Does the Rule apply to us even if we do not obtain credit reports? Yes, if the business is a “creditor” or “financial institution” (defined as a depository institution). The Rule applies to creditors and financial institutions without regard to whether they obtain or use credit reports.
Step 1 — Assessing whether you offer covered accounts
What is a “covered account”? A “covered account” is a consumer credit account or consumer deposit account involving multiple payments or transactions. Commercial credit and deposit accounts also can be “covered accounts” where there is a “reasonably foreseeable risk” from identity theft to customers or to safety and soundness.
How do I determine if there is a “reasonably foreseeable risk” from identity theft in a business or commercial account? Risk is defined to include financial, operational, compliance, reputation or litigation risk. In making your risk determination, you should consider the risk of identity theft presented by the methods that you provide to open business accounts and the methods that you provide to access business accounts, as well as your previous experiences with identity theft with a business account.
Is a commercial real-estate loan a covered account? Commercial credit accounts can be “covered accounts” where there is a “reasonably foreseeable risk” from identity theft to customers or to safety and soundness.
I service residential mortgage loans. Do I offer or maintain covered accounts? Residential mortgage loans are covered accounts, and as a servicer you may be considered to be “maintaining” such accounts. Unless, however, you are considered to be a creditor, such as by regularly participating in credit decisions, you are not subject to the Rule. However, you may have contractual duties imposed upon you by the lenders for which you provide services that are related to their Programs.
I am an indirect lender — I do not open accounts directly with a consumer but purchase loans in the secondary market. Am I required to have a Program?Am I required to consider the risk of identity theft at the point of receiving the assignment of the account? Or is my only obligation to consider the risk of identity theft in the maintaining of the covered account? If the loans that you purchase would be considered “covered accounts,” you may be required to have a Program. As a secondary market purchaser of loans, however, you may not be considered to “regularly participate” in credit decisions and therefore may not be a “creditor” under the ECOA. In addition, the Rule requires you to address the risks of identity theft in connection with account opening and access. Because you do not originate or “open” accounts but rather purchase them on the secondary market, even if the loans you purchase are “covered” accounts, you should be required only to address the risk of identity theft in connection with account access.