Made substantial amendments to FCRA
Enforcement: FTC, Federal Banking Regulators, and the CFPB.
Stricter state laws are preempted -states retain some powers to enact laws addressing identity theft
Required truncation of debit and credit card numbers so receipts do not reveal in full
Requires more detailed “know your customer” documentation for both domestic and foreign financial institutions.
Gave consumers rights to explanation of their credit scores and the right to request a free annual credit report
Note: Promulgated Disposal Rule and Red Flags Rule
Requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that information in a way that prevents unauthorized access and misuse of the data.
Enforcement: FTC, the federal banking regulators, and the CFPB
Violations: civil liability and may face federal and state enforcement actions
State disposal rules may impose broader requirements
Requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft.
The Red Flags Program Clarification Act of 2010 narrows the previously broad definition of creditor to not implicate entities that extend credit only for “expenses incidental to a service.” Applies to:
Obtain or use of consumer reports in connection with a credit transaction
Furnish information to CRA
Advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person
Each entity is required to define their own list of red flags. FTC recommends:
Alerts from CRA
Suspicious identification documents
Suspicious personal identifying data
Unusual use of a covered account
FACTA provides that an employer is no longer required to notify an employee that it is obtaining an investigative consumer report on the employee from an outside org in the context of an internal investigation.
Changed the definition of consumer report under FCRA to exclude communications relating to employee investigations from the definition if three requirements are met:
Communication is made to an employer in connection with the investigation of:
Suspected misconduct relating to employment
Compliance with federal, state, local laws
Communication is not made for the purpose of investigating a consumer’s creditworthiness, credit standing or credit capacity and does not include info pertaining to those factors
Communication is not provided to any person except
The employer or agent of employer o A federal or state officer, agency, or department
Self-regulating org with authority over the activities of the employer or employee
As otherwise required by law
Pursuant to 15 U.S.C 1681f which addresses disclosures to gov agencies
If adverse action is taken, employers must disclose a summary of the nature and substance of the communication or report to the employee