For other versions of this document, see http://wikileaks.org/wiki/CRS-RL32535 ------------------------------------------------------------------------------ Order Code RL32535 CRS Report for Congress Received through the CRS Web Implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003 Updated February 3, 2005 Angie A. Welborn Legislative Attorney American Law Division Grace Chu Law Clerk American Law Division Congressional Research Service ~ The Library of Congress Implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003 Summary On December 4, 2003, the President signed the Fair and Accurate Credit Transactions (FACT) Act of 2003 (P.L. 108-159), which included a number of amendments to the Fair Credit Reporting Act (FCRA) aimed at protecting the privacy of the information in a consumer's credit report, assisting victims of identity theft, and preventing fraudulent credit transactions. Many provisions of the act required implementation by the Federal Trade Commission and the federal banking agencies. This report provides an overview of the rulemaking proceedings implementing the major provisions of the FACT Act. It will be updated as events warrant. Contents Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Final Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Free Annual File Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Furnishing of Negative Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Provisions Related to Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Definition of Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Definition of Identity Theft Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Appropriate Proof of Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Duration of an Active Duty Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Disposal of Consumer Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Proposed Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Affiliate Marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Reporting of Medical Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003 Background As the preemption provisions of the Fair Credit Reporting Act (FCRA) were set to expire at the end of 2003, both the House and Senate revisited the entire Act, holding a series of hearings on various issues related to consumer credit, the credit reporting system, and financial privacy. These hearings culminated in the passage of the Fair and Accurate Credit Transactions (FACT) Act of 2003.1 On December 4, 2003, the President signed the Fair and Accurate Credit Transactions (FACT) Act of 2003, which became Public Law 108-159. The act included a number of amendments to the Fair Credit Reporting Act (FCRA) aimed at protecting the privacy of the information in a consumer's credit report, assisting victims of identity theft, and preventing fraudulent credit transactions. Many provisions of the act required implementation by the Federal Trade Commission and the federal banking agencies. This report provides an overview of the rulemaking proceedings implementing the major provisions of the FACT Act. Final Rules Free Annual File Disclosures On June 24, 2004, the Federal Trade Commission (FTC) issued its final rule implementing the provision of the FACT Act providing for free annual disclosures of consumer credit reports.2 Under the FACT Act, nationwide credit reporting agencies (CRAs) are required to make all disclosures pursuant to FCRA section 6093 in a consumer report available free of charge once during any 12-month period.4 All information in the consumer's file at the time of the consumer's request must be disclosed, and disclosure must be mailed within 15 days of when the request was 1 For more information about the House and Senate legislation leading to the Fair and Accurate Credit Transactions Act of 2003, see CRS Report RL32121, Fair Credit Reporting Act: A Side-by-Side Comparison of House, Senate and Conference Versions. 2 69 FR 34562 (June 24, 2004). 3 15 U.S.C. 1681g. 4 For more information on the free credit report provisions of the FCRA and the FACT Act, see CRS Report RL32008, A Consumer's Access to a Free Credit Report: A Legal and Economic Analysis. CRS-2 received.5 The FACT Act directed the FTC to promulgate rules establishing a centralized source through which consumers may request free annual file disclosures from each nationwide consumer reporting agency, a standardized form for these requests, and a streamlined process for consumers to request free annual file disclosure from nationwide specialty reporting agencies. Under the final rule, the centralized source includes a centralized Internet website, a toll-free telephone number, and a postal address. It is estimated there will be 30.4 million requests yearly, 75% or 22.8 million by internet, 24% or 4 million by telephone, and 1% or 166,000 by mail. To accommodate the initial volume of requests when the rule becomes effective, availability will roll out from west to east beginning December 1, 2004 and ending in nationwide availability on September 1, 2005. During periods of extraordinary request volume, requests may be redirected or declined so long as nationwide CRAs implement reasonable procedures to anticipate and respond to consumer demand. In order to strike a balance between ease of use of the centralized source and maintaining adequate identification and authentication procedures against fraud and identity theft, the FTC limits the collection of authentication and information collection to that which is "reasonably necessary." This may include but does not require consumers to provide their social security numbers. It is the FTC's position that a flexible standard that adapts over time is the most effective way to ensure that proper procedures are implemented. Furnishing of Negative Information Section 217 of the FACT Act requires that if any financial institution (1) extends credit and regularly and in the ordinary course of business furnishes information to a nationwide consumer reporting agency, and (2) furnishes negative information to such an agency regarding credit extended to a customer, the institution must provide a clear and conspicuous notice in writing to the customer with 30 days of furnishing the negative information.6 There is a safe harbor for failure to perform if, at the time of the failure, the institution maintained reasonable policies and procedures to comply with the section if the institution reasonably believed that it was prohibited by law from contacting the customer. The FACT Act directed the Board of Governors of the Federal Reserve System to publish a concise model notice not exceeding 30 words that financial institutions may but are not required to use to comply with the notice requirement. On June 15, 2004, the Board published two model notices, one for use when notice to the customer precedes the provision of negative information to a CRA, and one for use if notice follows the provision of negative information.7 The two model notices are as follows: 5 15 U.S.C. 1681g(a)(1). 6 Negative information is defined as information concerning a customer's delinquencies, late payments, insolvency, or any form of default. P.L. 108-159, Sec. 217(a). 7 69 FR 33281 (June 15, 2004). CRS-3 We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report. We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report. Provisions Related to Identity Theft On November 3, 2004, the FTC released its final rule establishing definitions for "identity theft" and "identity theft report;" clarifying what constitutes "appropriate proof of identity" for purposes of the FCRA, as amended by the FACT Act; and establishing the duration of an active duty alert created pursuant to the FACT Act.8 Definition of Identity Theft. The FACT Act confers rights on victims of identity theft to assist them in resolving problems cause by identity theft.9 Defining identity theft determines who may avail themselves of the rights conferred by the act. The FACT Act defines "identity theft" as "a fraud committed using the identifying information of another person" subject to further definition by the FTC.10 The FTC's final rule defines "identity theft" as "a fraud committed or attempted using the identifying information of another person without authority."11 The inclusion of "attempted" in the definition will allow both victims and intended victims to avail themselves of the protections provided under the act to have unauthorized inquiries removed from their consumer reports and to have an "initial fraud alert" placed in their file. Definition of Identity Theft Report. Under section 605A of the FCRA, as amended by the FACT Act, victims who provide an identity theft report to consumer reporting agencies can request an extended fraud alert on their files. An extended fraud alert lasts seven years and notifies users that the consumer may be a victim of fraud or identity theft and requires users to contact the consumer before extending credit. An identify theft report may also be provided by consumers to consumer reporting agencies to have information resulting from identity theft blocked from consumer reports, and by consumers to information furnishers to prevent information furnishers from continuing to provide information resulting from identity theft to the consumer reporting agencies. The FTC's final rule defines "identity theft report" as a report that "alleges identity theft with as much specificity as the consumer can provide;" and has been filed by the consumer with a federal, state, or local law enforcement agency.12 The report may also include additional information as requested by an information 8 69 FR 63922 (November 3, 2004). 9 P.L. 108-159, Title I. 10 P.L. 108-159, Sec. 111. 11 69 FR at 63933. 12 69 FR at 63933. CRS-4 furnisher or consumer reporting agency. The final rule allows information furnishers or consumer reporting agencies to make reasonable requests for additional information for the purpose of determining the validity of the identity theft no later than fifteen business days after receiving the law enforcement agency report or the consumer's request, whichever is later. Appropriate Proof of Identity. Section 112(b) of the FACT Act requires the FTC to determine what constitutes appropriate proof of identity for the purposes described above. In it's proposed rule, the Commission found that the two greatest risks of misidentification are that the file of the requesting consumer is confused with another consumer's file, or that a person pretending to be the consumer makes the request successfully. The FTC noted that the risks vary over time, by the method through which requests are made (internet, phone, mail), and between consumer reporting agencies. Considering the nature of the risks, the FTC determined that the consumer reporting agencies were in the best position to assess the risks associated with misidentification, and it proposed to require them to develop reasonable requirements to identify consumers in accordance with the risk of harm from misidentification. The final rule follows the Commission's original proposal, but also imposes certain requirements on the consumer reporting agencies and provides examples of the types of information that may be used to prove identity.13 Under the final rule, the consumer reporting agencies must "ensure that the information is sufficient to enable the consumer reporting agency to match consumers with their files; and adjust the information to be commensurate with an identifiable risk of harm arising from misidentifying the consumer."14 Examples of the type of information that may be used include the consumer's full name, any other previously used names, current and/or recent full address, the full nine digits of the social security number, and date fo birth. Additional proof of identity may include copies of government issued identification documents, utility bills, and answers to questions to which only the consumer may be expected to know the answer. Duration of an Active Duty Alert. Under the FACT Act, military personnel deployed in situations where they are unlikely to be able either to apply for credit or to monitor their financial accounts may place active duty alerts in their files maintained by nationwide consumer reporting agencies. The act sets a minimum period of 12 months for the duration of the active duty alert, but requires the FTC to determine if this period should be longer. The FTC's final rule abides by the duration of 12 months.15 However, the Commission notes that service members deployed for longer than 12 months may request subsequent alerts. 13 69 FR at 63933. 14 69 FR at 63933 - 63934. 15 69 FR at 63933. CRS-5 Disposal of Consumer Information On November 24, 2004, the FTC issued its final rule regarding the proper disposal of consumer report information and records as required under section 216 of the FACT Act.16 The Federal Trade Commission's new rule requires "any person who maintains or otherwise possesses consumer information for a business purpose" to "properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."17 The final rule includes examples of standards and practices that would constitute reasonable measures in compliance with the requirement articulated above. Such reasonable measures could include, but are not limited to the following: 1) the implementation of and monitoring of compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information; 2) the implementation of and monitoring of compliance with policies and procedures that require the destruction or erasure of electronic media containing such information; and 3) after due diligence, entering into a contract with another party engaged in the business fo record destruction to dispose of such material. Persons subject to the Gramm-Leach-Bliley Act and the Commission's Safeguards Rule can incorporate the disposal of consumer information into the information security program required by the Safeguards Rule.18 On November 29, 2004, the National Credit Union Administration (NCUA) issued a final rule to implement section 216 of the FACT Act by amending its fair credit reporting and security program regulations and NCUA's Guidelines for Safeguarding Member Information.19 The new rule generally requires federal credit unions (FCUs) to develop and maintain controls designed to ensure proper disposal of consumer information as part of their information security programs. Examples of what constitutes proper disposal mirror those articulated by the Federal Trade Commission. On December 28, 2004, the OCC, FRS, FDIC, and OTS (the Agencies) issued a final rule to implement section 216 of the FACT Act by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.20 The new rule amends paragraph II.B of the Guidelines by adding proper disposal of consumer information to the list of objectives. To reach this objective, each institution must, as part of its information security program, develop, implement, and maintain measures to properly dispose of consumer information to guard against identity theft. 16 69 FR 68690 (November 24, 2004). 17 69 FR at 68697. 18 See 16 C.F.R. part 314. 19 69 FR 69269 (November 29, 2004). 20 69 FR 77610 (December 29, 2004). See also 69 FR 71322 for a discussion of the SEC's implementation of the disposal requirements under section 216 of the FACT Act. CRS-6 Proposed Rules Affiliate Marketing Section 214(a) of the FACT Act amended the FCRA by adding a new section 624, which the proposed rule seeks to implement by providing for consumer notice and an opportunity to prohibit affiliates from using certain information to make or send marketing solicitations to the consumer. Section 624 governs the use of information by an affiliate, not the sharing of information with or among affiliates, which is the subject of section 603(d)(2)(A)(iii).21 Though there is some overlap between the two opt-out provisions, they serve distinct purposes. Section 624 does not specify which affiliate must give the consumer notice and opportunity to opt out of the use of the information by an affiliate for marketing purposes. Section 214 (b)(2) of the FACT Act requires the FTC to consider existing affiliate sharing notification practices and to provide for coordinated and consolidated notices, and section 214 allows for the combination of affiliate marketing opt-out notices with other notices required by law such as privacy notices. Therefore, the FTC proposes that the person communicating the information should be responsible for satisfying the notice requirement where applicable because that is the person that would likely provide the affiliate sharing opt-out notice under section 603(d)(2)(A)(iii) of the FCRA and other disclosures required by law.22 The proposed rule also defines the type of information that consumers are able to bar affiliates from using to send marketing solicitations, referring to such information as "eligibility information." Under the proposed rule, "eligibility information" could include "a person's own transaction or experience information, such as information about a consumer's account history with that person, and other information, such as information from credit bureau reports or applications."23 Under the proposed rule, the Commission has determined that a person must give a consumer a reasonable opportunity to opt-out following delivery of the opt-out notice. The proposal provides examples of what may constitute a reasonable opportunity to opt-out, and establishes a 30-day safe harbor period in certain situations. 21 Section 603(d)(2)(A)(iii) provides that a person may communicate non-transaction or experience information that would otherwise be a consumer report among its affiliates without becoming a consumer reporting agency if the person has given the consumer both a clear and conspicuous notice that such information may be communicated among affiliates and an opportunity to opt-out of such communications, and the consumer has not opted out. 22 69 FR 33324 (June 15, 2004). 23 Id. CRS-7 The federal banking agencies and the Securities and Exchange Commission have issued proposed rules that appear to be substantially similar to those proposed by the Federal Trade Commission.24 Reporting of Medical Information On April 28, 2004, the Office of Thrift Supervision of the Department of the Treasury (OTS), the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Agency (NCUA), published proposed regulations implementing section 411 of the FACT Act, restricting the circumstances under which consumer reporting agencies may furnish consumer reports containing medical information about consumers.25 Section 411(a) of the FACT Act added several new sections to the FCRA. Among these, new section 604(g)(1) restricts the furnishing by consumer reporting agencies of consumer reports containing medical information about consumers to the following three circumstances: (1) the report is furnished in connection with an insurance transaction with the consumer's affirmative consent; (2) the report is furnished either for employment purposes or in connection with a credit transaction, the information is relevant to process the employment or credit transaction, and the consumer provides written consent describing in clear and conspicuous language the use for which the information will be furnished; or (3) the information pertains solely to transactions, accounts, or balances relating to debts arising from the receipt of medical services, products, or devices, where such information is not sufficient to allow inference of the specific provider or nature of the services. The new section 604(g)(2) prohibits creditors from obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer's eligibility or continued eligibility for credit. A final new section -- 604(d)(3) -- eliminates the standard exclusions permitting sharing transaction or experience information among affiliates after notice and an opportunity to opt-out where medical-related information is concerned. The Agencies propose two things.26 First, they propose to create exceptions to the general prohibition against obtaining or using medical information in connection with credit eligibility determinations. Also, they propose to create additional exceptions to the restrictions on sharing medical-related information with affiliates. The Agencies believe the exceptions are necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs and are consistent with congressional intent to restrict the use of medical information for inappropriate purposes. 24 See 69 FR 42502 (July 15, 2004); 69 FR 42302 (July 14, 2004). 25 69 FR 23380 (April 28, 2004). 26 Id. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RL32535