Previous Document IconPrevious Info Memo

Next Document IconNext Info MemoExam Manual Table of Contents IconList of Info Memos

Informational Memorandum
Subject:FTC Regulations to Implement Affiliate Marketing, Identify Theft Red Flags, and Address Discrepancy Provisions of the FACT Act
Date of Memorandum:12/05/2007
Expiration Date:
Office:OE
Signed By:McKenzie, Thomas
FCA Contact Person:Stephens, David (&03) 883-4412
Contact Phone:
List of Attachments:



Farm Credit Administration 1501 Farm Credit Drive
Informational Memorandum



December 3, 2007


To: Chief Executive Officer
All Farm Credit Institutions

From: Thomas G. McKenzie, Director and Chief Examiner
Office of Examination

Subject: FTC Regulations to Implement Affiliate Marketing, Identify Theft Red Flags, and Address Discrepancy Provisions of the FACT Act


The Federal Trade Commission (FTC) recently adopted two sets of final regulations to implement various provisions of the Fair and Accurate Transactions Act (FACT Act) of 2003, which amended the Fair Credit Reporting Act. In certain situations, these regulations may apply to FCS institutions. The rules are effective on January 1, 2008, with a mandatory compliance date of October 1, 2008.

The first final rule was published on October 30, 2007 and implements the affiliate marketing provisions in section 214 of the FACT Act. The rule generally prohibits a person (including an FCS institution) from using certain information received from an affiliate to make a marketing solicitation to a consumer, unless the consumer is first given notice. The notice must provide for a reasonable opportunity and a reasonable and simple method to opt out of such solicitations. Only if the consumer does not opt out can such solicitations be made. The rule applies to information obtained from the consumer's transactions or account relationship with an affiliate, the consumer's application, and credit reports and other third-party sources. The rule also implements the statutory exceptions to the notice and opt-out requirement. The appendix to the rule contains model forms to facilitate compliance with the notice and opt-out requirement. The rule was published at 72 FR 61424 and it will be codified at 16 CFR Part 680 and 16 CFR Part 698 (primarily Appendix C).

The second final rule was published on November 9, 2007 and addresses identity theft "red flags" and “address” discrepancies to implement sections 114 and 315 of the FACT Act. The rule requires each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:
  1. Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;

2. Detect “red flags” that have been incorporated into the Program;

3. Respond appropriately to any “red flags” that are detected to prevent and mitigate identity theft; and

4. Ensure the Program is updated periodically to reflect changes in risks from identity theft.

The rule also contains guidelines to assist financial institutions and creditors in developing and implementing a Program, including a supplement that provides examples of “red flags”. The final rule also requires credit and debit card issuers to develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. In addition, the rule requires users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency. The rule was published at 72 FR 63718 and it will be codified at 16 CFR Part 681.

FCA has no authority under the FACT Act. The FTC regulates and enforces the FACT Act with respect to FCS institutions. Some provisions of the FACT Act are also enforceable through private litigation, through which institutions may face civil liability. However, FCA may examine institutions for FACT Act compliance under its general authority to protect the safety and soundness of FCS institutions. Because the FACT Act and regulations are complex and compliance obligations are fact-specific, you may wish to consult legal counsel to determine the responsibilities of your institution. You may also contact the FTC personnel listed in the rules with any questions.

If you have any questions about this memorandum, please contact Jennifer A. Cohn, Senior Attorney, Office of General Counsel, at (703) 883-4028, or by e-mail at cohnj@fca.gov; and/or David Stephens, Office of Examination, at (703) 883-4412, or by e-mail at stephensd@fca.gov.