CFPB Fair Credit Reporting Act Fcra Procedures

Download as pdf or txt
Download as pdf or txt
You are on page 1of 86

CFPB Consumer

Laws and Regulations FCRA


1
Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) 2 became effective on April 25, 1971. The FCRA is a part
of a group of acts contained in the Federal Consumer Credit Protection Act 3 such as the Truth in
Lending Act and the Fair Debt Collection Practices Act.
Congress substantively amended the FCRA upon the passage of the Fair and Accurate Credit
Transactions Act of 2003 (FACT Act). 4 The FACT Act created many new responsibilities for
consumer reporting agencies and users of consumer reports. It contained many new consumer
disclosure requirements as well as provisions to address identity theft. In addition, it provided
free annual consumer report rights for consumers and improved access to consumer report
information to help increase the accuracy of data in the consumer reporting system.
In 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act
(Dodd-Frank Act), which granted rule-making authority under FCRA (except for Section 615(e)
(red flag guidelines and regulation) and Section 628 (disposal of records)) to the Consumer
Financial Protection Bureau (CFPB). The Dodd-Frank Act also amended two provisions of the
FCRA to require the disclosure of a credit score and related information when a credit score is
used in taking an adverse action or in risk-based pricing. 5 6
On December 21, 2011, the CFPB restated FCRA regulations under its authority at 12 CFR Part
1022 (76 Fed. Reg. 79308).

1
These reflect FFIEC-approved procedures.
2
15 U.S.C. Secs. 1681–1681x.
3
15 U.S.C. Sec. 1601 et seq.
4
Pub. L. No. 108-159, 117 Stat. 1952.
5
Section 1029 of the Dodd-Frank Act generally excludes from this transfer of authority, subject to certain exceptions, any
rulemaking authority over a motor vehicle dealer that is predominantly engage in the sale and servicing of motor vehicles, the
leasing and servicing of motor vehicles, or both.
6
The agency responsible for supervising and enforcing compliance with the provisions of the FCRA and the implementing
regulations will depend on the person subject to the FCRA (e.g., for financial institutions, jurisdiction will depend on the size and
charter of the institution).

CFPB Manual V.2 (October 2012) FCRA 1


CFPB Consumer
Laws and Regulations FCRA
The FCRA contains responsibilities both for entities that are consumer reporting agencies and for
persons that operate in any of the following capacities:
1. Procurers and users of information (for example, as credit grantors, purchasers of dealer
paper, or when opening deposit accounts);
2. Furnishers and transmitters of information (by reporting information to consumer
reporting agencies, other third parties, or to affiliates);
3. Marketers of credit or insurance products; and
4. Employers.

Structure and Overview of Examination Modules


The examination procedures are structured as a series of modules, grouping similar requirements
together. 7 The modules contain general information about each of the requirements:
Module 1 Obtaining Consumer Reports
Module 2 Obtaining Information and Sharing Among Affiliates
Module 3 Disclosures to Consumers and Miscellaneous Requirements
Module 4 Furnishers of Information
Module 5 Consumer Alerts and Identity Theft Protections
Financial institutions and other persons are subject to a number of different requirements under
the FCRA; some are contained directly in the statute, while others are in 12 CFR 1022.

Key Definitions
The FCRA uses a number of definitions. Key definitions include the following:
Adverse Action. With regard to credit transactions, the term “adverse action” has the same
meaning as used in Section 701(d)(6) [15 U.S.C. 1691(d)(6)] of the Equal Credit Opportunity
Act (ECOA), Regulation B, and the official staff commentary. Under the ECOA, it means a
denial or revocation of credit, a change in the terms of an existing credit arrangement, or a
refusal to grant credit in substantially the same amount or on terms substantially similar to those
requested. Under the ECOA, the term does not include a refusal to extend additional credit under
an existing credit arrangement where the applicant is delinquent or otherwise in default, or where
such additional credit would exceed a previously established credit limit.

7
The examination procedures do not currently contain a module on the requirements for consumer reporting agencies.

CFPB Manual V.2 (October 2012) FCRA 2


CFPB Consumer
Laws and Regulations FCRA
For non-credit transactions, the term has the following additional meanings for purposes of the
FCRA:
1. a denial or cancellation of, an increase in any charge for, or a reduction or other
adverse or unfavorable change in the terms of coverage or amount of, any insurance,
existing or applied for, in connection with the underwriting of insurance;
2. a denial of employment or any other decision for employment purposes that adversely
affects any current or prospective employee;
3. a denial or cancellation of, an increase in any charge for, or any other adverse or
unfavorable change in the terms of, any license or benefit described in Section
604(a)(3)(D) (15 U.S.C. 1681b(a)(3)(D)); and
4. an action taken or determination that is:
a. Made in connection with an application made by, or transaction initiated by, any
consumer or in connection with a review of an account to determine whether the
consumer continues to meet the terms of the account.
b. Adverse to the interests of the consumer.
Consumer. A “consumer” is defined as an individual.
Consumer Report. A “consumer report” is any written, oral, or other communication of any
information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation, personal characteristics, or mode of living
that is used or expected to be used or collected, in whole or in part, for the purpose of serving as
a factor in establishing the consumer’s eligibility for any of the following:
1. credit or insurance to be used primarily for personal, family, or household purposes;
2. employment purposes; or
3. any other purpose authorized under Section 604 (15 U.S.C. 1681b).
The term “consumer report” does not include any of the following:
1. any report containing information solely about transactions or experiences between
the consumer and the person making the report;
2. any communication of that transaction or experience information among entities
related by common ownership or affiliated by corporate control (for example,
different institutions that are members of the same holding company, or subsidiary
companies of an insured institution);

CFPB Manual V.2 (October 2012) FCRA 3


CFPB Consumer
Laws and Regulations FCRA
3. communication of other information among persons related by common ownership or
affiliated by corporate control if:
a. it is clearly and conspicuously disclosed to the consumer that the information may
be communicated among such persons; and
b. the consumer is given the opportunity, before the time that the information is
communicated, to direct that the information not be communicated among such
persons;
4. any authorization or approval of a specific extension of credit directly or indirectly by
the issuer of a credit card or similar device;
5. any report in which a person who has been requested by a third party to make a
specific extension of credit directly or indirectly to a consumer, such as a lender who
has received a request from a broker, conveys his or her decision with respect to such
request, if the third party advises the consumer of the name and address of the person
to whom the request was made, and such person makes the disclosures to the
consumer required under Section 615 (15 U.S.C. 1681m), Requirements on Users of
Consumer Reports; or
6. a communication described in subsection (o) or (y) of Section 603 (15 U.S.C. 1681a
(o) or (y)) (which relates to certain investigative reports and certain reports to
prospective employers).
Consumer Reporting Agency. The term “consumer reporting agency” means any person who, for
monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in
the practice of assembling or evaluating consumer credit information or other information on
consumers for the purpose of furnishing consumer reports to third parties, and who uses any means
or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
Credit Score. The term “credit score” means a numerical value or a categorization derived from
a statistical tool or modeling system used by a person who makes or arranges a loan to predict
the likelihood of certain credit behaviors, including default (and the numerical value or the
categorization derived from such analysis may also be referred to as a “risk predictor” or “risk
score”). The term does not include any mortgage score or rating of an automated underwriting
system that considers one or more factors in addition to credit information, including the loan to
value ratio, the amount of down payment, or the financial assets of a consumer; or any other
elements of the underwriting process or underwriting decision.
Creditor. Generally in FCRA, the terms “credit” and “creditor” have the same meanings as in
section 702 of ECOA (15 U.S.C. 1691a).
Employment Purposes. The term “employment purposes” when used in connection with a
consumer report means a report used for the purpose of evaluating a consumer for employment,
promotion, reassignment or retention as an employee.

CFPB Manual V.2 (October 2012) FCRA 4


CFPB Consumer
Laws and Regulations FCRA
Investigative Consumer Report. An “investigative consumer report” means a consumer report or
portion thereof in which information on a consumer’s character, general reputation, personal
characteristics, or mode of living is obtained through personal interviews with neighbors, friends,
or associates of the consumer reported on or with others with whom he is acquainted or who may
have knowledge concerning any such items of information. However, such information does not
include specific factual information on a consumer’s credit record obtained directly from a
creditor of the consumer or from a consumer reporting agency when such information was
obtained directly from a creditor of the consumer or from the consumer.
Person. A “person” means any individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or other entity.

CFPB Manual V.2 (October 2012) FCRA 5


CFPB Consumer
Laws and Regulations FCRA
Module 1 – Obtaining Consumer Reports
Overview

Consumer reporting agencies have a significant amount of personal information about


consumers. This information is invaluable in assessing a consumer’s creditworthiness for a
variety of products and services, including loan and deposit accounts, insurance, and utility
services, among others. The FCRA governs access to this information to ensure that a
prospective user of the information obtains it for permissible purposes and does not exploit it for
illegitimate purposes.
The FCRA requires any prospective user of a consumer report, for example, a lender, insurer,
landlord, or employer, among others, to have a legally permissible purpose to obtain a report.
Permissible Purposes of Consumer Reports – Section 604; 15 U.S.C. 1681b
Investigative Consumer Reports – Section 606; 15 U.S.C. 1681d

Legally Permissible Purposes. The FCRA allows a consumer reporting agency to furnish a
consumer report for the following circumstances and no other:
1. In response to a court order or Federal Grand Jury subpoena.
2. In accordance with the written instructions of the consumer.
3. To a person, including a financial institution, that the agency has reason to believe
intends to use the report as information for any of the following reasons:
a. In connection with a credit transaction involving the consumer (includes
extending, reviewing, and collecting credit);
b. For employment purposes; 8
c. In connection with the underwriting of insurance involving the consumer;
d. In connection with a determination of the consumer’s eligibility for a license or
other benefit granted by a governmental instrumentality that is required by law to
consider an applicant’s financial responsibility;
e. As a potential investor or servicer, or current insurer, in connection with a
valuation of, or an assessment of the credit or prepayment risks associated with,
an existing credit obligation;

8
Use of consumer reports for employment purposes requires specific advanced authorization, disclosure notices, and, if
applicable, adverse action notices. These issues are contained in Module 3 of the examination procedures.

CFPB Manual V.2 (October 2012) FCRA 6


CFPB Consumer
Laws and Regulations FCRA
f. Otherwise has a legitimate business need for the information:
i. In connection with a business transaction that the consumer initiates; or
ii. To review an account to determine whether the consumer continues to meet
the terms of the account.
iii. In response to a request by the head of a State or local child support
enforcement agency (or authorized appointee) if the person certifies various
information to the consumer reporting agency regarding the need to obtain the
report. (Generally, this particular purpose does not impact a person, such as a
financial institution, that is not a consumer reporting agency.)
Prescreened Consumer Reports. Users of consumer reports, such as financial institutions, may
obtain prescreened consumer reports to make firm offers of credit or insurance to consumers,
unless the consumers elected to opt out of being included on prescreened lists. The FCRA
contains many requirements, including an opt-out notice requirement when prescreened
consumer reports are used. In addition to defining prescreened consumer reports, Module 3
covers these requirements.
Investigative Consumer Reports. Section 606 contains specific requirements for use of an
investigative consumer report. This type of consumer report contains information about a
consumer’s character, general reputation, personal characteristics, or mode of living obtained in
whole or in part through personal interviews with neighbors, friends, or associates of the
consumer. If a user, such as a financial institution, procures an investigative consumer report, or
causes the preparation of one, the user institution must meet the following requirements:
4. The user clearly and accurately discloses to the consumer that it may obtain an
investigative consumer report.
5. The disclosure contains a statement of the consumer’s right to request other
information about the report and a summary of the consumer’s rights under the
FCRA.
6. The disclosure is in writing and is mailed or otherwise delivered to the consumer not
later than three business days after the date on which the report was first requested.
7. The user procuring the report certifies to the consumer reporting agency that it has
complied with the disclosure requirements and will comply in the event that the
consumer requests additional disclosures about the report.
Procedures. Given the preponderance of electronically available information and the growth of
identity theft, a user should manage the risks associated with obtaining and using consumer
reports. Users should employ procedures, controls, or other safeguards to ensure that they obtain
and use consumer reports only in situations for which there are permissible purposes.

CFPB Manual V.2 (October 2012) FCRA 7


CFPB Consumer
Laws and Regulations FCRA
Module 2 – Obtaining Information and
Sharing Among Affiliates
Overview

The FCRA contains many substantive compliance requirements for consumer reporting agencies
designed to help ensure the accuracy and integrity of the consumer reporting system. As noted in
the definitions section, a consumer reporting agency is a person that generally furnishes
consumer reports to third parties. By their very nature, such third parties as banks, credit unions,
and other financial institutions have a significant amount of consumer information that could
constitute a consumer report, and thus communication of this information could cause the
institution to become a consumer reporting agency. The FCRA contains several exceptions that
enable parties, such as a financial institution, to communicate this type of information, within
strict guidelines, without becoming a consumer reporting agency.
Rather than containing strict information-sharing prohibitions, the FCRA creates a business
disincentive such that if an entity shares consumer report information outside of the exceptions,
then the institution is a consumer reporting agency and will be subject to the significant,
substantive requirements of the FCRA applicable to those entities. Typically, an entity such as a
financial institution will structure its information sharing practices within the exceptions to avoid
becoming a consumer reporting agency. This examination module generally covers the various
information-sharing practices within these exceptions.
Consumer Report and Information Sharing – Section 603(d);
15 U.S.C. 1681a(d)

Section 603(d) defines a consumer report to include information about a consumer such as that
which bears on a consumer’s creditworthiness, character, and capacity among other factors.
Communication of this information may cause a person, including a financial institution, to
become a consumer reporting agency. The statutory definition contains key exceptions to this
definition that enable persons to share this type of information under certain circumstances,
without becoming consumer reporting agencies. Specifically, the term “consumer report” does
not include:
1. A report containing information solely as to transactions or experiences between the
consumer and the person making the report. A person, including a financial
institution, may share information strictly related to its own transactions or
experiences with a consumer (such as the consumer’s payment history, or an account
with the institution) with any third party, without regard to affiliation, without
becoming a consumer reporting agency. The Privacy of Consumer Financial
Information regulations that implement the Gramm-Leach-Bliley Act (GLBA) may
restrict this type of information sharing because it meets the definition of nonpublic
personal information under the Privacy regulations. Therefore, sharing it with
nonaffiliated third parties may be subject to an opt-out notice under the privacy
regulations. In turn, the FCRA may also restrict activities that the GLBA permits. For
example, the GLBA permits a financial institution to share a list of its customers and

CFPB Manual V.2 (October 2012) FCRA 8


CFPB Consumer
Laws and Regulations FCRA
information such as their credit scores with another financial institution to jointly
market or sponsor other financial products or services. This communication may be a
consumer report under the FCRA and could potentially cause the sharing financial
institution to become a consumer reporting agency.
2. Communication of such transaction or experience information among persons,
including financial institutions related by common ownership or affiliated by
corporate control.
3. Communication of other information (for example, other than transaction or
experience information) among persons related by common ownership or affiliated by
corporate control, if it is clearly and conspicuously disclosed to the consumer that the
information will be communicated among such entities, and before the information is
initially communicated, the consumer is given the opportunity to opt out of the
communication. This allows a person, such as a financial institution, to share other
information (that is, information other than its own transaction and experience
information) that could otherwise be a consumer report, without becoming a
consumer reporting agency under both of the following circumstances:
a. The sharing of the “other” information is done with affiliates.
b. Consumers are provided with the notice and an opportunity to opt out of this
sharing before the information is first communicated among affiliates.
For example, “other” information can include information a consumer provides on an
application form concerning accounts with other financial institutions. It can also
include information a financial institution obtains from a consumer reporting agency,
such as the consumer’s credit score. If a financial institution shares other information
with affiliates without providing a notice and an opportunity to opt out, the financial
institution may become a consumer reporting agency subject to all of the other
requirements of the FCRA.
The opt-out right required by this section must be contained in a person’s, such as a
financial institution’s, Privacy Notice as required by GLBA and its implementing
regulations.
Other Exceptions

Specific Extensions of Credit. In addition, the term consumer report does not include the
communication of a specific extension of credit directly or indirectly by the issuer of a credit
card or similar device. For example, this exception allows a lender to communicate an
authorization through the credit card network to a retailer, to enable a consumer to complete a
purchase using a credit card.
Credit Decision to Third Party (for example, auto dealer). The term consumer report also does
not include any report in which a person, including a financial institution, who has been
requested by a third party to make a specific extension of credit directly or indirectly to a

CFPB Manual V.2 (October 2012) FCRA 9


CFPB Consumer
Laws and Regulations FCRA
consumer, conveys the decision with respect to the request. The third party must advise the
consumer of the name and address of the person, such as a financial institution, to which the
request was made, and such person makes the adverse action disclosures required by Section 615
of the FCRA. For example, this exception allows a lender to communicate a credit decision to an
automobile dealer who is arranging financing for a consumer purchasing an automobile and who
requires a loan to finance the transaction.
“Joint User” Rule. The Federal Trade Commission (FTC) staff commentary discusses another
exception known as the “Joint User Rule.” Under this exception, users of consumer reports,
including financial institutions, may share information if they are jointly involved in the decision
to approve a consumer’s request for a product or service, provided that each has a permissible
purpose to obtain a consumer report on the individual. For example, a consumer applies for a
mortgage loan that will have a high loan-to-value ratio, and thus the lender will require private
mortgage insurance (PMI) in order to approve the application. An outside company provides the
PMI. The lender and the PMI company can share consumer report information about the
consumer because both entities have permissible purposes to obtain the information and both are
jointly involved in the decision to grant the products to the consumer. This exception applies to
entities that are affiliated or nonaffiliated third parties. It is important to note that the GLBA will
still apply to the sharing of nonpublic, personal information with nonaffiliated third parties;
therefore, a person, such as a financial institution, should be aware the GLBA may still limit or
prohibit sharing allowed under the FCRA joint user rule.
Protection of Medical Information – Section 604(g); 15 U.S.C. 1681b(g);
12 CFR 1022, Subpart D

Section 604(g) generally prohibits creditors from obtaining and using medical information in
connection with any determination of the consumer’s eligibility, or continued eligibility, for
credit. The statute contains no prohibition on creditors obtaining or using medical information
for other purposes that are not in connection with a determination of the consumer’s eligibility,
or continued eligibility for credit.
Section 604(g)(5)(A) requires the federal banking agencies and NCUA to prescribe regulations
that permit transactions that are determined to be necessary and appropriate to protect legitimate
operational, transactional, risk, consumer, and other needs (including administrative verification
purposes), consistent with the Congressional intent to restrict the use of medical information for
inappropriate purposes. On November 22, 2005, the FFIEC Agencies published final rules in the
Federal Register (70 FR 70664). The rules contain the general prohibition on obtaining or using
medical information, and provide exceptions for the limited circumstances when medical
information may be used. The rules define “credit” and “creditor” as having the same meanings
as in Section 702 of the ECOA (15 U.S.C. 1691a). On December 21, 2011, the CFPB restated
the implementing regulation at 12 CFR Part 1022 (76 Fed. Reg. 79308).
Obtaining and Using Unsolicited Medical Information (12 CFR 1022.30(c)). A creditor does not
violate the prohibition on obtaining medical information if it receives the medical information
pertaining to a consumer in connection with any determination of the consumer’s eligibility, or
continued eligibility, for credit without specifically requesting medical information. However,

CFPB Manual V.2 (October 2012) FCRA 10


CFPB Consumer
Laws and Regulations FCRA
the creditor may only use this medical information in connection with a determination of the
consumer’s eligibility, or continued eligibility, for credit in accordance with either the financial
information exception or one of the specific other exceptions provided in the rules. We discuss
these exceptions below.
Financial Information Exception (12 CFR 1022.30(d)). The rules allow a creditor to obtain and
use medical information pertaining to a consumer in connection with any determination of the
consumer’s eligibility or continued eligibility for credit, so long as:
1. The information is the type of information routinely used in making credit eligibility
determinations, such as information relating to debts, expenses, income, benefits,
assets, collateral, or the purpose of the loan, including the use of the loan proceeds.
2. The creditor uses the medical information in a manner and to an extent that is no less
favorable than it would use comparable information that is not medical information in
a credit transaction.
3. The creditor does not take the consumer’s physical, mental, or behavioral health,
condition or history, type of treatment, or prognosis into account as part of any such
determination.
The financial information exception is designed in part to allow creditors to consider a
consumer’s medical debts and expenses in the assessment of that consumer’s ability to repay the
loan according to the loan terms. In addition, the financial information exception also allows a
creditor to consider the dollar amount and continued eligibility for disability income, worker’s
compensation income, or other benefits related to health or a medical condition that is relied on
as a source of repayment.
The creditor may use the medical information in a manner and to an extent that is no less
favorable than it would use comparable, nonmedical information. For example, a consumer
includes on an application for credit information about two $20,000 debts. One debt is to a
hospital; the other is to a retailer. The creditor may use and consider the debt to the hospital in
the same manner in which it considers the debt to the retailer, such as including the debts in the
calculation of the consumer’s proposed debt-to-income ratio. In addition, the consumer’s
payment history of the debt to the hospital may be considered in the same manner as the debt to
the retailer. For example, if the creditor does not grant loans to applicants who have debts that
are 90-days past due, the creditor could consider the past-due status of a debt to the hospital, in
the same manner as the past-due status of a debt to the retailer.
A creditor may use medical information in a manner that is more favorable to the consumer,
according to its regular policies and procedures. For example, if a creditor has a routine policy of
declining consumers who have a 90-day past due installment loan to a retailer, but does not
decline consumers who have a 90-day past due debt to a hospital, the financial information
exception would allow a creditor to continue this policy without violating the rules because in
these cases, the creditor’s treatment of the debt to the hospital is more favorable to the consumer.

CFPB Manual V.2 (October 2012) FCRA 11


CFPB Consumer
Laws and Regulations FCRA
A creditor may not take the consumer’s physical, mental, or behavioral health, condition or
history, type of treatment, or prognosis into account as part of any determination regarding the
consumer’s eligibility, or continued eligibility for credit. The creditor may only consider the
financial implications as discussed above, such as the status of a debt to a hospital, continued
eligibility for disability income, etc.
Specific Exceptions for Obtaining and Using Medical Information (12 CFR 1022.30(e)). In
addition to the financial information exception, the rules also provide for the following nine
specific exceptions under which a creditor can obtain and use medical information in its
determination of the consumer’s eligibility, or continued eligibility for credit:
1. To determine whether the use of a power of attorney or legal representative that is
triggered by a medical condition or event is necessary and appropriate, or whether the
consumer has the legal capacity to contract when a person seeks to exercise a power
of attorney or act as a legal representative for a consumer based on an asserted
medical condition or event. For example, if Person A is attempting to act on behalf of
Person B under a Power of Attorney that is invoked based on a medical event, a
creditor is allowed to obtain and use medical information to verify that Person B has
experienced a medical condition or event such that Person A is allowed to act under
the Power of Attorney.
2. To comply with applicable requirements of local, state, or Federal laws.
3. To determine, at the consumer’s request, whether the consumer qualifies for a legally
permissible special credit program or credit-related assistance program that is:
a. Designed to meet the special needs of consumers with medical conditions and
b. Established and administered pursuant to a written plan that:
i. Identifies the class of persons that the program is designed to benefit; and
ii. Sets forth the procedures and standards for extending credit or providing other
credit-related assistance under the program.
4. To the extent necessary for purposes of fraud prevention or detection.
5. In the case of credit for the purpose of financing medical products or services, to
determine and verify the medical purpose of the loan and the use of the proceeds.
6. Consistent with safe and sound banking practices, if the consumer or the consumer’s
legal representative requests that the creditor use medical information in determining
the consumer’s eligibility, or continued eligibility, for credit, to accommodate the
consumer’s particular circumstances, and such request is documented by the creditor.
For example, at the consumer’s request, a creditor may grant an exception to its
ordinary policy to accommodate a medical condition that the consumer has
experienced. This exception allows a creditor to consider medical information in this

CFPB Manual V.2 (October 2012) FCRA 12


CFPB Consumer
Laws and Regulations FCRA
context, but it does not require a creditor to make such an accommodation nor does it
require a creditor to grant a loan that is unsafe or unsound.
7. Consistent with safe and sound practices, to determine whether the provisions of a
forbearance practice or program that is triggered by a medical condition or event
apply to a consumer. For example, if a creditor has a policy of delaying foreclosure in
cases where a consumer is experiencing a medical hardship, this exception allows the
creditor to use medical information to determine if the policy would apply to the
consumer. Like the exception listed in the bullet above, this exception does not
require a creditor to grant forbearance, it merely provides an exception so that a
creditor may consider medical information in these instances.
8. To determine the consumer’s eligibility for the triggering of, or the reactivation of a
debt cancellation contract or debt suspension agreement, if a medical condition or
event is a triggering event for the provision of benefits under the contract or
agreement.
9. To determine the consumer’s eligibility for the triggering of, or the reactivation of a
credit insurance product, if a medical condition or event is a triggering event for the
provision of benefits under the product.
Limits on redisclosure of information (12 CFR 1022.31(b)). If a creditor subject to the medical
information rules receives medical information about a consumer from a consumer reporting
agency or its affiliate, the creditor must not disclose that information to any other person, except
as necessary to carry out the purpose for which the information was initially disclosed, or as
otherwise permitted by statute, regulation, or order.
Sharing medical information with affiliates (12 CFR 1022.32(b)). In general, the exclusions from
the definition of “consumer report” in Section 603(d)(2) of the FCRA allow the sharing of non-
medical information among affiliates. With regard to medical information, Section 603(d) (3) of
the FCRA provides that the exclusions in Section 603(d)(2) do not apply when a person subject
to the medical information rules shares any of the following information with an affiliate:
1. Medical information.
2. An individualized list or description based on the payment transactions of the
consumer for medical products or services.
3. An aggregate list of identified consumers based on payment transactions for medical
products or services.
If a person who is subject to the medical rules shares with an affiliate the type of information
discussed above, the exclusions from the definition of “consumer report” do not apply.
Effectively, this means that if a person shares medical information, that person becomes a
consumer reporting agency, subject to all of the other substantive requirements of the FCRA.

CFPB Manual V.2 (October 2012) FCRA 13


CFPB Consumer
Laws and Regulations FCRA
The rules provide exceptions to these limitations on sharing medical information with affiliates
(12 CFR 1022.32(c)). A person, such as a bank, thrift, or credit union, may share medical
information with its affiliates without becoming a consumer reporting agency under any of the
following circumstances:
1. In connection with the business of insurance or annuities (including the activities
described in Section 18B of the model Privacy of Consumer Financial and Health
Information Regulation issued by the National Association of Insurance
Commissioners, as in effect on January 1, 2003).
2. For any purpose permitted without authorization under the regulations promulgated
by the Department of Health and Human Services pursuant to the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).
3. For any purpose referred to in Section 1179 of HIPAA.
4. For any purpose described in Section 502(e) of the Gramm-Leach-Bliley Act.
5. In connection with a determination of the consumer’s eligibility, or continued
eligibility, for credit consistent with the financial information exceptions or specific
exceptions.
6. As otherwise permitted by order of the CFPB.
Affiliate Marketing Opt-Out Requirement – Section 624; 15 U.S.C. 1681s-3;
12 CFR 1022, Subpart C

Section 624 gives a consumer the right to restrict an entity, with which it does not have a pre-
existing business relationship, from using certain information obtained from an affiliate to make
solicitations to that consumer. This provision is distinct from Section 603(d)(2)(A)(iii) that gives
a consumer the right to restrict the sharing of certain consumer information among affiliates. 9
Under Section 624, an entity may not use information received from an affiliate to market its
products or services to a consumer, unless the consumer is given notice and a reasonable
opportunity and a reasonable and simple method to opt out of the making of such solicitations.
The affiliate marketing opt-out requirement applies to both transaction or experience information
and “other” information, such as information from credit reports and credit applications. On
November 7, 2007, the federal financial institution regulators published final regulations in the

9
See Module 2, Section 603(d) Consumer Report and Information Sharing, for provisions pertaining to the sharing of consumer
information. Under Section 603(d)(2)(A)(iii) of the FCRA, entities are responsible for complying with the affiliate sharing notice
and opt-out requirement, where applicable. Thus, under the FCRA, certain consumer information will be subject to two opt-out
notices, a sharing opt-out notice (Section 603(d)) and a marketing use opt-out notice (Section 624). These two opt-out notices
may be consolidated.

CFPB Manual V.2 (October 2012) FCRA 14


CFPB Consumer
Laws and Regulations FCRA
Federal Register to implement this section (72 FR 62910). On December 21, 2011, the CFPB
restated the implementing regulation at 12 CFR Part 1022 (76 Fed. Reg. 79308). 10
Exceptions to the notice and opt-out requirements apply when an entity uses eligibility
information in certain ways, as described later in these procedures.
11
Key Definitions – 12 CFR 1022.20

Eligibility information (12 CFR 1022.20(b)(3)) includes not only transaction and experience
information, but also the type of information found in consumer reports, such as information
from third-party sources and credit scores. Eligibility information does not include aggregate
or blind data that does not contain personal identifiers such as account numbers, names, or
addresses. 12
Pre-existing business relationship (12 CFR 1022.20(b)(4)) 13 means a relationship between a
person, such as a financial institution (or a person’s licensed agent), and a consumer based on:
1. A financial contract between the person and the consumer that is in force on the date
on which the consumer is sent a solicitation covered by the affiliate marketing
regulation;
2. The purchase, rental, or lease by the consumer of the person’s goods or services, or a
financial transaction (including holding an active account or a policy in force, or
having another continuing relationship) between the consumer and the person, during
the 18-month period immediately preceding the date on which the consumer is sent a
solicitation covered by the affiliate marketing regulation; or
3. An inquiry or application by the consumer regarding a product or service offered by
that person during the three-month period immediately preceding the date on which
the consumer is sent a solicitation covered by the affiliate marketing regulation.

10
See 12 CFR 1022.20(a) for the scope of entities covered by Subpart C of 12 CFR 1022.
11
See 12 CFR 1022.20 for other definitions.
12
Specifically, “eligibility information” is defined in the affiliate marketing regulation as “any information the communication
of which would be a consumer report if the exclusions from the definition of “consumer report” in Section 603(d)(2)(A) of the
[Fair Credit Reporting] Act did not apply.”
13
See 12 CFR 1022.20(b)(4)(ii) and (iii) for examples of pre-existing business relationships and situations where no pre-existing
business relationship exists.

CFPB Manual V.2 (October 2012) FCRA 15


CFPB Consumer
Laws and Regulations FCRA
Solicitation (12 CFR 1022.20(b)(5)) means the marketing of a product or service initiated by
a person, such as a financial institution, to a particular consumer that is:
1. Based on eligibility information communicated to that person by its affiliate; and
2. Intended to encourage the consumer to purchase or obtain such product or service.
Examples of a solicitation include a telemarketing call, direct mail, email, or other form of
marketing communication directed to a particular consumer that is based on eligibility
information received from an affiliate. A solicitation does not include marketing communications
that are directed at the general public (e.g., television, general circulation magazine, and
billboard advertisements).
Initial Notice and Opt-Out Requirement – 12 CFR 1022.21(a), 1022.24,
and 1022.25

A person, such as a financial institution, and its subsidiaries generally may not use eligibility
information about a consumer that it receives from an affiliate to make a solicitation for
marketing purposes to the consumer, unless:
1. It is clearly and conspicuously disclosed to the consumer in writing or, if the
consumer agrees, electronically, in a concise notice that the person may use eligibility
information about that consumer that it received from an affiliate to make
solicitations for marketing purposes to the consumer;
2. The consumer is provided a reasonable opportunity and a reasonable and simple
method to “opt out” (that is, the consumer prohibits the person from using eligibility
information to make solicitations for marketing purposes to the consumer);14 and
3. The consumer has not opted out.
For example, a consumer has a homeowner’s insurance policy with an insurance company. The
insurance company shares eligibility information about the consumer with its affiliated
depository institution. Based on that eligibility information, the depository institution wants to
make a solicitation to the consumer about its home equity loan products. The depository
institution does not have a pre-existing business relationship with the consumer and none of the
other exceptions apply. The depository institution may not use eligibility information it received
from its insurance affiliate to make solicitations to the consumer about its home equity loan
products unless the insurance company gave the consumer a notice and opportunity to opt out
and the consumer does not opt out.

14
See 12 CFR 1022.24 and 1022.25 for examples of “a reasonable opportunity to opt out” and “reasonable and simple methods
for opting out.”

CFPB Manual V.2 (October 2012) FCRA 16


CFPB Consumer
Laws and Regulations FCRA
15
Making Solicitations – 12 CFR 1022.21(b)

A person, such as a financial institution, (or a service provider acting on behalf of the person)
makes a solicitation for marketing purposes if:
1. The person receives eligibility information from an affiliate, including when the
affiliate places that information into a common database that the person may access;
2. The person uses that eligibility information to do one or more of the following:
a. Identify the consumer or type of consumer to receive a solicitation;
b. Establish criteria used to select the consumer to receive a solicitation; or
c. Decide which of the person’s products or services to market to the consumer or
tailor the financial institution’s solicitation to that consumer; and
3. As a result of the person’s, such as a financial institution’s, use of the eligibility
information, the consumer is provided a solicitation.
A person, such as a financial institution, does not make a solicitation for marketing
purposes (and therefore the affiliate marketing regulation, with its notice and opt-out
requirements, does not apply) in the situations listed below, commonly referred to as
“constructive sharing.” Constructive sharing occurs when a person, such as a financial
institution, provides criteria to an affiliate to use in marketing the financial institution’s
product and the affiliate uses the criteria to send marketing materials to the affiliate’s own
customers that meet the criteria. In this situation, the financial institution is not using
shared eligibility information to make solicitations.
1. The person provides criteria for consumers to whom it would like its affiliate to
market the person’s products. Then, based on this criteria, the affiliate uses eligibility
information that the affiliate obtained in connection with its own pre-existing
business relationship with the consumer to market the person’s products or services
(or directs its service provider to use the eligibility information in the same manner
and the person does not communicate with the service provider regarding that use).
2. A service provider, applying the person’s criteria, uses information from an affiliate,
such as that in a shared database, to market the person’s products or services to the
consumer, so long as it meets certain requirements, including all of the following.
a. The affiliate controls access to and use of its eligibility information by the service
provider under a written agreement between the affiliate and the service provider.

15
See 12 CFR 1022.21(b)(6) for examples of making solicitations.

CFPB Manual V.2 (October 2012) FCRA 17


CFPB Consumer
Laws and Regulations FCRA
b. The affiliate establishes, in writing, specific terms and conditions under which the
service provider may access and use the affiliate’s eligibility information to
market the person’s products and services (or those of affiliates generally) to the
consumer.
c. The affiliate requires the service provider, under a written agreement, to
implement reasonable policies and procedures designed to ensure that the service
provider uses the affiliate’s eligibility information in accordance with the terms
and conditions established by the affiliate relating to the marketing of the person’s
products or services.
d. The affiliate is identified on or with the marketing materials provided to the
consumer.
e. The person does not directly use its affiliate’s eligibility information in the manner
described above under “Making Solicitations (12 CFR 1022.21(b)),” item 2.
16
Exceptions to Initial Notice and Opt-Out Requirements – 12 CFR 1022.21(c)

The initial notice and opt-out requirements do not apply to a person, such as a financial
institution, if it uses eligibility information that it receives from an affiliate:
1. To make a solicitation for marketing purposes to a consumer with whom the person
has a pre-existing business relationship;
2. To facilitate communications to an individual for whose benefit the person provides
employee benefit or other services pursuant to a contract with an employer;
3. To perform services on behalf of an affiliate (but this would not allow solicitation
where the consumer has opted out);
4. In response to a communication about the person’s products or services initiated by
the consumer;
5. In response to a consumer’s authorization or request to receive solicitations; or
6. If the person’s compliance with the affiliate marketing regulation would prevent it
from complying with State insurance laws pertaining to unfair discrimination in any
state in which the person is lawfully doing business.

16
See 12 CFR 1022.21(d) for examples of exceptions to the initial notice and opt-out requirement.

CFPB Manual V.2 (October 2012) FCRA 18


CFPB Consumer
Laws and Regulations FCRA
Contents of Opt-Out Notice – 12 CFR 1022.23

A person, such as a financial institution, must provide to the consumer a reasonable and simple
method for the consumer to opt out. The opt-out notice must be clear, conspicuous, and concise,
and must accurately disclose specific information outlined in 12 CFR 1022.23(a), including that
the consumer may elect to limit the use of eligibility information to make solicitations to the
consumer. See Appendix C to the regulation for the model notices contained in the affiliate
marketing regulation.
Alternative contents. An affiliate that provides a consumer a broader right to opt out than that
required by the affiliate marketing regulation may satisfy the regulatory requirements by
providing the consumer with a clear, conspicuous, and concise notice that accurately discloses
the consumer’s opt-out rights.
Coordinated, consolidated, and equivalent notices. Opt-out and renewal notices may be
coordinated and consolidated with any other notice or disclosure required under any other
provision of law, such as the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801 et seq.
Renewal notices, which have additional required content (12 CFR 1022.27), may be
consolidated with the annual GLBA privacy notices.
17
Delivery of the Opt-Out Notice – 12 CFR 1022.21(a)(3) and 1022.26

An affiliate that has or previously had a pre-existing business relationship with the consumer
must provide the notice either individually or as part of a joint notice from two or more members
of an affiliated group of companies. The opt-out notice must be provided so that each consumer
can reasonably be expected to receive actual notice. A consumer may not reasonably be expected
to receive actual notice if, for example, the affiliate providing the notice sends the notice via
email to a consumer who has not agreed to receive electronic disclosures by email from the
affiliate providing the notice. 18
19
Scope of Opt-Out – 12 CFR 1022.22(a) and 1022.23(a)(2)

As a general rule, the consumer’s election to opt out prohibits any affiliate covered by the opt-
out notice from using eligibility information received from another affiliate, described in the
notice, to make solicitations to the consumer. If two or more consumers jointly obtain a product
or service, any of the joint consumers may exercise the right to opt out. It is impermissible to
require all joint consumers to opt out before implementing any opt-out direction.

17
See 12 CFR 1022.26(b) and (c) for examples of “reasonable expectation of actual notice” and “no reasonable expectation of
actual notice.”
18
For opt-out notices provided electronically, the notice may be provided in compliance with either the electronic disclosure
provisions of 12 CFR 1022.24(b)(2) and 1022.24(b)(3) or the provisions in section 101 of the Electronic Signatures in Global and
National Commerce Act, 15 U.S.C. 7001 et seq.
19
See 12 CFR 1022.22(a) for examples of the scope of the opt-out notice, including examples of continuing relationships.

CFPB Manual V.2 (October 2012) FCRA 19


CFPB Consumer
Laws and Regulations FCRA
Menu of alternatives. A consumer may be given the opportunity to choose from a menu of
alternatives when electing to prohibit solicitations, such as by:
1. Electing to prohibit solicitations from certain types of affiliates covered by the opt-out
notice but not other types of affiliates covered by the notice.
2. Electing to prohibit solicitations based on certain types of eligibility information but
not other types of eligibility information.
3. Electing to prohibit solicitations by certain methods of delivery but not other methods
of delivery.
One of the alternatives, however, must allow the consumer to prohibit all solicitations from all
of the affiliates that are covered by the notice.
Continuing relationship. If the consumer establishes a continuing relationship with a person,
such as a financial institution, or its affiliate, an opt-out notice may apply to eligibility
information obtained from one or more continuing relationships (such as a deposit account, a
mortgage loan, or a credit card), if the notice adequately describes the continuing relationships
covered. The opt-out notice can also apply to future continuing relationships if the notice
adequately describes the continuing future relationships that would be covered.
Special rule for a notice following termination of all continuing relationships. After all
continuing relationships with a person or its affiliate(s) are terminated, a consumer must be
given a new opt-out notice if the consumer later establishes another continuing relationship
with the person or its affiliate(s) and the consumer’s eligibility information is to be used to
make a solicitation. The consumer’s decision not to opt out after receiving the new opt-out
notice would not override a prior opt-out election that applies to eligibility information
obtained in connection with a terminated relationship, regardless of whether the new opt-out
notice applies to eligibility information obtained in connection with a terminated relationship.
No continuing relationship (isolated transaction). If the consumer does not establish a
continuing relationship with a person or its affiliate, but the person or its affiliate obtains
eligibility information about the consumer in connection with a transaction with the consumer
(such as an ATM cash withdrawal, purchase of traveler’s checks, or a credit application that is
denied), an opt-out notice provided to the consumer only applies to eligibility information
obtained in connection with that transaction.
Time, Duration, and Renewal of Opt-Out – 12 CFR 1022.22(b) and (c) and 1022.27

A consumer may opt out at any time. The opt-out must be effective for a period of at least five
years beginning when the consumer’s opt-out election is received and implemented, unless the
consumer later revokes the opt-out in writing or, if the consumer agrees, electronically. An opt-
out period may be set at more than five years, including an opt-out that does not expire unless the
consumer revokes it.

CFPB Manual V.2 (October 2012) FCRA 20


CFPB Consumer
Laws and Regulations FCRA
Renewal after opt-out period expires. After the opt-out period expires, a person, such as a
financial institution, may not make solicitations based on eligibility information it receives from
an affiliate to a consumer who previously opted out, unless:
1. The consumer receives a renewal notice and opportunity to opt out, and the consumer
does not renew the opt-out; or
2. An exception to the notice and opt-out requirements applies.20
Contents of renewal notice. The renewal notice must be clear, conspicuous, and concise, and
must accurately disclose most of the elements of the original opt-out notice, as well as the
following information as applicable:
1. The consumer previously elected to limit the use of certain information to make
solicitations to the consumer.
2. The consumer’s election has expired or is about to expire.
3. The consumer may elect to renew the consumer’s previous election.
4. If applicable, that the consumer’s election to renew will apply for the specified period
of time stated in the notice and that the consumer will be allowed to renew the
election once that period expires.
See 12 CFR 1022.27(b) for all the content requirements of a renewal notice.
Renewal period. Each opt-out renewal must be effective for a period of at least five years.
Affiliate who may provide the notice. The renewal notice must be provided by the affiliate that
provided the previous opt-out notice, or its successor; or as part of a joint renewal notice from
two or more members of an affiliated group of companies, or their successors, that jointly
provided the previous opt-out notice.
Timing of the renewal notice. A renewal notice may be provided to the consumer either a
reasonable period of time before the expiration of the opt-out period 21 or any time after the
expiration of the opt-out period but before solicitations are made to the consumer that would
have been prohibited by the expired opt-out.

20
See 12 CFR 1022.21(c) for exceptions.
21
An opt-out period may not be shortened by sending a renewal notice to the consumer before expiration of the opt-out period,
even if the consumer does not renew the opt-out. If a person provides an annual privacy notice under the Gramm-Leach-Bliley
Act, providing a renewal notice with the last annual privacy notice provided to the consumer before expiration of the opt-out
period is a reasonable period of time before expiration of the opt-out in all cases (12 CFR 1022.27(d)).

CFPB Manual V.2 (October 2012) FCRA 21


CFPB Consumer
Laws and Regulations FCRA
Model Forms for Opt-Out Notices – 12 CFR Part 1022, Appendix C

Appendix C of the affiliate marketing regulation contains model forms that may be used to comply
with the requirement for clear, conspicuous, and concise notices. The five model forms are:
C-1 Model Form for Initial Opt-Out Notice (Single-Affiliate Notice)
C-2 Model Form for Initial Opt-Out Notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary “No Marketing” Notice
Use of the model forms is not required and a person may make certain changes to the language
or format of the model forms without losing the protection from liability afforded by use of the
model forms. These changes may not be so extensive as to affect the substance, clarity, or
meaningful sequence of the language in the model forms. Institutions making such extensive
revisions will lose the safe harbor that Appendix C provides. Examples of acceptable changes are
provided in Appendix C to the regulation.

CFPB Manual V.2 (October 2012) FCRA 22


CFPB Consumer
Laws and Regulations FCRA
Module 3 – Disclosures to Consumers and
Miscellaneous Requirements
Overview

The FCRA requires entities such as financial institutions to provide consumers with various
notices and information under a variety of circumstances. This module contains examination
responsibilities for these various areas.
Use of Consumer Reports for Employment Purposes – Section 604(b);
15 U.S.C. 1681b(b)

Section 604(b) has specific requirements for persons, such as financial institutions, that obtain
consumer reports of its employees or prospective employees prior to, and/or during, the term of
employment. The FCRA generally requires the written permission of the consumer to procure a
consumer report for “employment purposes.” Moreover, the person must provide to the
consumer in writing a clear and conspicuous disclosure that it may obtain a consumer report for
employment purposes prior to procuring a report.
Prior to taking any adverse action involving employment that is based in whole or in part on the
consumer report, the user generally must provide to the consumer:
1. A copy of the report.
2. A description in writing of the rights of the consumer under this title, as the CFPB
prescribes under Section 609(c)(1).
At the time a financial institution takes adverse action in an employment situation, Section 615
requires that it must provide the consumer with an adverse action notice described later in this
module.
Prescreened Consumer Reports and Opt-Out Notice – Sections 604(c) and
615(d); 15 U.S.C. 1681b(c) and 15 U.S.C. 1681m(d); and 12 CFR 1022.54

Sections 604(c) allow persons, including financial institutions, to obtain and use consumer
reports on any consumer in connection with any credit or insurance transaction that the consumer
does not initiate, to make firm offers of credit or insurance. This process, known as prescreening,
occurs when a financial institution obtains a list from a consumer reporting agency of consumers
who meet certain predetermined creditworthiness criteria and who have not elected to be
excluded from such lists.
These lists may only contain the following information:
1. The name and address of a consumer.
2. An identifier that is not unique to the consumer and that the person uses solely for the
purpose of verifying the identity of the consumer.

CFPB Manual V.2 (October 2012) FCRA 23


CFPB Consumer
Laws and Regulations FCRA
3. Other information pertaining to a consumer that does not identify the relationship or
experience of the consumer with respect to a particular creditor or other entity.
Each name appearing on the list is considered an individual consumer report. In order to obtain
and use these lists, persons, such as financial institutions, must make a “firm offer of credit or
insurance” as defined in Section 603(l) to each person on the list. A person is not required to
grant credit or insurance if the consumer is not creditworthy or insurable, or cannot furnish
required collateral, provided that the person determines the underwriting criteria in advance, and
applies it consistently.
Example 1: Assume a home mortgage lender obtains a list from a consumer reporting agency of
everyone in County X, with a current home mortgage loan and a credit score of 700. The lender
will use this list to market a second lien home equity loan product. The lender’s other non-
consumer report criteria, in addition to those used in the prescreened list for this product, include
a maximum total debt-to-income ratio (DTI) of 50 percent or less. The consumer reporting
agency can screen some of the criteria but the lender must determine other criteria individually,
such as the DTI, when consumers respond to the offer. If a consumer responds to the offer, but
already has a DTI of 60 percent, the lender does not have to grant the loan.
In addition, the person is allowed to obtain a full consumer report on anyone responding to the
offer to verify that the consumer continues to meet the creditworthiness criteria. If the consumer
no longer meets those criteria, the person does not have to grant the loan.
Example 2: On January 1, a credit card lender obtains a list from a consumer reporting agency of
consumers in County Y who have credit scores of 720, and no previous bankruptcy records. The
lender mails solicitations offering a pre-approved credit card to everyone on the list on January 2.
On January 31, a consumer responds to the offer and the lender obtains and reviews a full
consumer report that shows a bankruptcy record was added on January 15. Since this consumer no
longer meets the lender’s predetermined criteria, the lender is not required to issue the credit card.
These basic requirements help prevent a person from obtaining prescreened lists without
following through with an offer of credit or insurance. The person must maintain the criteria used
for the product (including the criteria used to generate the prescreened report and any other
criteria such as collateral requirements) on file for a period of three years, beginning on the date
that the person made the offer to the consumer.
Technical Notice and Opt-Out Requirements – Section 615(d)

Section 615(d) contains consumer protections and technical notice requirements concerning
prescreened offers of credit or insurance. The FCRA requires nationwide consumer reporting
agencies to jointly operate an “opt-out” system, whereby consumers can elect to be excluded
from prescreened lists by calling a toll-free number.
When a person, such as a financial institution, obtains and uses these lists, it must provide
consumers with a Prescreened Opt-Out Notice with the offer of credit or insurance. This notice
alerts consumers that they are receiving the offer because they meet certain creditworthiness

CFPB Manual V.2 (October 2012) FCRA 24


CFPB Consumer
Laws and Regulations FCRA
criteria. The notice must also provide the toll-free telephone number operated by the nationwide
consumer reporting agencies for consumers to call to opt out of prescreened lists.
The FCRA contains the basic requirement to provide notices to consumers at the time the
prescreened offers are made. The implementing regulation, 12 CFR 1022.54, contains the
technical requirements of the notice. This regulation is applicable to anyone, including banks,
credit unions, and saving associations, that obtains and uses prescreened consumer reports.
Short and Long Notice – 12 CFR 1022.54(c)

Entities must provide a “short” notice and a “long” notice of the prescreened opt-out information
with each written solicitation made to consumers using prescreened consumer reports. They must
also comply with specific requirements concerning the content and appearance of these notices.
The short notice must be a clear and conspicuous, simple, and easy-to-understand statement as
follows:
1. Content. The short notice must state that the consumer has the right to opt out of
receiving prescreened solicitations. It must provide the toll-free number and direct
consumers to the existence and location of the long notice. It should also state the title
of the long notice. The short notice may not contain any other information.
2. Form. The short notice must be in a type size larger than the principal text on the
same page, but it may not be smaller than 12-point type. If a person, such as a
financial institution, provides the notice by electronic means, it must be larger than
the type size of the principal text on the same page.
3. Location. The short form must be on the front side of the first page of the principal
promotional document in the solicitation. If provided electronically, it must be on the
same page and in close proximity to the principal marketing message. The statement
must be located so that it is distinct from other information, such as inside a border,
and must be in a distinct type style, such as bolded, italicized, underlined, and/or in a
color that contrasts with the principal text on the page, if the solicitation is provided
in more than one color.
The long notice must also be a clear and conspicuous, simple, and easy-to-understand statement
as follows:
1. Content. The long notice must state the information required by Section 615(d) of the
FCRA and may not include any other information that interferes with, detracts from,
contradicts, or otherwise undermines the purpose of the notice.
2. Form. The notice must appear in the solicitation, be in a type size that is no smaller than
the type size of the principal text on the same page, and, for solicitations provided other
than by electronic means, the type size may not be smaller than 8-point type. The notice
must begin with a heading in capital letters, underlined, and identifying the long notice
as the “PRESCREEN & OPT-OUT NOTICE.” It must be in a type style that is distinct

CFPB Manual V.2 (October 2012) FCRA 25


CFPB Consumer
Laws and Regulations FCRA
from the principal type style used on the same page, such as bolded, italicized,
underlined, and/or in a color that contrasts from the principal text, if the solicitation is
in more than one color. The notice must be set apart from other text on the page, such
as by including a blank line above and below the statement, and by indenting both the
left and right margins from other text on the page.
The model prescreened opt-out notices are contained in Appendix D to 12 CFR Part 1022.
Appendix D contains complete sample solicitations for context. The model prescreen notice text
is contained below:
Sample Short Notice:

You can choose to stop receiving “prescreened” offers of (credit or insurance) from this
and other companies by calling toll-free (toll-free number). See PRESCREEN & OPT-
OUT NOTICE on other side (or other location) for more information about
prescreened offers.

Sample Long Notice:

PRESCREEN & OPT-OUT NOTICE: This “prescreened” offer of (credit or insurance)


is based on information in your credit report indicating that you meet certain criteria.
This offer is not guaranteed if you do not meet our criteria (including providing
acceptable property as collateral). If you do not want to receive prescreened offers of
(credit or insurance) from this and other companies, call the consumer reporting
agencies (or name of consumer reporting agency) toll-free, (toll-free number); or write:
(consumer reporting agency name and mailing address).

Truncation of Credit and Debit Card Account Numbers – Section 605(g);


15 U.S.C. 1681c(g)

Section 605(g) provides that persons, including financial institutions, that accept debit and credit
cards for the transaction of business will be prohibited from issuing electronic receipts that
contain more than the last five digits of the card number, or the card expiration date, at the point
of sale or transaction. This requirement applies only to electronically developed receipts and
does not apply to hand-written receipts or those developed with an imprint of the card.
Disclosure of Credit Scores by Certain Mortgage Lenders – Section 609(g);
15 U.S.C. 1681g(g)

Section 609(g) requires creditors, such as financial institutions, that make or arrange mortgage
loans using credit scores to provide the score with accompanying information to the applicants.
Credit score

For purposes of this section, the term “credit score” is defined as a numerical value or a
categorization derived from a statistical tool or modeling system used by a person who makes or
arranges a loan to predict the likelihood of certain credit behaviors, including default (and the

CFPB Manual V.2 (October 2012) FCRA 26


CFPB Consumer
Laws and Regulations FCRA
numerical value or the categorization derived from such analysis may also be referred to as a
“risk predictor” or “risk score”). The credit score does not include either of the following:
1. Any mortgage score or rating by an automated underwriting system that considers
one or more factors in addition to credit information, such as the loan-to-value ratio,
the amount of down payment, or the financial assets of a consumer.
2. Any other elements of the underwriting process or underwriting decision.
Covered transactions

The disclosure requirement applies to both closed-end and open-end loans that are for consumer
purposes and are secured by one- to four-family residential real properties, including purchase
and refinance transactions. This requirement will not apply in circumstances that do not involve
a consumer purpose, such as when a borrower obtains a loan secured by his or her residence to
finance his or her small business.
Specific required notice

Financial institutions in covered transactions that use credit scores must provide a disclosure
containing the following specific language, which is contained in 609(g)(1)(D):

Notice to The Home Loan Applicant


In connection with your application for a home loan, the lender must disclose to you
the score that a consumer reporting agency distributed to users and the lender used in
connection with your home loan, and the key factors affecting your credit scores.
The credit score is a computer generated summary calculated at the time of the
request and based on information that a consumer reporting agency or lender has on file. The
scores are based on data about your credit history and payment patterns. Credit scores are
important because they are used to assist the lender in determining whether you will obtain a
loan. They may also be used to determine what interest rate you may be offered on the
mortgage. Credit scores can change over time, depending on your conduct, how your credit
history and payment patterns change, and how credit scoring technologies change.
Because the score is based on information in your credit history, it is very important
that you review the credit-related information that is being furnished to make sure it is
accurate. Credit records may vary from one company to another.
If you have questions about your credit score or the credit information that is
furnished to you, contact the consumer reporting agency at the address and telephone
number provided with this notice, or contact the lender, if the lender developed or generated
the credit score. The consumer reporting agency plays no part in the decision to take any
action on the loan application and is unable to provide you with specific reasons for the
decision on a loan application.
If you have questions concerning the terms of the loan, contact the lender.

CFPB Manual V.2 (October 2012) FCRA 27


CFPB Consumer
Laws and Regulations FCRA
The notice must include the name, address, and telephone number of each consumer reporting
agency that provided a credit score that was used.
Credit score and key factors disclosed

In addition to the notice, a creditor, such as a financial institution, must also disclose the credit
score, the range of possible scores, the date that the score was created, and the “key factors” used
in the score calculation. “Key factors” are all relevant elements or reasons adversely affecting the
credit score for the particular individual, listed in the order of their importance, and based on
their effect on the credit score. The total number of factors to be disclosed must not exceed four.
However, if one of the key factors is the number of inquiries into a consumer’s credit
information, then the total number of factors must not exceed five. These key factors come from
information the consumer reporting agencies supplied with any consumer report that was
furnished containing a credit score (Section 605(d)(2)).
This disclosure requirement applies in any application for a covered transaction, regardless of the
final action the lender takes on the application. The FCRA requires a creditor to disclose all of
the credit scores used in these transactions. For example, if two joint applicants apply for a
mortgage loan to purchase a single-family residence and the lender uses both credit scores, then
the creditor needs to disclose both. The statute specifically does not require more than one
disclosure per loan. Therefore, if the creditor uses multiple scores, it can include all of them in
one disclosure containing the Notice to the Home Loan Applicant.
If a creditor uses a credit score that it did not obtain directly from a consumer reporting agency,
but may contain some information from a consumer reporting agency, the creditor may satisfy
this disclosure requirement by providing a score and associated key factor information that a
consumer reporting agency supplied. For example, certain automated underwriting systems
generate a score used in a credit decision. These systems are often populated by data obtained
from a consumer reporting agency. If a creditor uses this automated system, it may satisfy the
disclosure requirement by providing the applicants with a score and key factors a consumer
reporting agency supplied based on the data, including credit score(s) imported into the
automated underwriting system. This will provide applicants with information about their credit
history and its role in the credit decision, in the spirit of this section of the statute.
Timing

With regard to the timing of the disclosure, the statute requires that the creditor provide it as soon
as is reasonably practicable after using a credit score.

CFPB Manual V.2 (October 2012) FCRA 28


CFPB Consumer
Laws and Regulations FCRA
Adverse Action Disclosures – Section 615(a) and (b);
15 U.S.C. 1681m(a) and (b)
Section 615(a)-(b) requires users of consumer reports, such as creditors, to make certain
disclosures when they:
1. take adverse actions with respect to consumers, based in whole or in part on
information contained in a consumer report;
2. deny credit for personal, family, or household purposes or increase the charge for
such credit based in whole or in part on information obtained from a person other
than a consumer reporting agency bearing upon the consumer’s credit worthiness,
credit standing, credit capacity, character, general reputation, personal characteristics,
or mode of living or
3. take certain adverse action based in whole or in part on information from an affiliate.
The disclosure requirements are discussed separately below.
Information Obtained From a Consumer Reporting Agency

Section 615(a), Duties of Users Taking Adverse Actions on the Basis of Information Contained
in Consumer Reports, provides that when adverse action is taken with respect to any consumer
based in whole or in part on any information contained in a consumer report, the person, such as
a financial institution, must:
1. provide oral, written, or electronic notice of the adverse action to the consumer.
2. provide to the consumer written or electronic disclosures of a numerical credit score
used by such person in taking any adverse action based in whole or in part on any
information in a consumer report and the following information:
a. the range of possible credit scores under the model used;
b. all of the key factors that adversely affected the credit score, which shall not
exceed four key factors, except that if one of the key factors is the number of
enquiries made with respect to the consumer report, the number of key factors
shall not exceed five;
c. the date on which the credit score was created; and
d. the name of the person or entity that provided the credit score or credit file upon
which the credit score was created;
3. provide to the consumer orally, in writing, or electronically:
a. the name, address, and telephone number of the consumer reporting agency from
which it received the information (including a toll-free telephone number

CFPB Manual V.2 (October 2012) FCRA 29


CFPB Consumer
Laws and Regulations FCRA
established by the agency, if the consumer reporting agency maintains files on a
nationwide basis); and
b. a statement that the consumer reporting agency did not make the decision to take
the adverse action and is unable to provide the consumer the specific reasons why
the adverse action was taken;
4. provide to the consumer an oral, written, or electronic notice of the consumer’s right
to obtain a free copy of the consumer report from the consumer reporting agency
within 60 days of receiving notice of the adverse action, and the consumer’s right to
dispute the accuracy or completeness of any information in the consumer report with
the consumer reporting agency.
Information Obtained from Third Parties Other than Consumer Reporting Agencies
(Including Affiliates)

Section 615(b), Adverse Action Based on Information Obtained from Third Parties Other than
Consumer Reporting Agencies, provides that, in general, whenever credit for personal, family, or
household purposes involving a consumer is denied or the charge for such credit is increased
either wholly or partly because of information obtained from a person other than a consumer
reporting agency bearing upon the consumer’s credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of living, the user of such
information shall:
1. At the time such adverse action is communicated, clearly and accurately disclose to
the consumer his right to make a written request for the reasons for such adverse
action within 60 days after learning of such adverse action; and
2. Within a reasonable period of time after receipt of such written request from the
consumer, disclose the nature of the information to the consumer.
If the adverse action described in 615(b)(2)(B) is (i) taken based in whole or in part on
information from a person related by common ownership or affiliated by common corporate
control to the person taking the action, and (ii) bears on the credit worthiness, credit standing,
credit capacity, character, general reputation, personal characteristics, or mode of living of the
consumer, and (iii) does not include information solely as to transactions or experiences between
the consumer and the person furnishing the information or information in a consumer report,
then the person taking the adverse action shall:
1. Notify the consumer of the action, including a statement that the consumer may
obtain the information upon written request from the consumer received within 60
days after transmittal of the notice required; and
2. Not later than 30 days after receipt of such written request from the consumer,
disclose to the consumer the nature of the information upon which the action is based.

CFPB Manual V.2 (October 2012) FCRA 30


CFPB Consumer
Laws and Regulations FCRA
Debt Collector Communications Concerning Identity Theft –
Section 615(g); 15 U.S.C. 1681m(g)

Section 615(g) has specific requirements for persons, such as financial institutions, that act as
debt collectors, whereby they collect debts on behalf of a third party that is a creditor or other
user of a consumer report. The requirements do not apply when a person is collecting its own
loans. When a person is notified that any information relating to a debt that it is attempting to
collect may be fraudulent or may be the result of identity theft, the person must notify the third
party of this fact. In addition, if the consumer, to whom the debt purportedly relates, requests
information about the transaction, the person must provide all of the information the consumer
would otherwise be entitled to if the consumer wished to dispute the debt under other provisions
of law applicable to the person.
Risk-Based Pricing Notice – Section 615(h); 15 U.S.C. 1681m(h);
12 CFR 1022, Subpart H

Section 615(h) of the Fair Credit Reporting Act (FCRA) generally requires a user of consumer
reports, such as a creditor, to provide a risk-based pricing notice to a consumer when the
creditor, based on a consumer report, extends credit to the consumer on terms that are
“materially less favorable” than the terms the creditor has extended to other consumers. On
January 15, 2010, the Federal Reserve and the Federal Trade Commission (FTC) published final
rules in the Federal Register (75 Fed. Reg. 2724) implementing this section of the FCRA.
The risk-based pricing notice requirement is designed primarily to improve the accuracy of
consumer reports by alerting consumers to the existence of negative information in their
consumer reports so that the consumers can, if they choose, check their consumer reports for
accuracy and correct any inaccurate information. This notice provision is meant to complement
an existing provision of the FCRA, Section 615(a), whereby a creditor that denies a consumer’s
application for credit, based in whole or in part on information in a consumer’s report, must
provide an adverse action notice. Section 615(h), covers the situation where credit is offered on
“materially less favorable terms,” rather than being denied.
The Dodd-Frank Act amended Section 615(h) of the FCRA to require a person to disclose a
consumer’s credit score and certain information relating to the credit score, if a credit score is
used in making the credit decision. On July 15, 2011, the Federal Reserve Board and the FTC
published final rules (effective August 15, 2011) amending the risk-based pricing regulation to
effect the Dodd-Frank Act changes (76 FR 41602). On December 21, 2011, the CFPB restated
the FCRA regulations at 12 CFR Part 1022. (76 Fed. Reg. 79308)
Key Definitions – 12 CFR 1022.71

The following definitions pertain to the rules governing the risk-based pricing regulation:
Material terms means in general:
a. for open-end credit (except as provided in (b) and (d) below), the annual percentage
rate (APR) required to be disclosed in the account opening disclosures required under

CFPB Manual V.2 (October 2012) FCRA 31


CFPB Consumer
Laws and Regulations FCRA
Regulation Z. This does not include a temporary initial rate that is lower than the rate
that will apply when the temporary rate expires, any penalty rate that applies upon the
occurrence of specific events (such as a late payment), or any fixed APR option for a
home equity line of credit;
b. for credit cards (other than a credit card used to access a home equity line of credit or
a charge card), the APR that applies for purchases. For credit cards without a
purchase APR, “material terms” means the APR that varies based on consumer report
information and that has the most significant financial impact on consumers;
c. for closed-end credit, the APR required to be disclosed prior to consummation under
the closed-end provisions of Regulation Z; and
d. for credit that does not have an APR, the financial term that varies based on consumer
report information and that has the most significant financial impact on consumers,
such as an annual membership fee for a charge card.
Materially less favorable means, generally, that the terms granted, extended, or otherwise
provided to a consumer differ from the terms granted, extended, or otherwise provided to another
consumer such that the cost of credit to a consumer would be significantly greater than the cost
of credit granted, extended, or otherwise provided to the other consumer. Relevant factors in
determining the significance of a difference in cost include the type of credit product, the term of
the credit extension, and the extent of the difference between the material terms granted,
extended, or otherwise provided to the two consumers.

General requirements – 12 CFR 1022.72-73

A person must provide to a consumer a notice (“risk-based pricing notice”) in the form and
manner prescribed by the regulation if:
1. The person uses a consumer report in connection with an application for, or a grant,
extension, or other provision of, credit to a consumer for personal, family, or
household purposes; and
2. Based in whole or in part on the consumer report, the person grants, extends, or
otherwise provides credit to that consumer on material terms that are materially less
favorable than the most favorable material terms available to a substantial proportion
of consumers from that person.
The obligation to provide the notice applies to the creditor to whom the obligation is initially
payable, i.e., the original creditor. This interpretation excludes brokers and other intermediaries
who do not themselves grant, extend, or provide credit to consumers. See preamble to the final
regulation (75 FR 2730)(January 15, 2010).
Determination of which consumers must receive notice (12 CFR 1022.72(b)). A person may
determine, on a case-by-case basis, whether a consumer has received material terms that are

CFPB Manual V.2 (October 2012) FCRA 32


CFPB Consumer
Laws and Regulations FCRA
materially less favorable by comparing the material terms offered to the consumer to the
material terms offered to other consumers for a specific type of credit product. A “specific type
of credit product” means one or more credit products with similar features that are designed for
similar purposes. Examples include student loans, unsecured credit cards, secured credit cards,
new automobile loans, used automobile loans, fixed-rate mortgage loans, and variable-rate
mortgage loans.
Because making such a direct comparison between consumers may not be operationally feasible,
the rules provide two alternative methods, a credit score proxy method and a tiered pricing
method, both of which are described as follows:
1. Credit score proxy method (12 CFR 1022.72(b)(1)). If a person uses credit scores to
set the material terms of credit, the person may determine a cutoff score that
represents the point at which approximately 40 percent of its consumers have higher
credit scores and 60 percent of its consumers have lower credit scores. The person
may then provide a risk-based pricing notice to each consumer who has a credit score
lower than the cutoff score.
Credit Score Proxy Example
The number of all, or a representative sample of, consumers to whom the 10,000
person granted credit for a specific type of credit product
40 percent of consumers 4,000
Credit scores of the 4,000 consumers with the highest credit scores 700 or
higher
Cutoff score 700
Credit scores of those consumers to whom the person must provide a 699 or
risk-based pricing notice, because the consumers’ scores are lower than lower
cutoff score

Alternative to 40/60 cutoff. The regulation provides an alternative to the 40/60 cutoff
discussed above for situations where more than 40 percent of consumers (e.g., 80
percent) receive the most favorable material terms. In such situations, the person may set
a different cutoff score based on its historical experience. The cutoff score would be set at
a point at which the approximate percentage of consumers who historically have received
the most favorable material terms based on their credit score would not receive a notice
in the future. Under this alternative, the risk-based pricing notices would be provided to
the approximate percentage of consumers who historically have been granted credit on
material terms other than the most favorable terms.
For example, based on a sample of credit extended in the past six months, a creditor may
determine that approximately 80 percent of its consumers received credit at its lowest
APR (i.e., the most favorable material terms), and 20 percent of its consumers received
credit at a higher APR (i.e., material terms other than the most favorable). Approximately
80 percent of the sampled consumers had a credit score at or above 750, and 20 percent
had a credit score below 750. As a result, the card issuer could select 750 as its cutoff

CFPB Manual V.2 (October 2012) FCRA 33


CFPB Consumer
Laws and Regulations FCRA
score. Consumers who have credit scores lower than 750 would receive the risk-based
pricing notice. See preamble to the final regulation (75 FR at 2733)(January 15, 2010).
Recalculation. A person must recalculate the score no less than every two years.
Specific type of product (sampling approach). A person must calculate the cutoff score by
considering the credit scores of all, or a representative sample of, the consumers who
have received credit for a specific type of credit product.
New entrants or new products (secondary approach in limited circumstances). For new
entrants into the credit business or for new products subject to risk-based pricing, a
person may determine the cutoff score based on information from market research or
other third-party sources for a specific type of credit product. For a newly acquired credit
portfolio, a person may determine the cutoff score from information obtained from the
party from which it acquired the portfolio. The person must recalculate the cutoff score
using the scores of its own consumers within one year after it begins using a score
derived from market research, third-party data, or the party from which it acquired the
portfolio. If, within that one year, it has not granted credit to a sufficient number of new
consumers, thus preventing it from having sufficient data with which to recalculate a cut-
off score based on the credit scores of its own consumers, it may continue to use the
original cutoff score until it obtains sufficient data on which to base the calculation.
However, within two years, it must calculate its own cutoff score if it has granted credit
to some new consumers within those two years.
Use of multiple credit scores. For a person that generally uses two or more credit scores
to set material credit terms, the person must determine the cutoff score using the same
method used to evaluate multiple scores when making credit decisions (for example,
using an average credit score). If the person does not consistently use the same method
for evaluating multiple scores, the person must use a reasonable means. For example, the
person may use any one of the methods that the person ordinarily uses or the average
credit score of each consumer to calculate the credit score by a reasonable means.
No credit score available for a consumer. If no credit score is available for a consumer, a
person must assume that it is granting credit on materially less favorable terms and thus
must provide a risk-based pricing notice to the consumer.
2. Tiered pricing method (12 CFR 1022.72(b)(2)). If a person sets the material terms of
credit by assigning each consumer to one of a discrete number of pricing tiers for a
specific type of credit product, based in whole or in part on a consumer report, the
person may provide a risk-based pricing notice to each consumer who is not assigned
to the top pricing tier or tiers.
If the person uses four or fewer pricing tiers, it complies by providing risk-based pricing
notices to all consumers who do not qualify for the top, best-priced tier. If the person uses
five or more pricing tiers, it complies by providing the notices to all consumers who do
not qualify for the two top, best-priced tiers and any other tier that, combined with the top

CFPB Manual V.2 (October 2012) FCRA 34


CFPB Consumer
Laws and Regulations FCRA
two tiers, equals no less than the top 30 percent and no more than the top 40 percent of
the total number of tiers.

Tiered Pricing Example


Four or fewer tiers
Top tier = best APR Notice requirements.
rate
Tier 1 (top) 8% No risk-based pricing notice required.
Tier 2 10% Risk-based pricing notice required for Tiers 2, 3,
and 4.
Tier 3 12%
Tier 4 14%

Five or more tiers (5 tiers)


Top tier = best APR
rate
Tier 1 (top) 8% No risk-based pricing notice required for top 30% to
40% of tiers.
Tier 2 10%
Top two tiers comprise 2 out of 5 (40%) of the number
of tiers.
Tier 3 12% Risk-based notices required for Tiers 3-5.
Tier 4 14%
Tier 5 16%

Five or more tiers (9 tiers)


Top tier = best APR
rate
Tier 1 (top) 8% No risk-based pricing notice required for top 30% to
40% of tiers.
Tier 2 10%
Tier 3 12% Top three tiers comprise 3 out of 9 (33%) of the number
of tiers.
Tier 4 14% Risk-based notices required for Tiers 4-9.
Tier 5 16%
Tier 6 18%
Tier 7 20%
Tier 8 22%
Tier 9 24%

CFPB Manual V.2 (October 2012) FCRA 35


CFPB Consumer
Laws and Regulations FCRA
Application to credit card issuers (12 CFR 1022.72(c)). A credit card issuer may use any of the
methods in 12 CFR 1022.72(b) to identify consumers to whom it must provide a risk-based
pricing notice. Alternatively, the card issuer may provide the notice when:
1. a consumer applies for a credit card in connection with an application program or in
response to a solicitation, and more than one purchase APR may apply under the
program or solicitation, and
2. based in whole or in part on a consumer report, the credit card is issued to a consumer
with an APR that is higher than the lowest APR available in connection with the
application or solicitation.
The risk-based pricing requirements do not apply to a card issuer if the credit card program
offers only a single annual APR (other than temporary initial rates or penalty rates) or if the
issuer offers the consumer the lowest possible APR under the credit card program.
Content of the notice (12 CFR 1022.73(a)(1)). The risk-based pricing notice must include:
1. a statement that a consumer report (or credit report) includes information about the
consumer’s credit history and the type of information included in that history;
2. a statement that the consumer is encouraged to verify the accuracy of the information
contained in the consumer report and has the right to dispute any inaccurate
information in the report;
3. the identity of each consumer reporting agency that furnished a consumer report used
in the credit decision;
4. a statement that federal law gives the consumer the right to obtain a copy of a
consumer report from the consumer reporting agency or agencies identified in the
notice without charge for 60 days after receipt of the notice;
5. a statement informing the consumer how to obtain a consumer report from the
consumer reporting agency or agencies identified in the notice and providing contact
information (including a toll-free telephone number, where applicable) specified by
the consumer reporting agency or agencies;
6. a statement directing consumers to the website of the CFPB to obtain more
information about consumer reports;
7. if a credit score of the consumer to whom a person grants, extends, or otherwise
provides credit is used in setting the material terms of credit:
a. a statement that a credit score is a number that takes into account information in a
consumer report, that the consumer‘s credit score was used to set the terms of
credit offered, and that a credit score can change over time to reflect changes in
the consumer‘s credit history;

CFPB Manual V.2 (October 2012) FCRA 36


CFPB Consumer
Laws and Regulations FCRA
b. the credit score used by the person in making the credit decision;
c. the range of possible credit scores under the model used to generate the credit
score;
d. all of the key factors that adversely affected the credit score, which shall not
exceed four key factors, except that if one of the key factors is the number of
enquiries made with respect to the consumer report, the number of key factors
shall not exceed five;
e. the date on which the credit score was created; and
f. the name of the consumer reporting agency or other person that provided the
credit score.
8. A statement that the terms offered, such as the APR, have been set based on
information from a consumer report; and
9. A statement that the terms offered may be less favorable than the terms offered to
consumers with better credit histories.
See Appendix H-1 and H-6 of the regulation for model forms for the risk-based pricing
notice.
Account Review (12 CFR 1022.72(d)). Generally, a person must provide an account review
risk-based pricing notice to the consumer if the person, based in whole or in part on a
consumer report, increases the consumer’s APR after a review of the consumer’s account,
unless one of the exceptions in 12 CFR 1022.74 applies (for example, the creditor provides an
adverse action notice).
Content of account review risk-based pricing notice (12 CFR 1022.73(a)(2)). The account
review risk-based pricing notice must include:
1. a statement that a consumer report (or credit report) includes information about the
consumer’s credit history and the type of information included in that history;
2. a statement that the consumer is encouraged to verify the accuracy of the information
contained in the consumer report and has the right to dispute any inaccurate
information in the report;
3. the identity of each consumer reporting agency that furnished a consumer report used
in the account review;
4. a statement that federal law gives the consumer the right to obtain a copy of a
consumer report from the consumer reporting agency or agencies identified in the
notice without charge for 60 days after receipt of the notice;

CFPB Manual V.2 (October 2012) FCRA 37


CFPB Consumer
Laws and Regulations FCRA
5. a statement informing the consumer how to obtain a consumer report from the
consumer reporting agency or agencies identified in the notice and providing contact
information (including a toll-free telephone number, where applicable) specified by
the consumer reporting agency or agencies;
6. a statement directing consumers to the website of the CFPB to obtain more
information about consumer reports;
7. if a credit score of the consumer whose extension of credit is under review is used in
increasing the APR:
a. a statement that a credit score is a number that takes into account information in a
consumer report, that the consumer‘s credit score was used to set the terms of
credit offered, and that a credit score can change over time to reflect changes in
the consumer‘s credit history;
b. the credit score used by the person in making the credit decision;
c. the range of possible credit scores under the model used to generate the credit
score;
d. all of the key factors that adversely affected the credit score, which shall not
exceed four key factors, except that if one of the key factors is the number of
enquires made with respect to the consumer report, the number of key factors
shall not exceed five;
e. the date on which the credit score was created; and
f. the name of the consumer reporting agency or other person that provided the
credit score.
8. a statement that the person has conducted a review of the account using information
from a consumer report; and
9. a statement that as a result of the review, the APR on the account has been increased
based on information from a consumer report.
NOTE: Items 1 through 7 for the account review risk-based pricing notice are substantially
the same as items 1 through 7 for the risk-based pricing notice. Only the last two items in
each list are different.
See Appendix H-2 and H-7 of the regulation for model forms for the account review risk-
based pricing notice.
Form of the notice (12 CFR 1022.73(b)).The risk-based pricing notices and the account review
risk-based pricing notices must be clear and conspicuous and provided to the consumer in oral,
written, or electronic form. Persons, such as creditors, are deemed to be in compliance with the

CFPB Manual V.2 (October 2012) FCRA 38


CFPB Consumer
Laws and Regulations FCRA
disclosure requirements through use of the optional, applicable model forms, found in Appendix
H of the regulation.
Timing (12 CFR 1022.73(c)). The timing requirement depends on the specific type of credit
transaction as specified below.
1. For closed-end credit, a risk-based pricing notice must be provided to the consumer
after the decision to approve a credit request is communicated to the consumer, but
before consummation of the transaction.
2. For open-end credit, the notice must be provided after the decision to grant credit is
communicated to the consumer, but before the first transaction under the plan has
been made.
3. For account reviews, the notice must be provided at the time that the decision to
increase the APR is communicated to the consumer. If no notice of the increase in the
APR is provided to the consumer prior to the effective date of the APR change, the
notice must be provided no later than five days after the effective date of the APR
change.
4. For automobile lending transactions made through an auto dealer or other party that is
unaffiliated with the creditor, the creditor may provide a risk-based pricing notice in
the time periods described above for closed-end credit. Alternatively, the creditor
may arrange to have the auto dealer or other party provide a risk-based pricing notice
to the consumer on its behalf within these time periods and maintain reasonable
policies and procedures to verify that the auto dealer provides the notices to
consumers within the applicable time periods. If the creditor arranges to have the auto
dealer or other party provide a credit score disclosure exception notice, the creditor
complies if the consumer receives a notice containing a credit score obtained by the
dealer or other party, even if a different credit score is obtained and used by the
creditor. (12 CFR 1022.73(c)(2))
5. For credit that is granted under an open-end credit plan to a consumer in person or by
telephone for contemporaneous purchase of goods or services, the risk-based pricing
notice may be provided at the earlier of:
a. The time of the first mailing to the consumer after the decision is made to approve
the credit, such as in a mailing containing the account agreement or a credit card;
or
b. Within 30 days after the decision to approve the credit.
Multiple credit scores (12 CFR 1022.73(d)). When a person obtains or creates two or more credit
scores and uses one of those credit scores in setting the material terms of credit (e.g., by using
the low, middle, high, or most recent score), the risk-based pricing notice and the account review
notice must include that credit score and the information about the credit score described in the
notice content requirements above.

CFPB Manual V.2 (October 2012) FCRA 39


CFPB Consumer
Laws and Regulations FCRA
When a person obtains or creates two or more credit scores and uses multiple credit scores in
setting the material terms of credit (e.g., by computing the average of all the credit scores
obtained or created, the risk-based pricing notice and the account review notice must include one
of those credit scores and the information about the credit score described previously in the
notice content requirements. The notice may, at the person‘s option, include more than one credit
score and the related information for each credit score disclosed.
Examples.
1. A person that uses consumer reports to set the material terms of credit cards granted,
extended, or provided to consumers regularly requests credit scores from several
consumer reporting agencies and uses the low score when determining the material
terms it will offer to the consumer. That person must disclose the low score in the
risk-based pricing notice and the account review notice.
2. A person that uses consumer reports to set the material terms of automobile loans
granted, extended, or provided to consumers regularly requests credit scores from
several consumer reporting agencies, each of which it uses in an underwriting
program in order to determine the material terms it will offer to the consumer. That
person may choose one of these scores to include in the risk-based pricing notice and
the account review notice.
Exceptions – 12 CFR 1022.74

The rules contain a number of exceptions to the risk-based pricing notice requirement, as
follows:
1. when a consumer applies for specific material terms of credit (e.g., a specific APR),
and receives them, unless those terms were specified by the creditor using a consumer
report after the consumer applied for the credit and after the creditor obtained the
consumer report (12 CFR 1022.74(a));
2. when a person such as a creditor provides a notice of adverse action (12 CFR
1022.74(b));
3. when a person makes a firm offer of credit in a prescreened solicitation even if the
person makes other firm offers of credit to other consumers on more favorable
material terms (12 CFR 1022.74(c));
4. when a person generally provides a credit score disclosure to each consumer that
requests a loan that is or will be secured by residential real property (12 CFR
1022.74(d));
5. when a person generally provides a credit score disclosure to each consumer that
requests a loan that is not or will not be secured by residential real property (12 CFR
1022.74(e));

CFPB Manual V.2 (October 2012) FCRA 40


CFPB Consumer
Laws and Regulations FCRA
6. when a person who otherwise provides credit score disclosures to consumers that
request loans, provides a disclosure about credit scores when no credit score is
available (12 CFR 1022.74(f)).
The specific disclosure requirements for exceptions in 12 CFR 1022.74(d)-(f) are described
below.
Section 1022.74(d) exception - credit score disclosure for loans secured by residential real
property. An person is not required to provide a risk-based pricing notice to a consumer under 12
CFR 1022.72(a) or (c) if:
1. The consumer requests from an person an extension of credit that is or will be secured
by one to four units of residential real property; and
2. The person generally provides to each consumer that requests such an extension of
credit a notice that contains the following:
a. a statement that a consumer report (or credit report) is a record of the consumer’s
credit history and includes information about whether the consumer pays his or
her obligations on time and how much the consumer owes to creditors;
b. a statement that a credit score is a number that takes into account information in a
consumer report and that a credit score can change over time to reflect changes in
the consumer’s credit history;
c. a statement that the consumer’s credit score can affect whether the consumer can
obtain credit and what the cost of that credit will be;
d. a statement that the consumer is encouraged to verify the accuracy of the
information contained in the consumer report and has the right to dispute any
inaccurate information in the report;
e. a statement that federal law gives the consumer the right to obtain copies of his or
her consumer reports directly from the consumer reporting agencies, including a
free report from each of the nationwide consumer reporting agencies once during
any 12-month period;
f. contact information for the centralized source from which consumers may obtain
their free annual consumer reports;
g. a statement directing consumers to the website of the CFPB to obtain more
information about consumer reports;
h. the information required to be disclosed to the consumer in Section 609(g) of the
FCRA, and as described in Module 3 of these examination procedures, under
“Disclosure of Credit Scores by Certain Mortgage Lenders (FCRA), Section
609(g);” and

CFPB Manual V.2 (October 2012) FCRA 41


CFPB Consumer
Laws and Regulations FCRA
i. the distribution of credit scores among consumers who are scored under the same
scoring model that is used to generate the consumer’s credit score. The
distribution must:
i. use the same scale as that of the credit score provided to the consumer, and
ii. be presented:

• in the form of a bar graph containing a minimum of six bars that illustrates the
percentage of consumers with credit scores within the range of scores
reflected in each bar,

• by other clear and readily understandable graphical means, or

• in a clear and readily understandable statement informing the consumer how his
or her credit score compares to the scores of other consumers.
The presentation may use a graph or statement obtained from the entity providing
the credit score if it meets these requirements.
Form of the notice. The 12 CFR 1022.74(d) notice must be:
1. clear and conspicuous;
2. provided on or with the notice required by Section 609(g) of the FCRA;
3. segregated from other information provided to the consumer, except for the notice
required by Section 609(g) of the FCRA; and
4. provided to the consumer in writing and in a form that the consumer may keep.
Timing. The 12 CFR 1022.74(d) notice must be provided to the consumer at the same time as the
disclosure required by Section 609(g) of the FCRA is provided to the consumer, which must be
provided as soon as reasonably practicable after the credit score has been obtained. In any event,
the 12 CFR 1022.74(d) notice must be provided at or before consummation in the case of closed-
end credit or before the first transaction is made under an open-end credit plan.
Content of the notice when using multiple credit scores. When a person obtains two or more
credit scores from consumer reporting agencies in setting material terms of credit, the content of
the 12 CFR 1022.74(d) notice varies depending upon whether the person only relies upon one of
the credit scores or relies upon multiple credit scores.
1. If a person only relies upon one of those credit scores in setting the material terms of
credit granted, extended, or otherwise provided to a consumer (for example, by using
the low, middle, high, or most recent score), the notice must include that credit score
and the other information required by 12 CFR 1022.74(d).

CFPB Manual V.2 (October 2012) FCRA 42


CFPB Consumer
Laws and Regulations FCRA
2. If a person relies upon multiple credit scores in setting the material terms of credit
granted, extended, or otherwise provided to a consumer (for example, by computing
the average of all the credit scores obtained), the notice must include one of those
credit scores and the other information required by 12 CFR 1022.74(d).
At the person’s option, the notice may include more than one credit score, along with the
additional information required by 12 CFR 1022.74(d) for each credit score disclosed.
Examples.
1. A person uses consumer reports to set the material terms of mortgage credit granted,
extended, or provided to consumers and regularly requests credit scores from several
consumer reporting agencies. It relies upon the low score when determining the
material terms it will offer to the consumer. The person must disclose the low score in
the 12 CFR 1022.74(d) notice.
2. A person uses consumer reports to set the material terms of mortgage credit granted,
extended, or provided to consumers and regularly requests credit scores from several
consumer reporting agencies. The person takes an average of all of the credit scores
obtained in order to determine the material terms it will offer to the consumer, and
thus relies upon all of the credit scores that it receives. The person may choose one of
these scores to include in the 12 CFR 1022.74(d) notice.
Model form. Appendix H-3 of the regulation contains a model form of the 12 CFR 1022.74(d)
notice that is consolidated with the notice required by Section 609(g) of the FCRA. While use of
the model form is optional, appropriate use of Model Form H-3 is deemed to comply with the
requirements of 12 CFR 1022.74(d).
Section 1022.74(e) exception - credit score disclosure for loans not secured by residential real
property. A person is not required to provide a risk-based pricing notice to a consumer under 12
CFR 1022.72(a) or (c) if:
1. the consumer requests from a person an extension of credit that is not or will not be
secured by one to four units of residential real property; and
2. the person provides to each consumer that requests such an extension of credit a
notice that contains the following:
a. a statement that a consumer report (or credit report) is a record of the consumer’s
credit history and includes information about whether the consumer pays his or
her obligations on time and how much the consumer owes to creditors;
b. a statement that a credit score is a number that takes into account information in a
consumer report and that a credit score can change over time to reflect changes in
the consumer’s credit history;

CFPB Manual V.2 (October 2012) FCRA 43


CFPB Consumer
Laws and Regulations FCRA
c. a statement that the consumer’s credit score can affect whether the consumer can
obtain credit and what the cost of that credit will be;
d. a statement that the consumer is encouraged to verify the accuracy of the
information contained in the consumer report and has the right to dispute any
inaccurate information in the report;
e. a statement that federal law gives the consumer the right to obtain copies of his or
her consumer reports directly from the consumer reporting agencies, including a
free report from each of the nationwide consumer reporting agencies once during
any 12-month period;
f. contact information for the centralized source from which consumers may obtain
their free annual consumer reports;
g. a statement directing consumers to the website of the CFPB to obtain more
information about consumer reports;
h. the current credit score of the consumer or the most recent credit score of the
consumer that was previously calculated by the consumer reporting agency for a
purpose related to the extension of credit;
i. the distribution of credit scores among consumers who are scored under the same
scoring model that is used to generate the consumer’s credit score. The
distribution must:
i. use the same scale as that of the credit score provided to the consumer; and
ii. be presented:

• in the form of a bar graph containing a minimum of six bars that illustrates the
percentage of consumers with credit scores within the range of scores
reflected in each bar;

• by other clear and readily understandable graphical means; or

• in a clear and readily understandable statement informing the consumer how


his or her credit score compares to the scores of other consumers.
The presentation may use a graph or statement obtained from the entity providing
the credit score if it meets these requirements.
j. the range of possible credit scores under the model used to generate the credit score;
k. the date on which the credit score was created; and
the name of the consumer reporting agency or other person that provided the
credit score.

CFPB Manual V.2 (October 2012) FCRA 44


CFPB Consumer
Laws and Regulations FCRA
NOTE: Items a, b, c, d, e, f, g, and i for the 12 CFR 1022.74(e) notice are the same as
items a, b, c, d, e, f, g, and i for the 12 CFR 1022.74(d) notice.
Form of the notice. The 12 CFR 1022.74(e) notice must be:
a. clear and conspicuous;
b. segregated from other information provided to the consumer; and
c. provided to the consumer in writing and in a form that the consumer may keep.
Timing. The 12 CFR 1022.74(e) notice generally must be provided to the consumer as soon as
reasonably practicable after the credit score has been obtained, but in any event at or before
consummation in the case of closed-end credit or before the first transaction is made under an
open-end credit plan. The notice may alternatively be provided in the following manner:
a. For automobile lending transactions made through an auto dealer or other party
that is unaffiliated with the person, such as a creditor, the person may provide a
12 CFR 1022.74(e) notice in the time periods described above. Alternatively, the
creditor may arrange to have the auto dealer or other party provide a 12 CFR
1022.74(e) notice to the consumer on its behalf within these time periods and
maintain reasonable policies and procedures to verify that the auto dealer
provides the notice to the consumer within the applicable time periods. If the
creditor arranges to have the auto dealer or other party provide a credit score
disclosure exception notice, the creditor complies if the consumer receives a
notice containing a credit score obtained by the dealer or other party, even if a
different credit score is obtained and used by the creditor. 12 CFR 1022.73(c)(2))
b. For credit that is granted under an open-end credit plan to a consumer in person
or by telephone for contemporaneous purchase of goods or services, the 12 CFR
1022.74(e) notice may be provided at the earlier of:
i. the time of the first mailing to the consumer after the decision is made to
approve the credit, such as in a mailing containing the account agreement
or a credit card; or
ii. within 30 days after the decision to approve the credit
(12 CFR 1022.73(c)(3)).
Multiple credit scores. When a person obtains two or more credit scores from consumer
reporting agencies in setting material terms of credit, the content of the 12 CFR
1022.74(e) notice varies depending if the person relies upon only one of the credit scores
or relies upon multiple credit scores. These disclosures requirements are the same as
those for the 12 CFR 1022.74(d) notices, as described previously.

CFPB Manual V.2 (October 2012) FCRA 45


CFPB Consumer
Laws and Regulations FCRA
Model form. Appendix H-4 of the regulation contains a model form of the 12 CFR
1022.74(e) notice. While use of the model form is optional, appropriate use of Model
Form H-4 is deemed to comply with the requirements of 12 CFR 1022.74(e).
Section 1022.74(f) exception - credit score not available. A person is not required to provide a
risk-based pricing notice to a consumer under 12 CFR 1022.72(a) or (c) if the person:
1. regularly obtains credit scores from a consumer reporting agency and provides credit
score disclosures to consumers in accordance with 12 CFR 1022.74(d) or (e), but a
credit score is not available from the consumer reporting agency from which the
person regularly obtains credit scores for a consumer to whom the person grants,
extends, or provides credit;
2. does not obtain a credit score from another consumer reporting agency in connection
with granting, extending, or providing credit to the consumer; and
3. provides to the consumer a notice that contains the following:
a. a statement that a consumer report (or credit report) includes information about
the consumer’s credit history and the type of information included in that history;
b. a statement that a credit score is a number that takes into account information in a
consumer report and that a credit score can change over time in response to
changes in the consumer’s credit history;
c. a statement that credit scores are important because consumers with higher credit
scores generally obtain more favorable credit terms;
d. a statement that not having a credit score can affect whether the consumer can
obtain credit and what the cost of that credit will be;
e. a statement that a credit score about the consumer was not available from a
consumer reporting agency, which must be identified by name, generally due to
insufficient information regarding the consumer’s credit history;
f. a statement that the consumer is encouraged to verify the accuracy of the
information contained in the consumer report and has the right to dispute any
inaccurate information in the consumer report;
g. a statement that federal law gives the consumer the right to obtain copies of his or
her consumer reports directly from the consumer reporting agencies, including a
free consumer report from each of the nationwide consumer reporting agencies
once during any 12-month period;
h. the contact information for the centralized source from which consumers may
obtain their free annual consumer reports; and

CFPB Manual V.2 (October 2012) FCRA 46


CFPB Consumer
Laws and Regulations FCRA
i. a statement directing consumers to the website of the CFPB to obtain more
information about consumer reports.
NOTE: Items b, f, g, h, and i for the 12 CFR 1022.74(f) notice are the same as items
b, f, g, h, and i for the 12 CFR 1022.74(d) and (e) notices.
Example. A person, such as a creditor, uses consumer reports to set the material terms of
non-mortgage credit granted, extended, or provided to consumers and regularly requests
credit scores from a particular consumer reporting agency. As required by 12 CFR
1022.74(e), the creditor provides those credit scores and additional information to consumers.
The consumer reporting agency provides to the creditor a consumer report on a particular
consumer that contains one trade line, but does not provide the creditor with a credit score on
that consumer. If the creditor does not obtain a credit score from another consumer reporting
agency and, based in whole or in part on information in a consumer report, grants, extends, or
provides credit to the consumer, the creditor may provide the 12 CFR 1022.74(f) notice. If,
however, the creditor obtains a credit score from another consumer reporting agency, the
creditor may not rely upon the 12 CFR 1022.74(f) exception, but must satisfy the
requirements of 12 CFR 1022.74(e).
Form of the notice. The 12 CFR 1022.74(f) notice must be:
1. clear and conspicuous;
2. segregated from other information provided to the consumer; and
3. provided to the consumer in writing and in a form that the consumer may keep.
Timing. The 12 CFR 1022.74(f) notice generally must be provided to the consumer as
soon as reasonably practicable after the person has requested the credit score, but in any
event not later than consummation of a transaction in the case of closed-end credit or
when the first transaction is made under an open-end credit plan. The notice may
alternatively be provided in the following manner:
1. For automobile lending transactions made through an auto dealer or other party that
is unaffiliated with the person, such as a creditor, the creditor may provide a 12 CFR
1022.74(f) notice in the time periods described above. Alternatively, the creditor
may arrange to have the auto dealer or other party provide a 12 CFR 1022.74(f)
notice to the consumer on its behalf within these time periods and maintain
reasonable policies and procedures to verify that the auto dealer provides the notice
to the consumer within the applicable time periods.
2. For credit that is granted under an open-end credit plan to a consumer in person
or by telephone for contemporaneous purchase of goods or services, the Section
1022.74(f) notice may be provided at the earlier of:

CFPB Manual V.2 (October 2012) FCRA 47


CFPB Consumer
Laws and Regulations FCRA
a. the time of the first mailing to the consumer after the decision is made to
approve the credit, such as in a mailing containing the account agreement or
a credit card; or
b. within 30 days after the decision to approve the credit (12 CFR
1022.73(c)(3)).
Model form. Appendix H-5 of the regulation contains a model form of the 12 CFR
1022.74(f) notice. While use of the model form is optional, appropriate use of Model
Form H-5 is deemed to comply with the requirements of 12 CFR 1022.74(f).
Rules of Construction – 12 CFR 1022.75

The rules clarify that, in general, only one risk-based pricing notice or one credit score disclosure
exception notice is required to be provided per credit extension (however, an account review
would still be required, if applicable).
In a transaction involving two or more consumers who are granted, extended, or otherwise
provided credit, a person must provide a risk-based pricing notice to each consumer. If the
consumers have the same address, and the notice does not include a credit score(s), a person may
satisfy the requirements by providing a single notice addressed to both consumers. However, if a
notice includes a credit score(s), the person must provide a separate notice to each consumer
whether the consumers have the same address or not. Each separate notice that includes a credit
score(s) must contain only the credit score(s) of the consumer to whom the notice is provided,
and not the credit score(s) of the other consumer. Similarly, for credit score disclosure exception
notices, whether the consumers have the same address or not, the person must provide a separate
notice to each consumer and each separate notice that includes a credit score(s) must contain
only the credit score(s) of the consumer to whom the notice is provided.
A purchaser or assignee of a credit contract with a consumer is not subject to the risk-based
pricing notice requirements.
Appendix H

Appendix H contains seven optional model forms that may be used to comply with the
regulatory requirements. The seven model forms are:
1. H-1 Model form for risk-based pricing notice
2. H-2 Model form for account review risk-based pricing notice
3. H-3 Model form for credit score disclosure exception for credit secured by one to four
units of residential real property
4. H-4 Model form for credit score disclosure exception for loans not secured by
residential real property

CFPB Manual V.2 (October 2012) FCRA 48


CFPB Consumer
Laws and Regulations FCRA
5. H-5 Model form for credit score disclosure exception for loans where credit score is
not available
6. H-6 Model form for risk-based pricing notice with credit score information
7. H-7 Model form for account review risk-based pricing notice with credit score information
Use of the model forms is not required. A person may change the forms by rearranging the format or
by making technical modifications to the language of the forms. However, any change may not be so
extensive as to materially affect the substance, clarity, comprehensibility, or meaningful sequence of
the forms. Persons making such extensive revisions would lose the “safe harbor” that Appendix H
provides. Examples of acceptable changes are provided in Appendix H to the regulation.

CFPB Manual V.2 (October 2012) FCRA 49


CFPB Consumer
Laws and Regulations FCRA
Module 4 – Duties of Users of Consumer Reports and
Furnishers of Consumer Report Information
Overview

The FCRA contains many responsibilities for persons, such as financial institutions, that furnish
information to consumer reporting agencies. These requirements generally involve ensuring the
accuracy of the data that is placed in the consumer reporting system. This examination module
includes reviews of the various areas associated with furnishers of information. This module will
not apply to persons that do not furnish any information to consumer reporting agencies.
Duties of Users of Credit Reports Regarding Address Discrepancies –
Section 605(h); 15 U.S.C. 1681c(h); 12 CFR 1022.82

Section 605(h)(1) requires that, when providing a consumer report to a person that requests the
report (a user), a nationwide consumer reporting agency (NCRA) must provide a notice of
address discrepancy to the user if the address provided by the user in its request “substantially
differs” from the address the NCRA has in the consumer’s file. Section 605(h)(2) requires the
federal banking agencies and the NCUA (the Agencies), and the FTC to prescribe regulations
providing guidance regarding reasonable policies and procedures that a user of a consumer report
should employ when such user has received a notice of address discrepancy. On November 9,
2007, the Agencies and the FTC published final rules in the Federal Register implementing this
section (72 FR 63718). On December 21, 2011, the CFPB restated the FCRA regulations at 12
CFR Part 1022. (76 Fed. Reg. 79308).
Key Definitions

Nationwide consumer reporting agency (NCRA). Section 603(p) defines an NCRA as one
that compiles and maintains files on consumers on a nationwide basis and regularly engages
in the practice of assembling or evaluating and maintaining the following two pieces of
information about consumers residing nationwide for the purpose of furnishing consumer
reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit
capacity:
1. public record information.
2. credit account information from persons who furnish that information regularly and in
the ordinary course of business.
Notice of address discrepancy (12 CFR 1022.82(b)). A “notice of address discrepancy” is a
notice sent to a user by an NCRA (Section 603(p)) that informs the user of a substantial
difference between the address for the consumer that the user provided to request the
consumer report and the address(es) in the NCRA’s file for the consumer.

CFPB Manual V.2 (October 2012) FCRA 50


CFPB Consumer
Laws and Regulations FCRA
Requirement to form a reasonable belief – 12 CFR 1022.82(c)

A user must develop and implement reasonable policies and procedures designed to enable the
user to form a reasonable belief that the consumer report relates to the consumer whose report
was requested, when the user receives a notice of address discrepancy in connection with a new
or existing account.
The rules provide the following examples of reasonable policies and procedures for forming a
reasonable belief that a consumer report relates to the consumer whose report was requested:
1. comparing information in the consumer report with information the user:
a. has obtained and used to verify the consumer’s identity as required by the
Customer Identification Program rules (31 CFR 1020.220);
b. maintains in its records; or
c. obtains from a third party; or
2. verifying the information in the consumer report with the consumer.
Requirement to furnish a consumer’s address to an NCRA – 12 CFR 1022.82(d)

A user must develop and implement reasonable policies and procedures for furnishing to the
NCRA an address for the consumer that the user has reasonably confirmed is accurate when the
user does the following:
1. forms a reasonable belief that the report relates to the consumer whose report was
requested;
2. establishes a continuing relationship with the consumer (i.e., in connection with a
new account); and
3. regularly, and in the ordinary course of business, furnishes information to the NCRA
that provided the notice of address discrepancy.
A user’s policies and procedures for furnishing a consumer’s address to an NCRA must require the
user to furnish the confirmed address as part of the information it regularly furnishes to the NCRA
during the reporting period when it establishes a continuing relationship with the consumer.

CFPB Manual V.2 (October 2012) FCRA 51


CFPB Consumer
Laws and Regulations FCRA
The rules also provide the following examples of how a user may reasonably confirm an address
is accurate:
1. verifying the address with the consumer whose report was requested;
2. reviewing its own records;
3. verifying the address through third-party sources; or
4. using other reasonable means.
Furnishers of Information: General – Section 623(e); 15 U.S.C. 1681s-2;
12 CFR 1022, Subpart E

Section 623(e) required the Agencies and the Federal Trade Commission (FTC) to:
1. issue guidelines for use by furnishers regarding the accuracy and integrity of the
information about consumers that they furnish to consumer reporting agencies;
2. prescribe regulations requiring furnishers to establish reasonable policies and
procedures for implementing the guidelines; and
3. issue regulations identifying the circumstances under which a furnisher must
reinvestigate disputes concerning the accuracy of information contained in a
consumer report based on a direct request from a consumer.
The Agencies and the FTC published final rules in the Federal Register (74 FR 31484)
implementing this section of FCRA. These rules took effect July 1, 2010. On December 21,
2011, the CFPB restated the FCRA regulations at 12 CFR Part 1022. (76 Fed Reg 79308).
Key Definitions – 12 CFR 1022.41

The following definitions pertain to the rules governing the furnishers of information to a
consumer reporting agency:
Accuracy means that the information a furnisher provides to a consumer reporting agency
about an account or other relationship with the consumer correctly:
1. reflects the terms of and liability for the account or other relationship;
2. reflects the consumer’s performance and other conduct with respect to the account or
other relationship; and
3. identifies the appropriate consumer.
Direct dispute means a dispute submitted by a consumer directly to a furnisher (including a
furnisher that is a debt collector) concerning the accuracy of any information contained in a
consumer report and pertaining to an account or other relationship that the furnisher has or
had with the consumer.

CFPB Manual V.2 (October 2012) FCRA 52


CFPB Consumer
Laws and Regulations FCRA
Furnisher means an entity that furnishes information relating to consumers to one or more
consumer reporting agencies for inclusion in a consumer report. An entity is not a furnisher
when it:
1. provides information to a consumer reporting agency solely to obtain a consumer
report in accordance with the permissible purposes outlined in Sections 604(a) and (f)
of the FCRA;
2. is acting as a “consumer reporting agency” as defined in Section 603(f) of the FCRA;
3. is a consumer to whom the furnished information pertains; or
4. is a neighbor, friend, or associate of the consumer, or another individual with whom
the consumer is acquainted or who may have knowledge about the consumer, and
who provides information about the consumer’s character, general reputation,
personal characteristics, or mode of living in response to a specific request from a
consumer reporting agency.
Identifying information means any name or number that may be used alone or in
conjunction with any other information to identify a specific person.
Identity theft means a fraud committed or attempted using the identifying information of
another person without authority.
Integrity means that the information a furnisher provides to a consumer reporting agency
about an account or other relationship with the consumer:
1. is substantiated by the furnisher’s records at the time it is furnished;
2. is furnished in a form and manner that is designed to minimize the likelihood that the
information may be incorrectly reflected in a consumer report; and
3. includes the information in the furnisher’s possession about the account or other
relationship that:
a. the relevant Agency has determined that the absence of which would likely be
materially misleading in evaluating a consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation, personal characteristics, or
mode of living; and
b. is specified in the Interagency Guidelines Concerning the Accuracy and Integrity
of Information Furnished to Consumer Reporting Agencies (FCRA rule,
Appendix E). Currently, the Guidelines specify the credit limit, if applicable and
in the furnisher’s possession.

CFPB Manual V.2 (October 2012) FCRA 53


CFPB Consumer
Laws and Regulations FCRA
Duties of Furnishers to Provide Accurate Information –
Section 623(a); 15 U.S.C. 1681s-2(a)

Section 623(a) states that a person, including a financial institution, may, but need not, specify
an address for receipt of notices from consumers concerning inaccurate information. If the
person specifies such an address, then it may not furnish information relating to a consumer to
any consumer reporting agency, if (a) the consumer notified the person, at the specified
address, that the information is inaccurate, and (b) the information is inaccurate. If the person
does not specify an address, then it may not furnish any information relating to a consumer to
any consumer reporting agency if the person knows or has reasonable cause to believe that the
information is inaccurate.
When a person that (regularly and in the ordinary course of business) furnishes information to
one or more consumer reporting agencies about its transactions or experiences with any
consumer determines that any such information is not complete or accurate, the person must
promptly notify the consumer reporting agency of that determination. The person must provide
corrections to that information or any additional information necessary to make the information
complete and accurate to the consumer reporting agency. Further, the person thereafter must not
furnish any information that remains incomplete or inaccurate to the consumer reporting agency.
If a consumer disputes the completeness or accuracy of any information a person furnishes to a
consumer reporting agency, that person may not furnish the information to any consumer
reporting agency without notice that the consumer disputes the information.
Reasonable policies and procedures concerning the accuracy and integrity of
furnished information (12 CFR 1022.42) and Interagency Guidelines (Appendix E)

Each furnisher must establish and implement reasonable written policies and procedures
regarding the accuracy and integrity of consumer information that it furnishes to a consumer
reporting agency. The policies and procedures must be appropriate to the nature, size,
complexity, and scope of each furnisher’s activities. In developing its policies and procedures, a
furnisher must consider the Interagency Guidelines and may include its existing policies and
procedures that are relevant and appropriate. Each furnisher must also review its policies and
procedures periodically and update them as necessary to ensure their continued effectiveness.
The guideline’s recommendations include the following:
1. using standard data reporting formats and standard procedures for compiling and
furnishing data, where feasible, such as electronic transmission of information about
consumers to consumer reporting agencies;
2. maintaining records for a reasonable period of time, not less than any applicable
recordkeeping requirement, in order to substantiate the accuracy of any information
furnished about consumers to consumer reporting agencies that is subject to a direct
disputer; and
3. training staff that participates in activities related to the furnishing of information
about consumers to consumer reporting agencies.

CFPB Manual V.2 (October 2012) FCRA 54


CFPB Consumer
Laws and Regulations FCRA
Voluntary closures of accounts – Section 623(a)(4);
15 U.S.C. 1681s-2(a)(4)

This section requires a person, including a financial institution, who regularly and in the ordinary
course of business furnishes information to a consumer reporting agency regarding one of its
consumer credit accountholders, to notify the consumer reporting agency of the consumer’s
voluntary account closure. This notice is to be furnished to the consumer reporting agency as part
of the regularly furnished information for the period in which the account is closed.
Notice involving delinquent accounts – Section 623(a)(5);
15 U.S.C. 1681s-2(a)(5)

This section requires that a person, including a financial institution, that furnishes information to
a consumer reporting agency about a delinquent account placed for collection, charged off, or
subjected to any similar action, must, not later than 90 days after furnishing the information to
the consumer reporting agency, notify the consumer reporting agency of the month and year of
the commencement of the delinquency that immediately preceded the action.
Duties upon notice of dispute from a consumer reporting agency –
Section 623(b); 15 U.S.C. 1681s-2(b)

This section requires that whenever a person, such as a financial institution, receives a notice of
dispute from a consumer reporting agency regarding the accuracy or completeness of any
information the person provided to a consumer reporting agency pursuant to Section 611
(Procedure in Case of Disputed Accuracy), that person must, pursuant to Section 623(b):
1. conduct an investigation regarding the disputed information;
2. review all relevant information the consumer reporting agency provided along with
the notice;
3. report the results of the investigation to the consumer reporting agency;
4. if the investigation finds the information is incomplete or inaccurate, report those
results to all nationwide consumer reporting agencies to which the financial
institution previously provided the information; and
5. if the disputed information is incomplete, inaccurate, or not verifiable by the person,
it must promptly, for purposes of reporting to the consumer reporting agency do one
of the following:
a. modify the item of information.
b. delete the item of information.
c. permanently block the reporting of that item of information.

CFPB Manual V.2 (October 2012) FCRA 55


CFPB Consumer
Laws and Regulations FCRA
The person must complete the required investigations, reviews, and reports within 30 days. The
person may extend the time period for 15 days if a consumer reporting agency receives
additional relevant information from the consumer.
Duties upon notice of dispute from a consumer (direct disputes) –
Section 623(a)(8); 15 U.S.C. 1681s-2(a)(8); 12 CFR 1022.43

General rule. A furnisher must conduct a reasonable investigation of a direct dispute (unless
exceptions, described later, apply) if the dispute relates to:
1. the consumer’s liability for a credit account or other debt with the furnisher, such as
direct disputes relating to whether there is or has been identity theft or fraud against
the consumer, whether there is individual or joint liability on an account, or whether
the consumer is an authorized user of a credit account;
2. the terms of a credit account or other debt with the furnisher, such as, direct disputes
relating to the type of account, principal balance, scheduled payment amount on an
account, or the amount of the credit limit on an open-end account;
3. the consumer’s performance or other conduct concerning an account or other
relationship with the furnisher such as, direct disputes relating to the current payment
status, high balance, payment date, the payment amount, or the date an account was
opened or closed; or
4. any other information contained in a consumer report regarding an account or other
relationship with the furnisher that bears on the consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation, personal characteristics, or
mode of living.
Exceptions. The direct dispute requirements do not apply to a furnisher if the direct dispute
relates to:
1. the consumer’s identifying information such as name(s), date of birth, Social Security
number, telephone number(s), or address(es);
2. the identity of past or present employers;
3. inquiries or requests for a consumer report;
4. information derived from public records, such as judgments, bankruptcies, liens, and
other legal matters (unless the information was provided by a furnisher with an
account or other relationship with the consumer);
5. information related to fraud alerts or active duty alerts; or
6. information provided to a consumer reporting agency by another furnisher.

CFPB Manual V.2 (October 2012) FCRA 56


CFPB Consumer
Laws and Regulations FCRA
The direct dispute requirements also do not apply if the furnisher has a reasonable belief that the
direct dispute is:
1. submitted by a credit repair organization;
2. is prepared on behalf of the consumer by a credit repair organization; or
3. is submitted on a form supplied to the consumer by a credit repair organization.
Direct Dispute Address. A furnisher is required to investigate a direct dispute only if a consumer
submits a dispute notice to the furnisher at:
1. the address provided by a furnisher and listed on a consumer report relating to the
consumer;
2. an address clearly and conspicuously specified by the furnisher that is provided to the
consumer in writing or electronically (if the consumer has agreed to the electronic
delivery of information from the furnisher); or
3. any business address of the furnisher if the furnisher has not provided a specific
address for submitting direct disputes.
Direct Dispute Notice Contents. A dispute notice from a consumer must include:
1. sufficient information to identify the account or other relationship that is in dispute,
such as an account number and the name, address, and telephone number of the
consumer;
2. the specific information that the consumer is disputing and an explanation of the basis
for the dispute; and
3. all supporting documentation or other information reasonably required by the
furnisher to substantiate the basis of the dispute. This documentation may include, for
example, a copy of the relevant portion of the consumer report that contains the
allegedly inaccurate information; a police report; a fraud or identity theft affidavit; a
court order; or account statements.
Duties of a Furnisher after Receiving a Direct Dispute Notice from a Consumer. After receiving
a dispute notice from a consumer, the furnisher must:
1. conduct a reasonable investigation with respect to the disputed information;
2. review all relevant information provided by the consumer with the dispute notice;
3. complete its investigation of the dispute and report the results of the investigation to
the consumer before the expiration of the period under Section 611(a)(1) of the
FCRA (15 U.S.C. 1681i(a)(1)) within which a consumer reporting agency would be

CFPB Manual V.2 (October 2012) FCRA 57


CFPB Consumer
Laws and Regulations FCRA
required to complete its action if the consumer had elected to dispute the information
under that section; and
4. if the investigation finds that the information reported was inaccurate, promptly notify
each consumer reporting agency to which the furnisher provided inaccurate
information of investigation findings and provide to the consumer reporting agency
any correction to that information that is necessary to make the information provided
by the furnisher accurate.
Frivolous or Irrelevant Disputes. A furnisher is not required to investigate a direct dispute if the
furnisher has reasonably determined that the dispute is frivolous or irrelevant. A dispute qualifies
as frivolous or irrelevant if:
1. the consumer did not provide sufficient information to investigate the disputed
information;
2. the direct dispute is substantially the same as a dispute previously submitted by or on
behalf of the consumer and the dispute is one with respect to which the furnisher has
already complied with the statutory or regulatory requirements. However, a direct
dispute would not be “substantially the same” as the one previously submitted if the
dispute includes new information required by the regulation to be provided to the
furnisher, but that had not previously been provided to the furnisher; or
3. the furnisher is not required to investigate the direct dispute because one or more of
the exceptions listed in 12 CFR 1022.43(b) applies.
Upon making a determination that a dispute is frivolous or irrelevant, the furnisher must notify
the consumer of the determination not later than five business days after making the
determination, by mail or, if authorized by the consumer for that purpose, by any other means
available to the furnisher. The furnisher’s notice that a dispute is frivolous or irrelevant must
include the reasons for such determination and identify any information required to investigate
the disputed information. The notice may consist of a standardized form describing the general
nature of such information.
Prevention of Re-Pollution of Consumer Reports – Section 623(a)(6);
15 U.S.C. 1681s-2(a)(6)

Section 623(a) has specific requirements for furnishers of information, including financial
institutions, to a consumer reporting agency that received notice from a consumer reporting
agency that furnished information may be fraudulent as a result of identity theft. Section 605B,
Block of Information Resulting From Identity Theft, requires consumer reporting agencies to
notify furnishers of information, including financial institutions, that the information may be the
result of identity theft, an identity theft report has been filed, and that a block has been requested.
Upon receiving such notice, Section 623(a)(6) requires furnishers to establish and follow
reasonable procedures to ensure that it does not re-report this information to the consumer
reporting agency, thus “re-polluting” the victim’s consumer report.

CFPB Manual V.2 (October 2012) FCRA 58


CFPB Consumer
Laws and Regulations FCRA
Section 615(f), Prohibition on Sale or Transfer of Debt Caused by Identity Theft, also prohibits a
furnisher from selling or transferring debt caused by an alleged identity theft.
Negative Information Notice – Section 623(a)(7); 15 U.S.C. 1681s-2(a)(7);
12 CFR 1022.1(b)(2)(ii)

Section 623(a)(7) requires a financial institution to provide consumers with a notice either before
it provides negative information to a nationwide consumer reporting agency, or within 30 days
after reporting the negative information.
Institutions may provide this disclosure on or with any notice of default, any billing statement, or
any other materials provided to the customer, as long as the notice is clear and conspicuous.
Institutions may also choose to provide this notice to all customers as an abundance of caution.
However, financial institutions may not include this notice in the initial disclosures provided
under Section 127(a) of the Truth in Lending Act.
Key Definitions

Negative information. For these purposes, “negative information” means any information
concerning a customer’s delinquencies, late payments, insolvency, or any form of default.
Nationwide consumer reporting agency. Section 603(p) of the FCRA defines a “nationwide
consumer reporting agency” as a:
consumer reporting agency that compiles and maintains files on consumers on a
nationwide basis.
It defines this type of consumer reporting agency as one that regularly assembles or evaluates,
and maintains, each of the following regarding consumers residing nationwide for the purpose of
furnishing consumer reports to third parties bearing on a consumer’s creditworthiness, credit
standing, or credit capacity:
1. public record information.
2. credit account information from persons who furnish that information regularly and in
the ordinary course of business.

CFPB Manual V.2 (October 2012) FCRA 59


CFPB Consumer
Laws and Regulations FCRA
Model text

Institutions may use the following model text to comply with these requirements. The first model
contains text an institution can use when it provides a notice before furnishing negative
information. The second model form contains text to use when an institution provides notice
within 30 days after reporting negative information:

• Notice prior to communicating negative information (Model B-1):


“We may report information about your account to credit bureaus. Late payments,
missed payments, or other defaults on your account may be reflected in your credit
report.”

• Notice within 30 days after communicating negative information (Model B-2):


“We have told a credit bureau about a late payment, missed payment, or other default on
your account. This information may be reflected in your credit report.”
Use of the model form(s) is not required; however, proper use of the model forms provides a
financial institution with a safe harbor from liability. A financial institution may make certain
changes to the language or format of the model notices without losing the safe harbor from
liability provided by the model notices. The changes to the model notices may not be so
extensive as to affect the substance, clarity, or meaningful sequence of the language in the model
notices. A financial institution making extensive revisions will lose the safe harbor from liability
that the model notices provide. Acceptable changes include:
1. rearranging the order of the references to “late payment(s),” or “missed payment(s).”
2. pluralizing the terms “credit bureau,” “credit report,” and “account.”
3. specifying the particular type of account on which it may furnish information, such as
“credit card account.”
4. rearranging in Model Notice B-1 the phrases “information about your account” and
“to credit bureaus” such that it would read, “We may report to credit bureaus
information about your account.”

CFPB Manual V.2 (October 2012) FCRA 60


CFPB Consumer
Laws and Regulations FCRA
Module 5 – Consumer Alerts and Identity Theft Protections
Overview

The FCRA contains several provisions for both consumer reporting agencies and users of
consumer reports, including financial institutions, that are designed to help combat identity theft.
This module applies to persons that are not consumer reporting agencies, but are users of
consumer reports.
Two primary requirements exist for users of consumer reports: first, a user of a consumer report
that contains a fraud or active duty alert must take steps to verify the identity of an individual to
whom the consumer report relates, and second, a person must disclose certain information when
consumers allege that they are the victims of identity theft.
Fraud and Active Duty Alerts – Section 605A(h); 15 U.S.C. 1681c-1(h)

Initial Fraud and Active Duty Alerts

Consumers who suspect that they may be the victims of fraud including identity theft may
request nationwide consumer reporting agencies to place initial fraud alerts in their consumer
reports. These alerts must remain in a consumer’s report for no less than 90 days. In addition,
members of the armed services who are called to active duty may also request that active duty
alerts be placed in their consumer reports. Active duty alerts must remain in these service
members’ files for no less than 12 months.
Section 605A(h)(1)(B), Limitations on Use of Information for Credit Extensions, requires users
of consumer reports, including financial institutions, to verify a consumer’s identity if a
consumer report includes a fraud or active duty alert. Unless the user of the consumer report uses
reasonable policies and procedures to form a reasonable belief that it knows the identity of the
person making the request, the user may not:
1. establish a new credit plan or extension credit (other than under an open-end credit
plan) in the name of the consumer;
2. issue an additional card on an existing account; or
3. increase a credit limit.
Extended Alerts

Consumers who allege that they are the victim of an identity theft may also place an extended
alert, which lasts seven years, on their consumer report. Extended alerts require consumers to
submit identity theft reports and appropriate proof of identity to the nationwide consumer
reporting agencies.
Section 605A(h)(2)(B), Limitation on Users, requires a user that obtains a consumer report that
contains an extended alert to contact the consumer in person or by the method the consumer lists
in the alert prior to performing any of the three actions listed above.

CFPB Manual V.2 (October 2012) FCRA 61


CFPB Consumer
Laws and Regulations FCRA
Information Available to Victims – Section 609(e); 15 U.S.C. 1681g(e)

Section 609(e) requires a person, such as a financial institution, to provide records of fraudulent
transactions to victims of identity theft within 30 days after the receipt of a request for the
records. These records include the application and business transaction records under the control
of the person whether maintained by the person itself or another person on behalf of the
institution (such as a service provider).
The person should provide this information to any of the following:
1. the victim;
2. any federal, state, or local government law enforcement agency or officer specified by
the victim in the request; or
3. any law enforcement agency investigating the identity theft that was authorized by the
victim to take receipt of these records.
The victim must make the request for the records in writing and send it to the person at the
address specified by the person for this purpose. The person may ask the victim to provide
information, if known, regarding the date of the transaction or application, and any other
identifying information such as an account or transaction number.
Unless the person has a high degree of confidence that it knows the identity of the victim making
the request for information, the person must take prudent steps to positively identify the person
before disclosing any information. Proof of identity can include any of the following:
1. a government-issued identification card;
2. personally identifying information of the same type that was provided to the person
by the unauthorized person; or
3. personally identifying information that the person typically requests from new
applicants or for new transactions.
At the election of the person, the victim must also provide the person with proof of an identity
theft complaint, which may consist of a copy of a police report evidencing the claim of identity
theft and a copy of a properly completed affidavit. The CFPB’s Identity Theft Affidavit is
available on the CFPB’s website (consumerfinance.gov/learnmore). The version of this form
developed by the FTC and available on the FTC’s Website (ftc.gov/idtheft) remains valid and
sufficient for this purpose (12 CFR 1022.3(i)(3)(ii)).

CFPB Manual V.2 (October 2012) FCRA 62


CFPB Consumer
Laws and Regulations FCRA
When these conditions are met, the person must provide the information at no charge to the
victim. However, the person is not required to provide any information if, acting in good faith,
the person determines any of the following:
1. section 609(e) does not require disclosure of the information;
2. the person does not have a high degree of confidence in knowing the true identity of
the requestor, based on the identification and/or proof provided;
3. the request for information is based on a misrepresentation of fact by the requestor; or
4. the information requested is Internet navigational data or similar information about a
person’s visit to a website or online service.
Duties Regarding the Detection, Prevention, and Mitigation of Identity
Theft – Section 615(e); 15 U.S.C. 1681m(e)

Section 615(e) requires the federal banking agencies and the NCUA (the Agencies) as well as the
FTC to prescribe regulations and guidelines for entities under their enforcement authority
regarding the detection, prevention, and mitigation of identity theft. On November 9, 2007, the
Agencies published final rules and guidelines in the Federal Register implementing this section
(72 FR 63718). The Agencies also have issued examination procedures for the implementing
regulations. CFPB examiners are not expected to examine for compliance with Section 615(e)).
If CFPB examiners become aware of potential issues in this area, the appropriate federal
regulator should be notified.
Duties of Card Issuers Regarding Changes of Address – Section 615(e);
15 U.S.C. 1681m(e)

Section 615(e)(1)(C) requires the Agencies and the FTC to prescribe regulations for debit and
credit card issuers regarding the assessment of the validity of address changes for existing
accounts. On November 9, 2007, the Agencies and the FTC published final rules in the Federal
Register implementing this section (72 FR 63718). The regulations require card issuers to have
procedures to assess the validity of an address change if the card issuer receives a notice of
change of address for an existing account, and within a short period of time (during at least the
first 30 days), receives a request for an additional or replacement card for the same account. The
Agencies also have issued examination procedures for the implementing regulations. CFPB
examiners are not expected to examine for compliance with Section 615(e)). If CFPB examiners
become aware of potential issues in this area, the appropriate federal regulator should be notified.
Disposal of Consumer Information – Section 628; 15 U.S.C. 1681w

Section 628 requires the federal banking agencies to prescribe regulations for entities under their
enforcement authority regarding the proper disposal of consumer information. On December 28,
2004, the federal banking agencies published final rules and guidelines in the Federal Register
implementing this section (69 FR 77610). The agencies also have issued examination procedures
for the implementing regulations. CFPB examiners are not expected to examine for compliance

CFPB Manual V.2 (October 2012) FCRA 63


CFPB Consumer
Laws and Regulations FCRA
with Section 628. If CFPB examiners become aware of potential issues in this area, the
appropriate federal regulator should be notified.

REFERENCES
Laws
15 U.S.C. 1681 et seq. Fair Credit Reporting Act
Regulations
Consumer Financial Protection Bureau Regulation (12 CFR)

Part 1022 Fair Credit Reporting (Regulation V)

CFPB Manual V.2 (October 2012) FCRA 64


CFPB
Examination Procedures FCRA

Fair Credit Reporting Act


Examination Objectives 1 2
• To determine the covered entity’s compliance with the Fair Credit Reporting Act (FCRA)
and implementing regulations.

• To assess the quality of the covered entity’s compliance risk management system to ensure
compliance with the FCRA, as amended.

• To determine the reliance that can be placed on the covered entity’s internal controls and
procedures for monitoring the entity’s compliance with the FCRA.

• To direct corrective action when violations of law are identified, or when the covered entity’s
policies or internal controls are deficient.

Initial Examination Procedures


The initial examination procedures are designed to acquaint examiners with the operations and
processes of the entity being examined. They focus on the entity’s systems, controls, policies,
and procedures, including audits and previous examination findings.
The applicability of the various sections of the FCRA and the implementing regulations depends
on an entity’s unique operations. The functional examination requirements are presented
topically in modules 1 through 5.
Initially, examiners should:
1. Through discussions with management and review of available information, determine if the
entity’s internal controls are adequate to ensure compliance in the FCRA area under review.
Consider the following:
a. organization charts;
b. process flowcharts;
c. policies and procedures;
d. loan documentation;
e. checklists;

1
These reflect FFIEC-approved procedures.
2
These procedures do not currently contain a module on the requirements for consumer reporting agencies.

CFPB Manual V.2 (October 2012) Procedures 1


CFPB
Examination Procedures FCRA
f. computer program documentation (for example, records illustrating the fields and types
of data reported to consumer reporting agencies; automated records tracking customer
opt-outs for FCRA affiliate information sharing; etc.).
2. Review any compliance audit material, including workpapers and reports, to determine
whether:
a. the scope of the audit addresses all provisions as applicable;
b. corrective actions were taken to follow up on previously identified deficiencies;
c. the testing includes samples covering all product types and decision centers;
d. the work performed is accurate;
e. significant deficiencies and their causes are included in reports to management and/or to
the board of directors; and
f. the frequency of review is appropriate.
3. Review the entity’s training materials to determine whether:
a. appropriate training is provided to individuals responsible for FCRA compliance and
operational procedures; and
b. the training is comprehensive and covers the various aspects of the FCRA that apply to
the individual entity’s operations.
4. Through discussions with management, determine which portions of the examination
modules will apply.
5. Complete appropriate examination modules; document and form conclusions regarding the
quality of the entity’s compliance management systems and compliance with FCRA.

CFPB Manual V.2 (October 2012) Procedures 2


CFPB
Examination Procedures FCRA
Module 1 – Obtaining Consumer Reports
Permissible Purposes of Consumer Reports – Section 604; 15 U.S.C. 1681b
Investigative Consumer Reports – Section 606; 15 U.S.C. 1681d

1. Determine whether the entity obtains consumer reports.


2. Determine whether the entity obtains prescreened consumer reports and/or reports for
employment purposes. If so, complete the appropriate sections of Module 3.
3. Determine whether the entity procures or causes an investigative consumer report to be
prepared. If so, ensure that the appropriate disclosure is given to the consumer within the
required time period. In addition, ensure that the entity certified compliance with the
disclosure requirements to the consumer reporting agency.
4. Ensure that the entity obtains consumer reports only for permissible purposes. Confirm that
the entity certifies to the consumer reporting agency the purposes for which it will obtain
reports. (The certification is usually contained in an entity’s contract with the consumer
reporting agency.)
5. If procedural weaknesses are noted or other risks requiring further investigation are noted,
such as the receipt of several consumer complaints, review a sample of consumer reports
obtained from a consumer reporting agency and determine whether the entity had permissible
purposes to obtain the reports. For example,

• obtain a copy of a billing statement or other list of consumer reports obtained by the
entity from the consumer reporting agency for a period of time; and

• compare this list, or a sample from this list to the entity’s records to ensure that there is a
permissible purpose for the report(s) obtained. This could include any permissible
purpose, such as the consumer applied for credit, insurance, or employment, etc. The
entity may also obtain a report in connection with the review of an existing account.

CFPB Manual V.2 (October 2012) Procedures 3


CFPB
Examination Procedures FCRA
Module 2 – Obtaining Information and
Sharing Among Affiliates
Consumer Report and Information Sharing – Section 603(d);
15 U.S.C. 1681a(d)

1. Review the entity’s policies, procedures, and practices concerning the sharing of consumer
information with third parties, including both affiliated and nonaffiliated third parties.
Determine the type of information shared and with whom the information is shared. (This
portion of the examination process may overlap with a review of the entity’s compliance with
the Privacy of Consumer Financial Information Regulations that implement the Gramm-
Leach-Bliley Act (GLBA).
2. Determine whether the entity’s information sharing practices fall within the exceptions to the
definition of a consumer report. If they do not, the entity could be considered a consumer
reporting agency and subject to the FCRA requirements for consumer reporting agencies.
3. If the entity shares information other than transaction and experience information with
affiliates subject to opt-out provisions, determine whether the entity’s GLBA privacy notice
contains tinformation regarding how to opt out, as required by the Privacy of Consumer
Financial Information regulations.
4. If procedural weaknesses or other risks requiring further investigation are noted, obtain a
sample of opt-out rights exercised by consumers and determine if the entity honored the opt-
out requests by not sharing “other information” about the consumers with the entity’s
affiliates subsequent to receiving a consumer’s opt-out direction.
Protection of Medical Information – Section 604(g); 15 U.S.C. 1681b(g);
12 CFR 1022, Subpart D

1. Review the entity’s policies, procedures, and practices concerning the collection and use of
consumer medical information in connection with any determination of the consumer’s
eligibility, or continued eligibility for credit.
2. If the entity’s policies, procedures, and practices allow for obtaining and using consumer
medical information in the context of a credit transaction, determine whether there are
adequate controls in place to ensure that the information is only used subject to the financial
information exception in the rules, or under a specific exception within the rules.
3. If procedural weaknesses or other risks requiring further investigation are noted, obtain
samples of credit transactions to determine whether the use of medical information pertaining
to a consumer was done strictly under the financial information exception or the specific
exceptions under the regulation.
4. Determine whether the entity has adequate policies and procedures in place to limit the
redisclosure of consumer medical information that was received from a consumer reporting
agency or an affiliate.

CFPB Manual V.2 (October 2012) Procedures 4


CFPB
Examination Procedures FCRA
5. Determine whether the entity shares medical information about a consumer with affiliates. If it
does, determine whether the sharing occurred in accordance with an exception in the rules that
enables the entity to share the information without becoming a consumer reporting agency.
Affiliate Marketing Opt Out – Section 624; 15 U.S.C. 1681s-3;
12 CFR 1022 Subpart C

1. Determine whether the entity receives consumer eligibility information from an affiliate. Stop
here if it does not because Subpart C of 12 CFR 1022 does not apply.
2. Determine whether the entity uses consumer eligibility information received from an affiliate
to make a solicitation for marketing purposes that is subject to the notice and opt-out
requirements. If it does not, stop here.
3. Evaluate the entity’s policies, procedures, practices and internal controls to ensure that,
where applicable, the consumer is provided with an appropriate notice, a reasonable
opportunity, and a reasonable and simple method to opt out of the entity’s using eligibility
information to make solicitations for marketing purposes to the consumer, and that the entity
is honoring the consumer’s opt-outs.
4. If compliance risk management weaknesses or other risks requiring further investigation are
noted, obtain and review a sample of notices to ensure technical compliance and a sample of
opt-out requests from consumers to determine if the entity is honoring the opt-out requests.
a. Determine whether the opt-out notices are clear, conspicuous, and concise and contain
the required information, including the name of the affiliate(s) providing the notice, a
general description of the types of eligibility information that may be used to make
solicitations to the consumer, and the duration of the opt out (12 CFR 1022.23(a)).
b. Review opt-out notices that are coordinated and consolidated with any other notice or
disclosure that is required under other provisions of law for compliance with the affiliate
marketing regulation (12 CFR 1022.23(b)).
c. Determine whether the opt-out notices and renewal notices provide the consumer a
reasonable opportunity to opt out and a reasonable and simple method to opt out (12 CFR
1022.24 and .25).
d. Determine whether the opt-out notice and renewal notice are provided (by mail, delivery
or electronically) so that a consumer can reasonably be expected to receive that actual
notice (12 CFR 1022.26).
e. Determine whether, after an opt-out period expires, an entity provides a consumer a
renewal notice prior to making solicitations based on eligibility information received
from an affiliate (12 CFR 1022.27).

CFPB Manual V.2 (October 2012) Procedures 5


CFPB
Examination Procedures FCRA
Module 3 – Disclosures to Consumers and Miscellaneous
Requirements
Use of Consumer Reports for Employment Purposes – Section 604(b);
15 U.S.C. 1681b(b)

1. Determine if the entity obtains consumer reports on current or prospective employees.


2. Assess the entity’s policies and procedures to determine if appropriate disclosures are
provided to current and prospective employees when an entity obtains consumer reports for
employment purposes, including situations where the entity takes adverse actions based on
consumer report information.
3. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of the disclosures to determine if they are accurate and in compliance with the
technical FCRA requirements.
Prescreened Consumer Reports and Opt-Out Notice –
Sections 604(c) and 615(d); 15 U.S.C. 1681b(c) and 15 U.S.C. 1681m(d)
12 CFR 1022.54

1. Determine whether the entity obtained and used prescreened consumer reports in connection
with offers of credit and/or insurance.
2. Evaluate the entity’s policies and procedures to determine if a list of the criteria used for
prescreened offers, including all post-application criteria, is maintained in the entity’s files
and the criteria are applied consistently when consumers respond to the offers.
3. Determine if written solicitations contain the required disclosures of the consumers’ right to
opt-out of prescreened solicitations and comply with all requirements applicable at the time
of the offer.
4. If procedural weaknesses or other risks requiring further investigation are noted, obtain and
review a sample of approved and denied responses to the offers to ensure that criteria were
appropriately followed.
Truncation of Credit and Debit Card Account Numbers – Sections 605(g);
15 U.S.C. 1681c(g)

1. Determine whether the entity’s policies and procedures ensure that electronically generated
receipts from automated teller machines and point-of-sale terminals or other machines do not
contain more than the last five digits of the card number and do not contain the expiration dates.
2. If procedural weaknesses or other risks requiring further investigation are noted, review
samples of actual receipts to ensure compliance.

CFPB Manual V.2 (October 2012) Procedures 6


CFPB
Examination Procedures FCRA
Disclosure of Credit Scores by Certain Mortgage Lenders – Sections 609(g);
15 U.S.C. 1681g(g)

1. Determine if the entity uses credit scores in connection with applications for closed-end or
open-end loans secured by one- to four-family residential real property.
2. Evaluate the entity’s policies and procedures to determine whether accurate disclosures are
provided to applicants as soon as is reasonably practicable after using credit scores.
3. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of disclosures given to home loan applicants to determine technical compliance with
the requirements.
Adverse Action Disclosures – Sections 615(a) and (b);
15 U.S.C. 1681m(a) and (b)

1. Determine whether the policies and procedures adequately ensure that the creditor or other
person provides the appropriate disclosures, including the consumer’s credit score as
appropriate, when it takes adverse action against consumers based in whole or in part on
information contained in a consumer report or specified information received from third
parties, including affiliates.
2. Review the policies and procedures of the creditor or other person for responding to requests
for information in response to these adverse action notices.
3. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of adverse action notices to determine if they are accurate and in technical
compliance.
Debt Collector Communications Concerning Identity Theft –
Sections 615(g); 15 U.S.C. 1681m(g)

1. Determine whether the entity collects debts for third parties.


2. Determine whether the entity has policies and procedures to ensure that the third parties are
notified if the entity obtains any information that may indicate that the debt in question is the
result of fraud or identity theft.
3. Determine if the entity has effective policies and procedures for providing information to
consumers to whom the fraudulent debts relate.
4. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of instances where consumers have alleged identity theft and requested information
related to transactions to determine if all of the appropriate information was provided to the
consumer.

CFPB Manual V.2 (October 2012) Procedures 7


CFPB
Examination Procedures FCRA
Risk-Based Pricing Notice – Section 615(h); 15 U.S.C. 1681m(h);
12 CFR 1022, Subpart H

1. Determine whether the creditor (or other person) uses consumer report information in
consumer credit decisions.
If yes, determine whether the creditor uses such information to provide credit on terms that
are “materially less favorable” than the most favorable material terms available to a
substantial proportion of its consumers. Relevant factors in determining the significance of
differences in the cost of credit include the type of credit product, the term of the credit
extension, and the extent of the difference.
If “yes,” the creditor is subject to the risk-based pricing regulations.
2. Determine the method the creditor uses to identify consumers who must receive a risk-based
pricing notice and whether the method complies with the regulation (12 CFR 1022.72(b)).
a. For creditors that use the direct comparison method (12 CFR 1022.72(b)), determine
whether the creditor directly compares the material terms offered to each consumer and
the material terms offer to other consumers for a specific type of credit product.
b. For creditors that use the credit score proxy method (12 CFR 1022.72(b)(1)):
i. determine whether the creditor calculates the cutoff score by considering the credit
scores of all, or a representative sample, of consumers who have received credit for
a specific type of credit product;
ii. determine whether the creditor recalculates the cutoff score no less than every two
years;
iii. for new entrants into the credit business, for new products subject to risk-based
pricing, or for acquired credit portfolios, determine whether the creditor
recalculates the cutoff scores within time periods specified in the regulation;
iv. for creditors using more than one credit score to set material terms, determine
whether the creditor establishes a cutoff score according to the methods specified
in the regulation; and
v. if no credit score is available for a consumer, determine whether the creditor
provides the consumer a risk-based pricing notice.
c. For creditors that use the tiered pricing method (12 CFR 1022.72(b)(2)):
i. when four or fewer pricing tiers are used, determine if the creditor sends risk-based
pricing notices to consumers who do not qualify for the top, best-priced tier; or
ii. when five or more pricing tiers are used, determine if the creditor provides risk-based
pricing notices to consumers who do not qualify for the two top, best-priced tiers and

CFPB Manual V.2 (October 2012) Procedures 8


CFPB
Examination Procedures FCRA
any other tier that, combined with the top two tiers, equal no less than the top 30
percent and no more than the top 40 percent of the total number of tiers.
d. For credit card issuers:
i. Determine whether the card issuer uses the direct comparison method, the credit
score proxy method, or the tiered pricing method to identify consumers to whom it
must provide a risk-based pricing notice.
ii. If the creditor does not use the direct comparison method, the credit score proxy
method, or the tiered pricing method, determine whether the card issuer uses the
following method as permitted by 12 CFR 1022.72(c) to identify consumers to
whom it must provide a risk-based pricing notice:
a) a consumer applies for a credit card either in connection with an application
program, such as a direct-mail offer or a take-one application, or in response
to a solicitation under 12 CFR 1026.60, and more than a single possible
purchase annual percentage rate (APR) may apply under the program or
solicitation; and
b) based in whole or in part on a consumer report, the credit card issuer provides
a credit card to the consumer with a purchase APR that is greater than the
lowest purchase APR available in connection with the application or
solicitation.
iii. Determine whether the card issuer provides a risk-based pricing notice to each
consumer that is provided a credit card with a purchase APR greater than the
lowest purchase APR available under the program or solicitation.
3. Determine whether the creditor provides a risk-based pricing notice to a consumer (12 CFR
1022.72(a)). For creditors that provide the notice, proceed to step #4. If the creditor does not
provide a risk-based pricing notice, proceed to step #5 to determine whether an exception
applies (12 CFR 1022.74).
4. Determine whether the risk based pricing notice contains (12 CFR 1022.73(a)(1)):
a. a statement that a consumer report (or credit report) includes information about the
consumer’s credit history and the type of information included in that history;
b. a statement that the terms offered, such as the APR, have been set based on information
from a consumer report;
c. statement that the terms offered may be less favorable than the terms offered to
consumers with better credit histories;
d. a statement that the consumer is encouraged to verify the accuracy of the information
contained in the consumer report and has the right to dispute any inaccurate information
in the report;

CFPB Manual V.2 (October 2012) Procedures 9


CFPB
Examination Procedures FCRA
e. the identity of each consumer reporting agency that furnished a consumer report used in
the credit decision;
f. a statement that federal law gives the consumer the right to obtain a copy of a consumer
report from the consumer reporting agency or agencies identified in the notice without
charge for 60 days after receipt of the notice;
g. a statement informing the consumer how to obtain a consumer report from the consumer
reporting agency or agencies identified in the notice and providing contact information
(including a toll-free telephone number, where applicable) specified by the consumer
reporting agency or agencies;
h. a statement directing consumers to the website of the Consumer Financial Protection
Bureau (CFPB) to obtain more information about consumer reports; and
i. if a credit score of the consumer to whom a person grants, extends, or otherwise provides
credit is used in setting the material terms of credit:
i. a statement that a credit score is a number that takes into account information in a
consumer report, that the consumer's credit score was used to set the terms of
credit offered, and that a credit score can change over time to reflect changes in
the consumer's credit history;
ii. the credit score used by the person in making the credit decision;
iii. the range of possible credit scores under the model used to generate the credit
score;
iv. all of the key factors that adversely affected the credit score, which shall not
exceed four key factors, except that if one of the key factors is the number of
enquiries made with respect to the consumer report, the number of key factors
shall not exceed five;
v. the date on which the credit score was created; and
vi. the name of the consumer reporting agency or other person that provided the
credit score.
Proceed to step #10.
5. If the creditor does not provide a risk-based pricing notice, determine if one of the following
situations that qualify for a regulatory exception applies (12 CFR 1022.74(a)-(f)):
a. a consumer applies for specific terms of credit, and receives them, unless those terms
were specified by the creditor using a consumer report after the consumer applied for the
credit and after the creditor obtained the consumer report;
b. a creditor provides a notice of adverse action;

CFPB Manual V.2 (October 2012) Procedures 10


CFPB
Examination Procedures FCRA
c. a creditor makes a firm offer of credit in a prescreened solicitation (even if the person
makes other firm offers of credit to other consumers on more favorable material terms);
d. a creditor generally provides a credit score disclosure to each consumer that requests a
loan that is or will be secured by residential real property (if so, proceed to step #6);
e. a creditor generally provides a credit score disclosure to each consumer that requests a loan
that is not or will not be secured by residential real property (if so, proceed to step #7); or
f. a creditor, which otherwise provides credit score disclosures to consumers that request
loans, provides a disclosure for when no credit score is available (if so, proceed to step #8).
6. For creditors that choose to provide a credit score disclosure to consumers that request a loan
that is or will be secured by residential real property, determine whether the 12 CFR
1022.74(d) notice generally is provided to each consumer that requests such an extension of
credit and that each notice contains:
a. a statement that a consumer report (or credit report) is a record of the consumer’s credit
history and includes information about whether the consumer pays his or her obligations
on time and how much the consumer owes to creditors;
b. a statement that a credit score is a number that takes into account information in a
consumer report and that a credit score can change over time to reflect changes in the
consumer’s credit history;
c. a statement that the consumer’s credit score can affect whether the consumer can obtain
credit and what the cost of that credit will be;
d. a statement that the consumer is encouraged to verify the accuracy of the information
contained in the consumer report and has the right to dispute any inaccurate information
in the report;
e. a statement that federal law gives the consumer the right to obtain copies of his or her
consumer reports directly from the consumer reporting agencies, including a free report
from each of the nationwide consumer reporting agencies once during any 12-month
period;
f. contact information for the centralized source from which consumers may obtain their
free annual consumer reports;
g. a statement directing consumers to the website of the CFPB to obtain more information
about consumer reports;
h. the information required to be disclosed to the consumer in Section 609(g) of the FCRA,
and as described in Module 3 of these examination procedures, under “Disclosure of
Credit Scores by Certain Mortgage Lenders (FCRA), Section 609(g)”; and

CFPB Manual V.2 (October 2012) Procedures 11


CFPB
Examination Procedures FCRA
i. the distribution of credit scores among consumers who are scored under the same scoring
model that is used to generate the consumer’s credit score. The distribution must:
i. use the same scale as that of the credit score provided to the consumer; and
ii. be presented:
a) in the form of a bar graph containing a minimum of six bars that illustrates the
percentage of consumers with credit scores within the range of scores reflected
in each bar;
b) by other clear and readily understandable graphical means; or
c) in a clear and readily understandable statement informing the consumer how his
or her credit score compares to the scores of other consumers.
The presentation may use a graph or statement obtained from the entity providing the
credit score if it meets these requirements.
7. For creditors that choose to provide a credit score disclosure to consumers that request a loan
that is not or will not be secured by residential real property, determine whether the 12 CFR
1022.74(e) notice generally is provided to each consumer that requests such an extension of
credit and that each notice contains:
a. a statement that a consumer report (or credit report) is a record of the consumer’s credit
history and includes information about whether the consumer pays his or her obligations
on time and how much the consumer owes to creditors;
b. a statement that a credit score is a number that takes into account information in a
consumer report and that a credit score can change over time to reflect changes in the
consumer’s credit history;
c. a statement that the consumer’s credit score can affect whether the consumer can obtain
credit and what the cost of that credit will be;
d. a statement that the consumer is encouraged to verify the accuracy of the information
contained in the consumer report and has the right to dispute any inaccurate information
in the report;
e. a statement that federal law gives the consumer the right to obtain copies of his or her
consumer reports directly from the consumer reporting agencies, including a free report
from each of the nationwide consumer reporting agencies once during any 12-month
period;
f. contact information for the centralized source from which consumers may obtain their
free annual consumer reports;

CFPB Manual V.2 (October 2012) Procedures 12


CFPB
Examination Procedures FCRA
g. a statement directing consumers to the website of CFPB to obtain more information about
consumer reports;
h. the current credit score of the consumer or the most recent credit score of the consumer
that was previously calculated by the consumer reporting agency for a purpose related to
the extension of credit;
i. the distribution of credit scores among consumers who are scored under the same scoring
model that is used to generate the consumer’s credit score. The distribution must:
i. use the same scale as that of the credit score provided to the consumer; and
ii. be presented:
a) in the form of a bar graph containing a minimum of six bars that illustrates the
percentage of consumers with credit scores within the range of scores reflected in
each bar;
b) by other clear and readily understandable graphical means; or
c) in a clear and readily understandable statement informing the consumer how his or
her credit score compares to the scores of other consumers. The presentation may
use a graph or statement obtained from the entity providing the credit score if it
meets these requirements;
j. the range of possible credit scores under the model used to generate the credit score;
k. the date on which the credit score was created; and
l. the name of the consumer reporting agency or other person that provided the credit score.
8. For creditors that otherwise provide credit score disclosures to consumers that request loans,
determine whether the 12 CFR 1022.74(f) notice is provided to the applicable consumers in
situations where no credit score is available for the consumer, as required by 12 CFR
1022.74(f). Determine whether each notice contains:
a. a statement that a consumer report (or credit report) includes information about the
consumer’s credit history and the type of information included in that history;
b. a statement that a credit score is a number that takes into account information in a
consumer report and that a credit score can change over time in response to changes in
the consumer’s credit history;
c. a statement that credit scores are important because consumers with higher credit scores
generally obtain more favorable credit terms;
d. a statement that not having a credit score can affect whether the consumer can obtain
credit and what the cost of that credit will be;

CFPB Manual V.2 (October 2012) Procedures 13


CFPB
Examination Procedures FCRA
e. a statement that a credit score about the consumer was not available from a consumer
reporting agency, which must be identified by name, generally due to insufficient
information regarding the consumer’s credit history;
f. a statement that the consumer is encouraged to verify the accuracy of the information
contained in the consumer report and has the right to dispute any inaccurate information
in the consumer report;
g. a statement that federal law gives the consumer the right to obtain copies of his or her
consumer reports directly from the consumer reporting agencies, including a free
consumer report from each of the nationwide consumer reporting agencies once during
any 12-month period;
h. the contact information for the centralized source from which consumers may obtain their
free annual consumer reports; and
i. a statement directing consumers to the website of the CFPB to obtain more information
about consumer reports.
9. For creditors that provide credit score exception notices and that obtain multiple credit scores
in setting material terms of credit, determine whether the score(s) is disclosed in a manner
consistent with the regulation (12 CFR 1022.74(d)(4) and .74(e)(4)):
a. if a creditor only relies upon one of those credit scores in setting the material terms of
credit granted, extended, or otherwise provided to a consumer (for example, by using the
low, middle, high, or most recent score), determine whether the notice includes that credit
score and the other information required by 12 CFR 1022.74(d).
b. if a creditor relies upon multiple credit scores in setting the material terms of credit
granted, extended, or otherwise provided to a consumer (for example, by computing the
average of all the credit scores obtained), determine whether the notice includes one of
those credit scores and the other information required by 12 CFR 1022.74(d).
10. Regardless of whether the creditor provides risk-based pricing notices or credit score
disclosure exception notices, if the creditor increases the consumer’s APR as the result of a
review of a consumer’s account, determine whether the creditor provided the consumer with
an account review risk-based pricing notice (12 CFR 1022.72(d)) if an adverse action notice
was not already provided.
11. Determine whether the account review risk-based pricing notice contains (12 CFR
1022.73(a)(2)):
a. a statement that a consumer report (or credit report) includes information about the
consumer’s credit history and the type of information included in that history;

CFPB Manual V.2 (October 2012) Procedures 14


CFPB
Examination Procedures FCRA
b. a statement that the consumer is encouraged to verify the accuracy of the information
contained in the consumer report and has the right to dispute any inaccurate information
in the report;
c. the identity of each consumer reporting agency that furnished a consumer report used in
the credit decision;
d. a statement that federal law gives the consumer the right to obtain a copy of a consumer
report from the consumer reporting agency or agencies identified in the notice without
charge for 60 days after receipt of the notice;
e. a statement that informs the consumer how to obtain a consumer report from the consumer
reporting agency or agencies identified in the notice and provides contact information
(including a toll-free telephone number, where applicable) specified by the consumer
reporting agency or agencies;
f. a statement that directs consumers to the website of the CFPB to obtain more information
about consumer reports;
g. a statement that the creditor has conducted a review of the account using information
from a consumer report;
h. a statement that, as a result of the review, the APR on the account has been increased
based on information from a consumer report; and
i. if a credit score of the consumer whose extension of credit is under review is used in
increasing the APR:
i. a statement that a credit score is a number that takes into account information in a
consumer report, that the consumer's credit score was used to set the terms of
credit offered, and that a credit score can change over time to reflect changes in
the consumer's credit history;
ii. the credit score used by the person in making the credit decision;
iii. the range of possible credit scores under the model used to generate the credit
score;
iv. all of the key factors that adversely affected the credit score, which shall not
exceed four key factors, except that if one of the key factors is the number of
enquiries made with respect to the consumer report, the number of key factors
shall not exceed five;
v. the date on which the credit score was created; and
vi. the name of the consumer reporting agency or other person that provided the
credit score.

CFPB Manual V.2 (October 2012) Procedures 15


CFPB
Examination Procedures FCRA
12. For all notices, determine whether the notices are clear and conspicuous and comply with the
specific format requirements for the notices (12 CFR 1022.73(b), .74(d)(2), .74(e)(2), and
.74(f)(3)).
13. For all notices, determine whether the notices are provided within the required time frames
(12 CFR 1022.73(c), .74(d)(3), .74(e)(3), and .74(f)(4)), as set out as follows:

Risk-based pricing notices and account review risk-based pricing notices

• For closed-end credit, the notice generally must be provided to the consumer after the
decision to approve a credit request is communicated to the consumer, but before
consummation of the transaction.

• For open-end credit, the notice generally must be provided after the decision to grant
credit is communicated to the consumer, but before the first transaction under the plan
has been made.

• For account reviews, the notice generally must be provided at the time that the decision to
increase the APR is communicated to the consumer or no later than five days after the
effective date of the change in the APR.

Credit score disclosures for loans secured by residential real property

• The credit score disclosure for loans secured by residential real property must be
provided to the consumer at the same time as the disclosure required by Section 609(g) of
the FCRA is provided to the consumer. The Section 609(g) notice must be provided as
soon as reasonably practicable after the credit score has been obtained. In any event, the
credit score disclosure for loans secured by residential real property must be provided at
or before consummation in the case of closed-end credit or before the first transaction is
made under an open-end credit plan.
Credit score disclosures for loans not secured by residential real property

• The notice generally must be provided to the consumer as soon as reasonably practicable
after the credit score has been obtained, but in any event at or before consummation in
the case of closed-end credit or before the first transaction is made under an open-end
credit plan.

Credit score exception notices when no credit score is available

• The notice generally must be provided to the consumer as soon as reasonably practicable
after the creditor has requested the credit score, but in any event not later than
consummation of a transaction in the case of closed-end credit or when the first
transaction is made under an open-end credit plan.
Application to certain automobile lending transactions

CFPB Manual V.2 (October 2012) Procedures 16


CFPB
Examination Procedures FCRA
• For automobile lending transactions made through an auto dealer that is unaffiliated with
the creditor, the creditor may provide a notice in the time periods described above.
Alternatively, the creditor may arrange to have the auto dealer provide a notice to the
consumer on its behalf within these time periods and maintain reasonable policies and
procedures to verify that the auto dealer provides the notice to the consumer within the
applicable time periods. If the creditor arranges to have the auto dealer provide a credit
score disclosure for loans not secured by residential real property, the creditor complies if
the consumer receives a notice containing a credit score obtained by the auto dealer with
these time periods, even if a different credit score is obtained and used by the creditor.

• For credit that is granted under an open-end credit plan to a consumer in person or by
telephone for contemporaneous purchase of goods or services, the notice may be
provided at the earlier of:
o the time of the first mailing to the consumer after the decision is made to approve the
credit, such as in a mailing containing the account agreement or a credit card; or
o within 30 days after the decision to approve the credit.
14. For all notices, determine whether the creditor follows the rules of construction pertaining to
the number of notices provided to the consumer(s) (12 CFR 1022.75). In a transaction
involving two or more consumers, a creditor must provide a risk-based notice to each
consumer. If the consumers have the same address, and the notice does not include a credit
score(s), a person may satisfy the requirements by providing a single notice addressed to both
consumers. However, if a notice includes a credit score(s), the person must provide a
separate notice to each consumer whether the consumers have the same address or not. Each
separate notice that includes a credit score(s) must contain only the credit score(s) of the
consumer to whom the notice is provided, and not the credit score(s) of the other consumer.
Similarly, for credit score disclosure exception notices, whether the consumers have the same
address or not, the creditor must provide a separate notice to each consumer and each
separate notice that includes a credit score(s) must contain only the credit score(s) of the
consumer to whom the notices is provided.
15. For all notices, determine whether the creditor uses the model forms in Appendix H of the
regulation. If yes, determine that it does not modify the model form so extensively as to
affect the substance, clarity, comprehensibility, or meaningful sequence of the forms
(Appendix H).

CFPB Manual V.2 (October 2012) Procedures 17


CFPB
Examination Procedures FCRA
Module 4 – Duties of Users of Consumer Reports and
Furnishers of Consumer Report Information
Duties of Users of Credit Reports Regarding Address Discrepancies –
Section 605(h); 15 U.S.C. 1681c(h); 12 CFR 1022.82

1. Determine whether a user of consumer reports has policies and procedures to recognize
notices of address discrepancy that it receives from a nationwide consumer reporting agency
(NCRA) 3 in connection with consumer reports.
2. Determine whether a user that receives notices of address discrepancy has policies and
procedures to form a reasonable belief that the consumer report relates to the consumer
whose report was requested (12 CFR 1022.82(c)).
See examples of reasonable policies and procedures “to form a reasonable belief” in 12 CFR
1022.82(c)(2).
3. Determine whether a user that receives notices of address discrepancy has policies and
procedures to furnish to the NCRA an address for the consumer that the user has reasonably
confirmed is accurate, if the user does the following:
a. forms a reasonable belief that the report relates to the consumer;
b. establishes a continuing relationship with the consumer; and
c. regularly, and in the ordinary course of business, furnishes information to the NCRA (12
CFR 1022.82(d)(1)).
See examples of reasonable confirmation methods in 12 CFR 1022.82(d)(2).
4. Determine whether the user’s policies and procedures require it to furnish the confirmed
address as part of the information it regularly furnishes to an NCRA during the reporting
period when it establishes a relationship with the consumer (12 CFR 1022.82(d)(3)).
5. If procedural weaknesses or other risks requiring further information are noted, obtain a
sample of consumer reports requested by the user from an NCRA that included notices of
address discrepancy and determine:
a. how the user established a reasonable belief that the consumer reports related to the
consumers whose reports were requested; and
b. if a consumer relationship was established:

3
A NCRA compiles and maintains files on consumers on a nationwide basis.

CFPB Manual V.2 (October 2012) Procedures 18


CFPB
Examination Procedures FCRA
i. whether the user furnished a consumer’s address that it reasonably confirmed
to the NCRA from which it received the notice of address discrepancy; and
ii. whether it furnished the address in the reporting period during which it
established the relationship.
6. On the basis of examination procedures completed, form a conclusion about the ability of
user’s policies and procedures to meet regulatory requirements for the proper handling of
address discrepancies reported by an NCRA.
Furnishers of Information to Consumer Reporting Agencies:
General – Section 623(e); 15 U.S.C. 1681s-2; 12 CFR 1022, Subpart E

• Notices of Disputes from a Consumer Reporting Agency – Section 623(b);


15 U.S.C. 1681s-2(b)
• Direct Disputes from Consumers – Section 623(a)(8); 15 U.S.C. 1681s-2(a)(8);
12 CFR 1022.43

1. Determine whether the entity furnishes consumer information to a consumer reporting


agency about an account or other relationship with a consumer. If so, the entity is subject to
12 CFR 1022.40-1022.43.
2. Determine whether the entity has established and implemented reasonable policies and
procedures regarding the accuracy and integrity of information furnished to a consumer
reporting agency (12 CFR 1022.42(a)).
3. Determine whether the entity considered the Interagency Guidelines in Appendix E of the
regulation when developing its policies and procedures, and incorporated the guidelines as
appropriate (12 CFR 1022.42(b)).
4. Determine whether the entity reviews its policies and procedures periodically and updates
them as necessary to ensure their effectiveness (12 CFR 1022.42(c)).
5. If procedural weaknesses are noted or other risks requiring further investigation are noted,
such as a high number of consumer complaints regarding the accuracy of their consumer
report information from the entity, select a sample of reported items and the corresponding
loan or collection file to determine that the entity:
a. did not report information that it knew, or had reasonable cause to believe, was
inaccurate. Section 623(a)(1)(A) [15 U.S.C. 1681s-2(a)(1)(A)];
b. did not report information to a consumer reporting agency if it was notified by the
consumer that the information was inaccurate and the information was, in fact,
inaccurate. Section 623(a)(1)(B) [15 U.S.C. 1681s-2(a)(1)(B)];

CFPB Manual V.2 (October 2012) Procedures 19


CFPB
Examination Procedures FCRA
c. provided the consumer reporting agency with corrections or additional information to
make information complete and accurate, and thereafter did not send the consumer
reporting agency any information that remained incomplete or inaccurate. Section
623(a)(2) [15 U.S.C. 1681s-2(a)(2)];
d. furnished a notice to a consumer reporting agency of a dispute in situations where a
consumer disputed the completeness or accuracy of any information the entity furnished,
and the entity continued furnishing the information to a consumer reporting agency.
Section 623(a)(3) [15 U.S.C. 1681s-2(a)(3)];
e. notified the consumer reporting agency of a voluntary account-closing by the consumer,
and did so as part of the information regularly furnished for the period in which the
account was closed. Section 623(a)(4) [15 U.S.C. 1681s-2(a)(4)]; and
f. notified the consumer reporting agency of the month and year of commencement of a
delinquency that immediately preceded the action. The notification to the consumer
reporting agency must be made within 90 days of furnishing information about a
delinquent account that was being placed for collection, charged-off, or subjected to any
similar action. Section 623(a)(5) [15 U.S.C. 1681s-2(a)(5)].
6. If weakness within the entity’s procedures for investigating errors are revealed, review a
sample of notices of discputes received from a consumer reporting agency and determine
whether the entity did the following:
a. conducted an investigation with respect to the disputed information (Section
623(b)(1)(A) [15 U.S.C. 1681s-2(b)(1)(A)];
b. reviewed all relevant information provided by the consumer reporting agency (Section
623(b)(1)(B) [15 U.S.C. 1681s-2(b)(1)(B)];
c. reported the results of the investigation to the consumer reporting agency (Section
623(b)(1)(C)) [15 U.S.C. 1681s-2(b)(1)(C)];
d. reported the results of the investigation to all other nationwide consumer reporting
agencies to which the information was furnished if the investigation found that the
reported information was inaccurate or incomplete (Section 623(b)(1)(D)) [15 U.S.C.
1681s-2(b)(1)(D)]; and
e. modified, deleted, or blocked the reporting of information that could not be verified.
7. Determine whether the entity conducts reasonable investigations of direct disputes from
consumers, including a review of all relevant information provided by the consumer (12 CFR
1022.43(e)(1) and (2)).
a. Determine whether the entity completes the investigation and reports the results to the
consumer within the required time frame (12 CFR 1022.43(e)(3)).

CFPB Manual V.2 (October 2012) Procedures 20


CFPB
Examination Procedures FCRA
b. Determine whether the entity notifies and provides corrected information to the consumer
reporting agencies when the results of its investigation finds that inaccurate information
was furnished to the consumer reporting agencies (12 CFR 1022.43(e)(4)).
c. When the entity finds that a dispute is frivolous or irrelevant, determine whether the
entity:
i. notifies the consumer within five days after finding the dispute frivolous or
irrelevant (12 CFR 1022.43(f)(2)); and
ii. includes in the consumer notification the reasons for the findings and the information
necessary to investigate the disputed information (12 CFR 1022.43(f)(3)).
Prevention of Re-Pollution of Consumer Reports – Section 623(a)(6);
15 U.S.C. 1681s-2(a)(6)

1. If the entity provides information to a consumer reporting agency, review the entity’s policies
and procedures for ensuring that items of information blocked because of an alleged identity
theft are not re-reported to the consumer reporting agency.
2. If weaknesses are noted within the entity’s policies and procedures, review a sample of
notices from a consumer reporting agency of allegedly fraudulent information due to identity
theft furnished by the entity, to determine whether the entity does not re-report the item to a
consumer reporting agency.
3. If procedural weaknesses or other risks requiring further investigation are noted, verify that
the entity has not sold or transferred a debt that resulted from an alleged identity theft.
Negative Information Notice – Section 623(a)(7); 15 U.S.C. 1681s-2(a)(7);
12 CFR 1022.1(b)(1)(ii)

1. If the entity provides negative information to a nationwide consumer reporting agency, verify
that the entity’s policies and procedures ensure tht the approriate notices are provided to
consumers.
2. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of notices provided to consumers to determine compliance with the technical content
and timing requirements.

CFPB Manual V.2 (October 2012) Procedures 21


CFPB
Examination Procedures FCRA
Module 5 – Consumer Alerts and Identity Theft Protections
Fraud and Active Duty Alerts – Section 605A(h); 15 U.S.C. 1681c-1(h)

1. Determine whether the entity has effective policies and procedures in place to verify the
identity of consumers in situations in which consumer reports include fraud and/or active
duty military alerts.
2. Determine if the entity has effective policies and procedures in place to contact consumers in
situations where consumer reports include extended alerts.
3. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of transactions in which consumer reports including these types of alerts were
obtained. Verify that the entity complied with the identity verification and/or consumer
contact requirements.
Information Available to Victims – Section 609(e); 15 U.S.C. 1681g(e)

1. Review the entity’s policies, procedures, and/or practices to determine whether identities and
claims of fruadulent transactions are verified and whether information is properly disclosed
to victims of identity theft and/or appropriately authorized law enforcement agents.
2. If procedural weaknesses or other risks requiring further investigation are noted, review a
sample of these types of requests to endetermine whether the entity properly verified the
requestor’s identity prior to disclosing the information.

CFPB Manual V.2 (October 2012) Procedures 22

You might also like