Thursday, January 17, 2008
Section 114 of FACTA deals with procedures for card issuers when they receive a request for a change of address on an existing account and said request is soon followed by another request for an additional or replacement credit or debit card.
Section 315 outlines the policy for financial institutions and consumer reporting agencies when the address on a consumer's new account application is not the same as the one listed on a consumer report. Unlike the Payment Card Industry Data Security Standard, which attempts to stop private customer data from being stolen in the first place, these two FACTA amendments endeavor to flag possible instances when data thieves try to use the data.
According to identity theft solution provider ID Insight Inc., the critical action in an identity theft scenario is when access to an account is diverted from the intended victim and to the thief. The victim's address is the most vulnerable access point for that action. The address is also the most likely piece of consumer information to change over time, potentially disguising the identity theft from being discovered.
The dilemma for card issuers deciding how closely to scrutinize card applications has concerned the cost in time and money associated with checking and verifying addresses on each application. It is estimated that up to 17% of Americans move every year. The card issuers therefore assume the majority of address discrepancies on new card applications are the result of individuals simply moving from one place to another.
In comparison, ID Insight calculated that 1% or less of mismatched address occurrences are the result of identity theft.
This proportionally small number of fraudulent address mismatches go undiscovered until it's too late. And issuers see this as the price of doing business, as opposed to the much more expensive and time-consuming operation of manually screening address mismatches, which ID Insight said costs financial institutions $31 per application.
Though card issuers may write off the cost of identity fraud, the Federal Trade Commission has cited statistics regarding the extent of the problem. According to the FTC, nearly 10 million U.S. citizens are victims of identity theft annually, making for a $50 billion drain on the economy. The FTC claims 15,000 to 20,000 consumers contact them every week with concerns about identity fraud.
In 2006 testimony to the FTC, card issuers criticized the proposed FACTA rules, arguing the new guidelines would be labor-intensive and costly. Visa Inc. testimony also stated that financial institutions had already set up broad and effective systems for discovering instances of identity fraud. Other organizations have even contended the FACTA rules would straightjacket the efforts of card issuers in the pursuit of uncovering identity theft.
Before FACTA was signed into law in 2003, financial institutions relied on two sets of federal guidelines to combat identity theft: the Customer Identification Program rule (CIP) in the USA Patriot Act of 2001 and the information security guidelines of the 1999 Gramm-Leach-Bliley Act (GLB).
But CIP was meant as a counter-terrorism measure, and GLB has not reportedly stemmed the flow of data security breaches.
According to a letter sent in September 2006 to the FTC by the nonprofit consumer advocacy organization Privacy Rights Clearinghouse, both sets of guidelines gave financial institutions too much leeway in deciding which red flag warnings to heed and which ones to ignore, even if the warnings were obvious indications that identity fraud may have taken place.
The letter stated that failure to make "certain red flags a required part of a company's program will simply lead to token programs that do nothing to deter theft or help victims."
The new FACTA rules, however, are designed to eliminate that tokenism. But will they?
Gail Hillebrand, Senior Attorney at the West Coast regional office of Consumer's Union, the nonprofit publisher of Consumer Reports, doesn't think so. "I think it's going to be business as usual," she said.
While Hillebrand believes the new FACTA guidelines are a step in the right direction, she said the red flag warnings "don't go far enough." Hillebrand contends that, despite the new FACTA provisions, the basic problem still exists: Card issuers get to decide which warnings they address or ignore because the guidelines are only that, guidelines, with no sanctions imposed if businesses do not comply.
But Theodore Svoronos, Certified Fraud Examiner for Irvine, Calif.-based Group ISO, said the FACTA guidelines must exist.
Svoronos agreed there are no monetary fines levied against businesses that do not become FACTA-compliant. But, if identity fraud should happen on a scale large enough to capture the FTC's attention, and if it were proven that the fraud occurred due to lax business practices, the FTC could cite the card issuer for failure to comply with the FACTA guidelines, publicly embarrassing the issuer and causing the careless business to lose its reputation and customer base.
If you're a card issuer, you don't want to be in that spotlight," Svoronos said.
Nessa Feddis, Senior Federal Counsel to the Government Relations Division of the American Banker's Association, said many of the banks "are already complying with the [FACTA guidelines]." In order to maintain trust with consumers, banks have "sufficient incentive to do what they can."
Card issuers are required to be compliant with the new FACTA guidelines by Nov. 1, 2008. At the state level, California and Illinois already have implemented laws similar to FACTA's red flag guidelines for combating identity theft.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
