
(202) 349-8000
1250 24th St NW · Suite 700 · Washington D.C. 20037
www.buckleykolar.com

InfoBytes

CONSUMER FINANCE HEADLINES & DEADLINES FOR OUR CLIENTS AND FRIENDS

Special Alert

October 16, 2007

FDIC Adopts Final FACTA Affiliate-Marketing and Red Flag/Address Discrepancy Rules; Other Agencies to Follow

At a meeting of the Federal Deposit Insurance Corporation (FDIC) board today, the FDIC board of directors unanimously adopted in final form several long-delayed rules implementing the Fair and Accurate Credit Transactions Act of 2003 (FACTA). A final regulation provides for a separate right for the consumer to opt out before a company that receives information from an affiliate can use that information in marketing. Another set of regulations and guidelines addresses procedures that financial institutions and creditors will be required to follow to identify “red flags” that indicate potential identity theft and to respond to a request for a credit or debit card that they receive soon after receiving a change-of-address notice. The draft Federal Register notices adopted today by the FDIC include draft final rules that are expected to be issued soon by the other agencies that share joint responsibility for issuing the FACTA regulations: the OCC, OTS, Federal Reserve Board, and National Credit Union Administration for the affiliate-marketing rule, and those agencies and the FTC for the red-flag and change-of-address rules and guidelines.

The affiliate-marketing proposal has been pending since June of 2004, while the red-flag and change-of-address proposals were published in July of 2006. They were issued in final after House Financial Services Committee Chairman Barney Frank (D-MA) proposed and then withdrew legislation that would have made the FTC the lead agency for the red-flag rules, with the other agencies required to issue substantially similar regulations. At the FDIC meeting, OCC Chief Counsel Julie Williams, representing the Comptroller of the Currency, who is an ex officio FDIC Board member, stated that the agencies expect in November to publish proposed regulations specifying the circumstances under which consumers may dispute credit report items directly with the company that furnished the information to the consumer reporting agency. There was no word on when the remaining major pending FACTA regulation—the risk-based pricing notice requirement—will be issued. That regulation has not yet been published for comment.

AFFILIATE MARKETING

An earlier amendment to FCRA has allowed companies to share “consumer report” information with their affiliates without being subject to the restrictions that normally apply to sharing such information with third parties, if they give the consumer an opportunity to opt-out from sharing and the consumer does not opt-out. Under FACTA’s new affiliate-marketing provision, consumers must be given an opportunity to opt out of the use for marketing by a company of any financial information obtained from an affiliate, including both consumer reports and direct transaction-and-experience information. Sharing of information, as opposed to use of that information by the recipient, is not restricted beyond the previous FCRA requirements. Compliance with the final rules will become mandatory on October 1, 2008.

Key provisions of the final rules include:

  • The opt-out notice must be provided either by a company that has or has had a preexisting business relationship with the consumer, or jointly by a group of affiliates if at least one of the companies has or has had a preexisting relationship. The agencies rejected requests by industry to allow the affiliate that is receiving the information to provide the notice, stating that the notice should come from an entity known to the consumer. The draft Federal Register notice states, however, that a company may use an agent (which could, presumably, include the receiving company) to provide the notice on its behalf.
  • The opt-out notice must be provided in writing, or electronically if the consumer consents. The agencies decided not to allow oral notices.
  • The agencies decided not to extend the rule to cover “constructive sharing,” where a company solicits its own customers for products or services offered by an affiliate. They reasoned that no information is shared with the affiliate before that company sends the solicitation, and, therefore, coverage is not triggered. On the other hand, the opt-out right applies when an affiliate accesses data in a shared database and then asks the company that has the relationship with the customer to send a solicitation.
  • As in the proposal, a company may use information obtained from an affiliate without providing an opt-out right if the company using the information has a current business relationship with the consumer, had a relationship within the past 18 months, or has received a product-related inquiry within three months. The rule provides that a purchaser of mortgage servicing rights has a pre-existing business relationship with the consumer if it deals directly with the consumer. 

"RED FLAG" IDENTITY THEFT GUIDELINES AND CHANGE-OF-ADDRESS RULES

The final “red flag” regulations require financial institutions or creditors to have a written program that includes controls to address identity theft risks (“red flags”). Compliance with the regulations becomes mandatory on November 1, 2008.

Under the regulations, every program must contain “reasonable policies and procedures” to:

  • Identify relevant red flags — defined as in FACTA as “a pattern, practice, or specific activity that indicates the possible existence of identity theft” — and incorporate those red flags into the program;
  • Detect red flags that have been incorporated into the program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.

The regulations also include requirements to have the initial program approved by the board of directors or a board committee; ensure oversight of the development, implementation, and administration of the program; train staff; and oversee service providers.

To provide more flexibility to financial institutions and creditors, the agencies moved some detail that was contained in the proposed regulations to the accompanying red-flag guidelines. The guidelines make clear that existing risk-control programs may be incorporated “as appropriate” into the institution’s or creditor’s red-flag program.

An appendix to the guidelines lists examples of possible red flags that could be included in an institution’s or creditor’s program, such as a fraud or active duty alert on a credit report, an unusual increase in the number of inquiries or new credit relationships shown on the credit report, discrepancies in identifying documents or personal information, and unusual use of the account.

The draft Federal Register notice states that the agencies believe that routinely rejecting credit applicants who have filed a FCRA fraud or active-duty alert with the credit bureau, as part of a red-flag program, violates the prohibition in the Equal Credit Opportunity Act (ECOA) against discrimination based on exercise of rights under the Consumer Credit Protection Act. But they withdrew a proposed footnote that would have stated that position explicitly, noting that this rulemaking is not the appropriate vehicle for addressing ECOA issues.

The final address-discrepancy regulations apply to a credit or debit card issuer that receives a change-of-address notice and then, within a short time (at least 30 days) afterwards receives a request for an additional or replacement card. The issuer is prohibited from issuing a new card unless it takes steps to assess whether the change of address is valid – notifying the cardholder at the old address; notifying the cardholder through some other means of communication that the cardholder has previously agreed to; or using another method of assessing the validity of the change of address that the issuer has included in its red flag program. Compliance with those regulations also becomes mandatory on November 1, 2008.

For a copy of the materials distributed at the meeting, please find the red flag rules at http://www.buckleykolar.com/resources/documents/FDICFACTAFinalRuleRedFlags.pdf and find the affiliate marketing rules at http://www.buckleykolar.com/resources/documents/FDICFACTAFinalRuleAffilateMarketing.pdf.


© Buckley Kolar, LLP 2005. INFOBYTES is not intended as legal advice to any person or firm. It is provided as a client service and information contained herein is drawn from various public sources, including other publications.

We welcome reader comments and suggestions regarding issues or items of interest to be covered in future editions of InfoBytes. Email:

For back issues of INFOBYTES (or other Buckley Kolar LLP publications), visit http://www.buckleykolar.com/publications.