to prescribe regulations requiring furnishers to
establish reasonable policies and procedures for implementing the new guidelines. In developing the
guidelines, the agencies are instructed to: identify patterns, practices, and specific forms of activity that can
compromise the accuracy and integrity of the information furnished; review the methods used to furnish
information; determine whether furnishers maintain and enforce policies to furnish accurate information; and
examine the policies and processes that furnishers employ to conduct investigations and correct inaccurate
information.
In addition, the FACT Act modifies the standard in the FCRA regarding the duty of furnishers to provide
accurate information. The FCRA prohibits furnishers from reporting information with knowledge that it is
not accurate. The existing standard in section 623(a)(1) of the FCRA, “knows or consciously avoids knowing
that the information is inaccurate,” is replaced with a revised standard of “knows or has reasonable cause to
believe that the information is inaccurate.” The new standard, “knows or has reasonable cause to believe that
the information is inaccurate,” is defined in the statute itself to mean “having specific knowledge, other than
solely allegations by the consumer, that would cause a reasonable person to have substantial doubts about the
accuracy of the information.”
The FACT Act also enables a consumer to dispute the accuracy of the information furnished to a nationwide
consumer reporting agency directly with the furnisher under certain circumstances. Specifically, the Federal
banking agencies, the NCUA and the FTC are required to jointly prescribe regulations that identify those
circumstances under which a furnisher is required to reinvestigate a dispute concerning the accuracy of
information contained in a consumer report, based on the consumer’s request submitted directly to the
furnisher, rather than through the consumer reporting agency. Because the section authorizes a consumer to
submit a dispute directly to the furnisher, it is not to be used by credit repair clinics to submit disputes on
behalf of one or more consumers.
A consumer who seeks to dispute the accuracy of information must: provide a dispute notice directly to the
furnisher at the mailing address specified by the person; identify the specific information disputed; explain the
basis for the dispute; and include all supporting documentation needed by the furnisher to substantiate the
basis of the dispute. Upon receipt of a consumer’s notice of dispute, the furnisher has specified responsibilities
similar to those already in place today if the consumer’s dispute had been initiated with a consumer reporting
agency. The furnisher must: conduct an investigation of the disputed information; review all relevant
information provided by the consumer with the notice; and complete the investigation and report the results
to the consumer before the expiration of the period under section 611(a)(1) “within which a consumer
reporting agency would be required to complete its action if the consumer had elected to dispute the
information under that section.” Accordingly, for example, where the consumer reporting agency would have
had 30 days to complete the investigation of a dispute if the dispute were submitted to the consumer
reporting agency, the furnisher would have 30 days as well. Similarly, where the consumer reporting agency
has 45 days to complete its reinvestigation of a consumer dispute because the consumer has requested a
consumer report through the centralized system under section 612, the furnisher also would have the 45 days
to complete its investigation if the consumer has requested a consumer report through the centralized system
and then disputed information on that consumer report directly with the furnisher. In addition, if the
investigation finds that the information reported was inaccurate, the furnisher must promptly notify each
consumer reporting agency to which that information was furnished and provide the agency with any
correction necessary to make the information accurate.
The furnisher requirements do not apply if the furnisher receiving a notice of a dispute directly from a
consumer reasonably determines that the dispute is frivolous or irrelevant. Upon making such a
determination, the furnisher must notify the consumer of this determination within five business days after
making the determination, by mail, or if authorized by the consumer for that purpose, by any other means
available to the furnisher. The notice provided to the consumer must include the reasons for the
determination.
Section 623 of the FCRA also is amended to clarify liability and enforcement under the FCRA. Specifically,
the general FCRA requirements that furnishers of information are not subject to civil liability remain, other
than the existing 623(b) reinvestigation provision. As such, the new requirements must be administratively
enforced. Moreover, section 623 is expanded to provide that “Except as provided in section 621(c)(1)(B),
sections 616 and 617 do not apply to: (1) any violation of” the furnisher responsibilities under section 623(a),
which includes the new furnisher responsibilities regarding disclosures about the reporting of negative
information and any potential direct inquiries to the furnisher; (2) the accuracy guidelines and regulations
under section 623(e); (3) the red flag guidelines and regulations under section 615(e); and (4) the
requirements dealing with the prohibition of the sale or transfer of a debt caused by identity theft under
section 615(f). As a result, the various sections cited in section 312(e) will be subject to the administrative
enforcement mechanisms provided under the FCRA, and such mechanisms represent the exclusive
remedy for violations of these sections. A similar rule applies to other sections of the legislation that limit
enforcement remedies to those administrative remedies set forth under the FCRA, including section 151,
which adds a new section 609(e) relating to assistance to identity theft victims and section 311, involving risk-based pricing notices.
The FACT Act also provides for preemption with respect to the rights of consumers to obtain and dispute
information in consumer reports.
B. Prevention of Repollution of Consumer Reports (Title I, § 154)
The FACT Act amends section 623 of the FCRA to require companies that furnish information to consumer
reporting agencies to have reasonable procedures in place to respond to notification from a consumer
reporting agency that information they furnished to the agency has been blocked because it resulted from
identity theft, so that the furnisher will not refurnish this information. Similarly, if a consumer submits an
“identity theft report” (as defined under the FACT Act) directly to a furnisher and the consumer states that
the information resulted from identity theft, the furnisher may not later furnish the information to any
consumer reporting agency, unless the furnisher subsequently knows or is informed by the consumer that the
information is correct.
This section also prohibits an institution from selling, transferring or placing for collection a debt that the
entity has been notified is identity theft-related. This prohibition applies to any entity collecting a debt after
the date it is notified that the information resulted from identity theft. However, this prohibition does not
apply to: the repurchase of a debt where the assignee of the debt requires such repurchase because the debt
results from identity theft; the public or private securitization of debt or the pledge of a portfolio of debt as
collateral in another financing transaction; or the transfer of debt as a result of a merger, acquisition, purchase
and assumption transaction or transfer of substantially all of the assets of an entity.
The FACT Act also provides for preemption with respect to the prevention of repollution of consumer
reports and the prohibition of the sale or transfer of debt caused by identity theft.
C. Improved Disclosure of the Results of Reinvestigation (Title III, § 314)
The FACT Act amends sections 611 and 623 of the FCRA to require consumer reporting agencies to
promptly delete information from a consumer’s file, or modify that item of information as appropriate, if the
information is found to be inaccurate, and to promptly notify the furnisher that the information has been
modified or deleted from the consumer’s file. In addition, this section requires that if, upon
completion of a reinvestigation, the information is found to be inaccurate or incomplete or cannot be verified,
the furnisher must modify the item of information, delete the information or block the reporting of that information.
V. Identity Theft Provisions
A. Fraud Alerts and Active Duty Alerts (Title I, § 112)
The FACT Act adds a new section 605A to the FCRA establishing three instances where consumers or
military personnel can direct a nationwide consumer reporting agency to include a fraud alert or an active
duty alert in each consumer report furnished on those consumers. Fraud alerts must clearly and conspicuously
notify users of consumer reports that the consumer may have been a victim of identity theft or other fraud, or
is on active duty in the military, so that the users may verify the identity of the consumer before establishing a
new credit plan or new loan obligation in the name of the consumer.
Upon request of a consumer who asserts in good faith that he or she has been, or is about to become, a victim
of fraud, a nationwide consumer reporting agency that maintains a file on the consumer and that has received
appropriate proof of the consumer’s identity must include an initial alert in the consumer’s file for a
minimum of 90 days, unless the consumer revokes the alert before the expiration of the 90-day period. The
request to place a fraud alert on a consumer’s file may come directly from the consumer or the request may
come from an individual acting on behalf of or as a personal representative of the consumer. This is intended
to allow a consumer’s spouse, for example, to request a fraud alert for the consumer, but it does not permit
credit repair clinics to request fraud alerts on behalf of one or more consumers. In the context of an initial
alert, the national consumer reporting agency also must inform the consumer of the right to request a credit
report without charge during the 12-month period beginning on the date the fraud alert is inserted into the
consumer’s file. The consumer reporting agency also must provide the consumer with all of the disclosures
required to be made under section 609, within three business days of the consumer’s request to do so.
In addition, if the consumer qualifies for an extended alert by providing the nationwide consumer reporting
agency with an identity theft report regarding the consumer and appropriate proof of the consumer’s identity,
the nationwide consumer reporting agency must include an extended alert in the consumer’s file for a seven-year period beginning on the date of the consumer’s request, unless the consumer revokes the alert before the
expiration of that period. An identity theft report is a defined term contemplating a police report or other
similar document obtained from an appropriate law enforcement agency. The consumer reporting agency also
must inform the consumer of the right to request two free credit reports during the 12-month period
beginning on the date the fraud alert is inserted into the consumer’s file. In addition, the consumer reporting
agency must provide the consumer with all of the disclosures required to be made under section 609, within
three business days of the consumer’s request to do so. A consumer making a request for an extended alert
also must be excluded from lists used to make prescreened offers of credit or insurance for five years. Again,
the request for the alert may be made by the consumer directly or by the consumer’s representative, but not
by a credit repair clinic.
Upon request by active duty members of the military, after receiving appropriate proof of the consumer’s
identity, a nationwide consumer reporting agency must include an active duty alert in the consumer’s file for
at least one year and must exclude the consumer from lists used to make prescreened offers of credit or
insurance for two years.
Nationwide consumer reporting agencies must establish policies and procedures to comply with this section,
including procedures under which consumers may request such fraud alerts and active duty alerts in an easy
and simple manner. Also, when a nationwide consumer reporting agency receives a request for a fraud alert or
an active duty alert, the agency must pass along the alert request to the other nationwide consumer reporting
agencies, which must include a similar alert in any files they maintain on that consumer. Consumer reporting
agencies that do not operate on a nationwide basis must provide consumers who express concern over possible
identity theft or other fraud with contact information for the FTC and the nationwide consumer reporting
agencies.
The FACT Act also provides for preemption with respect to fraud alerts.
B. Obligation of Users Upon Receipt of Alerts (Title I, § 112)
Users who obtain a consumer report that includes a fraud alert or an active duty alert are thereby alerted that
the consumer may be a victim of identity theft or on active military duty and, therefore, the user must utilize
reasonable policies and procedures to form a reasonable belief that the user knows the identity of the person.
The FACT Act applies different standards to initial/active duty alerts and extended alerts. If the consumer
report includes an initial alert or an active duty alert, a lender must use reasonable policies and procedures to
form a reasonable belief that the lender knows the identity of the person making the request, such as by
contacting the consumer using the telephone number designated by the consumer in the fraud alert or taking
other reasonable steps to verify the consumer’s identity and confirm that the application for a new credit plan,
a credit line increase requested by the consumer or a supplemental card requested by the consumer is not the
result of identity theft. If the consumer report includes an extended alert, a lender must contact the consumer,
either in person (such as in a bank branch or a retail store location), by telephone, or through another
reasonable contact method designated by the consumer, to verify the consumer’s identity and confirm that
the application for a new credit plan, a credit line increase requested by the consumer or a supplemental card
requested by the consumer is not the result of identity theft.
C. Truncation of Credit Card and Debit Card Account Numbers (Title I, § 113)
Under this new section of the FCRA, persons who accept credit cards and debit cards in business transactions
are directed to print no more than the last five digits of the card account number, and to exclude the
expiration date, on any electronically printed receipt provided to the cardholder at the point of the sale or
other transaction. This requirement becomes effective three years following enactment for cash registers or
other machines that electronically print receipts that are in use before January 1, 2005, and one year after the
date of enactment for such cash registers or other machines that are first put into use on or after January 1,
2005. The new truncation requirement only applies to electronically printed receipts — not to handwritten
receipts or receipts imprinted with a copy of the card.
The FACT Act also provides for preemption with respect to the truncation of credit card and debit card
account numbers.
D. Establishing Procedures for Identification of Possible Identity Theft (Title I, § 114)
1. Red Flag Guidelines
The Federal banking agencies, together with the NCUA and the FTC, are directed to establish and maintain
guidelines for use in identifying patterns, practices and specific forms of activity that indicate the possible
existence of identity theft. These agencies also must prescribe regulations under which the institutions they
supervise are required to establish and adhere to reasonable policies and procedures for implementing the
guidelines. The policies and procedures established under this section are not to be inconsistent with the
policies and procedures required by Section 326 of the USA PATRIOT Act.
2. Change of Address
The Federal banking agencies, the NCUA and the FTC are directed to prescribe regulations applicable to
issuers of credit cards and debit cards to ensure that if a card issuer receives a request for an additional or
replacement card for an existing account, within a short period of time after receiving notification of a change
of address for the same account (the statute specifies that this period must be at least 30 days), the card issuer
will follow reasonable policies and procedures to ensure that the additional or replacement card is not issued
to an identity thief. Specifically, the card issuer may issue an additional or replacement card if the issuer
follows one of three procedures: notify the cardholder of the request at the cardholder’s former address and
provide a means of promptly reporting an incorrect address change; notify the cardholder of the request in a
manner that the card issuer and the cardholder previously agreed to; or otherwise assess the validity of the
cardholder’s change of address in accordance with reasonable policies and procedures established by the card
issuer pursuant to the “red flag” guidelines applicable to the card issuer.
The Federal banking agencies, the NCUA and the FTC also are directed to consider whether to include in the
“red flag” guidelines instructions for institutions to follow when a transaction occurs on a credit or deposit
account that has been inactive for more than two years in order to reduce the likelihood of identity theft.
The FACT Act also provides for preemption with respect to the “red flag” guidelines.
E. Authority to Truncate Social Security Numbers (Title I, § 115)
A consumer reporting agency must honor a consumer’s request to truncate the first five digits of the
consumer’s social security or other identification number when providing the consumer with a copy of the
information in the consumer’s credit file under section 609 of the FCRA. Before doing so, the consumer
reporting agency must receive proof of the consumer’s identity. This truncation requirement only applies to
consumer reports provided to consumers, and not to reports provided to lenders and other users.
The FACT Act also provides for preemption with respect to the truncation of social security numbers.
F. Summary of Rights of Identity Theft Victims (Title I, § 151)
The FTC, in consultation with the Federal banking agencies and the NCUA, is directed to prepare a model
summary of the rights of consumers under the provisions of the FCRA designed to remedy the effects of
identity theft and other financial fraud. A consumer reporting agency must provide a copy of this model
summary of rights to each consumer who contacts the agency and indicates that he or she may be a victim of
identity theft or other fraud. The obligation to provide the notice begins 60 days after the FTC prescribes the
final form of the model summary. The FTC also must develop and implement a media campaign to educate
the public on how to prevent identity theft.
The FACT Act also provides for preemption with respect to the summary of rights of identity theft victims.
G. Obligation to Provide Records to Victims (Title I, § 151)
A financial institution or other entity that provides credit to an identity thief, or another person who allegedly
has made unauthorized use of a victim’s identification, must provide upon the victim’s request a copy of the
application and business transaction records evidencing the transaction under the institution’s control within
30 days after the victim’s request. The records are to be provided directly to the victim or to a law
enforcement agency authorized by the victim to receive the records. The institution or other entity can
require proof of the identity of the victim and of the claim of identity theft, including a police report and an
affidavit of identity theft developed by the FTC or otherwise acceptable to the institution. In certain
circumstances, an institution may decline to provide such information; for example, if in the exercise of good
faith, the institution determines that the request for information is based on a misrepresentation of facts by
the alleged victim. Importantly, the provision does not impose a requirement that institutions retain any
records; instead, the obligation only applies to applications and transaction records that the institution already
is retaining under its otherwise applicable record retention policy. This section does not require an institution
to provide records that do not exist or are not reasonably available. Records that are not reasonably available
include those that are not easily retrieved. To the extent that records, such as periodic statements listing
transactions made on a credit or deposit account, are easily retrieved, those records should be provided. An
institution is not required to produce records not within its direct control or not maintained by another entity
on its behalf.
The FACT Act also provides for preemption with respect to the obligation to provide records to victims.
H. Blocking Information Resulting from Identity Theft (Title I, § 152)
Under this section, consumer reporting agencies are required to block the reporting of information in a
consumer’s file that the consumer identifies as resulting from identity theft. The consumer must supply the
consumer reporting agency with appropriate proof of his or her identity and a copy of an identity theft report,
and must identify the information to be blocked; namely, the information that resulted from the identity
theft. The consumer reporting agency must block the information within four business days, and must notify
the furnisher of the information that the information may have resulted from identity theft, that an identity
theft report has been filed, that a block on reporting the information has been requested and the effective date
of the block.
The FACT Act also provides for preemption with respect to the blocking of information resulting from
identity theft.
I. Coordination of Identity Theft Investigations (Title I, § 153)
Nationwide consumer reporting agencies are required to develop and maintain procedures for the referral of
consumer complaints alleging identity theft or requesting a fraud alert to the other nationwide consumer
reporting agencies. The FTC is directed to create a model form to be used by consumers for reporting identity
theft; the model form is to be developed in consultation with the Federal banking agencies and the NCUA.
Also, each nationwide consumer reporting agency must submit to the FTC an annual summary report of
consumer identity theft complaints and fraud alert requests received by the consumer reporting agency.
The FACT Act also provides for preemption with respect to the coordination of identity theft complaint
investigations.
J. Notice by Debt Collectors of Fraudulent Information (Title I, § 155)
The FCRA is amended to require third-party debt collectors, as defined under the Federal Fair Debt
Collection Practices Act, who are notified by the consumer that the debts they are attempting to collect may
be the result of identity theft or other fraud, to notify the third party on whose behalf they are collecting the
debt that the information may be the result of identity theft or fraud.
The FACT Act also provides for preemption with respect to notice by debt collectors of fraudulent
information.
VI. Improvement of Credit Report Files
A. Free Credit Reports (Title II, § 211)
The FACT Act amends section 612 of the FCRA to empower consumers to receive a free consumer report
annually from each of the nationwide consumer reporting agencies, as defined in subsections 603(p) and
603(z) of the FCRA. The consumer’s request for receipt of a report from a subsection 603(p) agency may be
made by mail or through an Internet website to a centralized system established in accordance with an FTC
rulemaking. The nationwide consumer reporting agencies must provide the report to the consumer within 15
days. Any disputes raised by a consumer who receives a free report under this section must be reinvestigated
within 45 days after the consumer raises the dispute, which is a 15-day increase over the 30-day
reinvestigation time frame that would otherwise apply. In addition, the FTC is directed to prepare a model
summary of the rights of consumers under the FCRA, including: the right to obtain a free consumer report
annually and the method of doing so; the right to dispute information in the consumer’s credit file; and the
right to obtain a credit score and the method of doing so. The FTC also is directed to publicize actively the
availability of the summary of rights, and make the summary available to consumers promptly upon request.
In addition, the FTC is granted the authority to require regional consumer reporting agencies to comply with
this section, and the FTC also can develop exceptions to this requirement where appropriate given the
business activities of consumer reporting agencies and for new consumer reporting agencies.
B. Credit Scores (Title II, § 212)
This section amends the FCRA to require consumer reporting agencies to provide credit score information to
consumers on request. The information provided would include: the consumer’s most recent credit score; the
range of possible credit scores; four key factors that adversely affected the score including inquiries; the date
the score was created; and the name of the person that provided the credit score or the credit file on which it
was based. Credit scores are to be derived from models that are widely distributed to users or to assist
consumers in understanding credit scoring. Credit scores do not include mortgage scores or automated
underwriting systems that consider factors other than credit information, such as loan-to-value ratio. A
consumer reporting agency is not required to develop or disclose scores if it does not distribute scores that are
used in connection with residential mortgage lending or scores that assist lenders in understanding and
predicting consumer credit balances. A consumer reporting agency is not required to explain scores developed
by another person, although it must provide a consumer with information to enable a consumer to contact
the person who developed the score. Unlike the provision relating to free credit reports, consumer reporting
agencies may charge a reasonable fee for disclosure of a credit score. If a consumer requests a credit report, but
does not request a credit score, the consumer reporting agency must inform the consumer that the consumer
also may obtain a credit score.
Any person who uses a credit score to make or arrange consumer credit secured by one to four units of
residential real property must provide the consumer with credit scoring information obtained from a
consumer reporting agency that the consumer reporting agency would be required to disclose to the
consumer, together with a special notice explaining the use of credit scores and how the consumer may obtain
credit score information. This requirement for credit score disclosures by entities other than consumer
reporting agencies does not apply to other types of lending transactions; in such cases, it is the consumer
reporting agency that must disclose the score. Also, a lender would not be required to disclose a proprietary
credit score and instead would be able to arrange for disclosure of a widely available credit score. If a person
uses an automated underwriting system, it may meet its disclosure responsibility by disclosing a credit score
and associated key factors provided by a consumer reporting agency. A person that uses a credit score that is
not provided by a consumer reporting agency may meet its disclosure obligation by disclosing the credit score
from a consumer reporting agency, together with the associated key factors. A person has no liability for the
content of information provided by a consumer reporting agency. Also, any contractual provision that would
prohibit the disclosure of a credit score required by this section is void.
This section also requires a consumer reporting agency to include in any disclosure of a credit score or other
risk predictor, where a key factor that adversely affected the credit score was the number of inquiries, a clear
and conspicuous statement that inquiries were a key factor, and a copy of the consumer’s credit score, along
with the key factors, if any, that adversely affected the score.
This section also includes a national uniformity provision that prohibits any state from regulating the
provision of credit scores to consumers, except that certain specified existing state laws regulating such credit
score disclosures are grandfathered.
C. Enhanced Disclosure on Opt Out of Prescreened Lists (Title II, § 213)
The FACT Act amends section 615 of the FCRA to direct the FTC, in consultation with the Federal banking
agencies and the NCUA, to develop regulatory guidance concerning the format and type size of the opt-out
notification for prescreened solicitations. In addition, section 604 is amended to extend the effective period of
the opt out from two to five years. This section further directs the FRB to study and report to Congress on
the ability of consumers to opt out of receiving unsolicited written offers of credit or insurance and the impact
further restrictions on these offers would have on consumers.
D. Requirement to Disclose Communications to a Consumer Reporting Agency (Title II, § 217)
The FACT Act amends section 623(a) of the FCRA to add a new paragraph requiring financial institutions
that extend credit and regularly furnish information to a consumer reporting agency and that furnish negative
information to a consumer reporting agency regarding credit extended to a customer, to provide a written
notice of the furnishing of negative information to that customer. The section makes clear that after providing
this notice, the financial institution may submit additional negative information to a consumer reporting
agency with respect to that same transaction, extension of credit or account or with respect to the same
customer without providing any additional notices to the customer. Also, the section makes clear that
providing such a notice does not require an institution to report any negative information.
The notice must be provided to the customer either before negative information is reported or within 30 days
after negative information is reported to the consumer reporting agency. If the notice is provided to the
customer before any negative information is reported to a consumer reporting agency, the notice may not be
included with the initial disclosures provided under the federal Truth in Lending Act. This notice
requirement affords financial institutions flexibility in terms of providing this notice with other disclosures,
such as a notice of default, a billing statement or any other material provided to the customer, except with the
initial Truth in Lending Act disclosures. The notice must be clear and conspicuous. The FRB is directed to
develop a brief model disclosure of no more than 30 words that an institution may use in order to comply
with the notice requirements. A financial institution is not required to use the model notice, but ensures
compliance by doing so.
E. Reconciling Addresses (Title III, § 315)
The FACT Act amends section 605 of the FCRA to require a nationwide consumer reporting agency
identified under section 603(p), when it provides a consumer report, to inform the user requesting that
consumer report that the request received from the user includes an address for the consumer that
substantially differs from the addresses in the file of the consumer. The Federal banking agencies, the NCUA
and the FTC are directed to prescribe regulations regarding reasonable policies and procedures that users of
consumer reports within the agencies’ respective enforcement jurisdiction should employ when they receive
notice of an address discrepancy. These regulations are to identify the types of reasonable policies and
procedures that a user may employ to form a reasonable belief that the user knows the identity of the person
to whom the consumer report pertains and, if the user establishes a continuing relationship with the
consumer, to furnish the consumer reporting agency with corrected address information, as part of
information that the user regularly furnishes for the period in which the relationship is established.
F. Disposal of Consumer Report Information (Title II, § 216)
The FACT Act adds a new section 628 to the FCRA directing the Federal banking agencies, the NCUA and
the FTC to issue separate, but coordinated, regulations requiring business entities under their respective
jurisdictions that maintain consumer report information, or a compilation of consumer report information, to
properly dispose of that information. The focus is on the destruction of consumer report information
specifically and not other types of consumer information, unless it contains consumer report information.
Such rules are to be consistent with the security and confidentiality rules imposed under the GLBA.
G. Notice of Dispute Through Reseller (Title III, § 316)
The FACT Act amends section 611(a) of the FCRA to require consumer reporting agencies to reinvestigate
consumer disputes forwarded to them by resellers of consumer reports. Furthermore, if a reseller receives
notice from a consumer of a dispute concerning the integrity or accuracy of any item of information
contained in a consumer report, the reseller must, within five business days, determine the integrity or
accuracy of the information in question and either correct it, if it is the reseller’s error, or convey the notice of
dispute to the consumer reporting agencies.
H. Reasonable Reinvestigation Requirement (Title III, § 317)
The FACT Act amends section 611 of the FCRA to provide that when a consumer disputes the accuracy of
information contained in a consumer report, the consumer reporting agency that prepared the report must
conduct a reasonable investigation free of charge to determine whether the disputed information is inaccurate.
VII. Statute of Limitations
A. Statute of Limitations (Title I, § 156)
This section extends the statute of limitations for violations of the FCRA, so that claims may be brought
within two years after discovery of the violation, instead of two years after the date on which the violation
occurred. But in no event may claims be brought more than five years after the violation occurred.
VIII. Limiting the Use and Sharing of Medical Information in the Financial System
A. Protection of Medical Information in the Financial System (Title IV, § 411)
The FACT Act amends section 604 of the FCRA to prohibit a consumer reporting agency from furnishing a
consumer report that contains medical information in connection with an insurance transaction, unless the
consumer consents. In order to furnish a report containing medical information for employment purposes, or
in connection with a credit transaction, the information must be relevant to, or affect, the employment or
credit transaction, and the consumer must provide written consent. Alternatively, the information may be
reported if it is reported using codes that do not identify, or provide information sufficient to infer, the
specific provider or the nature of the medical services, products or devices.
In addition, lenders are prohibited from obtaining or using medical information pertaining to a consumer in
connection with any determination of the consumer’s eligibility or continued eligibility for credit, unless the
information is obtained pursuant to a regulation or order of a Federal banking agency, the NCUA, the FTC
or an applicable state insurance authority. Any person who receives medical information pursuant to this
exception is prohibited from disclosing the information to any other person, except as necessary to carry out
the purpose for which it was originally disclosed. Thus, one of the consumer protections included in the
amended statute is a prohibition on lenders using medical information in determining a consumer’s eligibility
for credit. The Federal banking agencies, the NCUA and the FTC are authorized to make exceptions to this
prohibition that “are determined to be necessary and appropriate to protect legitimate operational,
transactional, risk, consumer or other needs…”
The FACT Act also amends section 603 of the FCRA to prohibit the sharing of consumer reports that are
medical information among affiliates, unless the information is provided in connection with the issuance of
insurance or annuities, in compliance with standards promulgated by the Department of Health and Human
Services under the Health Insurance Portability and Accountability Act (“HIPAA”), or under section 1179 of
HIPAA, or as authorized by a Federal banking agency, the NCUA or the FTC. This prohibition includes the
sharing of an individualized list or description based specifically on a consumer’s payment transactions for
medical products or services, or an aggregate list of consumers based specifically on payment transactions for
medical products or services.
The FACT Act also amends section 603 of the FCRA to define medical information as information or data,
other than age or gender, relating to past, present or future physical, mental or behavioral health, the
provision of health care to an individual or the payment for the provision of health care to an individual.
B. Confidentiality of Medical Contact Information in Consumer Reports (Title IV, § 412)
The FACT Act amends the FCRA to provide that a person whose primary business is providing medical
services, products or devices to consumers, and who also furnishes information to a consumer reporting
agency, must notify the agency of that status and that the consumer reporting agency may not include in a
consumer report the name, address or telephone number of that furnisher, unless reported using codes, or the
consumer report is provided to an insurance company for insurance purposes, other than property or casualty
insurance purposes. The codes must not identify, or provide information sufficient for a user of a consumer
report to infer, the specific provider or the medical services, products or devices provided.
IX. Financial Literacy and Education Improvement
A. Financial Literacy and Education Commission (Title V, §§ 511-18)
This title establishes the Financial Literacy and Education Commission to improve the financial literacy and
education of persons in the United States. The Commission must review financial literacy and education
efforts throughout the Federal government and must develop and implement within 18 months a national
strategy to promote financial literacy and education among all Americans.
X. Protecting Employee Misconduct Investigations
A. Certain Employee Investigation Communications Excluded from Definition of Consumer Report (Title VI, § 611)
The FACT Act amends the FCRA by excluding “certain communications for employee investigations” from
the definition of consumer report. This section provides that the term “consumer report” does not include
communications to an employer in connection with the investigation of employee misconduct or compliance
with law, the rules of a self-regulatory organization or the employer’s pre-existing written policies that are not
made for the purpose of investigating a consumer’s credit worthiness and that are provided only to the
employer, a Federal or state official, a self-regulatory organization or as otherwise required by law. If adverse
action is taken based on the communication, however, the employer is required to disclose to the employee a
summary containing the nature and the substance of the communication. The source of the information need
not be disclosed.
XI. Additional Federal Studies
A. FTC Data Base of Consumer Reporting Agency Complaints (Title III, § 313)
This section directs the FTC to compile a record of complaints against nationwide consumer reporting
agencies. If a complaint is received by the FTC about the accuracy of information maintained by a nationwide
consumer reporting agency, the FTC must transmit the complaint to the consumer reporting agency for
response. Each nationwide consumer reporting agency under section 603(p) that receives a complaint from
the FTC must: review the complaint to determine if the agency has met all legal obligations imposed under
the FCRA; report to the FTC the determinations and actions taken by the agency with respect to the
complaint; and maintain, for a reasonable time, records regarding the disposition of such complaint in a
manner sufficient to demonstrate compliance with the FCRA.
In addition, the FTC and the FRB are directed to study and report jointly on the performance of consumer
reporting agencies and furnishers of credit reporting information in complying with the FCRA’s procedures
and time frames for the prompt investigation and correction of disputed information in a consumer’s credit
file.
B. FTC Study of Issues Relating to the FCRA (Title III, § 318)
This section requires the FTC to study and report on ways to improve the operation of the FCRA. The FTC
is directed to study and report on: the efficacy of increasing the number of points of identifying information
that a credit reporting agency must match before releasing a consumer report; the extent to which requiring
additional points of identifying information to match would enhance the accuracy of credit reports and
combat the provision of incorrect consumer reports to users; the extent to which requiring an exact match of
first and last name, social security number and address and ZIP Code of the consumer would enhance the
likelihood of increasing the accuracy of credit reports; and the effects of allowing consumer reporting agencies
to use partial matches of social security numbers and name recognition software. The FTC also must report
on the impact of providing independent notification to consumers when negative information is included in
their credit reports and consider the effects of requiring that consumers who experience adverse actions
receive a copy of the same credit report used by the lender in taking the adverse action. Finally, the FTC is to
study and report on common financial transactions not generally reported to consumer reporting agencies
that may bear on creditworthiness, and possible steps to encourage the reporting of such transactions within a
voluntary system.
C. FTC Study of the Accuracy of Consumer Reports (Title III, § 319)
This section directs the FTC to conduct an ongoing study of the accuracy of information contained in
consumer reports, and to submit both an interim report and a final report to Congress on its findings and
conclusions, together with recommendations for legislative and administrative action.
D. Study on the Use of Technology to Combat Identity Theft (Title I, § 157)
The Secretary of the Treasury is directed to conduct a study, in consultation with the Federal banking
agencies, the FTC and other specified public and private sector entities, on the use of biometrics and other
similar technologies to reduce the incidence of identity theft.
E. Study of Effects of Credit Scores (Title II, § 215)
The FTC, in consultation with the Department of Housing and Urban Development, is directed to study
and report to Congress on the effects of the use of credit scores and credit-based insurance scores on the
availability and affordability of financial products. In conducting this study, the FTC is directed to obtain
input from the public.
XII. Effective Dates
A. Effective Dates (§ 3)
This section directs the FTC and the FRB to prescribe jointly regulations establishing the effective dates for
each provision of the FACT Act within two months, unless otherwise provided by the FACT Act. The
effective dates established by the FTC and the FRB must be no later than ten months after the FTC and FRB
issue the effective date regulations.