In addition to some great follow-up questions I got from Andy in response to my blog posting yesterday, “FTC Now Requires Organizations to Have an Identity Theft Prevention Program,” I have also received some interesting questions from others about the new Identity Theft Prevention Program Rule, and I had the opportunity today to have some interesting discussions with several folks, such as Linda McGlasson at bankinfosecurity.com.
Keep in mind this requirement for organizations handling consumer credit information is in partial fulfillment of the Fair and Accurate Credit Transactions Act (FACTA).
So what entities must comply with FACTA, and as a result with the Identity Theft Prevention Program requirements?
Basically, organizations that are considered “financial institutions” or “creditors.” Some organizations may be surprised to find that they fall under one or both of these labels because of the services they provide or perform for their customers or employees.
FACTA defines a “financial institution” as:
“FINANCIAL INSTITUTION.—The term ‘financial institution’ means a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.”
Section 19(b) of the Federal Reserve Act defines a “transaction account” as:
“(C) The term ‘transaction account’ means a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.”
So, a person or organization that provides individuals with a service, or services, that allows them to keep money in accounts and to withdraw it or use the money for payments could be considered a “financial institution,” or at least that part of the business that performs this service could be.
The definition of the term “creditor” is that found within Section 702 of the Equal Credit Opportunity Act:
“(e) The term “creditor” means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
Think about all the many different types of organizations that provide such types of credit to their customers!
I know of many retail organizations that provide credit services to their customers. I also know of many other types of organizations that provide such credit, such as some schools, entertainment companies, communications companies, local stores and shops, online retail sites, transportation organizations, professional services organizations, barbershops and hairstyling shops, medical services organizations, healthcare providers, and the list goes on and on.
This should not be considered legal advice, but rather information that you need to take to your legal counsel to determine, in your lawyer’s opinion, whether or not your organization must comply with FACTA and its associated implementation rules, such as this Identity Theft Prevention Program Rule, the Disposal Rule, and the other rules created in compliance with FACTA.
Some good questions to ask your legal counsel:
1) Do we provide our customers with any services that allow them to deposit money in any way, and then use that money at a later date in any way?
2) Do we provide a way to sell our customers products or services on a credit type of plan?
3) Do we provide our personnel with any credit union or banking types of services?
4) Do we provide scholarships to our personnel, to personnel family members, or to others? If so, how do we provide that scholarship money: as a check to the family/student, or as direct payments to the schools?
5) Do we give loans to our personnel or customers for any reason?
This list should get your conversation with your lawyer off to a good start!
I’m really glad to get questions such as these; thanks Andy! I like to do some digging into details and provide information to help you start a good dialogue with your colleagues and coworkers.
Any other thoughts about the Identity Theft Prevention Program Rule?
Tags: awareness and training, FACTA, FCRA, Federal Reserve Act, FTC, Identity Theft Prevention Program, Information Security, IT compliance, policies and procedures, privacy, privacy training, risk management, security training