2C- 2- Fair Credit Reporting Act of 1970 (FCRA)
i. Permissible Purpose (Regulation of "Users" of Consumer Reports)
As with CRAs, a user of a consumer report is prohibited from obtaining or using a consumer report without a permissible purpose, as defined under the FRCA, and it must certify that it will abide by the requirements of the FCRA when it obtains a consumer report.
Who and What the FCRA Applies To
Broadly speaking, there are at least four different categories of persons or entities subject to regulation under the FCRA. First, and most importantly, the FCRA regulates any "consumer reporting agency" ("CRA"), which are entities that compile credit and other information on consumers for purposes of providing a "consumer report" to third parties for a fee. The FCRA also regulates any "users" of a consumer report provided by a CRA, as well as any "furnishers," or entities that provide personal information to CRAs to be included in a consumer report (e.g., lenders and retailers). Lastly, the FCRA applies certain of its provisions to any company that extends credit to consumers under the Red Flags Rule. Other than companies subject to the Red Flags Rule, each type of entity regulated under the FCRA is defined by its relationship to a "consumer report." A consumer report under the FCRA is any written, oral, or other communication of information for purposes of establishing an individual's eligibility for credit, insurance, employment, or for some other business purpose, and which bears on the "credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living" of an individual. There are three components to this definition. First, the form of communication is defined—a consumer report applies to any "written, oral, or other communication." Second, a consumer report is defined, in part, by the purpose for which it is used—i.e., it must be used for establishing a consumer's eligibility for credit, insurance, employment, or for other business purposes. Third, a consumer report is defined by the type of information it contains—i.e., it must bear on a consumer's "credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living." While many of the well-known CRAs—including Experian, TransUnion, and Equifax—deal largely with consumer financial information, it is important to understand that a "consumer report" under the FCRA can cover a wide range of personal records, including criminal and driving histories. The statute contains a number of exceptions within its definition of a consumer report. Information about a consumer will not be deemed a consumer report if: (1) the report containing the information relates only to the transactions and experiences between the consumer and the person making the report; (2) it is a communication between affiliated entities; or (3) when affiliates share information obtained by a CRA, the information sharing practices are disclosed, and the consumer is provided an opportunity to opt-out of the sharing before the report is obtained. Different rules apply under the FCRA depending on whether an entity or individual subject to it is a CRA, a consumer report user, a furnisher of information to be included in a consumer report, or a company that extends credit. In addition, a special type of consumer report—called an "investigative consumer report"—is subject to special treatment under the FCRA. Each set of applicable rules will be discussed in turn below, followed by a discussion of the enforcement and rulemaking authority under the FCRA.
v. Consumer Disputes (Regulation of Consumer Reporting Agencies (CRAs))
Consumers have a right to dispute the accuracy of the information contained in a file maintained by a CRA. If a consumer files a dispute, the CRA must conduct an investigation to determine the accuracy of the information, which must be completed within 30 days. The FCRA refers to this as a "reinvestigation." CRAs must provide notice of this dispute to the furnisher of the disputed information within 5 days from receiving notice from the consumer, and provide all relevant information related to the dispute after the conclusion of the investigation. If the reinvestigation reveals that the information is inaccurate, incomplete, or cannot be verified, the CRA must delete the information in its own files. CRAs must also notify any person receiving a consumer report within the past six months (or past two years if for an employment purpose) that the information could not be verified at the request of the consumer. Notice of the results of this reinvestigation must also be provided to the consumer within 5 days of being completed, which must include a statement that the consumer has a right to include a statement of disagreement in his or her file disputing the accuracy of the information. If the consumer provides such a statement, it must be included in all future consumer reports containing the disputed information.
iv. Consumer Access (Regulation of Consumer Reporting Agencies (CRAs))
Consumers have a right to request and obtain all information contained in his or her file maintained by a CRA. This includes the right to obtain information about each person to whom a consumer report was furnished in the last two years, if furnished for an employment purpose, or in the last year, if furnished for any other purpose. Consumers are also entitled to access a record of all inquiries received by the agency in the past year. Likewise, consumers must be provided the sources from which a CRA obtained information. CRAs are not obligated to provide credit scores or other risk scores, nor are they required to provide the sources from which the CRA has obtained information about a consumer for purposes of preparing an investigative consumer report (discussed below). Before making a disclosure to a consumer as required by the FCRA, a CRA must confirm the consumer's identity. Each disclosure must be made in writing (unless the consumer consents otherwise) and it must include a summary of the consumer's rights.
Investigative Consumer Reports
The FCRA places special requirements on the furnishing and use of what are referred to as "investigative consumer reports." An "investigative consumer report" is a consumer report that includes information about a consumer's character, general reputation, personal characteristics, or mode of living that is obtained through personal interviews with a consumer's acquaintances. An investigation undertaken by an employer that would otherwise fall within the definition of an investigative consumer report will not constitute a consumer report (or an investigative consumer report) so long as the employer complies with the special procedures set forth in the FCRA. This is discussed later in the Module covering employment investigations. A person cannot procure or cause to be prepared an investigative consumer report unless the consumer is "clearly and accurately" notified that such a report has been requested and notified of his or her rights with respect to that report within three days of such request. A person procuring such a report must certify to the CRA preparing the report that (1) appropriate disclosures have been made to the consumer and (2) that the user of the report will, upon written request of the consumer, make the required disclosure. Users of investigative consumer reports may avoid liability for violating these provisions if they have in place reasonable procedures to ensure compliance as of the date of the violation. CRAs are prohibited from preparing or furnishing an investigative consumer report until they obtain the required certification and they may not make any inquiries in violation of equal employment opportunity laws. The FCRA also seeks to ensure that investigative consumer reports are accurate by imposing on CRAs a requirement to verify negative information on a consumer before including it in a report. When an investigative consumer report is prepared, adverse information in that report (other than matters of public record) cannot be included in subsequent consumer reports unless the information is re-verified or received within three months of preparing the report.
Key Points
The FCRA was the first federal law regulating the use of personal information by privacy business; intended to regulate consumer reporting agencies Regulates credit reporting agencies, "users" of consumer reports, "furnishers" of information in a consumer report, and anyone extending consumer credit - Different rules apply to each group of persons Applies to "consumer reports," which are defined by three components: (1) the form of communication; (2) the purpose for its use; and (3) the type of information it contains Investigative Consumer Report: A consumer report that includes information that is obtained through personal interviews with a consumer's acquaintances - Consumers must be notified if an investigative consumer report is requested - Any negative information must be verified before it is included in the report, and negative information must be re-verified in every disclosure CRAs are the most heavily regulated entity under the FCRA: - CRAs are prohibited from supplying a consumer report unless the user of the consumer report has a "permissible purpose" Additional rules apply when the "permissible purpose" is employment related, made in connection with a firm offer of credit, or includes medical information - CRAs must ensure that the content of any consumer report it produces is accurate, current, and complete - Information more than 7 years old (or 10 years for a bankruptcy) may not be included in a consumer report; does not apply to criminal convictions - Some information must be included in order to ensure completeness (e.g., whether a consumer disputes any information in the consumer report) - CRAs must implement adequate compliance procedures, which can validate the identity of users and ensure report accuracy - Consumers may obtain access to any personal information held by a CRA, including an accounting of any disclosures - Consumers may dispute the accuracy of information held by a CRA, and the CRA must conduct a "reinvestigation" within 30 days If reinvestigation reveals information is inaccurate, CRA must delete the information and notify certain parties If reinvestigation reveals information is accurate, the consumer has a right to include a written statement in all future disclosures of that information Regulation of "users" of consumer reports: Users are prohibited from obtaining a consumer report without a permissible purpose Users must notify an individual of any adverse action taken as a result of information contained in a consumer report Additional notice obligations apply when an adverse employment decision is made (e.g., provide copy of consumer report) - Users may not re-sell a consumer report unless the identity of the end user is provided to the CRA and the end user has a permissible purpose - If a user makes use of pre-screened lists, there are additional notice and record-keeping requirements The regulation of furnishers of information to CRAs is focused on ensuring the information provided is accurate Furnishers of information to CRAs must provide a dispute resolution process to ensure the information it is providing is accurate Rulemaking authority was transferred to the CFPB as part of Dodd-Frank Both the FTC and the CFPB have enforcement authority, along with "functional regulators" State attorneys general may enforce the FCRA, but there is preemption of most state laws (with the exception of identity theft laws and several individual carve-outs) There is an individual private cause of action, with penalties that change based upon whether the violation was willful or merely negligent There are criminal penalties for some violations
Regulation of "Furnishers" of Information Used in Consumer Reports
The regulations related to furnishers of information included in consumer reports under the FCRA are designed to ensure that the information provided is accurate. As one example, furnishers are prohibited from providing information that (a) they know or have reasonable cause to believe is false or (b) where they have been notified of an inaccuracy by a consumer. Furnishers also have an obligation under FCRA to correct and update information if they provide information to CRAs in the regular course of business and determine that information previously provided is no longer accurate or complete.69 Additional obligations require furnishers to provide notice of any consumer dispute regarding information furnished, the closure of any consumer account, notice of delinquency within 90 days of being turned over to collections, and notice of identity-theft related information. If a financial institution furnishes negative information about a consumer to a CRA, it must also provide written notice to the consumer that it has furnished that information within 30 days of doing so. There is a safe harbor under this provision if a financial institution has reasonable policies and procedures in place meant to ensure compliance or it reasonably believes it is prohibited by law from notify the consumer. Furnishers of information to CRAs must also provide a means by which consumers may dispute the accuracy of information provided. Upon notification of a dispute, the furnisher must conduct an investigation and, if the information is found to be inaccurate, it must take steps to notify CRAs of the inaccuracy and correct the information. This investigation must generally be completed with 30 days. Under regulations adopted by both the FTC and CFPB, furnishers must have policies and procedures in place to handle consumer disputes and ensure the integrity and accuracy of information provided to CRAs.
ii. Notice of Adverse Action (Regulation of "Users" of Consumer Reports)
When a user of a consumer report takes "adverse action" against a consumer based, in whole or in part, on the contents of that consumer report, notice must be provided to the consumer affected by the adverse action. The definition of "adverse action" is extremely broad; it includes effectively any business, credit, or employment decision that has a negative impact on the consumer. The notice provided to consumers must include the name and contact information of the CRA providing the consumer report; a statement that the CRA was not responsible for and cannot explain the decision; include a notice of the consumer's right to request a free copy of the consumer report from the CRA if requested within 60 days; and include a notice of the consumer's right to protest the contents of that report. If the adverse action was based upon a consumer's credit score, the consumer must also be provided with the numerical credit score and additional information used to understand that score. If information that wholly or partly was the basis for the adverse action is obtained from a third party that is not a CRA, the notice of adverse action must include a clear and accurate disclosure of the consumer's right to be informed of the nature of the information that was relied upon if a written request is made within 60 days. The user must provide disclosure within a reasonable time if a written request is made. Similarly, if information forming part of the basis for the adverse action is obtained from an affiliate of the user based upon common ownership or control, the notice must include a statement that the consumer may obtain access to the nature of the information relied upon if a written request is made within 60 days. The user must disclose the nature of the information within 30 days after receiving the request. Liability for the failure to provide adequate notice of an adverse action under these general provisions can be avoided if reasonable procedures designed to ensure compliance are maintained. Adverse Employment Decisions. Additional obligations apply where an adverse employment decision is based, in whole or in part, on the contents of a consumer report. The most important obligation is that the party taking adverse action—i.e., the user of the consumer report—must provide a copy of the report to the consumer and a description of the consumer's rights under the FCRA before taking adverse action. If a consumer submits an employment application by mail, telephone, computer, or other similar means, the party taking adverse action does not need to provide these notices. In such cases, however, the user must nevertheless provide notice within 3 days of taking adverse action that adverse action was taken, the name and contact information for the CRA providing the consumer report, a statement that the CRA did not make the adverse decision, and notice that the consumer may obtain a free copy of the consumer report. These rules applicable to employment-related adverse action generally do not apply where a national security investigation is undertaken by an agency or department of the United States, but there are additional requirements imposed on the government in such instances. There are a number of additional disclosure rules applicable to users of consumer reports that have been adopted pursuant to agency rulemakings. For example, persons that provide a "risk-based pricing notice" to consumers have additional disclosure obligations if they rely upon a consumer report for the purpose of extending credit and the material terms of that credit extension are less-favorable to the consumer based upon that credit report. This is considered an adverse action under the agency rules.
iii. Compliance Procedures (Regulation of Consumer Reporting Agencies (CRAs))
CRAs are obligated to maintain procedures designed to comply with the requirements of the FCRA. The compliance program put in place must include procedures designed to ensure the identity of users are validated and consumer reports are accurate. There is also an affirmative obligation placed upon CRAs to provide notices to both users and furnishers of information of each of their obligations under the FCRA with respect to the information provided to or by the CRA.
Regulation of Consumer Reporting Agencies (CRAs)
CRAs are the most heavily regulated entities under the FCRA. The FCRA imposes strict limits on when a CRA may produce a consumer report. CRAs also face obligations related to the accuracy of consumer reports and the procedures put in place to produce a consumer report. Additionally, CRAs must provide significant access rights to individuals.
ii. Report Accuracy (Regulation of Consumer Reporting Agencies (CRAs))
The FCRA mandates that CRAs ensure that the content of any consumer report it produces is accurate, current, and complete. Exclusion of Outdated Information: In order to ensure that a credit report is current, information that is sufficiently dated may not be include in a consumer report. Bankruptcy information more than 10 years old, and information about liens, accounts placed in collection, civil judgments, records of arrest, or any other negative information (other than criminal convictions) more than 7 years old, may not be included in a consumer report. There are exceptions to this rule for credit or life insurance transactions greater than $150,000 and for employment where the contemplated salary is greater than $75,000.26 What Must Be Included: There are also a number of requirements regarding what must be included in a consumer report under certain circumstances. Some examples of required disclosure include: (1) if a bankruptcy is disclosed, information regarding what chapter of bankruptcy was filed and whether the case was voluntarily withdrawn by the consumer must be included, if known by the CRA; (2) if a key factor in a consumer's credit score is the number of credit inquiries, this fact must be disclosed; (3) if a credit account has been voluntarily closed by a consumer, this disclosure must accompany any disclosure of the account's existence; (4) if a consumer disputes any information contained in the consumer report, the dispute must be disclosed. In addition to the above, when CRAs report on negative information that is a matter of public record for employment purposes, the CRA must either contemporaneously notify the consumer that the information is being reported, or alternatively, the CRA may "maintain strict procedures designed to insure" that the information reported is complete and up to date.
The Fair Credit Reporting Act of 1970 ("FCRA")
The Fair Credit Reporting Act of 1970 ("FCRA") was enacted in the dawn of the computer age when concerns started to arise that decisions could be made about an individual's life based upon some secret data set. The FCRA was passed as Title VI to legislation related to the Federal Deposit Insurance Corporation and amended the Consumer Credit Protection Act. The purpose of the FCRA was to regulate the consumer reporting industry in order to ensure that consumer reporting agencies acted with fairness, impartiality, and respect for a consumer's right to privacy. This was the first federal law that regulated the use of personal information by private businesses.
iv. Pre-Screened Lists (Regulation of "Users" of Consumer Reports)
As noted above, a limited consumer report may be prepared for firm offers of credit or insurance not initiated by a consumer. These reports are used to create pre-screened lists of consumers meeting pre-selected qualifications. For entities using pre-screened lists from a CRA, the FCRA imposes additional requirements. Such entities must maintain adequate records of the criteria that were relied upon to make an offer or grant of credit or insurance for a period of three years from the date the offer is made. Any solicitation made pursuant to a firm offer of credit must state: (1) that information in a CRA file was used in making the solicitation; (2) that the consumer satisfied the criteria for creditworthiness or insurability used to prescreen; (3) that credit or insurance may be withheld if the consumer does not meet criteria following screening; and (4) that the consumer can prohibit the similar use of a consumer report about them by contacting the CRA that provided the report. The FTC and the CFPB have issued detailed regulations related to the procedures for opting out of pre-screened lists. For example, under these regulations, prescreened solicitations must provide simple explanations about how a consumer may opt out on the first page of the solicitation, followed later by a longer notice of how to opt out.
i. Permissible Purpose (Regulation of Consumer Reporting Agencies (CRAs))
CRAs are the most heavily regulated entities under the FCRA. The FCRA imposes strict limits on when a CRA may produce a consumer report. CRAs also face obligations related to the accuracy of consumer reports and the procedures put in place to produce a consumer report. Additionally, CRAs must provide significant access rights to individuals. i. Permissible Purpose Perhaps the most important limitation placed on CRAs under the FCRA is that CRAs are prohibited from supplying a consumer report unless the user of the consumer report has a "permissible purpose." A permissible purpose under the FCRA includes the following: A consumer report may be produced: (1) To comply with a valid court order; (2) In accordance with the written instruction of a consumer; (3) In connection with a credit transaction; (4) For an employment purpose; (5) For intended use in insurance underwriting; (6) To determine a consumer's eligibility for a government benefit; (7) To assess credit or prepayment risks based upon existing credit; (8) In connection with a business transaction initiated by the consumer; (9) To review an account to determine that the consumer continues to meet the terms of the account; (10) In connection with the issuance of government-sponsored, individually based travel charge cards; (11) In connection with child support determinations and enforcement; and (12) In connection with the liquidation of a financial institution. There are additional restrictions placed on CRAs when providing a consumer report for employment purposes, as well as when credit or insurance transactions are not initiated by the consumer. Employment Permissible Purpose: Under the FCRA, an employment purpose refers to any evaluation of a consumer for purposes of extending an offer of employment or promotion, as well as any reassignment or the retention of the employee.10 Before releasing a consumer report for employment purposes, the CRA must obtain a certification from the user of the consumer report that states: (1) that the user has obtained written permission from the consumer to obtain the consumer report; (2) that the user will comply with all statutory requirements if an adverse determination is made based upon information in the consumer report; and (3) that the consumer report will not be used in violation of equal employment opportunity laws. Moreover, a CRA must provide a summary of a consumer's rights along with any consumer report provided for employment purposes. Credit Transactions Not Initiated By a Consumer (and Firm Offers of Credit): As a general proposition, a CRA only has a permissible purpose to create a consumer report for purposes of a credit or insurance transaction when the transaction is initiated by the consumer. There are some instances, however, when the CRA may provide a consumer report to a third party where the transaction is not initiated by a consumer. First, a consumer report may be provided if the consumer authorizes the CRA to provide the report. Second, a consumer report may be provided in connection with "a firm offer of credit or insurance," which means an offer of credit or insurance that will be honored if the consumer is determined, based upon information contained in a consumer report, to meet specific pre-determined criteria, and subject to potential later confirmation of creditworthiness, verification of the credit information in a consumer report, and furnishing of collateral. The amount of information that can be contained in a consumer report furnished in connection with a firm offer of credit is limited, and consumers have the right to be excluded from this type of practice by notifying the CRA in writing. CRAs providing consumer reports in connection with firm offers of credit or insurance must establish and maintain a notification system, which includes a toll-free phone number that permits consumers to provide notification of his or her opt-out. Nationwide CRAs may operate a joint system for this purpose. A consumer opt-out under these provisions is generally valid for five years, unless the consumer submits a signed notice of election. This notice provided by consumers must be implemented within 5 business days by the CRA and each of its affiliates. Medical Information. In addition to the above restrictions, CRAs are also generally prohibited from providing consumer reports containing medical information for credit, insurance, or employment purposes without consumer consent (unless the information is coded for insurance purposes) and where necessary for the specific transaction or employment being contemplated. Any user of a consumer report containing medical information is prohibited from re-disclosing that information.
Enforcement and Rulemaking
Rulemaking authority under the FCRA was originally placed in several federal agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, and Office of Thrift Supervision. With the passage of Dodd-Frank, however, this authority was largely transferred to the Consumer Financial Protection Bureau. Similar to its rulemaking provisions, the FCRA was also originally enforced by the FTC, but this enforcement authority is now shared between the FTC and the CFPB. As amended, Congress expressly provided that any violation of the FCRA constitutes an "unfair" or "deceptive" trade practice, subject to the FTC's Section 5 enforcement authority. The FTC is also authorized to enforce compliance under the statute directly where no other agency has been specifically provided enforcement authority. A number of specific federal authorities may enforce the FCRA against entities under their respective jurisdiction, including the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Secretary of Transportation, the Secretary of Agriculture, the Commodities Futures Trading Commission, and the Securities Exchange Commission. These are sometimes referred to as "functional regulators." For those persons subject to the FCRA that do not fall within the jurisdiction of a functional regulator, the CFPB has enforcement jurisdiction. Civil penalties are updated annually to adjust for inflation, and as of 2019, the maximum penalty for each violation of the FCRA was $3,993. State attorneys general also have investigative and enforcement authority under the FCRA to seek an injunction and to obtain damages on behalf of the people of their State. The appropriate federal authority must be notified prior to filing suit, and that federal authority has the right to intervene. State laws related to identity theft are not preempted under FCRA except to the extent that they are inconsistent with FCRA. Most other state laws are preempted, though Congress specifically carved out a number of state laws from this preemption provision. For example, most state laws regarding the frequency with which free credit reports can be requested are not preempted. There is a private right of action under the FCRA. Those that are found in willful non-compliance of the statute are liable to the consumer injured for any actual damages sustained or for statutory damages of not less than $100 or more than $1,000, as well as punitive damages, costs, and attorney's fees. Willful violators may also be held liable for damages to a CRA that result from obtaining a consumer report under false pretenses or without a permissible purpose. For negligent non-compliance, FCRA calls for the imposition of actual damages to the consumer, along with costs and attorney's fees. Attorney's fees may also be awarded to a defendant if the action is found to have been filed in bad faith. The statute of limitations on such claims is two years for a negligent violation and five years for a willful violation. In addition to civil liability, a person found to have knowingly and willfully obtained consumer information from a consumer reporting agency under false pretenses may be fined and jailed for a period of up to two years. The same penalties apply for an officer or employee of a CRA who knowingly and willfully provides information on a consumer from his or her file to a person not authorized to receive it. Furnishers of information to CRAs are generally exempt from criminal liability.
Regulation of Companies Extending Credit
Upon the adoption of FACTA, the FTC was required to pass regulations to better protect against identity theft. Out of this came the "Red Flags" Rule, which we discuss in the next Module covering FACTA. Briefly, however, the Red Flags Rule requires any company that extends credit to consumers—regardless of whether they rely upon consumer reports— to implement a "red flag" program to detect and protect against identity theft.
iii. Prohibition on Re-Selling (Regulation of "Users" of Consumer Reports)
Users of consumer reports are prohibited from re-selling any consumer reports they obtain unless they notify the CRA of (1) the identity of the end-user of the report and (2) each permissible purpose for which the end-user will be utilizing the report. Re-sellers must have reasonable procedures in place to ensure that the report will be used only for a permitted purpose, and the re-seller must verify the identity and certifications of the person to whom the report is being resold.