FCRA guru Pam Devata, Labor and Employment Attorney for Seyfarth Shaw, was kind enough to draft an exclusive article for employeescreen University about the new FACT Act regulations aimed at curbing the affects of identity theft. While many of the regulations are aimed at the Big Three Credit Bureaus, Experian, Trans Union and Equifax, there are some compliance issues that will affect employers and other financial institutions. See excerpt from the article below:
It is no secret that identity theft has become a problem for consumers in recent years, costing millions of dollars in fraudulent purchases, credit fixes and litigation. As a result, the legislature and many government agencies including the Federal Trade Commission have taken measures to curb this rising trend. Indeed, recent regulations issued by the FTC and mandated by The Fair and Accurate Credit Transactions Act of 2003 (FACTA) have specific directives for users of consumer information that are aimed at uncovering and preventing incidents of identity theft. These new regulations go into effect on November 1, 2008 and require the creation of a number of new policies and procedures for specified entities. Some of the regulations apply to all users of consumer reports, where others are specific to financial institutions and creditors.
FACTA or the FACT Act as it is sometimes referred to went into effect in December 2003 and amended the federal Fair Credit Reporting Act (FCRA) in a number of ways. As it relates to identity theft prevention, FACTA instituted a procedure to help users of consumer reports combat identity theft by creating a notion of “red flags” when identity theft was suspected. In FACTA, a “Red Flag” is defined as a pattern, practice, or specific activity that indicates the possible existence of identity theft. A ???user” of a consumer report includes entities such as employers who obtain consumer reports for the purpose of making employment (hiring, promotion, firing, etc.) decisions, as well as financial institutions, and granters of credit who use the information contained in consumer reports to issue credit cards, loans or mortgages, and other such activities.
FACTA’s identity theft prevention sections require various federal agencies to implement regulations describing exactly what users must do to comply with the law. Two sections of the Act, 15 U.S.C. § 1681m (FACTA section 114), and 15 U.S.C. 1681c (FACTA section 315), refer specifically to the creation of such regulations. FACTA section 114, which addresses procedures users must implement in the case of an address discrepancy between themselves and a consumer reporting agency (CRA), applies to all users. FACTA section 315, which requires the implementation of an Identity Theft program pursuant to the Red Flags rule, is applicable only to financial institutions and creditors, as described below.
Because the law itself does not provide a lot of guidance on exactly what users need to do to be in compliance with the identity theft red flags, employers and other users should be aware of their responsibilities under these new regulations.