FACTA, The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some 1. Introduction 2. Help for Identity Theft Victims A. Free Credit Reports B. Fraud Alerts and Active Duty Alerts C. Truncation: Credit Cards, Debit Cards, Social Security Numbers D. Information Available to Victims E. Collection Agencies F. Red Flags G. Disposal of Consumer Reports 3. Notice of Consumer Rights 4. Credit Scores 5. Disputing Inaccurate Information 6. Negative Information in a Consumer Report 7. Medical Information and Consumer Reports 8. Nationwide Specialty Consumer Reporting Agencies 9. Workplace Investigations 10. Information Sharing Among Affiliates – Opt-Out for Marketing 11. Risk-Based Pricing 12. FACTA Studies 13. References 1. Introduction The Fair and Accurate Credit Transaction Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. (Pub. L. 108-159, 111 Stat. 1952) This is all good news for consumers. However, consumers came out on the losing end when Congress virtually barred states from adopting stronger laws. The Notes section at the end of this guide has more information about Congressional pre-emption of state laws. Throughout this guide we use the terms “law” and “regulations” or “rules” when referring to new consumer rights under FACTA. For consumers trying to understand the process, this can be confusing. To simplify, a bill introduced in Congress becomes law after it is approved by both the House of Representatives and the Senate and then signed by the President. The law often directs the appropriate federal agency or agencies to adopt regulations, or rules, that expand upon the provisions included in the law. In most cases, federal agencies publish proposed regulations seeking public comment. Industry representatives, private citizens, other government agencies, consumer organizations, and anyone else with an interest can submit written comments to the agency. After the comment period is completed and the agency has analyzed all the comments, it then issues the final rules. Properly adopted rules have the same effect as a law passed by Congress. Some new sections of FACTA were effective December 1, 2004. Other sections directed federal agencies to solicit public comment and then adopt final regulations. In addition to the Federal Trade Commission (www.ftc.gov), the federal financial agencies have jurisdiction and are involved in writing regulations to implement FACTA. One year later, the rule writing is not finished. Although some rules are now final, other proposed rules have been published for public comment but not yet finalized. And as of this writing, some very important consumer protection rules like the “red flag” guidelines have not yet been released for public comment. This guide is a summary and update of the new FACTA provisions. Information about the rulemaking process is in the References section at the end of this guide. There are still many details to be decided through regulations. We will continue to revise and update these sections as final federal regulations are published. For more about the FACTA rulemaking process, see the Resources section at the end of this guide. 2. Help for Identity Theft Victims The crime of identity theft has continued at epidemic proportions. Several widely reported surveys on the number of identity theft victims were released as Congress went into final hearings on FCRA amendments. A shocking report released by the Federal Trade Commission in September 2003 estimated that approximately 10 million people were victims of identity theft in 2002 alone. To read the FTC's analysis and other surveys on identity theft, visit the PRC web page, “How Many Identity Theft Victims Are There?,” www.privacyrights.org/ar/idtheftsurveys.htm. In response to new findings about identity theft, Congress adopted a number of provisions aimed at prevention and help for victims. The FTC recently published a revised guide for identity theft victims which includes new FACTA provisions. Take Charge: Fighting Back Against Identity Theft can be found at www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm. A. Free Reports Consumer advocates have long encouraged individuals to monitor their credit reports as a way to detect identity theft. The standard advice was to request a copy of your credit report once a year from each of the three national credit bureaus: Experian, TransUnion, and Equifax. Until now, you usually had to pay up to $9.50 to get a copy of your report from each of these credit bureaus. Congress recognized the benefits of self-monitoring. It adopted a new rule that allows you a free copy of your credit report annually from each of the “big three.” (Read more about the rulemaking on this provision.) Should I contact each credit bureau for my free report? No. The only way to get your free reports is through a centralized source, a combined effort by the three national bureaus. Free reports are available through a dedicated web site, www.annualcreditreport.com. You may order by telephone at ( 877) 322-8228 or by mail. For a copy of the mail-in form, go to https://www.annualcreditreport.com/cra/requestformfinal.pdf. What is the best way to order my free reports? We recommend you order free reports by telephone or mail. A World Privacy Forum report released in July 2005 exposed hundreds of imposter web sites. To read the full report and tips for ordering free reports, see www.worldprivacyforum.org/pdf/wpfcalldontclickpt2_7142005.pdf and www.privacyrights.org/media/calldontclickupdate.htm. The FTC filed suit against one imposter site and sent warning letters to many others. Some bogus sites lure you in with “free” offers, but just want to sell you products like credit monitoring services. Others are outright frauds that aim to steal your personal information. To read more about fake sites, see www.ftc.gov/bcp/conline/pubs/alerts/fakealrt.htm. If you still prefer to order your free reports online, make sure you link to the only official web site. The safest way to do this is through the FTC's web site which includes more information on annual reports. www.ftc.gov/bcp/conline/edcams/freereports/index.html. Never visit a site you find through a search for terms like “free credit reports,” “free credit scores,” or “free credit checks.” Am I still entitled to a free credit report if I am unemployed? Yes, and for other reasons as well. You can still get a free copy of your credit report if you certify to the credit reporting agency that: bullet You are unemployed and intend to apply for employment in the 60-day period beginning on the date you make the certification. bullet Or you receive public welfare assistance. bullet Or you believe your file contains inaccurate information due to fraud. FACTA also gives you new rights to a free credit report if you are a victim of identity theft. For more on this, see Section 2B below on fraud and active duty alerts. In addition to free credit reports, FACTA gives you the right to one free report annually from a consumer reporting agency that compiles reports on employment, medical records, check writing, insurance, and housing rental history. For more on what FACTA calls “nationwide specialty consumer reporting agencies,” see Section 8 below and PRC Fact Sheet 6b, The ‘Other' Consumer Reports: What You Should Know About Specialty Reports, www.privacyrights.org/fs/fs6b-SpecReports.htm. I live in one of the states that passed a law prior to FACTA giving residents free reports. Can I order an additional free credit report under my state's law? Yes. The seven states that have laws on the books giving their residents a free credit report annually are: Colorado, Georgia (two per year), Maine, Maryland, Massachusetts, New Jersey, and Vermont. If you live in one of these states, you can obtain a free report from each bureau annually under federal law and an additional free report under your state's law. B. Fraud Alerts and Active Duty Alerts If you are the victim of identity theft, FACTA gives you the right to contact a credit reporting agency to flag your account. To place a fraud alert, you must provide proof of your identity to the credit bureau. The fraud alert is initially effective for 90 days, but may be extended at your request for seven years when you provide a police report to the credit bureaus that indicates you are a victim of identity theft. FACTA creates a new kind of alert, an active duty alert, that allows active duty military personnel to place a notation on their credit report as a way to alert potential creditors to possible fraud. While on duty outside the country, military members are particularly vulnerable to identity theft and lack the means to monitor credit activity. An active duty alert is maintained in the file for at least 12 months. If a fraud alert or active duty alert is placed on your credit report, any business that is asked to extend credit to you must contact you at a telephone number you provide or take other “reasonable steps” to see that the credit application was not made by an identity thief. FACTA gives you the right to a free copy of your credit report when you place a fraud alert. With the extended alert (seven years), you are entitled to two free copies of your report during the 12-month period after you place the alert. New FACTA provisions also allow you to “block” certain items on your credit report that resulted from identity theft. Like the fraud alert, “blocking” was already an option for consumers in some states. With FACTA, Congress has made “blocking” the national standard. (Read more about the rulemaking on this provision.) C. Truncation: Credit Cards, Debit Cards, Social Security Numbers Credit card receipts that include full account numbers and expiration dates are a gold mine for identity thieves. In some states, printing of the full account number is already prohibited. For the future, FACTA sets a national standard requiring truncation of credit card information. FACTA says credit and debit card receipts may not include more than the last five digits of the card number. Nor may the card's expiration date be printed on the cardholder's receipt.However, the effective date of this provision is a long way off, and there are a couple of loopholes: bullet This section does not apply to receipts for which the sole means of recording a credit or debt card number is by handwriting or by an imprint or copy of the card. bullet For machines in use before January 1, 2005, the merchant has three (3) years to comply. bullet For machines in use after January 1, 2005, the merchant has one (1) year to comply. Another FACTA section allows consumers who request a copy of their file to also request that the first 5 digits of their Social Security number (or similar identification number) not be included in the file. D. Information Available to Victims For victims, obtaining copies of the imposter's account application and transactions is an important step toward regaining financial health. A business that provides credit or products and services to someone who fraudulently uses your identity must give you copies of documents such as applications for credit or transaction records. The business must also provide copies of documents to any federal, state, or local law enforcement agency you specify. To obtain account documentation, you must supply proof of your identity. The business may also ask you to provide a police report and an identity theft affidavit. For a copy of the FTC's fraud affidavit, see www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf. You must also: bullet Make your request in writing. bullet Mail the request to the business at an address it specifies. bullet If the business asks, include relevant information about dates and account numbers. Are there reasons a business would not have to give me this information? Yes, there are some exceptions. A business does not have to provide this information if: bullet There is not a "high degree of confidence" in your true identity. bullet The request contains a misrepresentation of fact. bullet The information is Internet navigational data or similar information about a person's visit to a web site or online service. Can I sue a business for not turning information over to me? The business can be sued only by a government agency. And the business cannot be held civilly liable if it makes a “good faith” effort to comply. E. Collection Agencies A call from a collection agency is often the first sign of trouble for an identity theft victim. Under FACTA, if you are contacted by a collection agency about a debt that resulted from the theft of your identity, the collector must so inform the creditor. You are entitled to receive all information about this debt -- such as applications, account statements, late notices from the creditor -- that you would be entitled to see if the debt were actually yours. In addition, FACTA says that a creditor, once notified that the debt is the work of an identity thief, cannot sell the debt or place it for collection. For more on collection agencies, see the PRC guide Debt Collection Practices: When Hardball Tactics Go Too Far, www.privacyrights.org/fs/fs27-debtcoll.htm. The FTC's guide for identity theft victims also includes information on how to deal with collection agencies. Read Take Charge: Fighting Back Against Identity Theft, www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm. F. Red Flags Financial institutions and creditors must adopt procedures designed to detect the warning signs of fraud and prevent identity theft from occurring. Certain events such as a change of address, a request for a replacement credit card, or efforts to reactivate a dormant credit card account may signal a potential fraud. Consumer advocates have long pointed out that consumers can only go so far in protecting against identity theft, and that much of the problem lies with lax procedures of credit issuers. FACTA requires the FTC and the federal banking agencies to adopt regulations that establish guidelines. As of this writing, “red flag” regulations have not been published for public comment. The FTC and the banking agencies have existing security guidelines and regulations adopted under the Gramm-Leach-Bliley Act (GLB, 15 USC §6801-6809). In October 2003 the banking agencies published proposed regulations to establish guidelines for notice to customers of a security breach. The PRC's comments to these proposed regulations can be found at www.privacyrights.org/ar/secybreach.htm. The banking agencies issued guidelines for financial institutions. www.fdic.gov/news/news/press/2005/pr2605.html However, existing guidelines under GLB are no substitute for FACTA's much needed “red flag” rules. FACTA also requires other consumer protection rules that the banking agencies have yet to propose, such as: * Accuracy guidelines for financial institutions and creditors that furnish information to credit bureaus. (FACTA §312(a), FCRA §623(e)(1)). * Ability of consumers to dispute information with companies that report to credit bureaus. (FACTA §312(c), FCRA §623(a)(8)); * Procedures to reconcile different consumer addresses. (FACTA §315, FCRA §605(h)(2)) G. Disposal of Consumer Reports The practice known as “dumpster diving” provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Now under new FACTA provisions consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal. The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports. The FTC lists the following as among those that must comply with the rule: * Lenders * Insurers * Employers * Landlords * Government agencies * Mortgage brokers * Automobile dealers * Attorneys and private investigators * Debt collectors * Individuals who obtain a credit report on prospective nannies, contractors, or tenants * Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the rule. To read the FTC's full business alert about the disposal rule, see www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm. (Read more about the rulemaking process for this provision.) 3. Notice of Consumer Rights Credit reporting agencies have a new obligation to give identity theft victims a notice of their rights. This includes, among other things, notice of: (1) the right to file a fraud alert, (2) the right to block information in a report that resulted from fraud, and (3) the right to obtain copies of documents used to commit fraud. This new notice of rights is in addition to a general notice of rights already required by earlier FCRA amendments. The FTC has issued final regulations and a sample copy of the identity theft rights. Under the FTC's rule consumers who report fraud to a consumer reporting agency will receive the special victims' notice of rights. The FTC's final rule also includes notices that explain the obligations of companies that furnish information on consumers as well as those that use consumer reports. (Read more about the rulemaking process for this provision.) 4. Credit Scores It has become increasingly common for lenders to make decisions based upon a “score.” Until recently, consumers did not have access to their score or information about the factors that made up the score. Common sense says a series of late payments can lead to a bad credit rating. However, a score is determined by other factors as well, and to give you the chance to improve your score, you should know how the score is calculated. Even if you do not have a history of late payments, your score may be lowered if your credit card balance is close to the limit or if you are just starting out with using credit. If you are looking for a car loan or thinking of refinancing your mortgage, it is a good idea to check your score before you apply for new credit. What is a credit score? FACTA defines a “credit score” as: A numerical value or categorization derived from a statistical tool or modeling system used by a person who makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (and the numerical value or the categorization derived from such analysis may also be referred to as a “risk predictor” or “risk score” (FCRA §609(f)(2)) The definition does not include a mortgage score. FACTA provides separate requirements for scores generated for home loans and mortgage lenders. (FCRA §609(g)) In addition, the score consumers are entitled to see under FACTA is an “educational” score intended to inform consumers about how scoring works. This is not the FICO score that lenders are likely to view. Under new FACTA provisions, consumers may request a credit score including an explanation of the factors that went into computing the score. Consumers will be charged a “reasonable” fee, to be determined by the FTC. In November 2004 the FTC published a proposed rule, but has yet to decide what a reasonable fee would be. To read the proposed rule, and the PRC's comments, go to www.ftc.gov/opa/2004/11/factafrn.htm and www.privacyrights.org/ar/FTC-CredScore.htm. The FTC is currently conducting a study of scores used for credit and insurance purposes as well as a number of other studies required by FACTA. www.ftc.gov/opa/2004/06/fyi0437.htm For more on credit scores, see PRC Fact Sheet 6c, Your Credit Score: How It All Adds Up, www.privacyrights.org/fs/fs6c-CreditScores.htm. See also the FTC publication, www.ftc.gov/bcp/conline/pubs/credit/scoring.htm. Visit the web site for Fair Isaac, the company that originated the credit scoring model, www.myfico.com. For information on credit scores used by insurers, see the PRC publication, CLUE and You: How Insurers Size You Up, www.privacyrights.org/fs/fs26-CLUE.htm. (Read more about the rulemaking process for this provision.) 5. Disputing Inaccurate Information By its very name, the Fair and Accurate Credit Transactions Act places new emphasis on accuracy of information in consumer reports. In a recent study, the U.S. Public Interest Research Group (USPIRG) found that one in four credit reports contain serious errors. To read the PIRG Report, go to: http://uspirg.org/uspirgnewsroom.asp?id2=13650&id3=USPIRGnewsroom&. For other studies on credit reports, see Section 12 at the end of this guide. Previously, disputes about the accuracy of information in a consumer report had to be made directly to the consumer reporting agency. Under new FACTA provisions, a consumer may dispute inaccurate information directly with a “furnisher” such as a creditor that is a financial institution. Upon notice of disputed information, the furnisher must investigate and cannot report negative information while the investigation is pending. FACTA requires the federal banking agencies and the FTC to adopt rules about consumer disputes with companies that furnish information for reports. (FACTA §312(c)), FCRA §623(a)(8)). As of this writing, the agencies have not proposed a rule under this FACTA provision. Even though government agencies have not adopted formal procedures, it is always a good idea to tell the creditor or others that furnish information about your dispute. For disputes about errors with the credit bureaus, see the FTC publication, How to Dispute Credit Report Errors, www.ftc.gov/bcp/conline/pubs/credit/crdtdis.htm and PRC Fact Sheet 6, How Private is My Credit Report, www.privacyrights.org/fs/fs6-crdt.htm. 6. Negative Information in a Consumer Report The number one tip for detecting identity theft is to check your credit report regularly. Erroneous information about late payments and collection actions is what you don't want to see. But catching fraud early enables you to more quickly regain your financial health. FACTA now requires creditors to give you what might be called an “early warning” notice. This notice could alert you that something is amiss with an account. However, the notice is not a substitute for your own monitoring of credit reports, bank accounts, and credit card statements. And, you may have to look closely to even see this new notice. Starting in December 2004 a financial institution that extends credit must send you a notice before or no later than 30 days after negative information is furnished to a credit bureau. Negative information includes late payments, missed payments, partial payments, or any other form of default on the account. Does this apply only to my accounts with a bank? No. A “financial institution” has the same meaning as under the Gramm-Leach-Bliley Act. In addition to a bank, this can mean a merchant that extends credit to you or a collection agency that routinely reports information to a credit bureau. For more on non-bank entities that are considered “financial institutions,” see the FTC publication, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, www.ftc.gov/bcp/conline/pubs/buspubs/glblong.htm Do I get a notice every time the account is delinquent? It’s a one-time notice as long as the late payment or other negative information has to do with the same account. After the one-time notice, the financial institution can continue to report negative information about the same account. For example, if you are late on your credit card payment three months straight, you are only entitled to the notice either before or within 30 days after the first late payment is reported. Will I receive a separate notice or registered letter? You will almost certainly not receive a registered letter. FACTA requires the financial institution to give you this notice along with “any notice of default, any billing statement, or any other materials provided to [you].” The one place the notice cannot appear is in the Truth in Lending Act notice you get when you first open an account. The notice must be “clear and conspicuous,” but need not be in bold or enlarged type. The Federal Reserve Board (www.federalreserve.gov) was directed by Congress to write sample notices for financial institutions. The Board has finalized the regulation, at www.federalreserve.gov/BoardDocs/Press/bcreg/2004/200406082/default.htm. The sample notices adopted by the Federal Reserve Board are short and to the point: Notice before negative information is reported: We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report. Notice after negative information is reported: We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report. Will the notice let me know when I’m a victim of identity theft? Not always. When an imposter opens up a new credit account in your name, the thief usually establishes an address different from yours. The address might be a post office box or a vacant apartment used as a mail-pickup by the thief. When the imposter fails to pay on the credit card account, which is usually the case, the creditor will send the warning notice to the address associated with the account. And that is not your address. So you will be in the dark about the impending negative notice to your credit report. The negative information will be recorded in your credit report, however. That is why we emphasize the importance of ordering your credit report at least once a year. If you are a victim of identity theft, you will learn of it on your credit report. As you learned in Section 2A above, FACTA gives consumers the ability to obtain one free credit report per year from each of the three credit bureaus. The major reason the law requires credit bureaus to provide free annual credit reports is so you can check for evidence of identity theft. We strongly encourage you to take advantage of this provision of FACTA. In short, you should not be lulled into a false sense of security just because a creditor must send you a notice before posting negative information to your credit report. Identity thieves operate in various ways. They might attempt to take over your existing accounts. And they might open up new accounts unbeknownst to you. Your best defense against fraud is always to review your credit reports as well as your monthly credit card and bank account statements. 7. Medical Information and Consumer Reports If you're like most people, privacy of your medical information is a top priority. A major concern is that medical information may be used against you when you apply for a job or refinance your mortgage. Even when medical information is protected in one area, it may still be disclosed through other means. A good example of this is the credit report. A collection action noted on a credit report that names a medical facility as creditor could inadvertently reveal an underlying medical condition. This is a significant threat since the Federal Reserve Board found in a 2003 study that over half the collections reported on credit reports are for medical debt. See An Overview of Consumer Data and Credit Reporting, www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf. Under a new FACTA provision, consumer reporting agencies may not report the name, address, and telephone number of any medical creditor unless the information is provided in codes that do not identify or infer the provider of care or the individual's medical condition. This does not apply to insurance companies selling other than property and casualty insurance. (FCRA §605(a)(6)) Another section of FACTA says a creditor may not obtain or use medical information to make credit decisions. (FCRA §604(g)(2)) But there are exceptions, and federal banking agencies were directed to issue regulations to cover uses of medical information to protect “legitimate operational, transactional, risk, consumer, and other needs.” (FCRA §604(g)(5)(A)) The banking agencies have now adopted final regulations on medical information and credit. The rule prohibits a creditor from obtaining and using medical information to decide a consumer's credit eligibility. Still, creditors can obtain and use financial information if related to medical debts, expenses, and income. (Read more about the rulemaking process for this provision.) One example is a debt for medical bills. You may owe money to a hospital and perhaps you worked out a plan to pay the debt over time. If you apply for a car loan, the bank can check to see if your payments on the hospital bill are up-to-date. If you are late on a payment or two, the bank may consider this in deciding whether you give you the loan. The bank cannot, however, ask about your medical condition or the reason for your hospital stay. In other words, the late payments to the hospital cannot carry any more weight than a late payment on a credit card. It is your history of paying debts only that is allowed. Your health status should not factor into a creditor's decision about whether to give you a loan. To read the final rules on medical information and credit, go to www.federalreserve.gov/boarddocs/press/bcreg/2005/20051117/default.htm Is my consent needed to disclose medical information to an employer? Yes. Even before FACTA, your consent was required to disclose medical information to an employer or for credit or insurance. Now under FACTA your consent to use medical data for employment and credit purposes must be specific and in writing. Further, the consent request must use “clear and conspicuous language” about how the information will be used. FACTA also requires that the medical information requested for employment or credit purposes be “relevant.” (FCRA §605(a)(6)) The same standard does not apply to insurance. 8. Nationwide Specialty Consumer Reporting Agencies Consumer reports are generally thought to mean “credit” reports issued by one of the three national credit bureaus: Experian, TransUnion, or Equifax. However, consumer reports may also be issued for purposes other than credit applications. The FCRA also covers reports for insurance, employment, check writing, and housing rental history. Such reports are quite common and a number of companies now specialize in providing reports for these specific purposes. FACTA defines companies that issue non-credit reports as a “nationwide specialty consumer reporting agency” when reports relate to: bullet Medical records or payments. bullet Residential or tenant history. bullet Check writing history. bullet Employment history. bullet Insurance claims. As of December 2004 consumers may request a free report annually for any of the specialty agencies. The FTC has declined to publish a list of companies that meet the definition of “nationwide specialty consumer reporting agencies.” For some specialties such as employment and rental history, there are many companies that meet the definition of consumer reporting agency and that follow the FCRA. Other specialties are dominated by one or two companies, such as the following: bullet Medical Records: Medical Information Bureau (www.mib.com) For more on the MIB, see PRC Fact Sheet 8, How Private is my Medical Information, http://www.privacyrights.org/fs/fs8-med.htm bullet Insurance Reports: ChoicePoint's CLUE (www.choicetrust.com) and Insurance Services Office ISO A-PLUS Report, (www.iso.com/offices_contacts/index.html). For more on insurance reports, see PRC Fact Sheet 26, CLUE and You: How Insurers Size You Up, www.privacyrights.org/fs/fs26-CLUE.htm Check-writing history: Reports about your check writing history are also “specialty” reports. This includes reports obtained by banks or other financial institutions from ChexSystems. ChexSystems is a consumer reporting agency that collects information from member financial institutions. If, for example, your checking account was closed because of overdrafts, this may appear on a ChexSystems report when you apply to open an account at another bank. Identity theft victims who have had checks stolen may also have a negative ChexSystems report. Check-writing history reports also cover information compiled and reported to member retailers. Check verification systems include information about returned checks or fraud. Check verification works at point of sale. If, for example, you have a check returned, the merchant will probably report this to a verification network. When the same checking account is offered to purchase something from another merchant, the check may be rejected. Identity theft or other check fraud may result in a negative entry with a check verification system. Two major check verifications systems are SCAN and TeleCheck. For bank and merchant verification reports, see: * ChexSystems (www.chexsystems.com). To order your report, visit https://www.consumerdebit.com/consumerinfo/us/en/freereport.htm or call (800) 428-9623 * Shared Check Authorization Network (SCAN) : (800) 262-7771 www.consumerdebit.com/consumerinfo/us/en/consumerreports/index.htm#TopOfPage * TeleCheck www.telecheck.com, (800) 835-3243. For more on “specialty” reports, see PRC Fact Sheet 6b, The ‘Other' Consumer Reports: What You Should Know about ‘Specialty' Reports, www.privacyrights.org/fs/fs6b-SpecReports.htm. 9. Workplace Investigations FACTA sets a new standard for what the law calls "employee misconduct investigations." What is an "employee misconduct investigation"? This is an investigation conducted by a third-party your employer may hire if the employer suspects you of: bullet Misconduct relating to your employment. bullet A violation of federal, state, or local laws or regulations. bullet A violation of any preexisting written policies of the employer. bullet Noncompliance with the rules of a self-regulatory organization, that, for example, oversees the securities and commodity futures industry. Why was this change made to the FCRA? This section was adopted to make it clear that employers do not have to get permission to conduct a misconduct investigation. Prior to this, FTC staff issued an opinion letter, the so-called Vail Letter, that said the disclosure and consent requirement of FCRA applies even when an employee is suspected of misconduct and the employer hires an outside investigator. (www.ftc.gov/os/statutes/fcra/vail.htm) Employers objected to this interpretation of the law because they felt that obtaining consent would tip off the employee to an investigation. (Note: California law already includes an exception for workplace misconduct investigations. www.privacyrights.org/fs/fs16a-califbck.htm.) If my employer suspects me of misconduct, what does this mean for me? It means your employer does not have to give you notice and get your permission to conduct a misconduct investigation. Like other inquiries covered by the FCRA, this only applies if the employer hires an outside party to conduct the investigation. It also means you will not receive a notice of your rights as others who are subject to a standard employment background check normally would. If at the end of the investigation the employer decides to take some action against you, you will receive the "adverse action" notice only after the action has been taken. You will receive only a summary of the investigation report, but not the more detailed report that may include sources . Who will see the investigation report? The report may be communicated to: bullet The employer or its agent. bullet Any federal or state officer, agency or department, or any officer, agency or department of a unit of general local government. bullet Any self-regulatory organization with regulatory authority over the activities of the employer or the employee. bullet A government agency, in accordance with an existing FCRA section that allows a consumer reporting agency to disclose personal identifying information to a government agency. bullet Others, as otherwise required by law; or Can I dispute the findings? Not under the FCRA dispute procedure. That is because this new section on workplace misconduct investigations was established by removing this type of investigation from the definition of "consumer report." Thus, the usual protections that apply to a consumer report conducted for employment purposes do not apply to workplace misconduct investigations. If you find yourself in this position, you will probably want to seek the advice of an employment law attorney. 10. Information Sharing Among Affiliates – Opt-Out for Marketing FACTA will give consumers a new opportunity to stop a corporation's affiliates from sharing customer data for marketing purposes. This opt-out is in addition to the existing opt-out choices for information shared with third-party non-affiliates and an existing opt-out under the FCRA. For more on the existing opt-outs, see PRC Fact Sheet 24, Protecting Financial Privacy in the New Millennium: The Burden Is on You, www.privacyrights.org/fs/fs24-finpriv.htm, and Fact 24a, Financial Privacy: How to Read Your Opt-Out Notices, www.privacyrights.org/fs/fs24a-optout.htm. The FTC and the federal banking agencies have proposed regulations to create this new opt-out procedure. www.ftc.gov/opa/2004/06/factaaffiliate.htm As of this writing, the agencies have not adopted final rules. Existing provisions of the FCRA allow affiliates to share information about your “experience and transactions” But that section of the FCRA enables you to stop affiliates from sharing information about your “credit-worthiness,” also sometimes called “application information.” FACTA does not change these procedures, but adds a new opt-out choice to stop information sharing among affiliates when the purpose is for marketing. You now have the ability to prevent the affiliate receiving your information to solicit you for its products and services. How and when will I be able to opt-out? The details will be known only after the agencies issue final regulations. An important question for the agencies is whether this new opt-out will be included in a separate notice or whether it will be included along with the notice already required. The section of FACTA that establishes the affiliate opt-out provision allows the notice to be included with other notices. The statute also specifies that the notice should be “concise” and “simple.” In addition, this opt-out is in effect for five years, with another five-year extension available. To help prevent confusion, we believe the FTC and banking agencies should move forward in considering a short form opt-out that includes all consumer choices. To read the comments provided by the PRC and other consumer organizations on a short-form notice, visit these web pages: www.privacyrights.org/ar/ftc-noticeANPR.htm, and www.privacyrights.org/ar/GLBshort.htm. 11. Risk-Based Pricing The amount you pay in interest can vary greatly. If you have a poor credit history, you will usually have to pay a higher rate than people with a good history of repayments. Like everyone else, you probably receive direct mail or other solicitations quoting exceptionally low interest rates. But, if you apply for the loan or credit card, the interest rate may end up being several points higher than originally quoted. A new section of FACTA (FCRA §615(h)) says you must receive a notice if you are offered credit on terms that are “materially” less favorable than others you received from the creditor. In short, this covers the situation where you apply for a loan and, although you get the loan, you have to pay a higher interest rate than most people because of something in your credit history. If this happens, you are entitled to notice plus a free copy of your credit report. The FTC and the banking agencies will address the details of this notice requirement through rulemaking. Regulations to implement §615(h) have not yet been published as of this writing. However, this notice requirement appears in a recent FTC proposal to amend notice consumer reporting agencies are required to make to “users” of consumer reports. www.ftc.gov/os/2004/07/040709fcraappxh.pdf 12. FACTA Studies The FTC and other federal agencies have been directed by Congress to conduct several studies of the credit reporting industry. The results of these studies, when combined with earlier studies (see Section 13 below), may help to improve reporting accuracy and consumer awareness. The FTC is currently seeking public comment as part of the studies. The topics under consideration are: bullet Same Report Study (Should a consumer who receives an "adverse action" receive the same copy of the consumer report obtained by the "user?") bullet Accuracy Study. bullet Agency Information Collection Activities Study bullet Credit and Insurance Score Study For more about these studies, visit the FTC web site at www.ftc.gov/os/statutes/fcrajump.htm 13. References Federal Law bullet The Fair Credit Reporting Act, as amended by FACTA. http://www.ftc.gov/os/statutes/031224fcra.pdf bullet H.R. 2622 http://thomas.loc.gov/cgi-bin/query/D?c108:6:./temp/~c108dhfyQ2: This is the version of the House of Representatives Bill that was passed by Congress and signed by the President. bullet H.R. 2622 (To view all versions) http://thomas.loc.gov/cgi-bin/query bullet Gramm-Leach-Bliley Act, 15 USC §6801-6809, www4.law.cornell.edu/uscode/15/6801.html PRC Publications bullet How Private is My Credit Report? www.privacyrights.org/fs/fs6-crdt.htm bullet How Private Is My Medical Information? www.privacyrights.org/fs/fs8-med.htm bullet Employment Background Checks:A Jobseeker's Guide, www.privacyrights.org/fs/fs16-bck.htm bullet Coping with Identity Theft: Reducing the Risk of Fraud, www.privacyrights.org/fs/fs17-it.htm bullet Identity Theft: What to Do if It Happens to You, www.privacyrights.org/fs/fs17a.htm bullet Financial Privacy: How to Read Your "Opt-Out" Notices, www.privacyrights.org/fs/fs24a-optout.htm bullet CLUE and You: How Insurers Size You Up www.privacyrights.org/fs/fs26-CLUE.htm bullet Debt Collection Practices: When Hardball Tactics Go Too Far, www.privacyrights.org/fs/fs27-debtcoll.htm bullet The ‘Other' Consumer Reports: What You Should Know about ‘Specialty' Reports, www.privacyrights.org/fs/fs6b-SpecReports.htm bullet Your Credit Score: How It All Adds Up, www.privacyrights.org/fs/fs6c-CreditScores.htm Publications about Credit Reporting bullet One in Four Credit Reports Contains Errors Serious Enough To Wreak Havoc for Consumers, U.S. PIRG, June 17, 2004, http://uspirg.org/uspirgnewsroom.asp?id2=13650&id3=USPIRGnewsroom& bullet An Overview of Consumer Data and Credit Reporting , Board of Governors of the Federal Reserve, Feb. 2003, www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf bullet Credit Score Accuracy and Implications for Consumers, Consumer Federation of America, December 17, 2002, www.consumerfed.org/121702CFA_NCRA_Credit_Score_Report_Final.pdf bullet Consumers Lack Essential Knowledge, and Strongly Support New Protections, on Credit Reporting and Credit Scores, Consumer Federation of America Survey, July 28, 2003, www.consumerfed.org/072803creditscores.html bullet Credit Scores & Credit Reports: How the System Really Works, What You Can Do, by Evan Hendricks, Privacy Times, 2004, www.creditscoresandcreditreports.com Additional Resources bullet Analysis of the Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159 (2003), National Consumer Law Center, www.nclc.org/initiatives/facta/nclc_analysis.shtml bullet After the FACT Act: What States Can Still Do to Prevent Identity Theft, Consumers Union, www.consumersunion.org/pub/core_financial_services/000756.html bullet Federal Trade Commission, FCRA Homepage, FACT Act Actions, www.ftc.gov/os/statutes/fcrajump.htm bullet Federal Trade Commission, Identity Theft Homepage, www.consumer.gov/idtheft/ bullet Federal Trade Commission, Free Annual Credit Reports, www.ftc.gov/bcp/conline/edcams/freereports/index.html Learn More about FACTA's Rulemaking Process Free credit reports. To review public comments submitted to the FTC from consumer advocates, industry representatives, and others in response to the free credit report rule, see: www.ftc.gov/os/comments/factafcr/index.html For the final “free credit report” rule published by the FTC on June 24, 2004, see www.ftc.gov/os/2004/06/040624factafreeannualfrn.pdf Fraud alerts. The FTC proposed regulations to implement the fraud alert sections of FACTA were published on April 21, 2004. www.ftc.gov/opa/2004/04/factafrn0421.htm To see comments submitted in response to this proposal, go to www.ftc.gov/os/comments/factaidt/index.htm The PRC joined Consumers Union and other consumer organizations in commenting on this proposal. www.ftc.gov/os/comments/factaidt/EREG-000002.htm To see the final rule, go to www.ftc.gov/opa/2004/10/facataidtheft.htm “Red flags” and security practices. FACTA requires the FTC and the federal banking agencies to adopt regulations that establish guidelines. As of this writing, “red flag” regulations have not been published for public comment. The FTC and the banking agencies have existing security guidelines and regulations adopted under the Gramm-Leach-Bliley Act (GLB, 15 USC §6801-6809). In October 2003 the banking agencies published proposed regulations to establish guidelines for notice to customers of a security breach. The PRC's comments to these proposed regulations can be found at www.privacyrights.org/ar/secybreach.htm. The banking agencies issued guidelines for financial institutions. www.fdic.gov/news/news/press/2005/pr2605.html Disposal of consumer reports. The FTC's final disposal rule was effective June 2005 and the banking agencies rule was effective July 2005. For the banking agencies' disposal rule, see www.fdic.gov/news/news/financial/2005/fil705.html. To see the comments submitted by the PRC and other consumer organizations in response to these rule proposals, see: www.privacyrights.org/ar/NCUADocDisposal.htm; www.privacyrights.org/ar/FTC-DocDisposal.htm, http://www.privacyrights.org/ar/FDIC-DocDisposal.htm. Notice of consumer rights. To read the FTC's final rule and the content of required notices, go to www.ftc.gov/opa/2004/11/facta.htm. Reasonable fee for credit scores. In November 2004 the FTC published a proposed rule, but has yet to decide what a reasonable fee would be. To read the proposed rule, and the PRC's comments, go to www.ftc.gov/opa/2004/11/factafrn.htm and www.privacyrights.org/ar/FTC-CredScore.htm Disputing inaccurate information. FACTA requires the federal banking agencies and the FTC to adopt rules about consumer disputes with companies that furnish information for reports. (FACTA §312(c)), FCRA §623(a)(8)). As of this writing, the agencies have not proposed a rule under this FACTA provision. Negative information in a consumer report. The Federal Reserve Board (www.federalreserve.gov) was directed by Congress to write sample notices for financial institutions when reporting negative information to consumers. The Board has finalized the regulation, at www.federalreserve.gov/BoardDocs/Press/bcreg/2004/200406082/default.htm. Medical information and consumer reports. In May 2005 the PRC submitted comments about the proposed medical privacy rules. www.privacyrights.org/ar/FDIC-MedFI.htm The agencies adopted final rules in November, 2005. www.federalreserve.gov/boarddocs/press/bcreg/2005/20051117/default.htm Opting out of affiliate sharing. The FTC and the federal banking agencies have proposed regulations to create this new opt-out procedure. www.ftc.gov/opa/2004/06/factaaffiliate.htm As of this writing, the agencies have not adopted final rules. Risk-based pricing of credit. The FTC and the banking agencies will address the details of this notice requirement through rulemaking. Regulations to implement §615(h) have not yet been published as of this writing. However, this notice requirement appears in a recent FTC proposal to amend notice consumer reporting agencies are required to make to “users” of consumer reports. www.ftc.gov/os/2004/07/040709fcraappxh.pdf Notes Pre-emption: For more on the subject of state preemption, see the analysis of the National Consumer Law Center, www.nclc.org/initiatives/facta/nclc_analysis.shtml as well as a separate analysis by Consumers Union, www.consumersunion.org/pub/core_financial_services/000756.html . Financial agencies. The federal agencies with oversight of financial companies are: Office of Comptroller of Currency (www.occ.treas.gov); Office of Thrift Supervision (www.ots.treas.gov); Federal Deposit Insurance Corporation (www.fdic.gov); Federal Reserve Board (www.federalreserve.gov); and the National Credit Union Administration (www.ncua.gov) . The Privacy Rights Clearinghouse developed this guide with funding from the Rose Foundation Consumer Privacy Rights Fund.