Implementation of the Fair and Accurate Credit Transactions (FACT) Act of 2003
CRS Report for Congress
Implementation of the Fair and Accurate Credit
Transactions (FACT) Act of 2003
Updated February 3, 2005
Angie A. Welborn
American Law Division
American Law Division
Congressional Research Service ˜ The Library of Congress
Implementation of the Fair and Accurate Credit
Transactions (FACT) Act of 2003
On December 4, 2003, the President signed the Fair and Accurate Credit
Transactions (FACT) Act of 2003 (P.L. 108-159), which included a number of
amendments to the Fair Credit Reporting Act (FCRA) aimed at protecting the privacy
of the information in a consumer’s credit report, assisting victims of identity theft,
and preventing fraudulent credit transactions. Many provisions of the act required
implementation by the Federal Trade Commission and the federal banking agencies.
This report provides an overview of the rulemaking proceedings implementing the
major provisions of the FACT Act. It will be updated as events warrant.
Free Annual File Disclosures.....................................1
Furnishing of Negative Information................................2
Provisions Related to Identity Theft...............................3
Definition of Identity Theft..................................3
Definition of Identity Theft Report............................3
Appropriate Proof of Identity.................................4
Duration of an Active Duty Alert.............................4
Disposal of Consumer Information................................5
Reporting of Medical Information.................................7
Implementation of the Fair and Accurate
Credit Transactions (FACT) Act of 2003
As the preemption provisions of the Fair Credit Reporting Act (FCRA) were set
to expire at the end of 2003, both the House and Senate revisited the entire Act,
holding a series of hearings on various issues related to consumer credit, the credit
reporting system, and financial privacy. These hearings culminated in the passage1
of the Fair and Accurate Credit Transactions (FACT) Act of 2003.
On December 4, 2003, the President signed the Fair and Accurate Credit
Transactions (FACT) Act of 2003, which became Public Law 108-159. The act
included a number of amendments to the Fair Credit Reporting Act (FCRA) aimed
at protecting the privacy of the information in a consumer’s credit report, assisting
victims of identity theft, and preventing fraudulent credit transactions. Many
provisions of the act required implementation by the Federal Trade Commission and
the federal banking agencies. This report provides an overview of the rulemaking
proceedings implementing the major provisions of the FACT Act.
Free Annual File Disclosures
On June 24, 2004, the Federal Trade Commission (FTC) issued its final rule
implementing the provision of the FACT Act providing for free annual disclosures2
of consumer credit reports. Under the FACT Act, nationwide credit reporting
agencies (CRAs) are required to make all disclosures pursuant to FCRA section 60934
in a consumer report available free of charge once during any 12-month period. All
information in the consumer’s file at the time of the consumer’s request must be
disclosed, and disclosure must be mailed within 15 days of when the request was
1 For more information about the House and Senate legislation leading to the Fair and
Accurate Credit Transactions Act of 2003, see CRS Report RL32121, Fair Credit Reporting
Act: A Side-by-Side Comparison of House, Senate and Conference Versions.
2 69 FR 34562 (June 24, 2004).
3 15 U.S.C. 1681g.
4 For more information on the free credit report provisions of the FCRA and the FACT Act,
see CRS Report RL32008, A Consumer’s Access to a Free Credit Report: A Legal and
received.5 The FACT Act directed the FTC to promulgate rules establishing a
centralized source through which consumers may request free annual file disclosures
from each nationwide consumer reporting agency, a standardized form for these
requests, and a streamlined process for consumers to request free annual file
disclosure from nationwide specialty reporting agencies.
Under the final rule, the centralized source includes a centralized Internet
website, a toll-free telephone number, and a postal address. It is estimated there will
be 30.4 million requests yearly, 75% or 22.8 million by internet, 24% or 4 million by
telephone, and 1% or 166,000 by mail. To accommodate the initial volume of
requests when the rule becomes effective, availability will roll out from west to east
beginning December 1, 2004 and ending in nationwide availability on September 1,
2005. During periods of extraordinary request volume, requests may be redirected
or declined so long as nationwide CRAs implement reasonable procedures to
anticipate and respond to consumer demand.
In order to strike a balance between ease of use of the centralized source and
maintaining adequate identification and authentication procedures against fraud and
identity theft, the FTC limits the collection of authentication and information
collection to that which is “reasonably necessary.” This may include but does not
require consumers to provide their social security numbers. It is the FTC’s position
that a flexible standard that adapts over time is the most effective way to ensure that
proper procedures are implemented.
Furnishing of Negative Information
Section 217 of the FACT Act requires that if any financial institution (1)
extends credit and regularly and in the ordinary course of business furnishes
information to a nationwide consumer reporting agency, and (2) furnishes negative
information to such an agency regarding credit extended to a customer, the institution
must provide a clear and conspicuous notice in writing to the customer with 30 days
of furnishing the negative information.6 There is a safe harbor for failure to perform
if, at the time of the failure, the institution maintained reasonable policies and
procedures to comply with the section if the institution reasonably believed that it
was prohibited by law from contacting the customer.
The FACT Act directed the Board of Governors of the Federal Reserve System
to publish a concise model notice not exceeding 30 words that financial institutions
may but are not required to use to comply with the notice requirement. On June 15,
2004, the Board published two model notices, one for use when notice to the
customer precedes the provision of negative information to a CRA, and one for use
if notice follows the provision of negative information.7 The two model notices are
5 15 U.S.C. 1681g(a)(1).
6 Negative information is defined as information concerning a customer’s delinquencies, late
payments, insolvency, or any form of default. P.L. 108-159, Sec. 217(a).
7 69 FR 33281 (June 15, 2004).
We may report information about your account to credit bureaus. Late
payments, missed payments, or other defaults on your account may be reflected
in your credit report.
We have told a credit bureau about a late payment, missed payment or other
default on your account. This information may be reflected in your credit report.
Provisions Related to Identity Theft
On November 3, 2004, the FTC released its final rule establishing definitions
for “identity theft” and “identity theft report;” clarifying what constitutes “appropriate
proof of identity” for purposes of the FCRA, as amended by the FACT Act; and
establishing the duration of an active duty alert created pursuant to the FACT Act.8
Definition of Identity Theft. The FACT Act confers rights on victims of9
identity theft to assist them in resolving problems cause by identity theft. Defining
identity theft determines who may avail themselves of the rights conferred by the act.
The FACT Act defines “identity theft” as “a fraud committed using the10
identifying information of another person” subject to further definition by the FTC.
The FTC’s final rule defines “identity theft” as “a fraud committed or attempted11
using the identifying information of another person without authority.” The
inclusion of “attempted” in the definition will allow both victims and intended
victims to avail themselves of the protections provided under the act to have
unauthorized inquiries removed from their consumer reports and to have an “initial
fraud alert” placed in their file.
Definition of Identity Theft Report. Under section 605A of the FCRA, as
amended by the FACT Act, victims who provide an identity theft report to consumer
reporting agencies can request an extended fraud alert on their files. An extended
fraud alert lasts seven years and notifies users that the consumer may be a victim of
fraud or identity theft and requires users to contact the consumer before extending
credit. An identify theft report may also be provided by consumers to consumer
reporting agencies to have information resulting from identity theft blocked from
consumer reports, and by consumers to information furnishers to prevent information
furnishers from continuing to provide information resulting from identity theft to the
consumer reporting agencies.
The FTC’s final rule defines “identity theft report” as a report that “alleges
identity theft with as much specificity as the consumer can provide;” and has been
filed by the consumer with a federal, state, or local law enforcement agency.12 The
report may also include additional information as requested by an information
8 69 FR 63922 (November 3, 2004).
9 P.L. 108-159, Title I.
10 P.L. 108-159, Sec. 111.
11 69 FR at 63933.
12 69 FR at 63933.
furnisher or consumer reporting agency. The final rule allows information furnishers
or consumer reporting agencies to make reasonable requests for additional
information for the purpose of determining the validity of the identity theft no later
than fifteen business days after receiving the law enforcement agency report or the
consumer’s request, whichever is later.
Appropriate Proof of Identity. Section 112(b) of the FACT Act requires
the FTC to determine what constitutes appropriate proof of identity for the purposes
described above. In it’s proposed rule, the Commission found that the two greatest
risks of misidentification are that the file of the requesting consumer is confused with
another consumer’s file, or that a person pretending to be the consumer makes the
request successfully. The FTC noted that the risks vary over time, by the method
through which requests are made (internet, phone, mail), and between consumer
reporting agencies. Considering the nature of the risks, the FTC determined that the
consumer reporting agencies were in the best position to assess the risks associated
with misidentification, and it proposed to require them to develop reasonable
requirements to identify consumers in accordance with the risk of harm from
The final rule follows the Commission’s original proposal, but also imposes
certain requirements on the consumer reporting agencies and provides examples of
the types of information that may be used to prove identity.13 Under the final rule,
the consumer reporting agencies must “ensure that the information is sufficient to
enable the consumer reporting agency to match consumers with their files; and adjust
the information to be commensurate with an identifiable risk of harm arising from
misidentifying the consumer.”14 Examples of the type of information that may be
used include the consumer’s full name, any other previously used names, current
and/or recent full address, the full nine digits of the social security number, and date
fo birth. Additional proof of identity may include copies of government issued
identification documents, utility bills, and answers to questions to which only the
consumer may be expected to know the answer.
Duration of an Active Duty Alert. Under the FACT Act, military personnel
deployed in situations where they are unlikely to be able either to apply for credit or
to monitor their financial accounts may place active duty alerts in their files
maintained by nationwide consumer reporting agencies. The act sets a minimum
period of 12 months for the duration of the active duty alert, but requires the FTC to
determine if this period should be longer.
The FTC’s final rule abides by the duration of 12 months.15 However, the
Commission notes that service members deployed for longer than 12 months may
request subsequent alerts.
13 69 FR at 63933.
14 69 FR at 63933 - 63934.
15 69 FR at 63933.
Disposal of Consumer Information
On November 24, 2004, the FTC issued its final rule regarding the proper
disposal of consumer report information and records as required under section 216
of the FACT Act.16
The Federal Trade Commission’s new rule requires “any person who maintains
or otherwise possesses consumer information for a business purpose” to “properly
dispose of such information by taking reasonable measures to protect against
unauthorized access to or use of the information in connection with its disposal.”17
The final rule includes examples of standards and practices that would constitute
reasonable measures in compliance with the requirement articulated above. Such
reasonable measures could include, but are not limited to the following: 1) the
implementation of and monitoring of compliance with policies and procedures that
require the burning, pulverizing, or shredding of papers containing consumer
information; 2) the implementation of and monitoring of compliance with policies
and procedures that require the destruction or erasure of electronic media containing
such information; and 3) after due diligence, entering into a contract with another
party engaged in the business fo record destruction to dispose of such material.
Persons subject to the Gramm-Leach-Bliley Act and the Commission’s Safeguards
Rule can incorporate the disposal of consumer information into the information
security program required by the Safeguards Rule.18
On November 29, 2004, the National Credit Union Administration (NCUA)
issued a final rule to implement section 216 of the FACT Act by amending its fair
credit reporting and security program regulations and NCUA’s Guidelines for
Safeguarding Member Information.19 The new rule generally requires federal credit
unions (FCUs) to develop and maintain controls designed to ensure proper disposal
of consumer information as part of their information security programs. Examples
of what constitutes proper disposal mirror those articulated by the Federal Trade
On December 28, 2004, the OCC, FRS, FDIC, and OTS (the Agencies) issued
a final rule to implement section 216 of the FACT Act by amending the Interagency
Guidelines Establishing Standards for Safeguarding Customer Information.20 The
new rule amends paragraph II.B of the Guidelines by adding proper disposal of
consumer information to the list of objectives. To reach this objective, each
institution must, as part of its information security program, develop, implement, and
maintain measures to properly dispose of consumer information to guard against
16 69 FR 68690 (November 24, 2004).
17 69 FR at 68697.
18 See 16 C.F.R. part 314.
19 69 FR 69269 (November 29, 2004).
20 69 FR 77610 (December 29, 2004). See also 69 FR 71322 for a discussion of the SEC’s
implementation of the disposal requirements under section 216 of the FACT Act.
Section 214(a) of the FACT Act amended the FCRA by adding a new section
624, which the proposed rule seeks to implement by providing for consumer notice
and an opportunity to prohibit affiliates from using certain information to make or
send marketing solicitations to the consumer. Section 624 governs the use of
information by an affiliate, not the sharing of information with or among affiliates,
which is the subject of section 603(d)(2)(A)(iii).21 Though there is some overlap
between the two opt-out provisions, they serve distinct purposes.
Section 624 does not specify which affiliate must give the consumer notice and
opportunity to opt out of the use of the information by an affiliate for marketing
purposes. Section 214 (b)(2) of the FACT Act requires the FTC to consider existing
affiliate sharing notification practices and to provide for coordinated and
consolidated notices, and section 214 allows for the combination of affiliate
marketing opt-out notices with other notices required by law such as privacy notices.
Therefore, the FTC proposes that the person communicating the information should
be responsible for satisfying the notice requirement where applicable because that is
the person that would likely provide the affiliate sharing opt-out notice under section
The proposed rule also defines the type of information that consumers are able
to bar affiliates from using to send marketing solicitations, referring to such
information as “eligibility information.” Under the proposed rule, “eligibility
information” could include “a person’s own transaction or experience information,
such as information about a consumer’s account history with that person, and other
information, such as information from credit bureau reports or applications.”23
Under the proposed rule, the Commission has determined that a person must
give a consumer a reasonable opportunity to opt-out following delivery of the opt-out
notice. The proposal provides examples of what may constitute a reasonable
opportunity to opt-out, and establishes a 30-day safe harbor period in certain
21 Section 603(d)(2)(A)(iii) provides that a person may communicate non-transaction or
experience information that would otherwise be a consumer report among its affiliates
without becoming a consumer reporting agency if the person has given the consumer both
a clear and conspicuous notice that such information may be communicated among affiliates
and an opportunity to opt-out of such communications, and the consumer has not opted out.
22 69 FR 33324 (June 15, 2004).
The federal banking agencies and the Securities and Exchange Commission
have issued proposed rules that appear to be substantially similar to those proposed
by the Federal Trade Commission.24
Reporting of Medical Information
On April 28, 2004, the Office of Thrift Supervision of the Department of the
Treasury (OTS), the Federal Reserve System (Board), the Federal Deposit Insurance
Corporation (FDIC), and the National Credit Union Agency (NCUA), published
proposed regulations implementing section 411 of the FACT Act, restricting the
circumstances under which consumer reporting agencies may furnish consumer
reports containing medical information about consumers.25
Section 411(a) of the FACT Act added several new sections to the FCRA.
Among these, new section 604(g)(1) restricts the furnishing by consumer reporting
agencies of consumer reports containing medical information about consumers to
the following three circumstances: (1) the report is furnished in connection with an
insurance transaction with the consumer’s affirmative consent; (2) the report is
furnished either for employment purposes or in connection with a credit transaction,
the information is relevant to process the employment or credit transaction, and the
consumer provides written consent describing in clear and conspicuous language the
use for which the information will be furnished; or (3) the information pertains solely
to transactions, accounts, or balances relating to debts arising from the receipt of
medical services, products, or devices, where such information is not sufficient to
allow inference of the specific provider or nature of the services.
The new section 604(g)(2) prohibits creditors from obtaining or using medical
information pertaining to a consumer in connection with any determination of the
consumer’s eligibility or continued eligibility for credit.
A final new section — 604(d)(3) — eliminates the standard exclusions
permitting sharing transaction or experience information among affiliates after notice
and an opportunity to opt-out where medical-related information is concerned.
The Agencies propose two things.26 First, they propose to create exceptions to
the general prohibition against obtaining or using medical information in connection
with credit eligibility determinations. Also, they propose to create additional
exceptions to the restrictions on sharing medical-related information with affiliates.
The Agencies believe the exceptions are necessary and appropriate to protect
legitimate operational, transactional, risk, consumer, and other needs and are
consistent with congressional intent to restrict the use of medical information for
24 See 69 FR 42502 (July 15, 2004); 69 FR 42302 (July 14, 2004).
25 69 FR 23380 (April 28, 2004).