Fair Credit Reporting Act

Question 1

Sector

Answer 1

Financial

Question 2

Year passed/amended

Answer 2

1970; amended in 1996 to strengthen consumer access and correction rights and handle pre-screening; amended by FACTA in 2003

Question 3

Original purpose

Answer 3

Regulate the consumer reporting industry and provide privacy rights in consumer reports

Question 4

Primary requirements

Answer 4

(a) Mandates accurate and relevant data collection for consumer reports;
(b) provides consumers with access to consumer reports; and
(c) limits the use of consumer reports to defined permissible purposes

Question 5

Entities subject to law

Answer 5

1. “Consumer reporting agencies” (CRAs): entities that furnish “consumer reports” used primarily for assisting in consumers’ eligibility for credit
   a. CRA: any person or entity that compiles or evaluates personal information for the purpose of furnishing credit reports for a fee.
2. Users of consumer reports

Question 6

Term for relevant PII or regulated data

Answer 6

Consumer report

Question 7

Definition of PII or regulated data

Answer 7

Any communication by a CRA related to an individual that pertains to the person’s

(a) creditworthiness;
(b) credit standing;
(c) credit capacity;
(d) character;
(e) general reputation;
(f) personal characteristics; or
(g) mode of living

Question 8

Civil or criminal penalties?

Answer 8

Civil only

Question 9

Enforcing authority - Civil

Answer 9

FTC
CFPB
State attorneys general (individually or collectively). Note: states must give FTC notice before filing and FTC can intervene

Question 10

Penalties - Civil

Answer 10

Actual damages, plus statutory damages of at least $1,000 per violation or at least $3,756 for willful violations

Question 11

Preemption?

Answer 11

Yes (FACTA), except for stronger state laws regarding identity theft. Some states’ laws were explicitly not preempted:
Regarding credit scores and insurers: California and Colorado not exempted;
Regarding frequency of free credit reports: Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey and Vermont not preempted.

Question 12

Private right of action?

Answer 12

Yes, specifically for disputes regarding accuracy of data. The consumer must first make a request with the CRA to correct. If the dispute can’t be resolved that way, then the consumer has a private right of action

Question 13

FIP individual rights provided

Answer 13

Notice, consent, access (all three)

Question 14

Notice requirements

Answer 14

Consumers must receive notice when third-party data is used to make adverse decisions about them. Notice must include:

(a) name, address and phone of the CRA;
(b) a statement that the CRA did not make the adverse decision and is not able to explain why the decision was made;
(c) a statement explaining the right to a free disclosure from the CRA within 60 days;
(d) a statement explaining the right to dispute the accuracy with the CRA.

Employers must provide notice to the consumer before obtaining a report.

There are stronger notice requirements for investigative consumer reports

For pre-screening, the communication must include notice of the right to opt out

Question 15

Exceptions for notice

Answer 15

For employers, employee investigations are not treated as consumer reports (and so are not subject to FCRA), so long as:

(a) employer complies with procedures set forth in the act;
(b) no credit information is used; and
(c) a summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken.

Question 16

Consent provisions

Answer 16

None for most types of information.

For employment, the employee must provide general consent (can be obtained at the time of employment).

For medical information (other than mere payment codes):

(a) in an insurance transaction, the consumer must provide consent or the information must be coded;
(b) in an employment context, the employee must provide specific written consent (and the information must be relevant).

Consumers can opt out of prescreened lists (once they receive an offer)

Question 17

Exceptions for consent

Answer 17

none mentioned

Question 18

Access provisions

Answer 18

Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors.

FACTA: one free credit report from each of the three national consumer credit reporting agencies.

Question 19

FIP Controls Addressed

Answer 19

Information security, information quality (i.e. both)

Question 20

Information security provisions

Answer 20

FACTA: financial institutions and creditors must implement “red flag” program to deter identity theft (no specific list of red flags).

FACTA: receipts must truncate credit and debit card numbers

Question 21

Information quality provisions

Answer 21

Data must be appropriately accurate, current, and complete.

CRAs must take reasonable steps to ensure the maximum possible accuracy.

CRAs can’t report negative data that is outdated (account data more than 7 years old; bankruptcies more than 10 years old)

Question 22

FIP information lifecycle provisions covered

Answer 22

collection/disposal, use and retention, disclosure (i.e. all three)

Question 23

Collection/disposal requirements

Answer 23

FACTA disposal rule: users of credit reports must dispose of consumer information in a way that “reasonably” prevents unauthorized access and misuse, proportionate to the sensitivity of the information.

For prescreening, companies must pre-establish collection criteria

Question 24

Use and retention requirements

Answer 24

Consumer reports may only be used for enumerated permissible purposes:

(a) by court order;
(b) by written instruction from the consumer;
(c) for the extension of credit, or for insurance underwriting, after an application from the consumer;
(d) to review or collect on a consumer’s account;
(e) for employment purposes, with written consent;
(f) for legitimate business purposes in a transaction initiated by the consumer;
(g) by government agencies, for a few different purposes;
(h) to value an existing credit obligation;
(i) for prescreened offers

Users must provide a certification of the permissible purpose for which they will use the information

Question 25

Disclosure requirements

Answer 25

The whole thing is about disclosure of the consumer report.

Question 26

Redisclosure requirements

Answer 26

for medical information, no redisclosure is permitted except where necessary to carry out the business purpose for which the information was disclosed, or as permitted by statute, regulation, or court order

Question 27

Right to list of disclosures?

Answer 27

Yes, and CRAs must maintain a record of disclosures

Question 28

FIP management principles addressed

Answer 28

Administration, monitoring and enforcement (i.e., both)

Question 29

Administration requirements

Answer 29

FACTA: red flags rule

Question 30

Monitoring and enforcement requirements

Answer 30

FACTA: red flags rule