FACTA

• Made substantial amendments to FCRA

• Enforcement: FTC, Federal Banking Regulators, and the CFPB.

• Stricter state laws are preempted -states retain some powers to enact laws addressing identity theft

• Required truncation of debit and credit card numbers so receipts do not reveal in full

• Requires more detailed “know your customer” documentation for both domestic and foreign financial institutions.

• Gave consumers rights to explanation of their credit scores and the right to request a free annual credit report

Note: Promulgated Disposal Rule and Red Flags Rule

The Disposal Rule

• Requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that information in a way that prevents unauthorized access and misuse of the data.

• Enforcement: FTC, the federal banking regulators, and the CFPB

• Violations: civil liability and may face federal and state enforcement actions

• State disposal rules may impose broader requirements

The Red Flags Rule

Requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft.

The Red Flags Program Clarification Act of 2010 narrows the previously broad definition of creditor to not implicate entities that extend credit only for “expenses incidental to a service.” Applies to:

• Obtain or use of consumer reports in connection with a credit transaction

• Furnish information to CRA

• Advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person

Each entity is required to define their own list of red flags. FTC recommends:

• Alerts from CRA

• Suspicious identification documents

• Suspicious personal identifying data

• Unusual use of a covered account

FACTA provides that an employer is no longer required to notify an employee that it is obtaining an investigative consumer report on the employee from an outside org in the context of an internal investigation.

• Changed the definition of consumer report under FCRA to exclude communications relating to employee investigations from the definition if three requirements are met:

• Communication is made to an employer in connection with the investigation of:

  • • Suspected misconduct relating to employment

    • Compliance with federal, state, local laws

• Communication is not made for the purpose of investigating a consumer’s creditworthiness, credit standing or credit capacity and does not include info pertaining to those factors

• Communication is not provided to any person except

  • • The employer or agent of employer o A federal or state officer, agency, or department

    • Self-regulating org with authority over the activities of the employer or employee

    • As otherwise required by law

    • Pursuant to 15 U.S.C 1681f which addresses disclosures to gov agencies

• If adverse action is taken, employers must disclose a summary of the nature and substance of the communication or report to the employee