On December 4, 2003, President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amends the Fair Credit Reporting Act. This legislation strengthens regulations concerning the accuracy and integrity of consumer files and the reports generated from them by credit reporting agencies, and provides consumers with a new arsenal of weapons to fight the growing crime of identity theft.

The following provisions of FACTA will help ensure the accuracy and integrity of consumer files at the credit reporting agencies:

• Consumers have the right to obtain one free credit report annually from each of the three major credit reporting agencies. The request, which may be made by telephone, mail, or over the Internet, must be directed to a newly-created centralized source that will provide the reports. (A toll-free number will be announced at a later date.)
• Upon request, each credit reporting agency must provide a consumer with his or her credit score (which indicates the consumer's credit risk). The credit reporting agency must also provide a summary of how the score is created and what it means. The agency may charge a fee for this service.
• A creditor supplying a credit reporting agency with negative information about a consumer transaction (e.g., late payment, delinquency status, or other default) must inform the consumer it is doing so. Notification must be given prior to, at the same time as, or within 30 days after submitting the information.
• Consumers victimized by identity theft may block creditors from providing information to credit reporting agencies if that information is the result of identity theft. Similarly, at the request of the consumer, credit reporting agencies must notify providers of credit information that the information provided is the result of identity theft, and those providers must take steps to ensure that such information is not resubmitted to the credit reporting agencies.

In addition, several provisions of FACTA are designed to limit the distribution and unauthorized use of individual credit reports. Credit reporting agencies are required to clearly explain to consumers how they may opt out of being added to pre-screened lists that are used to generate unsolicited offers of credit or insurance. Further, a credit reporting agency cannot send a consumer's medical information to a credit report requestor unless that information is relevant to the transaction (be it for credit, insurance, or employment) that generated the request, and the consumer authorizes the release of the information.

Many provisions of FACTA are designed to give consumers more safeguards against identity theft and the deleterious effects it may have on their credit reports.

At the consumer's request, the credit reporting agencies must add an initial fraud alert to any credit reports or scores they send out for at least 90 days after the request. These alerts:

• Indicate that the consumer has been or may be about to become the victim of fraud (including identity theft)
• Notify the user of the credit report or score that the consumer does not authorize granting any new credit, extensions of existing credit, or additional (or replacement) credit cards for existing accounts unless the user verifies the identity of the person making the request
• Entitle the consumer to one free credit report, which must be provided by the credit reporting agency within 3 days of the request

Any credit reporting agency receiving such a fraud alert request must notify the other credit reporting agencies, and these agencies must also follow the same procedures.

If a consumer files an identity theft report with any appropriate federal, state, or local law enforcement agency, the consumer may then request the credit reporting agencies to include an extended fraud alert on any credit reports or credit scores they provide to users. This alert will be included for 7 years from the date of the request, unless the consumer requests earlier termination.

Similar to an initial fraud alert, an extended fraud alert requires any user of the credit report or score to verify the identity of the person making a request for new credit, an extension of existing credit, or an additional (or replacement) credit card for an existing account. This verification must be accomplished by contacting the consumer in person at a telephone number the consumer has provided for this purpose; it is not sufficient for the user to verify the identity of the person making the request by any other means.

Any credit reporting agency receiving an extended fraud alert request must share that request with the other credit reporting agencies, which must follow the same procedures. Upon request, consumers may get two free credit reports from each credit reporting agency within 12 months after filing the extended fraud alert request.

As part of schemes to obtain credit fraudulently, identity thieves often divert consumer mail from creditors. Accordingly, if an issuer of a credit card receives a consumer notification of a change of address, and shortly thereafter (within at least the next 30 days) receives a request for an additional (or replacement) card to be delivered to the new address, FACTA requires the card issuer to notify the consumer of this request at the consumer's previous address before it issues the card. Alternatively, the issuer may contact the consumer by other means (e.g., a telephone call), or take other steps to verify the identity and the true address of the person making the request for the card.

If a credit reporting agency provides a creditor with a consumer's credit report, and the consumer's address as listed on that report doesn't match the address the creditor has for that consumer, the credit reporting agency must call this to the attention of the creditor, and the creditor is required to take steps to verify the identity and the true address of the person it is doing business with.

FACTA also requires creditors and credit reporting agencies to take other measures to prevent identity thefts and/or to mitigate their effects on consumer credit histories. These measures include the following:

• Credit card receipts printed electronically may only print the last 5 digits of the credit card account number on the receipt. (Handwritten receipts and receipts made by taking impressions of the cards are exempted from this requirement.)
• At a consumer's request, a credit reporting agency may not print the first 5 digits of the consumer's Social Security number on any credit reports it sends to the consumer.
• At the consumer's request, a creditor must provide records of any transactions with the perpetrator of an identity theft, once the consumer has been identified as the victim of that theft and has presented a copy of an identity theft report filed with any appropriate federal, state, or local law enforcement agency. These records must be made available to the consumer and/or to any law enforcement agency specified by the consumer.
• As coordinated by the Federal Trade Commission, credit reporting agencies must provide consumers with a summary of their rights to obtain and dispute information contained in their credit reports, and (where appropriate) a summary of their rights as victims of identity theft.