The protection of consumer rights and the accuracy of credit information have become crucial in a world where financial transactions and credit-based decisions are becoming increasingly prevalent.
The Fair Credit Reporting Act (FCRA), a cornerstone of the Consumer Credit Protection Act, is at the core of these concerns. The FCRA is the primary federal law that ensures fairness, accuracy, and privacy in the realm of credit reporting.
In this blog, we explore the Fair Credit Reporting Act, delving into who makes the rules and enforces the law, the scope of its applicability, the obligations placed on covered entities, and the rights granted to the consumers.
The Fair Credit Reporting Act (FCRA) is a federal law enacted in 1970 to regulate the collection of consumers’ credit information and access to their reports to ensure fairness, accuracy, and privacy of consumer credit reports.
The FCRA requires credit reporting agencies (CRAs) to follow reasonable procedures to protect the confidentiality, accuracy, and relevance of credit information. It establishes a framework to protect consumers in their relationships with creditors, employers, and agencies relying on consumer credit reports from CRAs. It regulates the way consumer reporting agencies can collect, access, and share consumer data in consumer reports.
In 2003, the Fair and Accurate Credit Transactions Act (FACTA) introduced amendments to the FCRA, enhancing the accuracy of consumer credit information and implementing safeguards against identity theft. One notable addition permits consumers to place fraud alerts on their credit files.
The Dodd-Frank Act transferred most of the rulemaking responsibilities added to this Act by the FACTA and the Credit CARD Act to the Consumer Financial Protection Bureau (CFPB). However, the Federal Trade Commission (FTC) is authorized to enforce compliance with the FCRA.
This enforcement extends to consumer reporting agencies and all other entities subject to the FCRA, except when specific enforcement responsibilities are assigned to other government agencies in specific circumstances. Therefore, apart from the FTC, other government agencies such as federal banking agencies and the Securities and Exchange Commission are also responsible for enforcing FCRA compliance under specific circumstances.
The FCRA casts a wide net in terms of its applicability.
The FCRA applies to the files maintained by CRAs, known as consumer reports. A consumer report is defined as any communication from a consumer reporting agency that contains information relevant to a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or way of life.
These reports are used or expected to be used, in whole or in part, for determining a consumer's eligibility for credit, insurance primarily for personal, family, or household purposes, employment purposes, or other authorized purposes as detailed in Section 604 of the FCRA.
However, there are exclusions to the definition of a consumer report. Notably, it does not include reports that solely contain information about transactions or experiences between the consumer and the reporting entity, provided that such information is not shared among unrelated parties or affiliates without the consumer's explicit consent. Additionally, it excludes authorization or approval for a specific extension of credit granted by the issuer of a credit card or similar financial instrument.
Moreover, the FCRA limits the duration for which certain types of information can be reported. For instance, a CRA cannot report bankruptcy cases if they occurred more than ten years before the report. Details about civil suits, civil judgments, and records of arrests should not be included in consumer reports if they took place more than seven years prior to the report or until the statute of limitations has expired, whichever is longer. Similarly, information about paid tax liens, records related to accounts placed for collection or charged to profit and loss, and any adverse information except conviction records should not be included if they go back more than seven years.
The Fair and Accurate Credit Transactions Act of 2003 also restricts CRAs from reporting medical information in reports that will be used for employment, credit transactions, or insurance transactions unless the consumer consents to such disclosures. The consent must be (a) in writing, (b) specific, and (c) descriptive of the use for which the agency is disclosing the information (these specific requirements for consent are not necessary if the disclosure is for an insurance transaction).
Furthermore, CRAs are prohibited from disclosing the name, address, and telephone number of the medical furnisher (e.g., the hospital) responsible for specific information in the report. Creditors are disallowed from using consumer medical information in deciding whether to grant or to continue granting credit to a consumer.
Within the domain of consumer reports, the FCRA also has a specific category known as "investigative consumer reports." These reports gather information pertinent to a consumer's character, reputation, or mode of living from personal interviews with those who know the consumer or have knowledge of his reputation.
Section 604 of the FCRA specifies the permissible purposes for which a consumer report is to be issued. Consumer reports may be furnished in response to specific legal requirements. This includes furnishing reports in response to court orders, federal grand jury subpoenas, or certain subpoenas related to financial regulations.
Furthermore, consumer reports can also be obtained based on the written instructions of the consumer. They are also permissible when required to extend credit as a result of an application from a consumer. Additionally, consumer reports can be used for underwriting of insurance as a result of an application from a consumer, as well as when there is a legitimate business need, and for reviewing a consumer’s account to determine whether the consumer continues to meet the terms of the account.
Permissible purposes also include using consumer reports to determine eligibility for a license or other benefit granted by a governmental instrumentality as required by law to consider an applicant’s financial responsibility or status. Moreover, it can be obtained for use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation, for use by state and local officials in connection with the determination of child support payments aiding state officials in child support matters, and to certain government agencies issuing travel charge cards.
Consumer reports may also be issued in connection with transactions not initiated by the consumer, but only if authorized by the consumer, or if the transaction is a firm offer for credit or insurance and the consumer has not opted out from having their information shared for this purpose.
It is important to note that medical information in consumer reports can only be used for specific medical-related transactions, accounts, or balances and with the consumer's consent. For employment purposes, consumer reports can be obtained, provided the requester certifies that they will comply with state and federal laws. The prospective employer must inform the consumer that a report may be procured and obtain the consumer's consent. If adverse action is contemplated based on the report, the consumer must be provided with a copy of the report and an explanation of their rights under the FCRA.
Lastly, a consumer report can also be furnished to the Federal Deposit Insurance Corporation or the National Credit Union Administration when they are acting in their capacity as conservators, receivers, or liquidating agents for insured depository institutions or credit unions, especially in cases involving the resolution or liquidation of a struggling financial institution.
The FCRA requires CRAs to adhere to strict requirements in managing consumer credit data, including the following:
Every consumer reporting agency is required to establish and maintain reasonable procedures aimed at preventing violations of requirements relating to information contained in consumer reports and ensuring that consumer reports are only provided to individuals or entities for the permissible purposes. To fulfill this requirement, individuals or organizations seeking access to consumer information must disclose their identity, specify the intended purposes for which they require the information, and confirm that the information will solely be used for those specified purposes.
To ensure that the reports are only used for permissible purposes, the consumer reporting agencies are obligated to exert reasonable efforts to verify the identity of any new prospective user and ensure that the stated purposes are accurate before granting access to consumer reports. If there are valid reasons to suspect that a consumer report will be used for any purpose not permitted under Section 604, the consumer reporting agency is prohibited from furnishing that report to the requesting party.
A CRA, when it compiles and provides public record information that is likely to have an adverse effect on a consumer’s ability to obtain employment, should either notify the consumer at the time such information is provided to an employer or potential employer or maintain strict procedures to ensure that the information is complete and up to date. This requirement is essential for arrests, indictments, convictions, suits, tax liens, and judgments, which should reflect their current status. However, it is essential to note that these obligations do not apply to a federal agency or department when the head of the agency or department (or an appropriate delegate) makes certain written findings.
Consumer Reporting Agencies have a crucial duty not to provide a consumer report containing any adverse item of information if it results from severe forms of trafficking in persons or sex trafficking. This prohibition applies when a consumer provides trafficking documentation to the CRA.
CRAs are required to establish various alerts to prevent identity theft and related fraud. They must place fraud alerts in a consumer's file when requested by a consumer or their representative who suspects identity theft. These alerts last for at least a year but can be removed earlier with proper verification.
CRAs also have to share this information with other CRAs to enhance protection. When fraud alerts are active, consumers have the right to request free copies of their credit reports, and CRAs must promptly provide all disclosures required under the law. Extended alerts last for seven years and provide even greater protection, while active duty alerts help military consumers for a year.
CRAs need to establish policies and procedures to handle these alerts effectively. Resellers must also respect these alerts, and if a consumer contacts a CRA not covered under the law, the agency must provide information on how to contact relevant CRAs.
In addition, as part of their obligation to combat identity theft, CRAs must promptly block any information in a consumer's file that the consumer alleges resulted from identity theft. This block should be initiated within four business days upon receipt of specific documentation, including proof of the consumer's identity, an identity theft report, details of the disputed information, and a statement from the consumer confirming that this information doesn't relate to their own transactions.
CRAs are also required to notify the information provider that the data may be linked to identity theft, an identity theft report has been filed, and a block has been requested, including the effective dates of the block. The law allows CRAs to refuse or cancel a block when they find that a request is erroneous or based on material misrepresentation by the consumer. If such a decision is made, the consumer affected must be promptly informed.
This rule does not apply to resellers unless they are currently distributing consumer reports related to the disputed information, in which case they must block the data and inform the consumer. Verification companies are generally exempt, except when the information originates from identity theft, in which case they must abstain from reporting it to national consumer reporting agencies.
A CRA is prohibited from preparing or furnishing an investigative report unless the CRA has received a certification from the person who requested the report. CRAs cannot make inquiries for employment-related investigative reports if such inquiries would breach federal or state equal employment opportunity laws or regulations.
Additionally, when including public record information related to arrests, convictions, or other legal matters in investigative consumer reports, CRAs must verify the accuracy of this data within 30 days of providing the report. Furthermore, CRAs cannot create or provide investigative consumer reports with adverse information gathered through personal interviews with individuals close to the subject unless they follow specific confirmation procedures or the interviewee is the most reliable source of this information.
FCRA imposes additional obligations on CRAs engaged in the resale of consumer reports. When procuring a report for resale, they need to disclose the end-user's identity and the permissible purposes for which the report is provided. A person who procures a consumer report for the purpose of reselling the report should establish and comply with reasonable procedures to ensure that the report is only resold for permissible purposes.
This requires those persons to whom the report is resold (and who subsequently resell or provide it to others) to identify each end-user of the report, certify the intended purpose for using the report, and confirm that it will not be used for any other purposes. Before completing the resale, it must also make diligent efforts to verify the identities and certifications provided by these parties.
However, there is an exception to these requirements when a consumer report is resold to a federal agency or department of the United States Government. In such cases, the CRA is not obliged to disclose the identity of the end-user if the report is being used to determine the consumer's eligibility for access to classified information, and the agency or department certifies in writing that nondisclosure is necessary to safeguard classified information or the safety of individuals involved in the agency or department's operations.
The FCRA outlines specific requirements for users of consumer reports in various situations. These requirements include the following:
If a person takes any adverse action based on information contained in a consumer report, they must provide notice of the adverse action to the consumer, which can be oral, written, or electronic. They must provide the consumer written or electronic disclosure, which must include the consumer's numerical credit score used in any adverse action based in whole or in part on any information in the consumer report, including the range of credit scores, the factors adversely affecting the score, the date the score was created, and the provider of the credit score.
Moreover, the user must also provide the name, address, and telephone number of the consumer reporting agency that furnished the report. This should include a toll-free telephone number if the CRA compiles and maintains files on consumers nationwide. Additionally, the user is obligated to inform the consumer of their right to obtain a free copy of their consumer report and dispute inaccurate information with the consumer reporting agency.
When a consumer's credit for personal, family, or household purposes is denied, or the credit terms are partially or fully unfavorable due to information obtained from a source other than a consumer reporting agency, the user must disclose the nature of this information to the consumer upon written request.
Furthermore, the user must also inform the consumer of their right to make such a written request when communicating the adverse action. In cases where actions are taken based on information provided by affiliates and result in adverse consequences for the consumer, the entity must notify the consumer of the action taken and their ability to request information explaining the basis of this action. This information must be provided to the consumer within 30 days of their written request and submitted within 60 days of receiving the initial notice.
The FCRA also imposes obligations on users of a consumer report when reports are used in connection with a credit or insurance transaction not initiated by the consumer. Written solicitations made to consumers regarding credit or insurance transactions not initiated by the consumer must include a "clear and conspicuous statement" that information from the consumer's credit report was used in connection with the transaction; the consumer received the offer for credit or insurance because he or she satisfied specified criteria; and the credit or insurance may not be extended if, after the consumer responds to the offer, the consumer does not meet additional criteria used to determine creditworthiness or insurability. The statement should also include information about the consumer's right to prohibit the use of their consumer report information in such transactions and how to exercise this right.
Users, including financial institutions and creditors, must establish and maintain guidelines and procedures for preventing identity theft and notify consumers if they suspect identity theft. Additionally, users are prohibited from selling, transferring, or placing for collection any debt they have been notified has resulted from identity theft. Furthermore, when debt collectors act on behalf of a creditor or other user of a consumer report, they must notify the third party of potential identity theft and provide information to the consumer if requested.
Users must provide a notice to consumers if they use a consumer report to offer credit on less favorable terms than those offered to a substantial proportion of consumers. The notice must inform the consumer that the terms offered to the consumer were set based on information from a consumer report, identify the CRA that furnished the report, inform the consumer that he or she may obtain a free copy of the consumer report from that CRA, provide the contact information specified by the CRA for obtaining such reports, and provide the credit score used in deciding the credit terms, the range of credit scores, the factors adversely affecting the score, the date the score was created, and the provider of the credit score.
Under the FCRA, the furnishers of information to CRAs have specific responsibilities and duties. These duties are outlined to ensure the accuracy and integrity of the information they provide to CRAs. The responsibilities are:
Furnishers have a duty to provide accurate information. Under the FCRA, a furnisher must not provide information to any CRA if they know or have reasonable cause to believe that the information is inaccurate. Furnishers of information are also prohibited from providing information if the consumer has notified them that the information is inaccurate.
Furnishers are also prohibited from providing information that the consumer reports as resulting from identity theft unless the furnisher subsequently knows or is informed by the consumer that the information is correct. After receiving notice from a consumer of inaccurate information, furnishers must correct or confirm the accuracy of the reported information. Furnishers should specify an address for consumers to send dispute notices to avoid certain reporting requirements.
A person who regularly and in the ordinary course of business furnishes information to one or more consumer reporting agencies about the person’s transactions or experiences with any consumer and has furnished to a consumer reporting agency information that the person determines is not complete or accurate, shall promptly notify the consumer reporting agency of that determination and provide to the agency any corrections to that information, or any additional information, that is necessary to make the information provided by the person to the agency complete and accurate, and shall not thereafter furnish to the agency any of the information that remains not complete or accurate.
If a consumer disputes the completeness or accuracy of furnished information, the furnisher cannot report it to CRAs without informing them of the dispute. Furnishers must notify CRAs when a consumer voluntarily closes a credit account they have reported.
Moreover, furnishers must inform CRAs of the date of delinquency on a delinquent account placed for collection, charged off, or subjected to similar actions within 90 days of furnishing the information. In addition, medical service providers, or their agents, must inform CRAs when they furnish information on consumers, identifying their status as medical information furnishers.
When a person furnishes information to a CRA, they must have reasonable procedures in place to respond to notifications received from a consumer reporting agency concerning information linked to identity theft. These procedures prevent the entity from inadvertently re-furnishing blocked information. If a consumer submits an identity theft report, stating that the information attributed to them resulted from identity theft, the entity cannot furnish this information to a consumer reporting agency unless they subsequently confirm its accuracy.
Moreover, financial institutions extending credit and reporting to consumer reporting agencies are required to notify the consumer in writing when they provide negative information about the customer to such an agency. After the initial notice, they can submit additional negative information without further notification. This notice should be given to the customer before or no later than 30 days after furnishing the negative information, and it can be included in various customer communications as long as it is clear and conspicuous. This notice does not obligate the institution to submit further negative information. Financial institutions would not be held liable for not meeting these obligations if they had reasonable policies in place or reasonably believed that contacting the customer was legally prohibited.
Under the FCRA, consumers have the right to obtain a clear and accurate disclosure of their credit report, for free, every 12 months, upon request. This disclosure includes all the information contained in their file, with the option to exclude the first five digits of their social security number if they can provide appropriate proof of identity. However, credit scores and risk predictors need not be disclosed. The sources of this information should be revealed, except for sources used exclusively for investigative consumer reports.
In case of legal action, the sources must be made available to the plaintiff through appropriate court procedures. Consumers also have the right to know who has requested their consumer report, particularly for employment purposes within the past two years or for other purposes within the past year. This includes identifying the person or business by name or trade name and, upon request, providing their contact information. However, the government agencies involved in determining security clearance eligibility are exempted.
The CRA is also required to provide a record of all inquiries about the consumer in the past year in connection with credit or insurance transactions not initiated by the consumer. If a consumer requests their credit file without the credit score, they must be informed that they can request and obtain the credit score separately.
Alongside these rights, a summary of consumer rights must be provided with each written disclosure from the agency. This summary covers the right to access credit reports, the toll-free telephone number for consumer inquiries (applicable to certain agencies), a list of federal agencies enforcing FCRA provisions with their contact information, a mention of potential additional rights under state law, and a statement that the agency is not required to remove accurate derogatory information unless it's outdated or unverifiable under Section 605 of the FCRA.
Additionally, when a consumer contacts a reporting agency believing they are a victim of such fraud or identity theft, the agency must provide them with the summary of rights prepared by the CFPB and information on how to contact the CFPB for more details.
The consumer has the right to authorize a CRA to provide a credit report to employers for employment-related background checks. In this case, the employers must follow specific procedures. First, the employer must make a clear and conspicuous written disclosure to the consumer. This disclosure must clearly and solely state that a consumer report is requested for employment purposes. Additionally, the consumer must provide written authorization, which may be included in the same document. Furthermore, it is essential that information from the consumer report is not used in violation of any applicable Federal or State equal employment opportunity law or regulations.
In cases where a consumer applies for employment through means such as mail, telephone, or electronic methods, the person or employer procuring the consumer report must notify the consumer, either orally, in writing, or electronically, that a consumer report may be obtained for employment purposes. In this case, the consumer's consent to the procurement of their report must be obtained, either orally, in writing, or electronically. However, it is important to note that this procedure applies specifically to positions subject to the Secretary of Transportation's regulatory authority or positions regulated for safety by a State transportation agency.
When a consumer requests their credit score, a CRA must provide a statement indicating that the credit scoring model used may differ from the one employed by lenders. This notice must include the current credit score or the most recent one calculated for credit-related purposes, the range of possible credit scores, key factors adversely affecting the credit score (up to four), the date the credit score was created, and the source of the credit score. It's important to note that this subsection does not compel a consumer reporting agency to develop or reveal a score for certain purposes, such as residential real property loans.
However, it requires them to provide the name, address, and website of the entity that developed the score or methodology used if they distribute credit scores created by others. This subsection does not mandate the maintenance of credit scores in the agency's files. To comply with this provision, a consumer reporting agency must supply a credit score commonly used for residential real property loans or for helping consumers understand their credit behavior.
Consumer reporting agencies are allowed to charge a fair and reasonable fee for providing this information as determined by the CFPB. The use of inquiries as a key factor affecting the credit score must be disclosed, without numerical limits. Certain mortgage lenders must disclose to a consumer without charge the credit score used for the purpose of the loan. Also, when users of credit reports take adverse action or offer credit on terms less favorable than usual, they must disclose the credit score on which such actions were based.
Consumers have the right to dispute the completeness or accuracy of information contained in their files. Once a consumer notifies the CRA of the dispute, the CRA is obliged to reinvestigate and record the current status of the disputed information or delete it from the consumer's file within 30 days.
Additionally, the CRA is responsible for notifying the furnisher of the disputed information of the consumer's dispute and providing the furnisher with all relevant information the CRA has received from the consumer regarding the dispute. In conducting the reinvestigation, the CRA is required to review and consider all relevant information submitted by the consumer. The CRA may terminate the reinvestigation if it reasonably determines that the dispute is frivolous or irrelevant or if the consumer fails to provide sufficient information to investigate the disputed information. If the CRA concludes that the dispute lacks merit, it must inform the consumer of this determination within five business days. In cases where the reinvestigation reveals inaccuracies, incompleteness, or unverifiability, the CRA must promptly remove that item of information from the consumer's credit file.
After completing the reinvestigation, the CRA must provide written notice of the results of the reinvestigation to the consumer within five days. The notice must include a statement that the reinvestigation is completed; a copy of the consumer report reflecting the information in the consumer's file revised during the reinvestigation; a notice that, if requested by the consumer, a description of the procedure used to determine the accuracy and completeness of the information can be provided; a notice that the consumer has the right to add a statement to his/her file disputing the accuracy or completeness of the information contained therein; and a notice that the consumer has the right to request that the CRA send notices regarding deleted information to specified parties.
Consumers have a right to impose a security freeze on their credit reports, prohibiting a consumer reporting agency from disclosing information in their credit report without their explicit authorization.
To place a security freeze, a consumer can make a direct request to the agency, and with proper identification, the agency must implement the freeze within specific timeframes, either one or three business days, depending on the request method. The CRA is also required to confirm the freeze's placement, offer information on how to remove it, and notify the consumer of their rights. A security freeze remains in place until the consumer requests its removal, and upon such request, the agency must act within one hour for electronic requests and three business days for mail requests. If a third party seeks access to a frozen consumer report for a credit application and the consumer denies access, the third party can consider the application incomplete.
However, there are certain exceptions to a security freeze. For example, individuals or entities with a current or potential financial relationship with the consumer, such as those reviewing accounts or collecting debts, are exempt. Government entities, law enforcement, and collection agencies can access reports when acting under court orders, warrants, or subpoenas. Child support agencies are also exempt from security freeze restrictions when operating under certain laws. Additionally, federal and state agencies can access reports for fraud investigations, tax collection, and other statutory responsibilities that align with their specific purposes.
To facilitate this process, CRAs must create a user-friendly webpage allowing consumers to place or remove these freezes. Simultaneously, the FTC is responsible for creating a central webpage that links to the agencies' webpages, simplifying access to these services.
When a person receives consumer information from an affiliated entity for marketing purposes, they must clearly disclose this to the consumer. Consumers are then given the right to opt out of receiving marketing solicitations. They have the choice to block all such solicitations or choose from various options specifying the types of entities, information, and delivery methods they wish to prohibit.
This opt-out choice is effective for at least five years, after which consumers must be offered the opportunity to extend their opt-out period. These rules do not apply in situations where there is a pre-existing business relationship or when information is used to facilitate communications related to employee benefits, among other exceptions. It is essential to note that these rules are not retroactive and do not apply to information received before the compliance date.
If any person intentionally fails to comply with these requirements, they can be held liable to the affected consumer. The damages may include actual losses incurred by the consumer, punitive damages determined by the court, and the costs and reasonable attorney’s fees for successful legal actions.
If someone knowingly obtains a consumer report without a valid purpose, they are liable to the consumer reporting agency for actual damages or $1,000, whichever is higher. The court may award attorney’s fees for bad faith or harassment claims. A provision clarifies that certain practices related to the printing of expiration dates on receipts do not constitute willful noncompliance with FCRA regulations.
Additionally, individuals or entities can be held liable for negligence in failing to comply with FCRA requirements. This liability includes covering the actual damages suffered by the consumer due to the noncompliance and, if the consumer prevails in legal action, paying the associated costs and reasonable attorney's fees. If legal documents are found to be submitted in bad faith or for harassment, the prevailing party is entitled to reasonable attorney's fees related to their response.
Moreover, the FTC may take enforcement actions against CRAs and furnishers for violations of FCRA. Penalties can include fines, cease and desist orders, and other corrective actions.
Compliance with the Fair Credit Reporting Act (FCRA) is essential for entities engaged in credit reporting and decision-making processes. To ensure fairness, accuracy, and privacy within the realm of consumer credit information, organizations must:
Develop comprehensive policies and processes outlining your organization's handling of consumer credit information in accordance with FCRA regulations.
Obtain the consumer’s written consent before accessing their credit reports for any permissible purpose. Additionally, consumers should be made fully aware of the purpose and limitations of the credit check.
Implement strong security measures to protect consumer credit information from unauthorized access and data exposure.
Educate and train employees who deal with consumer data about FCRA regulations, their responsibilities, and the importance of protecting consumers and enabling them to exercise their consumer rights.
Collaborate with credit reporting agencies to understand the evolving amendments and ensure accurate and compliant reporting practices.