The Green Sheet Online Edition
January 28, 2008 • Issue 08:01:02
FACTA flags identity fraud
Two amendments to the Fair and Accurate Credit Transactions Act (FACTA) went into effect Jan. 1, 2008. They require bankcard issuers to establish guidelines that red flag and deter potential instances of identity theft.
Section 114 of FACTA deals with procedures for card issuers when they receive a request for a change of address on an existing account and said request is soon followed by another request for an additional or replacement credit or debit card.
Section 315 outlines the policy for financial institutions and consumer reporting agencies when the address on a consumer's new account application is not the same as the one listed on a consumer report.
Unlike the Federal Trade Commission, nearly 10 million U.S. citizens are victims of identity theft annually, making for a $50 billion drain on the economy. The FTC claims 15,000 to 20,000 consumers contact it every week with concerns about identity fraud.
In 2006 testimony to the FTC, card issuers criticized the proposed FACTA rules, arguing the new guidelines would be labor-intensive and costly. Visa Inc. testimony also stated that financial institutions had already set up broad and effective systems for discovering instances of identity fraud. Other organizations have contended the FACTA rules would straightjacket the card issuers' efforts to uncover identity theft.
Before FACTA was signed into law in 2003, financial institutions relied on two sets of federal guidelines to combat identity theft: the Customer Identification Program rule (CIP) in the USA Patriot Act of 2001 and the information security guidelines of the 1999 Gramm-Leach-Bliley Act (GLB). But CIP was meant as a counter-terrorism measure, and GLB has not reportedly stemmed the flow of data security breaches.
According to a letter sent in September 2006 to the FTC by the nonprofit consumer advocacy organization Privacy Rights Clearinghouse, both sets of guidelines gave financial institutions too much leeway in deciding which red flag warnings to heed and which ones to ignore, even if the warnings were obvious indications that identity fraud may have taken place.
The letter stated that failure to make "certain red flags a required part of a company's program will simply lead to token programs that do nothing to deter theft or help victims."
The new FACTA rules, however, are designed to eliminate that tokenism. But will they? Gail Hillebrand, Senior Attorney at the West Coast regional office of Consumer's Union, the nonprofit publisher of Consumer Reports, doesn't think so. "I think it's going to be business as usual," she said.
While Hillebrand believes the new FACTA guidelines are a step in the right direction, she said the red flag warnings "don't go far enough." Hillebrand contends that, despite the new FACTA provisions, the basic problem still exists:
Card issuers get to decide which warnings they address or ignore because the guidelines are only that, guidelines, with no sanctions imposed if businesses do not comply.
But Theodore Svoronos, Vice President, Business Development & Strategic Partnerships for Irvine, Calif.-based Group ISO, said the FACTA guidelines must be there. Svoronos agreed there are no monetary fines levied against businesses that do not become FACTA-compliant.
But, if identity fraud should happen on a scale large enough to capture the FTC's attention, and if it were proven that the fraud occurred due to lax business practices, the FTC could cite the card issuer for failure to comply with the FACTA guidelines, publicly embarrassing the issuer and causing the careless business to lose its reputation and customer base.
"If you're a card issuer, you don't want to be in that spotlight," Svoronos said.
Nessa Feddis, Senior Federal Counsel to the Government Relations Division of the American Banker's Association, said many of the banks "are already complying with the [FACTA guidelines]." In order to maintain trust with consumers, banks have "sufficient incentive to do what they can."
Card issuers are required to be compliant with the new FACTA guidelines by Nov. 1, 2008.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.