Client Bulletin #398
The Fair and Accurate Credit Transactions Act of 2003 added several provisions to the Fair Credit Reporting Act of 1970, two of which require compliance starting this month.
Effective November 1, 2008, Financial Institutions and Creditors offering “covered accounts,” as defined in the FACTA, are required to implement Identity Theft Prevention Programs designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account, and to have policies and procedures for reconciling address disputes. The Federal Trade Commission will oversee enforcement, and penalties will vary depending on the circumstances surrounding the infractions.
NOTE: The FTC recently released a statement notifying financial institutions and creditors that it would suspend its enforcement of these new regulations until May 1, 2009, to allow extra time for compliance. However, other federal agencies, such as the Office of the Comptroller of the Currency, Treasury, may still choose to use the original compliance date with respect to any entity subject to their authority.
As background, on November 9, 2007, the Federal Register published the final rules implementing Sections 114 and 315 of the FACTA. Section 114 of the FACTA governs the requirements for implementing an Identity Theft Prevention Program, and Section 315 addresses the policies and procedures for reconciling address disputes. Sections 114 and 315 became effective on January 1, 2008.
Is my company affected?
An entity is covered if it offers “covered accounts.” The rules define a “covered account” as:
(1) an account that [the entity] offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions; or
(2) any other account that the [entity] offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the [entity] from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Examples of covered accounts include credit card, mortgage loan, auto loan, margin, cell phone, utility, and checking or savings accounts. If your company offers any of these types of accounts, then it would be covered.
What does the identity theft prevention program have to contain?
The program must contain policies and procedures that will (1) identify “red flags” that are relevant to the business, (2) detect red flags that have been incorporated into the program, (3) respond appropriately to any red flags that are detected, and (4) update the program periodically to reflect changes in risk to customers or to the safety and soundness of the entity from identity theft.
Moreover, each program must be overseen by the entity’s board of directors, an appropriate committee, or a member of senior management. An affected entity will need to review and update its program on a periodic basis. Fortunately, the rules allow entities to incorporate existing policies and procedures into this new program.
What is a “red flag”?
The covered entity determines what its red flags will be. However, the entity is required to at least consider the 26 examples included in guidelines that were appended to the Final Rules. Examples of red flags include a fraud or active duty alert included with a consumer report; documents provided for identification that appear to have been altered or forged; and a Social Security number that is the same as one submitted by other persons opening accounts or by other customers.
My company doesn’t offer covered accounts, but it receives credit information from others. What’s our obligation?
Section 315 applies to any “user” of consumer reports, such as a national bank, a member bank of the Federal Reserve System, an insured state nonmember bank, a savings association, a federal credit union, or any user subject to FTC enforcement of the Fair Credit Reporting Act. According to the rules, “A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.”
Although awkwardly worded, the rules essentially require the user to take certain steps to obtain accurate address information from its consumers, and to investigate and resolve “substantial discrepancies” between the address provided by the user and the address in the consumer reporting agency’s file.
Are there any additional requirements for entities that issue debit or credit cards?
Yes. The rules impose a duty on certain “issuers” of debit or credit cards, such as national banks, to establish and carry out reasonable policies and procedures to assess the validity of a change of address. Under the new rules, an entity should not issue a replacement debit or credit card if (1) the issuer receives notice of a change of address for the account holder and, (2) within a short period of time (30 days or so) thereafter, the issuer receives a request for an additional or replacement card for the same account. Once the issuer validates the address with the customer, it may issue the new card. To validate, the rules require that the issuer provide clear notice to the card holder at his or her former address and allow the cardholder the opportunity to confirm the change. In the alternative, the rules allow the issuer to use the policy and procedures set forth in its identity theft prevention program.
Can Constangy help us with this?
Yes. We can help you determine whether you are covered by the new rules, review your business practices to ensure that they are compliant, and make appropriate policy changes. If you have any questions or need assistance, please contact any Constangy attorney.
Constangy, Brooks & Smith, LLP has counseled employers on labor and employment law matters, exclusively, since 1946. A “Go To” Law Firm in Corporate Counsel and Fortune Magazine, it represents Fortune 500 corporations and small companies across the country. Its attorneys are consistently rated as top lawyers in their practice areas by publications such as Chambers USA, Super Lawyers, and Top One Hundred Labor Attorneys in the United States. More than 100 lawyers partner with clients to provide cost-effective legal services and sound preventive advice to enhance the employer-employee relationship. Offices are located in Georgia, Florida, South Carolina, North Carolina, Tennessee, Alabama, Virginia, Missouri, Illinois, Wisconsin, Texas and California. For more information, visit www.constangy.com.