Docstoc

Fact Act Policy 06

Document Sample
Fact Act Policy 06 Powered By Docstoc
					                                                Disclaimer
This sample policy provides a guide or a place to begin. Credit union policies should always be structured to
meet the specific needs of the credit union and its membership. Efforts are made to update the material to
reflect applicable changes in the law. This sample should not be considered legal advice nor relied upon as
a substitute for professional services. Credit unions are encouraged to contact legal counsel for legal
advice. The Kansas Credit Union Association will not be liable for any direct, indirect or consequential
damages resulting from the use of this policy.



                                     Sample Fact Act Policy

POLICY STATEMENT

In compliance with The Fair and Accurate Credit Transactions Act of 2003 as it amends
the Fair Credit Reporting Act Compliance Program, the board of directors of Sample
Credit Union adopted the following policy to comply with the following regulations:

POLICY GOALS

        To ensure compliance with existing federal and state laws with respect to
         implementing the stated sections of the FACT Act as it amends the FCRA.
        To combat identity theft.
        To promote accuracy in reporting credit information.
        To provide proper notices and disclosures.
        To limit sharing of information with affiliates.
        To protect consumer medical and other information.

COMPLIANCE

    __________________ will be responsible for compliance with the FACT Act and will
    conduct or have audits conducted to ensure that the credit union is in compliance.

IDENTITY THEFT

Defined as a fraud committed using the identifying information of another person without
lawful authority. Identifying information is any name or number that may be used, alone
or in conjunction with any other information, to identify a specific individual.

Fraud Alerts and Active Duty Alerts - FACT Act Section 112, FCRA Section 605(A)

Fraud Alerts are placed by credit reporting agencies (CRA). All alerts place limitations
on the extension of credit to the consumer who had an alert in his or her file.

A “fraud alert” is a statement in the file of a consumer stating that the consumer may be
a victim of fraud, including identity theft. An “active duty alert” is a statement in the file of
a consumer stating that the consumer is an “active duty military consumer.” An “active
duty military consumer” means a consumer in military service who is on active duty, or
who is a reservist performing duty under a call or order to active duty, and who is
assigned away from his or her usual duty station.
The FACT Act establishes three types of fraud alerts:
    Initial Fraud Alert: If a nationwide CRA is notified by a consumer, or by someone
      acting on behalf of a consumer, that the consumer suspects he or she has been
      or is about to become a victim of fraud, identity theft, or related crime, and if that
      consumer requests a fraud alert, the CRA must include a fraud alert in the file of
      that consumer and with any credit score generated using that file, for a period of
      90 days beginning with the date of the request.
    Extended Fraud Alert: If the consumer or representative doesn’t just report a
      suspicion, but actually presents the CRA with an identity theft report, and if the
      consumer or representative requests a fraud alert, the CRA must include the
      fraud alert in the file of the consumer with any credit score generated using that
      file, for a period of 7 years beginning with the date of the request.
    Active Duty Alert: Upon the direct request of an active duty military consumer, or
      someone acting on behalf of such a consumer, a CRA must include an active
      duty alert in the file of that consumer and with any credit score generated using
      that file, for a period of 12 months beginning with the date of the request.

Responsibilities upon Receipt of Alerts

Prospective users of any consumer report that includes an initial fraud alert, an extended
fraud alert, or an active duty alert, and prospective users of any credit score generated
using information in a file containing an extended fraud alert, are prohibited from taking
any of the following actions without first verifying the identity of the person making the
request:

       Establishing any new credit transaction not under an open-end credit plan, or any
        new account under an open-end credit plan, in the name of the consumer,
       Issuing an additional card on an existing credit account requested by a
        consumer, or
       Granting any increase in credit limit on an existing credit account.

If the alert was an initial fraud alert or an active duty alert, Credit union will confirm that
the credit request is not the result of identity theft:

       Credit union will only extend credit (other than under an existing open-end credit
        plan) after it forms a reasonable belief that it knows the identity of the person
        making the request.
       If the consumer requesting the alert has specified a telephone number or other
        reasonable contact method to be used for identity verification purposes, Credit
        union will contact the consumer (member or borrower) using that telephone
        number or contact method.
       In the absence of a telephone number or other contact method, Credit union will
        take reasonable steps to verify the member or borrower through other methods
        of identification verification established in the Customer Information Program.

If the alert was an extended alert, Credit union will confirm that the credit request is not
the result of identity theft:
      Credit union will only extend credit (other than under an existing open-end credit
         plan) after it contacts the member or borrower in person, or
      If the consumer requesting the alert has specified a telephone number or other
       reasonable contact method to be used for identity verification purposes, Credit
       union will contact the consumer (member or borrower) using that telephone
       number or contact method.

When a current Credit union member or borrower has reported identity theft, all efforts
will be made to protect the member or borrower:

      Credit union will make no changes to the account (i.e. address changes,
       blocking, or reissuing cards) unless requested in person or reasonable efforts
       have been made to ensure the person is our member or borrower.
      Credit Union, if applicable, will place warnings and passwords at the member
       level on the system to protect the member.

Truncation of Credit/Debit Card Numbers FACT Act Sec. 113, FCRA Sec. 605(g)

Credit union accepts credit or debit cards in business transactions and is prohibited from
electronically printing more than the last five digits of the card number or the expiration
date on any receipt provided to the cardholder at the point of sale or the transaction.
This rule only applies to receipts that are electronically printed. Handwritten receipts or
receipts imprinted with a copy of the card are not affected by this provision.

Credit union complies with this regulation as it applies to all electronic receipts, including
cash advance receipts.

“Red Flag” Guidelines for Possible Instances of Identity Theft

FACT Act Section 114, FCRA Section 615(e). Implementing regulations and compliance
date are not issued yet.

“Red Flag” Guidelines help in identifying possible risks to members or to the safety and
soundness of the credit union.
   Card Issuer
    If Credit Union receives notification of a change of address for an existing
       account and receives a request for an additional or replacement card for the
       same account within 30 days after the address change notification, Credit union
       will not issue the card until it notifies the cardholder.
    Credit Union automatically sends a letter to a member at his or her former
       address when that address is changed. Credit union may also use other means
       of assessing the validity of the change of address.

   Inactive Accounts
    When an account has been inactive for more than 2 years, Credit Union will
      notify the member in an effort to reduce the likelihood of identity theft with respect
      to the account.

Providing Records to Identity Theft Victims - FACT Act Sec. 151, FCRA Sec. 609(d)

This rule applies to a business (credit union) that has provided credit to; provided for
consideration products, good, or services to; accepted payment from; or otherwise
entered into a commercial transaction for consideration; with a person who has allegedly
made unauthorized use of the means of identification of the victim.

Method of Requesting Information: To be a valid request that triggers a duty for Credit
union to respond, the victim’s request for documentation must meet the following
requirements:

      It must be made in writing,
      It must be mailed to Credit Union, Attn: Lending Department, P.O. Box 12345,
       City, ST 12345-1234,
      If Credit union asks, the request must include relevant information that will help
       Credit union identify and investigate the transaction alleged to be a result of
       identity theft, such as, for example, the date of the false application or transaction
       or any other identifying information, all to the extent known to (or readily
       ascertainable by) the victim.

Verification of Identity and Claim before Providing Information: Before Credit union
provides any information pursuant to an alleged victim’s request, Credit union will
(unless it has a high degree of confidence that it knows the identity of the victim making
the request) require the victim to provide proof of identity, and proof of the identity theft,
as follows:

      As positive proof of the identity of the victim making the request and as
       appropriate Credit union will require the victim to provide one or more of the
       following:
            - A government-issued identification card,
            - Identifying information of the same type as was provided to Credit union
               by the unauthorized person, or
            - Identifying information that Credit union typically requests from new
               applicants or for new transactions.

      As proof of the claim of identity theft and as appropriate Credit union will require
       the victim to provide one or more of the following:
           - A copy of the police report evidencing the claim of identity theft,
           - A properly completed affidavit of identity theft as provided by the Federal
               Trade Commission, or
           - A properly completed affidavit of identity theft acceptable to Credit union.

Providing Information: Within 30 days after receiving such a request and such verifying
information, Credit union must, without charge, provide a copy of any application and
business transaction records in the control of Credit union (whether or not in Credit
union’s physical possession) evidencing the transaction alleged to have resulted from
identity theft to:

      The victim,
      Any federal, state, or local government law enforcement agency or officer
       specified by the victim in the request, or
      Any law enforcement agency investigating the identity theft and authorized by the
       victim to obtain the records.
Credit union is not required to retain any particular records by this rule. The obligation
only applies to applications and transaction records that Credit union is already retaining
under its record retention policy. Credit union also is not required to provide records that
do not exist, are not reasonably available, or not within its direct control.

Credit union will have no civil or criminal liability for disclosing information in good faith
reliance on this identity theft rule.

Refusing to Provide Information: Credit union may refuse to provide information under
this rule, if, in good faith, it believes:

       The request does not fall within the scope of this identity theft rule,
       After reviewing the information intended to verify the identity of the alleged victim,
        Credit union does not have a high degree of confidence that it knows the true
        identity of the individual making the request,
       The request for information is based on a misrepresentation of fact by the
        individual making the request, or
       The information requested is Internet navigational data or similar information
        about a person’s visit to a website or online service.

Prevention of Repollution of Consumer Reports - FACT Act Sec.154, FCRA 623(a)

Credit union furnishes information to CRAs and is required to have in place reasonable
procedures to respond to any notification from a CRA that information it furnished may
be the result of an identity theft and has been blocked. The procedures should prevent
Credit union from refurnishing the blocked information.

If a member or borrower directly submits to Credit union, at an address specified for
receiving such reports, an identity theft report that alleges information Credit union
maintains purporting to relate to that member or borrower is the result of identity theft, is
barred from reporting that information to any CRA unless Credit union knows or is
informed by the member or borrower that the information is correct.

Credit union is prohibited from selling, transferring, or placing for collection any debt that
Credit union has been notified is identity theft-related. This rule does not apply to
transfers through mergers or through the pledge of a portfolio.

Notice by Third-Party Debt Collectors with Respect to Fraudulent Information
FACT Act Section 155, FCRA Section 615(g)

If a third-party acting as a debt collector for Credit union is notified that any information
relating to a debt the collector is attempting to recover may be fraudulent or may be the
result of identity theft, the collector must notify Credit union that the information may be
fraudulent or may be the result of identity theft.

Upon request of the member or borrower to whom the debt relates, the debt collector
must provide all information to which the member or borrower would otherwise be
entitled to if the member or borrower were not a victim of identity theft, but wished to
dispute the debt under applicable provisions of law.
Disclosure of Credit Scores Used By Mortgage Lenders
FACT Act Section 212, FCRA Section 609(a)

Credit score means a numerical value or a categorization derived form a statistical tool
or modeling system used by a lender to predict the likelihood of certain credit behaviors.
Credit union uses credit scores in evaluating applications for closed-end and open-end
loans used for consumer purposes that are secured by one to four units of residential
real property.

Since Credit union uses credit scores, it provides disclosure of credit scores and a
Notice to the Home Loan Applicant after the credit score is obtained. The credit score
disclosure includes information on the range of scores possible, the top four negative
key factors used, the date the score was created, and the name of the company
providing the underlying file or score.

Disclosure of Means to Opt Out of Prescreened Lists
FACT Act Section 213, FCRA Section 615(d)(2), FTC 16 CFR Parts 642 & 698

The FCRA allows Credit union to obtain credit reports for credit transactions not initiated
by the member or borrower. These types of transactions are referred to as
prescreenings. To be able to use a credit report in a prescreening, Credit union must be
extending a firm offer of credit, and the offer must include certain disclosures given in a
clear and conspicuous manner with each written solicitation.

The rule requires that each prescreened offer include a statement informing consumers
of their right to opt out and a toll-free number to opt out; and a longer statement
providing more information about prescreening. Financial institutions will be able to
choose whether to provide the short and long disclosures on the same page or on
separate pages. Single-page solicitations require both the short-form and long-form
notices.

The opt-out is effective for 5 years. Anyone who makes a prescreened credit or
insurance offer must maintain a file of the following for 3 years, beginning on the date on
which the offer was made to the consumer:

      The criteria used to select the consumer to receive the offer;
      All criteria bearing on creditworthiness or insurability (as applicable) that are the
       basis for determining whether or not to extend the credit or insurance offer; and

      Any requirement for collateral as a condition of extending the offer.

In addition to being prominent, clear, and conspicuous, the notice must be simple and
easy to understand using plain language designed to be understood by ordinary
consumers; and use of clear and concise sentences, paragraphs, and sections.

Sharing information with Affiliates - FACT Act Section 214, FCRA Section 624

Affiliated entities may not use shared information to make any solicitation for marketing
purposes unless they have first disclosed to the consumer that the information may be
used for this purpose, and the consumer has been provided with an opportunity to opt-
out any such solicitations. The notice may be coordinated and consolidated with any
other notice required by law to be sent to the consumer. If the consumer elects to
prohibit such solicitations, it will be effective for 5 years. In addition, at the end of the 5-
year period, the affiliate must send another notice to the consumer advising him that the
opt-out period is about to expire, and providing the consumer with an opportunity to
extend the election for another 5 years. The election may be revoked at any time. This
new section does not apply when:

       Using information to make a solicitation for marketing purposes to a consumer
        who has a pre-existing business relationship with the affiliated entities;
       Using information to facilitate communications to an individual for whose benefit
        the affiliate provides an employee benefit or other services pursuant to a contract
        with an employer;
       Using information to perform services on behalf of an affiliate, except for
        marketing solicitations that are prohibited by the consumer’s election not to
        receive such solicitations;
       Using information in response to a communication initiated by the consumer;
       Using information in response to solicitations authorized or requested by the
        consumer; or
       If compliance with this section would interfere with state insurance laws
        pertaining to unfair discrimination in any state in which the affiliate is lawfully
        doing business.

Disposal of Consumer Report Information and Records
FACT Act Section 216, FCRA Section 628, 12 CFR Part 682

A business that maintains or otherwise possesses consumer information, or any
compilation of consumer information, derived from consumer credit reports for a
business purpose must properly dispose of that information or compilation by taking
reasonable measures to protect against unauthorized access to or use of the information
in connection with its disposal. Proper disposal ensures that records containing
sensitive financial or personal information are appropriately handled and protected from
illegal use.

Definitions:
    Consumer information – Any record about an individual, whether in paper,
        electronic, or other form that is a consumer report or is derived from a consumer
        report. Consumer information also means a compilation of such records.
        Consumer information does not include information that does not identify
        individuals, such as aggregate information or blind data.
    Consumer report – Includes written or oral communications from a CRA to a third
        party of information used or collected for use in establishing eligibility for credit or
        insurance used primarily for personal, family, or household purposes. For
        example: consumer credit reports, credit scores, bad check lists, and all other
        information in our possession, both public and nonpublic.
    Dispose, disposing or disposal – The discarding or abandonment of consumer
        information, or the sale, donation, or transfer or any medium, including, computer
        equipment, upon which consumer information is stored.
Examples (not exclusive or exhaustive methods of compliance) of reasonable
compliance measures:
    Burning, pulverizing, or shredding papers containing consumer information so
       that the information cannot practicably be read or reconstructed.
    Destruction or erasure of electronic media containing consumer information so
       that the information cannot practicably be read or reconstructed.
    Entering into a written contract with another party engaged in the business of
       record destruction to dispose of consumer information in a manner consistent
       with the rule.

Credit union paperwork handling and disposal:
    Employees are instructed not to leave paperwork within open view if that
        paperwork contains member information.
    Confidential paperwork is to be stored in drawers or cabinets when not in
        immediate use. Credit union has placed enclosed and locked confidential trash
        receptacles throughout the building.
    A company specializing in confidential trash destruction picks up confidential
        trash weekly from all locations and properly disposes it.
    Electronic media is erased or destroyed when it is no longer needed.

Credit union has confidentiality agreements in effect with its service providers to ensure
service providers will keep all member or borrower information private and confidential.
Service providers are not allowed to disclose or use non-public personal information (as
defined by 12 CFR Part 716) provided by Credit union except to the extent necessary to
perform, effect, administer, or enforce any transactions or services contemplated by the
Agreement that Credit union has with the service provider.

Credit union also requires its service providers to maintain their own security program
and implement appropriate measures designed to meet the objectives and requirements
of the security guidelines as set forth in NCUA Rules and regulations 12 CFR Part 748.
Service providers agree to protect information in accordance with all relevant state and
federal laws, regulations, rules, and guidelines.

Negative Information Reporting Notice      - FACT Act Sec 217, FCRA Sec 623(a)(7)
Credit union reports negative credit to CRAs and is required to provide written notice to
members or borrowers regarding furnishing the negative information. Credit union uses
model notice B-1 and provides it prior to reporting negative credit.

Risk-Based Pricing Notice - FACT Act Sec 311, FCRA Sec 615(h).
Implementing regulations and compliance date are not issued yet.

The risk-based pricing notice affects loans for which the interest rate is based in whole
or in part on credit bureau reports, generally referred to as risk-based pricing. The risk-
based pricing notice is only for approved loans and will not eliminate the need to provide
a notice of adverse action in the event of loan denial.
Accuracy and Integrity of Information Furnished to Credit Reporting Agencies
FACT Act Section 312, FCRA Section 623(e).

Implementing regulations and compliance date are not issued yet.

Credit union is responsible for the accuracy and integrity of information furnished to
CRAs. Credit union cannot report information to a CRA that it:
    Knows or consciously avoids knowing that the information is inaccurate; or
    Knows or has reasonable cause to believe that the information is inaccurate; or
    Credit union has been notified by a member or borrower, at the address specified
        by Credit union for such notices, that specific information is inaccurate, and the
        information is, in fact, inaccurate.

Member or borrowers can dispute the accuracy of the furnished information directly with
Credit union under certain circumstances. Credit union has a duty to complete an
investigation of the dispute before the end of a 30-day period that begins upon receipt of
the notice. If the investigation finds that the information reported was inaccurate, Credit
union must promptly notify each CRA to which inaccurate information was furnished and
provide to the CRA any corrections.

Limited action is required if the dispute is deemed frivolous or irrelevant. No action is
required if the notice of the dispute is submitted by, or on a form provided by, a credit
repair organization.

Results of Reinvestigation – Delete Wrong Information
FACT Act Section 314, FCRA Section 623(b)(1)

After receiving notice of a dispute with regard to the completeness or accuracy of any
information provided to a CRA, Credit union must conduct an investigation.

CRAs and furnishers of information (Credit union) must delete, modify, or block
information from a consumer's (member’s or borrower’s) file if the information is found to
be inaccurate, incomplete, or cannot be verified.

Member or Borrower Disputing Accuracy of Information Directly with Credit union
FACT Act Section 312, FCRA Section 623(a)(8).

Implementing regulations and compliance date are not issued yet.

A Credit Union member who seeks to dispute the accuracy of information shall provide a
dispute notice directly to Credit Union, Attn: Lending Department, P.O. Box 12345, City,
KS 12345.

The dispute notice shall:
    Be in writing;
    Be received at the above address;
    Identify the specific information that is being disputed;
    Explain the basis for the dispute; and
    Include all supporting documentation to substantiate the basis of the dispute.
After receiving a notice of dispute from a member or borrower, Credit union must:
     Update system to block the information while an investigation is being conducted.
     If identity theft or fraud is suspected, update system by putting a Warning Code
        at the member level to reflect the account is fraudulent.
     Block credit bureau reporting on the loan while an investigation is being
        conducted.
     Conduct an investigation with respect to the disputed information and review all
        relevant information provided by the member or borrower with the notice;
     Complete the investigation of the dispute and report the results of the
        investigation to the member or borrower before the end of a 30-day period that
        begins upon receipt of the notice.

If the investigation finds that the information reported was inaccurate, Credit union must:
      Promptly notify each CRA to which Credit union furnished the inaccurate
         information and provide to the CRA any correction that is necessary to make the
         information accurate.
      If the loan is not fraudulent, make any adjustments to the loan so that accurate
         information will be reported each month, resume reporting, and remove the
         warning code and remove the block from credit bureau reporting on the loan.
      If the loan is fraudulent, delete the information and permanently block further
         reporting on the fraudulent information.

If the investigation finds that the information is accurate, Credit union will:
      Change the Credit Reporting Code to resume reporting and remove the warning
          code remove the block from credit bureau reporting on the loan.

Credit union does not have to follow the above steps if Credit union determines that the
dispute is frivolous or irrelevant, including: by reason of the failure of a member or
borrower to provide sufficient information to investigate the disputed information; or the
submission by a member or borrower of a dispute that is substantially the same as a
dispute previously submitted by or for the member or borrower, either directly to Credit
union or through a CRA.

Not later than 5 business days after making any determination that a dispute is frivolous
or irrelevant, Credit union must provide a notice to the member or borrower by mail or, if
authorized by the member or borrower, by any other means available to Credit union.
The notice must include the reasons for the determination and identification of any
information required to investigate the disputed information, which may consist of a
standardized form describing the general nature of such information.

Investigating a Claim Received by a CRA and Blocking Information
     Update system to block the information while an investigation is being conducted.
     If identity theft or fraud is suspected, update system by putting a Warning Code
        at the member level to reflect the account is fraudulent.
     Block credit bureau reporting on the loan while an investigation is being
        conducted.
     Conduct an investigation with respect to the disputed information;
     Review all relevant information provided by the CRA;
     Report the results of the investigation to the CRA;
      If the investigation finds that the information is incomplete or inaccurate, report
       those results to all other CRAs to which Credit union furnished the information
       and that compile and maintain files on consumers on a nationwide basis; and
      If an item of information is found to be inaccurate or incomplete or cannot be
       verified based on the results of the reinvestigation promptly:
            - Modify that item of information;
            - Delete that item of information; or
            - Permanently block the reporting of that item of information.
      If the investigation finds that the information is accurate, resume reporting and
       remove the warning code.

Reconciling Addresses     - FACT Act Section 315, FCRA Section 605(h).
Implementing regulations and compliance date are not issued yet.

If credit reporting information (first and last name, address, social security number and
employment) does not match within a reasonable degree of certainty, reasonable steps
must be taken to verify the accuracy of the information provided on the application
through other methods of identification verification established in the Customer
Information Program. Additionally, the member should explain any differences, in
writing.

If a continuing relationship is established with the member or borrower, Credit union will
furnish the correct information to the CRA as part of information regularly furnished.

Protection of Medical Information - FACT Act Section 411, FCRA Section 604(g).

Medical information means information or data, whether oral or recorded, in any form or
medium, created by or derived from a health care provider or the member or borrower
that relates to:
            - The past, present, or future physical, mental, or behavioral health or
                 condition of an individual;
            - The provision of health care to an individual; or
            - The payment for the provision of health care to an individual.

And does not include:
          - The age or gender of a member or borrower;
          - Demographic information about the member or borrower, including a
              member’s or borrower’s residence address or e-mail address; or
          - Any other information about a member or borrower that does not relate to
              the physical, mental or behavioral health or condition of a member or
              borrower, including the existence or value of any insurance policy.

Limitation on Creditors

Credit union will not obtain or use medical information pertaining to a member or
borrower in connection with any determination of the member’s or borrower’s eligibility,
or continued eligibility, for credit.
Eligibility, or continued eligibility, for credit means the member’s or borrower’s
qualification or fitness to receive, or continue to receive, credit, including the terms on
which credit is offered, primarily for personal, family, or household purposes. The term
does not include:

      The member’s or borrower’s qualification or fitness to be offered employment,
       insurance products, or other non-credit products or services;
      Any determination of whether the provisions of a debt cancellation contract, debt
       suspension agreement, credit insurance product, or similar forbearance practice
       or program are triggered;
      Authorizing, processing, or documenting a payment or transaction on behalf of
       the member or borrower in a manner that does not involve a determination of the
       member’s or borrower’s eligibility, or continued eligibility, for credit; or
      Maintaining or servicing the member’s or borrower’s account in a manner that
       does not involve a determination of the member’s or borrower’s eligibility, or
       continued eligibility, for credit.

A creditor that receives unsolicited medical information may use that information in
connection with any determination of the consumer’s eligibility, or continued eligibility, for
credit only to the extent the creditor can rely on one of the exceptions in the rule.

The exception applies when medical information is provided by the consumer in
response to a general inquiry that does not specifically request medical information or is
provided by the consumer voluntarily on an unsolicited basis.

The financial information exception consists of a three-part test:
  The information must be information routinely used in making credit eligibility
     determinations, such as information relating to debts, expenses, income, benefits,
     assets, collateral, or the purpose of the loan, including the use of proceeds.
  The creditor must use the information in a manner and to an extent no less
     favorable than it would use comparable information that is not medical information
     in a credit transaction.
  The creditor must not take the consumer’s physical, mental, or behavioral health,
     condition or history, type of treatment, or prognosis into account as part of any such
     determination of credit eligibility.


Approved by the Board of Directors on

				
DOCUMENT INFO