Question: Where can I find all the compliance provisions required by the Fair Credit Reporting Act?
Answer: Here, there, and everywhere.
The Fair Credit Reporting Act (FCRA) was a law passed in the 1970s and was fairly straightforward. The primary purpose of the FCRA was to provide guidance to consumer reporting agencies about collecting and disseminating information about consumers to be used in credit evaluations and for other purposes, including insurance applications and employment. The FCRA also had rules for users of consumer reports and consumer information, such as creditors and employers.
The Fair and Accurate Credit Transactions Act (FACTA) became law in 2003 and revised the FCRA. To understand all provisions of the law today, your research must include the FCRA, FACTA, and Federal Regulation V – Fair Credit Reporting.
Who is covered by the law(s)?
Credit Reporting Agencies – Credit bureaus (credit reporting agencies) are common types of consumer reporting agencies. Under FCRA, credit bureaus must verify the accuracy of credit records they maintain when consumers dispute the accuracy. A credit bureau must notify the consumer if it reinserts negative information that it had removed because of the consumer’s dispute. Under the FACTA, consumers may obtain a free credit report once every 12 months. Consumers must request the reports, and they may be obtained from three national consumer credit reporting agencies – TransUnion, Experian, and Equifax.
Creditors – A creditor is covered by the FCRA if it provides information to consumer reporting agencies. Under FCRA, if a creditor provides information to consumer reporting agencies, it must:
- Provide complete and accurate information;
- Investigate information disputed by the consumer and correct the error or provide an explanation about its accuracy within 30 days of receiving the dispute; and
- Inform consumers about negative information reported or about to be reported to a consumer reporting agency within 30 days.
Most Common Violations
To give you a flavor for where the highest FCRA risk may be lurking, here are the more common ways creditors and credit reporting agencies violate the FCRA.
- failing to report that a debt was discharged in bankruptcy;
- reporting old debts as new or re-aged;
- reporting an account as active when it was voluntarily closed by a consumer; and
- reporting information that is more than seven years old (bankruptcy) or ten years old (civil judgments).
FACTA – To FCRA and Beyond
The Fair and Accurate Credit Transactions Act (FACTA) was signed into federal law in December 2003, and most of the requirements became effective in December 2004. The guidance in FACTA builds on provisions for credit reporting that are found in the Fair Credit Reporting Act (FCRA), and it implements guidance for identity theft prevention.
The FACTA contains seven separate titles and includes these major compliance provisions:
Identity Theft Prevention and Credit History Protection – FACTA is intended to deter fraudulent use of consumers’ credit histories. The law provides for alerts to protect consumers’ credit records; limits how credit card account information is used on receipts; and requires new regulations to compel financial institutions and creditors to implement procedures to detect identity theft. FACTA mandates proper destruction and disposal of certain information that is collected about consumers.
Fraud Alerts – FACTA allows individuals who suspect they may be subject to identity theft or who are deployed overseas with the military to implement alert notifications on their credit records. Such alerts deter many fraudulent uses of credit records.
Credit and Debit Card Numbers – FACTA requires that businesses print no more than five digits of a customer’s card number or card expiration date on receipts for point-of-sale or purchase transactions. All types of receipts are covered by the requirements, including those that are imprinted or handwritten. The credit and debit card number truncation rules became effective in 2005.
Red Flags Rule – The FACTA Red Flags Rule required federal agencies to create joint regulations about identity theft prevention that were applicable to financial institutions and creditors. The coverage of the FACTA Red Flags Rule extends to covered accounts at “financial institutions and creditors” which have been defined by the Federal Trade Commission (FTC) to include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utilities companies and telecommunications companies”. The FTC has also defined “covered accounts” to mean any account for which there is a foreseeable risk of identity theft. Examples include credit cards, monthly billed accounts like utility bills or cell phone bills, social security numbers, driver’s license numbers, medical insurance accounts, and many others.
Consumer Credit Report Access – Consumers may obtain a free credit report once every 12 months. Consumers must request the reports, and they may be obtained from three national consumer credit reporting agencies – TransUnion, Experian, and Equifax. The three agencies worked with the Federal Trade Commission to implement a website for consumers to more easily access credit reports (www.AnnualCreditReport.com).
Span of FCRA/FACTA/Regulation V Compliance Impact
Where will you look for compliance with FCRA, FACTA, and Regulation V? In some respects, that will depend on your financial institution’s business model and product array. However, to begin evaluating the Compliance Management System (CMS), keep these compliance disciplines in mind:
Users of Consumer Reports (most common use to creditors)
- Duties of Users Regarding Obtaining and Using Consumer Reports
- Duties of Users Regarding Risk Pricing
- Duties of Users of Consumer Reports Regarding Identity Theft
- Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal
- Affiliate Sharing
- Use of Medical Information
- Free Credit Reports
- Disclosure on Opt-Out of Prescreened Lists
- Disclosure of Credit Scores
- Notice of Negative Information
Reporting Credit Information
- Duties of Furnishers of Consumer Information
- Investigation of Complaints
- Notice of Negative Information
Marketing and Advertising
- Affiliate Marketing
- Identity Theft Red Flags
- Providing Information to Victims
- Blocking Information
Consumer Reporting Agencies (CRA)
Note: A CRA is defined in Section 603(f) of the FCRA as “any entity which for monetary fees, dues, or on a cooperative nonprofit basis regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers.” A financial institution that reports its own information about credit experiences with a consumer does not meet the definition of a CRA.
- Duties of Consumer Reporting Agencies Regarding Identity Theft
- Duties of Consumer Reporting Agencies Regarding Disclosures to Consumers
- Duties of Consumer Reporting Agencies for Accuracy of Information
- Investigation of Complaints
- Free Credit Reports
- Disclosure of Credit Scores
For additional information regarding scope of FCRA compliance, see the CFPB Supervision and Examination Manual, Version 2 – October 2012, Page 582.