Fair Credit Reporting - Board of Governors of the Federal ...

Consumer Compliance Handbook FCRA • 1 (6/09)

Fair Credit Reporting

Background

The Fair Credit Reporting Act (FCRA) deals with the rights of consumers in relation to their credit reports and the obligations of credit reporting agencies and the businesses that provide information to them. The FCRA has been revised numerous times since it took effect in 1971, notably by passage of the Consumer Credit Reporting Reform Act of 1996, the Gramm-Leach-Bliley Act of 1999, and the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).

The FACT Act created new responsibilities for consumer reporting agencies and users of consumer reports, many concerning consumer disclosures and identity theft. It also created new rights for consumers, including the right to free annual consumer reports and improved access to report information, with the aim of making data in the consumer reporting system more accurate.

Coverage

Business entities that are consumer reporting agencies have significant responsibilities under the FCRA; business entities that are not consumer reporting agencies have somewhat lesser responsibilities. Generally, financial institutions are not considered consumer reporting agencies; however, those that engage in certain types of information-sharing practices can be deemed consumer reporting agencies. In addition, the FCRA applies to financial institutions that operate as

• Procurers and users of information (for example, when granting credit, purchasing dealer paper, or opening deposit accounts),

• Furnishers and transmitters of information (by reporting information to consumer reporting agencies or other third parties, or to affiliates),

• Marketers of credit or insurance products, or

• Employers.

Key Definitions

Key definitions used throughout the FCRA include the following:

Consumer

A consumer is an individual.

Consumer Report

A consumer report is any written, oral, or other communication of any information by a consumer reporting agency that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used (or is expected to be used) or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for

• Credit or insurance to be used primarily for personal, family, or household purposes;

• Employment purposes; or

• Any other purpose authorized under FCRA, section 604.

The term “consumer report” does not include

• Any report containing information solely about transactions or experiences between the consumer and the institution making the report;

• Any communication of that transaction or experience information among entities related by common ownership or affiliated by corporate control (for example, different banks that are members of the same holding company, or subsidiary companies of a bank);

• Communication of other information among persons related by common ownership or affiliated by corporate control if

– It is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons, and

– The consumer is given the opportunity, before the time the information is communicated, to direct that the information not be communicated among such persons;

• Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;

• Any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer (such as a lender who has received a request from a broker) conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and such person makes the disclosures to the consumer required under FCRA, section 615; or

• A communication described in FCRA, subsection 603(o) or (x) (which relate to certain investigative reports and certain reports to prospective employers).

Person

A person is any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.

Investigative Consumer Report

An investigative consumer report is a consumer report or portion thereof for which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with neighbors, friends, or associates of the consumer, or with others with whom the consumer is acquainted or who may have knowledge concerning any such information. However, such information does not include specific factual information on a consumer’s credit record obtained directly from a creditor of the consumer or from a consumer reporting agency when such information was obtained directly from a creditor of the consumer or from the consumer.

Adverse Action

With regard to credit transactions, the term adverse action has the same meaning as used in section 701(d)(6) of the Equal Credit Opportunity Act (ECOA), Regulation B, and the official staff commentary. Under the ECOA, an “adverse action” is a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the same amount or on terms substantially similar to those requested. Under the ECOA, the term does not include a refusal to extend additional credit under an existing credit arrangement when the applicant is delinquent or otherwise in default, or when such additional credit would exceed a previously established credit limit.

For non-credit transactions, the term has the following additional meanings for purposes of the FCRA:

• A denial or cancellation of, an increase in any charge for, or a reduction or other adverse or unfavorable change in the terms of coverage or amount of any insurance, existing or applied for, in connection with the underwriting of insurance

• A denial of employment, or any other decision for employment purposes that adversely affects any current or prospective employee

• A denial or cancellation of, an increase in any charge for, or any other adverse or unfavorable change in the terms of any license or benefit described in FCRA, section 604(a)(3)(D)

• An action taken or determination that (1) is made in connection with an application made by, or transaction initiated by, any consumer, or in connection with a review of an account to determine whether the consumer continues to meet the terms of the account, and (2) is adverse to the interests of the consumer

Employment Purposes

A consumer report used for employment purposes is a report used for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee.

Consumer Reporting Agency

A consumer reporting agency is any person that (1) for monetary fees, dues, or on a cooperative nonprofit basis regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information, or other information on consumers, for the purpose of furnishing consumer reports to third parties, and (2) uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

Implementation of the FCRA

Some of the requirements for financial institutions imposed by the FCRA are written directly into the statute; others are contained in regulations issued jointly by the FFIEC agencies; still others are spelled out in regulations issued by the Federal Reserve Board and/or the Federal Trade Commission.

For examination purposes, similar requirements have been grouped together, creating a series of examination modules. The five modules that have been completed to date cover requirements applicable to financial institutions that are not consumer reporting agencies. A sixth module will cover institutions that are considered consumer reporting agencies. The five completed examination modules are listed below with the statutory or regulatory cites for the FCRA requirements they cover.¹

1. Other FCRA provisions—including section 628 (Disposal Rules)—are covered in other functional examinations, such as safety and soundness examinations, and therefore are not part of these procedures.


Module 1: Obtaining Consumer Reports

• Permissible Purposes of Consumer Reports, and Investigative Consumer Reports—FCRA, Sections 604 and 606

Module 2: Obtaining Information and Sharing among Affiliates

• Consumer Report and Information Sharing—FCRA, Section 603(d)

• Protection of Medical Information—FCRA, Section 604(g), and Regulation V, Sections 222.30–32

• Affiliate Marketing Opt-Out—FCRA, Section 624 and Regulation V, Section 222.20

Module 3: Disclosures to Consumers and Miscellaneous Requirements

• Use of Consumer Reports for Employment Purposes—FCRA, Section 604(b)

• Prescreened Consumer Reports and Opt-Out Notice—FCRA, Sections 604(c) and 615(d); FTC Regulations, Parts 642 and 698

• Truncation of Credit and Debit Card Account Numbers—FCRA, Section 605(g)

• Disclosure of Credit Scores by Certain Mortgage Lenders—FCRA, Section 609(g)

• Adverse Action Disclosures—FCRA, Sections 615(a) and (b)

• Debt Collector Communications concerning Identity Theft—FCRA, Section 615(g)

• Risk-Based Pricing Notice—FCRA, Section 615(h)

Module 4: Duties of Users of Credit Reports and Furnishers of Consumer Report Information

• Duties of Users of Credit Reports Regarding Address Discrepancies—FCRA, Section 605(h)(1) and Regulation V, Section 222.82

• Furnishers of Information—General—FCRA, Section 623

• Prevention of Re-Pollution of Consumer Reports—FCRA, Section 623(a)(6)

• Negative Information Notice—FCRA, Section 623(a)(7)

Module 5: Consumer Alerts and Identity Theft Protections

• Fraud and Active Duty Alerts—FCRA, Section 605A(h)

• Information Available to Victims—FCRA, Section 609(e)

• Duties of Card Issuers Regarding Changes of Address—FCRA, Section 615(e)(1)(c) and Regulation V, Section 222.91

Module 6: Requirements for Consumer Reporting Agencies

Organization of Examination Procedures

The modules in this chapter contain both general information about each of the requirements and examination procedures. Preceding the modules are the objectives and initial procedures for fair credit reporting examinations.


Fair Credit Reporting Examination Objectives and Initial Examination Procedures

EXAMINATION OBJECTIVES

1. To determine the financial institution’s compliance with the FCRA

2. To assess the quality of the financial institution’s compliance management systems and its policies and procedures for implementing the FCRA

3. To determine the reliance that can be placed on the financial institution’s internal controls and procedures for monitoring the institution’s compliance with the FCRA

4. To direct corrective action when violations of law are identified or when policies or internal controls are deficient

INITIAL EXAMINATION PROCEDURES

The initial examination procedures are designed to acquaint examiners with the operations and processes of the institution being examined. They focus on the institution’s systems, controls, policies, and procedures, including audits and previous examination findings.

The applicability of the various sections of the FCRA and the implementing regulations depends on an institution’s unique operations. The functional examination requirements for an institution’s FCRA responsibilities are presented topically in modules 1 through 6.

Initially, examiners should

1. Through discussions with management and a review of available information, determine whether the institution’s internal controls are adequate to ensure compliance in the area under review. Consider the following:

a. Organization charts

b. Process flowcharts

c. Policies and procedures

d. Loan documentation

e. Checklists

f. Computer program documentation (for example, records that illustrate the fields and types of data reported to consumer reporting agencies, and automated records that track customer opt-outs for FCRA affiliate information sharing)

2. Review any compliance audit material, including workpapers and reports, to determine whether

a. The scope of the audit addresses all provisions as applicable;

b. Corrective actions were taken to follow up on previously identified deficiencies;

c. The testing includes samples covering all product types and decision centers;

d. The work performed is accurate;

e. Significant deficiencies and their causes are included in reports to management and/or to the board of directors; and

f. The frequency of review is appropriate.

3. Review the financial institution’s training materials to determine whether

a. Appropriate training is provided to individuals responsible for FCRA compliance and operational procedures, and

b. The training is comprehensive and covers the various aspects of the FCRA that apply to the individual financial institution’s operations.

4. Through discussions with management, determine which portions of the six examination modules will apply.

5. Complete appropriate examination modules; document and form conclusions regarding the quality of the financial institution’s compliance management systems and compliance with the FCRA.


Fair Credit Reporting Examination Module 1: Obtaining Consumer Reports

Overview

Consumer reporting agencies have a significant amount of personal information about consumers. This information is invaluable in assessing a consumer’s creditworthiness for a variety of products and services, including loan and deposit accounts, insurance, and telephone services. Access to this information is governed by the Fair Credit Reporting Act (FCRA) to ensure that it is obtained for permissible purposes and is not used for illegitimate purposes.

The FCRA requires any prospective “user” of a consumer report—for example a lender, insurer, landlord, or employer—to have a legally permissible purpose for obtaining a report.

Permissible Purposes of Consumer Reports (FCRA, Section 604) and Investigative Consumer Reports (FCRA, Section 606)

Legally Permissible Purposes

The FCRA allows a consumer reporting agency to furnish a consumer report under the following circumstances and no other:

• In response to a court order or federal grand jury subpoena

• In accordance with the written instructions of the consumer

• To a person, including a financial institution, that it has reason to believe

– Intends to use the report in connection with a credit transaction involving the consumer (including extending, reviewing, and collecting credit);

– Intends to use the information for employment purposes;²

– Intends to use the information in connection with the underwriting of insurance involving the consumer;

– Intends to use the information in connection with a determination of the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality that is required by law to consider an applicant’s financial responsibility;

– Intends to use the information, as a potential investor or servicer or a current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or

– Otherwise has a legitimate business need for the information

a. In connection with a business transaction that is initiated by the consumer, or

b. To review an account to determine whether the consumer continues to meet the terms of the account

• In response to a request by the head of a state or local child support enforcement agency (or authorized appointee), if the person certifies various information to the consumer reporting agency regarding the need to obtain the report. (Generally, a financial institution that is not a consumer reporting agency is not involved in such a situation.)

Prescreened Consumer Reports

Users of consumer reports, such as financial institutions, are allowed to obtain prescreened consumer reports in order to make firm offers of credit or insurance to consumers, unless the consumers have elected to opt out of being included on prescreened lists. The FCRA contains many requirements, including an opt-out notice requirement, when prescreened consumer reports are used. In addition to defining prescreened consumer reports, module 3 covers these requirements.

Investigative Consumer Reports

FCRA, section 606, contains specific requirements concerning the use of investigative consumer reports. Such reports contain information about a consumer’s character, general reputation, personal characteristics, or mode of living that is obtained in whole or in part through personal interviews with the consumer’s neighbors, friends, or associates. If a financial institution procures an investigative consumer report, or causes one to be prepared, the institution must meet the following requirements:

• The institution must clearly and accurately disclose to the consumer that an investigative consumer report may be obtained.

• The disclosure must contain a statement of the consumer’s right to request other information about the report and a summary of the consumer’s rights under the FCRA.

• The disclosure must be in writing and must be mailed or otherwise delivered to the consumer not later than three business days after the date on which the report was first requested.

• The financial institution procuring the report must certify to the consumer reporting agency that it has complied with the disclosure requirements and will comply in the event that the consumer requests additional disclosures about the report.

2. Use of consumer reports for employment purposes requires specific advance authorization and disclosure notices and, if applicable, adverse action notices. These issues are addressed in module 3 of these examination procedures.

Institution Procedures

Given the preponderance of electronically available information and the growth of identity theft, financial institutions should manage the risks associated with obtaining and using consumer reports. They should employ procedures, controls, or other safeguards to ensure that consumer reports are obtained and used only in situations for which there are permissible purposes. Access to, storage of, and destruction of this information should be dealt with under an institution’s information-security program; however, obtaining consumer reports initially must be done in compliance with the FCRA.


Fair Credit Reporting—Module 1 Examination Procedures

Permissible Purposes of Consumer Reports (FCRA, Section 604) and Investigative Consumer Reports (FCRA, Section 606)

1. Determine whether the financial institution obtains consumer reports.

2. Determine whether the financial institution obtains prescreened consumer reports and/or reports for employment purposes. If it does, complete the appropriate sections of module 3.

3. Determine whether the financial institution procures, or causes to be prepared, investigative consumer reports. If it does, determine whether the appropriate disclosure is given to consumers within the required time periods. In addition, determine whether the institution certifies compliance with the disclosure requirements to the consumer reporting agency.

4. Evaluate the financial institution’s procedures to ensure that consumer reports are obtained only for permissible purposes. Confirm that the institution certifies to the consumer reporting agency the purposes for which it will obtain reports. (The certification is usually contained in the institution’s contract with the consumer reporting agency.)

5. If procedural weaknesses or other risks requiring further investigation are noted, such as the receipt of several consumer complaints, review a sample of consumer reports obtained from a consumer reporting agency and determine whether the financial institution had permissible purposes for obtaining the reports. For example,

• Obtain a copy of a billing statement or other list of consumer reports obtained by the financial institution from the consumer reporting agency over a period of time.

• Compare this list, or a sample from this list, with the institution’s records to ensure that there was a permissible purpose for obtaining the report(s)—for instance, the consumer applied for credit, insurance, or employment. The institution may also obtain a report in connection with the review of an existing account.


Fair Credit Reporting Examination Module 2: Obtaining Information and Sharing among Affiliates

Overview

The Fair Credit Reporting Act (FCRA) sets forth many substantive compliance requirements for consumer reporting agencies that are designed to help ensure the accuracy and integrity of the consumer reporting system. As noted in the first section of this FCRA chapter, a consumer reporting agency is a person that generally furnishes consumer reports to third parties. By their very nature, banks, credit unions, and thrifts hold a significant amount of consumer information that could constitute a consumer report. Communication of this information could cause the institution to become a consumer reporting agency. The FCRA contains several exceptions that enable a financial institution to communicate this type of information, within strict guidelines, without becoming a consumer reporting agency.

Rather than containing strict information-sharing prohibitions, the FCRA creates a business disincentive such that if a financial institution shares consumer report information outside of the exceptions, the institution becomes a consumer reporting agency and is subject to the significant, substantive requirements of the FCRA applicable to those entities. Typically, a financial institution will structure its information-sharing practices within the exceptions to avoid becoming a consumer reporting agency. This examination module generally covers the information-sharing practices within these exceptions.

If upon completion of this module, examiners determine that the financial institution’s information-sharing practices fall outside of these exceptions, the institution may be considered a consumer reporting agency, and the examination procedures in module 6 should be completed.

Consumer Report and Information Sharing (FCRA, Section 603(d))

FCRA, section 603(d), defines a consumer report to include information about a consumer that bears on a consumer’s creditworthiness, character, and credit capacity, among other characteristics. Communication of this information may cause a person, including a financial institution, to become a consumer reporting agency. The statutory definition contains key exceptions to this definition that enable a financial institution to share this type of information under certain circumstances without becoming a consumer reporting agency. Specifically, the term “consumer report” does not include the following:

• A report containing information solely related to transactions or experiences between the consumer and the financial institution making the report. A person, including a financial institution, may share information strictly related to its own transactions or experiences with a consumer (such as the consumer’s record with a loan or savings account at an institution) with any third party, without regard to affiliation, without becoming a consumer reporting agency. This type of information sharing may, however, be restricted under the Privacy of Consumer Financial Information regulations that implement the Gramm-Leach-Bliley Act (GLBA) because the information meets the definition of nonpublic personal information under the Privacy regulations; sharing it with nonaffiliated third parties may be subject to opt-out provisions under the Privacy regulations. In turn, the FCRA may restrict activities that the GLBA permits. For example, the GLBA permits a financial institution to share lists of its customers and information about those customers, such as their credit scores, with another financial institution for the purpose of jointly marketing or sponsoring other financial products or services. Such a communication may be considered a consumer report under the FCRA and could cause the sharing institution to become a consumer reporting agency.

• Communication of such transaction or experience information among persons, including financial institutions, related by common ownership or affiliated by corporate control.

• Communication of other information (that is, other than transaction or experience information) among persons, including financial institutions, related by common ownership or affiliated by corporate control (1) if it is clearly and conspicuously disclosed to the consumer that the information will be communicated among such entities and (2) if, before the information is initially communicated, the consumer is given the opportunity to opt out of the communication. Thus, a financial institution is allowed to share information (other than information about its own transactions or experiences) that could otherwise constitute a consumer report without becoming a consumer reporting agency under the following circumstances:

– The sharing of the “other” information is done with affiliates

– Consumers are provided with the notice and an opportunity to opt out of this sharing before the information is first communicated among affiliates

“Other” information can include, for example, information provided by a consumer on an application form concerning accounts with other financial institutions. It can also include information obtained by a financial institution from a consumer reporting agency, such as the consumer’s credit score. If a financial institution shares other information with affiliates without providing a notice and an opportunity to opt out, the institution may become a consumer reporting agency subject to the FCRA requirements.

The opt-out right required by this section must be stated in a financial institution’s privacy notice, as required by the GLBA and its implementing regulations.

Other Exceptions

Specific Extensions of Credit

In addition, the term “consumer report” does not include the communication of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device. For example, this exception allows a lender to communicate an authorization through a credit card network to a retailer, to enable a consumer to complete a purchase using a credit card.

Credit Decision to Third Party

The term “consumer report” also does not include any report in which a person, including a financial institution, that has been requested by a third party (such as an automobile dealer) to make a specific extension of credit directly or indirectly to a consumer conveys the decision with respect to the request. The third party must advise the consumer of the name and address of the financial institution to which the request was made, and the financial institution must make the adverse action disclosures when required by FCRA, section 615. For example, this exception allows a lender to communicate a credit decision to an automobile dealer that is arranging financing for the purchase of an automobile by a consumer who requires a loan to finance the transaction.

“Joint User” Rule

The Federal Trade Commission staff commentary discusses another exception, known as the Joint User Rule. Under this exception, users of consumer reports, including financial institutions, may share information with each other if they are jointly involved in the decision to approve a consumer’s request for a product or service, provided that each has a permissible purpose for obtaining a consumer report on the individual. For example, a consumer applies for a mortgage loan that will have a high loan-to-value ratio, and thus the lender will require private mortgage insurance (PMI) in order to approve the application. The PMI will be provided by an outside company. The lender and the PMI company may share consumer report information about the consumer because both entities have permissible purposes for obtaining the information and they are jointly involved in the decision to grant products to the consumer.

This exception applies both to entities that are affiliated and to nonaffiliated third parties. It is important to note that the GLBA still applies to the sharing of nonpublic personal information with nonaffiliated third parties; therefore, financial institutions should be aware that sharing under the FCRA Joint User Rule may still be limited or prohibited by the GLBA.

Protection of Medical Information (FCRA, Section 604(g); and Regulation V, Subpart D)

Section 604(g) generally prohibits creditors from obtaining and using medical information in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. The statute contains no prohibition regarding creditors’ obtaining or using medical information for other purposes that are not in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit.

Section 604(g)(5)(A) required the FFIEC agencies to prescribe regulations that permit transactions determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including administrative verification purposes) and that are consistent with the congressional intent to restrict the use of medical information for inappropriate purposes. The agencies published final rules in the Federal Register (70 FR 70664) on November 22, 2005; subpart D of Regulation V implements the requirements for entities supervised by the Federal Reserve. The rules contain the general prohibition regarding obtaining or using medical information and provide exceptions for the limited circumstances under which medical information may be used. The rules define ‘‘credit’’ and ‘‘creditor’’ as having the same meanings as in section 702 of the Equal Credit Opportunity Act.

Fair Credit Reporting: Examination Module 2

12 (6/09) • FCRA Consumer Compliance Handbook

Obtaining and Using Unsolicited Medical Information (Regulation V, § 222.30(c))

A creditor does not violate the prohibition on obtaining medical information if it receives the medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information. However, the creditor may use this medical information only in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit in accordance with either the financial information exception or one of the specific other exceptions provided in the rules. These exceptions are discussed below.

Financial Information Exception (Regulation V, § 222.30(d))

A creditor is allowed to obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit, so long as all of the following conditions are met:

• The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of the loan proceeds.

• The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction.

• The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination.

The financial information exception is designed in part to allow a creditor to consider a consumer’s medical debts and expenses in the assessment of that consumer’s ability to repay the loan according to the loan terms. The financial information exception also allows a creditor to consider the dollar amount and continued eligibility for disability income, worker’s compensation income, or other benefits related to health or a medical condition that is relied on as a source of repayment.

The creditor may use the medical information in a manner and to an extent that is no less favorable than it would use comparable nonmedical information. For example, a consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other is to a retailer. The creditor may use and consider the debt to the hospital in the same manner in which it considers the debt to the retailer, such as including the debts in the calculation of the consumer’s proposed debt-to-income ratio. In addition, the consumer’s history of payment of the debt to the hospital may be considered in the same manner as payment of the debt to the retailer. For example, if the creditor does not grant loans to applicants who have debts that are ninety days past due, the creditor could consider the past-due status of a debt to the hospital in the same manner as it considers the past-due status of a debt to the retailer.

A creditor may use medical information in a manner that is more favorable to the consumer, according to its regular policies and procedures. For example, if a creditor has a routine policy of declining consumers who have a ninety-day past-due installment loan to a retailer but does not decline consumers who have a ninety-day past-due debt to a hospital, the financial information exception would allow the creditor to continue this policy without violating the rules, because in such a case, the creditor’s treatment of the hospital debt is more favorable to the consumer.

A creditor may not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any determination regarding the consumer’s eligibility, or continued eligibility, for credit. The creditor may consider only the financial implications as discussed above, such as the status of a debt to a hospital or the continuance of disability income.

Specific Exceptions for Obtaining and Using Medical Information (Regulation V, § 222.30(e))

In addition to the financial information exception, the rules provide for the following nine specific exceptions under which a creditor may obtain and use medical information in its determination of the consumer’s eligibility, or continued eligibility, for credit:

1. To determine whether the use of a power of attorney or legal representative that is triggered by a medical condition or event is necessary and appropriate, or whether the consumer has the legal capacity to contract when a person seeks to exercise a power of attorney or act as a legal representative for a consumer on the basis of an asserted medical condition or event. For example, if person A is attempting to act on behalf of person B under a power of attorney that is invoked on the basis of a medical event, a creditor is allowed to obtain and use medical information to verify that person B has experienced a medical condition or event such that person A is allowed to act under the power of attorney.

2. To comply with applicable requirements of local, state, or federal laws

3. To determine, at the consumer’s request, whether the consumer qualifies for a legally permissible special credit program or credit-related assistance program that is

• Designed to meet the special needs of consumers with medical conditions, and

• Established and administered pursuant to a written plan that

– Identifies the class of persons that the program is designed to benefit, and

– Sets forth the procedures and standards for extending credit or providing other credit-related assistance under the program

4. To the extent necessary for purposes of fraud prevention or detection

5. In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of the loan and the use of the proceeds

6. Consistent with safe and sound banking practices, if the consumer or the consumer’s legal representative requests that the creditor use medical information in determining the consumer’s eligibility, or continued eligibility, for credit to accommodate the consumer’s particular circumstances, and such request is documented by the creditor. For example, at the consumer’s request, a creditor may grant an exception to its ordinary policy to accommodate a medical condition that the consumer has experienced. This exception allows a creditor to consider medical information in this context, but it does not require a creditor to make such an accommodation, nor does it require a creditor to grant a loan that is unsafe or unsound.

7. Consistent with safe and sound practices, to determine whether the provisions of a forbearance practice or program that is triggered by a medical condition or event apply to a consumer. For example, if a creditor has a policy of delaying foreclosure in cases in which a consumer is experiencing a medical hardship, this exception allows the creditor to use medical information to determine if the policy would apply to the consumer. Like exception 6 above, this exception does not require a creditor to grant forbearance; it merely provides an exception so that a creditor may consider medical information in these instances.

8. To determine the consumer’s eligibility for, the triggering of, or the reactivation of a debt-cancellation contract or debt-suspension agreement if a medical condition or event is a triggering event for the provision of benefits under the contract or agreement

9. To determine the consumer’s eligibility for, the triggering of, or the reactivation of a credit insurance product if a medical condition or event is a triggering event for the provision of benefits under the product

Limits on Redisclosure of Information (Regulation V, § 222.31(b))

If a creditor subject to the medical information rules receives medical information about a consumer from a consumer reporting agency or its affiliate, the creditor must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed or as otherwise permitted by statute, regulation, or order.

Sharing Medical Information with Affiliates (Regulation V, § 222.32(b))

In general, the exclusions from the definition of ‘‘consumer report’’ in FCRA, section 603(d)(2), allow the sharing of information among affiliates. With regard to medical information, FCRA, section 603(d)(3), provides that the exclusions in section 603(d)(2) do not apply when a person subject to the medical information rules shares information of the following types with an affiliate:

• Medical information

• An individualized list or description based on the payment transactions of the consumer for medical products or services

• An aggregate list of identified consumers based on payment transactions for medical products or services

If a person that is subject to the medical rules shares with an affiliate information of one of the types listed above, the exclusions from the definition of ‘‘consumer report’’ do not apply. Effectively, this means that if a person shares medical information, that person becomes a consumer reporting agency, subject to all the other substantive requirements of the FCRA.

The rules provide exceptions to these limitations on sharing medical information with affiliates (Regulation V, section 222.32(c)). A covered entity, such as a state member bank, may share medical information with its affiliates without becoming a consumer reporting agency under one or more of the following circumstances:

• In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003)

• For any purpose permitted without authorization under the regulations issued by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• For any purpose referred to in section 1179 of HIPAA

• For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act

• In connection with a determination of the consumer’s eligibility, or continued eligibility, for credit consistent with the financial information exceptions or specific exceptions

• As otherwise permitted by order of an FFIEC agency

Affiliate Marketing Opt-Out (Regulation V, § 222.20)

Section 624 gives a consumer the right to restrict an entity, with which it does not have a pre-existing business relationship, from using certain information obtained from an affiliate to make solicitations to that consumer. This provision is distinct from section 603(d)(2)(A)(iii), which gives a consumer the right to restrict the sharing of certain consumer information amongst affiliates.3

Under section 624, an entity may not use information received from an affiliate to market its products or services to a consumer, unless the consumer is given notice and a reasonable opportunity and a reasonable and simple method to opt out of the making of such solicitations. The affiliate marketing opt-out applies to information that an entity has obtained from transactions or its experience with a consumer. The opt-out also applies to ‘‘other’’ information, such as information the entity obtains about a consumer from credit reports and credit applications. On November 7, 2007, the federal financial institution regulators published final regulations in the Federal Register to implement this section (72 FR 62910).4

Exceptions to the notice and opt-out requirements apply when an entity uses eligibility information in certain ways, as described later in these procedures.

Key Definitions (Regulation V, § 222.20)5

1. Eligibility information (12 CFR 222.20(b)(3)) includes not only transaction and experience information, but also the type of information found in consumer reports, such as information from third-party sources and credit scores. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.6

2. Pre-existing business relationship (12 CFR 222.20(b)(4))7 means a relationship between a person, such as a financial institution (or a person’s licensed agent), and a consumer based on

a. A financial contract between the person and the consumer which is in force on the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation;

b. The purchase, rental, or lease by the consumer of the person’s goods or services, or a financial transaction (including holding an active account or a policy in force, or having another continuing relationship) between the consumer and the person, during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation; or

c. An inquiry or application by the consumer regarding a product or service offered by that person during the three-month period immediately preceding the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation.

3. Solicitation (12 CFR 222.20(b)(5)) means the marketing of a product or service initiated by a person, such as a financial institution, to a particular consumer that is

a. Based on eligibility information communicated to that person by its affiliate, and

b. Intended to encourage the consumer to purchase or obtain such product or service.

Examples of a solicitation include a telemarketing call, direct mail, e-mail, or other form of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate. A solicitation does not include marketing communications that are directed at the general public (for example, television, general circulation magazine, and billboard advertisements).

3. See Module 2, Consumer Report and Information Sharing (Section 603(d)), for provisions pertaining to the sharing of consumer information. Under section 603(d)(2)(A)(iii) of the FCRA, entities are responsible for complying with the affiliate sharing notice and opt-out requirement, where applicable. Thus, under the FCRA, certain consumer information will be subject to two opt-outs, a sharing opt-out (section 603(d)) and a marketing use opt-out (section 624). These two opt-outs may be consolidated.

4. See 12 CFR 222.20(a) for the scope of entities covered by Subpart C of 12 CFR 222.

5. See 12 CFR 222.20 for other definitions.

6. Specifically, ‘‘eligibility information’’ is defined in the affiliate marketing regulation as ‘‘any information the communication of which would be a consumer report if the exclusions from the definition of ‘consumer report’ in Section 603(d)(2)(A) of the [Fair Credit Reporting] Act did not apply.’’

7. See 12 CFR 222.20(b)(4)(ii) and (iii) for examples of pre-existing business relationships and situations where no pre-existing business relationship exists.

Initial Notice and Opt-Out Requirement (Regulation V, §§ 222.21(a), 222.24, and 222.25)

A financial institution and its subsidiaries (‘‘financial institution’’) generally may not use eligibility information about a consumer that it receives from an affiliate to make a solicitation for marketing purposes to the consumer, unless

1. It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that the financial institution may use eligibility information about that consumer that it received from an affiliate to make solicitations for marketing purposes to the consumer;

2. The consumer is provided a reasonable opportunity and a reasonable and simple method to ‘‘opt out’’ (that is, the consumer prohibits the financial institution from using eligibility information to make solicitations for marketing purposes to the consumer);8 and

3. The consumer has not opted out.

For example, a consumer has a homeowner’s insurance policy with an insurance company. The insurance company shares eligibility information about the consumer with its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its home equity loan products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions apply. The depository institution may not use eligibility information it received from its insurance affiliate to make solicitations to the consumer about its home equity loan products unless the insurance company gave the consumer a notice and opportunity to opt out and the consumer does not opt out.

Making Solicitations (Regulation V, § 222.21(b))9

A financial institution (or a service provider acting on behalf of the financial institution) makes a solicitation for marketing purposes if

1. The financial institution receives eligibility information from an affiliate, including when the affiliate places that information into a common database that the financial institution may access;

2. The financial institution uses that eligibility information to do one or more of the following:

a. Identify the consumer or type of consumer to receive a solicitation;

b. Establish criteria used to select the consumer to receive a solicitation; or

c. Decide which of the financial institution’s products or services to market to the consumer or tailor the financial institution’s solicitation to that consumer; and

3. As a result of the financial institution’s use of the eligibility information, the consumer is provided a solicitation.

A financial institution does not make a solicitation for marketing purposes (and therefore the affiliate marketing regulation, with its notice and opt-out requirements, does not apply) in the situations listed below, commonly referred to as ‘‘constructive sharing.’’ Constructive sharing occurs when a financial institution provides criteria to an affiliate to use in marketing the financial institution’s product and the affiliate uses the criteria to send marketing materials to the affiliate’s own customers that meet the criteria. In this situation, the financial institution is not using shared eligibility information to make solicitations.

1. The financial institution provides criteria for consumers to whom it would like its affiliate to market the financial institution’s products. Then, based on these criteria, the affiliate uses eligibility information that the affiliate obtained in connection with its own pre-existing business relationship with the consumer to market the financial institution’s products or services (or directs its service provider to use the eligibility information in the same manner and the financial institution does not communicate with the service provider regarding that use).

2. A service provider, applying the financial institution’s criteria, uses information from an affiliate, such as that in a shared database, to market the financial institution’s products or services to the consumer, so long as it meets certain requirements, including

a. The affiliate controls access to, and use of, its eligibility information by the service provider under a written agreement between the affiliate and the service provider;

b. The affiliate establishes, in writing, specific terms and conditions under which the service provider may access and use the affiliate’s eligibility information to market the financial institution’s products and services (or those of affiliates generally) to the consumer;

c. The affiliate requires the service provider, under a written agreement, to implement reasonable policies and procedures designed to ensure that the service provider uses the affiliate’s eligibility information in accordance with the terms and conditions established by the affiliate relating to the marketing of the financial institution’s products or services;

d. The affiliate is identified on or with the marketing materials provided to the consumer; and

e. The financial institution does not directly use its affiliate’s eligibility information in the manner described above under ‘‘Making Solicitations (Regulation V, § 222.21(b)),’’ item 2.

8. See 12 CFR 222.24 and 222.25 for examples of ‘‘a reasonable opportunity to opt out’’ and ‘‘reasonable and simple methods for opting out.’’

9. See 12 CFR 222.21(b)(6) for examples of making solicitations.

Exceptions to Initial Notice and Opt-out Requirements (Regulation V, § 222.21(c))10

The initial notice and opt-out requirements do not apply to a financial institution if it uses eligibility information that it receives from an affiliate

1. To make a solicitation for marketing purposes to a consumer with whom the financial institution has a pre-existing business relationship;

2. To facilitate communications to an individual for whose benefit the financial institution provides employee benefit or other services pursuant to a contract with an employer;

3. To perform services on behalf of an affiliate (but this would not allow solicitation where the consumer has opted out);

4. In response to a communication about the financial institution’s products or services initiated by the consumer;

5. In response to a consumer’s authorization or request to receive solicitations; or

6. If the financial institution’s compliance with the affiliate marketing regulation would prevent it from complying with State insurance laws pertaining to unfair discrimination in any state in which the financial institution is lawfully doing business.

Contents of Opt-out Notice (Regulation V, § 222.23)

A financial institution must provide to the consumer a reasonable and simple method for the consumer to opt out. The opt-out notice must be clear, conspicuous, and concise, and must accurately disclose specific information outlined in 12 CFR 222.23(a), including that the consumer may elect to limit the use of eligibility information to make solicitations to the consumer. See Appendix C to the regulation for the model notices contained in the affiliate marketing regulation.

Alternative contents. An affiliate that provides a consumer a broader right to opt out than that required by the affiliate marketing regulation may satisfy the regulatory requirements by providing the consumer with a clear, conspicuous, and concise notice that accurately discloses the consumer’s opt-out rights.

Coordinated, consolidated, and equivalent notices. Opt-out and renewal notices may be coordinated and consolidated with any other notice or disclosure required under any other provision of law, such as the Gramm-Leach-Bliley Act (GLBA), 15 USC 6801 et seq. Renewal notices, which have additional required content (12 CFR 222.27), may be consolidated with the annual GLBA privacy notices.

Delivery of the Opt-Out Notice (Regulation V, §§ 222.21(a)(3) and 222.26)11

An affiliate that has or previously had a pre-existing business relationship with the consumer must provide the notice either individually or as part of a joint notice from two or more members of an affiliated group of companies. The opt-out notice must be provided so that each consumer can reasonably be expected to receive actual notice. A consumer may not reasonably be expected to receive actual notice if, for example, the affiliate providing the notice sends the notice via e-mail to a consumer who has not agreed to receive electronic disclosures by e-mail from the affiliate providing the notice.12

10. See 12 CFR 222.21(d) for examples of exceptions to the initial notice and opt-out requirement.

11. See 12 CFR 222.26(b) and (c) for examples of ‘‘reasonable expectation of actual notice’’ and ‘‘no reasonable expectation of actual notice.’’

Scope of Opt-Out (Regulation V, §§ 222.22(a) and 222.23(a)(2))13

As a general rule, the consumer’s election to opt out prohibits any affiliate covered by the opt-out notice from using eligibility information received from another affiliate, described in the notice, to make solicitations to the consumer. If two or more consumers jointly obtain a product or service, any of the joint consumers may exercise the right to opt out. It is impermissible to require all joint consumers to opt out before implementing any opt-out direction.

Menu of alternatives. A consumer may be given the opportunity to choose from a menu of alternatives when electing to prohibit solicitations, such as by

1. Electing to prohibit solicitations from certain types of affiliates covered by the opt-out notice but not other types of affiliates covered by the notice,

2. Electing to prohibit solicitations based on certain types of eligibility information but not other types of eligibility information, or

3. Electing to prohibit solicitations by certain methods of delivery but not other methods of delivery.

One of the alternatives, however, must allow the consumer to prohibit all solicitations from all of the affiliates that are covered by the notice.

Continuing relationship. If the consumer establishes a continuing relationship with a financial institution or its affiliate, an opt-out notice may apply to eligibility information obtained from one or more continuing relationships (such as a deposit account, a mortgage loan, or a credit card), if the notice adequately describes the continuing relationships covered. The opt-out notice can also apply to future continuing relationships if the notice adequately describes the continuing future relationships that would be covered.

Special rule for a notice following termination of all continuing relationships. After all continuing relationships with a financial institution or its affiliate(s) are terminated, a consumer must be given a new opt-out notice if the consumer later establishes another continuing relationship with the financial institution or its affiliate(s) and the consumer’s eligibility information is to be used to make a solicitation. The consumer’s decision not to opt out after receiving the new opt-out notice would not override a prior opt-out election that applies to eligibility information obtained in connection with a terminated relationship.

No continuing relationship (isolated transaction). If the consumer does not establish a continuing relationship with a financial institution or its affiliate, but the financial institution or its affiliate obtains eligibility information about the consumer in connection with a transaction with the consumer (such as an ATM cash withdrawal, purchase of traveler’s checks, or a credit application that is denied), an opt-out notice provided to the consumer only applies to eligibility information obtained in connection with that transaction.

Time, Duration, and Renewal of Opt-Out (Regulation V, §§ 222.22(b) and (c) and 222.27)

A consumer may opt out at any time. The opt-out must be effective for a period of at least five years beginning when the consumer’s opt-out election is received and implemented, unless the consumer later revokes the opt-out in writing or, if the consumer agrees, electronically. An opt-out period may be set at more than five years, including an opt-out that does not expire unless the consumer revokes it.

Renewal after opt-out period expires. After the opt-out period expires, a financial institution may not make solicitations based on eligibility information it receives from an affiliate to a consumer who previously opted out, unless

1. The consumer receives a renewal notice and opportunity to opt out, and the consumer does not renew the opt-out; or

2. An exception to the notice and opt-out requirements applies.14

Contents of renewal notice. The renewal notice must be clear, conspicuous, and concise, and must accurately disclose most of the elements of the original opt-out notice, as well as the facts that

1. The consumer previously elected to limit the use of certain information to make solicitations to the consumer;

2. The consumer’s election has expired or is about to expire;

3. The consumer may elect to renew the consumer’s previous election; and

4. If applicable, that the consumer’s election to renew will apply for the specified period of time stated in the notice and that the consumer will be allowed to renew the election once that period expires.

See 12 CFR 222.27(b) for all the content requirements of renewal notice.

12. For opt-out notices provided electronically, the notice may be provided in compliance with either the electronic disclosure provisions of 12 CFR 222.24(b)(2) and 222.24(b)(3) or the provisions in section 101 of the Electronic Signatures in Global and National Commerce Act, 15 USC 7001 et seq.

13. See 12 CFR 222.22(a) for examples of the scope of the opt-out, including examples of continuing relationships.

14. See 12 CFR 222.21(c) for exceptions.

Renewal period. Each opt-out renewal must be effective for a period of at least five years.

Affiliate who may provide the notice. The renewal notice must be provided by the affiliate that provided the previous opt-out notice, or its successor; or as part of a joint renewal notice from two or more members of an affiliated group of companies, or their successors, that jointly provided the previous opt-out notice.

Timing of the renewal notice. A renewal notice may be provided to the consumer either at a reasonable period of time before the expiration of the opt-out period15 or at any time after the expiration of the opt-out period but before solicitations that would have been prohibited by the expired opt-out are made to the consumer.

Prospective Application (Regulation V, § 222.28(c))

A financial institution may use eligibility information received from an affiliate to make solicitations to a consumer if it received such information prior to October 1, 2008, the mandatory compliance date of the affiliate marketing regulation. An institution is deemed to have received eligibility information when such information is placed into a common database and is accessible by the institution prior to that date.

Model Forms for Opt-Out Notices(Regulation V, § 222, Appendix C)

Appendix C of the affiliate marketing regulationcontains model forms that may be used to complywith the requirement for clear, conspicuous, andconcise notices. The five model forms are

C-1 Model Form for Initial Opt-out Notice (Single-Affiliate Notice)

C-2 Model Form for Initial Opt-out Notice (Joint Notice)

C-3 Model Form for Renewal Notice (Single-Affiliate Notice)

C-4 Model Form for Renewal Notice (Joint Notice)

C-5 Model Form for Voluntary “No Marketing” Notice

Use of the model forms is not required and a financial institution may make certain changes to the language or format of the model forms without losing the protection from liability afforded by use of the model forms. These changes may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model forms. Institutions making such extensive revisions will lose the “safe harbor” that Appendix C provides. Examples of acceptable changes are provided in Appendix C to the regulation.

15. An opt-out period may not be shortened by sending a renewal notice to the consumer before expiration of the opt-out period, even if the consumer does not renew the opt-out. If a financial institution provides an annual privacy notice under the Gramm-Leach-Bliley Act, providing a renewal notice with the last annual privacy notice provided to the consumer before expiration of the opt-out period is a reasonable period of time before expiration of the opt-out in all cases. 12 CFR 222.27(d)


Fair Credit Reporting—Module 2 Examination Procedures

Consumer Report and Information Sharing (FCRA, Section 603(d))

1. Review the financial institution’s policies, procedures, and practices concerning the sharing of consumer information with third parties, including both affiliated and nonaffiliated third parties. Determine the type of information shared and with whom the information is shared. (This portion of the examination may overlap with a review of the institution’s compliance with Regulation P, Privacy of Consumer Financial Information, which implements the Gramm-Leach-Bliley Act.)

2. Determine whether the financial institution’s information-sharing practices fall within the exceptions to the definition of a consumer report. If they do not, the financial institution could be considered a consumer reporting agency, in which case the examination procedures in module 6 should be completed.

3. If the financial institution shares information other than transaction and experience information with affiliates subject to opt-out provisions, determine whether the institution’s GLBA privacy notice contains information regarding how to opt out, as required by Regulation P.

4. If procedural weaknesses or other risks requiring further investigation are noted, obtain a sample of opt-out rights exercised by consumers and determine whether the financial institution honored the opt-out requests by not sharing “other information” about those consumers with the institution’s affiliates after receiving the opt-out requests.

Protection of Medical Information (FCRA, Section 604(g); and Regulation V, Subpart D)

1. Review the financial institution’s policies, procedures, and practices concerning the collection and use of consumer medical information in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit.

2. If the financial institution’s policies, procedures, and practices allow for obtaining and using consumer medical information in the context of a credit transaction, determine whether there are adequate controls in place to ensure that the information is used only subject to the financial information exception or one of the specific exceptions set forth in Regulation V.

3. If procedural weaknesses or other risks requiring further investigation are noted, obtain samples of credit transactions to determine whether the use of consumer medical information was done strictly under the financial information exception or one of the specific exceptions in Regulation V.

4. Determine whether the financial institution has adequate policies and procedures in place to limit the redisclosure of consumer medical information that was received from a consumer reporting agency or an affiliate.

5. Determine whether the financial institution shares medical information about a consumer with its affiliates. If it does, determine whether the sharing occurred in accordance with an exception in Regulation V that enables the institution to share the information without becoming a consumer reporting agency.

Affiliate Marketing Opt-Out (FCRA, Section 624; and Regulation V, Section 222.20)

1. Determine whether the financial institution receives consumer eligibility information from an affiliate. Stop here if it does not because Subpart C of 12 CFR 222 does not apply.

2. Determine whether the financial institution uses consumer eligibility information received from an affiliate to make a solicitation for marketing purposes that is subject to the notice and opt-out requirements. If it does not, stop here.

3. Evaluate the institution’s policies, procedures, practices, and internal controls to ensure that, where applicable, the consumer is provided with an appropriate notice, a reasonable opportunity, and a reasonable and simple method to opt out of the institution’s using eligibility information to make solicitations for marketing purposes to the consumer, and that the institution is honoring the consumer’s opt-outs.

4. If compliance risk management weaknesses or other risks requiring further investigation are noted, obtain and review a sample of notices to ensure technical compliance and a sample of opt-out requests from consumers to determine if the institution is honoring the opt-out requests.

a. Determine whether the opt-out notices are clear, conspicuous, and concise and contain the required information, including the name of the affiliate(s) providing the notice, a general description of the types of eligibility information that may be used to make solicitations to the consumer, and the duration of the opt out. (12 CFR 222.23(a))

b. Review opt-out notices that are coordinated and consolidated with any other notice or disclosure that is required under other provisions of law for compliance with the affiliate marketing regulation. (12 CFR 222.23(b))

c. Determine whether the opt-out notices and renewal notices provide the consumer a reasonable opportunity to opt out and a reasonable and simple method to opt out. (12 CFR 222.24 and 222.25)

d. Determine whether the opt-out notice and renewal notice are provided (by mail delivery or electronically) so that a consumer can reasonably be expected to receive that actual notice. (12 CFR 222.26)

e. Determine whether, after an opt-out period expires, a financial institution provides a consumer a renewal notice prior to making solicitations based on eligibility information received from an affiliate. (12 CFR 222.27)


Fair Credit Reporting Examination Module 3: Disclosures to Consumers and Miscellaneous Requirements

Overview

The Fair Credit Reporting Act (FCRA) requires financial institutions to provide consumers with various notices and information under a variety of circumstances. This module deals with examination responsibilities for these various areas.

Use of Consumer Reports for Employment Purposes (FCRA, Section 604(b))

FCRA, section 604(b), sets forth specific requirements for financial institutions that obtain consumer reports on their employees or prospective employees prior to, and/or during, the term of employment. The FCRA generally requires the written permission of the consumer to procure a consumer report for “employment purposes.” Moreover, a clear and conspicuous disclosure that a consumer report may be obtained for employment purposes must be provided in writing to the consumer prior to procuring a report.

Prior to taking any adverse action involving employment that is based in whole or in part on the consumer report, the user generally must provide to the consumer

• A copy of the report, and

• A description in writing of the rights of the consumer, as prescribed by the Federal Trade Commission (FTC) in FCRA, section 609(c)(1).

At the time a financial institution takes adverse action in an employment situation, the consumer must also be provided with an adverse action notice, as required by FCRA, section 615, and described later in this module.

Prescreened Consumer Reports and Opt-Out Notice (FCRA, Sections 604(c) and 615(d); and FTC Regulations, Parts 642 and 698)

FCRA, section 604(c)(1)(B), allows persons, including financial institutions, to obtain and use consumer reports on any consumer in connection with any credit or insurance transaction that is not initiated by the consumer, for the purpose of making firm offers of credit or insurance. This process, known as prescreening, occurs when a financial institution obtains, from a consumer reporting agency, a list of consumers who meet certain predetermined creditworthiness criteria and who have not elected to be excluded from such lists. These lists may contain only the following information:

• The name and address of a consumer

• An identifier that is not unique to the consumer and that is used by the person solely for the purpose of verifying the identity of the consumer

• Other information pertaining to a consumer that does not identify the relationship or experience of the consumer with respect to a particular creditor or other entity

Each name on the list is considered an individual consumer report. In order to obtain and use these lists, the financial institution must make a “firm offer of credit or insurance,” as defined in FCRA, section 603(l), to each person on the list. The institution is not required to grant credit or insurance if the consumer is found to be not creditworthy or insurable or cannot furnish required collateral, provided that the underwriting criteria are determined in advance.

Example 1. Assume that a home mortgage lender obtains from a consumer reporting agency a list of everyone in county X who has a current home mortgage loan and a credit score of 700. The lender will use this list to market a second-lien home equity loan product. Besides the criteria used to create the prescreened list for this product, the lender’s criteria include a total debt-to-income ratio (DTI) of 50 percent or less. Some of these other criteria can be screened by the consumer reporting agency, but others, such as the DTI, must be determined from an application or other sources when consumers respond to the offer. If a consumer who responds to the offer has a DTI of 60 percent, the lender does not have to grant the loan.

In addition, the financial institution is allowed to obtain a full consumer report on anyone responding to the offer in order to verify that the consumer continues to meet the creditworthiness criteria. If the consumer no longer meets those criteria, the institution does not have to grant the loan.

Example 2. On January 1, a credit card lender obtains from a consumer reporting agency a list of consumers in county Y who have credit scores of 720 and no previous bankruptcy records. On January 2, the lender mails solicitations offering a preapproved credit card to everyone on the list. On January 31, a consumer responds to the offer and the lender obtains and reviews a full consumer report, which shows that a bankruptcy record was added on January 15. Since this consumer no longer meets the lender’s predetermined criteria, the lender is not required to issue the credit card.

These basic requirements seek to ensure that financial institutions that obtain prescreened lists follow through with an offer of credit or insurance. An institution must maintain a list of the criteria used for the product (including the criteria used to generate the prescreened list and any other criteria, such as collateral requirements) on file for three years, beginning on the date that the offer was made to the consumer.

Technical Notice and Opt-Out Requirements

FCRA, section 615(d), sets forth consumer protections and technical notice requirements concerning prescreened offers of credit or insurance. The FCRA requires consumer reporting agencies that operate nationwide to jointly operate an “opt-out” system whereby consumers can elect to be excluded from prescreened lists by calling a toll-free number.

When a financial institution obtains and uses such lists, it must provide consumers with a “prescreen opt-out notice” along with a written offer of credit or insurance. The notice alerts consumers that they are receiving the offer because they meet certain creditworthiness criteria. The notice must also provide the toll-free telephone number operated by the nationwide consumer reporting agencies for consumers to call to opt out of prescreened lists.

The FCRA sets forth the basic requirement concerning the provision of notices to consumers at the time prescreened offers are made. The FTC’s implementing regulation, which spells out the technical requirements of the notice, is at 16 CFR 642 and 698. This regulation—which is applicable to anyone, including banks, credit unions, and thrifts, that obtains and uses prescreened consumer reports—became effective on August 1, 2005; however, the requirement to provide a notice containing the toll-free opt-out telephone number has existed under the FCRA for many years.

Requirements Beginning August 1, 2005

The FTC regulations—16 CFR 642 and 698—require that a “short” notice and a “long” notice of the “prescreen opt-out” information be given with each written solicitation made to consumers on the basis of prescreened consumer reports. These regulations, which were published on January 31, 2005, at 70 FR 5022, also contain specific requirements concerning the content and appearance of these notices. The requirements are listed below.

The short notice must be a clear and conspicuous, simple, and easy-to-understand statement, as follows:

• Content. The short notice must state that the consumer has the right to opt out of receiving prescreened solicitations, must provide the toll-free number, must direct consumers to the existence and location of the long notice, and must state the title of the long notice. It may not contain any other information.

• Form. The short notice must be in a type size larger than the principal text on the same page, but it may not be smaller than 12 point type. If the notice is provided by electronic means, it must be larger than the type size of the principal text on the same page.

• Location. The short notice must be on the front side of the first page of the principal promotional document in the solicitation or, if provided electronically, on the same page and in close proximity to the principal marketing message. The statement must be located so that it is distinct from other information, such as inside a border, and must be in a distinct type style, such as bolded, italicized, underlined, and/or in a color that contrasts with the principal text on the page, if the solicitation is provided in more than one color.

The long notice must also be a clear and conspicuous, simple, and easy-to-understand statement, as follows:

• Content. The long notice must state the information required by FCRA, section 615(d), and may not include any other information that interferes with, detracts from, contradicts, or otherwise undermines the purpose of the notice.

• Form. The long notice must appear in the solicitation and be in a type size that is no smaller than the type size of the principal text on the same page; for solicitations provided other than by electronic means, the type size may not be smaller than 8-point. The notice must begin with a heading, in capital letters and underlined, identifying the long notice as the “PRESCREEN & OPT OUT NOTICE.” Also, the notice must be in a type style that is distinct from the principal type style used on the same page, such as bolded, italicized, underlined, and/or in a color that contrasts with the principal text, if the solicitation is in more than one color. Further, the notice must be set apart from other text on the page, such as by including a blank line above and below the statement, and by indenting both the left and right margins from other text on the page.

Model prescreen opt-out notices developed by the FTC, along with complete sample solicitations showing context, appear in appendix A to 16 CFR 698. The model notice text is shown below.

Sample Short Notice

You can choose to stop receiving “prescreened” offers of [credit or insurance] from this and other companies by calling toll-free [toll-free number]. See PRESCREEN & OPT-OUT NOTICE on other side [or other location] for more information about prescreened offers.

Sample Long Notice

PRESCREEN & OPT-OUT NOTICE: This “prescreened” offer of [credit or insurance] is based on information in your credit report indicating that you meet certain criteria. This offer is not guaranteed if you do not meet our criteria [including providing acceptable property as collateral]. If you do not want to receive prescreened offers of [credit or insurance] from this and other companies, call the consumer reporting agencies [or name of consumer reporting agency] toll-free, [toll-free number]; or write: [consumer reporting agency name and mailing address].

Truncation of Credit and Debit Card Account Numbers (FCRA, Section 605(g))

FCRA, section 605(g), provides that persons, including financial institutions, that accept debit and credit cards for the transaction of business are prohibited from issuing electronically generated receipts that contain more than the last five digits of the card number, or the card expiration date, at the point of sale or transaction. This requirement applies only to electronically developed receipts and does not apply to handwritten receipts or those developed with an imprint of the card.

For automatic teller machines (ATMs) and point-of-sale (POS) terminals or other machines that were put into operation before January 1, 2005, this requirement is effective on December 4, 2006. For those that were put into operation on or after January 1, 2005, the effective date is the date of installation.

Disclosure of Credit Scores by Certain Mortgage Lenders (FCRA, Section 609(g))

FCRA, section 609(g), requires financial institutions that make or arrange mortgage loans using credit scores to provide the score, with accompanying information, to applicants.

Credit Score

For purposes of this section, credit score is defined as a numerical value or a categorization derived from a statistical tool or modeling system used by a person that makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (the numerical value or the categorization derived from such analysis may also be referred to as a “risk predictor” or “risk score”). A credit score does not include

• Any mortgage score or rating by an automated underwriting system that considers one or more factors in addition to credit information, such as the loan-to-value ratio, the amount of down payment, or the financial assets of a consumer, or

• Any other elements of the underwriting process or underwriting decision.

Covered Transactions

The disclosure requirement applies to both closed-end and open-end loans that are for consumer purposes and are secured by one- to four-family residential real properties, including purchase and refinance transactions. The requirement does not apply in circumstances that do not involve a consumer purpose, such as when a borrower obtains a loan secured by his or her residence to finance his or her small business.

Specific Required Notice

Financial institutions that are engaged in covered transactions and that use credit scores must provide a disclosure containing the specific language shown below, which is contained in FCRA, section 609(g)(1)(D):

Notice to the Home Loan Applicant

In connection with your application for a home loan, the lender must disclose to you the score that a consumer reporting agency distributed to users and the lender used in connection with your home loan, and the key factors affecting your credit scores.

The credit score is a computer generated summary calculated at the time of the request and based on information that a consumer reporting agency or lender has on file. The scores are based on data about your credit history and payment patterns. Credit scores are important because they are used to assist the lender in determining whether you will obtain a loan. They may also be used to determine what interest rate you may be offered on the mortgage. Credit scores can change over time, depending on your conduct, how your credit history and payment patterns change, and how credit scoring technologies change.


Because the score is based on information in your credit history, it is very important that you review the credit-related information that is being furnished to make sure it is accurate. Credit records may vary from one company to another.

If you have questions about your credit score or the credit information that is furnished to you, contact the consumer reporting agency at the address and telephone number provided with this notice, or contact the lender, if the lender developed or generated the credit score. The consumer reporting agency plays no part in the decision to take any action on the loan application and is unable to provide you with specific reasons for the decision on a loan application.

If you have questions concerning the terms of the loan, contact the lender.

The notice must include the name, address, and telephone number of each consumer reporting agency that provided a credit score that was used.

Credit Score and Key Factors Disclosed

In addition to providing the notice to home loan applicants, financial institutions must disclose the credit score, the range of possible scores, the date on which the score was created, and the “key factors” used in calculating the score. Key factors are all relevant elements or reasons adversely affecting the credit score for the particular individual, listed in the order of their importance based on their effect on the credit score. The total number of factors to be disclosed must not exceed four. However, if one of the key factors is the number of inquiries into a consumer’s credit information, then the total number of factors must not exceed five. These key factors come from information supplied by the consumer reporting agencies with any consumer report that was furnished containing a credit score. (FCRA, section 605(d)(2))

This disclosure requirement applies to any application for a covered transaction, regardless of the final action on the application taken by the lender. The FCRA requires a financial institution to disclose all of the credit scores that were used in these transactions. For example, if two applicants jointly apply for a mortgage loan to purchase a single-family residence and the lender uses the credit scores of both, then both scores need to be disclosed. The statute specifically does not require that more than one disclosure be provided per loan; therefore, if multiple scores are used, all of them can be included in one disclosure containing the Notice to the Home Loan Applicant.

If a financial institution uses a credit score that was not obtained directly from a consumer reporting agency but may contain some information from a consumer reporting agency, this disclosure requirement can be satisfied by providing a score and associated key factor information that were supplied by the consumer reporting agency. For example, certain automated underwriting systems generate scores used in credit decisions. These systems are often populated by data obtained from consumer reporting agencies. If a financial institution uses such an automated system, the disclosure requirement can be satisfied by providing the applicants with a score and list of key factors supplied by a consumer reporting agency based on the data, including the credit score(s), that were imported into the automated system. Doing so will provide applicants with information about their credit history and its role in the credit decision, in the spirit of this section of the statute.

Timing

The statute requires that the disclosure be provided as soon as is reasonably practicable after the credit score is used.

Adverse Action Disclosures (FCRA, Sections 615(a) and (b))

The FCRA requires certain disclosures when adverse actions are taken with respect to consumers on the basis of information received from third parties. Specific disclosures are required depending on whether the source of the information is a consumer reporting agency, a third party other than a consumer reporting agency, or an affiliate. The disclosure requirements are discussed separately below.

Information Obtained from a Consumer Reporting Agency

Section 615(a) provides that when adverse action is taken with respect to any consumer that is based in whole or in part on any information contained in a consumer report, the financial institution must do all of the following:

• Provide oral, written, or electronic notice of the adverse action to the consumer

• Provide to the consumer, orally, in writing, or electronically,

– The name, address, and telephone number of the consumer reporting agency from which it received the information (including a toll-free telephone number established by the agency, if the agency maintains files on a nationwide basis)

– A statement that the consumer reporting agency did not make the decision to take the adverse action and is unable to give the consumer the specific reasons for the adverse action

• Provide to the consumer an oral, written, or electronic notice of (1) the consumer’s right to obtain a free copy of the consumer report from the consumer reporting agency, within sixty days of receiving notice of the adverse action, and (2) the consumer’s right to dispute the accuracy or completeness of any information in the consumer report with the consumer reporting agency

Information Obtained from a Source Other Than a Consumer Reporting Agency

Section 615(b)(1) provides that if credit for personal, family, or household purposes involving a consumer is denied or if the charge for such credit is increased, partially or wholly on the basis of information that was obtained from a person other than a consumer reporting agency and that bears on the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, the financial institution,

• At the time the adverse action is communicated to the consumer, must clearly and accurately disclose the consumer’s right to file a written request for the reasons for the adverse action, and

• If it receives such a request within sixty days after the consumer learns of the adverse action, must disclose, within a reasonable period of time, the nature of the adverse information. The information should be sufficiently detailed to enable the consumer to evaluate its accuracy. The source of the information need not be, but may be, disclosed. In some instances, it may be impossible to identify the nature of certain information without also revealing the source.

Information Obtained from an Affiliate

Section 615(b)(2) provides that if a person, including a financial institution, takes an adverse action involving credit (in connection with a transaction initiated by a consumer), insurance, or employment in whole or in part on the basis of information provided by an affiliate, it must notify the consumer that the information

• Is furnished to the person taking the action by a person related by common ownership, or affiliated by common corporate control, to the person taking the action;

• Bears upon the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;

• Is not information solely involving transactions or experiences between the consumer and the person furnishing the information; and

• Is not information in a consumer report.

The notification must inform the consumer of the adverse action and that the consumer may obtain a disclosure of the nature of the information relied on by making a written request within sixty days of transmittal of the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information received from the affiliate not later than thirty days after receiving the request.

Debt Collector Communications concerning Identity Theft (FCRA, Section 615(g))

Section 615(g) sets forth specific requirements for financial institutions that act as debt collectors, that is, financial institutions that collect debts on behalf of a third party that is a creditor or other user of a consumer report. The requirements do not apply when a financial institution is collecting its own loans. When a financial institution is notified that any information relating to a debt that it is attempting to collect may be fraudulent or may be the result of identity theft, the institution must notify the third party of this fact. In addition, if the consumer to whom the debt purportedly relates requests information about the transaction, the financial institution must provide all of the information the consumer would otherwise be entitled to if the consumer wished to dispute the debt under other provisions of law applicable to the financial institution.

Risk-Based Pricing Notice (FCRA, Section 615(h))

Section 615(h) requires users of consumer reports that grant credit on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers who get credit from or through that person to provide a notice to those consumers who did not receive the most favorable terms. Implementing regulations for this section are currently (as of August 2006) under development jointly by the Federal Reserve Board and the Federal Trade Commission. Financial institutions do not have to provide this notice until final regulations are implemented and effective. This section of the examination procedures will be written upon publication of final rules.


Fair Credit Reporting—Module 3 Examination Procedures

Use of Consumer Reports for Employment Purposes (FCRA, Section 604(b))

1. Determine whether the financial institution obtains consumer reports on current or prospective employees.

2. Assess the financial institution’s policies and procedures to determine if appropriate disclosures are provided to current and prospective employees when consumer reports are obtained for employment purposes, including in situations in which adverse actions are taken on the basis of consumer report information.

3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of the disclosures to determine if they are accurate and in compliance with the technical FCRA requirements.

Prescreened Consumer Reports and Opt-Out Notice (FCRA, Sections 604(c) and 615(d); and FTC Regulations, Parts 642 and 698)

1. Determine whether the financial institution obtained and used prescreened consumer reports in connection with offers of credit and/or insurance.

2. Evaluate the institution’s policies and procedures to determine if a list of the criteria used for prescreened offers, including all post-application criteria, is maintained in the institution’s files and the criteria are applied consistently when consumers respond to the offers.

3. Determine whether written solicitations contain the required disclosures of consumers’ right to opt out of prescreened solicitations and comply with all requirements applicable at the time of the offer.

4. If procedural weaknesses or other risks requiring further investigation are noted, obtain and review a sample of approved and denied responses to the offers to ensure that criteria were appropriately applied.

Truncation of Credit and Debit Card Account Numbers (FCRA, Section 605(g))

1. Determine whether the financial institution’s policies and procedures ensure that electronically generated receipts from automated teller machines and point-of-sale terminals or other machines do not contain more than the last five digits of the card number and do not contain the expiration date.

2. For ATMs and POS terminals or other machines that were put into operation before January 1, 2005, determine if the institution has brought the terminals into compliance or has begun a plan to ensure that these terminals comply by the mandatory compliance date of December 4, 2006.

3. If procedural weaknesses or other risks requiring further investigation are noted, review samples of actual receipts to ensure compliance.

Disclosure of Credit Scores by Certain Mortgage Lenders (FCRA, Section 609(g))

1. Determine whether the financial institution uses credit scores in connection with applications for closed-end or open-end loans secured by one- to four-family residential real property.

2. Evaluate the institution’s policies and procedures to determine whether accurate disclosures are provided to applicants as soon as is reasonably practicable after using credit scores.

3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of disclosures given to home loan applicants to determine technical compliance with the requirements.

Adverse Action Disclosures (FCRA, Sections 615(a) and (b))

1. Determine whether the financial institution’s policies and procedures adequately ensure that appropriate disclosures are provided when adverse action is taken against consumers on the basis of information received from consumer reporting agencies, other third parties, and/or affiliates.

2. Review the financial institution’s policies and procedures for responding to requests for information in response to these adverse action notices.

3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of adverse action notices to determine if they are accurate and in technical compliance.

Debt Collector Communications concerning Identity Theft (FCRA, Section 615(g))

1. Determine whether the financial institution collects debts for third parties.

2. Determine whether the financial institution has policies and procedures to ensure that the third parties are notified if the financial institution obtains any information that may indicate that the debt in question is the result of fraud or identity theft.

3. Determine if the institution has effective policies and procedures for providing information to consumers to whom the fraudulent debts relate.

4. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of instances in which consumers have alleged identity theft and requested information related to transactions to determine if all of the appropriate information was provided to the consumers.

Risk-Based Pricing Notice (FCRA, Section 615(h))

Section 615(h) requires users of consumer reports that grant credit on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers who get credit from or through that person to provide a notice to those consumers who did not receive the most favorable terms. Implementing regulations for this section are currently (as of August 2006) under development jointly by the Federal Reserve Board and the Federal Trade Commission. Financial institutions do not have to provide this notice until final regulations are implemented and effective. This section of the examination procedures will be written upon publication of final rules.


Fair Credit Reporting Examination Module 4: Duties of Users of Credit Reports and Furnishers of Consumer Information

Overview

The Fair Credit Reporting Act (FCRA) sets forth many responsibilities for financial institutions that use credit reports and furnish information to consumer reporting agencies. Those responsibilities generally concern ensuring the accuracy of the data that are placed in the consumer reporting system. This examination module addresses the various areas associated with users of credit reports and furnishers of information; it does not apply to financial institutions that do not furnish information to consumer reporting agencies.

Duties of Users of Credit Reports Regarding Address Discrepancies (Regulation V, Section 222.82)

Section 605(h)(1) of the Fair Credit Reporting Act requires that, when providing a consumer report to a person that requests the report (a user), a nationwide consumer reporting agency (NCRA) must provide a notice of address discrepancy to the user if the address provided by the user in its request “substantially differs” from the address the NCRA has in the consumer’s file. Section 605(h)(2) requires the federal banking agencies and the National Credit Union Administration (collectively, the Agencies) and the Federal Trade Commission to prescribe regulations providing guidance regarding reasonable policies and procedures that a user of a consumer report should employ when such user has received a notice of address discrepancy. On November 9, 2007, the agencies published final rules in the Federal Register (72 FR 63718) implementing this section.

Definitions

1. Nationwide consumer reporting agency. Section 603(p) defines an NCRA as one that compiles and maintains files on consumers on a nationwide basis and regularly engages in the practice of assembling or evaluating and maintaining the following two pieces of information about consumers residing nationwide for the purpose of furnishing consumer reports to third parties bearing on a consumer’s creditworthiness, credit standing, or credit capacity:

a. Public record information, and

b. Credit account information from persons who furnish that information regularly and in the ordinary course of business.

2. Notice of address discrepancy (12 CFR 222.82(b)). A “notice of address discrepancy” is a notice sent to a user by an NCRA (section 603(p)) that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the NCRA’s file for the consumer.

Requirement to Form a Reasonable Belief (12 CFR 222.82(c)).

A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that the consumer report relates to the consumer whose report was requested, when the user receives a notice of address discrepancy in connection with a new or existing account.

The rules provide the following examples of reasonable policies and procedures for forming a reasonable belief that a consumer report relates to the consumer whose report was requested:

1. Comparing information in the consumer report with information the user

a. Has obtained and used to verify the consumer’s identity as required by the Customer Identification Program rules (31 CFR 103.121);

b. Maintains in its records; or

c. Obtains from a third party.

2. Verifying the information in the consumer report with the consumer.

Requirement to Furnish a Consumer’s Address to an NCRA (12 CFR 222.82(d)).

A user must develop and implement reasonable policies and procedures for furnishing to the NCRA an address for the consumer that the user has reasonably confirmed is accurate when the user

1. Can form a reasonable belief that the report relates to the consumer whose report was requested;

2. Establishes a continuing relationship with the consumer (that is, in connection with a new account); and

3. Regularly, and in the ordinary course of business, furnishes information to the NCRA that provided the notice of address discrepancy.


A user’s policies and procedures for furnishing a consumer’s address to an NCRA must require the user to furnish the confirmed address as part of the information it regularly furnishes to the NCRA during the reporting period when it establishes a continuing relationship with the consumer.

The rules also provide the following examples of how a user may reasonably confirm an address is accurate:

1. Verifying the address with the consumer whose report was requested

2. Reviewing its own records

3. Verifying the address through third-party sources or

4. Using other reasonable means

Furnishers of Information—General (FCRA, Section 623)

The examination procedures for this subsection will be amended upon completion of interagency guidance for institutions regarding the accuracy and integrity of information furnished to consumer reporting agencies (the guidance is required by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)). An interagency working group will develop and publish the guidance for comment and will finalize it at a later date. The agencies will also, at a later date, write regulations regarding when furnishers must handle direct disputes from consumers.

In the interim, institutions that furnish information to consumer reporting agencies must comply with the existing FCRA requirements, which generally require accurate reporting and prompt investigation and resolution of disputes over accuracy. The examination procedures presented here are based largely on the procedures last approved by the FFIEC Task Force on Consumer Compliance in March 2000, but they have been revised to include new requirements under the 2003 amendments to the FCRA that do not require implementing regulations.

Duties of Furnishers to Provide Accurate Information

Section 623(a) states that a person, including a financial institution, may, but need not, specify an address to which consumers may send notices concerning inaccurate information. If the financial institution specifies such an address, then it may not furnish information relating to a consumer to any consumer reporting agency if (1) the institution has been notified by the consumer, at the specified address, that the information is inaccurate and (2) the information is in fact inaccurate. If the financial institution does not specify an address, then it may not furnish any information relating to a consumer to any consumer reporting agency if it knows or has reasonable cause to believe that the information is inaccurate.

When a financial institution that (regularly and in the ordinary course of business) furnishes information to one or more consumer reporting agencies about its transactions or experiences with any consumer determines that any such information is not complete or accurate, the institution must promptly notify the consumer reporting agency of that determination. Corrections to that information or any additional information necessary to make the information complete and accurate must be provided to the consumer reporting agency. Further, any information that remains incomplete or inaccurate must not thereafter be furnished to the consumer reporting agency.

If the completeness or accuracy of any information furnished by a financial institution to a consumer reporting agency is disputed by a consumer, that financial institution may not furnish the information to any consumer reporting agency without notice that the information is disputed by the consumer.

Voluntary Closures of Accounts

Section 623(a)(4) requires that any person, including a financial institution, that (regularly and in the ordinary course of business) furnishes information to a consumer reporting agency regarding a consumer who has a credit account with that institution notify the agency of the voluntary closure of the account by the consumer, in information regularly furnished for the period in which the account is closed.

Notice Involving Delinquent Accounts

Section 623(a)(5) requires that a person, including a financial institution, that furnishes information to a consumer reporting agency about a delinquent account being placed for collection, charged off, or subjected to any similar action, not later than ninety days after furnishing the information to the agency, notify the agency of the month and year of the commencement of the delinquency that immediately preceded the action.

Duties upon Notice of Dispute

Section 623(b) requires the financial institution to do the following whenever it receives a notice of dispute from a consumer reporting agency regarding the accuracy or completeness of any information provided by the institution to the agency pursuant to FCRA, section 611 (Procedure in Case of Disputed Accuracy):

• Conduct an investigation regarding the disputed information

• Review all relevant information provided by the consumer reporting agency along with the notice

• Report the results of the investigation to the consumer reporting agency

• If the disputed information is found to be incomplete or inaccurate, report those results to all nationwide consumer reporting agencies to which the financial institution previously provided the information

• If the disputed information is incomplete, inaccurate, or not verifiable by the financial institution, for purposes of reporting to the consumer reporting agency,

– Modify the item of information,

– Delete the item of information, or

– Permanently block the reporting of that item of information

The investigations, reviews, and reports required to be made must be completed within thirty days. The time period may be extended for fifteen days if a consumer reporting agency receives additional relevant information from the consumer.

Prevention of Re-Pollution of Consumer Reports (FCRA, Section 623(a)(6))

Section 623(a)(6) has specific requirements for furnishers of information, including financial institutions, to a consumer reporting agency that receives notice from a consumer reporting agency that the information furnished may be fraudulent as a result of identity theft. FCRA, section 605B, requires consumer reporting agencies to notify furnishers of information, including financial institutions, that the information may be fraudulent as a result of identity theft, that an identity theft report has been filed, and that a block has been requested. Section 623(a)(6) requires financial institutions, upon receiving such notice, to establish and follow reasonable procedures to ensure that this information is not re-reported to the consumer reporting agency, thus “re-polluting” the victim’s consumer report.

FCRA, section 615(f), also prohibits a financial institution from selling or transferring debt resulting from an alleged identity theft.

Negative Information Notice (FCRA, Section 623(a)(7))

Section 623(a)(7) requires financial institutions to provide consumers with a notice either before negative information is provided to a nationwide consumer reporting agency or within thirty days after reporting the negative information.

Financial institutions may provide this disclosure on or with any notice of default, any billing statement, or any other materials provided to the customer, as long as the notice is clear and conspicuous. Institutions may also choose to provide this notice to all customers as an abundance of caution. However, this notice may not be included in the initial disclosures provided under section 127(a) of the Truth in Lending Act.

Negative Information

For these purposes, negative information is any information concerning a customer’s delinquencies, late payments, insolvency, or any form of default.

Nationwide Consumer Reporting Agency

FCRA, section 603(p), defines a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis as one that regularly engages in the practice of assembling or evaluating and maintaining the following two pieces of information about consumers residing nationwide, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s creditworthiness, credit standing, or credit capacity:

• Public record information

• Credit account information from persons who furnish that information regularly and in the ordinary course of business

Model Notices

As required by the FCRA, the Federal Reserve Board developed the following model notices that financial institutions may use to comply with these requirements. One model notice is to be used when an institution chooses to provide a notice before furnishing negative information. The other is to be used when an institution provides a notice within thirty days after reporting negative information:

• Notice prior to communicating negative information (model B-1). “We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.”

• Notice within thirty days after communicating negative information (model B-2). “We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report.”

Use of the model notices is not required; however, proper use of the model notices provides financial institutions with a safe harbor from liability. Financial institutions may make certain changes to the language or format of the model notices without losing the safe harbor from liability provided by the models, but the changes may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the models. Institutions making such extensive revisions will lose the safe harbor from liability that the model notices provide. Acceptable changes include, for example,

• Rearranging the order of the references to “late payment(s)” or “missed payment(s)”;

• Pluralizing the terms “credit bureau,” “credit report,” and “account”;

• Specifying the particular type of account on which information may be furnished, such as “credit card account”; and

• Rearranging, in model B-1, the phrases “information about your account” and “to credit bureaus” such that it would read “We may report to credit bureaus information about your account.”


Fair Credit Reporting—Module 4 Examination Procedures

1. Determine whether a user of consumer reports has policies and procedures to recognize notices of address discrepancy that it receives from a nationwide consumer reporting agency (NCRA)[16] in connection with consumer reports.

2. Determine whether a user that receives notices of address discrepancy has policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested (12 CFR 222.82(c)).

See examples of reasonable policies and procedures “to form a reasonable belief” in 12 CFR 222.82(c)(2).

3. Determine whether a user that receives notices of address discrepancy has policies and procedures in place to furnish to the NCRA an address for the consumer that the user has reasonably confirmed is accurate, if the user

a. Can form a reasonable belief that the report relates to the consumer;

b. Establishes a continuing relationship with the consumer; and

c. Regularly, and in the ordinary course of business, furnishes information to the NCRA (12 CFR 222.82(d)(1)).

See examples of reasonable confirmation methods in 12 CFR 222.82(d)(2).

4. Determine whether the user’s policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to an NCRA during the reporting period when it establishes a relationship with the consumer (12 CFR 222.82(d)(3)).

5. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of consumer reports requested by the user from an NCRA that included notices of address discrepancy and determine

a. How the user established a reasonable belief that the consumer reports related to the consumers whose reports were requested; and

b. If a consumer relationship was established,

i. Whether the institution furnished a consumer’s address that it reasonably confirmed to the NCRA from which it received the notice of address discrepancy; and

ii. Whether it furnished the address in the reporting period during which it established the relationship.

Conclusion: On the basis of examination procedures completed, form a conclusion about the ability of the user’s policies and procedures to meet regulatory requirements for the proper handling of address discrepancies reported by an NCRA.

Furnishers of Information—General (FCRA, Section 623)

1. Determine whether the financial institution provides information to consumer reporting agencies.

2. Review the financial institution’s policies and procedures for ensuring compliance with the FCRA requirements for furnishing information to consumer reporting agencies.

3. If procedural weaknesses or other risks requiring further investigation are noted, such as a high number of complaints from consumers regarding the accuracy of their consumer report information furnished by the financial institution, select a sample of reported items and the corresponding loan or collection file to determine that the institution did the following:

a. Did not report information that it knew, or had reasonable cause to believe, was inaccurate (§ 623(a)(1)(A))

b. Did not report information to a consumer reporting agency if it was notified by the consumer that the information was inaccurate and the information was, in fact, inaccurate (§ 623(a)(1)(B))

c. Provided the consumer reporting agency with corrections or additional information to make the information complete and accurate, and thereafter did not send the consumer reporting agency the inaccurate or incomplete information (§ 623(a)(2))

d. Furnished a notice to a consumer reporting agency of a dispute in situations in which a consumer disputed the completeness or accuracy of any information the institution furnished, and the institution continued furnishing the information to a consumer reporting agency (§ 623(a)(3))

e. Notified the consumer reporting agency of a voluntary account-closing by the consumer, and did so as part of the information regularly furnished for the period in which the account was closed (§ 623(a)(4))

f. Notified the consumer reporting agency of the month and year of commencement of a delinquency that immediately preceded the action of placing the delinquent account for collection, charging it off, or similar action. The notification to the agency must be made within ninety days of furnishing information to the agency about a delinquent account being placed for collection, charged off, or subjected to any similar action (§ 623(a)(5))

[16] An NCRA compiles and maintains files on consumers on a nationwide basis. As of the effective date of the rule (January 1, 2008), there were three such consumer reporting agencies: Experian, Equifax, and TransUnion (section 603(p) of FCRA (15 USC 1681a)).

4. If weaknesses within the financial institution’s procedures for investigating errors are revealed, review a sample of notices of disputes received from a consumer reporting agency and determine whether the institution did the following:

a. Conducted an investigation with respect to the disputed information (§ 623(b)(1)(A))

b. Reviewed all relevant information provided by the consumer reporting agency (§ 623(b)(1)(B))

c. Reported the results of the investigation to the consumer reporting agency (§ 623(b)(1)(C))

d. Reported the results of the investigation to all other nationwide consumer reporting agencies to which the information was furnished, if the investigation found that the reported information was inaccurate or incomplete (§ 623(b)(1)(D))

e. Modified, deleted, or blocked the reporting of information that could not be verified

Prevention of Re-Pollution of Consumer Reports (FCRA, Section 623(a)(6))

1. If the financial institution provides information to a consumer reporting agency, review the institution’s policies and procedures for ensuring that items of information blocked because of an alleged identity theft are not re-reported to the consumer reporting agency.

2. If weaknesses are noted within the financial institution’s policies and procedures, review a sample of notices from a consumer reporting agency of allegedly fraudulent information due to identity theft furnished by the financial institution, to determine whether the institution does not re-report the item to a consumer reporting agency.

3. If procedural weaknesses or other risks requiring further investigation are noted, verify that the financial institution has not sold or transferred a debt that resulted from an alleged identity theft.

Negative Information Notice (FCRA, Section 623(a)(7))

1. If the financial institution provides negative information to a nationwide consumer reporting agency, verify that the institution’s policies and procedures ensure that the appropriate notices are provided to customers.

2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of notices provided to consumers to determine compliance with the technical content and timing requirements.


Fair Credit Reporting Examination Module 5: Consumer Alerts and Identity Theft Protections

Overview

The Fair Credit Reporting Act (FCRA) contains several provisions for both consumer reporting agencies and users of consumer reports, including financial institutions, that are designed to help combat identity theft. This module applies to financial institutions that are not consumer reporting agencies but are users of consumer reports. In addition, this module applies to debit and credit card issuers.

There are two primary requirements for users of consumer reports: (1) a user of a consumer report that contains a fraud or active duty alert must take steps to verify the identity of the individual to whom the consumer report relates and (2) a financial institution must disclose certain information when consumers allege that they are the victim of identity theft.

The primary responsibility for card issuers is to assess the validity of address changes before issuing additional or replacement cards.

Fraud and Active Duty Alerts (FCRA, Section 605A(h))

Initial Fraud and Active Duty Alerts

A consumer who suspects that he or she may be the victim of fraud, including identity theft, may ask nationwide consumer reporting agencies to place initial fraud alerts in his or her consumer reports. These alerts must remain in the consumer’s report for no less than ninety days. In addition, members of the armed services who are called to active duty may request that active duty alerts be placed in their consumer reports. Active duty alerts must remain in these service members’ files for no less than twelve months.

Section 605A(h)(1)(B) requires users of consumer reports, including financial institutions, to verify a consumer’s identity if a consumer report includes a fraud or active duty alert. Unless the financial institution uses reasonable policies and procedures to form a reasonable belief that it knows the identity of the person making the request, the financial institution may not

• Establish a new credit plan or extension of credit (other than under an open-end credit plan) in the name of the consumer,

• Issue an additional card on an existing account, or

• Increase a credit limit.

Extended Alerts

Consumers who allege that they are the victim of identity theft may also place an extended alert, which lasts seven years, on their consumer report. Extended alerts require consumers to submit identity theft reports and appropriate proof of identity to the nationwide consumer reporting agencies.

Section 605A(h)(2)(B) requires a financial institution that obtains a consumer report that contains an extended alert to contact the consumer in person, or by the method listed by the consumer in the alert, prior to taking any of the three actions listed above.

Information Available to Victims (FCRA, Section 609(e))

Section 609(e) requires financial institutions to provide records of fraudulent transactions to victims of identity theft within thirty days after receiving a request for the records. These records include the application and business transaction records under the control of the financial institution, whether maintained by the institution or another person on behalf of the institution (such as a service provider). This information should be provided to one of the following:

• The victim

• Any federal, state, or local government law enforcement agency or officer specified by the victim in the request

• Any law enforcement agency investigating the identity theft that was authorized by the victim to take receipt of these records

The request for the records must be made by the victim in writing and must be sent to the financial institution to the address specified by the institution for this purpose. The financial institution may ask the victim to provide information, if known, regarding the date of the transaction or application and any other identifying information, such as an account or transaction number.

Unless the financial institution, at its discretion, otherwise has a high degree of confidence that it knows the identity of the victim making the request for information, before disclosing any information to the victim it must take prudent steps to positively identify the person requesting the information. Proof of identity can include any of the following:


• A government-issued identification card

• Personally identifying information of the same type that was provided to the financial institution by the unauthorized person

• Personally identifying information that the financial institution typically requests from new applicants or for new transactions

At the election of the financial institution, the victim must also provide the institution with proof of an identity theft complaint, which may consist of a copy of a police report evidencing the claim of identity theft and a properly completed affidavit. The affidavit may be either the standardized affidavit form prepared by the Federal Trade Commission (published in April 2005 in the Federal Register at 70 FR 21792) or an “affidavit of fact” that is acceptable to the financial institution for this purpose.

When these conditions are met, the financial institution must provide the information at no charge to the victim. However, the institution is not required to provide any information if, acting in good faith, it determines that

• Section 609(e) does not require disclosure of the information;

• It does not have a high degree of confidence in knowing the true identity of the requestor, based on the identification and/or proof provided;

• The request for information is based on a misrepresentation of fact by the requestor; or

• The information requested is Internet navigational data or similar information about a person’s visit to a web site or online service.

Duties of Card Issuers Regarding Changes of Address (FCRA, Section 615(e)(1)(c) and Regulation V, Section 222.91)

Background

Section 615(e)(1)(C) of the Fair Credit Reporting Act requires the federal banking agencies (agencies) and the Federal Trade Commission to prescribe regulations for debit and credit card issuers regarding the assessment of the validity of address changes for existing accounts. The regulations require card issuers to have procedures to assess the validity of an address change if the card issuer receives a notice of change of address for an existing account, and within a short period of time (during at least the first 30 days) receives a request for an additional or replacement card for the same account. On November 9, 2007, the agencies published final rules in the Federal Register (72 FR 63718) implementing this section.

Definitions (12 CFR 222.91(b))

The following definitions pertain to the rules governing the duties of card issuers regarding changes of address:

1. A cardholder is a consumer who has been issued a credit or debit card.

2. Clear and conspicuous means reasonably understandable and designed to call attention to the nature and significance of the information presented.

Address Validation Requirements (12 CFR 222.91(c))

A card issuer must establish and implement policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. In such situations, the card issuer must not issue an additional or replacement card until it assesses the validity of the change of address in accordance with its policies and procedures.

The policies and procedures must provide that the card issuer will

1a. Notify the cardholder of the request for an additional or replacement card

(i) At the cardholder’s former address, or

(ii) By any other means of communication that the card issuer and the cardholder have previously agreed to use, and

1b. Provide to the cardholder a reasonable means of promptly reporting incorrect address changes, or

2. Assess the validity of the change of address according to the procedures the card issuer has established as a part of its Identity Theft Prevention Program (12 CFR 222.90).

Alternative Timing of Address Validation (12 CFR 222.91(d))

A card issuer may satisfy the requirements of these rules prior to receiving any request for an additional or replacement card by validating an address (by one of the methods in 12 CFR 222.91(c)) when it receives an address change notification.

Form of Notice (12 CFR 222.91(e))

Any written or electronic notice that a card issuer provides to satisfy these rules must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.

Fair Credit Reporting—Module 5 Examination Procedures

Fraud and Active Duty Alerts (FCRA, Section 605A(h))

1. Determine whether the financial institution has effective policies and procedures in place to verify the identity of consumers in situations in which consumer reports include fraud and/or active duty military alerts.

2. Determine if the financial institution has effective policies and procedures in place to contact consumers in situations in which consumer reports include extended alerts.

3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of transactions in which consumer reports including these types of alerts were obtained. Verify that the financial institution complied with the identity verification and/or consumer contact requirements.

Information Available to Victims (FCRA, Section 609(e))

1. Review financial institution policies, procedures, and/or practices to determine whether identities and claims of fraudulent transactions are verified and whether information is properly disclosed to victims of identity theft and/or appropriately authorized law enforcement agents.

2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of requests of these types to determine whether the financial institution properly verified the requestor’s identity prior to disclosing the information.

Duties of Card Issuers Regarding Changes of Address (FCRA, Section 615(e))

1. Verify that the card issuer has policies and procedures to assess the validity of a change of address if

• It receives notification of a change of address for a consumer’s debit or credit card account; and

• Within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account (12 CFR 222.91(c)).

2. Determine whether the policies and procedures prevent the card issuer from issuing additional or replacement cards until it

• Notifies the cardholder at the cardholder’s former address or by any other means previously agreed to and provides the cardholder a reasonable means to promptly report an incorrect address change (12 CFR 222.91(c)(1)(i)-(ii)); or

• Assesses the validity of the address change in accordance with its procedures established under its Identity Theft Prevention Program (12 CFR 222.91(c)(2)).

In the alternative, a card issuer may validate a change of address request when it is received, using the above methods, prior to receiving any request for an additional or replacement card (12 CFR 222.91(d)).

3. Determine whether any written or electronic notice sent to cardholders for purposes of validating a change of address request is clear and conspicuous and is provided separately from any regular correspondence with the cardholder (12 CFR 222.91(e)).

4. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of notifications from cardholders of changes of address and requests for additional or replacement cards to determine whether the card issuer complied with the regulatory requirement to evaluate the validity of the notice of address change before issuing additional or replacement cards.

Conclusion: On the basis of examination procedures completed, form a conclusion about whether a card issuer’s policies and procedures effectively meet regulatory requirements for evaluating the validity of change of address requests received in connection with credit or debit card accounts.

Fair Credit Reporting Examination Module 6: Requirements for Consumer Reporting Agencies

Module 6, covering institutions that are considered consumer reporting agencies, will be added later.
