The Fair Credit Reporting Act

Question 1

What are the three principal purposes the Fair Credit Reporting Act was enacted to serve?

Answer 1

he Fair Credit Reporting Act was enacted to: (1) regulate the consumer reporting industry and to ensure that the issuers of consumer reports provide information that is fair and equitable to members and fair and accurate to report users; (2) prohibit consumer-reporting agencies from taking actions that are unfair or that adversely affect a member’s credit and ability to obtain credit; and 3) restrict the availability and use of consumer reports.

Question 2

What are the permissible uses for consumer reports under the FCRA?

Answer 2

Permissible uses of consumer reports include: (1) determining an applicant’s eligibility for credit, insurance, or to open a deposit account or in connection with a review or collection of a member’s account; (2) in response to a court order; (3) prescreening a list of members to solicit for credit services; and 4) in accordance with written instructions of the member to whom the report relates.

Question 3

When information obtained from a credit bureau has any bearing on a credit decision, what information must be disclosed to the member?

Answer 3

When information obtained from a credit bureau has bearing on a credit decision, you must disclose orally or in writing: (1) that information from a credit bureau was used in the credit decision; (2) the name, address, and telephone number (toll free if a nationwide bureau) of the credit bureau used; (3) statement that the credit bureau did not make the decision to take the adverse action; (4) notice of the member’s right to get a free copy of his or her credit report from the bureau upon written request within 60 days; and (5) notice of the member’s right to dispute with the bureau the accuracy or completeness of any information in his or her report. You do not have to include the nature of the information in the report.

Question 4

Under what circumstances would your credit union become a consumer-reporting agency?

Answer 4

Your credit union could become a consumer-reporting agency if you report to others information you gather from sources other than through your own experience with the member.

Question 5

What is the duty of a credit union upon discovering that incorrect information has been given to consumer-reporting agencies?

Answer 5

The credit union must: (1) provide the complete and accurate information to the CRA; and (2) notify each CRA to whom the incorrect or incomplete information was given to.

Question 6

If you use a prescreened list of members to offer credit, you must make that offer to all members who pass the selection process. List two of the five disclosures that must be made to those members.

Answer 6

The credit union must disclose: (1) information from the member’s consumer report was used in connection with the offer; (2) that the member satisfied the criteria to determine creditworthiness; (3) that the member may still not qualify for the credit if it is determined after receipt of acceptance of the offer that he or she no longer qualifies; (4) the member has the right to prohibit the information obtained from the CRA from being used in connection with the credit transaction the member did not initiate; and (5) the member may contract the CRA to prohibit the use of the information.

Question 7

Both the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act set
standards for the types of nonpublic personal information that credit unions can disclose to third parties. What is the only type of information the FCRA allows credit unions to disclose without limitation?

Answer 7

Credit unions can only share “experience” information without limitations.

Question 8

When should you notify your member that negative information would be reported to a credit bureau?

Answer 8

The notice must be provided either prior to, or no later than 30 days after the negative information is furnished to the credit bureau. It may be combined with any notice of default, any billing statement, or any other materials provided to the member, as long as the notice is “clear and conspicuous.” The credit union may not, however, combine the notice with the initial Truth in Lending disclosures.

Question 9

What is the credit union required to provide loan applicants if it uses credit scores in connection with making mortgage loans?

Answer 9

The credit union must provide a “Notice to Home Loan Applicants” and the credit score (along with key factors associated with the score).

Question 10

What are the identity theft requirements?

Answer 10

Have reasonable procedures in place to respond to any notification from a credit bureau that the information furnished was the result of identity theft and to prevent refurnishing that same information in the future.

Do not furnish information the member has identified as resulting from ID theft unless the credit union knows or is informed by the member that the information is correct. If the credit union learns that it has furnished inaccurate information due to ID theft, each consumer-reporting agency that received that information must be notified that it is incorrect and then report only complete and accurate information.

If the credit union is notified that a debt was a result of identity theft, the loan cannot be sold, transferred, or placed for collection. (However, there are very limited exceptions, for example, if a debt is transferred as a result of a merger or repurchased because the credit union found out the debt resulted from ID theft).

Question 11

What requirements must be met before a credit union obtains and uses medical information in determining credit eligibility?

Answer 11

Under the “financial information exception,” credit unions may obtain and use medical information in determining credit eligibility if the following three requirements are met:
* The information relates to debts, expenses, income, benefits, assets,
collateral, or the purpose of the loan, including the use of the proceeds.
* The credit union uses the information in a manner and to an extent no less favorable than it would use comparable information that is not medical information in a credit transaction. (Medical expenses or income may be treated more favorably.)
* The credit union does not take the consumer’s physical, mental, or behavioral, condition or history, type of treatment, or prognosis into account as part of any credit eligibility determination.

Question 12

How should a credit union respond when it finds a fraud alert on the member’s credit report?

Answer 12

For initial active-duty alerts, if the consumer has specified a telephone number in the alert, the credit union cannot extend any credit until it contacts the consumer using that number or takes other reasonable steps to verify the person’s identity and confirm that the application for credit is not the result of ID theft. For extended alerts, the credit union must contact the consumer in person, at the telephone number indicated in the alert, or other reasonable contact method specified by the consumer before credit is granted, additional cards are sent, etc.

Question 13

What are the key elements of an ID theft prevention program?

Answer 13

Every program must contain “reasonable policies and procedures” to:
* Identify relevant red flags and incorporate them into the program,
* Detect red flags that have been incorporated into the program.
* Respond appropriately to any red flags that are detected to prevent and mitigate identity theft.
* Ensure the program is updated periodically to reflect changes in risks to members or to the safety and soundness of the credit union from ID theft.
The initial program must be approved by the credit union’s board of directors or a board committee. In addition, credit unions must involve the board, any appropriate committees, or a designated a senior management employee in the oversight, development, implementation and continued administration of the program; train staff as necessary to effectively implement the program; and exercise appropriate oversight of any service provider arrangements to ensure that vendors have policies and procedures in place to detect, prevent and mitigate the risk of ID theft.

Question 14

The red flag regulations also require credit and debit card issuers to assess the validity of change of address request. What steps can the card issuer take to assess whether the change of address is valid?

Answer 14

The card issuer can:
* Notify the cardholder at the old address.
* Notify the cardholder through some other means of communication that the cardholder has previously agreed to; or
* Use another method of assessing the validity of the change of address that the credit union has included in its red flag program.

Question 15

Under the affiliate marketing rules, an affiliate cannot use shared member information for marketing purposes unless 3 conditions are met. What are those conditions?

Answer 15

Under the affiliate marketing rules, if a credit union shares eligibility information with an affiliated entity, the affiliate cannot use that information to make a solicitation for marketing purposes unless the consumer is:
* provided with a notice that the information may be used for marketing solicitations.
* given a reasonable opportunity to “opt-out” of these solicitations; and
* the consumer does not “opt-out.”

Question 16

List 3 exceptions to the affiliate marketing rule

Answer 16

• The affiliate receiving the information has a pre-existing business relationship with the consumer, which may include CUSOs that provide mortgage or other financial services.
• Using the information to communicate with an individual for whose benefit the affiliate provides services on behalf of the individual’s employer.
• The information is used to perform services on behalf of an affiliate, although solicitations may not be sent if that affiliate is not permitted to send solicitations because the consumer elected to opt-out.
• The information is used in response to a communication about products and services initiated by the consumer. Requests for information not related to products or services would not be sufficient, and a consumer responding to a message left by the affiliate would also not be sufficient. Solicitation of additional products and services, as part of that communication, would also not be permitted.
• The information is used to make a solicitation that has been authorized or requested by the consumer. A pre-selected check box or boilerplate language in a disclosure will not be sufficient. The authorization terminates if it is revoked by the consumer.
• If compliance with these provisions would prevent the affiliate from complying with state insurance laws pertaining to unfair discrimination.

Question 17

What must credit unions do to comply with the FCRA’s furnisher regulations with regard to ensuring the accuracy and integrity of information provided to credit bureaus?

Answer 17

The furnisher regulations require a credit union to establish and implement reasonable written policies and procedures to ensure the “accuracy” and “integrity” of information that it furnishes to credit bureaus. The regulations include guidelines that credit unions should use to develop these policies and procedures. The policies and procedures must be appropriate to the size, complexity and scope of the credit union’s business operations and should address:
* Using standard data reporting formats and standard procedures for compiling and furnishing data to CRAs.
* Maintaining records for a reasonable period of time (not less than any
applicable recordkeeping requirement) in order to substantiate the accuracy of any information it furnishes that is subject to a direct dispute.
* Establishing and implementing appropriate internal controls regarding the accuracy and integrity of information about consumers furnished to consumer reporting agencies, such as by implementing standard procedures and verify‑ing random samples of information provided to consumer reporting agencies.
* Training staff that participates in activities related to the furnishing of informa‑tion to CRAs to implement the policies and procedures.
* Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of information furnished to CRAs.
* Furnishing information to CRAs following mergers, portfolio acquisitions or sales, or other acquisitions or transfers of accounts or other obligations in a manner that prevents re-aging of information, duplicative reporting, or other problems that may similarly affect the accuracy or integrity of the information furnished.
* Deleting, updating, and correcting information in the credit union’s records, as appropriate, to avoid furnishing inaccurate information.
* Conducting reasonable investigations of disputes.
* Designing technological and other means of communication with CRAs to pre‑vent duplicative reporting of accounts, erroneous association of information with the wrong consumer(s), and other occurrences that may compromise the accuracy or integrity of information provided to CRAs.
* Providing CRAs with sufficient identifying information to enable the consumer reporting agency properly to identify the consumer.

Question 18

How must credit unions respond to members’ direct disputes under the FACTA furnisher regulations?

Answer 18

The direct dispute regulations enable consumers to submit a dispute directly to the credit union (with certain exceptions) when the issue in dispute relates to information the credit union provided to the consumer reporting agency.
Credit unions will be required to investigate a direct dispute if it relates to credit accounts or debts with the credit union (including accounts/debts resulting from ID theft), the terms of a credit account or other debt with the credit union (e.g., principal balance, scheduled payment amount, etc.), the consumer’s performance or other conduct concerning an account or other relationship with the credit union, or any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the
consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

A credit union will only be required to investigate a direct dispute if a consumer submits a dispute notice to the credit union at:
* an address provided by the credit union and set forth on the consumer report relating to that consumer.
* an address clearly and conspicuously specified by the credit union for
submitting direct disputes that is provided to the consumer in writing (or electronically, if the consumer has agreed to electronic delivery); or
* any credit union address if the credit union has not otherwise specified an address for submitting direct disputes. Credit unions will have 30 days to complete a reasonable investigation and report the results to the consumer. The 30 days begins on the date the credit union receives the notice of dispute. If the investigation finds that the information in the report was inaccurate, the credit union must correct the error and provide accurate information to the credit bureau.

Question 19

How should a credit union handle frivolous disputes from consumers?

Answer 19

A credit union will not be required to investigate disputes that are determined to be frivolous or irrelevant, such as those containing insufficient information to conduct an investigation, or substantially similar disputes that were previously submitted to the credit union or a consumer reporting agency by or on behalf of the consumer.
Upon making a determination that a dispute is frivolous or irrelevant, the credit union must notify the consumer not later than 5 business days after making the determination, by mail (or other means if authorized for that purpose by the consumer). The notice to the consumer must explain the reasons for the credit union’s determination that the dispute was frivolous.

Question 20

When must a credit union provide a risk-based pricing notice?

Answer 20

Credit unions are required to provide a risk-based pricing notice when: (1) the credit union uses a consumer report in connection with a consumer’s credit application or extension; and (2) based at least in part on that report, grants or extends credit to the consumer on “material terms” (e.g., annual percentage rate or APR) that are “materially less favorable” (higher cost for credit) than the most favorable terms available to a substantial portion of the credit union’s members.

Question 21

What are the methods for detereming who receives a risk-based pricing notice?

Answer 21

The following are the methods credit unions may use to determine who receives the risk-based pricing notice: consumer-to-consumer comparison, credit score proxy method, tiered pricing method, or the special method for credit cards that allows the card issuer to determine which consumers must receive the notice on an offer-by-offer basis.

Question 22

What are the exceptions to the risk-based pricing requirements?

Answer 22

The regulation sets forth a number of exceptions to the risk-based notice requirements. They are the: application for specific terms exception; adverse action exception; prescreened solicitations exception; credit score disclosure exception for non-mortgage credit; credit score disclosure exception for mortgage loans; and the credit score disclosure exception when no credit score is available for the consumer.