Fair and Accurate Credit Transactions Act

Last updated
Fair and Accurate Credit Transactions Act
Great Seal of the United States (obverse).svg
Other short titlesFinancial Literacy and Education Improvement Act
Long titleAn Act to amend the Fair Credit Reporting Act, to prevent identity theft, improve resolution of consumer disputes, improve the accuracy of consumer records, make improvements in the use of, and consumer access to, credit information, and for other purposes.
Acronyms (colloquial)FACTA, FLEIA
NicknamesFair and Accurate Credit Transactions Act of 2003
Enacted bythe 108th United States Congress
EffectiveDecember 4, 2003
Citations
Public law 108-159
Statutes at Large 117  Stat.   1952
Codification
Titles amended 15 U.S.C.: Commerce and Trade
U.S.C. sections amended
Legislative history

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA, Pub. L. Tooltip Public Law (United States)  108–159 (text) (PDF)) is a U.S. federal law, passed by the United States Congress on November 22, 2003, [1] and signed by President George W. Bush on December 4, 2003, [2] as an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies (Equifax, Experian, and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the web site AnnualCreditReport.com to provide free access to annual credit reports. [3]

Contents

The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.

Provisions

The FACT Act contains seven major titles: Identity Theft Prevention and Credit History Restoration, Improvements in Use of and Consumer Access to Credit Information, Enhancing the Accuracy of Consumer Report Information, Limiting the Use and Sharing of Medical Information in the Financial System, Financial Literacy and Education Improvement, Protecting Employee Misconduct Investigations, and Relation to State Laws. [4]

Identity Theft Prevention and Credit History Restoration

This title of the act contains provisions that deal mainly with the prevention of identity theft. In particular, it establishes new regulations concerning 'fraud alerts' and 'active duty alerts', establishes new limitations on the printing of customers' credit card numbers on receipts, and prescribes that new regulations be established by certain government agencies regarding the detection of identity theft by financial institutions and creditors.

Fraud alerts

The title requires that consumer reporting agencies, upon the request of a consumer who believes he is or about to be a victim of fraud or any other related crime, must place a fraud alert on that consumer's file for at least 90 days, and notify all other consumer reporting agencies of the fraud alert. [5]

Consumers may request an extended fraud alert, in which case requires the reporting agency to disclose this fraud alert in any credit score that it issues for the consumer during a seven-year period. An extended alert also requires the reporting agency to exclude the consumer from any list distributed to third parties for the purpose of extending credit or offering insurance to that consumer. [5]

The title also provides for any active duty member to request an active duty alert, which requires the reporting agency to disclose such alert with any credit report issued within 12 months of the request and to exclude the active duty member from any list distributed to third parties for the purpose of extending credit or offering insurance for two years from the request. [5]

Truncation of credit and debit card numbers

The act also prohibits businesses from printing more than five digits of any customer's card number or card expiration date on any receipt provided to the cardholder at the point of sale or transaction. This provision is enforced with statutory damages ranging from $100 to $1000 per violation, and when claims are aggregated in a class action (brought by all the customers of a retailer that failed to truncate credit card numbers) the amount of damages can be massive. [6] The provision excludes receipts that are handwritten or imprinted, where the only method of recording the credit card number is by such means. The act did not become effective for three years after its enactment for any cash register manufactured before January 1, 2005, and did not become effective for one year after its enactment for any cash register manufactured after January 1, 2005. [7]

Identification of possible identity theft (Red Flags rule)

The act established the Red Flags Rule , which required the federal banking agencies, the National Credit Union Administration, and the Federal Trade Commission to jointly create regulations regarding identity theft prevention applicable to financial institutions and creditors. The Red Flags Rule also addresses how card issuers must respond to changes of address. [8] Regulations that were established as a result include: [9]

  • One that requires financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft;
  • Another that requires users of consumer reports to respond to Notices of Address Discrepancies that they receive; and
  • A third that places special requirements on issuers of debit or credit cards to assess the validity of a change of address if they receive notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterward they receive a request for an additional or replacement card for the same account.

Another key item was the requirement that mortgage lenders provide consumers with a Credit Disclosure Notice that included their credit scores, range of scores, credit bureaus, scoring models, and factors affecting their scores. This form is typically available from credit reporting agencies, and many will send this directly to the consumer on the lenders' behalf.

Confusion with the scope of the Red Flags rule

Financial institutions faced a mandatory deadline of November 1, 2008, to comply with the Red Flags Rule, [10] section 114 and 315 of the Fair and Accurate Credit Transactions (FACT) Act. However, due to widespread confusion over coverage under the act, specifically whether the term "creditor" applies to particular businesses, members of Congress repeatedly requested that FTC postpone the deadline for compliance with Section 315 until after December 31, 2010. [11]

According to a Business Alert issued by the Federal Trade Commission in June 2008, [12] the Red Flags Rule applies to a very broad list of businesses including "financial institutions" and "creditors" with "covered accounts". A "creditor" is defined to include "lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies". However, this is not an all-inclusive list.

The regulations apply to all businesses that have "covered accounts". A "covered account" includes any account for which there is a foreseeable risk of identity theft. For example, credit cards, monthly billed accounts like utility bills or cell phone bills, social security numbers, drivers license numbers, medical insurance accounts, and many others. This significantly expands the definition to include all companies, regardless of size, that maintain, or otherwise possess, consumer information for a business purpose. Because of the broad definitions in these regulations, few businesses will be able to escape these requirements. [13]

Protection and restoration of identity theft victim credit history

Summary of rights of identity theft victims

Provisions in this title require that the Federal Trade Commission, in consultation with the Federal banking agencies and the National Credit Union Agency, "prepare a model summary of the rights of consumers ... with respect to the procedures for remedying the effects of fraud or identity theft...". Beginning sixty days after the summary of these rights were established, all reporting agencies are required to provide a copy of this summary to any consumer that contacts an agency and states that he believes he has been a victim of fraud or identity theft. [14]

Blocking of information resulting from identity theft

The Act also requires any reporting agency to block the reporting of any information in a consumer's file that the consumer identifies as information that originated from an alleged identity theft. Such agency must block the information within four days of receiving proof, a copy of an identity theft report, the identification of the information by the consumer, and a statement from the consumer that the information is not a result of any transaction he participated in.

Agencies are not required to block any information (and may rescind any existing blocks) in the case that the block was found to be made in error or based on erroneous information as provided by the consumer, or that the consumer "obtained possession of goods, services, or money as a result of the blocked transaction or transactions. [15]

Coordination of identity theft complaint investigations

This section requires that all consumer reporting agencies develop a means of communicating to each other consumer complaints regarding fraud or identity theft, or requests for fraud alerts or blocks. Furthermore, the section requires that each consumer reporting agency release a report each year to the Federal Trade Commission of fraud alert requests and complaints involving fraud or identity theft received by the reporting agency. Finally, the section requires the Federal Trade Commission to set up a means by which consumers can contact the reporting agencies and creditors with a complaint involving identity theft or fraud. [16]

Criticism

After its enactment, some consumer advocacy groups criticized the FACT Act claiming that it preempts some stricter and already-existing state regulations, and provides exceptions that are 'far too generous' to new regulations regarding disclosure of personal information by banks as found in the act. [17] Furthermore, an article in The Washington Post criticized the difficulty in retrieving the credit reports in some of the states that were first eligible under the act. [18]

Preemption of state laws

Vermont, Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and California had all established laws by 1994 requiring credit bureaus to provide a free credit report on demand. However, according to U.S. Pirg, "[w]ith the FACT Act, the financial industry won its primary goal: permanent preemption of stronger state credit and privacy laws." [19] Specifically, state laws are preempted in certain areas, such as the content of a consumer report, the responsibilities of "furnishers", responses of consumer reporting agencies to disputes over inaccurate information (although there is an exception for statutes in place before 1996), and duties of those who take an adverse action based on a report. [20]

Difficulty in obtaining credit reports

An article dated March 13, 2005 and published in the Washington Post stated that while "[r]esidents of six East Coast states—Maryland, Georgia, Maine, Massachusetts, New Jersey and Vermont—are already eligible for free reports from all three agencies as a result of state laws", the phone numbers provided to request these reports connected to automated systems that the article described as "maddening in their complexity and unforgiving if your circumstances vary from the system's programming." Furthermore, the article criticised automated systems for forcing consumers to "navigate a thicket of recorded information -- including sales pitches for their products, such as a credit 'score' (an evaluation of your creditworthiness) or a 'monitoring' service to help guard against identity theft". [18] Since 2012, the Consumer Financial Protection Bureau (CFPB) has published a list of consumer reporting agencies (CRAs). It enables consumers to see which CRAs might be important to them and gives them the contact information of each CRA in the list, so consumers can more easily order their personal consumer reports. Many of the CRAs in the list provide personal reports to consumers for free. The 2016 edition of the list is available on the CFPB's website here.

The Red Flag rule as a cause of identity theft

As the Red Flag rule widely defines creditors, many businesses (such as utilities) [21] are now required to collect personal information (such as SSN and driver's license numbers) that they do not need and have no use for. This policy is precisely contrary to the FTC's advice to consumers that they should disclose their social security number to companies only when absolutely necessary. [22] This aspect of the Red Flag rule has the unintended consequences of increasing the number of businesses that hold consumers' Social Security numbers, thereby putting consumers at greater risk for identity theft through data theft.

Mass Lawsuits for Including Expiration Date on Printed Receipts

The Act prohibits merchants from including credit- and debit-card expiration dates on electronically printed receipts. When the Act went into effect in 2004, courts received massive amounts of expiration date lawsuits, all federal circuit to have expressly considered the issue now refuse to hear related class-action lawsuits. In 2008 Congress passed the Credit and Debit Card Receipt Clarification Act (Clarification Act), which made merchants who printed expiration dates on receipts, but otherwise complied with the Act, to not in willful noncompliance up to June 3, 2008. [23] In the Clarification Act, Congress found that "Experts in the field agree that proper truncation of the card number, by itself ... regardless of the inclusion of the expiration date, prevents a potential fraudster from perpetrating identity theft or credit card fraud." [24] However, despite court rulings and the Clarification Act, the text of the Act remains largely unchanged regarding expiration dates on receipts after June 3, 2008.

See also

Related legislation

Related Research Articles

<span class="mw-page-title-main">Identity theft</span> Deliberate use of someone elses identity, usually as a method to gain a financial advantage

Identity theft, identity piracy or identity infringement occurs when someone uses another's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Since that time, the definition of identity theft has been legally defined throughout both the U.K. and the U.S. as the theft of personally identifiable information. Identity theft deliberately uses someone else's identity as a method to gain financial advantages or obtain credit and other benefits. The person whose identity has been stolen may suffer adverse consequences, especially if they are falsely held responsible for the perpetrator's actions. Personally identifiable information generally includes a person's name, date of birth, social security number, driver's license number, bank account or credit card numbers, PINs, electronic signatures, fingerprints, passwords, or any other information that can be used to access a person's financial resources.

Bank fraud is the use of potentially illegal means to obtain money, assets, or other property owned or held by a financial institution, or to obtain money from depositors by fraudulently posing as a bank or other financial institution. In many instances, bank fraud is a criminal offence. While the specific elements of particular banking fraud laws vary depending on jurisdictions, the term bank fraud applies to actions that employ a scheme or artifice, as opposed to bank robbery or theft. For this reason, bank fraud is sometimes considered a white-collar crime.

<span class="mw-page-title-main">Fair Debt Collection Practices Act</span>

The Fair Debt Collection Practices Act (FDCPA), Pub. L. 95-109; 91 Stat. 874, codified as 15 U.S.C. § 1692 –1692p, approved on September 20, 1977, is a consumer protection amendment, establishing legal protection from abusive debt collection practices, to the Consumer Credit Protection Act, as Title VIII of that Act. The statute's stated purposes are: to eliminate abusive practices in the collection of consumer debts, to promote fair debt collection, and to provide consumers with an avenue for disputing and obtaining validation of debt information in order to ensure the information's accuracy. The Act creates guidelines under which debt collectors may conduct business, defines rights of consumers involved with debt collectors, and prescribes penalties and remedies for violations of the Act. It is sometimes used in conjunction with the Fair Credit Reporting Act.

<span class="mw-page-title-main">Fair Credit Reporting Act</span> U.S. federal legislation

The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., is federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended to shield consumers from the willful and/or negligent inclusion of erroneous data in their credit reports. To that end, the FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit 909-306-4989 information. Together with the Fair Debt Collection Practices Act (FDCPA), the FCRA forms the foundation of consumer rights law in the United States. It was originally passed in 1970, and is enforced by the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and private litigants.

A credit history is a record of a borrower's responsible repayment of debts. A credit report is a record of the borrower's credit history from a number of sources, including banks, credit card companies, collection agencies, and governments. A borrower's credit score is the result of a mathematical algorithm applied to a credit report and other sources of information to predict future delinquency.

<span class="mw-page-title-main">Debt collection</span> Pursuit of debt payments owed by an individual or business

Debt collection is the process of pursuing payments of money or other agreed-upon value owed to a creditor. The debtors may be by individuals or businesses. An organization that specializes in debt collection is known as a collection agency or debt collector. Most collection agencies operate as agents of creditors and collect debts for a fee or percentage of the total amount owed. Historically, debtors could face debt slavery, debtor's prison, or coercive collection methods. In the 21st century in many countries, legislation regulates debt collectors, and limits harassment and practices deemed unfair.

A credit bureau is a data collection agency that gathers account information from various creditors and provides that information to a consumer reporting agency in the United States, a credit reference agency in the United Kingdom, a credit reporting body in Australia, a credit information company (CIC) in India, Special Accessing Entity in the Philippines, and also to private lenders. It is not the same as a credit rating agency.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

The Fair Credit Billing Act (FCBA) is a United States federal law enacted on October 28, 1974 as an amendment to the Truth in Lending Act and as the third title of the same bill signed into law by President Gerald Ford that also enacted the Equal Credit Opportunity Act. Its purpose is to protect consumers from unfair billing practices and to provide a mechanism for addressing billing errors in "open end" credit accounts, such as credit card or charge card accounts.

<span class="mw-page-title-main">Electronic Fund Transfer Act</span> Act passed by the U.S. Congress in 1978

The Electronic Fund Transfer Act was passed by the U.S. Congress in 1978 and signed by President Jimmy Carter, to establish the rights and liabilities of consumers as well as the responsibilities of all participants in electronic funds transfer activities.

An identity score is a system for detecting identity theft. Identity scores are increasingly being adopted as a means to prevent fraud in business and as a tool to verify and correct public records.

The North Carolina Identity Theft Protection Act of 2005 is a series of broad laws that was passed by the General Assembly of the U.S. state of North Carolina to prevent or discourage identity theft as well as guarding and protecting individual privacy.

OptOutPrescreen.com is a joint venture among Equifax, Experian, Innovis, and TransUnion, allowing customers to opt out of receiving credit card solicitations by mail.

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

Wireless identity theft, also known as contactless identity theft or RFID identity theft, is a form of identity theft described as "the act of compromising an individual’s personal identifying information using wireless mechanics." Numerous articles have been written about wireless identity theft and broadcast television has produced several investigations of this phenomenon. According to Marc Rotenberg of the Electronic Privacy Information Center, wireless identity theft is a serious issue as the contactless (wireless) card design is inherently flawed, increasing the vulnerability to attacks.

Bank regulation in the United States is highly fragmented compared with other G10 countries, where most countries have only one bank regulator. In the U.S., banking is regulated at both the federal and state level. Depending on the type of charter a banking organization has and on its organizational structure, it may be subject to numerous federal and state banking regulations. Apart from the bank regulatory agencies the U.S. maintains separate securities, commodities, and insurance regulatory agencies at the federal and state level, unlike Japan and the United Kingdom. Bank examiners are generally employed to supervise banks and to ensure compliance with regulations.

The Red Flags Rule was created by the Federal Trade Commission (FTC), along with other government agencies such as the National Credit Union Administration (NCUA), to help prevent identity theft. The rule was passed in January 2008, and was to be in place by November 1, 2008, but due to push-backs by opposition, the FTC delayed enforcement until December 31, 2010.

<span class="mw-page-title-main">Identity Theft Resource Center</span>

The Identity Theft Resource Center (ITRC) is a United States non-profit organization that provides identity crime victim assistance and education, free of charge, through a toll-free call center, live chat, website, podcasts, and social media. The ITRC educates consumers, businesses, government agencies, policymakers, and other organizations on best practices for identity theft and fraud detection, reduction, and mitigation; and, serves as an objective national resource on trends related to cybersecurity, data breaches, social media, fraud, scams, and other identity issues. 

<i>United States v. Clark</i> Court case

United States of America v. Clark is the name of a lawsuit against Jason Elliott Clark by the U.S. government based on identity theft, bank fraud and conspiracy. This was an appeal from the United States District Court for the District of Minnesota. Clark appealed his conviction for aggravated identity theft based on the sufficiency of the evidence and the court's admission of certain prior acts of evidence.

Financial privacy laws regulate the manner in which financial institutions handle the nonpublic financial information of consumers. In the United States, financial privacy is regulated through laws enacted at the federal and state level. Federal regulations are primarily represented by the Bank Secrecy Act, Right to Financial Privacy Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Provisions within other laws like the Credit and Debit Card Receipt Clarification Act of 2007 as well as the Electronic Funds Transfer Act also contribute to financial privacy in the United States. State regulations vary from state to state. While each state approaches financial privacy differently, they mostly draw from federal laws and provide more stringent outlines and definitions. Government agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission provide enforcement for financial privacy regulations.

References

  1. Library of Congress Congress.gov, searched for H.R. 2622 (108th Congress) Major Congressional Actions on September 7, 2008
  2. White House fact sheet, December 4, 2003
  3. Facts for Consumers, Federal Trade Commission, March 2008
  4. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, vol. Public Law 108-159, 108th Congress, retrieved 2009-02-02
  5. 1 2 3 FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, vol. Public Law 108-159, 108th Congress, pp. 117 STAT. 1955–117 STAT. 1959, retrieved 2009-02-02
  6. Bray, Samuel L. (2012). "Announcing Remedies". Cornell Law Review. 97. SSRN   1967184.
  7. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, vol. Public Law 108-159, 108th Congress, pp. 117 STAT. 1959–117 STAT. 1960, retrieved 2009-02-02
  8. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, vol. Public Law 108-159, 108th Congress, pp. 117 STAT. 1960–117 STAT. 1961, retrieved 2009-02-02
  9. "Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy". 31 October 2007.
  10. Red Flags Resource Center
  11. "FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule". 28 May 2010.
  12. FTC Business Alert Archived 2008-08-13 at the Wayback Machine , Federal Trade Commission, June 2008
  13. "Red Flags Rule | Federal Trade Commission". 16 June 2023.
  14. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, vol. Public Law 108-159, 108th Congress, p. 117 STAT. 1961, retrieved 2009-02-02
  15. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, vol. Public Law 108-159, 108th Congress, pp. 117 STAT. 1964–1965, retrieved 2009-02-02
  16. FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003, vol. Public Law 108-159, 108th Congress, p. 117 STAT. 1966, retrieved 2009-02-02
  17. Singletary, Michelle (2003-12-11). "Somewhat More Fair And Increasingly Accurate". The Washington Post. p. Financial; E03.
  18. 1 2 "It's Free, But Not So Easy; Another Try at Helping You Get That Credit Report". The Washington Post. 2005-03-15. p. Outlook; B04.
  19. "Mistakes Do Happen: A Look at Errors in Consumer Credit Reports". June 2004. Archived from the original on 2010-04-23. Retrieved 2009-02-02.
  20. More S. (2006). Fair and Accurate Credit Transactions Act: More Protection for Consumers Archived 2015-10-28 at the Wayback Machine . The Information Management Journal.
  21. "Start or Install Service".
  22. ftc.gov. "Deter Minimize Your Risk". Archived from the original on 2011-10-13.
  23. "Recklessly Disregarding a Nonexistent Risk of Harm: Does Including the Expiration Date on Electronically Printed Receipts Constitute Willful Noncompliance under FACTA?". Business Law Today from ABA. 2020-05-04. Retrieved 2021-10-02.
  24. Pub. L. Tooltip Public Law (United States)  110–241: Credit and Debit Card Receipt Clarification Act of 2007 (text) (PDF)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.