Fair Credit Reporting Act Flashcards
Sector
Financial
Year passed/amended
1970; amended in 1996 to strengthen consumer access and correction rights and handle pre-screening; amended by FACTA in 2003
Original purpose
Regulate the consumer reporting industry and provide privacy rights in consumer reports
Primary requirements
(a) Mandates accurate and relevant data collection for consumer reports;
(b) provides consumers with access to consumer reports; and
(c) limits the use of consumer reports to defined permissible purposes
Entities subject to law
- “Consumer reporting agencies” (CRAs): entities that furnish “consumer reports” used primarily for assisting in consumers’ eligibility for credit
  a. CRA: any person or entity that compiles or evaluates personal information for the purpose of furnishing credit reports for a fee.
- Users of consumer reports
Term for relevant PII or regulated data
Consumer report
Definition of PII or regulated data
Any communication by a CRA related to an individual that pertains to the person’s
(a) creditworthiness;
(b) credit standing;
(c) credit capacity;
(d) character;
(e) general reputation;
(f) personal characteristics; or
(g) mode of living
Civil or criminal penalties?
Civil only
Enforcing authority - Civil
FTC
CFPB
State attorneys general (individually or collectively). Note: states must give FTC notice before filing and FTC can intervene
Penalties - Civil
Actual damages, plus statutory damages of at least $1,000 per violation or at least $3,756 for willful violations
Preemption?
Yes (FACTA), except for stronger state laws regarding identity theft. Some states’ laws were explicitly not preempted:
Regarding credit scores and insurers: California and Colorado not exempted;
Regarding frequency of free credit reports: Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey and Vermont not preempted.
Private right of action?
Yes, specifically for disputes regarding accuracy of data. The consumer must first make a request with the CRA to correct. If the dispute can’t be resolved that way, then the consumer has a private right of action
FIP individual rights provided
Notice, consent, access (all three)
Notice requirements
Consumers must receive notice when third-party data is used to make adverse decisions about them. Notice must include:
(a) name, address and phone of the CRA;
(b) a statement that the CRA did not make the adverse decision and is not able to explain why the decision was made;
(c) a statement explaining the right to a free disclosure from the CRA within 60 days;
(d) a statement explaining the right to dispute the accuracy with the CRA.
Employers must provide notice to the consumer before obtaining a report.
There are stronger notice requirements for investigative consumer reports
For pre-screening, the communication must include notice of the right to opt out
Exceptions for notice
For employers, employee investigations are not treated as consumer reports (and so are not subject to FCRA), so long as:
(a) employer complies with procedures set forth in the act;
(b) no credit information is used; and
(c) a summary describing the nature and scope of the inquiry is provided to the employee if an adverse action is taken.
Consent provisions
None for most types of information.
For employment, the employee must provide general consent (can be obtained at the time of employment).
For medical information (other than mere payment codes):
(a) in an insurance transaction, the consumer must provide consent or the information must be coded;
(b) in an employment context, the employee must provide specific written consent (and the information must be relevant).
Consumers can opt out of prescreened lists (once they receive an offer)
Exceptions for consent
None mentioned
Access provisions
Consumers must have access to their consumer reports and an opportunity to dispute them or correct any errors.
FACTA: one free credit report from each of the three national consumer credit reporting agencies.
FIP Controls Addressed
Information security, information quality (i.e. both)
Information security provisions
FACTA: financial institutions and creditors must implement a “red flag” program to deter identity theft (no specific list of red flags).
FACTA: receipts must truncate credit and debit card numbers
Information quality provisions
Data must be appropriately accurate, current, and complete.
CRAs must take reasonable steps to ensure the maximum possible accuracy.
CRAs can’t report negative data that is outdated (account data more than 7 years old; bankruptcies more than 10 years old)
FIP information lifecycle provisions covered
collection/disposal, use and retention, disclosure (i.e. all three)
Collection/disposal requirements
FACTA disposal rule: users of credit reports must dispose of consumer information in a way that “reasonably” prevents unauthorized access and misuse, proportionate to the sensitivity of the information.
For prescreening, companies must pre-establish collection criteria
Use and retention requirements
Consumer reports may only be used for enumerated permissible purposes:
(a) by court order;
(b) by written instruction from the consumer;
(c) for the extension of credit, or for insurance underwriting, after an application from the consumer;
(d) to review or collect on a consumer’s account;
(e) for employment purposes, with written consent;
(f) for legitimate business purposes in a transaction initiated by the consumer;
(g) by government agencies, for a few different purposes;
(h) to value an existing credit obligation;
(i) for prescreened offers
Users must provide a certification of the permissible purpose for which they will use the information