Fair and Accurate Credit Transactions Act

From The Secure Arc Wiki


Information in italics below is referenced from wikipedia, reproduced in accordance with the GNU Free Documentation License.

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA, Pub.L. 108-159) is a United States federal law, passed by the United States Congress on December 4, 2003, as an amendment to the Fair Credit Reporting Act. The act allows consumers to request and obtain a free credit report once every twelve months from each of the three nationwide consumer credit reporting companies (Equifax, Experian and TransUnion). In cooperation with the Federal Trade Commission, the three major credit reporting agencies set up the website, annualcreditreport.com, to provide free access to annual credit reports.

The act also contains provisions to help reduce identity theft, such as the ability for individuals to place alerts on their credit histories if identity theft is suspected, or if deploying overseas in the military, thereby making fraudulent applications for credit more difficult. Further, it requires secure disposal of consumer information.

Each requirement of the law relating to Information Security is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.

Compliance

Financial institutions face a mandatory deadline of November 1, 2008 to comply with three new FACT Act regulations referred to as the Red Flag rules [2], sections 114 and 315 of the Fair and Accurate Credit Transactions (FACT) Act.

According to a Business Alert issued by the Federal Trade Commission in June 2008 [3], the Red Flag Rules apply to a very broad range of businesses, including “financial institutions” and “creditors” with “covered accounts”. A “creditor” is defined to include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies”. This list, however, is not exhaustive.

The regulations apply to all businesses that have “covered accounts”. A “covered account” includes any account for which there is a foreseeable risk of identity theft: for example, credit cards, monthly billed accounts such as utility or cell phone bills, social security numbers, driver's license numbers, medical insurance accounts, and many others. This significantly expands the definition to include all companies, regardless of size, that maintain or otherwise possess consumer information for a business purpose. Because of the broad definitions in these regulations, few businesses will be able to escape these requirements.

Documentation

This legal publication is freely available on the internet. link
