Fair Credit Reporting Act (FCRA) Compliance Checklist

Published January 24, 2024 / Updated June 25, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

The Fair Credit Reporting Act (FCRA) is a United States federal law that governs how consumer credit information is collected, shared, and used. Consumer reports are relied on for numerous purposes, including credit card issuance, loan approval, employment screening, and tenant screening, and the law regulates both the contents of those reports and who may access them, with the aim of ensuring the fairness, accuracy, and privacy of consumer credit reports.

Enacted in 1970, the FCRA sets out a comprehensive list of requirements, mechanisms, and recommendations for consumer reporting agencies (CRAs), the entities that collect, assemble, and disseminate consumer credit information. The law requires CRAs to collect and disclose consumer information fairly and accurately so that banks, employers, landlords, and other users can make accurate and informed decisions, such as loan approvals, background checks, or tenant screening.

In 2003, the 108th Congress amended the FCRA through the Fair and Accurate Credit Transactions Act (FACTA). The amendments revised many existing provisions and introduced new consumer rights, such as the right to place fraud alerts on credit files.

Continue reading the FCRA compliance checklist we’ve put together to understand the act's key provisions and streamline compliance efforts.

FCRA Compliance Checklist

The FCRA grants several rights to consumers, including victims of identity theft. It also requires the nationwide credit reporting bureaus to provide consumers, upon request, with a free copy of their credit report once every 12 months. Beyond that, there are numerous other compliance requirements that CRAs, as well as furnishers and users of consumer reports, must adhere to. The key requirements include the following:

Establish FCRA Policies

Organizations must develop detailed policies and processes that delineate how they handle consumer credit information, ensuring strict adherence to the requirements set forth by the FCRA.

Review FCRA Provisions & Applicability

Organizations must review and understand the latest official text of the Fair Credit Reporting Act (FCRA). Data privacy and protection laws are amended periodically as the consumer data landscape and the industry evolve, so businesses must understand the current provisions of the act to ensure compliance.

Businesses must also review the disclosure provisions that apply to them. The FCRA regulates different types of disclosures separately, such as disclosures to government agencies, disclosures for employment purposes, and disclosures in connection with investigative consumer reports. A CRA may furnish a consumer report only to a user with a permissible purpose under § 604 [15 U.S.C. § 1681b], and the user must identify itself and certify that purpose. In certain cases the consumer's written consent is required as well, most notably when a report is obtained for employment purposes, where the consumer must authorize the procurement of the report in writing (§ 604(b)(2)).

Ensure Reports Are Used Only for Permissible Purposes

The FCRA goes into considerable detail on the permissible use of consumer reports. § 604 [15 U.S.C. § 1681b] lists the purposes for which a CRA may furnish a report (for example, in connection with a credit transaction involving the consumer, for employment purposes with the consumer's written authorization, for insurance underwriting, or at the written instruction of the consumer), and § 605 [15 U.S.C. § 1681c] sets out information that a report must not include. Businesses that obtain reports should confirm that every request falls within one of these purposes and that the purpose is certified to the CRA.

Provide Adverse Action Notices

Adverse action notices are an obligation of users of consumer reports, such as lenders, insurers, and employers. In the employment context, before taking an adverse action based in whole or in part on a consumer report, the employer must give the consumer a copy of the report and a copy of the summary of rights under the FCRA (§ 604(b)(3)). This pre-adverse action disclosure allows the consumer to review the report and dispute any information that is inaccurate or incomplete before the decision becomes final.

Once the adverse action is taken, the user must provide the consumer with a notice, in writing, orally, or electronically, informing them of their rights and including the following details (§ 615(a) [15 U.S.C. § 1681m]):

  • The numerical credit score used in making the decision, if a score was used.
  • The name, address, and toll-free telephone number of the CRA that furnished the report.
  • A statement that the CRA did not make the adverse action decision and cannot explain why it was taken.
  • The consumer's right to obtain a free copy of the report from the CRA within 60 days, and the right to dispute the accuracy or completeness of any information in it.

Implement Identity Theft Prevention Program

Identity theft means fraud committed using another person's identifying information. The FCRA dedicates a full section, § 605A [15 U.S.C. § 1681c-1], to identity theft prevention measures. This section empowers consumers to protect themselves by asking CRAs to place fraud alerts or a "security freeze" on their files. § 605A provides three types of fraud alerts: initial (one-call) fraud alerts, extended fraud alerts, and active duty alerts.

Security Freeze

A consumer may ask a CRA to place a security freeze on their credit report. While the freeze is in place, the CRA may not release the consumer's report or credit score to third parties, subject to the exceptions listed in the act. After verifying the identity of the requesting consumer, the CRA must place the freeze no later than 1 business day after receiving a request by toll-free telephone or secure electronic means, and no later than 3 business days after receiving a request by mail. Within 5 business days after placing the freeze, the CRA must confirm the freeze to the consumer and provide a notice explaining their rights and the process for removing the freeze.

Prohibitions on CRA with respect to Investigative Consumer Report

A CRA is prohibited from preparing or furnishing an investigative consumer report unless it has received the required certification from the person who requested the report. A CRA also may not make inquiries for an employment-related investigative report if those inquiries, if made by the employer, would violate federal or state equal employment opportunity laws or regulations.

Additionally, a CRA may not include public record information relating to arrests, indictments, convictions, civil judicial actions, tax liens, or outstanding judgments in an investigative consumer report unless it has verified the accuracy of that information during the 30-day period ending on the date the report is furnished. Furthermore, a CRA may not prepare or furnish an investigative consumer report containing adverse information obtained through a personal interview with a neighbor, friend, or associate of the consumer unless it has followed reasonable procedures to confirm the information from an additional source with independent and direct knowledge of it, or the person interviewed is the best possible source of the information.

Protect Sensitive Data

CRAs must implement strong security measures to protect consumer credit information from unauthorized access and exposure. These measures include strict, role-based access controls with logging of every report release, encryption of data at rest and in transit, secure storage, and secure transmission protocols. The reasonable-procedures standard in § 607(a) [15 U.S.C. § 1681e] also requires CRAs to have prospective users identify themselves and certify their purpose, and to limit the furnishing of reports to the purposes listed in § 604.
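Two of the requirements above, furnishing reports only for a certified permissible purpose (§ 604, § 607(a)) and enforcing access controls around consumer data, reduce to an authorization decision that has to be made before any report leaves the CRA. The following is an added example of such a deny-by-default gate; it is illustrative code written for this checklist, not Securiti's product or any official FCRA implementation. The purpose names, the request fields, and the audit log format are this example's own assumptions, and the security freeze exceptions are simplified to the consumer's own written instruction, whereas § 605A lists further exceptions.

```python
"""Added example: a deny-by-default release gate for consumer reports.

Hypothetical code, not Securiti's product nor an official FCRA reference
implementation. It encodes a small subset of the rules on this page:
 - the requester must identify itself and certify a permissible purpose
   (FCRA § 604 / § 607(a));
 - an employment purpose additionally needs the consumer's written
   authorization (§ 604(b)(2));
 - an active security freeze blocks release (§ 605A(i)); as a simplification,
   only the consumer's own written instruction is honoured as an exception,
   whereas the act lists further exceptions.
Every decision, allowed or denied, is written to an audit log with the
consumer identifier pseudonymized, so the log does not become another copy
of the sensitive data.
"""
from __future__ import annotations

import datetime
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Purpose(str, Enum):
    """Subset of § 604 permissible purposes (the names are this example's own)."""
    CREDIT_TRANSACTION = "credit_transaction"
    EMPLOYMENT = "employment"
    INSURANCE_UNDERWRITING = "insurance_underwriting"
    CONSUMER_INSTRUCTION = "written_instruction_of_consumer"


@dataclass
class ReportRequest:
    requester_id: str                 # who is asking (§ 607(a): users must identify themselves)
    requester_verified: bool          # identity confirmed out of band (credentialing, mTLS, etc.)
    purpose: Optional[Purpose]        # None models a request that states no purpose at all
    purpose_certified: bool           # requester certified the purpose to the CRA
    consumer_id: str                  # subject of the requested report
    consumer_written_consent: bool = False  # § 604(b)(2) authorization for employment purposes


@dataclass
class ConsumerFile:
    consumer_id: str
    security_freeze: bool = False     # § 605A(i) freeze placed at the consumer's request


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list[dict] = []


def _pseudonymize(value: str) -> str:
    """One-way token for the audit trail; the raw identifier is never logged."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def _evaluate(req: ReportRequest, cf: ConsumerFile) -> Decision:
    # Ordered deny checks: the first failure wins; nothing is released on a partial pass.
    if not req.requester_verified:
        return Decision(False, "requester identity not verified")
    if req.purpose is None:
        return Decision(False, "no permissible purpose stated")
    if not req.purpose_certified:
        return Decision(False, "purpose not certified by requester")
    if cf.consumer_id != req.consumer_id:
        return Decision(False, "request does not match the consumer file")
    if req.purpose is Purpose.EMPLOYMENT and not req.consumer_written_consent:
        return Decision(False, "employment purpose requires the consumer's written authorization")
    if cf.security_freeze and req.purpose is not Purpose.CONSUMER_INSTRUCTION:
        return Decision(False, "security freeze in place; report not released")
    return Decision(True, f"permissible purpose certified: {req.purpose.value}")


def authorize_release(req: ReportRequest, cf: ConsumerFile) -> Decision:
    """Evaluate the request and record the outcome, whether allowed or denied."""
    decision = _evaluate(req, cf)
    AUDIT_LOG.append({
        "at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "requester": req.requester_id,
        "consumer": _pseudonymize(req.consumer_id),
        "purpose": req.purpose.value if req.purpose else None,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample requests, not real consumer data.
    cf = ConsumerFile("consumer-0001")
    print(authorize_release(ReportRequest("lender-a", True, Purpose.CREDIT_TRANSACTION, True, "consumer-0001"), cf))
    print(authorize_release(ReportRequest("employer-b", True, Purpose.EMPLOYMENT, True, "consumer-0001"), cf))
    frozen = ConsumerFile("consumer-0001", security_freeze=True)
    print(authorize_release(ReportRequest("lender-a", True, Purpose.CREDIT_TRANSACTION, True, "consumer-0001"), frozen))
```

The ordering of the checks matters: identity and certification are verified before the consumer file is consulted, so an unauthenticated caller learns nothing about whether a freeze exists, and the employment consent check runs even when everything else passes. In a production system the audit log would go to an append-only store and the identity verification would be backed by the CRA's credentialing of users, which this example models with a single boolean.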

Educate Employees

CRAs must educate and train employees who handle consumer data on FCRA requirements; this is crucial to ensure compliance, responsible data handling, and the protection of consumer rights. Moreover, under § 610(c) [15 U.S.C. § 1681h], a CRA must provide trained personnel to explain to the consumer any information furnished to them under the act.

Collaborate with Consumer Reporting Agencies

Furnishers and users of consumer reports must collaborate with the CRAs they work with to keep up with evolving amendments and to ensure accurate reporting and dispute-handling practices.

Prohibition of Furnishing Adverse Information in Cases of Trafficking

CRAs must not furnish a consumer report containing any adverse item of information that resulted from a severe form of trafficking in persons or sex trafficking. This prohibition applies once the consumer has submitted the required trafficking documentation to the CRA (§ 605C).

Disclosure of Credit Score

When a consumer requests their credit score, a CRA must provide a statement indicating that the credit scoring model used may differ from the one employed by lenders. The disclosure must include the current credit score, or the most recent one calculated for credit-related purposes, the range of possible scores under the model, the key factors that adversely affected the score (up to four), the date the score was created, and the name of the entity that provided the score (§ 609(f) [15 U.S.C. § 1681g]).

If the CRA distributes scores developed by another entity, it must provide the name, address, and website of the entity that developed the score or methodology. This subsection does not require a CRA to maintain credit scores in its files, and it does not compel a CRA to develop or disclose a score if the agency does not distribute scores used in connection with residential real property loans or develop scores that help credit providers understand a consumer's general credit behavior. Where the subsection does apply, the CRA must supply a score derived from a model that it widely distributes to users, such as one used in connection with residential real property loans, or a score that helps the consumer understand how their credit behavior is assessed.

Dispute the Accuracy of Information and Reinvestigation

Once a consumer notifies the CRA that they dispute the completeness or accuracy of an item in their file, the CRA must conduct a reasonable reinvestigation, free of charge, and record the current status of the disputed information or delete it from the consumer's file, generally within 30 days of receiving the notice (§ 611 [15 U.S.C. § 1681i]).

Additionally, within 5 business days of receiving the dispute, the CRA must notify the furnisher of the disputed information and forward all relevant information it has received from the consumer about the dispute. In conducting the reinvestigation, the CRA must review and consider all relevant information submitted by the consumer.

Opt-Out of Marketing Solicitations from Information Received from User’s Affiliates

When a person receives consumer information from an affiliate and intends to use it to make marketing solicitations, the person must clearly and conspicuously disclose this to the consumer (§ 624 [15 U.S.C. § 1681s-3]). Consumers must then be given the opportunity to opt out of receiving such solicitations, either blocking all of them or choosing from options that specify the types of entities, information, and delivery methods they wish to prohibit.

The opt-out election is effective for at least five years, after which the consumer must be offered the opportunity to extend it. These rules do not apply where the person has a pre-existing business relationship with the consumer, or where the information is used to facilitate communications about employee benefits, among other exceptions. Note that the rules are not retroactive and do not apply to information received before the compliance date.

Additional Obligations on CRAs that Resell Consumer Reports

The FCRA imposes additional obligations on resellers of consumer reports (§ 607(e)). When procuring a report for resale, a reseller must disclose to the CRA the identity of the end user and each permissible purpose for which the report is being furnished. A reseller must also establish and follow reasonable procedures to ensure that the report is resold only for a permissible purpose, including procedures to identify the end user and verify that purpose.

Maintain Fairness & Accuracy of Information

Under § 607 [15 U.S.C. § 1681e], a CRA must follow reasonable procedures to assure maximum possible accuracy of the information when preparing a consumer report. In connection with § 607, § 611 [15 U.S.C. § 1681i] lays out the procedures a CRA must follow when a consumer disputes the accuracy or completeness of information in their file: the CRA must conduct a reasonable reinvestigation to determine whether the disputed information is inaccurate, and must correct or delete it if it is found to be inaccurate, incomplete, or unverifiable.

Achieve FCRA Compliance with Securiti PrivacyOps

Rated No.1 in Forrester Wave for the Strong Current Offering, Securiti PrivacyOps, an integration of the Data Command Center, is a leader in data privacy management and compliance. PrivacyOps leverages Sensitive Data Intelligence and the People Data Graph to build a link between individuals and their personal data to automate DSRs and other compliance obligations. With PrivacyOps, organizations can streamline data incident management, assessment automation, consent management, privacy notice automation, and vendor assessments, to name a few.

Request a demo to see how PrivacyOps can help you streamline your FCRA compliance effort.
