
US Private Sector Privacy Chapter 09 Financialp1.pdf


Full Transcript

MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 9 – as of 02/25/2024 © IAPP

financial privacy laws related to credit reporting in general are preempted under FACTA, with the exception of state laws discussed in Section 9.2. 7

9.1.1 Key Definitions in the FCRA

The FCRA regulates any consumer reporting agency (CRA) that furnishes a consumer report, which is used primarily for assisting in establishing a consumer’s eligibility for credit. 8 A CRA is any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee. 9 Three well-known examples of CRAs are Experian, Equifax and TransUnion, which are leading providers of credit information and credit scores. There are thousands of smaller CRAs that compile personal records, such as criminal records or driving histories, for other consumer reporting purposes, such as preemployment screening. 10

The critical nature of the requirement that the CRA furnish the consumer report to invoke the protections of the FCRA can be illustrated by the lawsuits resulting from the 2017 Equifax breach of the data of nearly 150 million consumers. The court’s ruling in one of the main class-action lawsuits was that there had not been an FCRA violation because Equifax had not “furnished” the stolen data to the hackers. 11

A consumer report is any communication by a CRA related to an individual that pertains to the person’s:

° Credit worthiness
° Credit standing
° Credit capacity
° Character
° General reputation
° Personal characteristics or
° Mode of living

and that is used “in whole or in part for the purpose of serving as a factor in establishing a consumer’s eligibility” for credit, insurance, employment or other business purpose. 12

The FCRA specifically requires CRAs to:

° Provide consumers with access to the information contained in their consumer reports as well as the opportunity to dispute any inaccurate information
° Take reasonable steps to ensure the maximum possible accuracy of information in the consumer report
° Not report negative information that is outdated; in most cases, this means account data more than 7 years old or bankruptcies more than 10 years old
° Provide consumer reports only to entities that have a permissible purpose under the FCRA
° Maintain records regarding entities that received consumer reports
° Provide consumer assistance as required by FTC rules 13

NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.

As discussed in further detail in Section 9.1.2, the FCRA imposes obligations on organizations that are not CRAs, including users (lenders, insurers, employers and others who use consumer reports) 14 and furnishers (lenders, retailers and others who furnish credit history or other personal information to the CRAs). 15

Users must meet several main requirements under the FCRA:

° A user must have a permissible purpose for obtaining a consumer’s credit report.
° A user must certify to the CRA the permissible purpose for which the user is obtaining the consumer’s credit report.
° A user must notify the consumer when an adverse action is taken as a result of the user obtaining the consumer’s credit report. 16

Additionally, users of consumer reports must comply with other requirements, such as recordkeeping and securely disposing of the consumer report data. 17 Note that when the user of the consumer report is an employer or prospective employer, additional requirements may apply. 18

Under the FCRA, furnishers’ duties related to the information they provide to CRAs include:

° to provide accurate information
° to correct and update information
° to provide notice of dispute
° to respond to information resulting from identity theft. 19

Additionally, as also discussed in additional detail in Section 9.2.2, companies that extend credit to consumers, even if they do not use consumer reports to make credit decisions, are now required to implement a “Red Flags” program to detect and deter identity theft.

9.1.2 CRA Requirements Under the FCRA

Under the FCRA, CRAs are required to: provide consumers with access to the information in their consumer reports as well as the opportunity to dispute inaccurate information; ensure the accuracy of information in the consumer report; and refrain from reporting negative information that is outdated.

CRAs must provide consumers access to the information contained in their consumer reports as well as the opportunity to dispute any inaccurate information. Upon request by the consumer to the CRA, the CRA shall provide the consumer with access to the information, except for certain detailed exceptions. One of these exceptions permits the CRA to refrain from disclosing “credit scores or any other risk scores or predictors relating to the consumer.” 20 The CRA is required to have procedures in place to address a consumer’s dispute of information in the consumer’s file. Once the CRA receives a dispute from a consumer directly or indirectly (through a reseller), the CRA shall undertake a reasonable investigation to determine if the information is accurate. 21

CRAs must take reasonable steps to ensure the maximum possible accuracy of information in the consumer report. 22 CRAs are expected to have procedures in place to “assure maximum possible accuracy” of the information about the individual in the credit report. 23

CRAs must not report negative information that is outdated. In most cases, this means account data more than 7 years old or bankruptcies more than 10 years old. Although the law permits consumer reporting agencies to report bankruptcies on credit reports for 10 years from the date that the bankruptcy was filed, a notable practice by larger consumer reporting agencies is to remove Chapter 13 bankruptcies after 7 years - apparently to encourage debtors to file this type of bankruptcy. 24

9.1.3 User Requirements Under the FCRA

Users, meaning those who use credit reports, are subject to two main types of requirements related to consumer information that is protected by the FCRA. First, the user must meet certain requirements to obtain a credit report from a CRA. Second, the FCRA imposes notice requirements on the user after the user has made a negative decision, known as an adverse action, based at least in part on consumer information covered by the FCRA; this consumer information can be obtained from a CRA, third party, or affiliate.

9.1.3.1 User Obtaining a Consumer Report from a CRA

Users of consumer reports, including employers who use consumer reports in employment decisions as well as lenders, insurers and others, are required to have a “permissible purpose” to obtain a credit report. To obtain the credit report, the user must certify to the CRA the specific permissible purpose(s) for which the credit report was obtained as well as the fact that the consumer report will not be used for any other purpose.

Users must have a “permissible purpose.” Congress has limited the use of consumer reports to protect consumers’ privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report.
Such purposes include obtaining reports:

° As instructed by the consumer in writing
° For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer’s account
° For employment purposes, including hiring and promotion decisions, where the consumer has given written permission
° For the underwriting of insurance as a result of an application from a consumer
° When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer
° To review a consumer’s account to determine whether the consumer continues to meet the terms of the account
° To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status
° For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation
° For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof
° In response to a lawfully issued court order or subpoena
° In addition, creditors and insurers may obtain certain consumer report information for the purpose of making “prescreened” unsolicited offers of credit or insurance 25

Users must provide certifications. The FCRA prohibits any person from obtaining a consumer report from a CRA unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose. 26

9.1.3.2 User Notice to Consumers Regarding Adverse Actions

The FCRA imposes requirements on users to notify the consumer when an adverse action is taken. The term adverse action is defined very broadly to include all business, credit and employment actions affecting consumers that can be considered to have a negative impact, such as denying or canceling credit or insurance or denying employment or promotion. 27 Note that no adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer. The FCRA details a number of adverse actions that can be taken as a result of obtaining or reviewing the information contained within a consumer credit report.

Adverse actions based on information obtained from a CRA. If a user takes any type of adverse action (as defined by the FCRA, action that is based, even in part, on information contained in a consumer report), the FCRA requires the user to notify the consumer. The notification may be done in writing, orally or by electronic means. It must include the following elements:

° The name, address and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report
° A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made
° A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer makes a request within 60 days
° A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA

Adverse actions based on information obtained from third parties that are not consumer reporting agencies.
If a person denies (or increases the charge for) credit for personal, family or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type covered by the FCRA, the law requires that the user clearly and accurately disclose to the consumer their right to be informed of the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must then provide the disclosure within a reasonable period of time following the consumer’s written request.

Adverse actions based on information obtained from affiliates. If a person takes an adverse action involving insurance, employment or a credit transaction initiated by the consumer based on the type of information covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, the law requires the user to notify the consumer of the adverse action. The notice must inform the consumer that they may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information no later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make a similar adverse action disclosure. 28

9.1.4 Furnisher Requirements under the FCRA

Furnishers, meaning those who furnish credit history or other personal information to the CRAs, have numerous requirements under the FCRA.
To ensure that furnishers comply with these requirements, the Furnisher Rule requires furnishers to have policies and procedures in place to ensure the accuracy and integrity of consumer information reported to CRAs – such as ensuring the information reported pertains to the correct person; taking steps to prevent an inappropriate practice where the date of the first delinquent consumer account is changed to a later date so the delinquency remains on the credit report past the time period allowed by the FCRA; and maintaining records for a certain period of time. 29

Furnishers must provide accurate information. A furnisher is prohibited from reporting to CRAs information about a consumer that the furnisher knows to be inaccurate or that has been disputed by the consumer and been established to be inaccurate.

Furnishers must correct and update information. A furnisher is required to promptly notify CRAs if the furnisher realizes previously reported information is incorrect or incomplete.

Furnishers must provide notice of dispute. If a consumer disputes the accuracy or completeness of information, the furnisher is required to notify the CRAs of that dispute.

Furnishers must respond to information resulting from identity theft. A furnisher must have procedures in place to respond to a CRA report to the furnisher related to information resulting from identity theft. 30

9.1.4 Special Disclosures Under FCRA for Certain Activities

Several activities require special disclosures under the FCRA. One such activity is using creditworthiness to determine a borrower’s interest rate, known as risk-based pricing. A second is the use of creditworthiness for employment purposes.
9.1.4.1 Consumer Reports and Risk-Based Pricing

Risk-based pricing is a concept used to describe a practice where lenders offer different interest rates or different loan terms to borrowers based on their creditworthiness. The Risk-Based Pricing Rule requires those offering credit to notify customers if they are receiving less favorable terms because of their credit report. 31

The FCRA requires disclosure by all persons who use credit scores in making or arranging loans secured by residential real property. These persons must provide credit scores and other information about credit scores to applicants. 32 Further, in some instances, the person offering credit must provide a risk-based pricing notice to the consumer in accordance with regulations jointly prescribed by the CFPB (formerly the FTC) and the Federal Reserve Board. These notices are required if a consumer report is used by an individual or organization in connection with an application for credit or a grant, extension or provision of credit to a consumer on terms that are less favorable than the most favorable terms available to a substantial proportion of consumers acquiring loans from or through that person. 33

9.1.4.2 Consumer Reports and Employment

The FCRA imposes certain additional obligations on organizations that intend to use consumer report information for employment purposes. The user of such information must:

° Make a clear and conspicuous written notification to the consumer before the report is obtained, in a document that consists solely of the disclosure that a consumer report may be obtained by the employer.
° Obtain prior written consumer authorization in order to obtain a consumer report. Authorization to access reports during the term of employment may be obtained at the time of employment.
° Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer’s rights will be provided to the consumer.
° Before taking an adverse action, provide a copy of the report to the consumer as well as the summary of the consumer’s rights. (The user should receive this summary from the CRA.) An adverse action notice should be sent after the adverse action is taken.

An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. 34

9.1.3 Special Procedures for Investigations of Suspected Misconduct by Employees

The FCRA provides special procedures for investigations of suspected misconduct by an employee or for compliance with federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports as long as (1) the employer or its agent complies with the procedures set forth in the act, (2) no credit information is used, and (3) a summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken based on the investigation. 35

9.1.4 Investigative Consumer Reports

Investigative consumer reports contain information about a consumer’s character, general reputation, personal characteristics, and mode of living.
This information is obtained through personal interviews by an entity or person that is a CRA. Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 of the FCRA requires that the user of the report disclose its use to the consumer. The disclosure is subject to the following requirements:

° The consumer must be informed that an investigative consumer report may be obtained.
° The disclosure must be in writing and must be mailed or otherwise delivered to the consumer some time before but not later than five days after the date on which the report was first requested.
° The disclosure must include a statement informing the consumer of their right to request additional disclosures of the nature and scope of the investigation, and the summary of consumer rights required by the FCRA. The summary of consumer rights will be provided by the CRA that conducts the investigation.
° The user must certify to the CRA that the required disclosures have been made and that the user will make the necessary disclosure to the consumer.
° Upon written request of a consumer made within a reasonable period of time after the required disclosures, the user must make a complete disclosure of the nature and scope of the investigation. The nature and scope disclosure must be made in a written statement that is mailed or otherwise delivered to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later. 36

9.1.5 Medical Information Under FCRA

FCRA limits the use of medical information obtained from CRAs, other than payment information that appears in a coded form and does not identify the medical provider. 37 If medical information is to be used for an insurance transaction, the consumer must provide consent to the user of the report, or the information must be coded.
If the report is to be used for employment purposes—or in connection with a credit transaction, except as provided in regulations issued by the banking and credit union regulators—the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person, except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation or order. 38

9.1.6 “Prescreened” Lists

FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with firm unsolicited offers of credit or insurance, under certain circumstances and conditions. This practice is known as prescreening and typically involves obtaining from a CRA a list of consumers who meet certain preestablished criteria. If any person intends to use prescreened lists, that person must: (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer.

In addition, any user must include with each written solicitation a clear and conspicuous statement that:

° Information contained in a consumer’s CRA file was used in connection with the transaction.
° The consumer received the offer because they satisfied the criteria for creditworthiness or insurability used to screen for the offer.
° Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on creditworthiness or insurability, or the consumer does not furnish required collateral.
° The consumer may prohibit the use of information in their file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. The statement must include the address and toll-free telephone number of the appropriate notification system.

Beginning in 2005, the companies that send prescreened solicitations of credit or insurance were required to supply simple and easy-to-understand notices explaining the consumer’s right to opt out of receiving such offers. 39 The FTC issued a rule requiring a layered notice with opt-out rights included on the first page. The FTC also issued a new consumer education brochure concerning prescreening. 40

9.1.7 Enforcement of the FCRA

Enforcement of the FCRA is available through dispute resolution, private litigation, and government actions. 41 The dispute resolution infrastructure permits the consumer to file a request with the CRA to dispute the accuracy of information and then requires the CRA to investigate the consumer’s complaint. 42 If consumers are not satisfied with the dispute resolution process, the individuals have a private right of action, with recent trends including consumers becoming involved in class action lawsuits. 43

Noncompliance with the FCRA can lead to civil and criminal penalties. In addition to actual damages, as of the writing of this book, violators are subject to statutory damages of a maximum of $1,000 per violation, and a maximum penalty of $4,705 per willful violation. 44 An officer or employee of a CRA who, both knowingly and willingly, provides information concerning an individual from the company’s files to someone who is not authorized to receive that information can face criminal penalties and imprisonment. 45

Government enforcement actions for violations of the FCRA can be brought by the FTC, the CFPB, and state attorneys general. 46 At the federal level, both the FTC and the CFPB share responsibility to enforce the FCRA. 47 Since 1996, state attorneys general have had concurrent enforcement authority with regard to FCRA. 48 The state attorneys general are required to give notice to the FTC prior to filing suit, and the FTC retains the authority to intervene in the cases brought by the state attorneys general. 49

An example of FTC enforcement is the settlement against TeleCheck Services, one of the nation’s largest check authorization service companies, for claims that the company failed to follow dispute procedures; the company agreed to pay a $3.5 million civil penalty. 50 The settlement was part of a broader initiative by the FTC to target the practices of data brokers that sell information to companies making decisions about consumers. 51 In the FTC’s first FCRA case involving automated background screening practices, RealPage agreed to pay a $3 million civil penalty for claims that the company failed to take reasonable steps to ensure the accuracy of consumer reports. 52

An example of CFPB enforcement against CRAs is the case of Clarity Services. The CFPB alleged that the company failed to properly investigate consumers who attempted to dispute information on their credit reports and obtained credit reports without a permissible purpose.
As a result, Clarity Services agreed to pay an $8 million civil penalty. 53

CFPB has also enforced obligations of data furnishers. 54 JPMorgan Chase agreed to a settlement where it paid a civil penalty of $4.6 million related to claims that the company failed to have in place reasonable written policies concerning the accuracy of information that it provided to certain CRAs as well as that the company failed to provide consumers with results of investigations where the consumers disputed accuracy of information directly with JPMorgan Chase. 55

Actions by state attorneys general can be brought by individual states or collectively by multiple states. 56 An example from 2015 involved more than 30 state attorneys general offices that entered into a settlement with three main consumer reporting agencies, Equifax, Experian and TransUnion. The settlement related to claims concerning credit report errors, monitoring of data furnishers, and marketing of credit monitoring products to consumers. These companies agreed to pay the participating states $6 million and to adjust their business practices. 57

9.2 The Fair and Accurate Credit Transactions Act

In 2003, Congress passed FACTA, which made substantial amendments to the FCRA. 58 Under FACTA, stricter state laws are preempted in most areas, although states retain some powers to enact laws addressing identity theft. 59 In addition, FACTA specifically identified certain state laws that would remain in effect. With regard to credit scores, state laws in California and Colorado, as well as state insurance laws regulating the use by insurers of credit-based insurance scores, remain in effect. 60 Pertaining to frequency of free credit reports, the federal law permitted state laws in Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, and Vermont to remain in effect. 61

FACTA enacted a number of consumer protections.
It required truncation of credit and debit card numbers, so that receipts do not reveal the full credit or debit card number. It gave consumers new rights to an explanation of their credit scores. It also gave individuals the right to request a free annual credit report from each of the three national consumer credit agencies—Equifax, Experian and TransUnion. Along with other identity theft protections, FACTA required regulators to promulgate a Disposal Rule and a Red Flags Rule.

In 2010, the FTC issued new rules updating the manner of disclosure required by the companies advertising free credit reports. 62 The updates “include prominent disclosures designed to prevent consumers from confusing these ‘free’ offers with the federally mandated free annual file disclosures.” Such a disclosure must be “easily readable,” and the rules give examples of fonts that are, and are not, easily readable. As of 2011, the CFPB took over rulemaking authority in this area. 63

9.2.1 The Disposal Rule

The Disposal Rule requires any individual or entity that uses a consumer report, or information derived from a consumer report, for a business purpose to dispose of that consumer information in a way that prevents unauthorized access and misuse of the data. Consumer reports can be electronic or written. The rule applies to both small and large organizations, including consumer reporting agencies, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors, and government agencies.

“Disposal” includes any discarding, abandonment, donation, sale or transfer of information. The standard for disposal requires practices that are “reasonable” to protect against unauthorized access to or use of the consumer data.
Factors to consider include the sensitivity of information being disposed of, the costs and benefits of various disposal methods, and available technology. 64 Examples of acceptable, reasonable measures include developing and complying with policies to:

° Burn, pulverize or shred papers containing consumer report information so that the information cannot be read or reconstructed
° Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed
° Conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the rule

Enforcement of the Disposal Rule is by the FTC, the federal banking regulators, and the CFPB. Violators may face civil liability as well as federal and state enforcement actions.

Financial institutions that are subject to both the FACTA Disposal Rule and the GLBA Safeguards Rule (discussed in Section 9.3) should incorporate required disposal practices into the information security program that the Safeguards Rule mandates. They should also be aware of any state disposal rules that may impose broader requirements.

9.2.2 The Red Flags Rule

The Red Flags Rule was originally promulgated under FACTA, which required agencies that regulate financial entities to develop a set of rules to mandate the detection, prevention and mitigation of identity theft. The FTC, together with federal banking agencies, authored the Red Flags Rule. 65 As with the rest of the FCRA and FACTA, the CFPB has now gained rulemaking and enforcement authority.

The rule requires certain financial entities to develop and implement written identity theft detection programs that can identify and respond to the “red flags” that signal identity theft. Specifically, the rule applies to financial institutions and creditors. “Financial institution” is defined as all banks, savings and loan associations and credit unions.
It also includes all other entities that hold a “transaction account” belonging to a consumer. Due to confusion over which entities qualify as covered “creditors,” however, enforcement of the rule was delayed several times until a clarification was published in 2010. 66

The Red Flag Program Clarification Act of 2010 was passed in response to concern that the definition of creditor extended to implicate unintended entities, such as attorneys and health providers, simply because they allow customers to pay their bills after the time of service. 67 The clarification narrows the previously broad definition of creditor, as well as the circumstances under which they are covered by the rule. It eliminates entities that extend credit only “for expenses incidental to a service.” The rule still applies to entities that, regularly and in the course of business:

- Obtain or use consumer reports in connection with a credit transaction
- Furnish information to consumer reporting agencies in connection with a credit transaction
- Advance funds to or on behalf of someone, except for expenses incidental to a service provided by the creditor to that person 68

The new law also authorizes regulations that apply the rule to businesses whose accounts should be “subject to a reasonably foreseeable risk of identity theft.”

The rule does not provide a checklist for specific red flags that must be included in the identity theft detection programs. Rather, the program should generally identify relevant patterns, practices and specific forms of activity that are red flags of possible identity theft, incorporate these flags into the program, and update the program regularly to reflect changes in risks.
Each organization is required to develop its own list of red flags, but examples cited by the FTC include alerts, notifications or warnings from a consumer reporting agency; suspicious identification documents; suspicious personal identifying data; and unusual use of a covered account.

9.3 Gramm-Leach-Bliley Act

Title V of the Financial Services Modernization Act of 1999 led to the promulgation of both a Privacy Rule and a Safeguards Rule. 69 GLBA was major legislation that reflected and codified the consolidation of the U.S. banking, securities and insurance industries in the late 1990s. As previously separate types of financial institutions began to merge, substantial concerns arose over how consumer data would be collected, used and shared among the newly formed holding companies and their subsidiaries within the financial sector.

These privacy provisions were spurred by enforcement actions against major banks for controversial data practices. Prior to GLBA’s passage, some leading financial institutions were found to have shared detailed customer information, including account numbers and other highly sensitive data, with telemarketing firms. Subsequently, the firms used the account numbers to charge customers for unsolicited services.

One of the most prominent cases involved U.S. Bancorp and the telemarketing firm MemberWorks. 70 The Minnesota attorney general’s office brought suit in 1999, as Congress was considering GLBA. The suit resulted in a $3 million settlement for allegations that the bank had sent detailed customer information to the telemarketing firm, including account numbers and related information that enabled the marketer to directly withdraw funds from the customer account. 71

The U.S. Bancorp/MemberWorks case focused popular and regulatory attention on the prevalence of data-sharing relationships between banks and third-party marketers.
A group of 25 attorneys general brought additional actions against major financial institutions in an attempt to address these practices. Congress responded to these events by including significant privacy and
