Recent Final Rulings

CUNA
November 26, 2007 | COMMENTS

FACT Act Guidelines and Rules on Identity Theft “Red Flags” and Change of Address Discrepancies

The National Credit Union Administration (NCUA) and the other financial institution regulators, as well as the Federal Trade Commission (collectively the “Agencies”), have issued guidelines that will help identify “red flags,” which are patterns, practices, or activities that indicate the possible risk of identity theft, along with rules requiring financial institutions and other creditors to implement the guidelines. The guidance and rules are required under the Fair and Accurate Credit Transactions Act, which was enacted in 2003.

The guidelines and rules issued by NCUA will apply to federally-chartered credit unions, and the guidelines and rules issued by the Federal Trade Commission will apply to state-chartered credit unions, although these rules are essentially the same.

The guidelines are intended to assist financial institutions and creditors in formulating and maintaining a written identity theft prevention program (program). The guidelines also list a number of “red flags” that may indicate identify theft. This includes the existence of fraud alerts, altered and inconsistent information, account use that fits a pattern of fraud, notifications of unauthorized charges or fraudulent account charges, attempts to access accounts by unauthorized users, as well as a number of other indicators. Financial institutions and creditors are encouraged to evaluate their existing policies and procedures and to use them for purposes of complying with these requirements to detect “red flags.”

The rules adopt a risk-based, flexible approach that will require creditors to have a program that is appropriate to the size and complexity of the institution, as well as the nature and scope of its activities. The program will require a number of components, such as reasonable policies and procedures, staff training, oversight of service providers, and oversight by the board of directors.

The rules will also require credit and debit card issuers to establish reasonable policies and procedures to assess the validity of a change of address when there is also a request for an additional or replacement card within a short period of time, which is often an indication of identity theft. In this situation, the card issuer may not issue another card without notifying the cardholder at the former address or using some other means to verify the change. Also, users of consumer reports who receive a notice of an address discrepancy from a credit bureau must have procedures in order to form a reasonable belief of the consumer's identity. The user must also have policies and procedures in place when furnishing an address to the credit bureau that the user believes is accurate.

 The rules will be effective as of January 1, 2008, although compliance will not be mandatory until November 1, 2008.

 If you have questions about the final rule, please contact Senior Vice President and Deputy General Counsel Mary Dunn at mdunn@cuna.coop or by telephone at (800) 356-9655, extension 6736, or contact Senior Assistant General Counsel Jeff Bloch at jbloch@cuna.coop or by telephone at (800) 356-9655, extension 6732. If you would like a copy of the rule, contact Jeff by e-mail or by telephone. You may also obtain a copy on the Internet at the following address: http://www.ncua.gov/NCUABoard/draftboardactions/Item2b.pdf

> View/Download the rest of this final rule analysis here

FACT Act Rule on Limiting the Use of Information by Affiliated Entities for Marketing Solicitations

The Fair and Accurate Credit Transactions (FACT) Act was enacted in 2003 and permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). It also enhances the ability of consumers to combat identity theft, increases accuracy of credit reports, and allows consumers to exercise greater control regarding the marketing solicitations they receive.

The FACT Act also provides consumers with the opportunity to “opt-out” before a company uses certain information provided by an affiliate to market its products or services to the consumer.

The National Credit Union Administration (NCUA) and the other financial institution regulators, including the Federal Trade Commission (FTC), have issued a final rule to implement these provisions. The NCUA rules will apply to federal credit unions, and the FTC rules will apply to state-chartered credit unions.

Since the final rule has been issued jointly by NCUA and the other federal financial institution regulators, the rule generally refers to “affiliates” and “consumers” instead of “credit union service organizations (CUSOs),” “credit unions,” and “members.”

The rule will be effective as of January 1, 2008, although compliance will not be mandatory until October 1, 2008.

If you have questions about the rule, please contact Senior Vice President and Deputy General Counsel Mary Dunn at mdunn@cuna.coop or by telephone at (800) 356-9655, extension 6736, or contact Senior Assistant General Counsel Jeff Bloch at jbloch@cuna.coop or by telephone at (800) 356-9655, extension 6732. If you would like a copy of the rule, contact Jeff by e-mail or by telephone. You may also obtain a copy on the Internet at the following address: http://www.ncua.gov/news/press_releases/2007/JR07-1025Attachment.pdf

> Read the rest of this final rule analysis here @ CUNA.org