CFPB Consumer Laws and Regulations FCRA, Summaries of History

Download CFPB Consumer Laws and Regulations FCRA and more Summaries History in PDF only on Docsity! CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 1 Fair Credit Reporting Act1 The Fair Credit Reporting Act (FCRA)2 became effective on April 25, 1971. The FCRA is a part of a group of acts contained in the Federal Consumer Credit Protection Act3 such as the Truth in Lending Act and the Fair Debt Collection Practices Act. Congress substantively amended the FCRA upon the passage of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).4 The FACT Act created many new responsibilities for consumer reporting agencies and users of consumer reports. It contained many new consumer disclosure requirements as well as provisions to address identity theft. In addition, it provided free annual consumer report rights for consumers and improved access to consumer report information to help increase the accuracy of data in the consumer reporting system. In 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which granted rule-making authority under FCRA (except for Section 615(e) (red flag guidelines and regulation) and Section 628 (disposal of records)) to the Consumer Financial Protection Bureau (CFPB). The Dodd-Frank Act also amended two provisions of the FCRA to require the disclosure of a credit score and related information when a credit score is used in taking an adverse action or in risk-based pricing.5 6 On December 21, 2011, the CFPB restated FCRA regulations under its authority at 12 CFR Part 1022 (76 Fed. Reg. 79308). 1 These reflect FFIEC-approved procedures. 2 15 U.S.C. Secs. 1681–1681x. 3 15 U.S.C. Sec. 1601 et seq. 4 Pub. L. No. 108-159, 117 Stat. 1952. 5 Section 1029 of the Dodd-Frank Act generally excludes from this transfer of authority, subject to certain exceptions, any rulemaking authority over a motor vehicle dealer that is predominantly engage in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. 6 The agency responsible for supervising and enforcing compliance with the provisions of the FCRA and the implementing regulations will depend on the person subject to the FCRA (e.g., for financial institutions, jurisdiction will depend on the size and charter of the institution). CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 2 The FCRA contains responsibilities both for entities that are consumer reporting agencies and for persons that operate in any of the following capacities: 1. Procurers and users of information (for example, as credit grantors, purchasers of dealer paper, or when opening deposit accounts); 2. Furnishers and transmitters of information (by reporting information to consumer reporting agencies, other third parties, or to affiliates); 3. Marketers of credit or insurance products; and 4. Employers. Structure and Overview of Examination Modules The examination procedures are structured as a series of modules, grouping similar requirements together.7 The modules contain general information about each of the requirements: Module 1 Obtaining Consumer Reports Module 2 Obtaining Information and Sharing Among Affiliates Module 3 Disclosures to Consumers and Miscellaneous Requirements Module 4 Furnishers of Information Module 5 Consumer Alerts and Identity Theft Protections Financial institutions and other persons are subject to a number of different requirements under the FCRA; some are contained directly in the statute, while others are in 12 CFR 1022. Key Definitions The FCRA uses a number of definitions. Key definitions include the following: Adverse Action. With regard to credit transactions, the term “adverse action” has the same meaning as used in Section 701(d)(6) [15 U.S.C. 1691(d)(6)] of the Equal Credit Opportunity Act (ECOA), Regulation B, and the official staff commentary. Under the ECOA, it means a denial or revocation of credit, a change in the terms of an existing credit arrangement, or a refusal to grant credit in substantially the same amount or on terms substantially similar to those requested. Under the ECOA, the term does not include a refusal to extend additional credit under an existing credit arrangement where the applicant is delinquent or otherwise in default, or where such additional credit would exceed a previously established credit limit. 7 The examination procedures do not currently contain a module on the requirements for consumer reporting agencies. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 5 Investigative Consumer Report. An “investigative consumer report” means a consumer report or portion thereof in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with neighbors, friends, or associates of the consumer reported on or with others with whom he is acquainted or who may have knowledge concerning any such items of information. However, such information does not include specific factual information on a consumer’s credit record obtained directly from a creditor of the consumer or from a consumer reporting agency when such information was obtained directly from a creditor of the consumer or from the consumer. Person. A “person” means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 6 Module 1 – Obtaining Consumer Reports Overview Consumer reporting agencies have a significant amount of personal information about consumers. This information is invaluable in assessing a consumer’s creditworthiness for a variety of products and services, including loan and deposit accounts, insurance, and utility services, among others. The FCRA governs access to this information to ensure that a prospective user of the information obtains it for permissible purposes and does not exploit it for illegitimate purposes. The FCRA requires any prospective user of a consumer report, for example, a lender, insurer, landlord, or employer, among others, to have a legally permissible purpose to obtain a report. Permissible Purposes of Consumer Reports – Section 604; 15 U.S.C. 1681b Investigative Consumer Reports – Section 606; 15 U.S.C. 1681d Legally Permissible Purposes. The FCRA allows a consumer reporting agency to furnish a consumer report for the following circumstances and no other: 1. In response to a court order or Federal Grand Jury subpoena. 2. In accordance with the written instructions of the consumer. 3. To a person, including a financial institution, that the agency has reason to believe intends to use the report as information for any of the following reasons: a. In connection with a credit transaction involving the consumer (includes extending, reviewing, and collecting credit); b. For employment purposes;8 c. In connection with the underwriting of insurance involving the consumer; d. In connection with a determination of the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality that is required by law to consider an applicant’s financial responsibility; e. As a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; 8 Use of consumer reports for employment purposes requires specific advanced authorization, disclosure notices, and, if applicable, adverse action notices. These issues are contained in Module 3 of the examination procedures. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 7 f. Otherwise has a legitimate business need for the information: i. In connection with a business transaction that the consumer initiates; or ii. To review an account to determine whether the consumer continues to meet the terms of the account. iii. In response to a request by the head of a State or local child support enforcement agency (or authorized appointee) if the person certifies various information to the consumer reporting agency regarding the need to obtain the report. (Generally, this particular purpose does not impact a person, such as a financial institution, that is not a consumer reporting agency.) Prescreened Consumer Reports. Users of consumer reports, such as financial institutions, may obtain prescreened consumer reports to make firm offers of credit or insurance to consumers, unless the consumers elected to opt out of being included on prescreened lists. The FCRA contains many requirements, including an opt-out notice requirement when prescreened consumer reports are used. In addition to defining prescreened consumer reports, Module 3 covers these requirements. Investigative Consumer Reports. Section 606 contains specific requirements for use of an investigative consumer report. This type of consumer report contains information about a consumer’s character, general reputation, personal characteristics, or mode of living obtained in whole or in part through personal interviews with neighbors, friends, or associates of the consumer. If a user, such as a financial institution, procures an investigative consumer report, or causes the preparation of one, the user institution must meet the following requirements: 4. The user clearly and accurately discloses to the consumer that it may obtain an investigative consumer report. 5. The disclosure contains a statement of the consumer’s right to request other information about the report and a summary of the consumer’s rights under the FCRA. 6. The disclosure is in writing and is mailed or otherwise delivered to the consumer not later than three business days after the date on which the report was first requested. 7. The user procuring the report certifies to the consumer reporting agency that it has complied with the disclosure requirements and will comply in the event that the consumer requests additional disclosures about the report. Procedures. Given the preponderance of electronically available information and the growth of identity theft, a user should manage the risks associated with obtaining and using consumer reports. Users should employ procedures, controls, or other safeguards to ensure that they obtain and use consumer reports only in situations for which there are permissible purposes. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 10 consumer, conveys the decision with respect to the request. The third party must advise the consumer of the name and address of the person, such as a financial institution, to which the request was made, and such person makes the adverse action disclosures required by Section 615 of the FCRA. For example, this exception allows a lender to communicate a credit decision to an automobile dealer who is arranging financing for a consumer purchasing an automobile and who requires a loan to finance the transaction. “Joint User” Rule. The Federal Trade Commission (FTC) staff commentary discusses another exception known as the “Joint User Rule.” Under this exception, users of consumer reports, including financial institutions, may share information if they are jointly involved in the decision to approve a consumer’s request for a product or service, provided that each has a permissible purpose to obtain a consumer report on the individual. For example, a consumer applies for a mortgage loan that will have a high loan-to-value ratio, and thus the lender will require private mortgage insurance (PMI) in order to approve the application. An outside company provides the PMI. The lender and the PMI company can share consumer report information about the consumer because both entities have permissible purposes to obtain the information and both are jointly involved in the decision to grant the products to the consumer. This exception applies to entities that are affiliated or nonaffiliated third parties. It is important to note that the GLBA will still apply to the sharing of nonpublic, personal information with nonaffiliated third parties; therefore, a person, such as a financial institution, should be aware the GLBA may still limit or prohibit sharing allowed under the FCRA joint user rule. Protection of Medical Information – Section 604(g); 15 U.S.C. 1681b(g); 12 CFR 1022, Subpart D Section 604(g) generally prohibits creditors from obtaining and using medical information in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. The statute contains no prohibition on creditors obtaining or using medical information for other purposes that are not in connection with a determination of the consumer’s eligibility, or continued eligibility for credit. Section 604(g)(5)(A) requires the federal banking agencies and NCUA to prescribe regulations that permit transactions that are determined to be necessary and appropriate to protect legitimate operational, transactional, risk, consumer, and other needs (including administrative verification purposes), consistent with the Congressional intent to restrict the use of medical information for inappropriate purposes. On November 22, 2005, the FFIEC Agencies published final rules in the Federal Register (70 FR 70664). The rules contain the general prohibition on obtaining or using medical information, and provide exceptions for the limited circumstances when medical information may be used. The rules define “credit” and “creditor” as having the same meanings as in Section 702 of the ECOA (15 U.S.C. 1691a). On December 21, 2011, the CFPB restated the implementing regulation at 12 CFR Part 1022 (76 Fed. Reg. 79308). Obtaining and Using Unsolicited Medical Information (12 CFR 1022.30(c)). A creditor does not violate the prohibition on obtaining medical information if it receives the medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit without specifically requesting medical information. However, CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 11 the creditor may only use this medical information in connection with a determination of the consumer’s eligibility, or continued eligibility, for credit in accordance with either the financial information exception or one of the specific other exceptions provided in the rules. We discuss these exceptions below. Financial Information Exception (12 CFR 1022.30(d)). The rules allow a creditor to obtain and use medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility or continued eligibility for credit, so long as: 1. The information is the type of information routinely used in making credit eligibility determinations, such as information relating to debts, expenses, income, benefits, assets, collateral, or the purpose of the loan, including the use of the loan proceeds. 2. The creditor uses the medical information in a manner and to an extent that is no less favorable than it would use comparable information that is not medical information in a credit transaction. 3. The creditor does not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any such determination. The financial information exception is designed in part to allow creditors to consider a consumer’s medical debts and expenses in the assessment of that consumer’s ability to repay the loan according to the loan terms. In addition, the financial information exception also allows a creditor to consider the dollar amount and continued eligibility for disability income, worker’s compensation income, or other benefits related to health or a medical condition that is relied on as a source of repayment. The creditor may use the medical information in a manner and to an extent that is no less favorable than it would use comparable, nonmedical information. For example, a consumer includes on an application for credit information about two $20,000 debts. One debt is to a hospital; the other is to a retailer. The creditor may use and consider the debt to the hospital in the same manner in which it considers the debt to the retailer, such as including the debts in the calculation of the consumer’s proposed debt-to-income ratio. In addition, the consumer’s payment history of the debt to the hospital may be considered in the same manner as the debt to the retailer. For example, if the creditor does not grant loans to applicants who have debts that are 90-days past due, the creditor could consider the past-due status of a debt to the hospital, in the same manner as the past-due status of a debt to the retailer. A creditor may use medical information in a manner that is more favorable to the consumer, according to its regular policies and procedures. For example, if a creditor has a routine policy of declining consumers who have a 90-day past due installment loan to a retailer, but does not decline consumers who have a 90-day past due debt to a hospital, the financial information exception would allow a creditor to continue this policy without violating the rules because in these cases, the creditor’s treatment of the debt to the hospital is more favorable to the consumer. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 12 A creditor may not take the consumer’s physical, mental, or behavioral health, condition or history, type of treatment, or prognosis into account as part of any determination regarding the consumer’s eligibility, or continued eligibility for credit. The creditor may only consider the financial implications as discussed above, such as the status of a debt to a hospital, continued eligibility for disability income, etc. Specific Exceptions for Obtaining and Using Medical Information (12 CFR 1022.30(e)). In addition to the financial information exception, the rules also provide for the following nine specific exceptions under which a creditor can obtain and use medical information in its determination of the consumer’s eligibility, or continued eligibility for credit: 1. To determine whether the use of a power of attorney or legal representative that is triggered by a medical condition or event is necessary and appropriate, or whether the consumer has the legal capacity to contract when a person seeks to exercise a power of attorney or act as a legal representative for a consumer based on an asserted medical condition or event. For example, if Person A is attempting to act on behalf of Person B under a Power of Attorney that is invoked based on a medical event, a creditor is allowed to obtain and use medical information to verify that Person B has experienced a medical condition or event such that Person A is allowed to act under the Power of Attorney. 2. To comply with applicable requirements of local, state, or Federal laws. 3. To determine, at the consumer’s request, whether the consumer qualifies for a legally permissible special credit program or credit-related assistance program that is: a. Designed to meet the special needs of consumers with medical conditions and b. Established and administered pursuant to a written plan that: i. Identifies the class of persons that the program is designed to benefit; and ii. Sets forth the procedures and standards for extending credit or providing other credit-related assistance under the program. 4. To the extent necessary for purposes of fraud prevention or detection. 5. In the case of credit for the purpose of financing medical products or services, to determine and verify the medical purpose of the loan and the use of the proceeds. 6. Consistent with safe and sound banking practices, if the consumer or the consumer’s legal representative requests that the creditor use medical information in determining the consumer’s eligibility, or continued eligibility, for credit, to accommodate the consumer’s particular circumstances, and such request is documented by the creditor. For example, at the consumer’s request, a creditor may grant an exception to its ordinary policy to accommodate a medical condition that the consumer has experienced. This exception allows a creditor to consider medical information in this CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 15 Federal Register to implement this section (72 FR 62910). On December 21, 2011, the CFPB restated the implementing regulation at 12 CFR Part 1022 (76 Fed. Reg. 79308). 10 Exceptions to the notice and opt-out requirements apply when an entity uses eligibility information in certain ways, as described later in these procedures. Key Definitions – 12 CFR 1022.2011 Eligibility information (12 CFR 1022.20(b)(3)) includes not only transaction and experience information, but also the type of information found in consumer reports, such as information from third-party sources and credit scores. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.12 Pre-existing business relationship (12 CFR 1022.20(b)(4))13 means a relationship between a person, such as a financial institution (or a person’s licensed agent), and a consumer based on: 1. A financial contract between the person and the consumer that is in force on the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation; 2. The purchase, rental, or lease by the consumer of the person’s goods or services, or a financial transaction (including holding an active account or a policy in force, or having another continuing relationship) between the consumer and the person, during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation; or 3. An inquiry or application by the consumer regarding a product or service offered by that person during the three-month period immediately preceding the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation. 10 See 12 CFR 1022.20(a) for the scope of entities covered by Subpart C of 12 CFR 1022. 11 See 12 CFR 1022.20 for other definitions. 12 Specifically, “eligibility information” is defined in the affiliate marketing regulation as “any information the communication of which would be a consumer report if the exclusions from the definition of “consumer report” in Section 603(d)(2)(A) of the [Fair Credit Reporting] Act did not apply.” 13 See 12 CFR 1022.20(b)(4)(ii) and (iii) for examples of pre-existing business relationships and situations where no pre-existing business relationship exists. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 16 Solicitation (12 CFR 1022.20(b)(5)) means the marketing of a product or service initiated by a person, such as a financial institution, to a particular consumer that is: 1. Based on eligibility information communicated to that person by its affiliate; and 2. Intended to encourage the consumer to purchase or obtain such product or service. Examples of a solicitation include a telemarketing call, direct mail, email, or other form of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate. A solicitation does not include marketing communications that are directed at the general public (e.g., television, general circulation magazine, and billboard advertisements). Initial Notice and Opt-Out Requirement – 12 CFR 1022.21(a), 1022.24, and 1022.25 A person, such as a financial institution, and its subsidiaries generally may not use eligibility information about a consumer that it receives from an affiliate to make a solicitation for marketing purposes to the consumer, unless: 1. It is clearly and conspicuously disclosed to the consumer in writing or, if the consumer agrees, electronically, in a concise notice that the person may use eligibility information about that consumer that it received from an affiliate to make solicitations for marketing purposes to the consumer; 2. The consumer is provided a reasonable opportunity and a reasonable and simple method to “opt out” (that is, the consumer prohibits the person from using eligibility information to make solicitations for marketing purposes to the consumer);14 and 3. The consumer has not opted out. For example, a consumer has a homeowner’s insurance policy with an insurance company. The insurance company shares eligibility information about the consumer with its affiliated depository institution. Based on that eligibility information, the depository institution wants to make a solicitation to the consumer about its home equity loan products. The depository institution does not have a pre-existing business relationship with the consumer and none of the other exceptions apply. The depository institution may not use eligibility information it received from its insurance affiliate to make solicitations to the consumer about its home equity loan products unless the insurance company gave the consumer a notice and opportunity to opt out and the consumer does not opt out. 14 See 12 CFR 1022.24 and 1022.25 for examples of “a reasonable opportunity to opt out” and “reasonable and simple methods for opting out.” CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 17 Making Solicitations – 12 CFR 1022.21(b)15 A person, such as a financial institution, (or a service provider acting on behalf of the person) makes a solicitation for marketing purposes if: 1. The person receives eligibility information from an affiliate, including when the affiliate places that information into a common database that the person may access; 2. The person uses that eligibility information to do one or more of the following: a. Identify the consumer or type of consumer to receive a solicitation; b. Establish criteria used to select the consumer to receive a solicitation; or c. Decide which of the person’s products or services to market to the consumer or tailor the financial institution’s solicitation to that consumer; and 3. As a result of the person’s, such as a financial institution’s, use of the eligibility information, the consumer is provided a solicitation. A person, such as a financial institution, does not make a solicitation for marketing purposes (and therefore the affiliate marketing regulation, with its notice and opt-out requirements, does not apply) in the situations listed below, commonly referred to as “constructive sharing.” Constructive sharing occurs when a person, such as a financial institution, provides criteria to an affiliate to use in marketing the financial institution’s product and the affiliate uses the criteria to send marketing materials to the affiliate’s own customers that meet the criteria. In this situation, the financial institution is not using shared eligibility information to make solicitations. 1. The person provides criteria for consumers to whom it would like its affiliate to market the person’s products. Then, based on this criteria, the affiliate uses eligibility information that the affiliate obtained in connection with its own pre-existing business relationship with the consumer to market the person’s products or services (or directs its service provider to use the eligibility information in the same manner and the person does not communicate with the service provider regarding that use). 2. A service provider, applying the person’s criteria, uses information from an affiliate, such as that in a shared database, to market the person’s products or services to the consumer, so long as it meets certain requirements, including all of the following. a. The affiliate controls access to and use of its eligibility information by the service provider under a written agreement between the affiliate and the service provider. 15 See 12 CFR 1022.21(b)(6) for examples of making solicitations. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 20 Menu of alternatives. A consumer may be given the opportunity to choose from a menu of alternatives when electing to prohibit solicitations, such as by: 1. Electing to prohibit solicitations from certain types of affiliates covered by the opt-out notice but not other types of affiliates covered by the notice. 2. Electing to prohibit solicitations based on certain types of eligibility information but not other types of eligibility information. 3. Electing to prohibit solicitations by certain methods of delivery but not other methods of delivery. One of the alternatives, however, must allow the consumer to prohibit all solicitations from all of the affiliates that are covered by the notice. Continuing relationship. If the consumer establishes a continuing relationship with a person, such as a financial institution, or its affiliate, an opt-out notice may apply to eligibility information obtained from one or more continuing relationships (such as a deposit account, a mortgage loan, or a credit card), if the notice adequately describes the continuing relationships covered. The opt-out notice can also apply to future continuing relationships if the notice adequately describes the continuing future relationships that would be covered. Special rule for a notice following termination of all continuing relationships. After all continuing relationships with a person or its affiliate(s) are terminated, a consumer must be given a new opt-out notice if the consumer later establishes another continuing relationship with the person or its affiliate(s) and the consumer’s eligibility information is to be used to make a solicitation. The consumer’s decision not to opt out after receiving the new opt-out notice would not override a prior opt-out election that applies to eligibility information obtained in connection with a terminated relationship, regardless of whether the new opt-out notice applies to eligibility information obtained in connection with a terminated relationship. No continuing relationship (isolated transaction). If the consumer does not establish a continuing relationship with a person or its affiliate, but the person or its affiliate obtains eligibility information about the consumer in connection with a transaction with the consumer (such as an ATM cash withdrawal, purchase of traveler’s checks, or a credit application that is denied), an opt-out notice provided to the consumer only applies to eligibility information obtained in connection with that transaction. Time, Duration, and Renewal of Opt-Out – 12 CFR 1022.22(b) and (c) and 1022.27 A consumer may opt out at any time. The opt-out must be effective for a period of at least five years beginning when the consumer’s opt-out election is received and implemented, unless the consumer later revokes the opt-out in writing or, if the consumer agrees, electronically. An opt- out period may be set at more than five years, including an opt-out that does not expire unless the consumer revokes it. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 21 Renewal after opt-out period expires. After the opt-out period expires, a person, such as a financial institution, may not make solicitations based on eligibility information it receives from an affiliate to a consumer who previously opted out, unless: 1. The consumer receives a renewal notice and opportunity to opt out, and the consumer does not renew the opt-out; or 2. An exception to the notice and opt-out requirements applies.20 Contents of renewal notice. The renewal notice must be clear, conspicuous, and concise, and must accurately disclose most of the elements of the original opt-out notice, as well as the following information as applicable: 1. The consumer previously elected to limit the use of certain information to make solicitations to the consumer. 2. The consumer’s election has expired or is about to expire. 3. The consumer may elect to renew the consumer’s previous election. 4. If applicable, that the consumer’s election to renew will apply for the specified period of time stated in the notice and that the consumer will be allowed to renew the election once that period expires. See 12 CFR 1022.27(b) for all the content requirements of a renewal notice. Renewal period. Each opt-out renewal must be effective for a period of at least five years. Affiliate who may provide the notice. The renewal notice must be provided by the affiliate that provided the previous opt-out notice, or its successor; or as part of a joint renewal notice from two or more members of an affiliated group of companies, or their successors, that jointly provided the previous opt-out notice. Timing of the renewal notice. A renewal notice may be provided to the consumer either a reasonable period of time before the expiration of the opt-out period21 or any time after the expiration of the opt-out period but before solicitations are made to the consumer that would have been prohibited by the expired opt-out. 20 See 12 CFR 1022.21(c) for exceptions. 21 An opt-out period may not be shortened by sending a renewal notice to the consumer before expiration of the opt-out period, even if the consumer does not renew the opt-out. If a person provides an annual privacy notice under the Gramm-Leach-Bliley Act, providing a renewal notice with the last annual privacy notice provided to the consumer before expiration of the opt-out period is a reasonable period of time before expiration of the opt-out in all cases (12 CFR 1022.27(d)). CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 22 Model Forms for Opt-Out Notices – 12 CFR Part 1022, Appendix C Appendix C of the affiliate marketing regulation contains model forms that may be used to comply with the requirement for clear, conspicuous, and concise notices. The five model forms are: C-1 Model Form for Initial Opt-Out Notice (Single-Affiliate Notice) C-2 Model Form for Initial Opt-Out Notice (Joint Notice) C-3 Model Form for Renewal Notice (Single-Affiliate Notice) C-4 Model Form for Renewal Notice (Joint Notice) C-5 Model Form for Voluntary “No Marketing” Notice Use of the model forms is not required and a person may make certain changes to the language or format of the model forms without losing the protection from liability afforded by use of the model forms. These changes may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model forms. Institutions making such extensive revisions will lose the safe harbor that Appendix C provides. Examples of acceptable changes are provided in Appendix C to the regulation. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 25 criteria. The notice must also provide the toll-free telephone number operated by the nationwide consumer reporting agencies for consumers to call to opt out of prescreened lists. The FCRA contains the basic requirement to provide notices to consumers at the time the prescreened offers are made. The implementing regulation, 12 CFR 1022.54, contains the technical requirements of the notice. This regulation is applicable to anyone, including banks, credit unions, and saving associations, that obtains and uses prescreened consumer reports. Short and Long Notice – 12 CFR 1022.54(c) Entities must provide a “short” notice and a “long” notice of the prescreened opt-out information with each written solicitation made to consumers using prescreened consumer reports. They must also comply with specific requirements concerning the content and appearance of these notices. The short notice must be a clear and conspicuous, simple, and easy-to-understand statement as follows: 1. Content. The short notice must state that the consumer has the right to opt out of receiving prescreened solicitations. It must provide the toll-free number and direct consumers to the existence and location of the long notice. It should also state the title of the long notice. The short notice may not contain any other information. 2. Form. The short notice must be in a type size larger than the principal text on the same page, but it may not be smaller than 12-point type. If a person, such as a financial institution, provides the notice by electronic means, it must be larger than the type size of the principal text on the same page. 3. Location. The short form must be on the front side of the first page of the principal promotional document in the solicitation. If provided electronically, it must be on the same page and in close proximity to the principal marketing message. The statement must be located so that it is distinct from other information, such as inside a border, and must be in a distinct type style, such as bolded, italicized, underlined, and/or in a color that contrasts with the principal text on the page, if the solicitation is provided in more than one color. The long notice must also be a clear and conspicuous, simple, and easy-to-understand statement as follows: 1. Content. The long notice must state the information required by Section 615(d) of the FCRA and may not include any other information that interferes with, detracts from, contradicts, or otherwise undermines the purpose of the notice. 2. Form. The notice must appear in the solicitation, be in a type size that is no smaller than the type size of the principal text on the same page, and, for solicitations provided other than by electronic means, the type size may not be smaller than 8-point type. The notice must begin with a heading in capital letters, underlined, and identifying the long notice as the “PRESCREEN & OPT-OUT NOTICE.” It must be in a type style that is distinct CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 26 from the principal type style used on the same page, such as bolded, italicized, underlined, and/or in a color that contrasts from the principal text, if the solicitation is in more than one color. The notice must be set apart from other text on the page, such as by including a blank line above and below the statement, and by indenting both the left and right margins from other text on the page. The model prescreened opt-out notices are contained in Appendix D to 12 CFR Part 1022. Appendix D contains complete sample solicitations for context. The model prescreen notice text is contained below: Sample Short Notice: You can choose to stop receiving “prescreened” offers of (credit or insurance) from this and other companies by calling toll-free (toll-free number). See PRESCREEN & OPT- OUT NOTICE on other side (or other location) for more information about prescreened offers. Sample Long Notice: PRESCREEN & OPT-OUT NOTICE: This “prescreened” offer of (credit or insurance) is based on information in your credit report indicating that you meet certain criteria. This offer is not guaranteed if you do not meet our criteria (including providing acceptable property as collateral). If you do not want to receive prescreened offers of (credit or insurance) from this and other companies, call the consumer reporting agencies (or name of consumer reporting agency) toll-free, (toll-free number); or write: (consumer reporting agency name and mailing address). Truncation of Credit and Debit Card Account Numbers – Section 605(g); 15 U.S.C. 1681c(g) Section 605(g) provides that persons, including financial institutions, that accept debit and credit cards for the transaction of business will be prohibited from issuing electronic receipts that contain more than the last five digits of the card number, or the card expiration date, at the point of sale or transaction. This requirement applies only to electronically developed receipts and does not apply to hand-written receipts or those developed with an imprint of the card. Disclosure of Credit Scores by Certain Mortgage Lenders – Section 609(g); 15 U.S.C. 1681g(g) Section 609(g) requires creditors, such as financial institutions, that make or arrange mortgage loans using credit scores to provide the score with accompanying information to the applicants. Credit score For purposes of this section, the term “credit score” is defined as a numerical value or a categorization derived from a statistical tool or modeling system used by a person who makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (and the CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 27 numerical value or the categorization derived from such analysis may also be referred to as a “risk predictor” or “risk score”). The credit score does not include either of the following: 1. Any mortgage score or rating by an automated underwriting system that considers one or more factors in addition to credit information, such as the loan-to-value ratio, the amount of down payment, or the financial assets of a consumer. 2. Any other elements of the underwriting process or underwriting decision. Covered transactions The disclosure requirement applies to both closed-end and open-end loans that are for consumer purposes and are secured by one- to four-family residential real properties, including purchase and refinance transactions. This requirement will not apply in circumstances that do not involve a consumer purpose, such as when a borrower obtains a loan secured by his or her residence to finance his or her small business. Specific required notice Financial institutions in covered transactions that use credit scores must provide a disclosure containing the following specific language, which is contained in 609(g)(1)(D): Notice to The Home Loan Applicant In connection with your application for a home loan, the lender must disclose to you the score that a consumer reporting agency distributed to users and the lender used in connection with your home loan, and the key factors affecting your credit scores. The credit score is a computer generated summary calculated at the time of the request and based on information that a consumer reporting agency or lender has on file. The scores are based on data about your credit history and payment patterns. Credit scores are important because they are used to assist the lender in determining whether you will obtain a loan. They may also be used to determine what interest rate you may be offered on the mortgage. Credit scores can change over time, depending on your conduct, how your credit history and payment patterns change, and how credit scoring technologies change. Because the score is based on information in your credit history, it is very important that you review the credit-related information that is being furnished to make sure it is accurate. Credit records may vary from one company to another. If you have questions about your credit score or the credit information that is furnished to you, contact the consumer reporting agency at the address and telephone number provided with this notice, or contact the lender, if the lender developed or generated the credit score. The consumer reporting agency plays no part in the decision to take any action on the loan application and is unable to provide you with specific reasons for the decision on a loan application. If you have questions concerning the terms of the loan, contact the lender. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 30 established by the agency, if the consumer reporting agency maintains files on a nationwide basis); and b. a statement that the consumer reporting agency did not make the decision to take the adverse action and is unable to provide the consumer the specific reasons why the adverse action was taken; 4. provide to the consumer an oral, written, or electronic notice of the consumer’s right to obtain a free copy of the consumer report from the consumer reporting agency within 60 days of receiving notice of the adverse action, and the consumer’s right to dispute the accuracy or completeness of any information in the consumer report with the consumer reporting agency. Information Obtained from Third Parties Other than Consumer Reporting Agencies (Including Affiliates) Section 615(b), Adverse Action Based on Information Obtained from Third Parties Other than Consumer Reporting Agencies, provides that, in general, whenever credit for personal, family, or household purposes involving a consumer is denied or the charge for such credit is increased either wholly or partly because of information obtained from a person other than a consumer reporting agency bearing upon the consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, the user of such information shall: 1. At the time such adverse action is communicated, clearly and accurately disclose to the consumer his right to make a written request for the reasons for such adverse action within 60 days after learning of such adverse action; and 2. Within a reasonable period of time after receipt of such written request from the consumer, disclose the nature of the information to the consumer. If the adverse action described in 615(b)(2)(B) is (i) taken based in whole or in part on information from a person related by common ownership or affiliated by common corporate control to the person taking the action, and (ii) bears on the credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of the consumer, and (iii) does not include information solely as to transactions or experiences between the consumer and the person furnishing the information or information in a consumer report, then the person taking the adverse action shall: 1. Notify the consumer of the action, including a statement that the consumer may obtain the information upon written request from the consumer received within 60 days after transmittal of the notice required; and 2. Not later than 30 days after receipt of such written request from the consumer, disclose to the consumer the nature of the information upon which the action is based. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 31 Debt Collector Communications Concerning Identity Theft – Section 615(g); 15 U.S.C. 1681m(g) Section 615(g) has specific requirements for persons, such as financial institutions, that act as debt collectors, whereby they collect debts on behalf of a third party that is a creditor or other user of a consumer report. The requirements do not apply when a person is collecting its own loans. When a person is notified that any information relating to a debt that it is attempting to collect may be fraudulent or may be the result of identity theft, the person must notify the third party of this fact. In addition, if the consumer, to whom the debt purportedly relates, requests information about the transaction, the person must provide all of the information the consumer would otherwise be entitled to if the consumer wished to dispute the debt under other provisions of law applicable to the person. Risk-Based Pricing Notice – Section 615(h); 15 U.S.C. 1681m(h); 12 CFR 1022, Subpart H Section 615(h) of the Fair Credit Reporting Act (FCRA) generally requires a user of consumer reports, such as a creditor, to provide a risk-based pricing notice to a consumer when the creditor, based on a consumer report, extends credit to the consumer on terms that are “materially less favorable” than the terms the creditor has extended to other consumers. On January 15, 2010, the Federal Reserve and the Federal Trade Commission (FTC) published final rules in the Federal Register (75 Fed. Reg. 2724) implementing this section of the FCRA. The risk-based pricing notice requirement is designed primarily to improve the accuracy of consumer reports by alerting consumers to the existence of negative information in their consumer reports so that the consumers can, if they choose, check their consumer reports for accuracy and correct any inaccurate information. This notice provision is meant to complement an existing provision of the FCRA, Section 615(a), whereby a creditor that denies a consumer’s application for credit, based in whole or in part on information in a consumer’s report, must provide an adverse action notice. Section 615(h), covers the situation where credit is offered on “materially less favorable terms,” rather than being denied. The Dodd-Frank Act amended Section 615(h) of the FCRA to require a person to disclose a consumer’s credit score and certain information relating to the credit score, if a credit score is used in making the credit decision. On July 15, 2011, the Federal Reserve Board and the FTC published final rules (effective August 15, 2011) amending the risk-based pricing regulation to effect the Dodd-Frank Act changes (76 FR 41602). On December 21, 2011, the CFPB restated the FCRA regulations at 12 CFR Part 1022. (76 Fed. Reg. 79308) Key Definitions – 12 CFR 1022.71 The following definitions pertain to the rules governing the risk-based pricing regulation: Material terms means in general: a. for open-end credit (except as provided in (b) and (d) below), the annual percentage rate (APR) required to be disclosed in the account opening disclosures required under CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 32 Regulation Z. This does not include a temporary initial rate that is lower than the rate that will apply when the temporary rate expires, any penalty rate that applies upon the occurrence of specific events (such as a late payment), or any fixed APR option for a home equity line of credit; b. for credit cards (other than a credit card used to access a home equity line of credit or a charge card), the APR that applies for purchases. For credit cards without a purchase APR, “material terms” means the APR that varies based on consumer report information and that has the most significant financial impact on consumers; c. for closed-end credit, the APR required to be disclosed prior to consummation under the closed-end provisions of Regulation Z; and d. for credit that does not have an APR, the financial term that varies based on consumer report information and that has the most significant financial impact on consumers, such as an annual membership fee for a charge card. Materially less favorable means, generally, that the terms granted, extended, or otherwise provided to a consumer differ from the terms granted, extended, or otherwise provided to another consumer such that the cost of credit to a consumer would be significantly greater than the cost of credit granted, extended, or otherwise provided to the other consumer. Relevant factors in determining the significance of a difference in cost include the type of credit product, the term of the credit extension, and the extent of the difference between the material terms granted, extended, or otherwise provided to the two consumers. General requirements – 12 CFR 1022.72-73 A person must provide to a consumer a notice (“risk-based pricing notice”) in the form and manner prescribed by the regulation if: 1. The person uses a consumer report in connection with an application for, or a grant, extension, or other provision of, credit to a consumer for personal, family, or household purposes; and 2. Based in whole or in part on the consumer report, the person grants, extends, or otherwise provides credit to that consumer on material terms that are materially less favorable than the most favorable material terms available to a substantial proportion of consumers from that person. The obligation to provide the notice applies to the creditor to whom the obligation is initially payable, i.e., the original creditor. This interpretation excludes brokers and other intermediaries who do not themselves grant, extend, or provide credit to consumers. See preamble to the final regulation (75 FR 2730)(January 15, 2010). Determination of which consumers must receive notice (12 CFR 1022.72(b)). A person may determine, on a case-by-case basis, whether a consumer has received material terms that are CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 35 two tiers, equals no less than the top 30 percent and no more than the top 40 percent of the total number of tiers. Tiered Pricing Example Four or fewer tiers Top tier = best rate APR Notice requirements. Tier 1 (top) 8% No risk-based pricing notice required. Tier 2 10% Risk-based pricing notice required for Tiers 2, 3, and 4. Tier 3 12% Tier 4 14% Five or more tiers (5 tiers) Top tier = best rate APR Tier 1 (top) 8% No risk-based pricing notice required for top 30% to 40% of tiers. Top two tiers comprise 2 out of 5 (40%) of the number of tiers. Tier 2 10% Tier 3 12% Risk-based notices required for Tiers 3-5. Tier 4 14% Tier 5 16% Five or more tiers (9 tiers) Top tier = best rate APR Tier 1 (top) 8% No risk-based pricing notice required for top 30% to 40% of tiers. Top three tiers comprise 3 out of 9 (33%) of the number of tiers. Tier 2 10% Tier 3 12% Tier 4 14% Risk-based notices required for Tiers 4-9. Tier 5 16% Tier 6 18% Tier 7 20% Tier 8 22% Tier 9 24% CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 36 Application to credit card issuers (12 CFR 1022.72(c)). A credit card issuer may use any of the methods in 12 CFR 1022.72(b) to identify consumers to whom it must provide a risk-based pricing notice. Alternatively, the card issuer may provide the notice when: 1. a consumer applies for a credit card in connection with an application program or in response to a solicitation, and more than one purchase APR may apply under the program or solicitation, and 2. based in whole or in part on a consumer report, the credit card is issued to a consumer with an APR that is higher than the lowest APR available in connection with the application or solicitation. The risk-based pricing requirements do not apply to a card issuer if the credit card program offers only a single annual APR (other than temporary initial rates or penalty rates) or if the issuer offers the consumer the lowest possible APR under the credit card program. Content of the notice (12 CFR 1022.73(a)(1)). The risk-based pricing notice must include: 1. a statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history; 2. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report; 3. the identity of each consumer reporting agency that furnished a consumer report used in the credit decision; 4. a statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice; 5. a statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies; 6. a statement directing consumers to the website of the CFPB to obtain more information about consumer reports; 7. if a credit score of the consumer to whom a person grants, extends, or otherwise provides credit is used in setting the material terms of credit: a. a statement that a credit score is a number that takes into account information in a consumer report, that the consumer‘s credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer‘s credit history; CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 37 b. the credit score used by the person in making the credit decision; c. the range of possible credit scores under the model used to generate the credit score; d. all of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five; e. the date on which the credit score was created; and f. the name of the consumer reporting agency or other person that provided the credit score. 8. A statement that the terms offered, such as the APR, have been set based on information from a consumer report; and 9. A statement that the terms offered may be less favorable than the terms offered to consumers with better credit histories. See Appendix H-1 and H-6 of the regulation for model forms for the risk-based pricing notice. Account Review (12 CFR 1022.72(d)). Generally, a person must provide an account review risk-based pricing notice to the consumer if the person, based in whole or in part on a consumer report, increases the consumer’s APR after a review of the consumer’s account, unless one of the exceptions in 12 CFR 1022.74 applies (for example, the creditor provides an adverse action notice). Content of account review risk-based pricing notice (12 CFR 1022.73(a)(2)). The account review risk-based pricing notice must include: 1. a statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history; 2. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report; 3. the identity of each consumer reporting agency that furnished a consumer report used in the account review; 4. a statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice; CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 40 When a person obtains or creates two or more credit scores and uses multiple credit scores in setting the material terms of credit (e.g., by computing the average of all the credit scores obtained or created, the risk-based pricing notice and the account review notice must include one of those credit scores and the information about the credit score described previously in the notice content requirements. The notice may, at the person‘s option, include more than one credit score and the related information for each credit score disclosed. Examples. 1. A person that uses consumer reports to set the material terms of credit cards granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies and uses the low score when determining the material terms it will offer to the consumer. That person must disclose the low score in the risk-based pricing notice and the account review notice. 2. A person that uses consumer reports to set the material terms of automobile loans granted, extended, or provided to consumers regularly requests credit scores from several consumer reporting agencies, each of which it uses in an underwriting program in order to determine the material terms it will offer to the consumer. That person may choose one of these scores to include in the risk-based pricing notice and the account review notice. Exceptions – 12 CFR 1022.74 The rules contain a number of exceptions to the risk-based pricing notice requirement, as follows: 1. when a consumer applies for specific material terms of credit (e.g., a specific APR), and receives them, unless those terms were specified by the creditor using a consumer report after the consumer applied for the credit and after the creditor obtained the consumer report (12 CFR 1022.74(a)); 2. when a person such as a creditor provides a notice of adverse action (12 CFR 1022.74(b)); 3. when a person makes a firm offer of credit in a prescreened solicitation even if the person makes other firm offers of credit to other consumers on more favorable material terms (12 CFR 1022.74(c)); 4. when a person generally provides a credit score disclosure to each consumer that requests a loan that is or will be secured by residential real property (12 CFR 1022.74(d)); 5. when a person generally provides a credit score disclosure to each consumer that requests a loan that is not or will not be secured by residential real property (12 CFR 1022.74(e)); CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 41 6. when a person who otherwise provides credit score disclosures to consumers that request loans, provides a disclosure about credit scores when no credit score is available (12 CFR 1022.74(f)). The specific disclosure requirements for exceptions in 12 CFR 1022.74(d)-(f) are described below. Section 1022.74(d) exception - credit score disclosure for loans secured by residential real property. An person is not required to provide a risk-based pricing notice to a consumer under 12 CFR 1022.72(a) or (c) if: 1. The consumer requests from an person an extension of credit that is or will be secured by one to four units of residential real property; and 2. The person generally provides to each consumer that requests such an extension of credit a notice that contains the following: a. a statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors; b. a statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history; c. a statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be; d. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report; e. a statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period; f. contact information for the centralized source from which consumers may obtain their free annual consumer reports; g. a statement directing consumers to the website of the CFPB to obtain more information about consumer reports; h. the information required to be disclosed to the consumer in Section 609(g) of the FCRA, and as described in Module 3 of these examination procedures, under “Disclosure of Credit Scores by Certain Mortgage Lenders (FCRA), Section 609(g);” and CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 42 i. the distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score. The distribution must: i. use the same scale as that of the credit score provided to the consumer, and ii. be presented: • in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar, • by other clear and readily understandable graphical means, or • in a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. The presentation may use a graph or statement obtained from the entity providing the credit score if it meets these requirements. Form of the notice. The 12 CFR 1022.74(d) notice must be: 1. clear and conspicuous; 2. provided on or with the notice required by Section 609(g) of the FCRA; 3. segregated from other information provided to the consumer, except for the notice required by Section 609(g) of the FCRA; and 4. provided to the consumer in writing and in a form that the consumer may keep. Timing. The 12 CFR 1022.74(d) notice must be provided to the consumer at the same time as the disclosure required by Section 609(g) of the FCRA is provided to the consumer, which must be provided as soon as reasonably practicable after the credit score has been obtained. In any event, the 12 CFR 1022.74(d) notice must be provided at or before consummation in the case of closed- end credit or before the first transaction is made under an open-end credit plan. Content of the notice when using multiple credit scores. When a person obtains two or more credit scores from consumer reporting agencies in setting material terms of credit, the content of the 12 CFR 1022.74(d) notice varies depending upon whether the person only relies upon one of the credit scores or relies upon multiple credit scores. 1. If a person only relies upon one of those credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer (for example, by using the low, middle, high, or most recent score), the notice must include that credit score and the other information required by 12 CFR 1022.74(d). CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 45 NOTE: Items a, b, c, d, e, f, g, and i for the 12 CFR 1022.74(e) notice are the same as items a, b, c, d, e, f, g, and i for the 12 CFR 1022.74(d) notice. Form of the notice. The 12 CFR 1022.74(e) notice must be: a. clear and conspicuous; b. segregated from other information provided to the consumer; and c. provided to the consumer in writing and in a form that the consumer may keep. Timing. The 12 CFR 1022.74(e) notice generally must be provided to the consumer as soon as reasonably practicable after the credit score has been obtained, but in any event at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan. The notice may alternatively be provided in the following manner: a. For automobile lending transactions made through an auto dealer or other party that is unaffiliated with the person, such as a creditor, the person may provide a 12 CFR 1022.74(e) notice in the time periods described above. Alternatively, the creditor may arrange to have the auto dealer or other party provide a 12 CFR 1022.74(e) notice to the consumer on its behalf within these time periods and maintain reasonable policies and procedures to verify that the auto dealer provides the notice to the consumer within the applicable time periods. If the creditor arranges to have the auto dealer or other party provide a credit score disclosure exception notice, the creditor complies if the consumer receives a notice containing a credit score obtained by the dealer or other party, even if a different credit score is obtained and used by the creditor. 12 CFR 1022.73(c)(2)) b. For credit that is granted under an open-end credit plan to a consumer in person or by telephone for contemporaneous purchase of goods or services, the 12 CFR 1022.74(e) notice may be provided at the earlier of: i. the time of the first mailing to the consumer after the decision is made to approve the credit, such as in a mailing containing the account agreement or a credit card; or ii. within 30 days after the decision to approve the credit (12 CFR 1022.73(c)(3)). Multiple credit scores. When a person obtains two or more credit scores from consumer reporting agencies in setting material terms of credit, the content of the 12 CFR 1022.74(e) notice varies depending if the person relies upon only one of the credit scores or relies upon multiple credit scores. These disclosures requirements are the same as those for the 12 CFR 1022.74(d) notices, as described previously. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 46 Model form. Appendix H-4 of the regulation contains a model form of the 12 CFR 1022.74(e) notice. While use of the model form is optional, appropriate use of Model Form H-4 is deemed to comply with the requirements of 12 CFR 1022.74(e). Section 1022.74(f) exception - credit score not available. A person is not required to provide a risk-based pricing notice to a consumer under 12 CFR 1022.72(a) or (c) if the person: 1. regularly obtains credit scores from a consumer reporting agency and provides credit score disclosures to consumers in accordance with 12 CFR 1022.74(d) or (e), but a credit score is not available from the consumer reporting agency from which the person regularly obtains credit scores for a consumer to whom the person grants, extends, or provides credit; 2. does not obtain a credit score from another consumer reporting agency in connection with granting, extending, or providing credit to the consumer; and 3. provides to the consumer a notice that contains the following: a. a statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history; b. a statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time in response to changes in the consumer’s credit history; c. a statement that credit scores are important because consumers with higher credit scores generally obtain more favorable credit terms; d. a statement that not having a credit score can affect whether the consumer can obtain credit and what the cost of that credit will be; e. a statement that a credit score about the consumer was not available from a consumer reporting agency, which must be identified by name, generally due to insufficient information regarding the consumer’s credit history; f. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the consumer report; g. a statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free consumer report from each of the nationwide consumer reporting agencies once during any 12-month period; h. the contact information for the centralized source from which consumers may obtain their free annual consumer reports; and CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 47 i. a statement directing consumers to the website of the CFPB to obtain more information about consumer reports. NOTE: Items b, f, g, h, and i for the 12 CFR 1022.74(f) notice are the same as items b, f, g, h, and i for the 12 CFR 1022.74(d) and (e) notices. Example. A person, such as a creditor, uses consumer reports to set the material terms of non-mortgage credit granted, extended, or provided to consumers and regularly requests credit scores from a particular consumer reporting agency. As required by 12 CFR 1022.74(e), the creditor provides those credit scores and additional information to consumers. The consumer reporting agency provides to the creditor a consumer report on a particular consumer that contains one trade line, but does not provide the creditor with a credit score on that consumer. If the creditor does not obtain a credit score from another consumer reporting agency and, based in whole or in part on information in a consumer report, grants, extends, or provides credit to the consumer, the creditor may provide the 12 CFR 1022.74(f) notice. If, however, the creditor obtains a credit score from another consumer reporting agency, the creditor may not rely upon the 12 CFR 1022.74(f) exception, but must satisfy the requirements of 12 CFR 1022.74(e). Form of the notice. The 12 CFR 1022.74(f) notice must be: 1. clear and conspicuous; 2. segregated from other information provided to the consumer; and 3. provided to the consumer in writing and in a form that the consumer may keep. Timing. The 12 CFR 1022.74(f) notice generally must be provided to the consumer as soon as reasonably practicable after the person has requested the credit score, but in any event not later than consummation of a transaction in the case of closed-end credit or when the first transaction is made under an open-end credit plan. The notice may alternatively be provided in the following manner: 1. For automobile lending transactions made through an auto dealer or other party that is unaffiliated with the person, such as a creditor, the creditor may provide a 12 CFR 1022.74(f) notice in the time periods described above. Alternatively, the creditor may arrange to have the auto dealer or other party provide a 12 CFR 1022.74(f) notice to the consumer on its behalf within these time periods and maintain reasonable policies and procedures to verify that the auto dealer provides the notice to the consumer within the applicable time periods. 2. For credit that is granted under an open-end credit plan to a consumer in person or by telephone for contemporaneous purchase of goods or services, the Section 1022.74(f) notice may be provided at the earlier of: CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 50 Module 4 – Duties of Users of Consumer Reports and Furnishers of Consumer Report Information Overview The FCRA contains many responsibilities for persons, such as financial institutions, that furnish information to consumer reporting agencies. These requirements generally involve ensuring the accuracy of the data that is placed in the consumer reporting system. This examination module includes reviews of the various areas associated with furnishers of information. This module will not apply to persons that do not furnish any information to consumer reporting agencies. Duties of Users of Credit Reports Regarding Address Discrepancies – Section 605(h); 15 U.S.C. 1681c(h); 12 CFR 1022.82 Section 605(h)(1) requires that, when providing a consumer report to a person that requests the report (a user), a nationwide consumer reporting agency (NCRA) must provide a notice of address discrepancy to the user if the address provided by the user in its request “substantially differs” from the address the NCRA has in the consumer’s file. Section 605(h)(2) requires the federal banking agencies and the NCUA (the Agencies), and the FTC to prescribe regulations providing guidance regarding reasonable policies and procedures that a user of a consumer report should employ when such user has received a notice of address discrepancy. On November 9, 2007, the Agencies and the FTC published final rules in the Federal Register implementing this section (72 FR 63718). On December 21, 2011, the CFPB restated the FCRA regulations at 12 CFR Part 1022. (76 Fed. Reg. 79308). Key Definitions Nationwide consumer reporting agency (NCRA). Section 603(p) defines an NCRA as one that compiles and maintains files on consumers on a nationwide basis and regularly engages in the practice of assembling or evaluating and maintaining the following two pieces of information about consumers residing nationwide for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity: 1. public record information. 2. credit account information from persons who furnish that information regularly and in the ordinary course of business. Notice of address discrepancy (12 CFR 1022.82(b)). A “notice of address discrepancy” is a notice sent to a user by an NCRA (Section 603(p)) that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the NCRA’s file for the consumer. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 51 Requirement to form a reasonable belief – 12 CFR 1022.82(c) A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that the consumer report relates to the consumer whose report was requested, when the user receives a notice of address discrepancy in connection with a new or existing account. The rules provide the following examples of reasonable policies and procedures for forming a reasonable belief that a consumer report relates to the consumer whose report was requested: 1. comparing information in the consumer report with information the user: a. has obtained and used to verify the consumer’s identity as required by the Customer Identification Program rules (31 CFR 1020.220); b. maintains in its records; or c. obtains from a third party; or 2. verifying the information in the consumer report with the consumer. Requirement to furnish a consumer’s address to an NCRA – 12 CFR 1022.82(d) A user must develop and implement reasonable policies and procedures for furnishing to the NCRA an address for the consumer that the user has reasonably confirmed is accurate when the user does the following: 1. forms a reasonable belief that the report relates to the consumer whose report was requested; 2. establishes a continuing relationship with the consumer (i.e., in connection with a new account); and 3. regularly, and in the ordinary course of business, furnishes information to the NCRA that provided the notice of address discrepancy. A user’s policies and procedures for furnishing a consumer’s address to an NCRA must require the user to furnish the confirmed address as part of the information it regularly furnishes to the NCRA during the reporting period when it establishes a continuing relationship with the consumer. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 52 The rules also provide the following examples of how a user may reasonably confirm an address is accurate: 1. verifying the address with the consumer whose report was requested; 2. reviewing its own records; 3. verifying the address through third-party sources; or 4. using other reasonable means. Furnishers of Information: General – Section 623(e); 15 U.S.C. 1681s-2; 12 CFR 1022, Subpart E Section 623(e) required the Agencies and the Federal Trade Commission (FTC) to: 1. issue guidelines for use by furnishers regarding the accuracy and integrity of the information about consumers that they furnish to consumer reporting agencies; 2. prescribe regulations requiring furnishers to establish reasonable policies and procedures for implementing the guidelines; and 3. issue regulations identifying the circumstances under which a furnisher must reinvestigate disputes concerning the accuracy of information contained in a consumer report based on a direct request from a consumer. The Agencies and the FTC published final rules in the Federal Register (74 FR 31484) implementing this section of FCRA. These rules took effect July 1, 2010. On December 21, 2011, the CFPB restated the FCRA regulations at 12 CFR Part 1022. (76 Fed Reg 79308). Key Definitions – 12 CFR 1022.41 The following definitions pertain to the rules governing the furnishers of information to a consumer reporting agency: Accuracy means that the information a furnisher provides to a consumer reporting agency about an account or other relationship with the consumer correctly: 1. reflects the terms of and liability for the account or other relationship; 2. reflects the consumer’s performance and other conduct with respect to the account or other relationship; and 3. identifies the appropriate consumer. Direct dispute means a dispute submitted by a consumer directly to a furnisher (including a furnisher that is a debt collector) concerning the accuracy of any information contained in a consumer report and pertaining to an account or other relationship that the furnisher has or had with the consumer. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 55 Voluntary closures of accounts – Section 623(a)(4); 15 U.S.C. 1681s-2(a)(4) This section requires a person, including a financial institution, who regularly and in the ordinary course of business furnishes information to a consumer reporting agency regarding one of its consumer credit accountholders, to notify the consumer reporting agency of the consumer’s voluntary account closure. This notice is to be furnished to the consumer reporting agency as part of the regularly furnished information for the period in which the account is closed. Notice involving delinquent accounts – Section 623(a)(5); 15 U.S.C. 1681s-2(a)(5) This section requires that a person, including a financial institution, that furnishes information to a consumer reporting agency about a delinquent account placed for collection, charged off, or subjected to any similar action, must, not later than 90 days after furnishing the information to the consumer reporting agency, notify the consumer reporting agency of the month and year of the commencement of the delinquency that immediately preceded the action. Duties upon notice of dispute from a consumer reporting agency – Section 623(b); 15 U.S.C. 1681s-2(b) This section requires that whenever a person, such as a financial institution, receives a notice of dispute from a consumer reporting agency regarding the accuracy or completeness of any information the person provided to a consumer reporting agency pursuant to Section 611 (Procedure in Case of Disputed Accuracy), that person must, pursuant to Section 623(b): 1. conduct an investigation regarding the disputed information; 2. review all relevant information the consumer reporting agency provided along with the notice; 3. report the results of the investigation to the consumer reporting agency; 4. if the investigation finds the information is incomplete or inaccurate, report those results to all nationwide consumer reporting agencies to which the financial institution previously provided the information; and 5. if the disputed information is incomplete, inaccurate, or not verifiable by the person, it must promptly, for purposes of reporting to the consumer reporting agency do one of the following: a. modify the item of information. b. delete the item of information. c. permanently block the reporting of that item of information. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 56 The person must complete the required investigations, reviews, and reports within 30 days. The person may extend the time period for 15 days if a consumer reporting agency receives additional relevant information from the consumer. Duties upon notice of dispute from a consumer (direct disputes) – Section 623(a)(8); 15 U.S.C. 1681s-2(a)(8); 12 CFR 1022.43 General rule. A furnisher must conduct a reasonable investigation of a direct dispute (unless exceptions, described later, apply) if the dispute relates to: 1. the consumer’s liability for a credit account or other debt with the furnisher, such as direct disputes relating to whether there is or has been identity theft or fraud against the consumer, whether there is individual or joint liability on an account, or whether the consumer is an authorized user of a credit account; 2. the terms of a credit account or other debt with the furnisher, such as, direct disputes relating to the type of account, principal balance, scheduled payment amount on an account, or the amount of the credit limit on an open-end account; 3. the consumer’s performance or other conduct concerning an account or other relationship with the furnisher such as, direct disputes relating to the current payment status, high balance, payment date, the payment amount, or the date an account was opened or closed; or 4. any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Exceptions. The direct dispute requirements do not apply to a furnisher if the direct dispute relates to: 1. the consumer’s identifying information such as name(s), date of birth, Social Security number, telephone number(s), or address(es); 2. the identity of past or present employers; 3. inquiries or requests for a consumer report; 4. information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless the information was provided by a furnisher with an account or other relationship with the consumer); 5. information related to fraud alerts or active duty alerts; or 6. information provided to a consumer reporting agency by another furnisher. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 57 The direct dispute requirements also do not apply if the furnisher has a reasonable belief that the direct dispute is: 1. submitted by a credit repair organization; 2. is prepared on behalf of the consumer by a credit repair organization; or 3. is submitted on a form supplied to the consumer by a credit repair organization. Direct Dispute Address. A furnisher is required to investigate a direct dispute only if a consumer submits a dispute notice to the furnisher at: 1. the address provided by a furnisher and listed on a consumer report relating to the consumer; 2. an address clearly and conspicuously specified by the furnisher that is provided to the consumer in writing or electronically (if the consumer has agreed to the electronic delivery of information from the furnisher); or 3. any business address of the furnisher if the furnisher has not provided a specific address for submitting direct disputes. Direct Dispute Notice Contents. A dispute notice from a consumer must include: 1. sufficient information to identify the account or other relationship that is in dispute, such as an account number and the name, address, and telephone number of the consumer; 2. the specific information that the consumer is disputing and an explanation of the basis for the dispute; and 3. all supporting documentation or other information reasonably required by the furnisher to substantiate the basis of the dispute. This documentation may include, for example, a copy of the relevant portion of the consumer report that contains the allegedly inaccurate information; a police report; a fraud or identity theft affidavit; a court order; or account statements. Duties of a Furnisher after Receiving a Direct Dispute Notice from a Consumer. After receiving a dispute notice from a consumer, the furnisher must: 1. conduct a reasonable investigation with respect to the disputed information; 2. review all relevant information provided by the consumer with the dispute notice; 3. complete its investigation of the dispute and report the results of the investigation to the consumer before the expiration of the period under Section 611(a)(1) of the FCRA (15 U.S.C. 1681i(a)(1)) within which a consumer reporting agency would be CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 60 Model text Institutions may use the following model text to comply with these requirements. The first model contains text an institution can use when it provides a notice before furnishing negative information. The second model form contains text to use when an institution provides notice within 30 days after reporting negative information: • Notice prior to communicating negative information (Model B-1): “We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.” • Notice within 30 days after communicating negative information (Model B-2): “We have told a credit bureau about a late payment, missed payment, or other default on your account. This information may be reflected in your credit report.” Use of the model form(s) is not required; however, proper use of the model forms provides a financial institution with a safe harbor from liability. A financial institution may make certain changes to the language or format of the model notices without losing the safe harbor from liability provided by the model notices. The changes to the model notices may not be so extensive as to affect the substance, clarity, or meaningful sequence of the language in the model notices. A financial institution making extensive revisions will lose the safe harbor from liability that the model notices provide. Acceptable changes include: 1. rearranging the order of the references to “late payment(s),” or “missed payment(s).” 2. pluralizing the terms “credit bureau,” “credit report,” and “account.” 3. specifying the particular type of account on which it may furnish information, such as “credit card account.” 4. rearranging in Model Notice B-1 the phrases “information about your account” and “to credit bureaus” such that it would read, “We may report to credit bureaus information about your account.” CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 61 Module 5 – Consumer Alerts and Identity Theft Protections Overview The FCRA contains several provisions for both consumer reporting agencies and users of consumer reports, including financial institutions, that are designed to help combat identity theft. This module applies to persons that are not consumer reporting agencies, but are users of consumer reports. Two primary requirements exist for users of consumer reports: first, a user of a consumer report that contains a fraud or active duty alert must take steps to verify the identity of an individual to whom the consumer report relates, and second, a person must disclose certain information when consumers allege that they are the victims of identity theft. Fraud and Active Duty Alerts – Section 605A(h); 15 U.S.C. 1681c-1(h) Initial Fraud and Active Duty Alerts Consumers who suspect that they may be the victims of fraud including identity theft may request nationwide consumer reporting agencies to place initial fraud alerts in their consumer reports. These alerts must remain in a consumer’s report for no less than 90 days. In addition, members of the armed services who are called to active duty may also request that active duty alerts be placed in their consumer reports. Active duty alerts must remain in these service members’ files for no less than 12 months. Section 605A(h)(1)(B), Limitations on Use of Information for Credit Extensions, requires users of consumer reports, including financial institutions, to verify a consumer’s identity if a consumer report includes a fraud or active duty alert. Unless the user of the consumer report uses reasonable policies and procedures to form a reasonable belief that it knows the identity of the person making the request, the user may not: 1. establish a new credit plan or extension credit (other than under an open-end credit plan) in the name of the consumer; 2. issue an additional card on an existing account; or 3. increase a credit limit. Extended Alerts Consumers who allege that they are the victim of an identity theft may also place an extended alert, which lasts seven years, on their consumer report. Extended alerts require consumers to submit identity theft reports and appropriate proof of identity to the nationwide consumer reporting agencies. Section 605A(h)(2)(B), Limitation on Users, requires a user that obtains a consumer report that contains an extended alert to contact the consumer in person or by the method the consumer lists in the alert prior to performing any of the three actions listed above. CFPB Consumer Laws and Regulations FCRA CFPB Manual V.2 (October 2012) FCRA 62 Information Available to Victims – Section 609(e); 15 U.S.C. 1681g(e) Section 609(e) requires a person, such as a financial institution, to provide records of fraudulent transactions to victims of identity theft within 30 days after the receipt of a request for the records. These records include the application and business transaction records under the control of the person whether maintained by the person itself or another person on behalf of the institution (such as a service provider). The person should provide this information to any of the following: 1. the victim; 2. any federal, state, or local government law enforcement agency or officer specified by the victim in the request; or 3. any law enforcement agency investigating the identity theft that was authorized by the victim to take receipt of these records. The victim must make the request for the records in writing and send it to the person at the address specified by the person for this purpose. The person may ask the victim to provide information, if known, regarding the date of the transaction or application, and any other identifying information such as an account or transaction number. Unless the person has a high degree of confidence that it knows the identity of the victim making the request for information, the person must take prudent steps to positively identify the person before disclosing any information. Proof of identity can include any of the following: 1. a government-issued identification card; 2. personally identifying information of the same type that was provided to the person by the unauthorized person; or 3. personally identifying information that the person typically requests from new applicants or for new transactions. At the election of the person, the victim must also provide the person with proof of an identity theft complaint, which may consist of a copy of a police report evidencing the claim of identity theft and a copy of a properly completed affidavit. The CFPB’s Identity Theft Affidavit is available on the CFPB’s website (consumerfinance.gov/learnmore). The version of this form developed by the FTC and available on the FTC’s Website (ftc.gov/idtheft) remains valid and sufficient for this purpose (12 CFR 1022.3(i)(3)(ii)). CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 1 Fair Credit Reporting Act Examination Objectives1 2 • To determine the covered entity’s compliance with the Fair Credit Reporting Act (FCRA) and implementing regulations. • To assess the quality of the covered entity’s compliance risk management system to ensure compliance with the FCRA, as amended. • To determine the reliance that can be placed on the covered entity’s internal controls and procedures for monitoring the entity’s compliance with the FCRA. • To direct corrective action when violations of law are identified, or when the covered entity’s policies or internal controls are deficient. Initial Examination Procedures The initial examination procedures are designed to acquaint examiners with the operations and processes of the entity being examined. They focus on the entity’s systems, controls, policies, and procedures, including audits and previous examination findings. The applicability of the various sections of the FCRA and the implementing regulations depends on an entity’s unique operations. The functional examination requirements are presented topically in modules 1 through 5. Initially, examiners should: 1. Through discussions with management and review of available information, determine if the entity’s internal controls are adequate to ensure compliance in the FCRA area under review. Consider the following: a. organization charts; b. process flowcharts; c. policies and procedures; d. loan documentation; e. checklists; 1 These reflect FFIEC-approved procedures. 2 These procedures do not currently contain a module on the requirements for consumer reporting agencies. CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 2 f. computer program documentation (for example, records illustrating the fields and types of data reported to consumer reporting agencies; automated records tracking customer opt-outs for FCRA affiliate information sharing; etc.). 2. Review any compliance audit material, including workpapers and reports, to determine whether: a. the scope of the audit addresses all provisions as applicable; b. corrective actions were taken to follow up on previously identified deficiencies; c. the testing includes samples covering all product types and decision centers; d. the work performed is accurate; e. significant deficiencies and their causes are included in reports to management and/or to the board of directors; and f. the frequency of review is appropriate. 3. Review the entity’s training materials to determine whether: a. appropriate training is provided to individuals responsible for FCRA compliance and operational procedures; and b. the training is comprehensive and covers the various aspects of the FCRA that apply to the individual entity’s operations. 4. Through discussions with management, determine which portions of the examination modules will apply. 5. Complete appropriate examination modules; document and form conclusions regarding the quality of the entity’s compliance management systems and compliance with FCRA. CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 3 Module 1 – Obtaining Consumer Reports Permissible Purposes of Consumer Reports – Section 604; 15 U.S.C. 1681b Investigative Consumer Reports – Section 606; 15 U.S.C. 1681d 1. Determine whether the entity obtains consumer reports. 2. Determine whether the entity obtains prescreened consumer reports and/or reports for employment purposes. If so, complete the appropriate sections of Module 3. 3. Determine whether the entity procures or causes an investigative consumer report to be prepared. If so, ensure that the appropriate disclosure is given to the consumer within the required time period. In addition, ensure that the entity certified compliance with the disclosure requirements to the consumer reporting agency. 4. Ensure that the entity obtains consumer reports only for permissible purposes. Confirm that the entity certifies to the consumer reporting agency the purposes for which it will obtain reports. (The certification is usually contained in an entity’s contract with the consumer reporting agency.) 5. If procedural weaknesses are noted or other risks requiring further investigation are noted, such as the receipt of several consumer complaints, review a sample of consumer reports obtained from a consumer reporting agency and determine whether the entity had permissible purposes to obtain the reports. For example, • obtain a copy of a billing statement or other list of consumer reports obtained by the entity from the consumer reporting agency for a period of time; and • compare this list, or a sample from this list to the entity’s records to ensure that there is a permissible purpose for the report(s) obtained. This could include any permissible purpose, such as the consumer applied for credit, insurance, or employment, etc. The entity may also obtain a report in connection with the review of an existing account. CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 6 Module 3 – Disclosures to Consumers and Miscellaneous Requirements Use of Consumer Reports for Employment Purposes – Section 604(b); 15 U.S.C. 1681b(b) 1. Determine if the entity obtains consumer reports on current or prospective employees. 2. Assess the entity’s policies and procedures to determine if appropriate disclosures are provided to current and prospective employees when an entity obtains consumer reports for employment purposes, including situations where the entity takes adverse actions based on consumer report information. 3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of the disclosures to determine if they are accurate and in compliance with the technical FCRA requirements. Prescreened Consumer Reports and Opt-Out Notice – Sections 604(c) and 615(d); 15 U.S.C. 1681b(c) and 15 U.S.C. 1681m(d) 12 CFR 1022.54 1. Determine whether the entity obtained and used prescreened consumer reports in connection with offers of credit and/or insurance. 2. Evaluate the entity’s policies and procedures to determine if a list of the criteria used for prescreened offers, including all post-application criteria, is maintained in the entity’s files and the criteria are applied consistently when consumers respond to the offers. 3. Determine if written solicitations contain the required disclosures of the consumers’ right to opt-out of prescreened solicitations and comply with all requirements applicable at the time of the offer. 4. If procedural weaknesses or other risks requiring further investigation are noted, obtain and review a sample of approved and denied responses to the offers to ensure that criteria were appropriately followed. Truncation of Credit and Debit Card Account Numbers – Sections 605(g); 15 U.S.C. 1681c(g) 1. Determine whether the entity’s policies and procedures ensure that electronically generated receipts from automated teller machines and point-of-sale terminals or other machines do not contain more than the last five digits of the card number and do not contain the expiration dates. 2. If procedural weaknesses or other risks requiring further investigation are noted, review samples of actual receipts to ensure compliance. CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 7 Disclosure of Credit Scores by Certain Mortgage Lenders – Sections 609(g); 15 U.S.C. 1681g(g) 1. Determine if the entity uses credit scores in connection with applications for closed-end or open-end loans secured by one- to four-family residential real property. 2. Evaluate the entity’s policies and procedures to determine whether accurate disclosures are provided to applicants as soon as is reasonably practicable after using credit scores. 3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of disclosures given to home loan applicants to determine technical compliance with the requirements. Adverse Action Disclosures – Sections 615(a) and (b); 15 U.S.C. 1681m(a) and (b) 1. Determine whether the policies and procedures adequately ensure that the creditor or other person provides the appropriate disclosures, including the consumer’s credit score as appropriate, when it takes adverse action against consumers based in whole or in part on information contained in a consumer report or specified information received from third parties, including affiliates. 2. Review the policies and procedures of the creditor or other person for responding to requests for information in response to these adverse action notices. 3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of adverse action notices to determine if they are accurate and in technical compliance. Debt Collector Communications Concerning Identity Theft – Sections 615(g); 15 U.S.C. 1681m(g) 1. Determine whether the entity collects debts for third parties. 2. Determine whether the entity has policies and procedures to ensure that the third parties are notified if the entity obtains any information that may indicate that the debt in question is the result of fraud or identity theft. 3. Determine if the entity has effective policies and procedures for providing information to consumers to whom the fraudulent debts relate. 4. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of instances where consumers have alleged identity theft and requested information related to transactions to determine if all of the appropriate information was provided to the consumer. CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 8 Risk-Based Pricing Notice – Section 615(h); 15 U.S.C. 1681m(h); 12 CFR 1022, Subpart H 1. Determine whether the creditor (or other person) uses consumer report information in consumer credit decisions. If yes, determine whether the creditor uses such information to provide credit on terms that are “materially less favorable” than the most favorable material terms available to a substantial proportion of its consumers. Relevant factors in determining the significance of differences in the cost of credit include the type of credit product, the term of the credit extension, and the extent of the difference. If “yes,” the creditor is subject to the risk-based pricing regulations. 2. Determine the method the creditor uses to identify consumers who must receive a risk-based pricing notice and whether the method complies with the regulation (12 CFR 1022.72(b)). a. For creditors that use the direct comparison method (12 CFR 1022.72(b)), determine whether the creditor directly compares the material terms offered to each consumer and the material terms offer to other consumers for a specific type of credit product. b. For creditors that use the credit score proxy method (12 CFR 1022.72(b)(1)): i. determine whether the creditor calculates the cutoff score by considering the credit scores of all, or a representative sample, of consumers who have received credit for a specific type of credit product; ii. determine whether the creditor recalculates the cutoff score no less than every two years; iii. for new entrants into the credit business, for new products subject to risk-based pricing, or for acquired credit portfolios, determine whether the creditor recalculates the cutoff scores within time periods specified in the regulation; iv. for creditors using more than one credit score to set material terms, determine whether the creditor establishes a cutoff score according to the methods specified in the regulation; and v. if no credit score is available for a consumer, determine whether the creditor provides the consumer a risk-based pricing notice. c. For creditors that use the tiered pricing method (12 CFR 1022.72(b)(2)): i. when four or fewer pricing tiers are used, determine if the creditor sends risk-based pricing notices to consumers who do not qualify for the top, best-priced tier; or ii. when five or more pricing tiers are used, determine if the creditor provides risk-based pricing notices to consumers who do not qualify for the two top, best-priced tiers and CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 11 c. a creditor makes a firm offer of credit in a prescreened solicitation (even if the person makes other firm offers of credit to other consumers on more favorable material terms); d. a creditor generally provides a credit score disclosure to each consumer that requests a loan that is or will be secured by residential real property (if so, proceed to step #6); e. a creditor generally provides a credit score disclosure to each consumer that requests a loan that is not or will not be secured by residential real property (if so, proceed to step #7); or f. a creditor, which otherwise provides credit score disclosures to consumers that request loans, provides a disclosure for when no credit score is available (if so, proceed to step #8). 6. For creditors that choose to provide a credit score disclosure to consumers that request a loan that is or will be secured by residential real property, determine whether the 12 CFR 1022.74(d) notice generally is provided to each consumer that requests such an extension of credit and that each notice contains: a. a statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors; b. a statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history; c. a statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be; d. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report; e. a statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period; f. contact information for the centralized source from which consumers may obtain their free annual consumer reports; g. a statement directing consumers to the website of the CFPB to obtain more information about consumer reports; h. the information required to be disclosed to the consumer in Section 609(g) of the FCRA, and as described in Module 3 of these examination procedures, under “Disclosure of Credit Scores by Certain Mortgage Lenders (FCRA), Section 609(g)”; and CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 12 i. the distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score. The distribution must: i. use the same scale as that of the credit score provided to the consumer; and ii. be presented: a) in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar; b) by other clear and readily understandable graphical means; or c) in a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. The presentation may use a graph or statement obtained from the entity providing the credit score if it meets these requirements. 7. For creditors that choose to provide a credit score disclosure to consumers that request a loan that is not or will not be secured by residential real property, determine whether the 12 CFR 1022.74(e) notice generally is provided to each consumer that requests such an extension of credit and that each notice contains: a. a statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors; b. a statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history; c. a statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be; d. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report; e. a statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period; f. contact information for the centralized source from which consumers may obtain their free annual consumer reports; CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 13 g. a statement directing consumers to the website of CFPB to obtain more information about consumer reports; h. the current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the consumer reporting agency for a purpose related to the extension of credit; i. the distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score. The distribution must: i. use the same scale as that of the credit score provided to the consumer; and ii. be presented: a) in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar; b) by other clear and readily understandable graphical means; or c) in a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. The presentation may use a graph or statement obtained from the entity providing the credit score if it meets these requirements; j. the range of possible credit scores under the model used to generate the credit score; k. the date on which the credit score was created; and l. the name of the consumer reporting agency or other person that provided the credit score. 8. For creditors that otherwise provide credit score disclosures to consumers that request loans, determine whether the 12 CFR 1022.74(f) notice is provided to the applicable consumers in situations where no credit score is available for the consumer, as required by 12 CFR 1022.74(f). Determine whether each notice contains: a. a statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history; b. a statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time in response to changes in the consumer’s credit history; c. a statement that credit scores are important because consumers with higher credit scores generally obtain more favorable credit terms; d. a statement that not having a credit score can affect whether the consumer can obtain credit and what the cost of that credit will be; CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 16 12. For all notices, determine whether the notices are clear and conspicuous and comply with the specific format requirements for the notices (12 CFR 1022.73(b), .74(d)(2), .74(e)(2), and .74(f)(3)). 13. For all notices, determine whether the notices are provided within the required time frames (12 CFR 1022.73(c), .74(d)(3), .74(e)(3), and .74(f)(4)), as set out as follows: Risk-based pricing notices and account review risk-based pricing notices • For closed-end credit, the notice generally must be provided to the consumer after the decision to approve a credit request is communicated to the consumer, but before consummation of the transaction. • For open-end credit, the notice generally must be provided after the decision to grant credit is communicated to the consumer, but before the first transaction under the plan has been made. • For account reviews, the notice generally must be provided at the time that the decision to increase the APR is communicated to the consumer or no later than five days after the effective date of the change in the APR. Credit score disclosures for loans secured by residential real property • The credit score disclosure for loans secured by residential real property must be provided to the consumer at the same time as the disclosure required by Section 609(g) of the FCRA is provided to the consumer. The Section 609(g) notice must be provided as soon as reasonably practicable after the credit score has been obtained. In any event, the credit score disclosure for loans secured by residential real property must be provided at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan. Credit score disclosures for loans not secured by residential real property • The notice generally must be provided to the consumer as soon as reasonably practicable after the credit score has been obtained, but in any event at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan. Credit score exception notices when no credit score is available • The notice generally must be provided to the consumer as soon as reasonably practicable after the creditor has requested the credit score, but in any event not later than consummation of a transaction in the case of closed-end credit or when the first transaction is made under an open-end credit plan. Application to certain automobile lending transactions CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 17 • For automobile lending transactions made through an auto dealer that is unaffiliated with the creditor, the creditor may provide a notice in the time periods described above. Alternatively, the creditor may arrange to have the auto dealer provide a notice to the consumer on its behalf within these time periods and maintain reasonable policies and procedures to verify that the auto dealer provides the notice to the consumer within the applicable time periods. If the creditor arranges to have the auto dealer provide a credit score disclosure for loans not secured by residential real property, the creditor complies if the consumer receives a notice containing a credit score obtained by the auto dealer with these time periods, even if a different credit score is obtained and used by the creditor. • For credit that is granted under an open-end credit plan to a consumer in person or by telephone for contemporaneous purchase of goods or services, the notice may be provided at the earlier of: o the time of the first mailing to the consumer after the decision is made to approve the credit, such as in a mailing containing the account agreement or a credit card; or o within 30 days after the decision to approve the credit. 14. For all notices, determine whether the creditor follows the rules of construction pertaining to the number of notices provided to the consumer(s) (12 CFR 1022.75). In a transaction involving two or more consumers, a creditor must provide a risk-based notice to each consumer. If the consumers have the same address, and the notice does not include a credit score(s), a person may satisfy the requirements by providing a single notice addressed to both consumers. However, if a notice includes a credit score(s), the person must provide a separate notice to each consumer whether the consumers have the same address or not. Each separate notice that includes a credit score(s) must contain only the credit score(s) of the consumer to whom the notice is provided, and not the credit score(s) of the other consumer. Similarly, for credit score disclosure exception notices, whether the consumers have the same address or not, the creditor must provide a separate notice to each consumer and each separate notice that includes a credit score(s) must contain only the credit score(s) of the consumer to whom the notices is provided. 15. For all notices, determine whether the creditor uses the model forms in Appendix H of the regulation. If yes, determine that it does not modify the model form so extensively as to affect the substance, clarity, comprehensibility, or meaningful sequence of the forms (Appendix H). CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 18 Module 4 – Duties of Users of Consumer Reports and Furnishers of Consumer Report Information Duties of Users of Credit Reports Regarding Address Discrepancies – Section 605(h); 15 U.S.C. 1681c(h); 12 CFR 1022.82 1. Determine whether a user of consumer reports has policies and procedures to recognize notices of address discrepancy that it receives from a nationwide consumer reporting agency (NCRA)3 in connection with consumer reports. 2. Determine whether a user that receives notices of address discrepancy has policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested (12 CFR 1022.82(c)). See examples of reasonable policies and procedures “to form a reasonable belief” in 12 CFR 1022.82(c)(2). 3. Determine whether a user that receives notices of address discrepancy has policies and procedures to furnish to the NCRA an address for the consumer that the user has reasonably confirmed is accurate, if the user does the following: a. forms a reasonable belief that the report relates to the consumer; b. establishes a continuing relationship with the consumer; and c. regularly, and in the ordinary course of business, furnishes information to the NCRA (12 CFR 1022.82(d)(1)). See examples of reasonable confirmation methods in 12 CFR 1022.82(d)(2). 4. Determine whether the user’s policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to an NCRA during the reporting period when it establishes a relationship with the consumer (12 CFR 1022.82(d)(3)). 5. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of consumer reports requested by the user from an NCRA that included notices of address discrepancy and determine: a. how the user established a reasonable belief that the consumer reports related to the consumers whose reports were requested; and b. if a consumer relationship was established: 3 A NCRA compiles and maintains files on consumers on a nationwide basis. CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 21 b. Determine whether the entity notifies and provides corrected information to the consumer reporting agencies when the results of its investigation finds that inaccurate information was furnished to the consumer reporting agencies (12 CFR 1022.43(e)(4)). c. When the entity finds that a dispute is frivolous or irrelevant, determine whether the entity: i. notifies the consumer within five days after finding the dispute frivolous or irrelevant (12 CFR 1022.43(f)(2)); and ii. includes in the consumer notification the reasons for the findings and the information necessary to investigate the disputed information (12 CFR 1022.43(f)(3)). Prevention of Re-Pollution of Consumer Reports – Section 623(a)(6); 15 U.S.C. 1681s-2(a)(6) 1. If the entity provides information to a consumer reporting agency, review the entity’s policies and procedures for ensuring that items of information blocked because of an alleged identity theft are not re-reported to the consumer reporting agency. 2. If weaknesses are noted within the entity’s policies and procedures, review a sample of notices from a consumer reporting agency of allegedly fraudulent information due to identity theft furnished by the entity, to determine whether the entity does not re-report the item to a consumer reporting agency. 3. If procedural weaknesses or other risks requiring further investigation are noted, verify that the entity has not sold or transferred a debt that resulted from an alleged identity theft. Negative Information Notice – Section 623(a)(7); 15 U.S.C. 1681s-2(a)(7); 12 CFR 1022.1(b)(1)(ii) 1. If the entity provides negative information to a nationwide consumer reporting agency, verify that the entity’s policies and procedures ensure tht the approriate notices are provided to consumers. 2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of notices provided to consumers to determine compliance with the technical content and timing requirements. CFPB Examination Procedures FCRA CFPB Manual V.2 (October 2012) Procedures 22 Module 5 – Consumer Alerts and Identity Theft Protections Fraud and Active Duty Alerts – Section 605A(h); 15 U.S.C. 1681c-1(h) 1. Determine whether the entity has effective policies and procedures in place to verify the identity of consumers in situations in which consumer reports include fraud and/or active duty military alerts. 2. Determine if the entity has effective policies and procedures in place to contact consumers in situations where consumer reports include extended alerts. 3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of transactions in which consumer reports including these types of alerts were obtained. Verify that the entity complied with the identity verification and/or consumer contact requirements. Information Available to Victims – Section 609(e); 15 U.S.C. 1681g(e) 1. Review the entity’s policies, procedures, and/or practices to determine whether identities and claims of fruadulent transactions are verified and whether information is properly disclosed to victims of identity theft and/or appropriately authorized law enforcement agents. 2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of these types of requests to endetermine whether the entity properly verified the requestor’s identity prior to disclosing the information.