Consumer Contact Laws: Chapter 11

Question 1

Fair Credit Reporting Act - FCRA, Regulation V

Answer 1

Congress enacted the Fair Credit Reporting Act (FCRA) in an effort to ensure accurate and fair credit reporting by consumer reporting agencies. This act regulates consumer reporting agencies (CRAs); it regulates both those that provide and those that use consumer credit information. FCRA regulates how CRAs use and report a consumer’s information, and is overseen by the CFPB.

Due to the growing concern of identity theft and the proper procedures needed to prevent it, the Fair and Accurate Credit Transactions Act (FACTA) amendments were incorporated into FCRA. These amendments require lenders to help protect against identity theft and to properly dispose of consumer information. Under FACTA, consumers can obtain a free credit report once a year from CRAs, such as Equifax, Experian, and TransUnion, and consumers must receive a credit score disclosure when their credit report is reviewed.

The official site to request the free report is AnnualCreditReport.com.

Question 2

FCRA

Answer 2

Fair Credit Reporting Act

Question 3

FACTA

Answer 3

Fair and Accurate Credit Transactions Act

Question 4

What FCRA Requires

Answer 4

Requires CRAs to adopt reasonable procedures that ensure a consumer’s information is handled confidentially and accurately in an equitable and fair way. The act limits access to a consumer’s information and requires that only parties with a permissible purpose receive a copy of the consumer’s credit report from a CRA.

Lenders and consumer reporting agencies must guarantee the accuracy of a consumer’s credit report. The report and maintenance of accurate information is extremely important for the consumer. Inaccurate information can prevent an otherwise qualifying consumer from obtaining credit.

Question 5

What FACTA Requires

Answer 5

FACTA added provisions to the law that include the following responsibilities for CRAs:
• All derogatory (negative) credit information must be reported on a consumer’s report (credit report) for no longer than 7 years.
• Bankruptcies must be reported for no longer than 10 years.
• The consumer’s credit score and a description of key factors that affect their credit score must be included in the report.
• Indication of an account closed or disputed by a consumer must be reported.
• For a disputed account, responses must be provided within 30 days to the consumer.

Question 6

The Disposal Rule

Answer 6

All persons under the jurisdiction of FACTA must take reasonable measures to protect against identify theft by disposing of the consumer’s information. FACTA considers reasonable measures as burning, pulverizing, or shredding papers; and destroying or erasing electronic files or media containing consumer report information so that they cannot be read or reconstructed.

Question 7

Fraud Alerts

Answer 7

Under FCRA and FACTA the following are necessary measures to prevent identity theft:
• CRAs must place a one-call fraud alert on a consumer’s credit report if the consumer claims a suspicion that they are or will be a victim of identity theft. This fraud alert must be filed in the consumer’s credit report for a period of not less than 12 months.
• CRAs must place an extended fraud alert on a consumer’s credit report if the consumer submits an identity theft report to the CRA. A fraud alert must be filed for at least 7 years.
• CRAs must place an active duty alert on a consumer’s credit report if the consumer, who is on active military duty, requests a notice of their status during their time away. This alert must be filed for at least 12 months.
• CRAs must display their contact information on a consumer report.
• CRAs must block the information of a consumer that requests such alerts listed above and do so within 4 business days of request so that no new credit extensions can be made during the period of the freeze.5
• As an MLO, you need to be familiar with the different types of fraud alerts because you will see them when you pull credit. You will be notified as soon as you try to access the credit information of someone with a fraud alert.

Question 8

Red Flags Rule

Answer 8

FCRA and FACTA require the development, implementation, and administration of identity theft prevention programs at CRAs. This framework, known as the Red Flags Rule, requires that an identity theft prevention program include 3 basic elements to address the threat of identity theft:

1. Identify relevant red flags by detecting patterns and practices that indicate possible identity theft
2. Create reasonable guidelines to address a credit transaction occurring on an inactive account (inactive for more than 2 years) and provide notice to the consumer
3. Verify guidelines and procedures established for proper implementation through internal controls (quality control), a compliance officer, and training programs

The Red Flags Rule is regulated by the Federal Trade Commission (FTC).

Question 9

Penalties Under FCRA & FACTA

Answer 9

Action can be taken against a mortgage professional or institution for 2 years after the date of discovery of the FCRA or FACTA violation, and must be taken within 5 years of the violation.

Obtaining information under false pretenses or misleading consumers in regards to disclosures can result in a fine and 2 years of imprisonment. The civil penalty for willful non-compliance of FCRA and FACTA is actual damages, punitive damages, and any attorney’s fees.

Question 10

Disclosures Required Under FCRA/FACTA

Answer 10

Notice of Right to Receive Credit Score
• Must be delivered to the consumer at time of completed application or within 3 business days if mailed.
• Informs the borrower of their right to obtain their credit score after making an inquiry for financing and how to request a copy of their credit report.

Question 11

Simplifying the Gramm-Leach-Bliley Act - GLBA

Answer 11

GLBA is divided into many parts. The two key components that will impact your work as an MLO are the privacy protections found under Regulation P and the requirements for formal planning and protection in the FTC Safeguards Rule.

The regulatory authority for the privacy and pretexting protections (Regulation P) found in GLBA is the CFPB. All other rules of the act, such as the Safeguards Rule, are regulated by the Federal Trade Commission (FTC).

The terms used to describe consumer and customer in financial service industries are formally defined in GLBA. These definitions help to determine how that individual’s information is handled by institutions during the transaction process.

Question 12

Privacy - Regulation P

Answer 12

Regulation P requires financial institutions to exercise certain conduct with relation to a consumer’s and customer’s non-public information.1 Examples of non-public information are your driver’s license number, social security number, account numbers and account balances; all information that is not made public.

Below are the objectives and requirements of this regulation:
• Financial institutions must follow certain principles when disclosing non-public information about consumers to non-affiliated third parties.
• Consumers must have an opportunity to prevent a financial institution from disclosing their non- public information with most non-affiliated third parties.

These protections are regulated and enforced by the CFPB and include privacy policy, opt out, and pretexting rules.

Question 13

Regulation P: Pretexting/Phishing

Answer 13

In order to further protect a customer’s financial information, GLBA outlines certain protections against pretexting. Pretexting, otherwise known as phishing, is the act of obtaining an individual’s non-public personal information through false pretenses (without authorization).

Perhaps you didn’t know what it was called when you received that mysterious e-mail from the long forgotten member of some faraway royal kingdom who wanted to hide his millions in your bank account and all you had to do was provide your name, social security number and bank account information. Now you know, it’s called phishing!

Question 14

Regulation P: Privacy Policy Disclosures

Answer 14

Institutions must provide privacy notices in such a way that the consumer can expect to receive the actual notice in writing or electronically if so desired.
The threshold for expectation of receiving the actual notice is met if the institution:
• Hand delivers a printed copy of the notice to the borrower
• Mails a printed copy to the borrower’s most recent address
• In cases of electronic transmission, the notice may be posted on an electronic site with the consumer required to acknowledge receipt
• In isolated transactions such as usage of an ATM, it is acceptable to post the notice on the device’s screen requiring the consumer to acknowledge receipt of the notice
• For annual notices only, the reasonable expectation is met if the customer accesses a website or portal to conduct their business and agrees to receive the notice via that website.

In circumstances where the customer requests that the institution not send the notices it is acceptable that the institution’s privacy policy remains available to the customer upon request.

Question 15

Gramm-Leach-Bliley Act - GLBA: Initial Privacy Notice

Answer 15

Financial institutions must provide an initial privacy notice explaining what information the institution gathers, where this information is shared, and how the institution safeguards that information. This initial privacy notice must be given to:
• A customer no later than when a customer relationship is established; and
• A consumer before the institution discloses any non-public personal information about the consumer to any non-affiliated third party (if applicable). If the institution does not provide this information to non- affiliated third parties, then the privacy notice is not required.

Question 16

Gramm-Leach-Bliley Act - GLBA: Annual Privacy Notice

Answer 16

Throughout a customer relationship, financial institutions must provide an annual privacy notice to their customers. The annual notice contains the same information as the initial privacy notice, as well as a notice of the right to opt out of information being shared, and an explanation of how to do so.

Question 17

Gramm-Leach-Bliley Act - GLBA: Opting Out

Answer 17

Financial institutions are required to disclose to a consumer that they have a reasonable opportunity to opt out of allowing information to be shared in both the Initial Privacy Notice and the Annual Privacy Notice. Opting out allows the consumer to prevent their nonpublic information from being shared with the institution’s non-affiliated third parties. The opt out notice should include an explanation of the kind of information that the institution may
disclose, as well as reasonable means to opt out. This disclosure must be in writing or in electronic form, and must be provided to the consumer before their information is shared. There is no specific time frame associated with the opt-out period, just that it must be a reasonable period of time.

Question 18

Gramm-Leach-Bliley Act - GLBA: FTC Safeguards Rule

Answer 18

The FTC issued the Safeguards Rule, which requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue, protecting consumers’ non-public personal information. It applies to the information of any consumers (past or present) of the financial institution’s products or services. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their processes.

Question 19

Do Not Call Laws

Answer 19

The significant advancements in technology and data collection allow many industries to use telemarketing as an effective tool to reach both current and potential customers. With the growth of telemarketing came consumer complaints related to unwanted calls. Due to consumer unhappiness, Do Not Call regulations were created. Because of the significant use of telemarketing techniques within the mortgage industry, it is necessary to review these regulations.

The Do Not Call regulations put the consumer in control of which phone calls they receive. These regulations stemmed from several laws and eventually resulted in the Do Not Call Registry.

With different scopes, the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) regulate telemarketing rules established by these acts. The FCC is capable of overseeing interstate (national) and intrastate (in-state) calls. The FTC typically focuses its regulatory energies on interstate calls, which are calls made from one state, such as Wyoming, to another state, such as Maine.

Persons regulated by Do Not Call laws include any telemarketing company or individual, that uses solicitation to gain business.

Question 20

Telephone Consumer Protection Act (TCPA)

Answer 20

The Telephone Consumer Protection Act (TCPA) regulates the conduct of telephone solicitations and sets certain standards. Under this act, the Federal Communication Commission (FCC) requires that solicitors maintain a Do Not Call list for those consumers who wish to avoid solicitation, and it limits telephone solicitation between the hours of 8 a.m. and 9 p.m.

Question 21

Do Not Call Improvement Act

Answer 21

The Do Not Call Improvement Act was passed to amend the Do Not Call Implementation Act. Under this act, consumers who register their phone number with the Do Not Call Registry will remain in the registry forever (instead of only 5 years), unless the number is invalid, disconnected, reassigned, or the consumer requests to be taken off. In addition, telemarketers must stop calling a phone number within 31 days of its registration into the Do Not Call Registry and from calling cell phone numbers. Cell phone numbers are automatically entered into the Do Not Call Registry.

Telemarketing rules require that records from call activities be kept for a period of 24 months following the action. These records include:
• Advertising materials such as brochures, call scripts and promotional materials
• Name and address of prize recipients who are awarded prizes or promotional gifts in excess of $25
• Name and address of customers, the good or service purchased, and the amount paid
• The name (or fictitious name), home address and telephone number of the telemarketing solicitor
• Any verified authorizations or informed consent provided by the consumer2
• Fines for violation of the Do Not Call Act can be as high as $43,280 per violation.

Question 22

E-Sign Act

Answer 22

The E-SIGN Act is the general rule governing electronic records and signatures for commerce in the United States and those transactions in the global marketplace. The Act allows for the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be in writing. The E-SIGN Act also indicates that oral communications do not qualify as an electronic record.
The regulatory authority for the E-SIGN Act is dependent on the law governing the item being E-Signed. For example, if the item being signed is the Truth-In-Lending Disclosure, then the regulatory authority would be the CFPB which has regulatory authority over the Truth In Lending Act (TILA).

Question 23

E-Sign Act Requirements

Answer 23

The E-Sign Act requires that:
• Prior to making an agreement involving electronically-delivered documents, a disclosure must be provided indicating that the consumer has the right to receive the signed agreement in paper form.
• A statement indicating whether the provided disclosure is specific only to the agreement that was e-signed or to a group of documents with which the e-signed agreement is associated.
• The steps needed for the consumer to withdraw their consent to the agreement.
• How the consumer can obtain a paper copy of the agreement regardless of whether or not they agreed to utilize the electronic method for agreement.
• Before agreeing to the use of electronic records, the consumer must be provided with a statement indicating the hardware and software needed to access and use the electronic record. Should the hardware or software requirements change, the E-Sign Act requires that the consumer must be notified of the change.

Question 24

Mortgage Acts And Practices - Advertising

MAP, Regulation N

Answer 24

Mortgage Acts and Practices — Advertising (MAP, Regulation N) protects consumers from mortgage-related misrepresentations in advertising and is regulated by the CFPB.

The activities that apply to this rule include any commercial communication by a mortgage professional. A commercial communication is defined as a statement, illustration, or depiction meant to generate interest in the purchase of goods or services. Commercial communications can be in or on any form of media, such as packages, magazines, radio, web pages, billboards, cellular networks, and letters.

Violations can be penalized by any attorney general or other officer of a state, or by the CFPB.

Copies of commercial communication must be retained for 2 years from the last date of the commercial communication. Documents about available mortgage loan programs must also be retained for 2 years.