FACT Act: Final Rule on Identity Theft

It's official. The final rule on the identity theft flags and active duty alerts is out. It takes effect on December 1, just in case you had nothing planned for Thanksgiving.

The rule begins with a definition of identity theft which triggers the requirements for both businesses and consumers. The Federal Trade Commission's goal in defining identity theft was to cover all bona fide victims and activities. In addition, the Commission wanted use the definition to help prevent credit repair fraud.

Who is Covered?
Often the most important aspect of any regulation is who is covered, meaning who has to comply. In the case of the identity theft and active duty alerts, the rule applies to consumer reporting agencies (a.k.a. credit bureaus) and to information reporters. This is where the breadth of the rule comes in. Information reporters includes anyone who provides or reports information to credit bureaus. It is the information reporter coverage that brings in financial institutions.

The rule has a fluid quality in coverage. The consumer may contact either an information reporter or a credit reporting agency. For the consumer, the results are the same. Everyone involved in credit related to that consumer and any entity collecting and selling information about that consumer is covered by the rule. The difference is in how information flows. Eventually, all concerned entities should have the alerts in place.

Defining Identity Theft
The Commission proposed to fashion the definition of identity theft to include attempts to commit fraud as well as acts of fraud. This generated a surprising number of comments in opposition to the inclusion of attempts to commit fraud.

Commenters opposed inclusion of attempts on several grounds, none of which were closely related to the FACT Act's purpose. One argument was that inclusion of attempts to commit fraud, rather than proven fraud, could result in diverting resources that should be committed to actual victims. Those putting forward this opinion did not explain why a person who believes themselves to be a victim of identity theft but has not yet proven this should not be able to exercise self protective steps under the act. Nor did they offer any evidence or quantification of the economic hardship that could result from pursuing concerns that did not materialize.

Ideas such as this, when put forward by an industry, can only be described as mean spirited. The focus of this thinking is that consumers will use their new rights to take some form of advantage of the credit reporting industry. It fails to consider the consumer's likely and very real need. The Commission was unimpressed and unpersuaded. The final definition includes the term attempt.

Identifying Information
Another issue for comment was the definition of "identifying information." The FTC had proposed that the FACT Act regulations use the same definition as in the federal criminal code, 18 U.S.C. 1028(d)(7). The reasoning was that this would provide consistency with federal criminal law and that the term for purposes of the FACT Act would include the maximum situations of fraud.

This proposal, too, generated opposition because the coverage would be too broad. The issue here was how unauthorized use could be treated under the rule. Some commenters raised concerns that including unauthorized use in the definition could encourage consumer fraud. Consumers, they argued, could have a family member use a credit or access device and then claim that the use had been unauthorized and that they were therefore victims of identity theft.

Commenters also opposed adopting a broad definition of identity theft because other federal laws (Truth in Lending, Electronic Funds Transfers Act) provide victims with sufficient protection.

Again, the Commission was not impressed. While other federal laws do provide consumer protections, those laws are not designed for prevention and correction of identity theft. Nor do these laws address all aspects of the harm resulting from identity theft. For example, the victim of identity theft could use the Fair Credit Billing Act to dispute unauthorized transactions on their credit card bill. But, the FCBA stops there, while the consumer harmed by identity theft may need additional protections. The commission held to its original proposal and defined identifying information to have the same meaning as "means of identification" in 18 U.S.C. 1028(d)(7).

In one change, the FTC dropped the word "lawful" from the proposal that the definition of identity theft require that the person's identity be used without lawful authority. The final definition simply reads "without authority." After considering a number of hair-splitting comments on whether a consumer could lawfully authorize a fraudulent act (you've just got to love lawyers!), the commission concluded that the term "lawful" was not necessary to the definition and could add to confusion.

Another test suggested was a requirement that the consumer be willing to prosecute anyone identified in the identity theft. The suggestion was that refusal to prosecute could be interpreted as indicating the consumer's collusion and thus relieve the industry member from further investigation. Alternatively, these commenters suggested that the refusal to prosecute could be interpreted to mean that the consumer granted authority to the user of his or her information. The Commission was again unpersuaded. Thus, the consumer is not required to take any formal actions beyond filing an identity theft report and producing the affidavit.

Identity Theft Report
Commenters also made suggestions to narrow the scope of what might constitute an identity theft report. For example, there were suggestions that the report filed with law enforcement must meet certain standards, such as a face-to-face interview between law enforcement and the victim. Limitations such as this, however, could cause serious consumer hardship by limiting or delaying the availability of FACT Act remedies.

The Commission declined to limit the requirements for identity theft reports for several reasons. First, and most important, placing any requirements under the control of law enforcement agencies, when many different procedures and local priorities exist, can lead to unequal and unfair results. Similarly, requiring a face-to-face interview for law enforcement to establish the consumer's identity and intent would make FACT Act protections unavailable in jurisdictions that accept or require filing the report through automated systems. Finally, the Commission believes that in many situations, the credit reporting agency or information reporter should not delay acting to protect the consumer and the financial institution until local law enforcement procedures have been completed.

For similar reasons, the Commission decided that the rule should not limit the consumer's choice of law enforcement agencies. Again, the Commission looked to the goal of the FACT Act and noted that imposing restrictions on consumers that require advance knowledge of law enforcement functions would be inconsistent with the act's purposes.

ACTION STEPS

Your systems for identity theft and active duty alerts must be in place by
December 1. Don't cancel Thanksgiving, but get cracking.
Review communication systems, including customer hotlines, bank contact numbers, and communications with credit bureaus. Establish consistent systems for receiving information about identity theft and active duty.
Consider the need for speed when receiving and making initial determinations on identity theft reports.
Discuss information needs and investigative techniques with your BSA Officer and Security Officer to develop a protocol for FACT Act investigations.
Train! In your training stress the customer service and bank protection aspects of these procedures.
Keep open lines of communication with everyone that is or could be involved with receiving consumer identity theft reports - or simply requests for help.
Put information on identity theft and the FACT Act procedures in your lobby and in statements or other mailings.