A number of identity theft regulations were signed into law as part of the Fair and Accurate Credit Transactions Act (FACT Act), which required financial institutions and creditors to develop, and implement, written identity theft programs by November 1, 2008.
In this article, we're going to review some of the regulations and guidelines appearing in Section 114 of the Fair and Accurate Credit Transactions Act. That review will include the required elements of an identity theft program such as Red Flags. During this review, we'll explain how these programs can affect consumers, as well as the forms of identification a consumer may be asked to produce.
The final rules of FACT Act require creditors and financial institutions to develop reasonable procedures to detect, prevent, and mitigate identity theft in connection with the opening or the maintenance of certain accounts. The accounts covered by this legislation include those involving, or those designed to permit, multiple payments or transactions.
Examples include credit card accounts, mortgages, automobile loans, margin accounts, cell phone, utility, checking, and / or savings accounts. In addition, accounts where there is "reasonable foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft" are also covered by these regulations.
FACT Act outlined several mandatory elements of a financial institution's program including:
Using the above criteria, these financial institutions and creditors are required to conduct a risk assessment of their operations.
One of the cornerstones of these assessments is "Red Flags," which is defined as a pattern, practice, or activity that indicates the possible existence of identity theft. In the same way that a company may have responded to an incident in the past, a company needs to monitor the following indicators:
Companies are required to integrate a Customer Identification Program, or CIP, as part of their identification and verification process or procedure. CIPs were first required by the PATRIOT Act, and applied to companies that fall under the broadly defined term "financial institution."
Here again, companies needed to establish, and follow, written procedures that help to ensure the correct identification of customers. These laws recognize that companies of various sizes fall under the definition of financial institution, therefore the exact procedure followed will vary from one company to another.
To prevent identity theft, companies are required to collect the following four pieces of information on all new accounts:
If the customer is a citizen of the United States, the identification number must be a taxpayer identification number such as a Social Security or an employee identification number. Non-U.S. citizens must provide an alien identification number, or any other government-issued document providing evidence of nationality that includes a photograph.
In addition to the above, companies may also require the customer to provide proof of identity using a:
From the above, it's clear that companies will continue to ask consumers to produce their Social Security Number / Card as proof of identity. However, the government recognizes the original purpose of SSNs was not as the primary means of identifying an individual.
Until emerging technologies such as biometrics become an industry standard, Social Security Numbers will remain one of the most reliable forms of identification. Credit scores, credit history, and reported information on debt payment behavior require an accurate means of aggregating consumer information. Ironically, the same information that people safeguard as a way of protecting themselves from identity theft is also used as proof of a stolen identity.
About the Author - Identity Theft Regulations (Last Reviewed on September 21, 2016)