Identity Theft Laws & Regulations
A number of Identity Theft laws and regulations were signed into law as part of the Fair and Accurate Credit Transactions Act (FACT Act). In particular, FACT Act requires financial institutions and creditors to develop, and implement, written identity theft programs by November 1, 2008.
We're going to review some of the Identity Theft laws, regulations and guidelines appearing in Section 114 of the Fair and Accurate Credit Transactions Act. This review will include the required elements of an identity theft laws program such as Red Flags. During this review, we'll explain how these programs may affect consumers, as well as the forms of identification you may be asked to produce to prove your identity.
Detecting Identity Theft
As mentioned, the final rules of FACT Act require creditors and financial institutions to developed reasonable procedures to detect, prevent, and mitigate identity theft in connection with the opening or the maintenance of certain accounts. The accounts covered by this legislation include those involving, or those designed to permit, multiple payments or transactions.
Examples include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and / or savings accounts. In addition, accounts where there is "reasonable foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft" are also covered by these regulations.
Identity Theft Laws Programs
The Identity Theft laws required by FACT Act outline several mandatory elements of a financial institution's identity theft program including:
• Identifying the accounts that are at risk for identity theft
• Outlining processes or methods used to open new accounts
• Outlining processes or methods used to access existing account information
• Prior experience with identity theft
• Evaluating changes in identity theft risk over time such as those that might be introduced via new technology
• Providing the program with the appropriate regulatory, supervisory, and / or legal support
Using the above criteria, these financial institutions and creditors are required to conduct a risk assessment of their operations.
One of the cornerstones of these identity theft assessments are what are referred to as "Red Flags." A Red Flag is defined as a pattern, practice, or activity that indicates the possible existence of identity theft. In the same way that a company may have responded to an incident of identity theft in the past, a company needs to monitor the following indicators of possible identity theft activity:
• Alerts, warnings, or notifications from a Consumer Reporting Agency
• Suspicious looking documentation received from a customer
• Suspicious persons providing identifying information
• Unusual or suspicious account activity
• Notices received from customers, victims of identity theft, law enforcement officials, or other persons regarding possible cases of identity theft
Identity theft programs are also required to integrate a Customer Identification Program, or CIP, as part of their identification and verification process or procedure. CIPs were first required by the PATRIOT Act, and applied to companies that fall under the broadly defined term "financial institution."
Here again, companies need to establish, and follow, written procedures that help to ensure the correct identification of customers. These laws recognize that companies of various sizes fall under the definition of financial institution, therefore the exact procedure followed will vary from one company to another.
Proof of Identity
To prevent identity theft, companies are required to collect the following four pieces of information on all new accounts:
• Accountholder Name
• Date of Birth (Individuals)
• Home Address
• Identification Number
If the customer is a citizen of the United States, then the identification number must be a taxpayer identification number such as a Social Security Number or an employee identification number. Non-U.S. citizens must provide an alien identification number, or any other government-issued document providing evidence of nationality that includes a photograph.
In addition to the above, companies may also require the customer to provide proof of identity using a:
• Social Security Card
• Driver's License
• Military Identification Card
• County Identification Card
• Birth Certificate
• Current Auto Insurance Card or Policy
• Utility Bill or Invoice
• Credit Card Bill or Statement
Social Security Numbers as Identification
From the above, it's clear that companies will continue to ask consumers to produce their Social Security Number / Card as proof of identity. However, the government recognizes that the original purpose of SSNs was not as the primary means of identifying an individual.
Until emerging technologies such as biometrics become an industry standard, Social Security Numbers will remain one of the most reliable forms of identification. Credit scores, credit history, and reported information on debt payment behavior require an accurate means of aggregating consumer information. Ironically, the same information that people safeguard as a way of protecting themselves from identity theft is also used as proof of a stolen identity.
Return to the top - Identity Theft Laws
Back to Identity Theft Resource Center
Back to the Home Page