CFPB Fair Credit Reporting Act (FCRA) Procedures
1 These reflect FFIEC-approved procedures.
2 15 U.S.C. Secs. 1681–1681x.
3 15 U.S.C. Sec. 1601 et seq.
4 Pub. L. No. 108-159, 117 Stat. 1952.
5 Section 1029 of the Dodd-Frank Act generally excludes from this transfer of authority, subject to certain exceptions, any
rulemaking authority over a motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the
leasing and servicing of motor vehicles, or both.
6 The agency responsible for supervising and enforcing compliance with the provisions of the FCRA and the implementing
regulations will depend on the person subject to the FCRA (e.g., for financial institutions, jurisdiction will depend on the size and
charter of the institution).
Key Definitions
The FCRA uses a number of definitions. Key definitions include the following:
Adverse Action. With regard to credit transactions, the term “adverse action” has the same
meaning as used in Section 701(d)(6) [15 U.S.C. 1691(d)(6)] of the Equal Credit Opportunity
Act (ECOA), Regulation B, and the official staff commentary. Under the ECOA, it means a
denial or revocation of credit, a change in the terms of an existing credit arrangement, or a
refusal to grant credit in substantially the same amount or on terms substantially similar to those
requested. Under the ECOA, the term does not include a refusal to extend additional credit under
an existing credit arrangement where the applicant is delinquent or otherwise in default, or where
such additional credit would exceed a previously established credit limit.
7 The examination procedures do not currently contain a module on the requirements for consumer reporting agencies.
Legally Permissible Purposes. The FCRA allows a consumer reporting agency to furnish a
consumer report for the following circumstances and no other:
1. In response to a court order or Federal Grand Jury subpoena.
2. In accordance with the written instructions of the consumer.
3. To a person, including a financial institution, that the agency has reason to believe
intends to use the report as information for any of the following reasons:
a. In connection with a credit transaction involving the consumer (includes
extending, reviewing, and collecting credit);
b. For employment purposes; 8
c. In connection with the underwriting of insurance involving the consumer;
d. In connection with a determination of the consumer’s eligibility for a license or
other benefit granted by a governmental instrumentality that is required by law to
consider an applicant’s financial responsibility;
e. As a potential investor or servicer, or current insurer, in connection with a
valuation of, or an assessment of the credit or prepayment risks associated with,
an existing credit obligation;
8 Use of consumer reports for employment purposes requires specific advanced authorization, disclosure notices, and, if
applicable, adverse action notices. These issues are contained in Module 3 of the examination procedures.
The FCRA contains many substantive compliance requirements for consumer reporting agencies
designed to help ensure the accuracy and integrity of the consumer reporting system. As noted in
the definitions section, a consumer reporting agency is a person that generally furnishes
consumer reports to third parties. By their very nature, such third parties as banks, credit unions,
and other financial institutions have a significant amount of consumer information that could
constitute a consumer report, and thus communication of this information could cause the
institution to become a consumer reporting agency. The FCRA contains several exceptions that
enable parties, such as a financial institution, to communicate this type of information, within
strict guidelines, without becoming a consumer reporting agency.
Rather than containing strict information-sharing prohibitions, the FCRA creates a business
disincentive such that if an entity shares consumer report information outside of the exceptions,
then the institution is a consumer reporting agency and will be subject to the significant,
substantive requirements of the FCRA applicable to those entities. Typically, an entity such as a
financial institution will structure its information sharing practices within the exceptions to avoid
becoming a consumer reporting agency. This examination module generally covers the various
information-sharing practices within these exceptions.
Consumer Report and Information Sharing – Section 603(d);
15 U.S.C. 1681a(d)
Section 603(d) defines a consumer report to include information about a consumer such as that
which bears on a consumer’s creditworthiness, character, and capacity among other factors.
Communication of this information may cause a person, including a financial institution, to
become a consumer reporting agency. The statutory definition contains key exceptions to this
definition that enable persons to share this type of information under certain circumstances,
without becoming consumer reporting agencies. Specifically, the term “consumer report” does
not include:
1. A report containing information solely as to transactions or experiences between the
consumer and the person making the report. A person, including a financial
institution, may share information strictly related to its own transactions or
experiences with a consumer (such as the consumer’s payment history, or an account
with the institution) with any third party, without regard to affiliation, without
becoming a consumer reporting agency. The Privacy of Consumer Financial
Information regulations that implement the Gramm-Leach-Bliley Act (GLBA) may
restrict this type of information sharing because it meets the definition of nonpublic
personal information under the Privacy regulations. Therefore, sharing it with
nonaffiliated third parties may be subject to an opt-out notice under the privacy
regulations. In turn, the FCRA may also restrict activities that the GLBA permits. For
example, the GLBA permits a financial institution to share a list of its customers and
Specific Extensions of Credit. In addition, the term consumer report does not include the
communication of a specific extension of credit directly or indirectly by the issuer of a credit
card or similar device. For example, this exception allows a lender to communicate an
authorization through the credit card network to a retailer, to enable a consumer to complete a
purchase using a credit card.
Credit Decision to Third Party (for example, auto dealer). The term consumer report also does
not include any report in which a person, including a financial institution, who has been
requested by a third party to make a specific extension of credit directly or indirectly to a
Section 604(g) generally prohibits creditors from obtaining and using medical information in
connection with any determination of the consumer’s eligibility, or continued eligibility, for
credit. The statute contains no prohibition on creditors obtaining or using medical information
for other purposes that are not in connection with a determination of the consumer’s eligibility,
or continued eligibility for credit.
Section 604(g)(5)(A) requires the federal banking agencies and NCUA to prescribe regulations
that permit transactions that are determined to be necessary and appropriate to protect legitimate
operational, transactional, risk, consumer, and other needs (including administrative verification
purposes), consistent with the Congressional intent to restrict the use of medical information for
inappropriate purposes. On November 22, 2005, the FFIEC Agencies published final rules in the
Federal Register (70 FR 70664). The rules contain the general prohibition on obtaining or using
medical information, and provide exceptions for the limited circumstances when medical
information may be used. The rules define “credit” and “creditor” as having the same meanings
as in Section 702 of the ECOA (15 U.S.C. 1691a). On December 21, 2011, the CFPB restated
the implementing regulation at 12 CFR Part 1022 (76 Fed. Reg. 79308).
Obtaining and Using Unsolicited Medical Information (12 CFR 1022.30(c)). A creditor does not
violate the prohibition on obtaining medical information if it receives the medical information
pertaining to a consumer in connection with any determination of the consumer’s eligibility, or
continued eligibility, for credit without specifically requesting medical information. However,
Section 624 gives a consumer the right to restrict an entity, with which it does not have a pre-
existing business relationship, from using certain information obtained from an affiliate to make
solicitations to that consumer. This provision is distinct from Section 603(d)(2)(A)(iii) that gives
a consumer the right to restrict the sharing of certain consumer information among affiliates. 9
Under Section 624, an entity may not use information received from an affiliate to market its
products or services to a consumer, unless the consumer is given notice and a reasonable
opportunity and a reasonable and simple method to opt out of the making of such solicitations.
The affiliate marketing opt-out requirement applies to both transaction or experience information
and “other” information, such as information from credit reports and credit applications. On
November 7, 2007, the federal financial institution regulators published final regulations in the
9 See Module 2, Section 603(d) Consumer Report and Information Sharing, for provisions pertaining to the sharing of consumer
information. Under Section 603(d)(2)(A)(iii) of the FCRA, entities are responsible for complying with the affiliate sharing notice
and opt-out requirement, where applicable. Thus, under the FCRA, certain consumer information will be subject to two opt-out
notices, a sharing opt-out notice (Section 603(d)) and a marketing use opt-out notice (Section 624). These two opt-out notices
may be consolidated.
Eligibility information (12 CFR 1022.20(b)(3)) includes not only transaction and experience
information, but also the type of information found in consumer reports, such as information
from third-party sources and credit scores. Eligibility information does not include aggregate
or blind data that does not contain personal identifiers such as account numbers, names, or
addresses. 12
Pre-existing business relationship (12 CFR 1022.20(b)(4)) 13 means a relationship between a
person, such as a financial institution (or a person’s licensed agent), and a consumer based on:
1. A financial contract between the person and the consumer that is in force on the date
on which the consumer is sent a solicitation covered by the affiliate marketing
regulation;
2. The purchase, rental, or lease by the consumer of the person’s goods or services, or a
financial transaction (including holding an active account or a policy in force, or
having another continuing relationship) between the consumer and the person, during
the 18-month period immediately preceding the date on which the consumer is sent a
solicitation covered by the affiliate marketing regulation; or
3. An inquiry or application by the consumer regarding a product or service offered by
that person during the three-month period immediately preceding the date on which
the consumer is sent a solicitation covered by the affiliate marketing regulation.
10 See 12 CFR 1022.20(a) for the scope of entities covered by Subpart C of 12 CFR 1022.
11 See 12 CFR 1022.20 for other definitions.
12 Specifically, “eligibility information” is defined in the affiliate marketing regulation as “any information the communication
of which would be a consumer report if the exclusions from the definition of “consumer report” in Section 603(d)(2)(A) of the
[Fair Credit Reporting] Act did not apply.”
13 See 12 CFR 1022.20(b)(4)(ii) and (iii) for examples of pre-existing business relationships and situations where no pre-existing
business relationship exists.
A person, such as a financial institution, and its subsidiaries generally may not use eligibility
information about a consumer that it receives from an affiliate to make a solicitation for
marketing purposes to the consumer, unless:
1. It is clearly and conspicuously disclosed to the consumer in writing or, if the
consumer agrees, electronically, in a concise notice that the person may use eligibility
information about that consumer that it received from an affiliate to make
solicitations for marketing purposes to the consumer;
2. The consumer is provided a reasonable opportunity and a reasonable and simple
method to “opt out” (that is, the consumer prohibits the person from using eligibility
information to make solicitations for marketing purposes to the consumer); 14 and
3. The consumer has not opted out.
For example, a consumer has a homeowner’s insurance policy with an insurance company. The
insurance company shares eligibility information about the consumer with its affiliated
depository institution. Based on that eligibility information, the depository institution wants to
make a solicitation to the consumer about its home equity loan products. The depository
institution does not have a pre-existing business relationship with the consumer and none of the
other exceptions apply. The depository institution may not use eligibility information it received
from its insurance affiliate to make solicitations to the consumer about its home equity loan
products unless the insurance company gave the consumer a notice and opportunity to opt out
and the consumer does not opt out.
14 See 12 CFR 1022.24 and 1022.25 for examples of “a reasonable opportunity to opt out” and “reasonable and simple methods
for opting out.”
A person, such as a financial institution, (or a service provider acting on behalf of the person)
makes a solicitation for marketing purposes if:
1. The person receives eligibility information from an affiliate, including when the
affiliate places that information into a common database that the person may access;
2. The person uses that eligibility information to do one or more of the following:
a. Identify the consumer or type of consumer to receive a solicitation;
b. Establish criteria used to select the consumer to receive a solicitation; or
c. Decide which of the person’s products or services to market to the consumer or
tailor the financial institution’s solicitation to that consumer; and
3. As a result of the person’s, such as a financial institution’s, use of the eligibility
information, the consumer is provided a solicitation.
A person, such as a financial institution, does not make a solicitation for marketing
purposes (and therefore the affiliate marketing regulation, with its notice and opt-out
requirements, does not apply) in the situations listed below, commonly referred to as
“constructive sharing.” Constructive sharing occurs when a person, such as a financial
institution, provides criteria to an affiliate to use in marketing the financial institution’s
product and the affiliate uses the criteria to send marketing materials to the affiliate’s own
customers that meet the criteria. In this situation, the financial institution is not using
shared eligibility information to make solicitations.
1. The person provides criteria for consumers to whom it would like its affiliate to
market the person’s products. Then, based on these criteria, the affiliate uses eligibility
information that the affiliate obtained in connection with its own pre-existing
business relationship with the consumer to market the person’s products or services
(or directs its service provider to use the eligibility information in the same manner
and the person does not communicate with the service provider regarding that use).
2. A service provider, applying the person’s criteria, uses information from an affiliate,
such as that in a shared database, to market the person’s products or services to the
consumer, so long as it meets certain requirements, including all of the following.
a. The affiliate controls access to and use of its eligibility information by the service
provider under a written agreement between the affiliate and the service provider.
15 See 12 CFR 1022.21(b)(6) for examples of making solicitations.
The initial notice and opt-out requirements do not apply to a person, such as a financial
institution, if it uses eligibility information that it receives from an affiliate:
1. To make a solicitation for marketing purposes to a consumer with whom the person
has a pre-existing business relationship;
2. To facilitate communications to an individual for whose benefit the person provides
employee benefit or other services pursuant to a contract with an employer;
3. To perform services on behalf of an affiliate (but this would not allow solicitation
where the consumer has opted out);
4. In response to a communication about the person’s products or services initiated by
the consumer;
5. In response to a consumer’s authorization or request to receive solicitations; or
6. If the person’s compliance with the affiliate marketing regulation would prevent it
from complying with State insurance laws pertaining to unfair discrimination in any
state in which the person is lawfully doing business.
16 See 12 CFR 1022.21(d) for examples of exceptions to the initial notice and opt-out requirement.
A person, such as a financial institution, must provide to the consumer a reasonable and simple
method for the consumer to opt out. The opt-out notice must be clear, conspicuous, and concise,
and must accurately disclose specific information outlined in 12 CFR 1022.23(a), including that
the consumer may elect to limit the use of eligibility information to make solicitations to the
consumer. See Appendix C to the regulation for the model notices contained in the affiliate
marketing regulation.
Alternative contents. An affiliate that provides a consumer a broader right to opt out than that
required by the affiliate marketing regulation may satisfy the regulatory requirements by
providing the consumer with a clear, conspicuous, and concise notice that accurately discloses
the consumer’s opt-out rights.
Coordinated, consolidated, and equivalent notices. Opt-out and renewal notices may be
coordinated and consolidated with any other notice or disclosure required under any other
provision of law, such as the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801 et seq.
Renewal notices, which have additional required content (12 CFR 1022.27), may be
consolidated with the annual GLBA privacy notices.
17
Delivery of the Opt-Out Notice – 12 CFR 1022.21(a)(3) and 1022.26
An affiliate that has or previously had a pre-existing business relationship with the consumer
must provide the notice either individually or as part of a joint notice from two or more members
of an affiliated group of companies. The opt-out notice must be provided so that each consumer
can reasonably be expected to receive actual notice. A consumer may not reasonably be expected
to receive actual notice if, for example, the affiliate providing the notice sends the notice via
email to a consumer who has not agreed to receive electronic disclosures by email from the
affiliate providing the notice. 18
19
Scope of Opt-Out – 12 CFR 1022.22(a) and 1022.23(a)(2)
As a general rule, the consumer’s election to opt out prohibits any affiliate covered by the opt-
out notice from using eligibility information received from another affiliate, described in the
notice, to make solicitations to the consumer. If two or more consumers jointly obtain a product
or service, any of the joint consumers may exercise the right to opt out. It is impermissible to
require all joint consumers to opt out before implementing any opt-out direction.
17 See 12 CFR 1022.26(b) and (c) for examples of “reasonable expectation of actual notice” and “no reasonable expectation of
actual notice.”
18 For opt-out notices provided electronically, the notice may be provided in compliance with either the electronic disclosure
provisions of 12 CFR 1022.24(b)(2) and 1022.24(b)(3) or the provisions in section 101 of the Electronic Signatures in Global and
National Commerce Act, 15 U.S.C. 7001 et seq.
19 See 12 CFR 1022.22(a) for examples of the scope of the opt-out notice, including examples of continuing relationships.
A consumer may opt out at any time. The opt-out must be effective for a period of at least five
years beginning when the consumer’s opt-out election is received and implemented, unless the
consumer later revokes the opt-out in writing or, if the consumer agrees, electronically. An opt-
out period may be set at more than five years, including an opt-out that does not expire unless the
consumer revokes it.
20 See 12 CFR 1022.21(c) for exceptions.
21 An opt-out period may not be shortened by sending a renewal notice to the consumer before expiration of the opt-out period,
even if the consumer does not renew the opt-out. If a person provides an annual privacy notice under the Gramm-Leach-Bliley
Act, providing a renewal notice with the last annual privacy notice provided to the consumer before expiration of the opt-out
period is a reasonable period of time before expiration of the opt-out in all cases (12 CFR 1022.27(d)).
Appendix C of the affiliate marketing regulation contains model forms that may be used to comply
with the requirement for clear, conspicuous, and concise notices. The five model forms are:
C-1 Model Form for Initial Opt-Out Notice (Single-Affiliate Notice)
C-2 Model Form for Initial Opt-Out Notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary “No Marketing” Notice
Use of the model forms is not required and a person may make certain changes to the language
or format of the model forms without losing the protection from liability afforded by use of the
model forms. These changes may not be so extensive as to affect the substance, clarity, or
meaningful sequence of the language in the model forms. Institutions making such extensive
revisions will lose the safe harbor that Appendix C provides. Examples of acceptable changes are
provided in Appendix C to the regulation.
The FCRA requires entities such as financial institutions to provide consumers with various
notices and information under a variety of circumstances. This module contains examination
responsibilities for these various areas.
Use of Consumer Reports for Employment Purposes – Section 604(b);
15 U.S.C. 1681b(b)
Section 604(b) has specific requirements for persons, such as financial institutions, that obtain
consumer reports of their employees or prospective employees prior to, and/or during, the term of
employment. The FCRA generally requires the written permission of the consumer to procure a
consumer report for “employment purposes.” Moreover, the person must provide to the
consumer in writing a clear and conspicuous disclosure that it may obtain a consumer report for
employment purposes prior to procuring a report.
Prior to taking any adverse action involving employment that is based in whole or in part on the
consumer report, the user generally must provide to the consumer:
1. A copy of the report.
2. A description in writing of the rights of the consumer under this title, as the CFPB
prescribes under Section 609(c)(1).
At the time a financial institution takes adverse action in an employment situation, Section 615
requires that it must provide the consumer with an adverse action notice described later in this
module.
Prescreened Consumer Reports and Opt-Out Notice – Sections 604(c) and
615(d); 15 U.S.C. 1681b(c) and 15 U.S.C. 1681m(d); and 12 CFR 1022.54
Section 604(c) allows persons, including financial institutions, to obtain and use consumer
reports on any consumer in connection with any credit or insurance transaction that the consumer
does not initiate, to make firm offers of credit or insurance. This process, known as prescreening,
occurs when a financial institution obtains a list from a consumer reporting agency of consumers
who meet certain predetermined creditworthiness criteria and who have not elected to be
excluded from such lists.
These lists may only contain the following information:
1. The name and address of a consumer.
2. An identifier that is not unique to the consumer and that the person uses solely for the
purpose of verifying the identity of the consumer.
Section 615(d) contains consumer protections and technical notice requirements concerning
prescreened offers of credit or insurance. The FCRA requires nationwide consumer reporting
agencies to jointly operate an “opt-out” system, whereby consumers can elect to be excluded
from prescreened lists by calling a toll-free number.
When a person, such as a financial institution, obtains and uses these lists, it must provide
consumers with a Prescreened Opt-Out Notice with the offer of credit or insurance. This notice
alerts consumers that they are receiving the offer because they meet certain creditworthiness
Entities must provide a “short” notice and a “long” notice of the prescreened opt-out information
with each written solicitation made to consumers using prescreened consumer reports. They must
also comply with specific requirements concerning the content and appearance of these notices.
The short notice must be a clear and conspicuous, simple, and easy-to-understand statement as
follows:
1. Content. The short notice must state that the consumer has the right to opt out of
receiving prescreened solicitations. It must provide the toll-free number and direct
consumers to the existence and location of the long notice. It should also state the title
of the long notice. The short notice may not contain any other information.
2. Form. The short notice must be in a type size larger than the principal text on the
same page, but it may not be smaller than 12-point type. If a person, such as a
financial institution, provides the notice by electronic means, it must be larger than
the type size of the principal text on the same page.
3. Location. The short form must be on the front side of the first page of the principal
promotional document in the solicitation. If provided electronically, it must be on the
same page and in close proximity to the principal marketing message. The statement
must be located so that it is distinct from other information, such as inside a border,
and must be in a distinct type style, such as bolded, italicized, underlined, and/or in a
color that contrasts with the principal text on the page, if the solicitation is provided
in more than one color.
The long notice must also be a clear and conspicuous, simple, and easy-to-understand statement
as follows:
1. Content. The long notice must state the information required by Section 615(d) of the
FCRA and may not include any other information that interferes with, detracts from,
contradicts, or otherwise undermines the purpose of the notice.
2. Form. The notice must appear in the solicitation, be in a type size that is no smaller than
the type size of the principal text on the same page, and, for solicitations provided other
than by electronic means, the type size may not be smaller than 8-point type. The notice
must begin with a heading in capital letters, underlined, and identifying the long notice
as the “PRESCREEN & OPT-OUT NOTICE.” It must be in a type style that is distinct
You can choose to stop receiving “prescreened” offers of (credit or insurance) from this
and other companies by calling toll-free (toll-free number). See PRESCREEN & OPT-
OUT NOTICE on other side (or other location) for more information about
prescreened offers.
Section 605(g) provides that persons, including financial institutions, that accept debit and credit
cards for the transaction of business will be prohibited from issuing electronic receipts that
contain more than the last five digits of the card number, or the card expiration date, at the point
of sale or transaction. This requirement applies only to electronically developed receipts and
does not apply to hand-written receipts or those developed with an imprint of the card.
Disclosure of Credit Scores by Certain Mortgage Lenders – Section 609(g);
15 U.S.C. 1681g(g)
Section 609(g) requires creditors, such as financial institutions, that make or arrange mortgage
loans using credit scores to provide the score with accompanying information to the applicants.
Credit score
For purposes of this section, the term “credit score” is defined as a numerical value or a
categorization derived from a statistical tool or modeling system used by a person who makes or
arranges a loan to predict the likelihood of certain credit behaviors, including default (and the
The disclosure requirement applies to both closed-end and open-end loans that are for consumer
purposes and are secured by one- to four-family residential real properties, including purchase
and refinance transactions. This requirement will not apply in circumstances that do not involve
a consumer purpose, such as when a borrower obtains a loan secured by his or her residence to
finance his or her small business.
Specific required notice
Financial institutions in covered transactions that use credit scores must provide a disclosure
containing the following specific language, which is contained in 609(g)(1)(D):
In addition to the notice, a creditor, such as a financial institution, must also disclose the credit
score, the range of possible scores, the date that the score was created, and the “key factors” used
in the score calculation. “Key factors” are all relevant elements or reasons adversely affecting the
credit score for the particular individual, listed in the order of their importance, and based on
their effect on the credit score. The total number of factors to be disclosed must not exceed four.
However, if one of the key factors is the number of inquiries into a consumer’s credit
information, then the total number of factors must not exceed five. These key factors come from
information the consumer reporting agencies supplied with any consumer report that was
furnished containing a credit score (Section 605(d)(2)).
This disclosure requirement applies in any application for a covered transaction, regardless of the
final action the lender takes on the application. The FCRA requires a creditor to disclose all of
the credit scores used in these transactions. For example, if two joint applicants apply for a
mortgage loan to purchase a single-family residence and the lender uses both credit scores, then
the creditor needs to disclose both. The statute specifically does not require more than one
disclosure per loan. Therefore, if the creditor uses multiple scores, it can include all of them in
one disclosure containing the Notice to the Home Loan Applicant.
If a creditor uses a credit score that it did not obtain directly from a consumer reporting agency,
but may contain some information from a consumer reporting agency, the creditor may satisfy
this disclosure requirement by providing a score and associated key factor information that a
consumer reporting agency supplied. For example, certain automated underwriting systems
generate a score used in a credit decision. These systems are often populated by data obtained
from a consumer reporting agency. If a creditor uses this automated system, it may satisfy the
disclosure requirement by providing the applicants with a score and key factors a consumer
reporting agency supplied based on the data, including credit score(s) imported into the
automated underwriting system. This will provide applicants with information about their credit
history and its role in the credit decision, in the spirit of this section of the statute.
Timing
With regard to the timing of the disclosure, the statute requires that the creditor provide it as soon
as is reasonably practicable after using a credit score.
Section 615(a), Duties of Users Taking Adverse Actions on the Basis of Information Contained
in Consumer Reports, provides that when adverse action is taken with respect to any consumer
based in whole or in part on any information contained in a consumer report, the person, such as
a financial institution, must:
1. provide oral, written, or electronic notice of the adverse action to the consumer.
2. provide to the consumer written or electronic disclosures of a numerical credit score
used by such person in taking any adverse action based in whole or in part on any
information in a consumer report and the following information:
a. the range of possible credit scores under the model used;
b. all of the key factors that adversely affected the credit score, which shall not
exceed four key factors, except that if one of the key factors is the number of
enquiries made with respect to the consumer report, the number of key factors
shall not exceed five;
c. the date on which the credit score was created; and
d. the name of the person or entity that provided the credit score or credit file upon
which the credit score was created;
3. provide to the consumer orally, in writing, or electronically:
a. the name, address, and telephone number of the consumer reporting agency from
which it received the information (including a toll-free telephone number
Section 615(b), Adverse Action Based on Information Obtained from Third Parties Other than
Consumer Reporting Agencies, provides that, in general, whenever credit for personal, family, or
household purposes involving a consumer is denied or the charge for such credit is increased
either wholly or partly because of information obtained from a person other than a consumer
reporting agency bearing upon the consumer’s credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of living, the user of such
information shall:
1. At the time such adverse action is communicated, clearly and accurately disclose to
the consumer his right to make a written request for the reasons for such adverse
action within 60 days after learning of such adverse action; and
2. Within a reasonable period of time after receipt of such written request from the
consumer, disclose the nature of the information to the consumer.
If the adverse action described in 615(b)(2)(B) is (i) taken based in whole or in part on
information from a person related by common ownership or affiliated by common corporate
control to the person taking the action, and (ii) bears on the credit worthiness, credit standing,
credit capacity, character, general reputation, personal characteristics, or mode of living of the
consumer, and (iii) does not include information solely as to transactions or experiences between
the consumer and the person furnishing the information or information in a consumer report,
then the person taking the adverse action shall:
1. Notify the consumer of the action, including a statement that the consumer may
obtain the information upon written request from the consumer received within 60
days after transmittal of the notice required; and
2. Not later than 30 days after receipt of such written request from the consumer,
disclose to the consumer the nature of the information upon which the action is based.
Section 615(g) has specific requirements for persons, such as financial institutions, that act as
debt collectors, whereby they collect debts on behalf of a third party that is a creditor or other
user of a consumer report. The requirements do not apply when a person is collecting its own
loans. When a person is notified that any information relating to a debt that it is attempting to
collect may be fraudulent or may be the result of identity theft, the person must notify the third
party of this fact. In addition, if the consumer, to whom the debt purportedly relates, requests
information about the transaction, the person must provide all of the information the consumer
would otherwise be entitled to if the consumer wished to dispute the debt under other provisions
of law applicable to the person.
Risk-Based Pricing Notice – Section 615(h); 15 U.S.C. 1681m(h);
12 CFR 1022, Subpart H
Section 615(h) of the Fair Credit Reporting Act (FCRA) generally requires a user of consumer
reports, such as a creditor, to provide a risk-based pricing notice to a consumer when the
creditor, based on a consumer report, extends credit to the consumer on terms that are
“materially less favorable” than the terms the creditor has extended to other consumers. On
January 15, 2010, the Federal Reserve and the Federal Trade Commission (FTC) published final
rules in the Federal Register (75 Fed. Reg. 2724) implementing this section of the FCRA.
The risk-based pricing notice requirement is designed primarily to improve the accuracy of
consumer reports by alerting consumers to the existence of negative information in their
consumer reports so that the consumers can, if they choose, check their consumer reports for
accuracy and correct any inaccurate information. This notice provision is meant to complement
an existing provision of the FCRA, Section 615(a), whereby a creditor that denies a consumer’s
application for credit, based in whole or in part on information in a consumer’s report, must
provide an adverse action notice. Section 615(h) covers the situation where credit is offered on
“materially less favorable terms,” rather than being denied.
The Dodd-Frank Act amended Section 615(h) of the FCRA to require a person to disclose a
consumer’s credit score and certain information relating to the credit score, if a credit score is
used in making the credit decision. On July 15, 2011, the Federal Reserve Board and the FTC
published final rules (effective August 15, 2011) amending the risk-based pricing regulation to
effect the Dodd-Frank Act changes (76 FR 41602). On December 21, 2011, the CFPB restated
the FCRA regulations at 12 CFR Part 1022 (76 Fed. Reg. 79308).
Key Definitions – 12 CFR 1022.71
The following definitions pertain to the rules governing the risk-based pricing regulation:
Material terms means in general:
a. for open-end credit (except as provided in (b) and (d) below), the annual percentage
rate (APR) required to be disclosed in the account opening disclosures required under
A person must provide to a consumer a notice (“risk-based pricing notice”) in the form and
manner prescribed by the regulation if:
1. The person uses a consumer report in connection with an application for, or a grant,
extension, or other provision of, credit to a consumer for personal, family, or
household purposes; and
2. Based in whole or in part on the consumer report, the person grants, extends, or
otherwise provides credit to that consumer on material terms that are materially less
favorable than the most favorable material terms available to a substantial proportion
of consumers from that person.
The obligation to provide the notice applies to the creditor to whom the obligation is initially
payable, i.e., the original creditor. This interpretation excludes brokers and other intermediaries
who do not themselves grant, extend, or provide credit to consumers. See preamble to the final
regulation (75 FR 2730) (January 15, 2010).
Determination of which consumers must receive notice (12 CFR 1022.72(b)). A person may
determine, on a case-by-case basis, whether a consumer has received material terms that are
Alternative to 40/60 cutoff. The regulation provides an alternative to the 40/60 cutoff
discussed above for situations where more than 40 percent of consumers (e.g., 80
percent) receive the most favorable material terms. In such situations, the person may set
a different cutoff score based on its historical experience. The cutoff score would be set at
a point at which the approximate percentage of consumers who historically have received
the most favorable material terms based on their credit score would not receive a notice
in the future. Under this alternative, the risk-based pricing notices would be provided to
the approximate percentage of consumers who historically have been granted credit on
material terms other than the most favorable terms.
For example, based on a sample of credit extended in the past six months, a creditor may
determine that approximately 80 percent of its consumers received credit at its lowest
APR (i.e., the most favorable material terms), and 20 percent of its consumers received
credit at a higher APR (i.e., material terms other than the most favorable). Approximately
80 percent of the sampled consumers had a credit score at or above 750, and 20 percent
had a credit score below 750. As a result, the card issuer could select 750 as its cutoff
The rules contain a number of exceptions to the risk-based pricing notice requirement, as
follows:
1. when a consumer applies for specific material terms of credit (e.g., a specific APR),
and receives them, unless those terms were specified by the creditor using a consumer
report after the consumer applied for the credit and after the creditor obtained the
consumer report (12 CFR 1022.74(a));
2. when a person such as a creditor provides a notice of adverse action (12 CFR
1022.74(b));
3. when a person makes a firm offer of credit in a prescreened solicitation even if the
person makes other firm offers of credit to other consumers on more favorable
material terms (12 CFR 1022.74(c));
4. when a person generally provides a credit score disclosure to each consumer that
requests a loan that is or will be secured by residential real property (12 CFR
1022.74(d));
5. when a person generally provides a credit score disclosure to each consumer that
requests a loan that is not or will not be secured by residential real property (12 CFR
1022.74(e));
• in the form of a bar graph containing a minimum of six bars that illustrates the
percentage of consumers with credit scores within the range of scores
reflected in each bar,
• in a clear and readily understandable statement informing the consumer how his
or her credit score compares to the scores of other consumers.
The presentation may use a graph or statement obtained from the entity providing
the credit score if it meets these requirements.
Form of the notice. The 12 CFR 1022.74(d) notice must be:
1. clear and conspicuous;
2. provided on or with the notice required by Section 609(g) of the FCRA;
3. segregated from other information provided to the consumer, except for the notice
required by Section 609(g) of the FCRA; and
4. provided to the consumer in writing and in a form that the consumer may keep.
Timing. The 12 CFR 1022.74(d) notice must be provided to the consumer at the same time as the
disclosure required by Section 609(g) of the FCRA is provided to the consumer, which must be
provided as soon as reasonably practicable after the credit score has been obtained. In any event,
the 12 CFR 1022.74(d) notice must be provided at or before consummation in the case of closed-
end credit or before the first transaction is made under an open-end credit plan.
Content of the notice when using multiple credit scores. When a person obtains two or more
credit scores from consumer reporting agencies in setting material terms of credit, the content of
the 12 CFR 1022.74(d) notice varies depending upon whether the person only relies upon one of
the credit scores or relies upon multiple credit scores.
1. If a person only relies upon one of those credit scores in setting the material terms of
credit granted, extended, or otherwise provided to a consumer (for example, by using
the low, middle, high, or most recent score), the notice must include that credit score
and the other information required by 12 CFR 1022.74(d).
• in the form of a bar graph containing a minimum of six bars that illustrates the
percentage of consumers with credit scores within the range of scores
reflected in each bar;
The rules clarify that, in general, only one risk-based pricing notice or one credit score disclosure
exception notice is required to be provided per credit extension (however, an account review
would still be required, if applicable).
In a transaction involving two or more consumers who are granted, extended, or otherwise
provided credit, a person must provide a risk-based pricing notice to each consumer. If the
consumers have the same address, and the notice does not include a credit score(s), a person may
satisfy the requirements by providing a single notice addressed to both consumers. However, if a
notice includes a credit score(s), the person must provide a separate notice to each consumer
whether the consumers have the same address or not. Each separate notice that includes a credit
score(s) must contain only the credit score(s) of the consumer to whom the notice is provided,
and not the credit score(s) of the other consumer. Similarly, for credit score disclosure exception
notices, whether the consumers have the same address or not, the person must provide a separate
notice to each consumer and each separate notice that includes a credit score(s) must contain
only the credit score(s) of the consumer to whom the notice is provided.
A purchaser or assignee of a credit contract with a consumer is not subject to the risk-based
pricing notice requirements.
Appendix H
Appendix H contains seven optional model forms that may be used to comply with the
regulatory requirements. The seven model forms are:
1. H-1 Model form for risk-based pricing notice
2. H-2 Model form for account review risk-based pricing notice
3. H-3 Model form for credit score disclosure exception for credit secured by one to four
units of residential real property
4. H-4 Model form for credit score disclosure exception for loans not secured by
residential real property
The FCRA contains many responsibilities for persons, such as financial institutions, that furnish
information to consumer reporting agencies. These requirements generally involve ensuring the
accuracy of the data that is placed in the consumer reporting system. This examination module
includes reviews of the various areas associated with furnishers of information. This module will
not apply to persons that do not furnish any information to consumer reporting agencies.
Duties of Users of Credit Reports Regarding Address Discrepancies –
Section 605(h); 15 U.S.C. 1681c(h); 12 CFR 1022.82
Section 605(h)(1) requires that, when providing a consumer report to a person that requests the
report (a user), a nationwide consumer reporting agency (NCRA) must provide a notice of
address discrepancy to the user if the address provided by the user in its request “substantially
differs” from the address the NCRA has in the consumer’s file. Section 605(h)(2) requires the
federal banking agencies and the NCUA (the Agencies), and the FTC to prescribe regulations
providing guidance regarding reasonable policies and procedures that a user of a consumer report
should employ when such user has received a notice of address discrepancy. On November 9,
2007, the Agencies and the FTC published final rules in the Federal Register implementing this
section (72 FR 63718). On December 21, 2011, the CFPB restated the FCRA regulations at 12
CFR Part 1022 (76 Fed. Reg. 79308).
Key Definitions
Nationwide consumer reporting agency (NCRA). Section 603(p) defines an NCRA as one
that compiles and maintains files on consumers on a nationwide basis and regularly engages
in the practice of assembling or evaluating and maintaining the following two pieces of
information about consumers residing nationwide for the purpose of furnishing consumer
reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit
capacity:
1. public record information.
2. credit account information from persons who furnish that information regularly and in
the ordinary course of business.
Notice of address discrepancy (12 CFR 1022.82(b)). A “notice of address discrepancy” is a
notice sent to a user by an NCRA (Section 603(p)) that informs the user of a substantial
difference between the address for the consumer that the user provided to request the
consumer report and the address(es) in the NCRA’s file for the consumer.
A user must develop and implement reasonable policies and procedures designed to enable the
user to form a reasonable belief that the consumer report relates to the consumer whose report
was requested, when the user receives a notice of address discrepancy in connection with a new
or existing account.
The rules provide the following examples of reasonable policies and procedures for forming a
reasonable belief that a consumer report relates to the consumer whose report was requested:
1. comparing information in the consumer report with information the user:
a. has obtained and used to verify the consumer’s identity as required by the
Customer Identification Program rules (31 CFR 1020.220);
b. maintains in its records; or
c. obtains from a third party; or
2. verifying the information in the consumer report with the consumer.
Requirement to furnish a consumer’s address to an NCRA – 12 CFR 1022.82(d)
A user must develop and implement reasonable policies and procedures for furnishing to the
NCRA an address for the consumer that the user has reasonably confirmed is accurate when the
user does the following:
1. forms a reasonable belief that the report relates to the consumer whose report was
requested;
2. establishes a continuing relationship with the consumer (i.e., in connection with a
new account); and
3. regularly, and in the ordinary course of business, furnishes information to the NCRA
that provided the notice of address discrepancy.
A user’s policies and procedures for furnishing a consumer’s address to an NCRA must require the
user to furnish the confirmed address as part of the information it regularly furnishes to the NCRA
during the reporting period when it establishes a continuing relationship with the consumer.
Section 623(e) required the Agencies and the Federal Trade Commission (FTC) to:
1. issue guidelines for use by furnishers regarding the accuracy and integrity of the
information about consumers that they furnish to consumer reporting agencies;
2. prescribe regulations requiring furnishers to establish reasonable policies and
procedures for implementing the guidelines; and
3. issue regulations identifying the circumstances under which a furnisher must
reinvestigate disputes concerning the accuracy of information contained in a
consumer report based on a direct request from a consumer.
The Agencies and the FTC published final rules in the Federal Register (74 FR 31484)
implementing this section of FCRA. These rules took effect July 1, 2010. On December 21,
2011, the CFPB restated the FCRA regulations at 12 CFR Part 1022 (76 Fed. Reg. 79308).
Key Definitions – 12 CFR 1022.41
The following definitions pertain to the rules governing the furnishers of information to a
consumer reporting agency:
Accuracy means that the information a furnisher provides to a consumer reporting agency
about an account or other relationship with the consumer correctly:
1. reflects the terms of and liability for the account or other relationship;
2. reflects the consumer’s performance and other conduct with respect to the account or
other relationship; and
3. identifies the appropriate consumer.
Direct dispute means a dispute submitted by a consumer directly to a furnisher (including a
furnisher that is a debt collector) concerning the accuracy of any information contained in a
consumer report and pertaining to an account or other relationship that the furnisher has or
had with the consumer.
Section 623(a) states that a person, including a financial institution, may, but need not, specify
an address for receipt of notices from consumers concerning inaccurate information. If the
person specifies such an address, then it may not furnish information relating to a consumer to
any consumer reporting agency, if (a) the consumer notified the person, at the specified
address, that the information is inaccurate, and (b) the information is inaccurate. If the person
does not specify an address, then it may not furnish any information relating to a consumer to
any consumer reporting agency if the person knows or has reasonable cause to believe that the
information is inaccurate.
When a person that (regularly and in the ordinary course of business) furnishes information to
one or more consumer reporting agencies about its transactions or experiences with any
consumer determines that any such information is not complete or accurate, the person must
promptly notify the consumer reporting agency of that determination. The person must provide
corrections to that information or any additional information necessary to make the information
complete and accurate to the consumer reporting agency. Further, the person thereafter must not
furnish any information that remains incomplete or inaccurate to the consumer reporting agency.
If a consumer disputes the completeness or accuracy of any information a person furnishes to a
consumer reporting agency, that person may not furnish the information to any consumer
reporting agency without notice that the consumer disputes the information.
Reasonable policies and procedures concerning the accuracy and integrity of
furnished information (12 CFR 1022.42) and Interagency Guidelines (Appendix E)
Each furnisher must establish and implement reasonable written policies and procedures
regarding the accuracy and integrity of consumer information that it furnishes to a consumer
reporting agency. The policies and procedures must be appropriate to the nature, size,
complexity, and scope of each furnisher’s activities. In developing its policies and procedures, a
furnisher must consider the Interagency Guidelines and may include its existing policies and
procedures that are relevant and appropriate. Each furnisher must also review its policies and
procedures periodically and update them as necessary to ensure their continued effectiveness.
The guidelines’ recommendations include the following:
1. using standard data reporting formats and standard procedures for compiling and
furnishing data, where feasible, such as electronic transmission of information about
consumers to consumer reporting agencies;
2. maintaining records for a reasonable period of time, not less than any applicable
recordkeeping requirement, in order to substantiate the accuracy of any information
furnished about consumers to consumer reporting agencies that is subject to a direct
dispute; and
3. training staff that participates in activities related to the furnishing of information
about consumers to consumer reporting agencies.
This section requires a person, including a financial institution, who regularly and in the ordinary
course of business furnishes information to a consumer reporting agency regarding one of its
consumer credit accountholders, to notify the consumer reporting agency of the consumer’s
voluntary account closure. This notice is to be furnished to the consumer reporting agency as part
of the regularly furnished information for the period in which the account is closed.
Notice involving delinquent accounts – Section 623(a)(5);
15 U.S.C. 1681s-2(a)(5)
This section requires that a person, including a financial institution, that furnishes information to
a consumer reporting agency about a delinquent account placed for collection, charged off, or
subjected to any similar action, must, not later than 90 days after furnishing the information to
the consumer reporting agency, notify the consumer reporting agency of the month and year of
the commencement of the delinquency that immediately preceded the action.
Duties upon notice of dispute from a consumer reporting agency –
Section 623(b); 15 U.S.C. 1681s-2(b)
This section requires that whenever a person, such as a financial institution, receives a notice of
dispute from a consumer reporting agency regarding the accuracy or completeness of any
information the person provided to a consumer reporting agency pursuant to Section 611
(Procedure in Case of Disputed Accuracy), that person must, pursuant to Section 623(b):
1. conduct an investigation regarding the disputed information;
2. review all relevant information the consumer reporting agency provided along with
the notice;
3. report the results of the investigation to the consumer reporting agency;
4. if the investigation finds the information is incomplete or inaccurate, report those
results to all nationwide consumer reporting agencies to which the financial
institution previously provided the information; and
5. if the disputed information is incomplete, inaccurate, or not verifiable by the person,
it must promptly, for purposes of reporting to the consumer reporting agency, do one
of the following:
a. modify the item of information.
b. delete the item of information.
c. permanently block the reporting of that item of information.
General rule. A furnisher must conduct a reasonable investigation of a direct dispute (unless
exceptions, described later, apply) if the dispute relates to:
1. the consumer’s liability for a credit account or other debt with the furnisher, such as
direct disputes relating to whether there is or has been identity theft or fraud against
the consumer, whether there is individual or joint liability on an account, or whether
the consumer is an authorized user of a credit account;
2. the terms of a credit account or other debt with the furnisher, such as direct disputes
relating to the type of account, principal balance, scheduled payment amount on an
account, or the amount of the credit limit on an open-end account;
3. the consumer’s performance or other conduct concerning an account or other
relationship with the furnisher, such as direct disputes relating to the current payment
status, high balance, payment date, the payment amount, or the date an account was
opened or closed; or
4. any other information contained in a consumer report regarding an account or other
relationship with the furnisher that bears on the consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation, personal characteristics, or
mode of living.
Exceptions. The direct dispute requirements do not apply to a furnisher if the direct dispute
relates to:
1. the consumer’s identifying information such as name(s), date of birth, Social Security
number, telephone number(s), or address(es);
2. the identity of past or present employers;
3. inquiries or requests for a consumer report;
4. information derived from public records, such as judgments, bankruptcies, liens, and
other legal matters (unless the information was provided by a furnisher with an
account or other relationship with the consumer);
5. information related to fraud alerts or active duty alerts; or
6. information provided to a consumer reporting agency by another furnisher.
Section 623(a) has specific requirements for furnishers of information, including financial
institutions, to a consumer reporting agency that received notice from a consumer reporting
agency that furnished information may be fraudulent as a result of identity theft. Section 605B,
Block of Information Resulting From Identity Theft, requires consumer reporting agencies to
notify furnishers of information, including financial institutions, that the information may be the
result of identity theft, an identity theft report has been filed, and that a block has been requested.
Upon receiving such notice, Section 623(a)(6) requires furnishers to establish and follow
reasonable procedures to ensure that they do not re-report this information to the consumer
reporting agency, thus “re-polluting” the victim’s consumer report.
Section 623(a)(7) requires a financial institution to provide consumers with a notice either before
it provides negative information to a nationwide consumer reporting agency, or within 30 days
after reporting the negative information.
Institutions may provide this disclosure on or with any notice of default, any billing statement, or
any other materials provided to the customer, as long as the notice is clear and conspicuous.
Institutions may also choose to provide this notice to all customers as an abundance of caution.
However, financial institutions may not include this notice in the initial disclosures provided
under Section 127(a) of the Truth in Lending Act.
Key Definitions
Negative information. For these purposes, “negative information” means any information
concerning a customer’s delinquencies, late payments, insolvency, or any form of default.
Nationwide consumer reporting agency. Section 603(p) of the FCRA defines a “nationwide
consumer reporting agency” as a:
consumer reporting agency that compiles and maintains files on consumers on a
nationwide basis.
It defines this type of consumer reporting agency as one that regularly assembles or evaluates,
and maintains, each of the following regarding consumers residing nationwide for the purpose of
furnishing consumer reports to third parties bearing on a consumer’s creditworthiness, credit
standing, or credit capacity:
1. public record information.
2. credit account information from persons who furnish that information regularly and in
the ordinary course of business.
Institutions may use the following model text to comply with these requirements. The first model
contains text an institution can use when it provides a notice before furnishing negative
information. The second model form contains text to use when an institution provides notice
within 30 days after reporting negative information:
The FCRA contains several provisions for both consumer reporting agencies and users of
consumer reports, including financial institutions, that are designed to help combat identity theft.
This module applies to persons that are not consumer reporting agencies, but are users of
consumer reports.
Two primary requirements exist for users of consumer reports: first, a user of a consumer report
that contains a fraud or active duty alert must take steps to verify the identity of an individual to
whom the consumer report relates, and second, a person must disclose certain information when
consumers allege that they are the victims of identity theft.
Fraud and Active Duty Alerts – Section 605A(h); 15 U.S.C. 1681c-1(h)
Consumers who suspect that they may be the victims of fraud including identity theft may
request nationwide consumer reporting agencies to place initial fraud alerts in their consumer
reports. These alerts must remain in a consumer’s report for no less than 90 days. In addition,
members of the armed services who are called to active duty may also request that active duty
alerts be placed in their consumer reports. Active duty alerts must remain in these service
members’ files for no less than 12 months.
Section 605A(h)(1)(B), Limitations on Use of Information for Credit Extensions, requires users
of consumer reports, including financial institutions, to verify a consumer’s identity if a
consumer report includes a fraud or active duty alert. Unless the user of the consumer report uses
reasonable policies and procedures to form a reasonable belief that it knows the identity of the
person making the request, the user may not:
1. establish a new credit plan or extension of credit (other than under an open-end credit
plan) in the name of the consumer;
2. issue an additional card on an existing account; or
3. increase a credit limit.
Extended Alerts
Consumers who allege that they are the victim of an identity theft may also place an extended
alert, which lasts seven years, on their consumer report. Extended alerts require consumers to
submit identity theft reports and appropriate proof of identity to the nationwide consumer
reporting agencies.
Section 605A(h)(2)(B), Limitation on Users, requires a user that obtains a consumer report that
contains an extended alert to contact the consumer in person or by the method the consumer lists
in the alert prior to performing any of the three actions listed above.
Section 609(e) requires a person, such as a financial institution, to provide records of fraudulent
transactions to victims of identity theft within 30 days after the receipt of a request for the
records. These records include the application and business transaction records under the control
of the person whether maintained by the person itself or another person on behalf of the
institution (such as a service provider).
The person should provide this information to any of the following:
1. the victim;
2. any federal, state, or local government law enforcement agency or officer specified by
the victim in the request; or
3. any law enforcement agency investigating the identity theft that was authorized by the
victim to take receipt of these records.
The victim must make the request for the records in writing and send it to the person at the
address specified by the person for this purpose. The person may ask the victim to provide
information, if known, regarding the date of the transaction or application, and any other
identifying information such as an account or transaction number.
Unless the person has a high degree of confidence that it knows the identity of the victim making
the request for information, the person must take prudent steps to positively identify the person
before disclosing any information. Proof of identity can include any of the following:
1. a government-issued identification card;
2. personally identifying information of the same type that was provided to the person
by the unauthorized person; or
3. personally identifying information that the person typically requests from new
applicants or for new transactions.
At the election of the person, the victim must also provide the person with proof of an identity
theft complaint, which may consist of a copy of a police report evidencing the claim of identity
theft and a copy of a properly completed affidavit. The CFPB’s Identity Theft Affidavit is
available on the CFPB’s website (consumerfinance.gov/learnmore). The version of this form
developed by the FTC and available on the FTC’s Website (ftc.gov/idtheft) remains valid and
sufficient for this purpose (12 CFR 1022.3(i)(3)(ii)).
Section 615(e) requires the federal banking agencies and the NCUA (the Agencies) as well as the
FTC to prescribe regulations and guidelines for entities under their enforcement authority
regarding the detection, prevention, and mitigation of identity theft. On November 9, 2007, the
Agencies published final rules and guidelines in the Federal Register implementing this section
(72 FR 63718). The Agencies also have issued examination procedures for the implementing
regulations. CFPB examiners are not expected to examine for compliance with Section 615(e).
If CFPB examiners become aware of potential issues in this area, the appropriate federal
regulator should be notified.
Duties of Card Issuers Regarding Changes of Address – Section 615(e);
15 U.S.C. 1681m(e)
Section 615(e)(1)(C) requires the Agencies and the FTC to prescribe regulations for debit and
credit card issuers regarding the assessment of the validity of address changes for existing
accounts. On November 9, 2007, the Agencies and the FTC published final rules in the Federal
Register implementing this section (72 FR 63718). The regulations require card issuers to have
procedures to assess the validity of an address change if the card issuer receives a notice of
change of address for an existing account, and within a short period of time (during at least the
first 30 days), receives a request for an additional or replacement card for the same account. The
Agencies also have issued examination procedures for the implementing regulations. CFPB
examiners are not expected to examine for compliance with Section 615(e). If CFPB examiners
become aware of potential issues in this area, the appropriate federal regulator should be notified.
Disposal of Consumer Information – Section 628; 15 U.S.C. 1681w
Section 628 requires the federal banking agencies to prescribe regulations for entities under their
enforcement authority regarding the proper disposal of consumer information. On December 28,
2004, the federal banking agencies published final rules and guidelines in the Federal Register
implementing this section (69 FR 77610). The agencies also have issued examination procedures
for the implementing regulations. CFPB examiners are not expected to examine for compliance
REFERENCES
Laws
15 U.S.C. 1681 et seq. Fair Credit Reporting Act
Regulations
Consumer Financial Protection Bureau Regulation (12 CFR)
• To assess the quality of the covered entity’s compliance risk management system to ensure
compliance with the FCRA, as amended.
• To determine the reliance that can be placed on the covered entity’s internal controls and
procedures for monitoring the entity’s compliance with the FCRA.
• To direct corrective action when violations of law are identified, or when the covered entity’s
policies or internal controls are deficient.
1
These reflect FFIEC-approved procedures.
2
These procedures do not currently contain a module on the requirements for consumer reporting agencies.
• obtain a copy of a billing statement or other list of consumer reports obtained by the
entity from the consumer reporting agency for a period of time; and
• compare this list, or a sample from this list to the entity’s records to ensure that there is a
permissible purpose for the report(s) obtained. This could include any permissible
purpose, such as the consumer applied for credit, insurance, or employment, etc. The
entity may also obtain a report in connection with the review of an existing account.
1. Review the entity’s policies, procedures, and practices concerning the sharing of consumer
information with third parties, including both affiliated and nonaffiliated third parties.
Determine the type of information shared and with whom the information is shared. (This
portion of the examination process may overlap with a review of the entity’s compliance with
the Privacy of Consumer Financial Information Regulations that implement the Gramm-
Leach-Bliley Act (GLBA).)
2. Determine whether the entity’s information sharing practices fall within the exceptions to the
definition of a consumer report. If they do not, the entity could be considered a consumer
reporting agency and subject to the FCRA requirements for consumer reporting agencies.
3. If the entity shares information other than transaction and experience information with
affiliates subject to opt-out provisions, determine whether the entity’s GLBA privacy notice
contains information regarding how to opt out, as required by the Privacy of Consumer
Financial Information regulations.
4. If procedural weaknesses or other risks requiring further investigation are noted, obtain a
sample of opt-out rights exercised by consumers and determine if the entity honored the opt-
out requests by not sharing “other information” about the consumers with the entity’s
affiliates subsequent to receiving a consumer’s opt-out direction.
Protection of Medical Information – Section 604(g); 15 U.S.C. 1681b(g);
12 CFR 1022, Subpart D
1. Review the entity’s policies, procedures, and practices concerning the collection and use of
consumer medical information in connection with any determination of the consumer’s
eligibility, or continued eligibility for credit.
2. If the entity’s policies, procedures, and practices allow for obtaining and using consumer
medical information in the context of a credit transaction, determine whether there are
adequate controls in place to ensure that the information is only used subject to the financial
information exception in the rules, or under a specific exception within the rules.
3. If procedural weaknesses or other risks requiring further investigation are noted, obtain
samples of credit transactions to determine whether the use of medical information pertaining
to a consumer was done strictly under the financial information exception or the specific
exceptions under the regulation.
4. Determine whether the entity has adequate policies and procedures in place to limit the
redisclosure of consumer medical information that was received from a consumer reporting
agency or an affiliate.
1. Determine whether the entity receives consumer eligibility information from an affiliate. Stop
here if it does not because Subpart C of 12 CFR 1022 does not apply.
2. Determine whether the entity uses consumer eligibility information received from an affiliate
to make a solicitation for marketing purposes that is subject to the notice and opt-out
requirements. If it does not, stop here.
3. Evaluate the entity’s policies, procedures, practices and internal controls to ensure that,
where applicable, the consumer is provided with an appropriate notice, a reasonable
opportunity, and a reasonable and simple method to opt out of the entity’s using eligibility
information to make solicitations for marketing purposes to the consumer, and that the entity
is honoring the consumer’s opt-outs.
4. If compliance risk management weaknesses or other risks requiring further investigation are
noted, obtain and review a sample of notices to ensure technical compliance and a sample of
opt-out requests from consumers to determine if the entity is honoring the opt-out requests.
a. Determine whether the opt-out notices are clear, conspicuous, and concise and contain
the required information, including the name of the affiliate(s) providing the notice, a
general description of the types of eligibility information that may be used to make
solicitations to the consumer, and the duration of the opt out (12 CFR 1022.23(a)).
b. Review opt-out notices that are coordinated and consolidated with any other notice or
disclosure that is required under other provisions of law for compliance with the affiliate
marketing regulation (12 CFR 1022.23(b)).
c. Determine whether the opt-out notices and renewal notices provide the consumer a
reasonable opportunity to opt out and a reasonable and simple method to opt out (12 CFR
1022.24 and .25).
d. Determine whether the opt-out notice and renewal notice are provided (by mail, delivery
or electronically) so that a consumer can reasonably be expected to receive that actual
notice (12 CFR 1022.26).
e. Determine whether, after an opt-out period expires, an entity provides a consumer a
renewal notice prior to making solicitations based on eligibility information received
from an affiliate (12 CFR 1022.27).
1. Determine whether the entity obtained and used prescreened consumer reports in connection
with offers of credit and/or insurance.
2. Evaluate the entity’s policies and procedures to determine if a list of the criteria used for
prescreened offers, including all post-application criteria, is maintained in the entity’s files
and the criteria are applied consistently when consumers respond to the offers.
3. Determine if written solicitations contain the required disclosures of the consumers’ right to
opt-out of prescreened solicitations and comply with all requirements applicable at the time
of the offer.
4. If procedural weaknesses or other risks requiring further investigation are noted, obtain and
review a sample of approved and denied responses to the offers to ensure that criteria were
appropriately followed.
Truncation of Credit and Debit Card Account Numbers – Sections 605(g);
15 U.S.C. 1681c(g)
1. Determine whether the entity’s policies and procedures ensure that electronically generated
receipts from automated teller machines and point-of-sale terminals or other machines do not
contain more than the last five digits of the card number and do not contain the expiration dates.
2. If procedural weaknesses or other risks requiring further investigation are noted, review
samples of actual receipts to ensure compliance.
1. Determine if the entity uses credit scores in connection with applications for closed-end or
open-end loans secured by one- to four-family residential real property.
2. Evaluate the entity’s policies and procedures to determine whether accurate disclosures are
provided to applicants as soon as is reasonably practicable after using credit scores.
3. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of disclosures given to home loan applicants to determine technical compliance with
the requirements.
Adverse Action Disclosures – Sections 615(a) and (b);
15 U.S.C. 1681m(a) and (b)
1. Determine whether the policies and procedures adequately ensure that the creditor or other
person provides the appropriate disclosures, including the consumer’s credit score as
appropriate, when it takes adverse action against consumers based in whole or in part on
information contained in a consumer report or specified information received from third
parties, including affiliates.
2. Review the policies and procedures of the creditor or other person for responding to requests
for information in response to these adverse action notices.
3. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of adverse action notices to determine if they are accurate and in technical
compliance.
Debt Collector Communications Concerning Identity Theft –
Sections 615(g); 15 U.S.C. 1681m(g)
1. Determine whether the creditor (or other person) uses consumer report information in
consumer credit decisions.
If yes, determine whether the creditor uses such information to provide credit on terms that
are “materially less favorable” than the most favorable material terms available to a
substantial proportion of its consumers. Relevant factors in determining the significance of
differences in the cost of credit include the type of credit product, the term of the credit
extension, and the extent of the difference.
If “yes,” the creditor is subject to the risk-based pricing regulations.
2. Determine the method the creditor uses to identify consumers who must receive a risk-based
pricing notice and whether the method complies with the regulation (12 CFR 1022.72(b)).
a. For creditors that use the direct comparison method (12 CFR 1022.72(b)), determine
whether the creditor directly compares the material terms offered to each consumer and
the material terms offered to other consumers for a specific type of credit product.
b. For creditors that use the credit score proxy method (12 CFR 1022.72(b)(1)):
i. determine whether the creditor calculates the cutoff score by considering the credit
scores of all, or a representative sample, of consumers who have received credit for
a specific type of credit product;
ii. determine whether the creditor recalculates the cutoff score no less than every two
years;
iii. for new entrants into the credit business, for new products subject to risk-based
pricing, or for acquired credit portfolios, determine whether the creditor
recalculates the cutoff scores within time periods specified in the regulation;
iv. for creditors using more than one credit score to set material terms, determine
whether the creditor establishes a cutoff score according to the methods specified
in the regulation; and
v. if no credit score is available for a consumer, determine whether the creditor
provides the consumer a risk-based pricing notice.
c. For creditors that use the tiered pricing method (12 CFR 1022.72(b)(2)):
i. when four or fewer pricing tiers are used, determine if the creditor sends risk-based
pricing notices to consumers who do not qualify for the top, best-priced tier; or
ii. when five or more pricing tiers are used, determine if the creditor provides risk-based
pricing notices to consumers who do not qualify for the two top, best-priced tiers and
• For closed-end credit, the notice generally must be provided to the consumer after the
decision to approve a credit request is communicated to the consumer, but before
consummation of the transaction.
• For open-end credit, the notice generally must be provided after the decision to grant
credit is communicated to the consumer, but before the first transaction under the plan
has been made.
• For account reviews, the notice generally must be provided at the time that the decision to
increase the APR is communicated to the consumer or no later than five days after the
effective date of the change in the APR.
• The credit score disclosure for loans secured by residential real property must be
provided to the consumer at the same time as the disclosure required by Section 609(g) of
the FCRA is provided to the consumer. The Section 609(g) notice must be provided as
soon as reasonably practicable after the credit score has been obtained. In any event, the
credit score disclosure for loans secured by residential real property must be provided at
or before consummation in the case of closed-end credit or before the first transaction is
made under an open-end credit plan.
Credit score disclosures for loans not secured by residential real property
• The notice generally must be provided to the consumer as soon as reasonably practicable
after the credit score has been obtained, but in any event at or before consummation in
the case of closed-end credit or before the first transaction is made under an open-end
credit plan.
• The notice generally must be provided to the consumer as soon as reasonably practicable
after the creditor has requested the credit score, but in any event not later than
consummation of a transaction in the case of closed-end credit or when the first
transaction is made under an open-end credit plan.
Application to certain automobile lending transactions
• For credit that is granted under an open-end credit plan to a consumer in person or by
telephone for contemporaneous purchase of goods or services, the notice may be
provided at the earlier of:
o the time of the first mailing to the consumer after the decision is made to approve the
credit, such as in a mailing containing the account agreement or a credit card; or
o within 30 days after the decision to approve the credit.
14. For all notices, determine whether the creditor follows the rules of construction pertaining to
the number of notices provided to the consumer(s) (12 CFR 1022.75). In a transaction
involving two or more consumers, a creditor must provide a risk-based notice to each
consumer. If the consumers have the same address, and the notice does not include a credit
score(s), a person may satisfy the requirements by providing a single notice addressed to both
consumers. However, if a notice includes a credit score(s), the person must provide a
separate notice to each consumer whether the consumers have the same address or not. Each
separate notice that includes a credit score(s) must contain only the credit score(s) of the
consumer to whom the notice is provided, and not the credit score(s) of the other consumer.
Similarly, for credit score disclosure exception notices, whether the consumers have the same
address or not, the creditor must provide a separate notice to each consumer and each
separate notice that includes a credit score(s) must contain only the credit score(s) of the
consumer to whom the notice is provided.
15. For all notices, determine whether the creditor uses the model forms in Appendix H of the
regulation. If yes, determine that it does not modify the model form so extensively as to
affect the substance, clarity, comprehensibility, or meaningful sequence of the forms
(Appendix H).
1. Determine whether a user of consumer reports has policies and procedures to recognize
notices of address discrepancy that it receives from a nationwide consumer reporting agency
(NCRA) 3 in connection with consumer reports.
2. Determine whether a user that receives notices of address discrepancy has policies and
procedures to form a reasonable belief that the consumer report relates to the consumer
whose report was requested (12 CFR 1022.82(c)).
See examples of reasonable policies and procedures “to form a reasonable belief” in 12 CFR
1022.82(c)(2).
3. Determine whether a user that receives notices of address discrepancy has policies and
procedures to furnish to the NCRA an address for the consumer that the user has reasonably
confirmed is accurate, if the user does the following:
a. forms a reasonable belief that the report relates to the consumer;
b. establishes a continuing relationship with the consumer; and
c. regularly, and in the ordinary course of business, furnishes information to the NCRA (12
CFR 1022.82(d)(1)).
See examples of reasonable confirmation methods in 12 CFR 1022.82(d)(2).
4. Determine whether the user’s policies and procedures require it to furnish the confirmed
address as part of the information it regularly furnishes to an NCRA during the reporting
period when it establishes a relationship with the consumer (12 CFR 1022.82(d)(3)).
5. If procedural weaknesses or other risks requiring further information are noted, obtain a
sample of consumer reports requested by the user from an NCRA that included notices of
address discrepancy and determine:
a. how the user established a reasonable belief that the consumer reports related to the
consumers whose reports were requested; and
b. if a consumer relationship was established:
3
A NCRA compiles and maintains files on consumers on a nationwide basis.
1. If the entity provides information to a consumer reporting agency, review the entity’s policies
and procedures for ensuring that items of information blocked because of an alleged identity
theft are not re-reported to the consumer reporting agency.
2. If weaknesses are noted within the entity’s policies and procedures, review a sample of
notices from a consumer reporting agency of allegedly fraudulent information due to identity
theft furnished by the entity, to determine whether the entity does not re-report the item to a
consumer reporting agency.
3. If procedural weaknesses or other risks requiring further investigation are noted, verify that
the entity has not sold or transferred a debt that resulted from an alleged identity theft.
Negative Information Notice – Section 623(a)(7); 15 U.S.C. 1681s-2(a)(7);
12 CFR 1022.1(b)(1)(ii)
1. If the entity provides negative information to a nationwide consumer reporting agency, verify
that the entity’s policies and procedures ensure that the appropriate notices are provided to
consumers.
2. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of notices provided to consumers to determine compliance with the technical content
and timing requirements.
1. Determine whether the entity has effective policies and procedures in place to verify the
identity of consumers in situations in which consumer reports include fraud and/or active
duty military alerts.
2. Determine if the entity has effective policies and procedures in place to contact consumers in
situations where consumer reports include extended alerts.
3. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of transactions in which consumer reports including these types of alerts were
obtained. Verify that the entity complied with the identity verification and/or consumer
contact requirements.
Information Available to Victims – Section 609(e); 15 U.S.C. 1681g(e)
1. Review the entity’s policies, procedures, and/or practices to determine whether identities and
claims of fraudulent transactions are verified and whether information is properly disclosed
to victims of identity theft and/or appropriately authorized law enforcement agents.
2. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of these types of requests to determine whether the entity properly verified the
requestor’s identity prior to disclosing the information.