How To Get Up To Speed In Complying With Two Laws
Two pieces of legislation-the FACT Act and the USA Patriot Act-have created enormous compliance requirements for credit unions.
Some analysts have suggested that as a result many credit unions are not in compliance with the laws, which Catherine Arra, research and information consultant to the California and Nevada Credit Union Leagues, sought to address during the Credit Union Lending Network's conference here. The Credit Union Lending Network is one of eight peer-driven professional networks overseen by the California CU League.
"It's as if we are Secret Service agents," said Arra in describing what the two pieces of federal legislation seek to accomplish.
Below is a look at each law and the advice shared:
A FACT Act Checklist
Under the FACT, or Fair and Accurate Credit Transactions, Act, Catherine Arra said there are 10 sections of particular importance. All CUs must follow the provisions detailed in these sections to be in compliance with the FACT Act. Arra said she supplied the section numbers for people who wished to read the details of each provision, but she provided the following thumbnail sketches:
Fraud and active duty alerts (Section 112)-effective Dec. 1, 2004, active duty military personnel can request an alert be placed in their credit file for renewable one-year terms. "If a credit union sees a fraud or active duty alert: stop and verify the person it is working with actually is the member," Arra said.
Duty to delete wrong information (Section 314)-effective Dec. 1, 2004, consumer reporting agencies and the furnishers of information are required to delete, modify or block information from a consumer's file if it is found to be inaccurate.
Disposal of consumer report information (Section 216)-effective July 1, 2005, financial institutions must develop and maintain controls to ensure they properly dispose of consumer information derived from a consumer report. These controls must be part of the institution's information security program.
Repollution of consumer reports (Section 154)-effective Dec. 1, 2004, CUs must have reasonable procedures in place to respond to notification from a consumer reporting agency that information the credit union furnished to the agency has been blocked because it resulted from identity theft. This is designed to prevent CUs from refurnishing the information, Arra explained.
Disclosing and using consumers' medical information (Section 411)-effective March 7, 2006, creditors are broadly prohibited from obtaining or using "medical information" when making initial or continuing evaluations of consumers' eligibility for credit. "However, there are exceptions," she said. "Credit unions can use information if it is the type regularly used in making credit decisions, and as long as it is used in a manner no less favorable than non-medical information. But, the applicant's physical, mental or behavioral health, prognosis, condition, history, or type of treatment cannot be used as part of the determination."
Disclosure of credit scores (Section 212)-effective Dec. 1, 2004, if a lender uses a credit score to make or arrange consumer credit secured by one to four units of residential real estate, the lender must disclose to the consumer his or her current credit score, the range of possible scores, up to four key factors that adversely affected the score, the date the score was created, the name of the person or entity that provided the score, and the name, address and telephone number of each credit bureau providing a score that was used.
Discrepancy with consumers' address (Section 315)-effective Dec. 1, 2004, when a CU requests a consumer report from a credit reporting agency, if the report includes an address for the consumer that differs substantially from the addresses in the consumer's file, the agency is required to inform the credit union of the discrepancy. Arra said NCUA and the Federal Trade Commission have yet to issue regulations regarding policies and procedures CU management should employ upon receipt of an address discrepancy notice.
Risk-based pricing notice (Section 311)-effective Dec. 1, 2004, this section requires credit unions to provide notice to consumers who receive credit on terms that are materially less favorable than the most favorable terms available. As is the case with Section 315, regulations from the Federal Reserve and the FTC still are pending.
Reporting negative credit (Section 217)-effective Dec. 1, 2004, CUs must notify members they will report negative credit information to a consumer reporting agency. This notice must be provided either before the negative information is reported, or within 30 days of reporting. "Credit unions can send this notice at any time prior to reporting, as long as it is not sent with Reg Z disclosures," she said.
Prescreen opt-out disclosure (Section 213)-effective Aug. 1, 2005, disclosure notices informing consumers they can opt out of "pre-screened" solicitations must be simpler and easier for them to understand. All marketers must use both a short and long notice. The short notice telling consumers how to opt out of future solicitations must appear on the first page of a promotional document, and it must direct the consumer to the long notice by name: "Prescreen and Opt Out Notice." Arra said this is an issue for both the marketing and compliance departments in a CU. "Marketing and compliance are always at odds. Marketing wants to put out a flashy piece, and doesn't want to clutter it with required notices."
Patriot Act Checklist
Catherine Arra said credit unions should pay attention to three sections: 314(a), which concerns the sharing of information between a CU and the government; 314(b), sharing of information between financial institutions; and 326, which requires CUs to establish and maintain a customer identification program, or CIP.
In 1990, the U.S. Treasury Department established the Financial Crimes Enforcement Network, or FinCEN, to fight money laundering. According to the Patriot Act, if a credit union receives a Section 314(a) request from FinCEN, it is required to search its records to determine if it maintained or has maintained accounts for, or has engaged in transactions with, any individual, entity or organization listed in the request. The CU must respond within 14 calendar days.
Under section 314(b), a financial institution or an association of financial institutions- which includes CUNA and the California CU League, Arra pointed out-may share information with another financial institution regarding individuals, entities, organizations or countries for purposes of identifying and reporting activities the institutions suspects may involve terrorism or money laundering, but this sharing is required to follow guidelines: both institutions must submit a 314(b) notice to FinCEN prior to sharing, a new notice must be filed annually and both institutions must take "reasonable steps" to ensure the other has submitted the required notice. The notices can be submitted online at: www.fincen.gov.
Effective Oct. 1, 2003, credit unions must have a CIP. Arra said the four basic elements of a CIP are: providing the member with a notice of the information collection requirement, verification of the identity of any person seeking to open an account, maintaining records of the information used to verify identity and checking to see if the person is on any "government lists." One glitch: "Two years later, we still are awaiting the government lists."
CUs are required to collect identity information from any person or entity opening an account, she continued. For individuals, this means name, date of birth, physical address and an identification number. For corporations, partnerships, trusts or any other type of entity: name, principal place of business, mailing address if different from the business address and an identification number.
If the person is a U.S. citizen, the identification number can be a Social Security number or an IRS employer identification number. If the person is not a citizen, he or she must provide a resident alien number, an individual taxpayer identification number, a passport number with the country of issuance, an alien identification card number, or the number and country of any other government-issued document with a photo. Entities must provide documents evidencing the existence of the corporation, partnership or trust.