Identity Theft Regulations

A number of identity theft regulations were signed into law as part of the Fair and Accurate Credit Transactions Act (FACT Act), which required financial institutions and creditors to develop, and implement, written identity theft programs by November 1, 2008.

In this article, we're going to review some of the regulations and guidelines appearing in Section 114 of the Fair and Accurate Credit Transactions Act.  That review will include the required elements of an identity theft program such as Red Flags.  During this review, we'll explain how these programs can affect consumers, as well as the forms of identification a consumer may be asked to produce.

Mitigating Identity Theft

The final rules of FACT Act require creditors and financial institutions to develop reasonable procedures to detect, prevent, and mitigate identity theft in connection with the opening or the maintenance of certain accounts.  The accounts covered by this legislation include those involving, or those designed to permit, multiple payments or transactions.

Examples include credit card accounts, mortgages, automobile loans, margin accounts, cell phone, utility, checking, and / or savings accounts.  In addition, accounts where there is "reasonable foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft" are also covered by these regulations.

Program Requirements

FACT Act outlined several mandatory elements of a financial institution's program including:

  • Identifying the accounts that are at risk
  • Outlining processes or methods used to open new accounts
  • Outlining processes or methods used to access existing account information
  • Prior experience with identity theft
  • Evaluating changes in risk over time such as those that might be introduced via new technology
  • Providing the program with the appropriate regulatory, supervisory, and / or legal support

Using the above criteria, these financial institutions and creditors are required to conduct a risk assessment of their operations.

Red Flags

One of the cornerstones of these assessments is "Red Flags," which is defined as a pattern, practice, or activity that indicates the possible existence of identity theft.  In the same way that a company may have responded to an incident in the past, a company needs to monitor the following indicators:

  • Alerts, warnings, or notifications from a Consumer Reporting Agency
  • Suspicious looking documentation received from a customer
  • Suspicious persons providing identifying information
  • Unusual or suspicious account activity
  • Notices received from customers, victims, law enforcement officials, or other persons regarding possible cases of identity theft

Identification Procedures

Companies are required to integrate a Customer Identification Program, or CIP, as part of their identification and verification process or procedure.  CIPs were first required by the PATRIOT Act, and applied to companies that fall under the broadly defined term "financial institution."

Here again, companies needed to establish, and follow, written procedures that help to ensure the correct identification of customers.  These laws recognize that companies of various sizes fall under the definition of financial institution, therefore the exact procedure followed will vary from one company to another.

Proof of Identity

To prevent identity theft, companies are required to collect the following four pieces of information on all new accounts:

  • Accountholder Name
  • Date of Birth (Individuals)
  • Home Address
  • Identification Number

If the customer is a citizen of the United States, the identification number must be a taxpayer identification number such as a Social Security or an employee identification number.  Non-U.S. citizens must provide an alien identification number, or any other government-issued document providing evidence of nationality that includes a photograph.

In addition to the above, companies may also require the customer to provide proof of identity using a:

  • Social Security Card
  • Driver's License
  • Military Identification Card
  • County Identification Card
  • Birth Certificate
  • Current Auto Insurance Card or Policy
  • Utility Bill or Invoice
  • Credit Card Bill or Statement

Social Security Numbers as Identification

From the above, it's clear that companies will continue to ask consumers to produce their Social Security Number / Card as proof of identity.  However, the government recognizes the original purpose of SSNs was not as the primary means of identifying an individual.

Until emerging technologies such as biometrics become an industry standard, Social Security Numbers will remain one of the most reliable forms of identification.  Credit scores, credit history, and reported information on debt payment behavior require an accurate means of aggregating consumer information.  Ironically, the same information that people safeguard as a way of protecting themselves from identity theft is also used as proof of a stolen identity.


About the Author - Identity Theft Regulations (Last Reviewed on September 21, 2016)