The Fair and Accurate Credit Transactions Act of 2003 (abbreviated FACT Act or FACTA, Pub.L. 108-159) is a United States federal law, passed by the United States Congress on November 22, 2003, and signed by President George W. Bush on December 4, 2003, as an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, AnnualCreditReport.com, to provide free access to annual credit reports.
The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.
The FACT Act contains seven major titles: Identity Theft Prevention and Credit History Restoration, Improvements in Use of and Consumer Access to Credit Information, Enhancing the Accuracy of Consumer Report Information, Limiting the Use and Sharing of Medical Information in the Financial System, Financial Literacy and Education Improvement, Protecting Employee Misconduct Investigations, and Relation to State Laws.
This title of the act contains provisions that deal mainly with the prevention of identity theft. In particular, it establishes new regulations concerning 'fraud alerts' and 'active duty alerts', establishes new limitations on the printing of customers' credit card numbers on receipts, and prescribes that new regulations be established by certain government agencies regarding the detection of identity theft by financial institutions and creditors.
The title requires that consumer reporting agencies, upon the request of a consumer who believes he is or about to be a victim of fraud or any other related crime, must place a fraud alert on that consumer's file for at least 90 days, and notify all other consumer reporting agencies of the fraud alert. Furthermore, such consumer may request an extended fraud alert, in which case requires the reporting agency to disclose this fraud alert in any credit score that it issues for the consumer during a seven-year period. An extended alert also requires the reporting agency to exclude the consumer from any list distributed to third parties for the purpose of extending credit or offering insurance to that consumer. The title also provides for any active duty member to request an active duty alert, which requires the reporting agency to disclose such alert with any credit report issued within 12 months of the request and to exclude the active duty member from any list distributed to third parties for the purpose of extending credit or offering insurance for two years from the request.
The act also prohibits businesses from printing more than 5 digits of any customer's card number or card expiration date on any receipt provided to the cardholder at the point of sale or transaction. This provision is enforced with statutory damages ranging from $100 to $1000 per violation, and when claims are aggregated in a class action (brought by all the customers of a retailer that failed to truncate credit card numbers) the amount of damages can be massive. The provision excludes receipts that are handwritten or imprinted, where the only method of recording the credit card number is by such means. The act did not become effective for three years after its enactment for any cash register manufactured before January 1, 2005 and did not become effective for one year after its enactment for any cash register manufactured after January 1, 2005.
The act established the Red Flags Rule, which required the Federal banking agencies, the National Credit Union Administration, and the Federal Trade Commission to jointly create regulations regarding identity theft prevention applicable to financial institutions and creditors. The Red Flags Rule also address how card issuers must respond to changes of address. Regulations that were established as a result include:
Another key item was the requirement that mortgage lenders provide consumers with a Credit Disclosure Notice that included their credit scores, range of scores, credit bureaus, scoring models, and factors affecting their scores. This form is typically available from credit reporting agencies, and many will send this directly to the consumer on the lenders' behalf.
Financial institutions faced a mandatory deadline of November 1, 2008, to comply with the Red Flags Rule, section 114 and 315 of the Fair and Accurate Credit Transactions (FACT) Act. However, due to widespread confusion over coverage under the act, specifically whether the term "creditor" applies to particular businesses, members of Congress have repeatedly requested that FTC postpone the deadline for compliance with Section 315 until after December 31, 2010.
According to a Business Alert issued by the Federal Trade Commission in June 2008, the Red Flags Rule apply to a very broad list of businesses including "financial institutions" and "creditors" with "covered accounts". A "creditor" is defined to include "lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies". However, this is not an all-inclusive list.
The regulations apply to all businesses that have "covered accounts". A "covered account" includes any account for which there is a foreseeable risk of identity theft. For example, credit cards, monthly billed accounts like utility bills or cell phone bills, social security numbers, drivers license numbers, medical insurance accounts, and many others. This significantly expands the definition to include all companies, regardless of size, that maintain, or otherwise possess, consumer information for a business purpose. Because of the broad definitions in these regulations, few businesses will be able to escape these requirements.
Provisions in this title require that the Federal Trade Commission, in consultation with the Federal banking agencies and the National Credit Union Agency, "prepare a model summary of the rights of consumers ... with respect to the procedures for remedying the effects of fraud or identity theft...". Beginning sixty days after the summary of these rights were established, all reporting agencies are required to provide a copy of this summary to any consumer that contacts an agency and states that he believes he has been a victim of fraud or identity theft.
The Act also allows requires any reporting agency to block the reporting of any information in a consumer's file that the consumer identifies as information that originated from an alleged identity theft. Such agency must block the information within four days of receiving proof, a copy of an identity theft report, the identification of the information by the consumer, and a statement from the consumer that the information is not a result of any transaction he participated in.
Agencies are not required to block any information (and may rescind any existing blocks) in the case that the block was found to be made in error or based on erroneous information as provided by the consumer, or that the consumer "obtained possession of goods, services, or money as a result of the blocked transaction or transactions.
This section requires that all consumer reporting agencies develop a means of communicating to each other consumer complaints regarding fraud or identity theft, or requests for fraud alerts or blocks. Furthermore, the section requires that each consumer reporting agency release a report each year to the Federal Trade Commission of fraud alert requests and complaints involving fraud or identity theft received by the reporting agency. Finally, the section requires the Federal Trade Commission to set up a means by which consumers can contact the reporting agencies and creditors with a complaint involving identity theft or fraud.
After its enactment, some consumer advocacy groups criticised the FACT Act claiming that it preempts some stricter and already-existing state regulations, and provides exceptions that are 'far too generous' to new regulations regarding disclosure of personal information by banks as found in the act. Furthermore, an article in the Washington Post criticised the difficulty in retrieiving the credit reports in some of the states that were first eligible under the act.
Vermont, Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and California had all established laws by 1994 requiring credit bureaus to provide a free credit report on demand. However, according to U.S. Pirg, "[w]ith the FACT Act, the financial industry won its primary goal: permanent pre emption of stronger state credit and privacy laws.".
An article dated March 13, 2005 and published in the Washington Post stated that while "[r]esidents of six East Coast statesMaryland, Georgia, Maine, Massachusetts, New Jersey and Vermontare already eligible for free reports from all three agencies as a result of state laws", the phone numbers provided to request these reports connected to automated systems that the article described as "maddening in their complexity and unforgiving if your circumstances vary from the system's programming.". Furthermore, the article criticised automated systems for forcing consumers to "navigate a thicket of recorded information -- including sales pitches for their products, such as a credit 'score' (an evaluation of your creditworthiness) or a 'monitoring' service to help guard against identity theft".
As the Red Flag rule widely defines creditors, many businesses (such as utilities) are not required to collect personal information (such as SSN and driver's license numbers) that they do not need and have no use for. This policy is precisely contrary to the FTC's advice to consumers that they should disclose their social security number to companies only when absolutely necessary.[clarification needed] This aspect of the Red Flag rule has the unintended consequences of increasing the number of businesses that hold consumers' Social Security numbers, thereby putting consumers at greater risk for identity theft through data theft.
Any Republican office holder who voices the slightest support for this type of law should be instantly primaried...if citizens were actually paying attention.