Fair and Accurate Credit Transaction Act (FACTA)

The Fair and Accurate Credit Transaction Act (FACTA) and state privacy laws are distinct from the PCI standards, but they are a related topic in that they also require specific data to be secured or eliminated.

Here are the FACTA, privacy law, and Red Flag Rule updates.

Red Flag Rules

In response to the growing number of identity thefts (more than 9 million victims in 2006 alone), the Fair and Accurate Credit Transaction Act of 2003 (FACTA) was expanded to include provisions on red flag notifications to consumers. Section 114 requires financial institutions and creditors to develop and implement a program to “detect, prevent and mitigate identity theft in connection with existing accounts, and the opening of new accounts.” FACTA became effective on January 1, 2008, with November 1, 2008 as the deadline for compliance.

The Section 114 FACTA Identity Theft Red Flag ruling delivered by the Federal Trade Commission (FTC) and federal bank regulatory agencies focuses on an array of factors relating to commerce, including:

  • Financial Institutions and Creditors
  • Retail and Business Customers
  • Existing and New Accounts

The FACTA Identity Theft Red Flag rules have been finalized, and the November 1 compliance deadline is approaching far faster than many financial institutions and credit card issuers had anticipated. It’s no wonder that BankInfoSecurity named keeping up with compliance the top information-security challenge facing the industry in 2008. The ruling specifically calls out the requirement for controls and reporting on any Internet-related transactions or account access. It also references the FFIEC regulation as a starting point for preventing identity theft online, but extends it with new requirements for reporting and notification.