FACTA changes which took effect on December 1, 2004 or before include: 

1)  The Fraud and Credit Report Alert Requirements.  This regulation requires Consumer Reporting Agencies (CRAs) to insert an Initial Alert, an Extended Alert, or an Active Duty Alert in a consumer’s credit report when the consumer meets certain regulations as to making a report and proving the consumer’s own identity.  The statute goes on to require that users of a consumer credit report which contains an Initial Alert, or an Active Duty Alert, such as lenders, shall not establish a new credit plan, or an extension of credit in the name of the consumer (other than on an existing open ended credit plan), or grant an additional card or an increase in credit limit on an existing account unless the creditor utilizes reasonable policies and procedures to form a reasonable belief that the creditor knows the identity of the person making the request.  (FACTA § 112, 15 U.S.C. § 1681c-1.)  If the consumer who requested the alert specified a telephone number to be used for identity verification purposes, the creditor shall contact the consumer using that telephone number or take reasonable steps to verify the consumer’s identity and confirm that the application for a new credit plan is not the result of identity theft.

Where the consumer has requested and been granted an Extended Alert, that alert shall give notice that the consumer does not authorize the establishment of any new credit plan or extension of credit as described above, other than on an existing open ended credit plan, unless the creditor contacts the consumer in person or contacts the consumer through a telephone number or other method specified by the consumer in the extended alert.

3)  Prevention of Repollution of Consumer Reports.  Section 154, 15 U.S.C. § 1681s-2(a) requires that furnishers of credit information (creditors reporting to CRA's) shall have in place reasonable procedures to respond to a notification from a CRA that it has blocked information which had been placed on the credit report as a result of identity theft.  These regulations shall prevent that furnisher from refurnishing the blocked information.  In addition, if the consumer submits an identity theft report to a furnisher of credit information, then the furnisher shall not furnish that information to a CRA unless the furnisher subsequently knows or is informed by the consumer that the information is correct.  This is significant because if a creditor received what it believed was a false report that an unpaid account was the result of identity theft, if the CRA blocked the information, the creditor could not report it in the future.  If the report came from the consumer, but the CRA did not block it, the creditor could only report it in the future if the creditor “knows” that the information is correct, or if the consumer informed the creditor that the information is correct. 

In what is probably the most significant element of the FACTA amendments for creditors, Section 154 goes on to amend 15 U.S.C. § 1681m to provide that where the CRA blocks reporting of a charge on the credit report as a result of an identity theft report, the creditor is prohibited from selling, transferring or placing for collection the debt reported to the lender by the CRA as being the result of identity theft.  (Section 1681m(f).)  This provision is significant because it gives the CRA the final decision on whether the debt is valid.  The creditor can submit more information and request that the CRA rescind its decision under Section 1681c-2(c).  However, if the CRA refuses, the creditor apparently has no recourse.  Disputes about the validity of an identity theft report are common in scenarios such as a divorced or estranged unmarried couple, where credit obtained in one person's name is claimed to have been procured by the other partner, without the person's knowledge or permission.  The CRA may have no way to discover that the couple are still residing or doing business together, making the validity of the identity theft claim doubtful.  The statute is silent regarding whether the creditor could foreclose on or repossess property given as security for such a debt, or whether a court could compel the CRA to remove the identity theft block.  Note however, that a loan subject to an identity theft credit report block can still be securitized or pledged as collateral as a part of a portfolio.

4)  Disclosure of Credit Scores.  Section 212(c), 15 U.S.C. § 1681g(g), requires where a consumer credit score is used by a mortgage lender in connection with an application by a consumer for a closed end loan or an open end loan for a consumer purpose that is secured by 1 to 4 units of residential real property, that the lender must supply to the consumer, as soon as is reasonably practicable, the current or most recent credit score calculated by the CRA for a purpose related to the extension of credit, the range of possible scores, all key factors that adversely affected the credit score (up to a maximum of 4 factors), the date on which the credit score was created and the name of the person or entity that provided the credit score or the file upon which the credit score was created.  In addition, the lender must give this notice to the consumer:

NOTICE TO THE HOME LOAN APPLICANT

   "In connection with your application for a home loan, the lender must disclose to you the score that a consumer reporting agency distributed to users and the lender used in connection with your home loan, and the key factors affecting your credit scores.

   "The credit score is a computer generated summary calculated at the time of the request and based on information that a consumer reporting agency or lender has on file. The scores are based on data about your credit history and payment patterns. Credit scores are important because they are used to assist the lender in determining whether you will obtain a loan. They may also be used to determine what interest rate you may be offered on the mortgage. Credit scores can change over time, depending on your conduct, how your credit history and payment patterns change, and how credit scoring technologies change.

   "Because the score is based on information in your credit history, it is very important that you review the credit-related information that is being furnished to make sure it is accurate. Credit records may vary from one company to another.

   "If you have questions about your credit score or the credit information that is furnished to you, contact the consumer reporting agency at the address and telephone number provided with this notice, or contact the lender, if the lender developed or generated the credit score. The consumer reporting agency plays no part in the decision to take any action on the loan application and is unable to provide you with specific reasons for the decision on a loan application.

   "If you have questions concerning the terms of the loan, contact the lender."

5)  Requirement to Disclose Communications to a Consumer Reporting Agency. Section 217(a), 15 U.S.C. § 1681s-2, requires that either before, or within 30 days after, furnishing negative information to a CRA, the furnisher must give notice to the consumer.  This may be given in a regular monthly statement or in a notice of default.  Notice given in the initial TILA disclosure will not suffice.  The model clause for pre-communication notice reads:

“We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.”

The model clause for post-communication notice reads:  “We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report.” 

6)  Risk Based Pricing Notices.  Section 311, 15 U.S.C. § 1681m.  This provision becomes effective December 1, 2004, but these provisions are only enforceable by certain Federal agencies (i.e., no private right of consumer to sue.)  Since the FTC and the Federal Reserve Board will establish parameters for compliance, including the requirements for consumer notice, the date of compliance with these standards will be set out.  This joint pronouncement by letter from the various Federal agencies does not clarify what they mean by “effective December 1, 2004.”  Basically this is another species of the credit denial letter.  This notice must be given when, even though credit was not denied, when a lender, on the basis of a consumer credit report offers credit to the consumer “on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers” from or through the lender.  For example, if many HELOC customers are getting 1% below prime as their margin on the HELOC and a person with spotty credit on the CRA report is offered 1% above prime, this notice would have to be sent.  No notice shall be required from under this subsection if the consumer applied for specific material terms and was granted those terms, unless those terms were initially specified by the person after the transaction was initiated by the consumer and after the person obtained a consumer report; or if a notice of denial is being sent.  This latter exception would apply, for example, if the consumer applied for a prime minus one HELOC and was offered a prime plus 1 HELOC and declined.  Then the normal letter when a person was declined for credit reasons would be sent, but not this new notice.  It does not appear that this will be enforced until a regulation setting out the notice which must be sent is completed.

The FACTA requirements for safe Disposal of consumer information became effective on June 1, 2005, after the promulgation of 16 CFR 682.3 by the FTC.  This section spells out the disposal requirements as follows: 

  § 682.3 Proper disposal of consumer information.  (a) Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.  (b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with the rule in this part.

 (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.

 (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.

 (3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

 (4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (b)(1) and (2) of this section.

 (5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR part 314 ("Safeguards Rule"), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule.