VIII. Privacy Fair Credit Reporting Act
Fair Credit Reporting Act
Introduction
The Fair Credit Reporting Act (FCRA) (15 USC §§1681-
1681u) became effective on April 25, 1971. The FCRA is a
part of a group of acts contained in the Federal Consumer
Credit Protection Act (15 USC §1601 et seq.), such as the
Truth in Lending Act and the Fair Debt Collection Practices
Act. Congress subsequently passed the Consumer Credit
Reporting Reform Act of 1996 (Pub. L. No. 104-208, 110 Stat.
3009-426), which substantially revised the FCRA. These
revisions generally became effective on September 30, 1997.
Minor amendments to the FCRA were made in 1997 and 1998.
The Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat.
1338 (1999)) made additional changes, including provisions
removing a previous statutory prohibition against conducting
routine FCRA examinations, and permitting regulations to be
adopted to implement the requirements of the FCRA.
Elements of the FCRA and Fair and Accurate Credit
Transactions Act of 2003 (FACT Act) have been implemented
in Regulation V (12 CFR 1022).
The FCRA was substantively amended in 2003 upon the
passage of the FACT Act (Pub. L. No. 108-159, 117 Stat.
1952). The FACT Act created many new responsibilities for
consumer reporting agencies and users of consumer reports. It
contained many new consumer disclosure requirements as well
as provisions to address identity theft. In addition, it provided
free annual consumer report rights for consumers and
improved access to consumer report information to help
increase the accuracy of data in the consumer reporting
system.
The FCRA contains significant responsibilities for business
entities that are consumer reporting agencies and lesser
responsibilities for those that are not. Generally, financial
institutions are not considered to function as consumer
reporting agencies; however, depending on the degree to
which their information sharing business practices
approximate those of a consumer reporting agency, they can
be deemed as such.
In addition to the requirements related to financial institutions
acting as consumer reporting agencies, FCRA requirements
also apply to financial institutions that operate in the following
capacities:
1. Procurers and users of information (for example, as credit
grantors, purchasers of dealer paper, or when opening
deposit accounts);
2. Furnishers and transmitters of information (by reporting
information to consumer reporting agencies or other third
parties, or to affiliates);
3. Marketers of credit or insurance products; or
4. Employers.
Structure and Overview of Examination Modules
The examination procedures are structured as a series of
modules, grouping similar requirements together. General
information about each of the requirements is followed by the
examination steps.
Financial institutions are subject to a number of different
requirements under the FCRA, some of which are contained
directly in the statute, while others are contained in regulations
issued by the Consumer Financial Protection Bureau (Bureau),
Federal Reserve Board and/or the Federal Trade Commission.
The Job Aids at the end of this section contain a matrix of the
different statutory and regulatory cites applicable to financial
institutions that are not consumer reporting agencies. This
matrix is sorted by federal regulator.
Key Definitions
There are a number of definitions used throughout the FCRA.
Key definitions include the following:
“Consumer” is defined as an individual.
“Consumer report” is any written, oral, or other
communication of any information by a consumer reporting
agency that bears on a consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation,
personal characteristics, or mode of living which is used or
expected to be used or collected, in whole or in part, for the
purpose of serving as a factor in establishing the consumer’s
eligibility for:
1. Credit or insurance to be used primarily for personal,
family, or household purposes;
2. Employment purposes; or
3. Any other purpose authorized under section 604 (15 USC
§1681b).
The term “consumer report” does not include:
1. Any report containing information solely about
transactions or experiences between the consumer and the
institution making the report;
2. Any communication of that transaction or experience
information among entities related by common ownership
or affiliated by corporate control (for example, different
banks that are members of the same holding company, or
subsidiary companies of a bank);
3. Communication of other information among persons
related by common ownership or affiliated by corporate
control if:
a. It is clearly and conspicuously disclosed to the
consumer that the information may be communicated
among such persons; and
FDIC Consumer Compliance Examination Manual September 2015
b. The consumer is given the opportunity, before the
time that the information is communicated, to direct
that the information not be communicated among such
persons.
4. Any authorization or approval of a specific extension of
credit directly or indirectly by the issuer of a credit card or
similar device;
5. Any report in which a person who has been requested by a
third party to make a specific extension of credit directly
or indirectly to a consumer, such as a lender who has
received a request from a broker, conveys his or her
decision with respect to such request, if the third party
advises the consumer of the name and address of the
person to whom the request was made, and such person
makes the disclosures to the consumer required under
section 615 (15 USC §1681m); or
6. A communication described in subsection (o) or (x) of
section 603 [15 USC §1681a(o)] (which relates to certain
investigative reports and certain reports to prospective
employers).
“Person” means any individual, partnership, corporation,
trust, estate, cooperative, association, government or
governmental subdivision or agency, or other entity.
“Investigative Consumer Report” means a consumer report
or portion thereof in which information on a consumer’s
character, general reputation, personal characteristics, or mode
of living is obtained through personal interviews with
neighbors, friends, or associates of the consumer reported on
or with others with whom he is acquainted or who may have
knowledge concerning any such items of information.
However, such information does not include specific factual
information on a consumer’s credit record obtained directly
from a creditor of the consumer or from a consumer reporting
agency when such information was obtained directly from a
creditor of the consumer or from the consumer.
“Adverse Action” has the same meaning as used in section
701(d)(6) [15 USC §1691(d)(6)] of the Equal Credit
Opportunity Act (“ECOA”). Under the ECOA, it means a
denial or revocation of credit, a change in the terms of an
existing credit arrangement, or a refusal to grant credit in
substantially the same amount or on terms substantially similar
to those requested. Under the ECOA, the term does not
include a refusal to extend additional credit under an existing
credit arrangement where the applicant is delinquent or
otherwise in default, or where such additional credit would
exceed a previously established credit limit.
The term has the following additional meanings for purposes
of the FCRA:
1. A denial or cancellation of, an increase in any charge for,
or a reduction or other adverse or unfavorable change in
the terms of coverage or amount of, any insurance,
existing or applied for, in connection with the
underwriting of insurance;
2. A denial of employment or any other decision for
employment purposes that adversely affects any current or
prospective employee;
3. A denial or cancellation of, an increase in any charge for,
or any other adverse or unfavorable change in the terms
of, any license or benefit described in section 604(a)(3)(D)
[15 USC §1681b(a)(3)(D)]; and
4. An action taken or determination that is (a) made in
connection with an application made by, or transaction
initiated by, any consumer, or in connection with a review
of an account to determine whether the consumer
continues to meet the terms of the account, and (b) adverse
to the interests of the consumer.
“Employment Purposes” when used in connection with a
consumer report means a report used for the purpose of
evaluating a consumer for employment, promotion,
reassignment or retention as an employee.
“Consumer Reporting Agency” means any person which, for
monetary fees, dues, or on a cooperative nonprofit basis,
regularly engages in whole or in part in the practice of
assembling or evaluating consumer credit information or other
information on consumers for the purpose of furnishing
consumer reports to third parties, and which uses any means or
facility of interstate commerce for the purpose of preparing or
furnishing consumer reports.
Examination Objectives
1. To determine the financial institution’s compliance with
the FCRA.
2. To assess the quality of the financial institution’s
compliance management systems and its policies and
procedures for implementing the FCRA.
3. To determine the reliance that can be placed on the
financial institution’s internal controls and procedures for
monitoring the institution’s compliance with the FCRA.
4. To direct corrective action when violations of law are
identified or when policies or internal controls are
deficient.
Examination Procedures [1]
Initial Procedures
The initial procedures are designed to acquaint examiners with
the individual operations and processes of the institution under
examination. These initial steps focus on an institution’s
systems, controls, policies, and procedures, including audits
and previous examination findings.
[1] These reflect the interagency examination procedures in their entirety.
The applicability of the various sections of the FCRA and
implementing regulations depends on an institution’s unique
operations. The functional examination requirements for these
responsibilities are presented topically in Modules 1 through 6
of these procedures. (Module 6 will be included in a
subsequent amendment to these procedures.)
The FCRA contains many different requirements that a
financial institution must follow, even if it is not a consumer
reporting agency. Subsequent to the passage of the FACT Act,
some of the individual compliance responsibilities are set forth
directly in the statute, while others are within joint, interagency
regulations, while still others are set forth in
regulations set by some of the regulatory agencies. The
modules present examination responsibilities by subject
matter, versus strict regulatory or statutory construction.
Initially, examiners should:
1. Through discussions with management and review of
available information, determine whether the institution’s
internal controls are adequate to ensure compliance in the
area under review. Consider the following:
a. Organization charts
b. Process flowcharts
c. Policies and procedures
d. Loan documentation
e. Checklists
f. Computer program documentation (for example,
records illustrating the fields and types of data
reported to consumer reporting agencies; automated
records tracking customer opt outs for FCRA affiliate
information sharing; etc.)
2. Review any compliance audit material including work
papers and reports to determine whether:
a. The scope of the audit addresses all provisions as
applicable;
b. Corrective actions were taken to follow-up on
previously identified deficiencies;
c. The testing includes samples covering all product
types and decision centers;
d. The work performed is accurate;
e. Significant deficiencies and their causes are included
in reports to management and/or to the board of
directors; and
f. The frequency of review is appropriate.
3. Review the financial institution’s training materials to
determine whether:
a. Appropriate training is provided to individuals
responsible for FCRA compliance and operational
procedures; and
b. The training is comprehensive and covers the various
aspects of the FCRA that apply to the individual
financial institution’s operations.
4. Through discussions with management, determine which
portions of the six examination modules will apply.
5. Complete appropriate examination modules, document
and form conclusions regarding the quality of the financial
institution’s compliance management systems and
compliance with the FCRA.
Module 1: Obtaining Consumer Reports
Overview
Consumer reporting agencies have a significant amount of
personal information about consumers. This information is
invaluable in assessing a consumer’s creditworthiness for a
variety of products and services, including loan and deposit
accounts, insurance, and utility services, among others. Access
to this information is governed by the Fair Credit Reporting
Act (FCRA) to ensure that it is obtained for permissible
purposes and not exploited for illegitimate purposes.
The FCRA requires any prospective “user” of a consumer
report, for example a lender, insurer, landlord, or employer,
among others, to have a legally permissible purpose to obtain a
report.
Section 604 Permissible Purposes of Consumer Reports
and Section 606 Investigative Consumer Reports
Legally Permissible Purposes. The FCRA allows a consumer
reporting agency to furnish a consumer report for the
following circumstances and no other:
1. In response to a court order or Federal Grand Jury
subpoena.
2. In accordance with the written instructions of the
consumer.
3. To a person, including a financial institution, which it has
reason to believe:
a. Intends to use the report in connection with a credit
transaction involving the consumer (includes
extending, reviewing, and collecting credit);
b. Intends to use the information for employment
purposes; [2]
c. Intends to use the information in connection with the
underwriting of insurance involving the consumer;
d. Intends to use the information in connection with a
determination of the consumer’s eligibility for a
license or other benefit granted by a governmental
instrumentality that is required by law to consider an
applicant’s financial responsibility;
e. Intends to use the information, as a potential investor
or servicer, or current insurer, in connection with a
valuation of, or an assessment of the credit or
prepayment risks associated with, an existing credit
obligation; or
f. Otherwise has a legitimate business need for the
information:
i. In connection with a business transaction that is
initiated by the consumer; or
ii. To review an account to determine whether the
consumer continues to meet the terms of the
account.
4. In response to a request by the head of a State or local
child support enforcement agency (or authorized
appointee) if the person certifies various information to
the consumer reporting agency regarding the need to
obtain the report. (Generally, this particular purpose does
not impact a financial institution that is not a consumer
reporting agency.)
[2] Use of consumer reports for employment purposes requires specific
advanced authorization, disclosure, and adverse action notices. These
issues are contained in Module 3 of the examination procedures.
Prescreened Consumer Reports. Users of consumer reports,
such as financial institutions, may obtain prescreened
consumer reports to make firm offers of credit or insurance to
consumers, unless the consumers have elected to opt out of
being included on prescreened lists. The FCRA contains many
requirements, including an opt out notice requirement when
prescreened consumer reports are used. In addition to defining
prescreened consumer reports, Module 3 covers these
requirements.
Investigative Consumer Reports. Section 606 contains
specific requirements for use of an investigative consumer
report. This type of consumer report contains information
about a consumer’s character, general reputation, personal
characteristics, or mode of living that is obtained in whole or
in part through personal interviews with neighbors, friends, or
associates of the consumer. If a financial institution procures
an investigative consumer report, or causes one to be prepared,
the institution must meet the following requirements:
1. The institution clearly and accurately discloses to the
consumer that an investigative consumer report may be
obtained.
2. The disclosure contains a statement of the consumer’s
right to request other information about the report, and a
summary of the consumer’s rights under the FCRA.
3. The disclosure is in writing and is mailed or otherwise
delivered to the consumer not later than three business
days after the date on which the report was first requested.
4. The financial institution procuring the report certifies to
the consumer reporting agency that it has complied with
the disclosure requirements and will comply in the event
that the consumer requests additional disclosures about the
report.
Institution Procedures. Given the preponderance of
electronically available information and the growth of identity
theft, financial institutions should manage the risks associated
with obtaining and using consumer reports. Financial
institutions should employ procedures, controls, or other
safeguards to ensure that consumer reports are obtained and
used only in situations for which there are permissible
purposes. Access to, and storage and destruction of this
information is dealt with under an institution’s Information
Security Program; however, obtaining consumer reports
initially must be done in compliance with the FCRA.
Examination Procedures
Section 604 Permissible Purposes of Consumer Reports
and Section 606 Investigative Consumer Reports
1. Determine whether the financial institution obtains
consumer reports.
2. Determine whether the institution obtains prescreened
consumer reports and/or reports for employment purposes.
If so, complete the appropriate sections of Module 3.
3. Determine whether the financial institution procures or
causes to be prepared an investigative consumer report. If
so, ensure that the appropriate disclosure is given to the
consumer within the required time periods. In addition,
ensure that the financial institution certified compliance
with the disclosure requirements to the consumer reporting
agency.
4. Evaluate the institution’s procedures to ensure that
consumer reports are obtained only for permissible
purposes. Confirm that the institution certifies to the
consumer reporting agency the purposes for which it will
obtain reports. (The certification is usually contained in a
financial institution’s contract with the consumer reporting
agency.)
5. If procedural weaknesses are noted or other risks requiring
further investigation are noted, such as the receipt of
several consumer complaints, review a
sample of consumer reports obtained from a consumer
reporting agency and determine whether the financial
institution had permissible purposes to obtain the reports.
For example, obtain a copy of a billing statement or
other list of consumer reports obtained by the
financial institution from the consumer reporting
agency for a period of time.
Compare this list, or a sample from this list to the
institution’s records to ensure that there is a
permissible purpose for the report(s) obtained. This
could include any permissible purpose, such as the
consumer applied for credit, insurance, or
employment, etc. The financial institution may also
obtain a report in connection with the review of an
existing account.
Module 2: Obtaining Information and Sharing
Among Affiliates
Overview
The Fair Credit Reporting Act (FCRA) contains many
substantive compliance requirements for consumer reporting
agencies that are designed to help ensure the accuracy and
integrity of the consumer reporting system. As noted in the
definitions section, a consumer reporting agency is a person
that generally furnishes consumer reports to third parties. By
their very nature, banks, credit unions, and thrifts have a
significant amount of consumer information that could
constitute a consumer report, and thus communication of this
information could cause the institution to become a consumer
reporting agency. The FCRA contains several exceptions that
enable a financial institution to communicate this type of
information, within strict guidelines, without becoming a
consumer reporting agency.
Rather than containing strict information sharing prohibitions,
the FCRA creates a business disincentive such that if a
financial institution shares consumer report information
outside of the exceptions, then the institution is a consumer
reporting agency and will be subject to the significant,
substantive requirements of the FCRA applicable to those
entities. Typically, a financial institution will structure its
information sharing practices within the exceptions to avoid
becoming a consumer reporting agency. This examination
module generally covers the various information sharing
practices within these exceptions.
If upon completion of this module, examiners determine that
the financial institution’s information sharing practices fall
outside of these exceptions, the financial institution will be
considered a consumer reporting agency and Module 6 of the
examination procedures should be completed.
Section 603(d) Consumer Report and Information Sharing
Section 603(d) defines a consumer report to include
information about a consumer such as that which bears on a
consumer’s creditworthiness, character, and capacity among
other factors. Communication of this information may cause a
person, including a financial institution, to become a consumer
reporting agency. The statutory definition contains key
exemptions to this definition that enable financial institutions
to share this type of information under certain circumstances,
without becoming consumer reporting agencies. Specifically,
the term “consumer report” does not include:
1. A report containing information solely as to transactions
or experiences between the consumer and the financial
institution making the report. A person, including a
financial institution, may share information strictly related
to its own transactions or experiences with a consumer
(such as the consumer’s payment history, or an account
with the institution) with any third party, without regard to
affiliation, without becoming a consumer reporting
agency. This type of information sharing may, however,
be restricted under the Privacy of Consumer Financial
Information regulations that implement the Gramm-
Leach-Bliley Act (GLBA) because it meets the definition
of non-public personal information under the Privacy
regulations; therefore sharing it with non-affiliated third
parties may be subject to an opt out under the privacy
regulations. In turn, the FCRA may also restrict activities
that the GLBA permits. For example, the GLBA permits a
financial institution to share a list of its customers and
information such as their credit scores with another
financial institution to jointly market or sponsor other
financial products or services. This communication may
be considered a consumer report under the FCRA and
could potentially cause the sharing financial institution to
become a consumer reporting agency.
2. Communication of such transaction or experience
information among persons, including financial
institutions related by common ownership or affiliated by
corporate control.
3. Communication of other information (e.g., other than
transaction or experience information) among persons and
financial institutions related by common ownership or
affiliated by corporate control, if it is clearly and
conspicuously disclosed to the consumer that the
information will be communicated among such entities,
and before the information is initially communicated, the
consumer is given the opportunity to opt out of the
communication. This allows a financial institution to share
other information (that is, information other than its own
transaction and experience information) that could
otherwise be a consumer report, without becoming a
consumer reporting agency under the following
circumstances:
a. The sharing of the “other” information is done with
affiliates; and
b. Consumers are provided with the notice and an
opportunity to opt out of this sharing before the
information is first communicated among affiliates.
For example, “other” information can include information
provided by a consumer on an application form
concerning accounts with other financial institutions. It
can also include information obtained by a financial
institution from a consumer reporting agency, such as the
consumer’s credit score. If a financial institution shares
other information with affiliates without providing a
notice and an opportunity to opt out, the financial
institution may become a consumer reporting agency
subject to all of the other requirements of the FCRA.
The opt out right required by this section must be
contained in a financial institution’s Privacy Notice, as
required by the GLBA and its implementing regulations.
Other Exceptions
Specific extensions of credit. In addition, the term “consumer
report” does not include the communication of a specific
extension of credit directly or indirectly by the issuer of a
credit card or similar device. For example, this exception
allows a lender to communicate an authorization through the
credit card network to a retailer, to enable a consumer to
complete a purchase using a credit card.
Credit Decision to Third Party (e.g., auto dealer). The term
“consumer report” also does not include any report in which a
person, including a financial institution, who has been
requested by a third party to make a specific extension of
credit directly or indirectly to a consumer, conveys the
decision with respect to the request. The third party must
advise the consumer of the name and address of the financial
institution to which the request was made, and such financial
institution makes the adverse action disclosures required by
section 615 of the FCRA. For example, this exception allows a
lender to communicate a credit decision to an automobile
dealer who is arranging financing for a consumer purchasing
an automobile and who requires a loan to finance the
transaction.
Joint User Rule. The Federal Trade Commission staff
commentary discusses another exception known as the “Joint
User Rule.” Under this exception, users of consumer reports,
including financial institutions, may share information if they
are jointly involved in the decision to approve a consumer’s
request for a product or service, provided that each has a
permissible purpose to obtain a consumer report on the
individual. For example, a consumer applies for a mortgage
loan that will have a high loan-to-value ratio, and thus the
lender will require private mortgage insurance (PMI) in order
to approve the application. The PMI will be provided by an
outside company. The lender and the PMI company can share
consumer report information about the consumer because both
entities have permissible purposes to obtain the information
and both are jointly involved in the decision to grant the
products to the consumer. This exception applies to entities
that are affiliated or non-affiliated third parties. It is important
to note that the GLBA will still apply to the sharing of non-
public, personal information with non-affiliated third parties;
therefore, financial institutions should be aware that sharing
under the FCRA joint user rule may still be limited or
prohibited by the GLBA.
Examination Procedures
Section 603(d) Consumer Report and Information Sharing
1. Review the financial institution’s policies, procedures, and
practices concerning the sharing of consumer information
with third parties, including both affiliated and non-
affiliated third parties. Determine the type of information
shared and with whom the information is shared. (This
portion of the examination process may overlap with a
review of the institution’s compliance with the Privacy of
Consumer Financial Information Regulations that
implement the Gramm-Leach-Bliley Act.)
2. Determine whether the financial institution’s information
sharing practices fall within the exceptions to the
definition of a consumer report. If they do not, the
financial institution could be considered a consumer
reporting agency, in which case Module 6 of the
examination procedures should be completed.
3. If the financial institution shares information other than
transaction and experience information with affiliates
subject to an opt out, ensure that information regarding
how to opt out is contained in the institution’s GLBA
Privacy Notice, as required by the Privacy of Consumer
Financial Information regulations.
4. If procedural weaknesses are noted or other risks requiring
further investigation are noted, obtain a sample of opt out
rights exercised by consumers and determine if the
financial institution honored the opt out requests by not
sharing “other information” about the consumers with the
institution’s affiliates subsequent to receiving a
consumer’s opt out direction.
Section 604(g) Protection of Medical Information
Section 604(g) generally prohibits creditors from obtaining
and using medical information in connection with any
determination of the consumer’s eligibility, or continued
eligibility, for credit. The statute contains no prohibition on
creditors obtaining or using medical information for other
purposes that are not in connection with a determination of the
consumer’s eligibility, or continued eligibility for credit.
Section 604(g)(5)(A) requires the FFIEC agencies to prescribe
regulations that permit transactions that are determined to be
necessary and appropriate to protect legitimate operational,
transactional, risk, consumer, and other needs (including
administrative verification purposes), consistent with the
Congressional intent to restrict the use of medical information
for inappropriate purposes. On November 22, 2005, the FFIEC
Agencies published final rules in the Federal Register (70 FR
70664). The rules contain the general prohibition on obtaining
or using medical information, and provide exceptions for the
limited circumstances when medical information may be used.
The rules define “credit” and “creditor” as having the same
meanings as in section 702 of the Equal Credit Opportunity
Act (15 USC 1691a).
Obtaining and Using Unsolicited Medical Information. A
creditor does not violate the prohibition on obtaining medical
information if it receives the medical information pertaining to
a consumer in connection with any determination of the
consumer’s eligibility, or continued eligibility, for credit
without specifically requesting medical information. However,
the creditor may only use this medical information in
connection with a determination of the consumer’s eligibility,
or continued eligibility, for credit in accordance with either the
financial information exception or one of the specific other
exceptions provided in the rules. These exceptions are
discussed below.
Financial Information Exception. The rules allow a creditor
to obtain and use medical information pertaining to a
consumer in connection with any determination of the
consumer’s eligibility or continued eligibility for credit, so
long as:
1. The information is the type of information routinely used
in making credit eligibility determinations, such as
information relating to debts, expenses, income, benefits,
assets, collateral, or the purpose of the loan, including the
use of the loan proceeds;
2. The creditor uses the medical information in a manner and
to an extent that is no less favorable than it would use
comparable information that is not medical information in
a credit transaction; AND
3. The creditor does not take the consumer’s physical,
mental, or behavioral health, condition or history, type of
treatment, or prognosis into account as part of any such
determination.
The financial information exception is designed in part to
allow creditors to consider a consumer’s medical debts and
expenses in the assessment of that consumer’s ability to repay
the loan according to the loan terms. In addition, the financial
information exception also allows a creditor to consider the
dollar amount and continued eligibility for disability income,
worker’s compensation income, or other benefits related to
health or a medical condition that is relied on as a source of
repayment.
The creditor may use the medical information in a manner and
to an extent that is no less favorable than it would use
comparable, non-medical information. For example, a
consumer includes on an application for credit information
about two $20,000 debts. One debt is to a hospital; the other is
to a retailer. The creditor may use and consider the debt to the
hospital in the same manner in which it considers the debt to
the retailer, such as including the debts in the calculation of
the consumer’s proposed debt-to-income ratio. In addition, the
consumer’s payment history of the debt to the hospital may be
considered in the same manner as the debt to the retailer. For
example, if the creditor does not grant loans to applicants who
have debts that are 90-days past due, the creditor could
consider the past-due status of a debt to the hospital, in the
same manner as the past-due status of a debt to the retailer.
A creditor may use medical information in a manner that is
more favorable to the consumer, according to its regular
policies and procedures. For example, if a creditor has a
routine policy of declining consumers who have a 90-day past
due installment loan to a retailer, but does not decline
consumers who have a 90-day past due debt to a hospital, the
financial information exception would allow a creditor to
continue this policy without violating the rules because in
these cases, the creditor’s treatment of the debt to the hospital
is more favorable to the consumer.
A creditor may not take the consumer’s physical, mental, or
behavioral health, condition or history, type of treatment, or
prognosis into account as part of any determination regarding
the consumer’s eligibility, or continued eligibility for credit.
The creditor may only consider the financial implications as
discussed above, such as the status of a debt to a hospital,
continuance of disability income, etc.
Specific Exceptions for Obtaining and Using Medical
Information. In addition to the financial information
exception, the rules also provide for the following nine
specific exceptions under which a creditor can obtain and use
medical information in its determination of the consumer’s
eligibility, or continued eligibility for credit:
1. To determine whether the use of a power of attorney or
legal representative that is triggered by a medical
condition or event is necessary and appropriate, or
whether the consumer has the legal capacity to contract
when a person seeks to exercise a power of attorney or act
as a legal representative for a consumer based on an
asserted medical condition or event. For example, if
Person A is attempting to act on behalf of Person B under
a Power of Attorney that is invoked based on a medical
event, a creditor is allowed to obtain and use medical
information to verify that Person B has experienced a
medical condition or event such that Person A is allowed
to act under the Power of Attorney.
2. To comply with applicable requirements of local, state, or
Federal laws.
3. To determine, at the consumer’s request, whether the
consumer qualifies for a legally permissible special credit
program or credit related assistance program that is:
a. Designed to meet the special needs of consumers with
medical conditions; AND
b. Established and administered pursuant to a written
plan that:
i. Identifies the class of persons that the program is
designed to benefit; and
ii. Sets forth the procedures and standards for
extending credit or providing other credit-related
assistance under the program.
4. To the extent necessary for purposes of fraud prevention
or detection.
5. In the case of credit for the purpose of financing medical
products or services, to determine and verify the medical
purpose of the loan and the use of the proceeds.
6. Consistent with safe and sound banking practices, if the
consumer or the consumer’s legal representative requests
that the creditor use medical information in determining
the consumer’s eligibility, or continued eligibility, for
credit, to accommodate the consumer’s particular
circumstances, and such request is documented by the
creditor. For example, at the consumer’s request, a
creditor may grant an exception to its ordinary policy to
accommodate a medical condition that the consumer has
experienced. This exception allows a creditor to consider
medical information in this context, but it does not require
a creditor to make such an accommodation nor does it
require a creditor to grant a loan that is unsafe or unsound.
7. Consistent with safe and sound practices, to determine
whether the provisions of a forbearance practice or
program that is triggered by a medical condition or event
apply to a consumer. For example, if a creditor has a
policy of delaying foreclosure in cases where a consumer
is experiencing a medical hardship, this exception allows
the creditor to use medical information to determine if the
policy would apply to the consumer. Like the exception
listed in item 6 above, this exception does not require a
creditor to grant forbearance, it merely provides an
exception so that a creditor may consider medical
information in these instances.
8. To determine the consumer’s eligibility for, the triggering
of, or the reactivation of a debt cancellation contract or
debt suspension agreement if a medical condition or event
is a triggering event for the provision of benefits under the
contract or agreement.
9. To determine the consumer’s eligibility for, the triggering
of, or the reactivation of a credit insurance product if a
medical condition or event is a triggering event for the
provision of benefits under the product.
Limits on redisclosure of information. If a creditor subject to
the medical information rules receives medical information
about a consumer from a consumer reporting agency or its
affiliate, the creditor must not disclose that information to any
other person, except as necessary to carry out the purpose for
which the information was initially disclosed, or as otherwise
permitted by statute, regulation, or order.
Sharing medical information with affiliates. In general, the
exclusions from the definition of “consumer report” in section
603(d)(2) of the FCRA allow the sharing of information
among affiliates. With regard to medical information, section
603(d)(3) of the FCRA provides that the exclusions in section
603(d)(2) do not apply when a person subject to the medical
information rules shares the following information with an
affiliate:
1. Medical information;
2. An individualized list or description based on the payment
transactions of the consumer for medical products or
services; or
3. An aggregate list of identified consumers based on
payment transactions for medical products or services.
If a person who is subject to the medical rules shares with an
affiliate the type of information discussed above, the
exclusions from the definition of “consumer report” do not
apply. Effectively, this means that if a person shares medical
information, that person becomes a consumer reporting
agency, subject to all of the other substantive requirements of
the FCRA.
The rules provide exceptions to these limitations on sharing
medical information with affiliates. A person, such as a bank,
thrift, or credit union, may share medical information with its
affiliates without becoming a consumer reporting agency
under the following circumstances:
1. In connection with the business of insurance or annuities
(including the activities described in section 18B of the
model Privacy of Consumer Financial and Health
Information Regulation issued by the National Association
of Insurance Commissioners, as in effect on January 1,
2003);
2. For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and
Human Services pursuant to the Health Insurance
Portability and Accountability Act of 1996 (HIPAA);
3. For any purpose referred to in section 1179 of HIPAA;
4. For any purpose described in section 502(e) of the
Gramm-Leach-Bliley Act;
5. In connection with a determination of the consumer’s
eligibility, or continued eligibility, for credit consistent
with the financial information exceptions or specific
exceptions; or
6. As otherwise permitted by order of an FFIEC agency.
Examination Procedures
1. Review the financial institution’s policies, procedures, and
practices concerning the collection and use of medical
information pertaining to a consumer in connection with
any determination of the consumer’s eligibility, or
continued eligibility for credit.
2. If the financial institution’s policies, procedures, and
practices allow for obtaining and using medical
information pertaining to a consumer in the context of a
credit transaction, assess whether there are adequate
controls in place to ensure that the information is only
used subject to the financial information exception in the
rules, or under a specific exception within the rules.
3. If procedural weaknesses are noted or other risks requiring
further investigation are noted, obtain samples of credit
transactions to determine if the use of medical information
pertaining to a consumer was done strictly under the
financial information exception or the specific exceptions
under the regulation.
4. Determine whether the financial institution has adequate
policies and procedures in place to limit the redisclosure
of medical information about a consumer that was
received from a consumer reporting agency or an affiliate.
5. Determine whether the financial institution shares medical
information about a consumer with affiliates. If
information is shared, determine whether it occurred under
an exception in the rules that enables the financial
institution to share the information without becoming a
consumer reporting agency.
Section 624 Affiliate Marketing Opt Out
Section 624 gives a consumer the right to restrict an entity,
with which it does not have a pre-existing business
relationship, from using certain information obtained from an
affiliate to make solicitations to that consumer. This provision
is distinct from Section 603(d)(2)(A)(iii), which gives a
consumer the right to restrict the sharing of certain consumer
information amongst affiliates. [3]
Under Section 624, an entity may not use information received
from an affiliate to market its products or services to a
consumer, unless the consumer is given notice and a
reasonable opportunity and a reasonable and simple method to
opt out of the making of such solicitations. The affiliate
marketing opt-out applies to both transaction or experience
information and “other” information, such as information from
credit reports and credit applications. On November 7, 2007,
the federal financial institution regulators published final
regulations in the Federal Register to implement this section
(72 FR 62910). [4]
Exceptions to the notice and opt out requirements apply when
an entity uses eligibility information in certain ways, as
described later in these procedures.
[3] See Module 2, Section 603(d) Consumer Report and Information Sharing,
for provisions pertaining to the sharing of consumer information. Under
section 603(d)(2)(A)(iii) of the FCRA, entities are responsible for
complying with the affiliate sharing notice and opt-out requirement, where
applicable. Thus, under the FCRA, certain consumer information will be
subject to two opt-outs, a sharing opt-out (section 603(d)) and a marketing
use opt-out (section 624). These two opt-outs may be consolidated.
[4] See 12 CFR 1022.20(a) for the scope of entities covered by Subpart C of 12
CFR 1022.
[5] See 12 CFR 1022.20 for other definitions.
Key Definitions (12 CFR 1022.20) [5]
1. “Eligibility information” (12 CFR 1022.20(b)(3))
includes not only transaction and experience information,
but also the type of information found in consumer
reports, such as information from third party sources and
credit scores. Eligibility information does not include
aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses. [6]
2. “Pre-existing business relationship” (12 CFR
1022.20(b)(4)) [7] means a relationship between a person,
such as a financial institution (or a person’s licensed
agent), and a consumer based on:
a. A financial contract between the person and the
consumer which is in force on the date on which the
consumer is sent a solicitation covered by the affiliate
marketing regulation;
b. The purchase, rental, or lease by the consumer of the
person’s goods or services, or a financial transaction
(including holding an active account or a policy in
force, or having another continuing relationship)
between the consumer and the person, during the 18-
month period immediately preceding the date on
which the consumer is sent a solicitation covered by
the affiliate marketing regulation; or
c. An inquiry or application by the consumer regarding a
product or service offered by that person during the
three-month period immediately preceding the date on
which the consumer is sent a solicitation covered by
the affiliate marketing regulation.
3. “Solicitation” (12 CFR 1022.20(b)(5)) means the
marketing of a product or service initiated by a person,
such as a financial institution, to a particular consumer
that is:
a. Based on eligibility information communicated to that
person by its affiliate; and
b. Intended to encourage the consumer to purchase or
obtain such product or service.
Examples of a solicitation include a telemarketing call, direct
mail, e-mail, or other form of marketing communication
directed to a particular consumer that is based on eligibility
information received from an affiliate. A solicitation does not
include marketing communications that are directed at the
general public (e.g., television, general circulation magazine,
and billboard advertisements).
[6] Specifically, “eligibility information” is defined in the affiliate marketing
regulation as “any information the communication of which would be a
consumer report if the exclusions from the definition of “consumer report”
in Section 603(d)(2)(A) of the [Fair Credit Reporting] Act did not apply.”
[7] See 12 CFR 1022.20(b)(4)(ii) and (iii) for examples of pre-existing
business relationships and situations where no pre-existing business
relationship exists.
Initial Notice and Opt-out Requirement (12 CFR 1022.21(a),
1022.24, and 1022.25). A financial institution and its
subsidiaries (“financial institution”) generally may not use
eligibility information about a consumer that it receives from
an affiliate to make a solicitation for marketing purposes to the
consumer, unless:
1. It is clearly and conspicuously disclosed to the consumer
in writing or, if the consumer agrees, electronically, in a
concise notice that the financial institution may use
eligibility information about that consumer that it received
from an affiliate to make solicitations for marketing
purposes to the consumer;
2. The consumer is provided a reasonable opportunity and a
reasonable and simple method to “opt out” (that is, the
consumer prohibits the financial institution from using
eligibility information to make solicitations for marketing
purposes to the consumer); [8] and
3. The consumer has not opted out.
For example, a consumer has a homeowner’s insurance policy
with an insurance company. The insurance company shares
eligibility information about the consumer with its affiliated
depository institution. Based on that eligibility information,
the depository institution wants to make a solicitation to the
consumer about its home equity loan products. The depository
institution does not have a pre-existing business relationship
with the consumer and none of the other exceptions apply. The
depository institution may not use eligibility information it
received from its insurance affiliate to make solicitations to the
consumer about its home equity loan products unless the
insurance company gave the consumer a notice and
opportunity to opt out and the consumer does not opt out.
Making Solicitations (12 CFR 1022.21(b)). [9] A financial
institution (or a service provider acting on behalf of the
financial institution) makes a solicitation for marketing
purposes if:
1. The financial institution receives eligibility information
from an affiliate, including when the affiliate places that
information into a common database that the financial
institution may access;
2. The financial institution uses that eligibility information to
do one or more of the following:
a. Identify the consumer or type of consumer to receive
a solicitation;
b. Establish criteria used to select the consumer to
receive a solicitation; or
c. Decide which of the financial institution’s products or
services to market to the consumer or tailor the
financial institution’s solicitation to that consumer;
and
3. As a result of the financial institution’s use of the
eligibility information, the consumer is provided a
solicitation.
[8] See 12 CFR 1022.24 and 1022.25 for examples of “a reasonable
opportunity to opt out” and “reasonable and simple methods for opting
out.”
[9] See 12 CFR 1022.21(b)(6) for examples of making solicitations.
A financial institution does not make a solicitation for
marketing purposes (and therefore the affiliate marketing
regulation, with its notice and opt-out requirements, does not
apply) in the situations listed below, commonly referred to as
“constructive sharing.” Constructive sharing occurs when a
financial institution provides criteria to an affiliate to use in
marketing the financial institution’s product and the affiliate
uses the criteria to send marketing materials to the affiliate’s
own customers that meet the criteria. In this situation, the
financial institution is not using shared eligibility information
to make solicitations.
1. The financial institution provides criteria for consumers to
whom it would like its affiliate to market the financial
institution’s products. Then, based on these criteria, the
affiliate uses eligibility information that the affiliate
obtained in connection with its own pre-existing business
relationship with the consumer to market the financial
institution’s products or services (or directs its service
provider to use the eligibility information in the same
manner and the financial institution does not communicate
with the service provider regarding that use).
2. A service provider, applying the financial institution’s
criteria, uses information from an affiliate, such as that in
a shared database, to market the financial institution’s
products or services to the consumer, so long as it meets
certain requirements, including:
a. The affiliate controls access to and use of its
eligibility information by the service provider under a
written agreement between the affiliate and the
service provider;
b. The affiliate establishes, in writing, specific terms and
conditions under which the service provider may
access and use the affiliate’s eligibility information to
market the financial institution’s products and services
(or those of affiliates generally) to the consumer;
c. The affiliate requires the service provider, under a
written agreement, to implement reasonable policies
and procedures designed to ensure that the service
provider uses the affiliate’s eligibility information in
accordance with the terms and conditions established
by the affiliate relating to the marketing of the
financial institution’s products or services;
d. The affiliate is identified on or with the marketing
materials provided to the consumer; and
e. The financial institution does not directly use its
affiliate’s eligibility information in the manner
described above under “Making Solicitations (12 CFR
1022.21(b)),” item 2.
Exceptions to Initial Notice and Opt-out Requirements (12
CFR 1022.21(c)). [10] The initial notice and opt-out requirements
do not apply to a financial institution if it uses eligibility
information that it receives from an affiliate:
1. To make a solicitation for marketing purposes to a
consumer with whom the financial institution has a pre-
existing business relationship;
2. To facilitate communications to an individual for whose
benefit the financial institution provides employee benefit
or other services pursuant to a contract with an employer;
3. To perform services on behalf of an affiliate (but this
would not allow solicitation where the consumer has opted
out);
4. In response to a communication about the financial
institution’s products or services initiated by the
consumer;
5. In response to a consumer’s authorization or request to
receive solicitations; or
6. If the financial institution’s compliance with the affiliate
marketing regulation would prevent it from complying
with State insurance laws pertaining to unfair
discrimination in any state in which the financial
institution is lawfully doing business.
Contents of Opt-out Notice (12 CFR 1022.23). A financial
institution must provide to the consumer a reasonable and
simple method for the consumer to opt out. The opt-out notice
must be clear, conspicuous, and concise, and must accurately
disclose specific information outlined in 12 CFR 1022.23(a),
including that the consumer may elect to limit the use of
eligibility information to make solicitations to the consumer.
See Appendix C to the regulation for the model notices
contained in the affiliate marketing regulation.
Alternative contents. An affiliate that provides a consumer a
broader right to opt out than that required by the affiliate
marketing regulation may satisfy the regulatory requirements
by providing the consumer with a clear, conspicuous, and
concise notice that accurately discloses the consumer’s opt-out
rights.
Coordinated, consolidated, and equivalent notices. Opt-out and
renewal notices may be coordinated and consolidated with any
other notice or disclosure required under any other provision
of law, such as the Gramm-Leach-Bliley Act (GLBA), 15
USC 6801 et seq. Renewal notices, which have additional
required content (12 CFR 1022.27), may be consolidated with
the annual GLBA privacy notices.
[10] See 12 CFR 1022.21(d) for examples of exceptions to the initial notice and
opt-out requirement.
Delivery of the Opt-out Notice (12 CFR 1022.21(a)(3) and
1022.26). [11] An affiliate that has or previously had a
pre-existing business relationship with the consumer must provide
the notice either individually or as part of a joint notice from
two or more members of an affiliated group of companies. The
opt-out notice must be provided so that each consumer can
reasonably be expected to receive actual notice. A consumer
may not reasonably be expected to receive actual notice if, for
example, the affiliate providing the notice sends the notice via
e-mail to a consumer who has not agreed to receive electronic
disclosures by e-mail from the affiliate providing the notice. [12]
Scope of Opt-out (12 CFR 1022.22(a) and 1022.23(a)(2)). [13]
As a general rule, the consumer’s election to opt out prohibits
any affiliate covered by the opt-out notice from using
eligibility information received from another affiliate,
described in the notice, to make solicitations to the consumer.
If two or more consumers jointly obtain a product or service,
any of the joint consumers may exercise the right to opt out. It
is impermissible to require all joint consumers to opt out
before implementing any opt-out direction.
Menu of alternatives. A consumer may be given the
opportunity to choose from a menu of alternatives when
electing to prohibit solicitations, such as by:
1. Electing to prohibit solicitations from certain types of
affiliates covered by the opt-out notice but not other types
of affiliates covered by the notice,
2. Electing to prohibit solicitations based on certain types of
eligibility information but not other types of eligibility
information, or
3. Electing to prohibit solicitations by certain methods of
delivery but not other methods of delivery.
One of the alternatives, however, must allow the consumer to
prohibit all solicitations from all of the affiliates that are
covered by the notice.
[11] See 12 CFR 1022.26(b) and (c) for examples of “reasonable expectation of
actual notice” and “no reasonable expectation of actual notice.”
[12] For opt-out notices provided electronically, the notice may be provided in
compliance with either the electronic disclosure provisions of 12 CFR
1022.24(b)(2) and 1022.24(b)(3) or the provisions in section 101 of the
Electronic Signatures in Global and National Commerce Act, 15 U.S.C.
7001 et seq.
[13] See 12 CFR 1022.22(a) for examples of the scope of the opt-out, including
examples of continuing relationships.
Continuing relationship. If the consumer establishes a
continuing relationship with a financial institution or its
affiliate, an opt-out notice may apply to eligibility information
obtained from one or more continuing relationships (such as a
deposit account, a mortgage loan, or a credit card), if the
notice adequately describes the continuing relationships
covered. The opt-out notice can also apply to future continuing
relationships if the notice adequately describes the continuing
future relationships that would be covered.
Special rule for a notice following termination of all
continuing relationships. After all continuing relationships
with a financial institution or its affiliate(s) are terminated, a
consumer must be given a new opt-out notice if the consumer
later establishes another continuing relationship with the
financial institution or its affiliate(s) and the consumer’s
eligibility information is to be used to make a solicitation. The
consumer’s decision not to opt out after receiving the new opt-
out notice would not override a prior opt-out election that
applies to eligibility information obtained in connection with a
terminated relationship.
No continuing relationship (isolated transaction). If the
consumer does not establish a continuing relationship with a
financial institution or its affiliate, but the financial institution
or its affiliate obtains eligibility information about the
consumer in connection with a transaction with the consumer
(such as an ATM cash withdrawal, purchase of traveler’s
checks, or a credit application that is denied), an opt-out notice
provided to the consumer only applies to eligibility
information obtained in connection with that transaction.
Time, Duration, and Renewal of Opt-out (12 CFR 1022.22(b)
and (c) and 1022.27). A consumer may opt out at any time.
The opt-out must be effective for a period of at least five years
beginning when the consumer’s opt-out election is received
and implemented, unless the consumer later revokes the opt-
out in writing or, if the consumer agrees, electronically. An
opt-out period may be set at more than five years, including an
opt-out that does not expire unless the consumer revokes it.
Renewal after opt-out period expires. After the opt-out period
expires, a financial institution may not make solicitations
based on eligibility information it receives from an affiliate to
a consumer who previously opted out, unless:
1. The consumer receives a renewal notice and opportunity
to opt out, and the consumer does not renew the opt-out;
or
2. An exception to the notice and opt-out requirements
applies. [14]
[14] See 12 CFR 1022.21(c) for exceptions.
Contents of renewal notice. The renewal notice must be clear,
conspicuous, and concise, and must accurately disclose most
of the elements of the original opt-out notice, as well as the
facts that:
1. The consumer previously elected to limit the use of certain
information to make solicitations to the consumer;
2. The consumer’s election has expired or is about to expire;
3. The consumer may elect to renew the consumer’s previous
election; and
4. If applicable, that the consumer’s election to renew will
apply for the specified period of time stated in the notice
and that the consumer will be allowed to renew the
election once that period expires.
See 12 CFR 1022.27(b) for all the content requirements of
a renewal notice.
Renewal period. Each opt-out renewal must be effective for a
period of at least five years.
Affiliate who may provide the notice. The renewal notice
must be provided by the affiliate that provided the previous
opt-out notice, or its successor; or as part of a joint renewal
notice from two or more members of an affiliated group of
companies, or their successors, that jointly provided the
previous opt-out notice.
Timing of the renewal notice. A renewal notice may be
provided to the consumer either a reasonable period of time
before the expiration of the opt-out period [15] or any time after
the expiration of the opt-out period but before solicitations that
would have been prohibited by the expired opt-out are made to
the consumer.
[15] An opt-out period may not be shortened by sending a renewal notice to the
consumer before expiration of the opt-out period, even if the consumer
does not renew the opt-out. If a financial institution provides an annual
privacy notice under the Gramm-Leach-Bliley Act, providing a renewal
notice with the last annual privacy notice provided to the consumer before
expiration of the opt-out period is a reasonable period of time before
expiration of the opt-out in all cases. 12 CFR 1022.27(d).
Model forms for opt-out notices (12 CFR 1022, Appendix
C). Appendix C of the affiliate marketing regulation contains
model forms that may be used to comply with the requirement
for clear, conspicuous, and concise notices. The five model
forms are:
C-1 Model Form for Initial Opt-out Notice (Single-Affiliate
Notice)
C-2 Model Form for Initial Opt-out Notice (Joint Notice)
C-3 Model Form for Renewal Notice (Single-Affiliate
Notice)
C-4 Model Form for Renewal Notice (Joint Notice)
C-5 Model Form for Voluntary “No Marketing” Notice
Use of the model forms is not required and a financial
institution may make certain changes to the language or format
of the model forms without losing the protection from liability
afforded by use of the model forms. These changes may not be
so extensive as to affect the substance, clarity, or meaningful
sequence of the language in the model forms. Institutions
making such extensive revisions will lose the safe harbor that
Appendix C provides. Examples of acceptable changes are
provided in Appendix C to the regulation.
Examination Procedures
Section 624 Affiliate Marketing Opt Out
1. Determine whether the financial institution receives
consumer eligibility information from an affiliate. Stop
here if it does not because Subpart C of 12 CFR 1022 does
not apply.
2. Determine whether the financial institution uses consumer
eligibility information received from an affiliate to make a
solicitation for marketing purposes that is subject to the
notice and opt-out requirements. If it does not, stop here.
3. Evaluate the institution’s policies, procedures, practices
and internal controls to ensure that, where applicable, the
consumer is provided with an appropriate notice, a
reasonable opportunity, and a reasonable and simple
method to opt out of the institution’s using eligibility
information to make solicitations for marketing purposes
to the consumer, and that the institution is honoring the
consumer’s opt-outs.
4. If compliance risk management weaknesses or other risks
requiring further investigation are noted, obtain and
review a sample of notices to ensure technical compliance
and a sample of opt-out requests from consumers to
determine if the institution is honoring the opt-out
requests.
a. Determine whether the opt-out notices are clear,
conspicuous, and concise and contain the required
information, including the name of the affiliate(s)
providing the notice, a general description of the types
of eligibility information that may be used to make
solicitations to the consumer, and the duration of the
opt out. (12 CFR 1022.23(a))
b. Review opt-out notices that are coordinated and
consolidated with any other notice or disclosure that is
required under other provisions of law for compliance
with the affiliate marketing regulation. (12 CFR
1022.23(b))
c. Determine whether the opt-out notices and renewal
notices provide the consumer a reasonable opportunity
to opt out and a reasonable and simple method to opt
out. (12 CFR 1022.24 and 1022.25)
d. Determine whether the opt-out notice and renewal
notice are provided (by mail, delivery or
electronically) so that a consumer can reasonably be
expected to receive that actual notice. (12 CFR
1022.26)
e. Determine whether, after an opt-out period expires, a
financial institution provides a consumer a renewal
notice prior to making solicitations based on
eligibility information received from an affiliate. (12
CFR 1022.27)
Module 3: Disclosures to Consumers and
Miscellaneous Requirements
Overview
The Fair Credit Reporting Act (FCRA) requires financial
institutions to provide consumers with various notices and
information under a variety of circumstances. This module
contains examination responsibilities for these various areas.
Section 604(b) Use of Consumer Reports for Employment
Purposes
Section 604(b) has specific requirements for financial
institutions that obtain consumer reports of their employees or
prospective employees prior to, and/or during, the term of
employment. The FCRA generally requires the written
permission of the consumer to procure a consumer report for
“employment purposes.” Moreover, a clear and conspicuous
disclosure that a consumer report may be obtained for
employment purposes must be provided in writing to the
consumer prior to procuring a report.
Prior to taking any adverse action involving employment that
is based in whole or in part on the consumer report, the user
generally must provide to the consumer:
1. A copy of the report; and
2. A description in writing of the rights of the consumer
under this title, as prescribed by the FTC under section
609(c)(3).
At the time a financial institution takes adverse action in an
employment situation, the consumer must also be provided
with an adverse action notice, required by section 615,
described later in this module.
Examination Procedures
1. Determine whether the financial institution obtains
consumer reports on current or prospective employees.
2. Assess the financial institution’s policies and procedures
to ensure that appropriate disclosures are provided to
current and prospective employees when consumer reports
are obtained for employment purposes, including
situations where adverse actions are taken based on
consumer report information.
3. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of the
disclosures to determine if they are accurate and in
compliance with the technical FCRA requirements.
Sections 604(c) and 615(d) of FCRA - Prescreened
Consumer Reports and Opt out Notice [and Parts 642 and
698 of Federal Trade Commission Regulations]
Section 604(c)(1)(B) allows persons, including financial
institutions, to obtain and use consumer reports on any
consumer in connection with any credit or insurance
transaction that is not initiated by the consumer, to make firm
offers of credit or insurance. This process, known as
prescreening, occurs when a financial institution obtains a list
from a consumer reporting agency of consumers who meet
certain predetermined creditworthiness criteria and who have
not elected to be excluded from such lists. These lists may
only contain the following information:
1. The name and address of a consumer;
2. An identifier that is not unique to the consumer and that is
used by the person solely for the purpose of verifying the
identity of the consumer; and
3. Other information pertaining to a consumer that does not
identify the relationship or experience of the consumer
with respect to a particular creditor or other entity.
Each name appearing on the list is considered an individual
consumer report. In order to obtain and use these lists,
financial institutions must make a “firm offer of credit or
insurance” as defined in section 603(l) to each person on the
list. An institution is not required to grant credit or insurance if
the consumer is not creditworthy or insurable, or cannot
furnish required collateral, provided that the underwriting
criteria are determined in advance, and applied consistently.
Example 1: Assume a home mortgage lender obtains a list
from a consumer reporting agency of everyone in County
X, with a current home mortgage loan and a credit score of
700. The lender will use this list to market a 2nd lien home
equity loan product. The lender’s other non-consumer
report criteria, in addition to those used in the prescreened
list for this product, include a maximum total debt-to-
income ratio (DTI) of 50% or less. Some of the criteria can
be screened by the consumer reporting agency, but others,
such as the DTI, must be determined individually when
consumers respond to the offer. If a consumer responds to
the offer, but already has a DTI of 60%, the lender does not
have to grant the loan.
In addition, the financial institution is allowed to obtain a full
consumer report on anyone responding to the offer to verify
that the consumer continues to meet the creditworthiness
criteria. If the consumer no longer meets those criteria, the
financial institution does not have to grant the loan.
Example 2: On January 1, a credit card lender obtains a list
from a consumer reporting agency of consumers in County
Y who have credit scores of 720, and no previous
bankruptcy records. The lender mails solicitations offering
a pre-approved credit card to everyone on the list on
January 2. On January 31, a consumer responds to the offer
and the lender obtains and reviews a full consumer report
which shows that a bankruptcy record was added on
January 15. Since this consumer no longer meets the
lender’s predetermined criteria, the lender is not required to
issue the credit card.
These basic requirements help prevent financial institutions
from obtaining prescreened lists without following through
with an offer of credit or insurance. The financial institution
must maintain the criteria used for the product (including the
criteria used to generate the prescreened report and any other
criteria such as collateral requirements) on file for a period of
three years, beginning on the date that the offer was made to
the consumer.
Technical Notice and Opt Out Requirements. Section 615(d)
contains consumer protections and technical notice
requirements concerning prescreened offers of credit or
insurance. The FCRA requires nationwide consumer reporting
agencies to jointly operate an “opt out” system, whereby
consumers can elect to be excluded from prescreened lists by
calling a toll-free number.
When a financial institution obtains and uses these lists, it
must provide consumers with a Prescreened Opt Out Notice
with the offer of credit or insurance. This notice alerts
consumers that they are receiving the offer because they meet
certain creditworthiness criteria. The notice must also provide
the toll-free telephone number operated by the nationwide
consumer reporting agencies for consumers to call to opt out
of prescreened lists.
The FCRA contains the basic requirement to provide notices
to consumers at the time the prescreened offers are made. The
Federal Trade Commission published an implementing
regulation containing the technical requirements of the notice
at 16 CFR Parts 642 and 698. This regulation is applicable to
anyone, including banks, credit unions, and thrifts that obtain
and use prescreened consumer reports. These requirements
became effective on August 1, 2005; however, the requirement
to provide a notice containing the toll-free opt out telephone
number has existed under the FCRA for many years.
Requirements Beginning August 1, 2005. 16 CFR 642 and
698 of the FTC regulations require a “short” notice and a
“long” notice of the prescreened opt out information be given
with each written solicitation made to consumers using
prescreened consumer reports. These regulations also contain
specific requirements concerning the content and appearance
of these notices. The requirements are listed within the
following paragraphs of these procedures. The regulations
were published on January 31, 2005, in 70 Federal Register
5022.
The short notice must be a clear and conspicuous, simple, and
easy-to-understand statement as follows:
1. Content. The short notice must state that the consumer
has the right to opt out of receiving prescreened
solicitations, provide the toll-free number, and direct
consumers to the existence and location of the long notice,
and shall state the title of the long notice. The short notice
may not contain any other information.
2. Form. The short notice must be in a type size larger than
the principal text on the same page, but it may not be
smaller than 12 point type. If the notice is provided by
electronic means, it must be larger than the type size of the
principal text on the same page.
3. Location. The short form must be on the front side of the
first page of the principal promotional document in the
solicitation, or if provided electronically, it must be on the
same page and in close proximity to the principal
marketing message. The statement must be located so that
it is distinct from other information, such as inside a
border, and must be in a distinct type style, such as
bolded, italicized, underlined, and/or in a color that
contrasts with the principal text on the page, if the
solicitation is provided in more than one color.
The long notice must also be a clear and conspicuous, simple,
and easy to understand statement as follows:
1. Content. The long notice must state the information
required by section 615(d) of the FCRA and may not
include any other information that interferes with, detracts
from, contradicts, or otherwise undermines the purpose of
the notice.
2. Form. The notice must appear in the solicitation, be in a
type size that is no smaller than the type size of the
principal text on the same page, and, for solicitations
provided other than by electronic means, the type size may
not be smaller than 8-point type. The notice must begin
with a heading in capital letters and underlined, and
identifying the long notice as the “PRESCREEN & OPT
OUT NOTICE.” It must be in a type style that is distinct
from the principal type style used on the same page, such
as bolded, italicized, underlined, and/or in a color that
contrasts with the principal text, if the solicitation is in
more than one color. The notice must be set apart from
other text on the page, such as by including a blank line
above and below the statement, and by indenting both the
left and right margins from other text on the page.
The FTC developed model Prescreened Opt Out Notices,
which are contained in Appendix A to 16 CFR 698 of the
FTC’s regulations. Appendix A contains complete sample
solicitations for context. The prescreen notice text is contained
in the following:
Sample Short Notice:
You can choose to stop receiving “prescreened” offers of [credit
or insurance] from this and other companies by calling toll-free
[toll-free number]. See PRESCREEN & OPT-OUT NOTICE on
other side [or other location] for more information about
prescreened offers.
Sample Long Notice:
PRESCREEN & OPT-OUT NOTICE: This “prescreened” offer of
[credit or insurance] is based on information in your credit report
indicating that you meet certain criteria. This offer is not
guaranteed if you do not meet our criteria [including providing
acceptable property as collateral]. If you do not want to receive
prescreened offers of [credit or insurance] from this and other
companies, call the consumer reporting agencies [or name of
consumer reporting agency] toll-free, [toll-free number]; or write:
[consumer reporting agency name and mailing address].
Examination Procedures
1. Determine whether the financial institution obtained and
used prescreened consumer reports in connection with
offers of credit and/or insurance.
2. Evaluate the institution’s policies and procedures to ensure
that criteria used for prescreened offers, including all post-
application criteria, are maintained in the institution’s files
and used consistently when consumers respond to the
offers.
3. Determine whether written solicitations contain the
required disclosures of the consumers’ right to opt out of
prescreened solicitations and comply with all requirements
applicable at the time of the offer.
4. If procedural weaknesses are noted or other risks requiring
further investigation are noted, obtain and review a sample
of approved and denied responses to the offers to ensure
that criteria were appropriately followed.
Section 605(g) Truncation of Credit and Debit Card
Account Numbers
Section 605(g) provides that persons, including financial
institutions, that accept debit and credit cards for the
transaction of business will be prohibited from issuing
electronic receipts that contain more than the last five digits of
the card number, or the card expiration dates, at the point of
sale or transaction. This requirement applies only to
electronically developed receipts and does not apply to
hand-written receipts or those developed with an imprint of the
card.
For Automatic Teller Machines (ATMs) and Point-of-Sale
(POS) terminals or other machines that were put into operation
before January 1, 2005, this requirement is effective on
December 4, 2006. For ATMs and POS terminals or other
machines that were put into operation on or after January 1,
2005, the effective date is the date of installation.
Examination Procedures
1. Determine whether the financial institution’s policies and
procedures ensure that electronically generated receipts
from ATM and POS terminals or other machines do not
contain more than the last five digits of the card number
and do not contain the expiration dates.
2. For ATMs and POS terminals or other machines that were
put into operation before January 1, 2005, determine if the
institution has brought the terminals into compliance or
has begun a plan to ensure that these terminals comply by
the mandatory compliance date of December 4, 2006.
3. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review samples of actual
receipts to ensure compliance.
Section 609(g) Disclosure of Credit Scores by Certain
Mortgage Lenders
Section 609(g) requires financial institutions that make or
arrange mortgage loans using credit scores to provide the score
with accompanying information to the applicants.
Credit score. For purposes of this section, the term “credit
score” is defined as a numerical value or a categorization
derived from a statistical tool or modeling system used by a
person who makes or arranges a loan to predict the likelihood
of certain credit behaviors, including default (and the
numerical value or the categorization derived from such
analysis may also be referred to as a “risk predictor” or “risk
score”). The credit score does not include:
(a) any mortgage score or rating by an automated
underwriting system that considers one or more factors in
addition to credit information, such as the loan-to-value
ratio, the amount of down payment, or the financial assets
of a consumer; or
(b) any other elements of the underwriting process or
underwriting decision.
Covered transactions. The disclosure requirement applies to
both closed-end and open-end loans that are for consumer
purposes and are secured by 1-to-4 family residential real
properties, including purchase and refinance transactions. This
requirement will not apply in circumstances that do not
involve a consumer purpose, such as when a borrower obtains
a loan secured by his or her residence to finance his or her
small business.
Specific required notice. Financial institutions in covered
transactions that use credit scores must provide a disclosure
containing the following specific language, which is contained
in section 609(g)(1)(D):
Notice to The Home Loan Applicant
In connection with your application for a home loan, the lender
must disclose to you the score that a consumer reporting agency
distributed to users and the lender used in connection with your
home loan, and the key factors affecting your credit scores.
The credit score is a computer generated summary calculated at
the time of the request and based on information that a consumer
reporting agency or lender has on file. The scores are based on
data about your credit history and payment patterns. Credit
scores are important because they are used to assist the lender in
determining whether you will obtain a loan. They may also be
used to determine what interest rate you may be offered on the
mortgage. Credit scores can change over time, depending on
your conduct, how your credit history and payment patterns
change, and how credit scoring technologies change.
Because the score is based on information in your credit history, it
is very important that you review the credit-related information
that is being furnished to make sure it is accurate. Credit records
may vary from one company to another.
If you have questions about your credit score or the credit
information that is furnished to you, contact the consumer
reporting agency at the address and telephone number provided
with this notice, or contact the lender, if the lender developed or
generated the credit score. The consumer reporting agency plays
no part in the decision to take any action on the loan application
and is unable to provide you with specific reasons for the decision
on a loan application.
If you have questions concerning the terms of the loan, contact
the lender.
The notice must include the name, address, and telephone
number of each consumer reporting agency that provided a
credit score that was used.
Credit score and key factors disclosed. In addition to the
notice, financial institutions must also disclose the credit
score, the range of possible scores, the date that the score was
created, and the “key factors” used in the score calculation.
“Key factors” are defined as all relevant elements or reasons
adversely affecting the credit score for the particular
individual, listed in the order of their importance based on
their effect on the credit score. The total number of factors to
be disclosed shall not exceed four factors. However, if one of
the key factors is the number of inquiries into a consumer’s
credit information, then the total number of factors shall not
exceed five. These key factors come from information
supplied by the consumer reporting agencies with any
consumer report that was furnished containing a credit score.
(Section 605(d)(2)).
This disclosure requirement applies in any application for a
covered transaction, regardless of the final action taken by the
lender on the application. The FCRA requires a financial
institution to disclose all of the credit scores that were used in
these transactions. For example, if two joint applicants apply
for a mortgage loan to purchase a single-family residence and
the lender uses both credit scores, then both need to be
disclosed. The statute specifically does not require more than
one disclosure per loan; therefore, if multiple scores are used,
all of them can be included in one disclosure containing the
Notice to the Home Loan Applicant.
If a financial institution uses a credit score that was not
obtained directly from a consumer reporting agency, but may
contain some information from a consumer reporting agency,
this disclosure requirement may be satisfied by providing a
score and associated key factor information that were supplied
by a consumer reporting agency. For example, certain
automated underwriting systems generate a score used in a
credit decision. These systems are often populated by data
obtained from a consumer reporting agency. If a financial
institution uses this automated system, the disclosure
requirement may be satisfied by providing the applicants with
a score and key factors supplied by a consumer reporting
agency based on the data, including credit score(s), that was
imported into the automated underwriting system. This will
provide applicants with information about their credit history
and its role in the credit decision, in the spirit of this section of
the statute.
Timing. With regard to the timing of the disclosure, the statute
requires that it be provided as soon as is reasonably practicable
after using a credit score.
Examination Procedures
1. Determine whether the financial institution uses credit
scores in connection with applications for closed-end or
open-end loans secured by 1 to 4 family residential real
property.
2. Evaluate the institution’s policies and procedures to
determine whether accurate disclosures are provided to
applicants as soon as is reasonably practicable after using
credit scores.
3. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of
disclosures given to home loan applicants to ensure
technical compliance with the requirements.
Section 615(a) and (b) Adverse Action Disclosures
The FCRA requires certain disclosures when adverse actions
are taken with respect to consumers, based on information
received from third parties. Specific disclosures are required
depending upon whether the source of the information is: a
consumer reporting agency, a third party other than a
consumer reporting agency, or an affiliate. The disclosure
requirements are discussed separately below.
Information Obtained From a Consumer Reporting Agency.
Section 615(a) provides that when adverse action is taken with
respect to any consumer that is based in whole or in part on
any information contained in a consumer report, the financial
institution must:
1. Provide oral, written, or electronic notice of the adverse
action to the consumer;
2. Provide to the consumer orally, in writing, or
electronically,
a. the name, address, and telephone number of the
consumer reporting agency from which it received the
information (including a toll-free telephone number
established by the agency, if the consumer reporting
agency maintains files on a nationwide basis); and
b. a statement that the consumer reporting agency did
not make the decision to take the adverse action and is
unable to provide the consumer the specific reasons
why the adverse action was taken; and
3. Provide the consumer an oral, written or electronic notice
of the consumer’s right to obtain a free copy of the
consumer report from the consumer reporting agency,
within 60 days of receiving notice of the adverse action,
and the consumer’s right to dispute the accuracy or
completeness of any information in the consumer report
with the consumer reporting agency.
Information Obtained from a Source Other Than a
Consumer Reporting Agency. Section 615(b)(1) provides that
if credit for personal, family, or household purposes involving
a consumer is denied or the charge for such credit is increased,
partially or wholly on the basis of information obtained from a
person other than a consumer reporting agency and bearing
upon the consumer’s creditworthiness, credit standing, credit
capacity, character, general reputation, personal
characteristics, or mode of living, the financial institution:
1. At the time an adverse action is communicated to a
consumer, must clearly and accurately disclose the
consumer’s right to file a written request for the reasons
for the adverse action; and
2. If it receives such a request within 60 days after the
consumer learns of the adverse action, must disclose,
within a reasonable period of time, the nature of the
adverse information. The information should be
sufficiently detailed to enable the consumer to evaluate its
accuracy. The source of the information need not be, but
may be, disclosed. In some instances, it may be impossible
to identify the nature of certain information without also
revealing the source.
Information Obtained from an Affiliate. Section 615(b)(2)
provides that if a person, including a financial institution, takes
an adverse action involving credit (taken in connection with a
transaction initiated by a consumer), insurance or employment,
based in whole or in part on information provided by an
affiliate, it must notify the consumer that the information:
1. Is furnished to the person taking the action by a person
related by common ownership or affiliated by common
corporate control, to the person taking the action;
2. Bears upon the consumer’s creditworthiness, credit
standing, credit capacity, character, general reputation,
personal characteristics, or mode of living;
3. Is not information solely involving transactions or
experiences between the consumer and the person
furnishing the information; and
4. Is not information in a consumer report.
The notification must inform the consumer of the action and
that the consumer may obtain a disclosure of the nature of the
information relied upon by making a written request within 60
days of transmittal of the adverse action notice. If the
consumer makes such a request, the user must disclose the
nature of the information received from the affiliate not later
than 30 days after receiving the request.
Examination Procedures
1. Determine whether the financial institution’s policies and
procedures adequately ensure that appropriate disclosures
are provided when adverse action is taken against
consumers based on information received from consumer
reporting agencies, other third parties, and/or affiliates.
2. Review the financial institution’s policies and procedures
for responding to requests for information in response to
these adverse action notices.
3. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of adverse
action notices to determine if they are accurate and in
technical compliance.
Section 615(g) Debt Collector Communications
Concerning Identity Theft
Section 615(g) has specific requirements for financial
institutions that act as debt collectors, that is, the financial
institution collects debts on behalf of a third party that is a
creditor or other user of a consumer report. The requirements
do not apply when a financial institution is collecting its own
loans. When a financial institution is notified that any
information relating to a debt that it is attempting to collect
may be fraudulent or may be the result of identity theft, the
financial institution must notify the third party of this fact. In
addition, if the consumer, to whom the debt purportedly
relates, requests information about the transaction, the
financial institution must provide all of the information the
consumer would otherwise be entitled to if the consumer
wished to dispute the debt under other provisions of law
applicable to the financial institution.
Examination Procedures
1. Determine whether the financial institution collects debts
for third parties.
2. Determine that the financial institution has policies and
procedures to ensure that the third parties are notified if
the financial institution obtains any information that may
indicate the debt in question is the result of fraud or
identity theft.
3. Determine if the institution has effective policies and
procedures to provide information to consumers to whom
the fraudulent debts relate.
4. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of
instances where consumers have alleged identity theft and
requested information related to transactions to ensure that
all of the appropriate information was provided to the
consumer.
Examination Procedures
Section 615(h) Duties of Users Regarding Risk-Based
Pricing (Regulation V, Subpart H)
Background
Section 615(h) of the Fair Credit Reporting Act (FCRA)
generally requires a user of consumer reports, such as a
financial institution, to provide a risk-based pricing notice to a
consumer when the financial institution, based on a consumer
report, extends credit to the consumer on terms that are
“materially less favorable” than the terms the financial
institution has extended to other consumers. On January 15,
2010, the Federal Reserve and the Federal Trade Commission
published final rules in the Federal Register (75 FR 2724)
implementing this section of the FCRA.
The risk-based pricing notice requirement is designed
primarily to improve the accuracy of consumer reports by
alerting consumers to the existence of negative information in
their consumer reports so that the consumers can, if they
choose, check their consumer reports for accuracy and correct
any inaccurate information. This notice provision is meant to
complement an existing provision of the FCRA, Section
615(a), whereby a creditor that denies a consumer’s
application for credit, based in whole or in part on information
in a consumer’s report, must provide an adverse action notice.
The new provision, Section 615(h), covers the situation where
credit is offered at “materially less favorable terms,” rather
than being denied.
Definitions (12 CFR 1022.71)
The following definitions pertain to the rules governing the
risk-based pricing regulation:
1. “Material terms” means in general:
a. For open-end credit, the annual percentage rate (APR)
required to be disclosed in the account opening
disclosures required under Regulation Z. This does
not include a temporary initial rate that is lower than
the rate that will apply when the temporary rate
expires, any penalty rate that applies upon the
occurrence of specific events (such as a late payment),
or any fixed APR option for a home equity line of
credit;
b. For credit cards (other than a credit card used to
access a home equity line of credit or a charge card),
the APR that applies for purchases. For credit cards
without a purchase APR, “material terms” means the
APR that varies based on consumer report information
and that has the most significant financial impact on
consumers;
c. For closed-end credit, the APR required to be
disclosed prior to consummation under the closed-end
provisions of Regulation Z; and
d. For credit that does not have an APR, the financial
term that varies based on consumer report information
and that has the most significant financial impact on
consumers, such as an annual membership fee for a
charge card.
2. “Materially less favorable” means, generally, that the
cost of credit to a consumer would be significantly greater
than the cost of credit to another consumer from or
through the same creditor. Relevant factors in determining
the significance of a difference in cost include the type of
credit product, the term of the credit extension, and the
extent of the difference.
General Requirements (12 CFR 1022.72-73)
A financial institution must provide to a consumer a notice
(“risk-based pricing notice”) in the form and manner
prescribed by the regulation if:
1. The institution uses a consumer report in connection with
an application for, or a grant, extension, or other provision
of, credit to a consumer for personal, family, or household
purposes; and
2. Based in whole or in part on the consumer report, the
institution grants, extends, or otherwise provides credit to
that consumer on material terms that are materially less
favorable than the most favorable material terms available
to a substantial proportion of consumers from that
institution.
The obligation to provide the notice applies to the creditor to
whom the obligation is initially payable, i.e. the original
creditor. This interpretation excludes brokers and other
intermediaries who do not themselves grant, extend, or
provide credit to consumers. See preamble to the final
regulation (75 FR at 2730 - 2731).
Determination of which consumers must receive notice
(12 CFR 1022.72(b))
A financial institution may determine, on a case-by-case basis,
whether a consumer has received material terms that are
materially less favorable by comparing the material terms
offered to the consumer to the material terms offered to other
consumers for a specific type of credit product. A “specific
type of credit product” means one or more credit products with
similar features that are designed for similar purposes.
Examples include student loans, unsecured credit cards,
secured credit cards, new automobile loans, used automobile
loans, fixed-rate mortgage loans, and variable-rate mortgage
loans.
Because making such a direct comparison between consumers
may not be operationally feasible, the rules provide two
alternative methods, a credit score proxy method and a tiered
pricing method, both of which are described as follows:
1. Credit score proxy method (12 CFR 1022.72(b)(1)). If a
creditor uses credit scores to set the material terms of
credit, the creditor may determine a cutoff score that
represents the point at which approximately 40 percent of
its consumers have higher credit scores and 60 percent of
its consumers have lower credit scores. The creditor may
then provide a risk-based pricing notice to each consumer
who has a credit score lower than the cutoff score.
Credit Score Proxy Example
Item | Value
The number of all, or a representative sample of, consumers to whom the institution granted credit for a specific type of credit product | 10,000
40 percent of consumers | 4,000
Credit scores of the 4,000 consumers with the highest credit scores | 700 or higher
Cutoff score | 700
Credit scores of those consumers to whom the creditor must provide a risk-based pricing notice, because the consumers’ scores are lower than cutoff score | 699 or lower
Alternative to 40/60 cutoff. The regulation provides an
alternative to the 40/60 cutoff discussed above for
situations where more than 40 percent of consumers (e.g.,
80 percent) receive the most favorable material terms. In
such situations, the creditor may set a different cutoff
score based on its historical experience. The cutoff score
would be set at a point at which the approximate
percentage of consumers who historically have received
the most favorable material terms based on their credit
score would not receive a notice in the future. Under this
alternative, the risk-based pricing notices would be
provided to the approximate percentage of consumers who
historically have been granted credit on material terms
other than the most favorable terms.
For example, based on a sample of credit extended in the
past six months, a creditor may determine that
approximately 80 percent of its consumers received credit
at its lowest APR (i.e., the most favorable material terms),
and 20 percent of its consumers received credit at a higher
APR (i.e., material terms other than the most favorable).
Approximately 80 percent of the sampled consumers had a
credit score at or above 750, and 20 percent had a credit
score below 750. As a result, the card issuer could select
750 as its cutoff score. Consumers who have credit scores
lower than 750 would receive the risk-based pricing
notice. See preamble to the final regulation (75 FR at
2733).
Recalculation. An institution must recalculate the score
no less than every two years.
Specific type of product. A financial institution must
calculate the cutoff score by considering the credit scores
of all, or a representative sample of, the consumers who
have received credit for a specific type of credit product.
New entrants or new products. For new entrants into the
credit business or for new products subject to risk-based
pricing, a financial institution may determine the cutoff
score based on information from market research or other
third-party sources. For a newly acquired credit portfolio,
a financial institution may determine the cutoff score from
information obtained from the party from which it
acquired the portfolio. The institution must recalculate the
cutoff score using the scores of its own consumers within
one year after it begins using a score derived from market
research, a third-party, or the party from which it acquired
the portfolio. If, within that one year, it has not granted
credit to a sufficient number of new consumers, thus
preventing it from having sufficient data with which to
recalculate a cut-off score based on the credit scores of its
own consumers, it may continue to use the original cutoff
score. However, within two years, it must calculate its
own cutoff score if it has granted credit to some new
consumers within those two years.
Use of multiple credit scores. For a financial institution
that generally uses two or more credit scores to set
material credit terms, the institution must determine the
cutoff score using the same method used to evaluate
multiple scores when making credit decisions (for
example, using an average credit score). If the institution
does not consistently use the same method for evaluating
multiple scores, the institution must use a reasonable
means. For example, the institution may use any one of
the methods that the institution ordinarily uses or the
average credit score of each consumer to calculate the
credit score by a reasonable means.
No credit score available for a consumer. If no credit
score is available for a consumer, a financial institution
must assume that it is granting credit on materially less
favorable terms and thus must provide a risk-based pricing
notice to the consumer.
2. Tiered pricing method (12 CFR 1022.72(b)(2)). If a
financial institution sets the material terms of credit by
assigning each consumer to one of a discrete number of
pricing tiers for a specific type of credit product, based in
whole or in part on a consumer report, the institution may
provide a risk-based pricing notice to each consumer who
is not assigned to the top pricing tier or tiers.
If the financial institution uses four or fewer pricing tiers,
it complies by providing risk-based pricing notices to all
consumers who do not qualify for the top, best-priced tier.
If the institution uses five or more pricing tiers, it complies
by providing the notices to all consumers who do not
qualify for the two top, best-priced tiers and any other tier
that, combined with the top two tiers, equal no less than
the top 30 percent and no more than the top 40 percent of
the total number of tiers.
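Tiered Pricing Example
Four or fewer tiers (top tier = best rate)
Tier | APR | Notice requirement
Tier 1 (top) | 8% | No risk-based pricing notice required.
Tier 2 | 10% | Risk-based pricing notice required for Tiers 2-4.
Tier 3 | 12% | Risk-based pricing notice required for Tiers 2-4.
Tier 4 | 14% | Risk-based pricing notice required for Tiers 2-4.
Five or more tiers (5 tiers)
APR | Notice requirement
8% | No risk-based pricing notice required for top 30% to 40% of tiers. Top two tiers comprise 2 out of 5 (40%) of the number of tiers.
10% | No risk-based pricing notice required (same as above).
12% | Risk-based notices required for Tiers 3-5.
14% | Risk-based notices required for Tiers 3-5.
16% | Risk-based notices required for Tiers 3-5.
Five or more tiers (9 tiers)
APR | Notice requirement
8% | No risk-based pricing notice required for top 30% to 40% of tiers. Top three tiers comprise 3 out of 9 (33%) of the number of tiers.
10% | No risk-based pricing notice required (same as above).
12% | No risk-based pricing notice required (same as above).
14% | Risk-based notices required for Tiers 4-9.
16% | Risk-based notices required for Tiers 4-9.
18% | Risk-based notices required for Tiers 4-9.
20% | Risk-based notices required for Tiers 4-9.
22% | Risk-based notices required for Tiers 4-9.
24% | Risk-based notices required for Tiers 4-9.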
Application to credit card issuers (12 CFR 1022.72(c)). A
credit card issuer may use any of the methods in 12 CFR
1022.72(b) to identify consumers to whom it must provide a
risk-based pricing notice. Alternatively, the card issuer may
provide the notice when:
(a) a consumer applies for a credit card in connection with an
application program or in response to a solicitation, and
more than one purchase APR may apply under the
program or solicitation, and
(b) based in whole or in part on a consumer report, the credit
card is issued to a consumer with an APR that is higher
than the lowest APR available in connection with the
application or solicitation.
The risk-based pricing requirements do not apply to a card
issuer if the credit card program offers only a single annual
APR (other than temporary initial rates or penalty rates) or if
the issuer offers the consumer the lowest possible APR under
the credit card program.
Content of the notice (12 CFR 1022.73(a)(1)). The risk-based
pricing notice must include:
1. A statement that a consumer report (or credit report)
includes information about the consumer’s credit history
and the type of information included in that history;
2. A statement that the consumer is encouraged to verify the
accuracy of the information contained in the consumer
report and has the right to dispute any inaccurate
information in the report;
3. The identity of each consumer reporting agency that
furnished a consumer report used in the credit decision;
4. A statement that federal law gives the consumer the right
to obtain a copy of a consumer report from the consumer
reporting agency or agencies identified in the notice
without charge for 60 days after receipt of the notice;
5. A statement informing the consumer how to obtain a
consumer report from the consumer reporting agency or
agencies identified in the notice and providing contact
information (including a toll-free telephone number,
where applicable) specified by the consumer reporting
agency or agencies;
6. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports;
7. A statement that the terms offered, such as the APR, have
been set based on information from a consumer report;
and
8. A statement that the terms offered may be less favorable
than the terms offered to consumers with better credit
histories.
See Appendix H-1 of the regulation for a model form for
the risk-based pricing notice.
Account Review (12 CFR 1022.72(d)). Generally, creditors
must provide an account review risk-based pricing notice to
the consumer if the creditor, based in whole or in part on a
consumer report, increases the consumer’s APR after a review
of the consumer’s account, unless one of the exceptions in 12
CFR 1022.74(a), (b), or (c) applies (for example, the creditor
provides an adverse action notice).
Content of account review risk-based pricing notice (12 CFR
1022.73(a)(2)). The account review risk-based pricing notice
must include:
1. A statement that a consumer report (or credit report)
includes information about the consumer’s credit history
and the type of information included in that history;
2. A statement that the consumer is encouraged to verify the
accuracy of the information contained in the consumer
report and has the right to dispute any inaccurate
information in the report;
3. The identity of each consumer reporting agency that
furnished a consumer report used in the account review;
4. A statement that federal law gives the consumer the right
to obtain a copy of a consumer report from the consumer
reporting agency or agencies identified in the notice
without charge for 60 days after receipt of the notice;
5. A statement informing the consumer how to obtain a
consumer report from the consumer reporting agency or
agencies identified in the notice and providing contact
information (including a toll-free telephone number,
where applicable) specified by the consumer reporting
agency or agencies;
6. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports;
7. A statement that the financial institution has conducted a
review of the account using information from a consumer
report; and
8. A statement that as a result of the review, the APR on the
account has been increased based on information from a
consumer report.
NOTE: Items 1 through 6 for account review risk-based
pricing notice are substantially the same as items 1
through 6 for the risk-based pricing notice. Only the last
two items in each list are different.
See Appendix H-2 of the regulation for a model form for
the account review risk-based pricing notice.
Form of the notice (12 CFR 1022.73(b)). The risk-based
pricing notices and the account review risk-based pricing
notices must be clear and conspicuous and provided to the
consumer in oral, written, or electronic form. Creditors are
deemed to be in compliance with the disclosure requirements
through use of the optional, applicable model forms, found in
Appendix H of the regulation.
Timing (12 CFR 1022.73(c)). The timing requirement depends
on the specific type of credit transaction as specified below:
For closed-end credit, a risk-based pricing notice must be
provided to the consumer after the decision to approve a
credit request is communicated to the consumer, but
before consummation of the transaction.
For open-end credit, the notice must be provided after the
decision to grant credit is communicated to the consumer,
but before the first transaction under the plan has been
made.
For account reviews, the notice must be provided at the
time that the decision to increase the APR is
communicated to the consumer. If no notice of the
increase in the APR is provided to the consumer prior to
the effective date of the APR change, the notice must be
provided no later than five days after the effective date of
the APR change.
For automobile lending transactions made through an auto
dealer that is unaffiliated with the institution, the
institution may provide a risk-based pricing notice in the
time periods described above for closed-end credit.
Alternatively, the institution may arrange to have the auto
dealer provide a risk-based pricing notice to the consumer
on its behalf within these time periods and maintain
reasonable policies and procedures to verify that the auto
dealer provides the notices to consumers within the
applicable time periods.
For instant credit that is granted under an open-end credit
plan to a consumer in person or by telephone, the risk-
based pricing notice may be provided at the earlier of:
° The time of the first mailing to the consumer after the
decision is made to approve the credit, such as in a
mailing containing the account agreement or a credit
card; or
° Within 30 days after the decision to approve the
credit.
Exceptions (12 CFR 1022.74)
The rules contain a number of exceptions to the risk-based
pricing notice requirement, as follows:
1. When a consumer applies for specific terms of credit, and
receives them, unless those terms were specified by the
creditor using a consumer report after the consumer
applied for the credit and after the creditor obtained the
consumer report (12 CFR 1022.74(a));
2. When a creditor provides a notice of adverse action
(12 CFR 1022.74(b));
3. When a creditor makes a firm offer of credit in a
prescreened solicitation (12 CFR 1022.74(c));
4. When an institution generally provides a credit score
disclosure to each consumer that requests a loan that is or
will be secured by residential real property
(12 CFR 1022.74(d));
5. When an institution generally provides a credit score
disclosure to each consumer that requests a loan that is not
or will not be secured by residential real property
(12 CFR 1022.74(e)); and
6. When an institution, which otherwise provides credit score
disclosures to consumers that request loans, provides a
disclosure about credit scores when no credit score is
available (12 CFR 1022.74(f)).
The regulation contains specific disclosure requirements for
Sections 1022.74(d)-(f) exceptions, as discussed below.
Section 1022.74(d) exception: credit score disclosure for
loans secured by residential real property (12 CFR
1022.74(d)). An institution is not required to provide a risk-
based pricing notice to a consumer under Sections 1022.72(a)
or (c) if:
1. The consumer requests from an institution an extension of
credit that is or will be secured by one to four units of
residential real property; and
2. The institution generally provides to each consumer that
requests such an extension of credit a notice that contains
the following:
a. A statement that a consumer report (or credit report) is
a record of the consumer’s credit history and includes
information about whether the consumer pays his or
her obligations on time and how much the consumer
owes to creditors;
b. A statement that a credit score is a number that takes
into account information in a consumer report and that
a credit score can change over time to reflect changes
in the consumer’s credit history;
c. A statement that the consumer’s credit score can
affect whether the consumer can obtain credit and
what the cost of that credit will be;
d. A statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the report;
e. A statement that federal law gives the consumer the
right to obtain copies of his or her consumer reports
directly from the consumer reporting agencies,
including a free report from each of the nationwide
consumer reporting agencies once during any
12-month period;
f. Contact information for the centralized source from
which consumers may obtain their free annual
consumer reports;
g. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports;
h. The information required to be disclosed to the
consumer in Section 609(g) of the FCRA, and as
described in Module 3 of these examination
procedures, under “Disclosure of Credit Scores by
Certain Mortgage Lenders (FCRA), Section 609(g)”;
and
i. The distribution of credit scores among consumers
who are scored under the same scoring model that is
used to generate the consumer’s credit score. The
distribution must:
(i) Use the same scale as that of the credit score
provided to the consumer; and
(ii) Be presented:
° In the form of a bar graph containing a
minimum of six bars that illustrates the
percentage of consumers with credit scores
within the range of scores reflected in each
bar,
° By other clear and readily understandable
graphical means, or
° In a clear and readily understandable
statement informing the consumer how his or
her credit score compares to the scores of
other consumers.
The presentation may use a graph or statement
obtained from the entity providing the credit score
if it meets these requirements.
Form of the notice. (1022.74(d)) The notice must be:
a. Clear and conspicuous;
b. Provided on or with the notice required by Section
609(g) of the FCRA;
c. Segregated from other information provided to the
consumer, except for the notice required by Section
609(g) of the FCRA; and
d. Provided to the consumer in writing and in a form that
the consumer may keep.
Timing. (1022.74(d)) The notice must be provided to the
consumer at the same time as the disclosure required by
Section 609(g) of the FCRA is provided to the consumer,
which must be provided as soon as reasonably practicable
after the credit score has been obtained. In any event, the
Section 1022.74(d) notice must be provided at or before
consummation in the case of closed-end credit or before
the first transaction is made under an open-end credit plan.
Content of the notice when using multiple credit scores.
When an institution obtains two or more credit scores
from consumer reporting agencies in setting material
terms of credit, the content of the Section 1022.74(d)
notice varies depending upon whether the institution only
relies upon one of the credit scores or relies upon multiple
credit scores.
a. If an institution only relies upon one of those credit
scores in setting the material terms of credit granted,
extended, or otherwise provided to a consumer (for
example, by using the low, middle, high, or most
recent score), the notice must include that credit score
and the other information required by Section
1022.74(d).
b. If an institution relies upon multiple credit scores in
setting the material terms of credit granted, extended,
or otherwise provided to a consumer (for example, by
computing the average of all the credit scores
obtained), the notice must include one of those credit
scores and the other information required by Section
1022.74(d).
At the institution’s option, the notice may include more
than one credit score, along with the additional
information required by Section 1022.74(d) for each credit
score disclosed.
Examples.
a. An institution uses consumer reports to set the
material terms of mortgage credit granted, extended,
or provided to consumers and regularly requests credit
scores from several consumer reporting agencies. It
relies upon the low score when determining the
material terms it will offer to the consumer. The
institution must disclose the low score in the Section
1022.74(d) notice.
b. An institution uses consumer reports to set the
material terms of mortgage credit granted, extended,
or provided to consumers and regularly requests credit
scores from several consumer reporting agencies. The
institution takes an average of all of the credit scores
obtained in order to determine the material terms it
will offer to the consumer, and thus relies upon all of
the credit scores that it receives. The institution may
choose one of these scores to include in the Section
1022.74(d) notice.
Model form. Appendix H-3 of the regulation contains a model
form of the Section 1022.74(d) notice that is consolidated with
the notice required by Section 609(g) of the FCRA. While use
of the model form is optional, appropriate use of Model Form
H-3 is deemed to comply with the requirements of Section
1022.74(d).
Section 1022.74(e) exception: credit score disclosure for
loans not secured by residential real property (12 CFR
1022.74(e)). An institution is not required to provide a risk-
based pricing notice to a consumer under Section 1022.72(a)
or (c) if:
1. The consumer requests from an institution an extension of
credit that is not or will not be secured by one to four units
of residential real property; and
2. The institution provides to each consumer that requests
such an extension of credit a notice that contains the
following:
a. A statement that a consumer report (or credit report) is
a record of the consumer’s credit history and includes
information about whether the consumer pays his or
her obligations on time and how much the consumer
owes to creditors;
b. A statement that a credit score is a number that takes
into account information in a consumer report and that
a credit score can change over time to reflect changes
in the consumer’s credit history;
c. A statement that the consumer’s credit score can
affect whether the consumer can obtain credit and
what the cost of that credit will be;
d. A statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the report;
e. A statement that federal law gives the consumer the
right to obtain copies of his or her consumer reports
directly from the consumer reporting agencies,
including a free report from each of the nationwide
consumer reporting agencies once during any 12-
month period;
f. Contact information for the centralized source from
which consumers may obtain their free annual
consumer reports;
g. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports;
h. The current credit score of the consumer or the most
recent credit score of the consumer that was
previously calculated by the consumer reporting
agency for a purpose related to the extension of credit;
i. The distribution of credit scores among consumers
who are scored under the same scoring model that is
used to generate the consumer’s credit score. The
distribution must:
Use the same scale as that of the credit score
provided to the consumer, and
Be presented:
° In the form of a bar graph containing a
minimum of six bars that illustrates the
percentage of consumers with credit scores
within the range of scores reflected in each
bar,
° By other clear and readily understandable
graphical means, or
° In a clear and readily understandable
statement informing the consumer how his or
her credit score compares to the scores of
other consumers.
The presentation may use a graph or statement
obtained from the entity providing the credit score
if it meets these requirements.
j. The range of possible credit scores under the model
used to generate the credit score;
k. The date on which the credit score was created; and
l. The name of the consumer reporting agency or other
person that provided the credit score.
NOTE: Items a, b, c, d, e, f, g, and i for the Section
1022.74(e) notice are the same as items a, b, c, d, e, f,
g, and i for the Section 1022.74(d) notice.
Form of the notice. 1022.74(e) The notice must be:
a. Clear and conspicuous;
b. Segregated from other information provided to the
consumer; and
c. Provided to the consumer in writing and in a form that
the consumer may keep.
Timing. 1022.74(e) The notice generally must be provided
to the consumer as soon as reasonably practicable after the
credit score has been obtained, but in any event at or
before consummation in the case of closed-end credit or
before the first transaction is made under an open-end
credit plan. The notice may alternatively be provided in
the following manner:
1. For automobile lending transactions made through an
auto dealer that is unaffiliated with the institution, the
institution may provide a Section 1022.74(e) notice in
the time periods described above. Alternatively, the
institution may arrange to have the auto dealer provide
a Section 1022.74(e) notice to the consumer on its
behalf within these time periods and maintain
reasonable policies and procedures to verify that the
auto dealer provides the notice to the consumer within
the applicable time periods. If the institution arranges
to have the auto dealer provide a Section 1022.74(e)
notice, the institution complies if the consumer
receives a notice containing a credit score obtained by
the dealer, even if a different credit score is obtained
and used by the institution. (12 CFR 1022.73(c)(2))
2. For instant credit that is granted under an open-end
credit plan to a consumer in person or by telephone,
the Section 1022.74(e) notice may be provided at the
earlier of:
a. The time of the first mailing to the consumer after
the decision is made to approve the credit, such as
in a mailing containing the account agreement or
a credit card; or
b. Within 30 days after the decision to approve the
credit. (12 CFR 1022.73(c)(3))
Multiple credit scores. When an institution obtains two or
more credit scores from consumer reporting agencies in setting
material terms of credit, the content of the Section 1022.74(e)
notice varies depending on whether the institution relies upon
only one of the credit scores or relies upon multiple credit
scores. These disclosure requirements are the same as those for
the Section
1022.74(d) notices, as described previously.
Model form. Appendix H-4 of the regulation contains a model
form of the Section 1022.74(e) notice. While use of the model
form is optional, appropriate use of Model Form H-4 is
deemed to comply with the requirements of Section
1022.74(e).
Section 1022.74(f) exception: credit score not available (12
CFR 1022.74(f)). An institution is not required to provide a
risk-based pricing notice to a consumer under Section
1022.72(a) or (c) if the institution:
1. Regularly obtains credit scores from a consumer reporting
agency and provides credit score disclosures to consumers
in accordance with Sections 1022.74(d) or (e), but a credit
score is not available from the consumer reporting agency
from which the institution regularly obtains credit scores
for a consumer to whom the institution grants, extends, or
provides credit;
2. Does not obtain a credit score from another consumer
reporting agency in connection with granting, extending,
or providing credit to the consumer; and
3. Provides to the consumer a notice that contains the
following:
a. A statement that a consumer report (or credit report)
includes information about the consumer’s credit
history and the type of information included in that
history;
b. A statement that a credit score is a number that takes
into account information in a consumer report and that
a credit score can change over time in response to
changes in the consumer’s credit history;
c. A statement that credit scores are important because
consumers with higher credit scores generally obtain
more favorable credit terms;
d. A statement that not having a credit score can affect
whether the consumer can obtain credit and what the
cost of that credit will be;
e. A statement that a credit score about the consumer
was not available from a consumer reporting agency,
which must be identified by name, generally due to
insufficient information regarding the consumer’s
credit history;
f. A statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the consumer report;
g. A statement that federal law gives the consumer the
right to obtain copies of his or her consumer reports
directly from the consumer reporting agencies,
including a free consumer report from each of the
nationwide consumer reporting agencies once during
any 12-month period;
h. The contact information for the centralized source
from which consumers may obtain their free annual
consumer reports; and
i. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports.
NOTE: Items b, f, g, h, and i for the Section 1022.74(f)
notice are the same as items b, f, g, h, and i for the
Sections 1022.74(d) and (e) notices.
Example. An institution uses consumer reports to set
the material terms of non-mortgage credit granted,
extended, or provided to consumers and regularly
requests credit scores from a particular consumer
reporting agency. As required by Section 1022.74(e),
the institution provides those credit scores and
additional information to consumers. The consumer
reporting agency provides to the institution a
consumer report on a particular consumer that
contains one trade line, but does not provide the
institution with a credit score on that consumer. If the
institution does not obtain a credit score from another
consumer reporting agency and, based in whole or in
part on information in a consumer report, grants,
extends, or provides credit to the consumer, the
institution may provide the Section 1022.74(f) notice.
If, however, the institution obtains a credit score from
another consumer reporting agency, the institution
may not rely upon the Section 1022.74(f) exception,
but must satisfy the requirements of Section
1022.74(e).
Form of the notice. The Section 1022.74(f) notice must be:
1. Clear and conspicuous;
2. Segregated from other information provided to the
consumer; and
3. Provided to the consumer in writing and in a form that the
consumer may keep.
Timing. (1022.74(f)) The notice generally must be provided to
the consumer as soon as reasonably practicable after the
institution has requested the credit score, but in any event not
later than consummation of a transaction in the case of closed-
end credit or when the first transaction is made under an open-
end credit plan. The notice may alternatively be provided in
the following manner:
1. For automobile lending transactions made through an auto
dealer that is unaffiliated with the institution, the
institution may provide a Section 1022.74(f) notice in the
time periods described above. Alternatively, the institution
may arrange to have the auto dealer provide a Section
1022.74(f) notice to the consumer on its behalf within
these time periods and maintain reasonable policies and
procedures to verify that the auto dealer provides the
notice to the consumer within the applicable time periods.
(12 CFR 1022.73(c)(2))
2. For instant credit that is granted under an open-end credit
plan to a consumer in person or by telephone, the Section
1022.74(f) notice may be provided at the earlier of:
a. The time of the first mailing to the consumer after the
decision is made to approve the credit, such as in a
mailing containing the account agreement or a credit
card; or
b. Within 30 days after the decision to approve the
credit. (12 CFR 1022.73(c)(3))
Model form. Appendix H-5 of the regulation contains a model
form of the Section 1022.74(f) notice. While use of the model
form is optional, appropriate use of Model Form H-5 is
deemed to comply with the requirements of Section
1022.74(f).
Rules of Construction (12 CFR 1022.75) The rules clarify
that, in general, only one risk-based pricing notice or one
credit score exception notice is required to be provided per
credit extension (however, an account review would still be
required, if applicable). In a transaction involving two or more
consumers, a financial institution must provide a risk-based
pricing notice to each consumer. If the consumers have the
same address, a financial institution may satisfy the
requirements by providing a single risk-based pricing notice
addressed to both consumers. For credit score disclosure
exception notices, whether the consumers have the same
address or not, the financial institution must provide a separate
notice to each consumer.
Appendix H. Appendix H contains five optional model forms
that may be used to comply with the regulatory requirements.
The five model forms are:
1. H-1 Model form for risk-based pricing notice
2. H-2 Model form for account review risk-based pricing
notice
3. H-3 Model form for credit score disclosure exception for
credit secured by one to four units of residential real
property
4. H-4 Model form for credit score disclosure exception for
loans not secured by residential real property
5. H-5 Model form for credit score disclosure exception for
loans where credit score is not available
Use of the model forms is not required. A financial institution
may change the forms by rearranging the format or by making
technical modifications to the language of the forms.
However, any change may not be so extensive as to materially
affect the substance, clarity, comprehensibility, or meaningful
sequence of the forms. Institutions making such extensive
revisions would lose the “safe harbor” that Appendix H
provides. Examples of acceptable changes are provided in
Appendix H to the regulation.
Examination Procedures
1. Determine whether the financial institution uses consumer
report information in consumer credit decisions.
If yes, determine whether the institution uses such
information to provide credit on terms that are “materially
less favorable” than the most favorable material terms
available to a substantial proportion of its consumers.
Relevant factors in determining the significance of
differences in the cost of credit include the type of credit
product, the term of the credit extension, and the extent of
the difference.
If “yes,” the financial institution is subject to the risk-
based pricing regulations.
2. Determine whether the financial institution provides a
risk-based pricing notice to a consumer (12 CFR
1022.72(a)). If it does, proceed to step #3. If the institution
does not provide a risk-based pricing notice, proceed to
step #5 to determine whether an exception applies (12
CFR 1022.74).
3. Determine the method the financial institution uses to
identify consumers who must receive a risk-based pricing
notice and whether the method complies with the
regulation (12 CFR 1022.72(b)).
a. For institutions that use the direct comparison method
(12 CFR 1022.72(b)), determine whether the
institution directly compares the material terms
offered to each consumer and the material terms offered
to the other consumers for a specific type of credit
product.
b. For institutions that use the credit score proxy method:
(12 CFR 1022.72(b)(1))
i. Determine whether the institution calculates the
cutoff score by considering the credit scores of
all, or a representative sample, of consumers who
have received credit for a specific type of credit
product;
ii. Determine whether the institution recalculates the
cutoff score no less than every two years;
iii. For new entrants into the credit business, for new
products subject to risk-based pricing, or for
acquired credit portfolios, determine whether the
institution recalculates the cutoff scores within
time periods specified in the regulation;
iv. For institutions using more than one credit score
to set material terms, determine whether the
institution establishes a cutoff score according to
the methods specified in the regulation; and
v. If no credit score is available for a consumer,
determine whether the institution provides the
consumer a risk-based pricing notice.
c. For institutions that use the tiered pricing method: (12
CFR 1022.72(b)(2))
i. When four or fewer pricing tiers are used,
determine if the institution sends risk-based
pricing notices to consumers who do not qualify
for the top, best-priced tier; or
ii. When five or more pricing tiers are used,
determine if the institution provides risk-based
pricing notices to consumers who do not qualify
for the two top, best-priced tiers and any other tier
that, combined with the top two tiers, equal no
less than the top 30 percent and no more than the
top 40 percent of the total number of tiers.
d. For credit card issuers:
i. Determine whether the card issuer uses the
credit score proxy method or the tiered pricing
method to identify consumers to whom it must
provide a risk-based pricing notice.
ii. If the institution does not use the credit score
proxy method or the tiered pricing method,
determine whether the card issuer uses the
following method as permitted by 12 CFR
1022.72(c) to identify consumers to whom it must
provide a risk-based pricing notice:
A consumer applies for a credit card either in
connection with an application program, such
as a direct-mail offer or a take-one
application, or in response to a solicitation
under 12 CFR 1026.5a, and more than a
single possible purchase annual percentage
rate may apply under the program or
solicitation; and
Based in whole or in part on a consumer
report, the credit card issuer provides a credit
card to the consumer with a purchase APR
that is greater than the lowest purchase APR
available in connection with the application
or solicitation.
iii. Determine whether the card issuer provides a risk-
based pricing notice to each consumer that is
provided a credit card with a purchase APR
greater than the lowest purchase APR available
under the program or solicitation.
4. Determine whether the risk-based pricing notice contains:
(12 CFR 1022.73(a)(1))
a. A statement that a consumer report (or credit report)
includes information about the consumer’s credit
history and the type of information included in that
history;
b. A statement that the terms offered, such as the APR,
have been set based on information from a consumer
report;
c. A statement that the terms offered may be less
favorable than the terms offered to consumers with
better credit histories;
d. A statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the report;
e. The identity of each consumer reporting agency that
furnished a consumer report used in the credit
decision;
f. A statement that federal law gives the consumer the
right to obtain a copy of a consumer report from the
consumer reporting agency or agencies identified in
the notice without charge for 60 days after receipt of
the notice;
g. A statement informing the consumer how to obtain a
consumer report from the consumer reporting agency
or agencies identified in the notice and providing
contact information (including a toll-free telephone
number, where applicable) specified by the consumer
reporting agency or agencies; and
h. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports.
Proceed to step #10.
5. If the institution does not provide a risk-based pricing
notice, determine if one of the following situations that
qualify for a regulatory exception applies: (12 CFR
1022.74(a)-(f))
a. When a consumer applies for specific terms of credit,
and receives them, unless those terms were specified
by the creditor using a consumer report after the
consumer applied for the credit and after the creditor
obtained the consumer report;
b. When a creditor provides a notice of adverse action;
c. When a creditor makes a firm offer of credit in a
prescreened solicitation;
d. When an institution generally provides a credit score
disclosure to each consumer that requests a loan that
is or will be secured by residential real property;
e. When an institution generally provides a credit score
disclosure to each consumer that requests a loan that
is not or will not be secured by residential real
property; and
f. When an institution, which otherwise provides credit
score disclosures to consumers that request loans,
provides a disclosure for when no credit score is
available.
6. For institutions that choose to provide a credit score
disclosure to consumers that request a loan that is or will
be secured by residential real property, determine whether
the Section 1022.74(d) notice generally is provided to
each consumer that requests such an extension of credit
and that each notice contains:
a. A statement that a consumer report (or credit report) is
a record of the consumer’s credit history and includes
information about whether the consumer pays his or
her obligations on time and how much the consumer
owes to creditors;
b. A statement that a credit score is a number that takes
into account information in a consumer report and that
a credit score can change over time to reflect changes
in the consumer’s credit history;
c. A statement that the consumer’s credit score can
affect whether the consumer can obtain credit and
what the cost of that credit will be;
d. A statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the report;
e. A statement that federal law gives the consumer the
right to obtain copies of his or her consumer reports
directly from the consumer reporting agencies,
including a free report from each of the nationwide
consumer reporting agencies once during any 12-
month period;
f. Contact information for the centralized source from
which consumers may obtain their free annual
consumer reports;
g. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports;
h. The information required to be disclosed to the
consumer in Section 609(g) of the FCRA, and as
described in Module 3 of these examination
procedures, under “Disclosure of Credit Scores by
Certain Mortgage Lenders (FCRA), Section 609(g)”;
and
i. The distribution of credit scores among consumers
who are scored under the same scoring model that is
used to generate the consumer’s credit score. The
distribution should:
Use the same scale as that of the credit score
provided to the consumer, and
Be presented:
° In the form of a bar graph containing a
minimum of six bars that illustrates the
percentage of consumers with credit scores
within the range of scores reflected in each
bar,
° By other clear and readily understandable
graphical means, or
° In a clear and readily understandable
statement informing the consumer how his or
her credit score compares to the scores of
other consumers.
The presentation may use a graph or statement
obtained from the entity providing the credit score
if it meets these requirements.
7. For institutions that choose to provide a credit score
disclosure to consumers that request a loan that is not or
will not be secured by residential real property, determine
whether the Section 1022.74(e) notice generally is
provided to each consumer that requests such an extension
of credit and that each notice contains:
a. A statement that a consumer report (or credit report) is
a record of the consumer’s credit history and includes
information about whether the consumer pays his or
her obligations on time and how much the consumer
owes to creditors;
b. A statement that a credit score is a number that takes
into account information in a consumer report and that
a credit score can change over time to reflect changes
in the consumer’s credit history;
c. A statement that the consumer’s credit score can
affect whether the consumer can obtain credit and
what the cost of that credit will be;
d. A statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the report;
e. A statement that federal law gives the consumer the
right to obtain copies of his or her consumer reports
directly from the consumer reporting agencies,
including a free report from each of the nationwide
consumer reporting agencies once during any 12-
month period;
f. Contact information for the centralized source from
which consumers may obtain their free annual
consumer reports;
g. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports;
h. The current credit score of the consumer or the most
recent credit score of the consumer that was
previously calculated by the consumer reporting
agency for a purpose related to the extension of credit;
i. The distribution of credit scores among consumers
who are scored under the same scoring model that is
used to generate the consumer’s credit score. The
distribution should:
Use the same scale as that of the credit score
provided to the consumer, and
Be presented:
° in the form of a bar graph containing a
minimum of six bars that illustrates the
percentage of consumers with credit scores
within the range of scores reflected in each
bar,
° by other clear and readily understandable
graphical means, or
° in a clear and readily understandable
statement informing the consumer how his or
her credit score compares to the scores of
other consumers.
The presentation may use a graph or statement
obtained from the entity providing the credit score
if it meets these requirements;
j. The range of possible credit scores under the model
used to generate the credit score;
k. The date on which the credit score was created; and
l. The name of the consumer reporting agency or other
person that provided the credit score.
8. For institutions that otherwise provide credit score
disclosures to consumers that request loans, determine
whether the Section 1022.74(f) notice is provided to the
applicable consumers in situations where no credit score is
available for the consumer, as required by 1022.74(f).
Determine whether each notice contains:
a. A statement that a consumer report (or credit report)
includes information about the consumer’s credit
history and the type of information included in that
history;
b. A statement that a credit score is a number that takes
into account information in a consumer report and that
a credit score can change over time in response to
changes in the consumer’s credit history;
c. A statement that credit scores are important because
consumers with higher credit scores generally obtain
more favorable credit terms;
d. A statement that not having a credit score can affect
whether the consumer can obtain credit and what the
cost of that credit will be;
e. A statement that a credit score about the consumer
was not available from a consumer reporting agency,
which must be identified by name, generally due to
insufficient information regarding the consumer’s
credit history;
f. A statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the consumer report;
g. A statement that federal law gives the consumer the
right to obtain copies of his or her consumer reports
directly from the consumer reporting agencies,
including a free consumer report from each of the
nationwide consumer reporting agencies once during
any 12-month period;
h. The contact information for the centralized source
from which consumers may obtain their free annual
consumer reports; and
i. A statement directing consumers to the web site of the
Bureau to obtain more information about consumer
reports.
9. For institutions that provide credit score exception notices
and that obtain multiple credit scores in setting material
terms of credit, determine whether the score(s) is disclosed
in a manner consistent with the regulation: (12 CFR
1022.74(d)(4) and .74 (e)(4))
a. If an institution only relies upon one of those credit
scores in setting the material terms of credit granted,
extended, or otherwise provided to a consumer (for
example, by using the low, middle, high, or most
recent score), determine whether the notice includes
that credit score and the other information required by
Section 1022.74(d).
b. If an institution relies upon multiple credit scores in
setting the material terms of credit granted, extended,
or otherwise provided to a consumer (for example, by
computing the average of all the credit scores
obtained), determine whether the notice includes one
of those credit scores and the other information
required by Section 1022.74(d).
10. Regardless of whether the institution provides risk-based
pricing notices or credit score exception notices, if the
institution increases the consumer’s APR as the result of a
review of a consumer’s account, determine whether the
financial institution provided the consumer with an
account review risk-based pricing notice (12 CFR
1022.72(d)) if an adverse action notice was not already
provided.
11. Determine whether the account review risk-based pricing
notice contains (12 CFR 1022.73(a)(2)):
a. a statement that a consumer report (or credit report)
includes information about the consumer’s credit
history and the type of information included in that
history;
b. a statement that the consumer is encouraged to verify
the accuracy of the information contained in the
consumer report and has the right to dispute any
inaccurate information in the report;
c. the identity of each consumer reporting agency that
furnished a consumer report used in the credit
decision;
d. a statement that federal law gives the consumer the
right to obtain a copy of a consumer report from the
consumer reporting agency or agencies identified in
the notice without charge for 60 days after receipt of
the notice;
e. a statement that informs the consumer how to obtain a
consumer report from the consumer reporting agency
or agencies identified in the notice and provides
contact information (including a toll-free telephone
number, where applicable) specified by the consumer
reporting agency or agencies;
f. a statement that directs consumers to the web site of
the Bureau to obtain more information about
consumer reports;
g. a statement that the financial institution has conducted
a review of the account using information from a
consumer report; and
h. a statement that, as a result of the review, the APR on
the account has been increased based on information
from a consumer report.
12. For all notices, determine whether the notices are clear
and conspicuous and comply with the specific format
requirements for the notices (12 CFR 1022.73(b),
.74(d)(2), .74(e)(2), and .74(f)(3)).
13. For all notices, determine whether the notices are provided
within the required timeframes: (12 CFR 1022.73(c),
.74(d)(3), .74(e)(3), and .74(f)(4))
a. Risk-based pricing notices and account review
risk-based pricing notices
For closed-end credit, the notice generally must
be provided to the consumer after the decision to
approve a credit request is communicated to the
consumer, but before consummation of the
transaction.
For open-end credit, the notice generally must be
provided after the decision to grant credit is
communicated to the consumer, but before the
first transaction under the plan has been made.
For account reviews, the notice generally must be
provided at the time that the decision to increase
the APR is communicated to the consumer or no
later than five days after the effective date of the
change in the APR.
b. Credit score disclosures for loans secured by
residential real property
The credit score disclosure for loans secured by
residential real property must be provided to the
consumer at the same time as the disclosure
required by Section 609(g) of the FCRA is
provided to the consumer. The 609(g) notice must
be provided as soon as reasonably practicable
after the credit score has been obtained. In any
event, the credit score disclosure for loans secured
by residential real property must be provided at or
before consummation in the case of closed-end
credit or before the first transaction is made under
an open-end credit plan.
c. Credit score disclosures for loans not secured by
residential real property
The notice generally must be provided to the
consumer as soon as reasonably practicable after
the credit score has been obtained, but in any
event at or before consummation in the case of
closed-end credit or before the first transaction is
made under an open-end credit plan.
d. Credit score exception notices when no credit score is
available
The notice generally must be provided to the
consumer as soon as reasonably practicable after
the institution has requested the credit score, but
in any event not later than consummation of a
transaction in the case of closed-end credit or
when the first transaction is made under an open-
end credit plan.
e. All notices, except credit score disclosures for loans
secured by residential real property
For automobile lending transactions made through
an auto dealer that is unaffiliated with the
institution, the institution may provide a notice in
the time periods described above. Alternatively,
the institution may arrange to have the auto dealer
provide a notice to the consumer on its behalf
within these time periods and maintain reasonable
policies and procedures to verify that the auto
dealer provides the notice to the consumer within
the applicable time periods. If the institution
arranges to have the auto dealer provide a credit
score disclosure for loans not secured by
residential real property, the institution complies
if the consumer receives a notice containing a
credit score obtained by the dealer within these time
periods, even if a different credit score is obtained
and used by the institution.
For instant credit that is granted under an open-end
credit plan to a consumer in person or by telephone,
the notice may be provided at the earlier of:
° The time of the first mailing to the consumer after
the decision is made to approve the credit, such as
in a mailing containing the account agreement or
a credit card; or
° Within 30 days after the decision to approve the
credit.
14. For all notices, determine whether the financial institution
follows the rules of construction pertaining to the number
of notices provided to the consumer(s) (12 CFR 1022.75).
In a transaction involving two or more consumers, a
financial institution must provide a risk-based pricing notice to
each consumer. If the consumers have the same address, a
financial institution may satisfy the requirements by
providing a single risk-based pricing notice addressed to
both consumers. For credit score disclosure exception
notices, whether the consumers have the same address or
not, the financial institution must provide a separate notice
to each consumer.
15. For all notices, determine whether the financial institution
uses the model forms in Appendix H of the regulation. If
yes, determine that it does not modify the model form so
extensively as to affect the substance, clarity,
comprehensibility, or meaningful sequence of the forms
(Appendix H).
Module 4: Financial Institutions as Furnishers of
Information
Overview
The Fair Credit Reporting Act (FCRA) contains many
responsibilities for financial institutions that furnish
information to consumer reporting agencies. These
requirements generally involve ensuring the accuracy of the
data that is placed in the consumer reporting system. This
examination module includes reviews of the various areas
associated with furnishers of information. This module will
not apply to financial institutions that do not furnish any
information to consumer reporting agencies.
Section 605(h) Address Discrepancies
Section 605(h)(1) requires that, when providing a consumer
report to a person that requests the report (a user), a
nationwide consumer reporting agency (NCRA) must provide
a notice of address discrepancy to the user if the address
provided by the user in its request “substantially differs” from
the address the NCRA has in the consumer’s file. Section
605(h)(2) requires the federal banking agencies and the NCUA
(the Agencies) and the FTC to prescribe regulations providing
guidance regarding reasonable policies and procedures that a
user of a consumer report should employ when such user has
received a notice of address discrepancy. On November 9,
2007, the agencies published final rules in the Federal Register
implementing this section. (72 FR 63718)
Definitions
“Nationwide consumer reporting agency.” Section 603(p)
defines an NCRA as one that compiles and maintains files on
consumers on a nationwide basis and regularly engages in the
practice of assembling or evaluating and maintaining the
following two pieces of information about consumers residing
nationwide for the purpose of furnishing consumer reports to
third parties bearing on a consumer’s credit worthiness, credit
standing, or credit capacity:
1. Public record information and
2. Credit account information from persons who furnish that
information regularly and in the ordinary course of
business.
“Notice of address discrepancy” (12 CFR 1022.82(b)). A
“notice of address discrepancy” is a notice sent to a user by an
NCRA (section 603(p)) that informs the user of a substantial
difference between the address for the consumer that the user
provided to request the consumer report and the address(es) in
the NCRA’s file for the consumer.
“Requirement to form a reasonable belief” (12 CFR
1022.82(c)). A user must develop and implement reasonable
policies and procedures designed to enable the user to form a
reasonable belief that the consumer report relates to the
consumer whose report was requested, when the user receives
a notice of address discrepancy in connection with a new or
existing account.
The rules provide the following examples of reasonable
policies and procedures for forming a reasonable belief that a
consumer report relates to the consumer whose report was
requested:
1. Comparing information in the consumer report with
information the user
a. has obtained and used to verify the consumer’s
identity as required by the Customer Identification
Program rules (31 CFR 103.121);
b. maintains in its records; or
c. obtains from a third party; or
2. Verifying the information in the consumer report with the
consumer.
“Requirement to furnish a consumer’s address to an
NCRA” (12 CFR 1022.82(d)). A user must develop and
implement reasonable policies and procedures for furnishing
to the NCRA an address for the consumer that the user has
reasonably confirmed is accurate when the user
1. can form a reasonable belief that the report relates to the
consumer whose report was requested;
2. establishes a continuing relationship with the consumer
(i.e., in connection with a new account); and
3. regularly furnishes information to the NCRA that provided
the notice of address discrepancy.
A user’s policies and procedures for furnishing a
consumer’s address to an NCRA must require the user to
furnish the confirmed address as part of the information it
regularly furnishes to the NCRA during the reporting
period when it establishes a continuing relationship with
the consumer.
The rules also provide the following examples of how a user
may reasonably confirm an address is accurate:
1. Verifying the address with the consumer whose report was
requested;
2. Reviewing its own records;
3. Verifying the address through third-party sources; or
4. Using other reasonable means.
Examination Procedures
(12 CFR 1022.82)
1. Determine whether a user of consumer reports has policies
and procedures to recognize notices of address
discrepancy that it receives from a nationwide consumer
reporting agency (NCRA)¹⁶ in connection with consumer
reports.
2. Determine whether a user that receives notices of address
discrepancy has policies and procedures to form a
reasonable belief that the consumer report relates to the
consumer whose report was requested. (12 CFR
1022.82(c))
See examples of reasonable policies and procedures “to
form a reasonable belief” in 12 CFR 1022.82(c)(2).
3. Determine whether a user that receives notices of address
discrepancy has policies and procedures to furnish to the
NCRA an address for the consumer that the user has
reasonably confirmed is accurate, if the user
a. can form a reasonable belief that the report relates to
the consumer;
b. establishes a continuing relationship with the
consumer; and
c. regularly furnishes information to the NCRA. (12
CFR 1022.82(d)(1))
See examples of reasonable confirmation methods in 12
CFR 1022.82(d)(2).
4. Determine whether the user’s policies and procedures
require it to furnish the confirmed address as part of the
information it regularly furnishes to an NCRA during the
reporting period when it establishes a relationship with the
consumer. (12 CFR 1022.82(d)(3))
5. If procedural weaknesses or other risks requiring further
information are noted, obtain a sample of consumer
reports requested by the user from an NCRA that included
notices of address discrepancy and determine:
a. How the user established a reasonable belief that the
consumer reports related to the consumers whose
reports were requested; and
b. If a consumer relationship was established:
• Whether the institution furnished a consumer’s
address that it reasonably confirmed to the NCRA
from which it received the notice of address
discrepancy; and
• Whether it furnished the address in the reporting
period during which it established the
relationship.
Conclusion. On the basis of examination procedures
completed, form a conclusion about the ability of user’s
policies and procedures to meet regulatory requirements for
the proper handling of address discrepancies reported by an
NCRA.
16 A NCRA compiles and maintains files on consumers on a nationwide basis.
As of the effective date of the rule (January 1, 2008) there were three such
consumer reporting agencies: Experian, Equifax, and TransUnion. Section
603(p) of FCRA (15 USC 1681a).
Section 615(e) Change of Address
Section 615(e)(1)(C) requires the Agencies and the FTC to
prescribe regulations for debit and credit card issuers
regarding the assessment of the validity of address changes for
existing accounts. The regulations require card issuers to have
procedures to assess the validity of an address change if the
card issuer receives a notice of change of address for an
existing account, and within a short period of time (during at
least the first 30 days) receives a request for an additional or
replacement card for the same account. On November 9, 2007,
the Agencies published final rules in the Federal Register
implementing this section. (72 FR 63718)
Definitions (12 CFR 334.91(b))
The following definitions pertain to the rules governing the
duties of card issuers regarding changes of address:
“Cardholder” means a consumer who has been issued a credit or
debit card.
“Clear and conspicuous” means reasonably understandable
and designed to call attention to the nature and significance of
the information presented.
Address validation requirements (12 CFR 334.91(c)). A card
issuer must establish and implement policies and procedures to
assess the validity of a change of address if it receives
notification of a change of address for a consumer’s debit or
credit card account and, within a short period of time
afterwards (during at least the first 30 days after it receives
such notification), the card issuer receives a request for an
additional or replacement card for the same account. In such
situations, the card issuer must not issue an additional or
replacement card until it assesses the validity of the change of
address in accordance with its policies and procedures.
The policies and procedures must provide that the card issuer
will:
1. Notify the cardholder of the request for an additional or
replacement card
a. at the cardholder’s former address; or
b. by any other means of communication that the card
issuer and the cardholder have previously agreed to
use; and
2. Provide to the cardholder a reasonable means of promptly
reporting incorrect address changes; or
3. Assess the validity of the change of address according to
the procedures the card issuer has established as a part of
its Identity Theft Prevention Program (12 CFR 334.90).
Alternative timing of address validation (12 CFR 334.91(d)).
A card issuer may satisfy the requirements of these rules prior
to receiving any request for an additional or replacement card
by validating an address when it receives an address change
notification.
Form of notice (12 CFR 334.91(e))
Any written or electronic notice that a card issuer provides to
satisfy these rules must be clear and conspicuous and provided
separately from its regular correspondence with the
cardholder.
Change of Address Examination Procedures (12 CFR
334.91)
1. Verify that the card issuer has policies and procedures to
assess the validity of a change of address if:
a. it receives notification of a change of address for a
consumer’s debit or credit card account; and
b. within a short period of time afterwards (during at
least the first 30 days after it receives such
notification), the card issuer receives a request for an
additional or replacement card for the same account.
(12 CFR 334.91(c))
2. Determine whether the policies and procedures prevent the
card issuer from issuing additional or replacement cards
until it:
a. notifies the cardholder at the cardholder’s former
address or by any other means previously agreed to
and provides the cardholder a reasonable means to
promptly report an incorrect address (12 CFR
334.91(c)(1)(i)-(ii)); or
b. uses other reasonable means of evaluating the validity
of the address change (12 CFR 334.91(c)(2)).
In the alternative, a card issuer may validate a change of
address request when it is received, using the above
methods, prior to receiving any request for an additional
or replacement card. (12 CFR 334.91(d))
3. Determine whether any written or electronic notice sent to
cardholders for purposes of validating a change of address
request is clear and conspicuous and is provided
separately from any regular correspondence with the
cardholder. (12 CFR 334.91(e))
4. If procedural weaknesses or other risks requiring further
information are noted, obtain a sample of notifications
from cardholders of changes of address and requests for
additional or replacement cards to determine whether the
card issuer complied with the regulatory requirement to
evaluate the validity of the notice of address change before
issuing additional or replacement cards.
Conclusion. On the basis of examination procedures
completed, form a conclusion about whether a card issuer’s
policies and procedures effectively meet regulatory
requirements for evaluating the validity of change of address
requests received in connection with credit or debit card
accounts.
Section 623 Furnishers of Information General
Background
Section 623 of the Fair Credit Reporting Act (FCRA) requires
the federal banking agencies (Agencies) and the Federal Trade
Commission (FTC) to:
• Issue guidelines for use by furnishers regarding the accuracy
and integrity of the information about consumers that they
furnish to consumer reporting agencies;
• Prescribe regulations requiring furnishers to establish
reasonable policies and procedures for implementing the
guidelines; and
• Issue regulations identifying the circumstances under which a
furnisher must reinvestigate disputes concerning the accuracy
of information contained in a consumer report based on a
direct request from a consumer.
On July 1, 2009, the Agencies and the FTC published final
rules in the Federal Register (74 FR 31484) implementing this
section of FCRA.
Definitions (12 CFR 1022.41)
The following definitions pertain to the rules governing the
furnishers of information to a consumer reporting agency:
“Accuracy” means that the information a furnisher provides
to a consumer reporting agency about an account or other
relationship with the consumer correctly:
1. Reflects the terms of and liability for the account or other
relationship;
2. Reflects the consumer’s performance and other conduct
with respect to the account or other relationship; and
3. Identifies the appropriate consumer.
“Direct dispute” means a dispute submitted by a consumer
directly to a furnisher (including a furnisher that is a debt
collector) concerning the accuracy of any information
contained in a consumer report and pertaining to an account or
other relationship that the furnisher has or had with the
consumer.
“Furnisher” means an entity that furnishes information
relating to consumers to one or more consumer reporting
agencies for inclusion in a consumer report. An entity is not a
furnisher when it:
1. Provides information to a consumer reporting agency
solely to obtain a consumer report in accordance with the
permissible purposes outlined in sections 604(a) and (f) of
the FCRA;
2. Is acting as a “consumer reporting agency” as defined in
section 603(f) of the FCRA;
3. Is a consumer to whom the furnished information pertains;
or
4. Is a neighbor, friend, or associate of the consumer, or
another individual with whom the consumer is acquainted
or who may have knowledge about the consumer, and who
provides information about the consumer’s character,
general reputation, personal characteristics, or mode of
living in response to a specific request from a consumer
reporting agency.
“Identity theft” means a fraud committed or attempted using
the identifying information of another person without
authority. “Identifying information” means any name or
number that may be used alone or in conjunction with any
other information to identify a specific person (16 CFR 603.2).
“Integrity” means that the information a furnisher provides to
a consumer reporting agency about an account or other
relationship with the consumer:
1. Is substantiated by the furnisher’s records at the time it is
furnished;
2. Is furnished in a form and manner that is designed to
minimize the likelihood that the information may be
incorrectly reflected in a consumer report; and
3. Includes:
a. the information in the furnisher’s possession about the
account or other relationship that the relevant Agency
has determined that the absence of which would likely
be materially misleading in evaluating a consumer’s
creditworthiness, credit standing, credit capacity,
character, general reputation, personal characteristics,
or mode of living; and
b. the credit limit, if applicable and in the furnisher’s
possession.
Duties of furnishers to provide accurate information. Section
623(a) states that a person, including a financial institution,
may, but need not, specify an address for receipt of notices
from consumers concerning inaccurate information. If the
financial institution specifies such an address, then it may not
furnish information relating to a consumer to any consumer
reporting agency, if (a) the financial institution has been
notified by the consumer, at the specified address, that the
information is inaccurate, and (b) the information is in fact
inaccurate. If the financial institution does not specify an
address, then it may not furnish any information relating to a
consumer to any consumer reporting agency if the financial
institution knows or has reasonable cause to believe that the
information is inaccurate.
When a financial institution that (regularly and in the ordinary
course of business) furnishes information to one or more
consumer reporting agencies about its transactions or
experiences with any consumer determines that any such
information is not complete or accurate, the financial
institution must promptly notify the consumer reporting
agency of that determination. Corrections to that information
or any additional information necessary to make the
information complete and accurate must be provided to the
consumer reporting agency. Further, any information that
remains incomplete or inaccurate must not thereafter be
furnished to the consumer reporting agency.
If the completeness or accuracy of any information furnished
by a financial institution to a consumer reporting agency is
disputed by a consumer, that financial institution may not
furnish the information to any consumer reporting agency
without notice that the information is disputed by the
consumer.
Reasonable policies and procedures concerning the accuracy
and integrity of furnished information (12 CFR 1022.42) and
Interagency Guidelines (12 CFR 1022, Appendix E).
Each furnisher must establish and implement reasonable
written policies and procedures regarding the accuracy and
integrity of consumer information that it furnishes to a
consumer reporting agency. The policies and procedures must
be appropriate to the nature, size, complexity, and scope of
each furnisher’s activities. In developing its policies and
procedures, a furnisher must consider the Interagency
Guidelines and may include its existing policies and
procedures that are relevant and appropriate. Each furnisher
must also review its policies and procedures periodically and
update them as necessary to ensure their continued
effectiveness.
Voluntary closures of accounts. Section 623(a)(4) requires
that any person, including a financial institution, that
(regularly and in the ordinary course of business) furnishes
information to a consumer reporting agency regarding a
consumer who has a credit account with that financial
institution, must notify the consumer reporting agency of the
voluntary closure of the account by the consumer in
information regularly furnished for the period in which the
account is closed.
Notice involving delinquent accounts. Section 623(a)(5)
requires that a person, including a financial institution, that
furnishes information to a consumer reporting agency about a
delinquent account being placed for collection, charged off, or
subjected to any similar action, must, not later than 90 days
after furnishing the information to the consumer reporting
agency, notify the consumer reporting agency of the month
and year of the commencement of the delinquency that
immediately preceded the action.
Duties upon notice of dispute from a consumer reporting
agency. Section 623(b) requires that whenever a financial
institution receives a notice of dispute from a consumer
reporting agency regarding the accuracy or completeness of
any information provided by the financial institution to a
consumer reporting agency pursuant to section 611 (Procedure
in Case of Disputed Accuracy), that financial institution must,
pursuant to section 623(b):
1. Conduct an investigation regarding the disputed
information;
2. Review all relevant information provided by the consumer
reporting agency along with the notice;
3. Report the results of the investigation to the consumer
reporting agency; and
4. If the disputed information is found to be incomplete or
inaccurate, report those results to all nationwide consumer
reporting agencies to which the financial institution
previously provided the information.
5. If the disputed information is incomplete, inaccurate, or
not verifiable by the financial institution, the financial
institution must promptly, for purposes of reporting to the
consumer reporting agency:
a. Modify the item of information,
b. Delete the item of information, or
c. Permanently block the reporting of that item of
information.
The investigations, reviews and reports required to be made
must be completed within 30 days. The time period may be
extended for 15 days if a consumer reporting agency receives
additional relevant information from the consumer.
Duties upon notice of a direct dispute from a consumer
(12 CFR 1022.43).
General rule. A furnisher must conduct a reasonable
investigation of a direct dispute (unless exceptions, described
later, apply) if the dispute relates to:
1. The consumer’s liability for a credit account or other debt
with the furnisher, such as direct disputes relating to
whether there is or has been identity theft or fraud against
the consumer, whether there is individual or joint liability
on an account, or whether the consumer is an authorized
user of a credit account;
2. The terms of a credit account or other debt with the
furnisher, such as direct disputes relating to the type of
account, principal balance, scheduled payment amount on
an account, or the amount of the credit limit on an open-
end account;
3. The consumer’s performance or other conduct concerning
an account or other relationship with the furnisher, such as
direct disputes relating to the current payment status, high
balance, payment date, the payment amount, or the date an
account was opened or closed; or
4. Any other information contained in a consumer report
regarding an account or other relationship with the
furnisher that bears on the consumer’s creditworthiness,
credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living.
Exceptions. The direct dispute requirements do not apply to a
furnisher if the direct dispute relates to:
1. The consumer’s identifying information such as name(s),
date of birth, Social Security number, telephone
number(s), or address(es);
2. The identity of past or present employers;
3. Inquiries or requests for a consumer report;
4. Information derived from public records, such as
judgments, bankruptcies, liens, and other legal matters
(unless the information was provided by a furnisher with
an account or other relationship with the consumer);
5. Information related to fraud alerts or active duty alerts; or
6. Information provided to a consumer reporting agency by
another furnisher.
The direct dispute requirements also do not apply if the
furnisher has a reasonable belief that the direct dispute is:
1. submitted by a credit repair organization;
2. prepared on behalf of the consumer by a credit repair
organization; or
3. submitted on a form supplied to the consumer by a
credit repair organization.
Direct Dispute Address. A furnisher is required to investigate
a direct dispute only if a consumer submits a dispute notice to
the furnisher at:
1. The address provided by a furnisher and listed on a
consumer report relating to the consumer;
2. An address clearly and conspicuously specified by the
furnisher that is provided to the consumer in writing or
electronically (if the consumer has agreed to the electronic
delivery of information from the furnisher); or
3. Any business address of the furnisher if the furnisher has
not provided a specific address for submitting direct
disputes.
Direct Dispute Notice Contents. A dispute notice from a
consumer must include:
1. Sufficient information to identify the account or other
relationship that is in dispute, such as an account number
and the name, address, and telephone number of the
consumer;
2. The specific information that the consumer is disputing
and an explanation of the basis for the dispute; and
3. All supporting documentation or other information
reasonably required by the furnisher to substantiate the
basis of the dispute. This documentation may include, for
example, a copy of the relevant portion of the consumer
report that contains the allegedly inaccurate information; a
police report; a fraud or identity theft affidavit; a court
order; or account statements.
Duties of a Furnisher after Receiving a Direct Dispute
Notice from a Consumer. After receiving a dispute notice
from a consumer, the furnisher must:
1. Conduct a reasonable investigation with respect to the
disputed information;
2. Review all relevant information provided by the consumer
with the dispute notice;
3. Complete its investigation of the dispute and report the
results of the investigation to the consumer before the
expiration of the period under section 611(a)(1) of the
FCRA (15 U.S.C. 1681i(a)(1)) within which a consumer
reporting agency would be required to complete its action
if the consumer had elected to dispute the information
under that section; and
4. If the investigation finds that the information reported was
inaccurate, promptly notify each consumer reporting
agency to which the furnisher provided inaccurate
information of investigation findings and provide to the
consumer reporting agency any correction to that
information that is necessary to make the information
provided by the furnisher accurate.
Frivolous or Irrelevant Disputes. A furnisher is not required
to investigate a direct dispute if the furnisher has reasonably
determined that the dispute is frivolous or irrelevant. A dispute
qualifies as frivolous or irrelevant if:
1. The consumer did not provide sufficient information to
investigate the disputed information;
2. The direct dispute is substantially the same as a dispute
previously submitted by or on behalf of the consumer and
the dispute is one with respect to which the furnisher has
already complied with the statutory or regulatory
requirements. However, a direct dispute would not be
“substantially the same” as the one previously submitted if
the dispute includes new information required by the
regulation to be provided to the furnisher, but that had not
previously been provided; or
3. The furnisher is not required to investigate the direct
dispute because one or more of the exceptions listed in 12
CFR 1022.43(b) applies.
Upon making a determination that a dispute is frivolous or
irrelevant, the furnisher must notify the consumer of the
determination not later than five business days after making
the determination, by mail or, if authorized by the consumer
for that purpose, by any other means available to the furnisher.
The furnisher’s notice that a dispute is frivolous or irrelevant
must include the reasons for such determination and identify
any information required to investigate the disputed
information. The notice may consist of a standardized form
describing the general nature of such information.
Examination Procedures
1. Determine whether the financial institution furnishes
consumer information to a consumer reporting agency
about an account or other relationship with a consumer. If
so, the institution is subject to 12 CFR 1022.40.
2. Determine whether the financial institution has established
and implemented reasonable policies and procedures
regarding the accuracy and integrity of information
furnished to a consumer reporting agency (12 CFR
1022.42(a)).
3. Determine whether the institution considered the
Interagency Guidelines in Appendix E of the regulation
when developing its policies and procedures, and
incorporated the guidelines as appropriate (12 CFR
1022.42(b)).
4. Determine whether the institution reviews its policies and
procedures periodically and updates them as necessary to
ensure their effectiveness (12 CFR 1022.42(c)).
5. If procedural weaknesses are noted or other risks requiring
further investigation are noted, such as a high number of
consumer complaints regarding the accuracy of their
consumer report information from the financial institution,
select a sample of reported items and the corresponding
loan or collection file to determine that the financial
institution:
a. Did not report information that it knew, or had
reasonable cause to believe, was inaccurate. Section
623(a)(1)(A) [15 U.S.C. § 1681s-2(a)(1)(A)];
b. Did not report information to a consumer reporting
agency if it was notified by the consumer that the
information was inaccurate and the information was,
in fact, inaccurate. Section 623(a)(1)(B) [15 U.S.C.
§ 1681s-2(a)(1)(B)];
c. Did provide the consumer reporting agency with
corrections or additional information to make the
information complete and accurate, and thereafter did
not send the consumer reporting agency the inaccurate
or incomplete information in situations where the
incomplete or inaccurate information was provided.
Section 623(a)(2) [15 U.S.C. § 1681s-2(a)(2)];
d. Furnished a notice to a consumer reporting agency of
a dispute in situations where a consumer disputed the
completeness or accuracy of any information the
institution furnished, and the institution continued
furnishing the information to a consumer reporting
agency. Section 623(a)(3) [15 U.S.C. § 1681s-2(a)(3)];
e. Notified the consumer reporting agency of a voluntary
account-closing by the consumer, and did so as part of
the information regularly furnished for the period in
which the account was closed. Section 623(a)(4) [15
U.S.C. § 1681s-2(a)(4)]; and
f. Notified the consumer reporting agency of the month
and year of commencement of a delinquency that
immediately preceded the action. The notification to
the consumer reporting agency must be made within
90 days of furnishing information about a delinquent
account that was being placed for collection, charged-
off, or subjected to any similar action. Section
623(a)(5) [15 U.S.C. § 1681s-2(a)(5)].
6. If weaknesses within the financial institution’s procedures
for investigating errors are revealed, review a sample of
notices of disputes received from a consumer reporting
agency and determine whether the institution:
a. Conducted an investigation with respect to the
disputed information. Section 623(b)(1)(A) [15 U.S.C.
§ 1681s-2(b)(1)(A)];
b. Reviewed all relevant information provided by the
consumer reporting agency. Section 623(b)(1)(B) [15
U.S.C. § 1681s-2(b)(1)(B)];
c. Reported the results of the investigation to the
consumer reporting agency. Section 623(b)(1)(C) [15
U.S.C. § 1681s-2(b)(1)(C)];
d. Reported the results of the investigation to all other
nationwide consumer reporting agencies to which the
information was furnished, if the investigation found
that the reported information was inaccurate or
incomplete. Section 623(b)(1)(D) [15 U.S.C. § 1681s-
2(b)(1)(D)]; and
e. Modified, deleted, or blocked the reporting of
information that could not be verified.
7. Determine whether the institution conducts reasonable
investigations of direct disputes from consumers,
including a review of all relevant information provided by
the consumer (12 CFR 1022.43(e)(1) and (2)).
a. Determine whether the institution completes the
investigation and reports the results to the consumer
within the required timeframe (12 CFR
1022.43(e)(3)).
b. Determine whether the institution notifies and
provides corrected information to the consumer
reporting agencies when the results of its investigation
find that inaccurate information was furnished to the
consumer reporting agencies (12 CFR 1022.43(e)(4)).
c. When the institution finds that a dispute is frivolous or
irrelevant, determine whether the institution:
• Notifies the consumer within five days after
finding the dispute frivolous or irrelevant (12
CFR 1022.43(f)(2)), and
• Includes in the consumer notification the reasons
for the findings and the information necessary to
investigate the disputed information (12 CFR
1022.43(f)(3)).
Section 623(a)(6) Prevention of Re-Pollution of Consumer
Reports
Section 623(a)(6) has specific requirements for furnishers of
information, including financial institutions, to a consumer
reporting agency that receive notice from a consumer
reporting agency that furnished information may be fraudulent
as a result of identity theft. Section 605B requires consumer
reporting agencies to notify furnishers of information,
including financial institutions, that the information may be
the result of identity theft, an identity theft report has been
filed, and that a block has been requested. Upon receiving
such notice, section 623(a)(6) requires financial institutions to
establish and follow reasonable procedures to ensure that this
information is not re-reported to the consumer reporting
agency, thus “re-polluting” the victim’s consumer report.
Section 615(f) of the FCRA also prohibits a financial
institution from selling or transferring debt caused by an
alleged identity theft.
Examination Procedures
1. If the financial institution provides information to a
consumer reporting agency, review the institution’s
policies and procedures to ensure that items of information
blocked due to an alleged identity theft are not re-reported
to the consumer reporting agency.
2. If weaknesses are noted within the financial institution’s
policies and procedures, review a sample of notices from a
consumer reporting agency of allegedly fraudulent
information due to identity theft furnished by the financial
institution to ensure that the institution does not re-report
the item to a consumer reporting agency.
3. If procedural weaknesses are noted or other risks requiring
further investigation are noted, verify that the financial
institution has not sold or transferred a debt that was
caused by an alleged identity theft.
Section 623(a)(7) Negative Information Notice
Section 623(a)(7) requires financial institutions to provide
consumers with a notice either before negative information is
provided to a nationwide consumer reporting agency, or within
30 days after reporting the negative information.
“Negative information.” For these purposes, negative
information means any information concerning a customer’s
delinquencies, late payments, insolvency, or any form of
default.
“Nationwide consumer reporting agency.” Section 603(p)
defines a consumer reporting agency as one that compiles and
maintains files on consumers on a nationwide basis and
regularly engages in the practice of assembling or evaluating
and maintaining the following two pieces of information about
consumers residing nationwide for the purpose of furnishing
consumer reports to third parties bearing on a consumer’s
credit worthiness, credit standing, or credit capacity:
1. Public Record Information.
2. Credit account information from persons who furnish that
information regularly and in the ordinary course of
business.
Institutions may provide this disclosure on or with any notice
of default, any billing statement, or any other materials
provided to the customer, as long as the notice is clear and
conspicuous. Institutions may also choose to provide this
notice to all customers as an abundance of caution. However,
this notice may not be included in the initial disclosures
provided under section 127(a) of the Truth in Lending Act.
Model text. Institutions can use the following model text to
comply with these requirements. The first model contains text
to be used when institutions choose to provide a notice before
furnishing negative information. The second model form
contains text to be used when institutions provide notice
within 30 days after reporting negative information:
1. Notice prior to communicating negative information
(Model B-1):
“We may report information about your account to credit
bureaus. Late payments, missed payments, or other
defaults on your account may be reflected in your credit
report.”
2. Notice within 30 days after communicating negative
information (Model B-2):
“We have told a credit bureau about a late payment,
missed payment or other default on your account. This
information may be reflected in your credit report.”
Use of the model form(s) is not required; however, proper use
of the model forms provides financial institutions with a safe
harbor from liability. Financial institutions may make certain
changes to the language or format of the model notices
without losing the safe harbor from liability provided by the
model notices. The changes to the model notices may not be
so extensive as to affect the substance, clarity, or meaningful
sequence of the language in the model notices. Financial
institutions making such extensive revisions will lose the safe
harbor from liability that the model notices provide.
Acceptable changes include, for example,
1. Rearranging the order of the references to “late
payment(s),” or “missed payment(s);”
2. Pluralizing the terms “credit bureau,” “credit report,” and
“account;”
3. Specifying the particular type of account on which
information may be furnished, such as “credit card
account;” or
4. Rearranging in Model Notice B-1 the phrases
“information about your account” and “to credit bureaus”
such that it would read “We may report to credit bureaus
information about your account.”
Examination Procedures
1. If the financial institution provides negative information to
a nationwide consumer reporting agency, verify that the
institution’s policies and procedures ensure that the
appropriate notices are provided to customers.
2. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of notices
provided to consumers to determine compliance with the
technical content and timing requirements.
Module 5: Consumer Alerts and Identity Theft
Protections
Overview
The Fair Credit Reporting Act (FCRA) contains several
provisions for both consumer reporting agencies and users of
consumer reports, including financial institutions, that are
designed to help combat identity theft. This module applies to
financial institutions that are not consumer reporting agencies,
but are users of consumer reports.
Two primary requirements exist: first, a user of a consumer
report that contains a fraud or active duty alert must take steps
to verify the identity of an individual to whom the consumer
report relates, and second, a financial institution must disclose
certain information when consumers allege that they are the
victims of identity theft.
Section 605A(h) Fraud and Active Duty Alerts
Initial fraud and active duty alerts. Consumers who suspect
that they may be the victims of fraud, including identity theft,
may request nationwide consumer reporting agencies to place
initial fraud alerts in their consumer reports. These alerts must
remain in a consumer’s report for no less than 90 days. In
addition, members of the armed services who are called to
active duty may also request that active duty alerts be placed
in their consumer reports. Active duty alerts must remain in
these service members’ files for no less than 12 months.
Section 605A(h)(1)(B) requires users of consumer reports,
including financial institutions, to verify a consumer’s identity
if a consumer report includes a fraud or active duty alert.
Unless the financial institution uses reasonable policies and
procedures to form a reasonable belief that they know the
identity of the person making the request, the financial
institution may not:
1. Establish a new credit plan or extension of credit (other than
under an open-end credit plan) in the name of the
consumer;
2. Issue an additional card on an existing account; or
3. Increase a credit limit.
Extended Alerts. Consumers who allege that they are the
victim of an identity theft may also place an extended alert,
which lasts seven years, on their consumer report. Extended
alerts require consumers to submit identity theft reports and
appropriate proof of identity to the nationwide consumer
reporting agencies.
Section 605A(h)(2)(B) requires a financial institution that
obtains a consumer report that contains an extended alert to
contact the consumer in person or by the method listed by the
consumer in the alert prior to performing any of the three
actions listed above.
Examination Procedures
1. Determine whether the financial institution has effective
policies and procedures in place to verify the identity of
consumers in situations where consumer reports include
fraud and/or active duty military alerts.
2. Determine if the financial institution has effective policies
and procedures in place to contact consumers in situations
where consumer reports include extended alerts.
3. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of
transactions in which consumer reports including these
types of alerts were obtained. Verify that the financial
institution complied with the identity verification and/or
consumer contact requirements.
Section 609(e) Information Available to Victims
Section 609(e) requires financial institutions to provide
records of fraudulent transactions to victims of identity theft
within 30 days after the receipt of a request for the records.
These records include the application and business transaction
records under the control of the financial institution whether
maintained by the financial institution or another person on
behalf of the institution (such as a service provider). This
information should be provided to:
1. The victim;
2. Any federal, state, or local government law enforcement
agency or officer specified by the victim in the request; or
3. Any law enforcement agency investigating the identity
theft that was authorized by the victim to take receipt of
these records.
The request for the records must be made by the victim in
writing and be sent to the financial institution to the address
specified by the financial institution for this purpose. The
financial institution may ask the victim to provide information,
if known, regarding the date of the transaction or application,
and any other identifying information such as an account or
transaction number.
Unless the financial institution, at its discretion, otherwise has
a high degree of confidence that it knows the identity of the
victim making the request for information before disclosing
any information to the victim, the financial institution must
take prudent steps to positively identify the person requesting
information. Proof of identity can include:
1. A government-issued identification card;
2. Personally identifying information of the same type that
was provided to the financial institution by the
unauthorized person; or
3. Personally identifiable information that the financial
institution typically requests from new applicants or for
new transactions.
At the election of the financial institution, the victim must also
provide the financial institution with proof of an identity theft
complaint, which may consist of a copy of a police report
evidencing the claim of identity theft and a properly completed
affidavit. The affidavit can be either the standardized affidavit
form prepared by the Federal Trade Commission (published in
April 2005 in 70 Federal Register 21792), or an “affidavit of
fact” that is acceptable to the financial institution for this
purpose.
When these conditions are met, the financial institution must
provide the information at no charge to the victim. However,
the financial institution is not required to provide any
information if, acting in good faith, the financial institution
determines that:
1. Section 609(e) does not require disclosure of the
information;
2. The financial institution does not have a high degree of
confidence in knowing the true identity of the requestor,
based on the identification and/or proof provided;
3. The request for information is based on a
misrepresentation of fact by the requestor; or
4. The information requested is Internet navigational data or
similar information about a person’s visit to a web site or
online service.
Examination Procedures
1. Review financial institution policies, procedures, and/or
practices to ensure that identities and claims of fraudulent
transactions are verified and that information is properly
disclosed to victims of identity theft and/or appropriately
authorized law enforcement agents.
2. If procedural weaknesses are noted or other risks requiring
further investigation are noted, review a sample of these
types of requests to ensure that the financial institution
properly verified the requestor’s identity prior to
disclosing the information.
References
Statute
Fair Credit Reporting Act
Regulations
CFPB 12 CFR 1022