The Fair and Accurate Credit Transactions Act of 2003 (FACTA) was enacted in 2003 and outlined specific document destruction rules that would come into effect two years later. The FACTA also amended the existing Fair Credit Reporting Act (FCRA), providing consumers, companies, consumer reporting agencies and regulators with new tools to expand consumer access to credit, enhance the accuracy of consumer financial information and help fight identity theft. The FACTA is administered by the Federal Trade Commission (FTC).
The FACTA applies to any person or company that maintains or retains consumer information, such as consumer reports, for a business purpose. Examples of those who would be impacted by the FACTA include:
- Consumer reporting agencies (CRAs)
- Resellers of consumer reports
- Government agencies
- Mortgage brokers
- Auto dealers
- Waste disposal companies
FACTA added new sections to the existing federal Fair Credit Reporting Act (FCRA), intended primarily to help consumers combat identity theft. FACTA is also concerned with issues such as accuracy, privacy, limits on information sharing and new consumer rights to disclosure.
FACTA includes a specific rule regarding the proper disposal of consumer report information and records. The purpose of this rule is to reduce the risk of identity theft and other consumer harm from the inappropriate disposal of a consumer report, or records derived from such reports. The FACTA rule states:
“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
Helping out Identity Theft Victims
The FACTA includes a number of significant provisions aimed to provide assistance to victims of identity theft. These provisions include:
- Free credit reports – Consumers will receive one free credit report every 12 months from each of the “big three” national credit bureaus.
- Fraud alerts – Victims of identity theft can place a fraud alert on their accounts, which are effective for 90 days, but may be extended (with proof of identity theft) for a period of seven years. Active duty alerts allow active duty military personnel to place a notation on their credit reports to alert potential creditors to possible fraud.
- Truncation – Systems that print payment card receipts must employ PAN truncation so that the consumer’s full account number is not visible on the slip.
- Available information – The FACTA includes provisions that help victims access copies of the imposter’s account application and transactions.
- Collection agencies – Once creditors are notified of debts due to identity theft, they are not permitted to sell the debt or place it for collection.
- Red flags – Financial institutions, creditors and other businesses that rely on consumer reports are required to detect and resolve fraud by identity theft. FACTA includes Red Flag Guidelines and requirements for credit and debit card issuers to assess the validity of a change of address request. The Act also outlines procedures to reconcile different consumer addresses.
FACTA & Workplace Privacy
The FACTA sets a new standard for what is known as “employee misconduct investigations.” Such investigations are conducted by a third-party contracted by the employer, if there is reason to suspect an employee of:
- Misconduct relating to the terms of employment
- A violation of federal, state, or local laws or regulations
- A violation of any preexisting written policies of the employer
- Noncompliance with the rules of a self-regulatory organization
An employer who suspects an employee of misconduct does not have to give notice or get the employee’s permission to conduct a misconduct investigation. Like other inquiries covered by the FCRA, this only applies if the employer hires an outside party to conduct the investigation.
The findings of employee misconduct investigations cannot be disputed under the FCRA dispute procedure. These types of investigations have deliberately been removed from the definition of “consumer report,” thus the usual protections that apply to a consumer report conducted for employment purposes do not apply to employee misconduct investigations.
The Fair and Accurate Credit Transactions Act (FACTA), enacted in 2003, amended the existing Fair Credit Reporting Act of 1970 (FCRA). It also included several important provisions to help consumers avoid and respond to identity theft crimes.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Fair and Accurate Credit Transactions Act of 2003 (II.C.b.)