Fair Credit Reporting Act (FCRA): Explanation of Compliance
Introduction
The goal of this article is to give readers an explanation of the Fair Credit Reporting Act (FCRA) requirements. The FCRA is a regulation created with the goal of placing controls on the fairness and accuracy of credit reporting. Initially, the regulation pertained mainly to Consumer Reporting Agencies (CRAs), but it has since been expanded upon to encompass users and furnishers of consumer reports. The FCRA is enforced by the Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC).
In this article, we will mainly cover those parts of the FCRA that are pertinent to employers and financial institutions (particularly creditors). The major sections will cover:
- Who can obtain consumer reports and under what circumstances
- The sharing of consumer information with affiliates
- The handling of medical information
- Required notices, including opt-out and adverse action notices
- The duties of furnishers
- Protections against fraud and identity theft
This article summarizes the main points of the FCRA and explains the LoanPro features that can help lenders comply. However, the very act of summarizing means we're taking out details, so this is by no means an authoritative or complete guide. We encourage you to consult with your legal team to ensure you stay in compliance with the rule.
Obtaining Consumer Reports (section 604(a))
As a way to protect consumers, the FCRA mandates that prospective users of consumer reports (lenders, insurers, landlords, employers) must have a "legally permissible purpose" in order to obtain a report in the first place.
What are the legally permissible purposes that allow you to obtain a consumer report?
A Consumer Reporting Agency (CRA) can give a consumer report only if it meets one of these requirements:
- There is a court order or Federal Grand Jury subpoena
- There are written instructions from the consumer in question
- The consumer report is for a financial institution that the CRA has reason to believe will use the report for purposes allowed by the FCRA
Financial institutions are permitted use consumer reports for any of the following purposes:
- to extend, review, or collect credit,
- for employment purposes,
- for the underwriting of insurance involving the consumer,
- to determine the consumer's eligibility for a license or other benefit granted by the government that is required by law to consider the consumer's financial responsibility,
- for the evaluation or assessment of credit or prepayment risks associated with an existing credit obligation (by a potential investor, servicer, or current insurer),
- if there is a legitimate business need for information.
An institution is considered to have a legitimate need for information if:
- it has to do with a business transaction initiated by the consumer,
- it's to review an account and determine whether the consumer is meeting the terms, or
- it's for use by state or local officials to determine child support payments or modifications and enforcement thereof.
Investigative Consumer Reports (section 606 p.42)
Reports that contain information about a consumer's character, reputation, personal characteristics, or mode of living are called investigative consumer reports. The information in this type of report is obtained through personal interviews with neighbors, friends, or associates of the consumer.
What requirements does a financial institution have to meet before they can obtain an investigative consumer report?
In order to procure an investigative consumer report, you need to meet all of the following requirements:
- You need to "clearly and accurately" disclose that you might obtain an investigative consumer report to the consumer.
- The disclosure has to contain a statement of the consumer's right to request other information about the report and a summary of their rights under the FCRA.
- You need to mail the written disclosure or deliver it by other means to the consumer within 3 business days of the request for the report.
- You have to certify to the CRA that you have complied with the disclosure requirements and will comply if the consumer requests additional disclosures about the report.
Prescreened Reports (section 604(c)) (§ 1022.54)
Financial institutions are allowed to obtain and use prescreened consumer reports on any consumer in connection with any credit or insurance transaction that the consumer does not initiate in order to make firm offers of credit. This occurs when a financial institution obtains a list of consumers who meet certain criteria and who have not elected to be excluded from such lists from a CRA.
Each name on the list is considered an individual consumer report, and a financial institution must make a "firm offer of credit or insurance" to each person on the list in order to obtain and use the list. However, the financial institution is not required to grant credit to a responding consumer if the consumer no longer meets the criteria.
What kind of consumer information can these lists contain?
The lists can only contain:
- The name and address of the consumer
- An identifier that isn't unique to the consumer and is used solely to verify the identity of the consumer.
- Information pertaining to a consumer that doesn't identify what relationship or experience the consumer has with a particular creditor (or any other entity).
A prescreened consumer report from a CRA should never contain information about a consumer under the age of 21 in keeping with amendments made by the CARD Act.
Sharing Information Without Becoming a CRA (section 603(d))
Consumer reports are defined as including information about a consumer which bears on a consumer’s creditworthiness, character, capacity, etc. As a matter of course, financial institutions have a large amount of information that could constitute a consumer report. If a financial institution communicates this type of information, it may cause them to be defined as a CRA, and since the FCRA contains a multitude of requirements specific to CRA's, it's understandable that a financial institution would want to avoid being defined as such.
How can you avoid becoming a CRA if you need to share information?
Thankfully, there are some exceptions to the definition of a consumer report that allow financial institutions to share this type of information without becoming a CRA. Communicated information will not qualify as a consumer report as long as it meets one of the following requirements:
- The report only contains information about transactions or experiences between the consumer and the person making the report. If the information is strictly related to your own transactions or experiences with a consumer, you may share it with any third party without regard to affiliation. (However, this kind of information may still be restricted by the GLBA if it qualifies as "nonpublic personal information.")
- You're communicating about transaction or experience information among financial institutions that are related by common ownership or affiliated by corporate control.
- You're communicating other information that would usually be considered a consumer report among persons related by common ownership or affiliated by corporate control. However, you have to clearly disclose to the consumer that the information will be communicated among these entities, and the consumer must be given the opportunity to opt-out before you share the information.
- You're communicating about a specific extension of credit (directly or indirectly)if you're the issuer of a credit card or similar. This allows a consumer to complete a transaction using a credit card by enabling a lender to communicate an authorization through the credit card network to a retailer.
- Any report in which you convey a decision about a request by a third party to make a specific extension of credit to a consumer. (The third party in question has to tell the consumer your name and address, and they have to make any adverse action disclosures as required by the FCRA.)
- If you're using a consumer report, you may share information if you and another user are jointly involved in a decision to approve a consumer's request for a product or service as long as you both have permissible purpose in obtaining the consumer report.
Medical Information (section 604(g)) (12 CFR 1022.30)
Creditors are prohibited from obtaining and using medical information to determine a consumer's eligibility for credit. However, there is no prohibition on creditors obtaining or using medical information for purposes other than eligibility for credit.
If a creditor receives medical information in connection with any determination of a consumer's eligibility for credit without specifically requesting the information, they are not in violation of the prohibition. However, a creditor may only use the information in the determination of eligibility in accordance with the listed exceptions.
Financial Information Exception
The financial information exception allows a creditor to obtain and use medical information in connection with a consumer's eligibility for credit if they meet all of the following requirements:
- It is the type of information usually used in determining eligibility for credit. (This includes information about debts, expenses, income, benefits, assets, collateral, the purpose of the loan, and use of the loan proceeds.)
- The outcome is just as favorable as it would be if using comparable, non-medical information.
- The creditor doesn't take physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any determination.
Exceptions for Sharing Medical Information with Affiliates
A creditor cannot disclose medical information to an affiliate (exclusions to the definition of a "consumer report" do not apply). If medical information is shared, the creditor will no longer meet the qualifications to be exempt from being defined as a CRA, and they will become subject to the numerous FCRA requirements that are specific to CRAs.
The only exceptions for sharing medical information with affiliates are as follows:
- In connection with insurance or annuities.
- For any permitted reason that doesn't require authorization under HIPPA.
- For any purpose referred to in Section 1179 of HIPPA.
- For any purpose described in Section 502(e) of the Gramm-Leach-Bliley Act.
- When dealing with a consumer's eligibility for credit if it is consistent with the financial information exceptions or other specific exceptions.
- As otherwise permitted by order of the CFPB.
Other Exceptions for the Use of Medical Information
- To determine if a consumer has experienced a medical condition and whether another individual has Power of Attorney or can act as a legal representative for them.
- If it complies with applicable requirements of local, state, or Federal laws.
- To determine, at a consumer's request, whether they qualify for a legally permissible special credit program or credit-related assistance program.
- To prevent or detect fraud.
- To determine and verify the medical purpose of a loan and the use of the proceeds if the credit is for financing medical products or services.
- If a consumer (or their legal representative) requests that a creditor use medical information to evaluate the consumer's eligibility for credit in order to accommodate the consumer's particular circumstances. (This exception does not require a creditor to make such an accommodation or grant a loan that is not consistent with safe and sound banking practices.)
- To determine if a forbearance practice or program that is triggered by a medical condition or event applies to a customer. (This does not require the creditor to grant forbearance but provides an exception so creditors can consider medical information in these instances.)
- To determine whether a consumer is eligible for the triggering or reactivation of a debt cancellation contract or debt suspension agreement if a medical condition or event is a trigger.
- To determine a consumer's eligibility for the triggering or reactivation of a credit insurance product if a medical condition or event is the trigger.
A creditor can't disclose any medical information received for any reason other than the purpose for which the information was originally disclosed, except as permitted by order, statute, or regulation.
Notices and Disclosures
There are many notices and disclosures required by the FCRA, including:
- Opt-Out Notices
- Prescreened Opt-Out Notices
- Risk-Based Pricing Notices
- Negative Information Notices
- Adverse Action Disclosures
- Credit Score Disclosures
In the sections below, we'll give an detailed description of the requirements for each of these notices and disclosures.
Opt-Out Notices (§ 1022.21) (section 624)
Until a consumer has been presented with an opt-out notice, an entity that does not have a pre-existing business relationship with a consumer is not allowed to use a consumer's information that it obtained from an affiliate to make solicitations. This section covers the use of information shared by an affiliate, which is separate from the sharing of information to an affiliate.
In what circumstances can you use consumer information obtained from an affiliate to make solicitations?
You are not allowed to use eligibility information you've received from an affiliate about a consumer for marketing purposes unless all of the following apply:
- You give the consumer a clear and conspicuous written disclosure in a concise notice that such information may be used to make solicitations. (You can only give this notice electronically if you have the consumer's permission.)
- You give the consumer the opportunity and a reasonable and simple method to opt out.
- The consumer does not opt out.
Additionally, an affiliate who has a pre-existing business relationship with the consumer has to be the one to provide this notice.
An affiliated group of companies can provide this notice as long as at least one of them has a pre-existing relationship with the consumer.
What is considered a solicitation?
You are making a solicitation for marketing purposes if any of the following apply:
- You receive eligibility information from an affiliate in any way
- You use that information to identify a consumer or type of consumer to receive a solicitation, establish criteria to select a consumer to receive a solicitation, or decide which of your products or services to market to a consumer or tailor a solicitation to that consumer.
- A consumer receives a solicitation as a result of your use of their eligibility information.
What is the scope of the opt-out requirement?
- If you give a consumer a menu of alternatives to prohibit solicitations, at least one of the options must allow the consumer to prohibit all solicitations from all affiliates covered by the notice.
- If you have a continuing relationship with a consumer, an opt-out notice might apply to eligibility information obtained from one or more continuing relationships, or even future relationships, if the notice adequately describes the relationships that would be covered.
- Let's say that a consumer establishes a new relationship with you after a previous relationship was terminated. If they chose to opt-out in their previous relationship, but opt-in for the current relationship, the opt-out still holds for any eligibility information from the previous relationship.
- If you receive a consumer's eligibility information in connection with a transaction, and there is no continuing relationship, an opt-out notice you provide to the consumer only applies to eligibility information in connection with that transaction.
Are there exceptions to the opt-out?
You are exempt from the rule if you use eligibility information received from an affiliate for any of the following purposes:
- To make a solicitation to a consumer the person already has an existing relationship with.
- For communications to a consumer who you provide employee benefit or other services for by contract with their employer.
- To perform services on behalf of an affiliate (as long as the consumer hasn't opted out).
- After you receive a consumer's communication about your products or services. (The communication must be initiated by the consumer.)
- In response to a consumer's authorization or request to receive solicitations.
- If compliance with the regulation would prevent you from complying with State insurance laws pertaining to unfair discrimination.
How long does an opt-out last, and what are the renewal requirements?
- A consumer can opt-out at any time.
- The opt-out must be effective for at least five years after the opt-out election is implemented unless the consumer revokes the opt-out in writing or electronically. This includes each opt-out renewal.
- After the opt-out period expires, you must give the consumer a renewal notice and the opportunity to opt-out again.
- The renewal notice has to be provided by the same affiliate that provided the previous opt-out notice. If the previous notice was provided jointly by affiliates, the renewal notice can be provided by a part of the group of affiliates.
- You can give the renewal notice to a consumer either a reasonable period of time before the expiration of the opt-out period or any time after the expiration of the opt-out period. However, you need to provide the renewal notice before you make any solicitations to the consumer that would have been prohibited by the expired opt-out.
You can't shorten the opt-out period by sending a renewal notice to a consumer before it expires, even if the consumer chooses not to renew the opt-out.
How does the opt-out notice need to be delivered?
There are four methods you can use to deliver the opt-out notice:
- Hand delivering a printed copy
- Mailing a printed copy to the consumer's last known address
- Providing an email notice (only if the consumer has agreed to receive electronic disclosures)
- Posting the notice on you website and requiring the consumer to acknowledge receipt of the notice before they can obtain a product or service electronically.
Constructive Sharing – No eligibility information is used in what is commonly referred to as "constructive sharing." As such, it is not subject to this rule. Constructive sharing occurs when an affiliate to a financial institution sends out the financial institution's marketing information to the affiliate's own customers based on criteria provided by the financial institution.
Prescreened Opt-Out Notices (section 604(c)) (§ 1022.54)
All Nationwide Consumer Reporting Agencies (NCRAs) are required to jointly operate an 'opt-out' system, through which consumers can choose to be excluded from prescreened lists by calling a toll-free number. As such, a financial institution that uses these lists must provide consumers with both a "short" and a "long" form Prescreened Opt-Out Notice with any offer of credit or insurance.
Risk-based Pricing Notices (section 615(4) (§ 1022.70)
Creditors are required to provide a risk-based pricing notice to a consumer if the creditor extends credit that is "materially less favorable" than the terms the creditor has extended to other consumers based on the consumer report. If the credit score was used to make a credit decision, creditors are required to disclose the consumer's credit score and certain information relating to it. Not including the account review risk-based pricing notice, only one risk-based or credit score disclosure exception notice is required per credit extension.
How do creditors determine who needs a risk-based pricing notice?
There are two alternative methods provided by the rule you can use to determine if you need to give a consumer a Risk-Based Pricing Notice.
- The credit score proxy method – You can determine a cutoff score that represents the point where approximately 40% of your consumers have higher credit scores and 60% have lower credit scores. You then need to give the risk-based pricing notice to every consumer with a lower credit score than the cutoff. There is also an alternative that allows you to set a different cut off if, based on their historical experience, more than 40% of consumers receive the most favorable terms.
- The tiered pricing method – You can assign consumers to a number of pricing tiers based on their consumer report. If you're using four or fewer pricing tiers, you would need to provide a risk-based pricing notice to all consumers who aren't qualified for the top tier. If you're using five or more tiers, you would need to provide the notice to all consumers that don't qualify for the best-priced tiers.
What is an account review risk-based pricing notice?
If you make a decision to increase the consumer's APR based on their consumer report after a review of their account, you need to send them an account review risk-based pricing notice.
What happens in the case of joint credit?
If you have provided credit jointly to two or more consumers, you need to provide a risk-based pricing notice to each consumer. If the consumers have the same address and there is no credit score included, you only need to provide a single notice. If credit scores are included, you need to give each consumer a separate notice containing their own credit score. The same goes for the credit score disclosure exception notice.
A creditor who purchased or was assigned a credit contract with a consumer is not subject to the risk-based pricing notice requirements. The original creditor is responsible.
Are there any exceptions for sending out risk-based pricing notices?
You do not need to send the Risk-Based Pricing Notice if any of these apply:
- The consumer specifically applied for the material terms of credit and received them, i.e. you didn't specify the terms after obtaining a consumer report.
- You have provided an adverse action notice.
- You made a firm offer of credit in a prescreened solicitation, even if you've made more favorable offers of credit to other consumers.
- You provide a credit score disclosure to each consumer that requests a loan.
- If you otherwise provide a credit score disclosure to each consumer, but the consumer's credit score was not available.
Negative Information Notices (section 623(a)(7))
A financial institution must provide a negative information notice to a consumer either before or within 30 days of reporting negative information to a CRA. Once the notice has been provided, the financial institution does not need to send additional negative information notices regarding negative information reported to a CRA involved with the same transaction, extension of credit, account, or customer.
Adverse Action Disclosures (sections 615(a) and (b))
Creditors have to make certain disclosures when they:
- take adverse actions with respect to consumers based on information contained in a consumer report
- deny credit or increase the charge for credit based on information obtained from a person other than a consumer reporting agency that regards the consumer's credit worthiness
- take adverse actions based on information from an affiliate.
What happens when a third party provides information that leads to an adverse action?
If anyone other than a CRA provides information that leads to a creditor taking adverse action, the creditor must 1) clearly and accurately disclose that the consumer has a right to make a written request for the reasons behind the adverse reaction within 60 days after learning of the adverse action and 2) disclose the nature of the information within a reasonable time period after receipt of a written request from the consumer.
The same rules apply if 1) the third party is related by common ownership or affiliated by common corporate control to the creditor and 2) the information given is not related to transactions or experiences between the consumer and the third party. However, the creditor needs to disclose the nature of the information within 30 days of a written request from the consumer instead of 60.
What should be included in the adverse action disclosure?
- A notice containing information about the adverse action
- A disclosure containing
- the credit score in the consumer report used to make the decision
- the range of possible credit scores
- all of the key factors that adversely affected the credit score of the consumer in the model used (no more than 4 key factors listed)
- the date on which the credit score was created; and
- the name of the person or entity that provided the credit score or credit file upon which the credit score was created.
- The name, address, and phone number of the CRA the report was obtained from
- A statement that the CRA didn't make the decision and is unable to provide the reasoning behind the decision
- A notice of the consumer's right
- to obtain a free copy of their consumer report from the CRA (including the 60-day period for which this applies)
- to dispute the accuracy or completeness of any information in the consumer report with the CRA
Credit Score Disclosures for Mortgage Loans (section 609(g))
Creditors that make or arrange mortgage loans using credit scores are required to provide the score and its accompanying information to the applicants. This applies to both closed-end and open-end loans that are for consumer purposes and are secured by 1-4 family residential real properties, and includes both purchase and refinance transactions. It also applies regardless of the final action the lender takes on the application.
What information does a credit score disclosure have to contain?
The disclosure also needs to contain all of the following information:
- the credit score
- the range of possible scores
- the date the score was created
- the "key factors" used in the calculation.
If you use an automated underwriting system to generate a credit score, you can satisfy the disclosure requirement by using a score and key factors supplied by CRA.
What are key factors?
Key factors are relevant factors that adversely affect the credit score of a consumer, such as amounts owed or credit history length. They are listed in order of how much they impacted the credit score, and no more than four can be disclosed. However, if one of the factors is the number of inquiries into a consumer's credit then the number is increased to five.
In the case of multiple or joint applicants, each credit score used needs to be disclosed. However, multiple credit scores can be included in a single disclosure.
Employer Requirements (section 604(b))
There are many institutions that obtain consumer reports of their employees or potential employees before or while they are employed. In order to do so, they must provide a disclosure that they might obtain a consumer report and acquire written permission prior to procuring a report. If the consumer submits an application for employment by any means other than in person, the employer must also give the consumer a summary of their rights under the FCRA section 615(a)(3).
What are the requirements if an employer (or potential employer) take adverse action?
Before taking any adverse action based on the consumer report, you must give the consumer a copy of the report and a description of their rights under the FCRA section (609(c)). If the consumer had applied by any means other than in person, and there was never an in person interaction, the description of their rights will be under FCRA section 615(a). You must also provide a notice that an adverse action has been taken based on their consumer report within 3 business days, which must include all of the following information:
- the name, address, and phone number of the CRA that provided the consumer report
- that the CRA was not responsible for the decision and can't provide reasons why the action was taken to the consumer
- that the consumer can request a free copy of their report and dispute the accuracy or completeness of the information in the report with the CRA if they provide the proper identification.
(If the consumer does request a copy of the report, the report must be sent within 3 business days of the request along with a copy of the consumer's rights under section 609(c)(3).)
Truncation of Account Numbers (section 605(g))
If you accept debit and credit cards for transactions, you are prohibited from issuing electronic receipts that display more than the last five digits of the card number. This does not apply to handwritten receipts or those developed with an imprint of the card.
Furnisher Duties (section 605(h)) (section 623(b)(§1022.82)
Every furnisher must create and follow written policies and procedures to ensure the accuracy and integrity of the consumer information they furnish to a CRA. They must also periodically review these policies and procedures and update them as needed.
What are the duties of a furnisher?
- A NCRA (Nationwide Consumer Reporting Agency) must give you notice of address discrepancy if the address you provide in your request for a report is substantially different from the address the NCRA has in the consumer's file.
- If you're a furnisher, you need to confirm that an address is correct before giving it to an NCRA.
- Your policies and procedures for giving a consumer’s address to an NCRA have to require you to give the confirmed address as part of the information you regularly furnish to the NCRA during the reporting period when you establish a continuing relationship with a consumer.
- If you receive a notice of address discrepancy, you have to develop and implement policies and procedures that allow you to make sure a consumer report is actually related to the consumer whose report was requested.
- You have a duty to ensure that the information you supply to CRAs is reasonably accurate, and you must establish written policies and procedures to that end.
- If you furnish information regarding an account holder to a CRA regularly and in the usual course of business, you must notify the CRA of any voluntary account closure as part of the regularly furnished information.
- You must notify the CRA of the month and year of the commencement of a delinquency no later than 90 days after originally supplying the information about a delinquent account.
- Upon receiving notice of possible identity theft, you are required to establish and follow procedures to ensure you don't re-report the information and "re-pollute" the victim's consumer report.
- You are required to provide consumers with a negative information notice either before or within 30 days of reporting negative information to a NCRA.
What should a furnisher do after receiving a notice of dispute from a CRA?
If you receive a notice of dispute from a CRA, you need to perform all of the following duties:
- conduct an investigation about the information that was disputed,
- review the information the CRA provided with the notice, and
- report the results to the CRA.
If you find that the information was incomplete or inaccurate over the course of the investigation, those results need to be reported to all NCRAs you have given information to in the past. If the information is incomplete, inaccurate, or isn't verifiable, you need to modify, delete, or permanently block the reporting of the piece of information.
All aspects of the investigation, including reports, are due within 30 days. If the CRA receives additional information from the consumer, this may be extended by a further 15 days.
What is a direct dispute?
A direct dispute is any dispute by a consumer relating to:
- the consumer's liability for credit or other debt with you, such as identity theft or fraud,
- the terms of credit or other debt with you,
- the consumer's conduct concerning an account or relationship with you, or
- any other information regarding an account or relationship with you that would be in a consumer report.
Direct dispute requirements do not apply if the dispute is submitted by a credit repair organization, prepared for the consumer by a credit repair organization, or submitted on a form supplied by a credit repair organization.
What is a furnisher required to do if they receive a direct dispute?
- Conduct an investigation on the disputed information.
- Review the information provided in the dispute notice.
- Complete the investigation and report the results to the consumer within 30 days.
If the information is found to be inaccurate, notify the CRAs that the information has been given to and provide correction.
The consumer's direct dispute notice must include all of the following:
- information to identify the account or relationship in dispute,
- what specific information is being disputed and the basis for the dispute,
- all supporting documentation you might require to substantiate the basis of the dispute.
A dispute does not apply to you if it relates to:
- name, DOB, SSN, phone number, or address,
- identity of employers,
- public record information,
- fraud or active duty alerts, or
- information given to a CRA by a different furnisher.
You are only required to investigate if a dispute notice is submitted by the consumer at your specified address. If you don't have a specified address, the dispute notice may be submitted to any of your business addresses.
Additionally, if you reasonably determine that a dispute is frivolous or irrelevant, you are not required to investigate. You can reasonably determine that a dispute is frivolous or irrelevant if:
- insufficient information was provided by the consumer in the notice,
- the dispute is substantially the same as a previously submitted dispute which you have already followed the requirements for, or
- you are not required to investigate because the dispute does not apply to you for one of the other reasons listed above.
Consumer Alerts and Identity Theft Protections (section 605A(h))
Consumers who suspect they may be the victims of fraud or identity theft can request NCRAs to place initial fraud alerts in their consumer reports. These alerts have to remain in a consumer’s report for at least 90 days.
A member of the military who is called to active duty may request that an active duty alert be placed in their consumer report, which has to remain in the service member's file for at least 12 months.
What are financial institutions required to do when they deal with a report that has an alert?
If there is a fraud or active duty alert on a consumer report, you are required to verify a consumer's identity before establishing a new credit plan or extension credit, issuing an additional card on an existing account, or increasing the credit limit.
Additionally, you are required to provide records of fraudulent transactions to victims of identity theft, any law enforcement agency or officer specified by the victim in the request, or any law enforcement agency investigating the identity theft that was authorized to receive the records by the victim. If a consumer who is the victim of identity theft makes a written request for records of fraudulent transactions, you are required to provide the records at no charge within 30 days of receipt of the request. Before disclosing the information, you must verify the consumer's identity by government-issued ID card, personally identifying information of the same type that was provided to you by the unauthorized person, or personally identifying information that you typically request for new transactions. You can also elect to require the victim to provide proof of an identity theft complaint.
You are not required to provide any information if any of the following is applicable:
- Section 609(e) doesn't require it
- You don't have confidence in knowing the true identity of the requestor based on the ID/proof provided.
- The requester misrepresents the facts
- The requested information is internet navigational data or similar about a your institution's visit to a website or online service
Debt Collector Communications (section 615(g))
Institutions that act as debt collectors, who collect debts on behalf of a creditor or other consumer report user, are required to notify the creditor if they are notified that any information relating to a debt is fraudulent or may be the result of identity theft. If the consumer to whom the debt relates requests any of the information, the debt collector must provide all information that the consumer would be entitled to if they wanted to dispute the debt under provisions of the law.
Resources
- 12 CFR Part 1022 - Fair Credit Reporting (Regulation V)
- FCRA Procedures
- 15 U.S.C § 1681
- Title 12 Chapter X Part 1022
- Final rules and guidelines for the duties regarding the detection, prevention, and mitigation of identity theft are published in the Federal Register (72 FR 63718).
- The final rules and guidelines for duties of card issuers regarding changes of address are published in the Federal Register (72 FR 63718).
- The final rules and guidelines for the disposal of consumer information are published in the Federal Register (69 FR 77610).
Was this article helpful?