how to avoid common lending violationsttsmedia.ttstrain.com/fcrajpho041316.docx · web viewwhen a...

Fair Credit Reporting Act Compliance – Ten Critical Issues 2016 Susan Costonis, C.R.C.M. Compliance Training & Consulting for Financial Institutions Email: [email protected]


Post on 19-Sep-2020



INSTRUCTOR

Susan Costonis is a compliance consultant and trainer. She specializes in compliance management along with deposit and lending regulatory training. Most of her career was spent as a banker in several areas including lending, loan administration, electronic banking, and compliance risk management.

Susan has successfully managed compliance programs and exams for institutions that ranged from a community bank to large multi-state bank holding companies. She has been a compliance officer for institutions supervised by the OCC, FDIC, and Federal Reserve. Susan has been a Certified Regulatory Compliance Manager since 1998, completed the ABA Graduate Compliance School, and graduated from the University of Akron and the Graduate Banking School of the University of Colorado. She regularly presents to financial institution audiences in several states and “translates” complex regulations into simple concepts by using humor and real life examples.

[email protected] (e-mail)

Published by: Susan Costonis, C.R.C.M., Compliance Training and Consulting for Financial Institutions

All rights reserved. This material may not be reproduced in whole or in part in any form or by any means without written permission from the publisher.

Disclaimer

This presentation is designed to provide accurate and authoritative information in regard to the subject matter covered. The handouts, visuals, and verbal information provided are current as of the webinar date. Links to other websites are inserted for convenience and do not constitute endorsement of material at those sites, or any associated organization, product, or service.

FCRA TOP TEN ISSUES - 2016 2


TABLE OF CONTENTS

CHAPTER 1 FCRA OVERVIEW
INTRODUCTION: OVERVIEW OF THE MANUAL AND SEMINAR OBJECTIVES
FCRA KEY DEFINITIONS
PART 1022 – FAIR CREDIT REPORTING (REGULATION V)
FCRA KEY PROVISIONS
FCRA AND PERMISSIBLE PURPOSE
ADVERSE ACTION NOTICE REQUIREMENTS UNDER THE ECOA AND THE FCRA
WHEN ADVERSE ACTION NOTICES ARE REQUIRED
COMMON VIOLATIONS ON ADVERSE ACTION & REQUIRED DISCLOSURES
FURNISHERS OBLIGATIONS UNDER THE FCRA AND ECOA
CFPB POSTS “SUMMARY OF RIGHTS” UNDER FCRA
WHO IS JULIE MILLER?

CHAPTER 2 CRITICAL IDENTITY THEFT ISSUES
RULES FOR IDENTITY THEFT RED FLAGS
SUPPLEMENT A TO APPENDIX J EXAMPLES FOR RED FLAGS
FCRA REQUIRED TRAINING – RED FLAGS
TEN STEPS TO MITIGATE IDENTITY THEFT RISKS
IDENTITY THEFT AND FACTA PROVISIONS
FCRA POLICY - FOUR STEP PROCESS TO COMPLY

CHAPTER 3 EXAM PROCEDURES AND GUIDANCE
FCRA EXAM PROCEDURES
CONSUMER PERSPECTIVE AND RECENT SETTLEMENT
FTC ADVICE TO CONSUMERS – DISPUTING ERRORS ON CREDIT REPORTS
FCRA, IDENTITY THEFT RED FLAGS, AND THE PRIVACY ACT
PRIVACY PROCEDURES
FCRA RULES AND PERMISSIBLE PURPOSE

CHAPTER 4 FCRA COMPLIANCE ISSUES
CFPB RELEASE COMPLAINT REPORT AUGUST 2015
SPECIFIC FUNCTIONAL UNITS OF THE CFPB
CFPB STUDY ON CREDIT REPORTS
FDIC FAIR LENDING ISSUES WITH CREDIT REPORT FEES
TOP TEN ISSUES AND SUGGESTIONS FOR FCRA COMPLIANCE

APPENDIX A – SAMPLE DISCLOSURES
FTC SAMPLE LETTER FOR DISPUTING CREDIT REPORT ERRORS
REGULATION B - NOTICE OF ACTION TAKEN AND STATEMENT OF REASONS
MODEL FORM C-3 FOR CREDIT SCORE DISCLOSURE ON DENIALS
NOTICE TO THE HOME LOAN APPLICANT AND CREDIT SCORE DISCLOSURE
FTC RESOURCES FOR IDENTITY THEFT


CHAPTER 1

FCRA OVERVIEW


INTRODUCTION: OVERVIEW OF THE MANUAL AND SEMINAR OBJECTIVES

The Fair Credit Reporting Act has been in effect since 1971, but it has been amended substantially over the years, most recently by significant changes in the FACT Act. Even though this regulation is an “oldie but goodie”, there are still many issues, and violations have been cited. The CFPB tracks complaints, and the “credit reporting” complaint category has drawn increased focus from all the regulators. In addition, increased identity theft, fraud, and cyber crime have a direct relationship to the potential for inaccurate credit reports. There are numerous compliance challenges, ranging from what you can tell one joint applicant about the other applicant's credit, to when the FCRA portion should NOT be included with the adverse action form. What should your bank or credit union be doing to reduce the compliance risk of complaints and FCRA violations? Join us for a discussion of 10 issues that should be addressed in an effective FCRA compliance program.

HIGHLIGHTS

• What are the key definitions in the Fair Credit Reporting Act for “person”, “consumer”, “consumer report” and “consumer reporting agency”?
• What are the permissible purposes for a consumer reporting agency to furnish a consumer report?
• What requirements must be followed by the USERS of consumer reports?
• What are the responsibilities to “furnish” accurate information?
• Is there a restriction on sharing credit and debit card numbers on electronic receipts?
• How should “negative” credit performance information be provided?
• How should adverse action/FCRA notices be given?
• Credit score disclosure notices – what’s required?
• Use of medical information – what are the rules?
• Exam procedures for FCRA – highlights and best practices.

WHO SHOULD ATTEND?

This informative session is designed for customer (or member, for credit unions) service representatives, branch managers, lenders, loan operations, credit administration, compliance personnel, collectors, and anyone who handles loan accounts.


FCRA KEY DEFINITIONS

What are the key definitions in the Fair Credit Reporting Act for “person”, “consumer”, “consumer report” and “consumer reporting agency”?

These definitions are taken from the Federal Reserve Exam Procedures for Fair Credit Reporting (FCRA) and from Regulation V, Part 1022 from the CFPB, which can be found at this link: http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&tpl=/ecfrbrowse/Title12/12cfr1022_main_02.tpl

FCRA – Fair Credit Reporting Act [15 U.S.C. 1681 et seq.] can be found at this link: https://www.bankersonline.com/regulations/fcra-000

Consumer – is an individual

Consumer Report – (1) In general. The term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for

(A) credit or insurance to be used primarily for personal, family, or household purposes;

(B) employment purposes; or

(C) any other purpose authorized under section 604 [§ 1681b]

There are some exclusions. A consumer report does NOT include –

(A) subject to section 624, any:

(i) report containing information solely as to transactions or experiences between the consumer and the person making the report;

(ii) communication of that information among persons related by common ownership or affiliated by corporate control; or

(iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons;

(B) any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;


(C) any report in which a person who has been requested by a third party to make a specific extension of credit directly or indirectly to a consumer conveys his or her decision with respect to such request, if the third party advises the consumer of the name and address of the person to whom the request was made, and such person makes the disclosures to the consumer required under section 615 [§ 1681m]

Identifying information, 1022.3 (g)

(g) Identifying information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:

(1) Name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;

(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;

(3) Unique electronic identification number, address, or routing code; or

(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).

Identity Theft, 1022.3 (h) and Identity theft report (i)

(h) Identity theft means a fraud committed or attempted using the identifying information of another person without authority.

(i)(1) Identity theft report means a report:

(i) That alleges identity theft with as much specificity as the consumer can provide;

(ii) That is a copy of an official, valid report filed by the consumer with a Federal, state, or local law enforcement agency, including the United States Postal Inspection Service, the filing of which subjects the person filing the report to criminal penalties relating to the filing of false information, if, in fact, the information in the report is false; and

(iii) That may include additional information or documentation that an information furnisher or consumer reporting agency reasonably requests for the purpose of determining the validity of the alleged identity theft, provided that the information furnisher or consumer reporting agency:

(A) Makes such request not later than fifteen days after the date of receipt of the copy of the report form identified in Paragraph (i)(1)(ii) of this section or the request by the consumer for the particular service, whichever shall be the later;


(B) Makes any supplemental requests for information or documentation and final determination on the acceptance of the identity theft report within another fifteen days after its initial request for information or documentation; and

(C) Shall have five days to make a final determination on the acceptance of the identity theft report, in the event that the consumer reporting agency or information furnisher receives any such additional information or documentation on the eleventh day or later within the fifteen day period set forth in Paragraph (i)(1)(iii)(B) of this section.

(2) Examples of the specificity referenced in Paragraph (i)(1)(i) of this section are provided for illustrative purposes only, as follows:

(i) Specific dates relating to the identity theft such as when the loss or theft of personal information occurred or when the fraud(s) using the personal information occurred, and how the consumer discovered or otherwise learned of the theft.

(ii) Identification information or any other information about the perpetrator, if known.

(iii) Name(s) of information furnisher(s), account numbers, or other relevant account information related to the identity theft.

(iv) Any other information known to the consumer about the identity theft.

(3) Examples of when it would or would not be reasonable to request additional information or documentation referenced in Paragraph (i)(1)(iii) of this section are provided for illustrative purposes only, as follows:

(i) A law enforcement report containing detailed information about the identity theft and the signature, badge number or other identification information of the individual law enforcement official taking the report should be sufficient on its face to support a victim's request. In this case, without an identifiable concern, such as an indication that the report was fraudulent, it would not be reasonable for an information furnisher or consumer reporting agency to request additional information or documentation.

(ii) A consumer might provide a law enforcement report similar to the report in Paragraph (i)(1) of this section but certain important information such as the consumer's date of birth or Social Security number may be missing because the consumer chose not to provide it. The information furnisher or consumer reporting agency could accept this report, but it would be reasonable to require that the consumer provide the missing information. The Bureau's Identity Theft Affidavit is available on the Bureau's Web site (consumerfinance.gov/learnmore). The version of this form developed by the Federal Trade Commission, available on the FTC's Web site (ftc.gov/idtheft), remains valid and sufficient for this purpose.

(iii) A consumer might provide a law enforcement report generated by an automated system with a simple allegation that an identity theft occurred to support a request for a tradeline block or cessation of information furnishing. In such a case, it would be reasonable for an information furnisher or consumer reporting agency to ask that the consumer fill out and have notarized the Bureau's Identity Theft Affidavit or a similar form and provide some form of identification documentation.

(iv) A consumer might provide a law enforcement report generated by an automated system with a simple allegation that an identity theft occurred to support a request for an extended fraud alert. In this case, it would not be reasonable for a consumer reporting agency to require additional documentation or information, such as a notarized affidavit.

Medical information 1022.3 (k) means:

(1) Information or data, whether oral or recorded, in any form or medium, created by or derived from a health care provider or the consumer, that relates to:

(i) The past, present, or future physical, mental, or behavioral health or condition of an individual;

(ii) The provision of health care to an individual; or

(iii) The payment for the provision of health care to an individual.

(2) The term does not include:

(i) The age or gender of a consumer;

(ii) Demographic information about the consumer, including a consumer's residence address or email address;

(iii) Any other information about a consumer that does not relate to the physical, mental, or behavioral health or condition of a consumer, including the existence or value of any insurance policy; or

(iv) Information that does not identify a specific consumer.

(l) Person means any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.


PART 1022 – FAIR CREDIT REPORTING (REGULATION V)

These are the subparts and sections of Regulation V

Subpart A—General Provisions
1022.1 Purpose, scope, and model forms and disclosures.
1022.2 Examples
1022.3 Definitions

Subpart B—[Reserved]

Subpart C—Affiliate Marketing
1022.20 Coverage and definitions.
1022.21 Affiliate marketing opt-out and exceptions.
1022.22 Scope and duration of opt-out.
1022.23 Contents of opt-out notice; consolidated and equivalent notices.
1022.24 Reasonable opportunity to opt out.
1022.25 Reasonable and simple methods of opting out.
1022.26 Delivery of opt-out notices.
1022.27 Renewal of opt-out

Subpart D—Medical Information
1022.30 Obtaining or using medical information in connection with a determination of eligibility for credit.
1022.31 Limits on re-disclosure of information
1022.32 Sharing medical information with affiliates.

Subpart E—Duties of Furnishers of Information
1022.40 Scope.
1022.41 Definitions.
1022.42 Reasonable policies and procedures concerning the accuracy and integrity of furnished information.
1022.43 Direct disputes.

Subpart F—Duties of Users Regarding Obtaining and Using Consumer Reports
1022.50–1022.53—[Reserved]
1022.54 Duties of users making written firm offers of credit or insurance based on information contained in consumer files
1022.55–1022.59—[Reserved]

Subpart G—[Reserved]

Subpart H—Duties of Users Regarding Risk-Based Pricing
1022.70 Scope.
1022.71 Definitions.
1022.72 General requirements for risk-based pricing notices.
1022.73 Content, form, and timing of risk-based pricing notices.
1022.74 Exceptions.
1022.75 Rules of construction.

Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft
1022.80–1022.81—[Reserved]
1022.82 Duties of users regarding address discrepancies.

Subparts J–L—[Reserved]

Subpart M—Duties of Consumer Reporting Agencies Regarding Identity Theft
1022.120—[Reserved]
1022.121 Active Duty Alerts.
1022.122—[Reserved]
1022.123 Appropriate proof of identity.
1022.124-1022.129—[Reserved]

Subpart N—Duties of Consumer Reporting Agencies Regarding Disclosures to Consumers
1022.130 Definitions.
1022.131-1022.135—[Reserved]
1022.136 Centralized source for requesting annual file disclosures from nationwide consumer reporting agencies.
1022.137 Streamlined process for requesting annual file disclosures from nationwide specialty consumer reporting agencies.
1022.138 Prevention of deceptive marketing of free credit reports.
1022.139—[Reserved]

Subpart O—Miscellaneous Duties of Consumer Reporting Agencies
1022.140 Prohibition against circumventing or evading treatment as a consumer reporting agency.

Appendices
Appendix A to Part 1022—[Reserved]
Appendix B to Part 1022—Model Notices of Furnishing Negative Information
Appendix C to Part 1022—Model Forms for Opt-Out Notices
Appendix D to Part 1022—Model Forms for Firm Offers of Credit or Insurance
Appendix E to Part 1022—Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies
Appendices F–G to Part 1022—[Reserved]
Appendix H to Part 1022—Appendix H—Model Forms for Risk-Based Pricing and Credit Score Disclosure Exception Notices
Appendix I to Part 1022—Summary of Consumer Identity Theft Rights
Appendix J to Part 1022—[Reserved]
Appendix K to Part 1022—Summary of Consumer Rights
Appendix L to Part 1022—Standardized Form for Requesting Annual File Disclosures
Appendix M to Part 1022—Notice of Furnisher Responsibilities
Appendix N to Part 1022—Notice of User Responsibilities

Federal Register documents affecting this regulation.


FCRA KEY PROVISIONS

Obligations of ALL USERS of CONSUMER REPORTS

A. Users Must Have a Permissible Purpose

Congress has limited the use of consumer reports to protect consumers' privacy. All users must have a permissible purpose under the FCRA to obtain a consumer report. Section 604 contains a list of the permissible purposes under the law. These are:

• As ordered by a court or a federal grand jury subpoena. Section 604(a)(1)
• As instructed by the consumer in writing. Section 604(a)(2)
• For the extension of credit as a result of an application from a consumer, or the review or collection of a consumer's account. Section 604(a)(3)(A)
• For employment purposes, including hiring and promotion decisions, where the consumer has given written permission. Sections 604(a)(3)(B) and 604(b)
• For the underwriting of insurance as a result of an application from a consumer. Section 604(a)(3)(C)
• When there is a legitimate business need, in connection with a business transaction that is initiated by the consumer. Section 604(a)(3)(F)(i)
• To review a consumer's account to determine whether the consumer continues to meet the terms of the account. Section 604(a)(3)(F)(ii)
• To determine a consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status. Section 604(a)(3)(D)
• For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation. Section 604(a)(3)(E)
• For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof. Sections 604(a)(4) and 604(a)(5)

In addition, creditors and insurers may obtain certain consumer report information for the purpose of making "prescreened" unsolicited offers of credit or insurance. Section 604(c). The particular obligations of users of "prescreened" information are described in Section VII below.

B. Users Must Provide Certifications

Section 604(f) prohibits any person from obtaining a consumer report from a consumer reporting agency (CRA) unless the person has certified to the CRA the permissible purpose(s) for which the report is being obtained and certifies that the report will not be used for any other purpose.

C. Users Must Notify Consumers When Adverse Actions Are Taken

The term "adverse action" is defined very broadly by Section 603. "Adverse actions" include all business, credit, and employment actions affecting consumers that can be considered to have a negative impact as defined by Section 603(k) of the FCRA – such as denying or canceling credit or insurance, or denying employment or promotion. No adverse action occurs in a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.

1. Adverse Actions Based on Information Obtained From a CRA

If a user takes any type of adverse action as defined by the FCRA that is based at least in part on information contained in a consumer report, Section 615(a) requires the user to notify the consumer. The notification may be done in writing, orally, or by electronic means. It must include the following:

The name, address, and telephone number of the CRA (including a toll-free telephone number, if it is a nationwide CRA) that provided the report.

A statement that the CRA did not make the adverse decision and is not able to explain why the decision was made.

A statement setting forth the consumer's right to obtain a free disclosure of the consumer's file from the CRA if the consumer makes a request within 60 days.

A statement setting forth the consumer's right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA.

2. Adverse Actions Based on Information Obtained From Third Parties Who Are Not Consumer Reporting Agencies

If a person denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly upon information from a person other than a CRA, and the information is the type of consumer information covered by the FCRA, Section 615(b)(1) requires that the user clearly and accurately disclose to the consumer his or her right to be told the nature of the information that was relied upon if the consumer makes a written request within 60 days of notification. The user must provide the disclosure within a reasonable period of time following the consumer's written request.

3. Adverse Actions Based on Information Obtained From Affiliates

If a person takes an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA, and this information was obtained from an entity affiliated with the user of the information by common ownership or control, Section 615(b)(2) requires the user to notify the consumer of the adverse action. The notice must inform the consumer that he or she may obtain a disclosure of the nature of the information relied upon by making a written request within 60 days of receiving the adverse action notice. If the consumer makes such a request, the user must disclose the nature of the information not later than 30 days after receiving the request. If consumer report information is shared among affiliates and then used for an adverse action, the user must make an adverse action disclosure as set forth in I.C.1 above.

D. Users Have Obligations When Fraud and Active Duty Military Alerts are in Files

When a consumer has placed a fraud alert, including one relating to identity theft, or an active duty military alert with a nationwide consumer reporting agency as defined in Section 603(p) and resellers, Section 605A(h) imposes limitations on users of reports obtained from the consumer reporting agency in certain circumstances, including the establishment of a new credit plan and the issuance of additional credit cards. For initial fraud alerts and active duty alerts, the user must have reasonable policies and procedures in place to form a belief that the user knows the identity of the applicant or contact the consumer at a telephone number specified by the consumer; in the case of extended fraud alerts, the user must contact the consumer in accordance with the contact information provided in the consumer's alert.

E. Users Have Obligations When Notified of an Address Discrepancy

Section 605(h) requires nationwide CRAs, as defined in Section 603(p), to notify users that request reports when the address for a consumer provided by the user in requesting the report is substantially different from the addresses in the consumer's file. When this occurs, users must comply with regulations specifying the procedures to be followed, which will be issued by the Consumer Financial Protection Bureau and the banking and credit union regulators. The Consumer Financial Protection Bureau's regulations will be available at www.consumerfinance.gov/learnmore.

F. Users Have Obligations When Disposing of Records

Section 628 requires that all users of consumer report information have in place procedures to properly dispose of records containing this information. The Consumer Financial Protection Bureau, the Securities and Exchange Commission, and the banking and credit union regulators have issued regulations covering disposal. The Consumer Financial Protection Bureau's regulations may be found at www.consumerfinance.gov/learnmore.

II. CREDITORS MUST MAKE ADDITIONAL DISCLOSURES

If a person uses a consumer report in connection with an application for, or a grant, extension, or provision of, credit to a consumer on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person must provide a risk-based pricing notice to the consumer in accordance with regulations to be jointly prescribed by the Consumer Financial Protection Bureau and the Federal Reserve Board.

Section 609(g) requires a disclosure by all persons that make or arrange loans secured by residential real property (one to four units) and that use credit scores. These persons must provide credit scores and other information about credit scores to applicants, including the disclosure set forth in Section 609(g)(1)(D) ("Notice to the Home Loan Applicant").

III. OBLIGATIONS OF USERS WHEN CONSUMER REPORTS ARE OBTAINED FOR EMPLOYMENT PURPOSES

A. Employment Other Than in the Trucking Industry

If information from a CRA is used for employment purposes, the user has specific duties, which are set forth in Section 604(b) of the FCRA. The user must:

Make a clear and conspicuous written disclosure to the consumer before the report is obtained, in a document that consists solely of the disclosure, that a consumer report may be obtained.

Obtain from the consumer prior written authorization. Authorization to access reports during the term of employment may be obtained at the time of employment.

Certify to the CRA that the above steps have been followed, that the information being obtained will not be used in violation of any federal or state equal opportunity law or regulation, and that, if any adverse action is to be taken based on the consumer report, a copy of the report and a summary of the consumer's rights will be provided to the consumer.

Before taking an adverse action, the user must provide a copy of the report to the consumer as well as the summary of consumer's rights. (The user should receive this summary from the CRA.) A Section 615(a) adverse action notice should be sent after the adverse action is taken.

An adverse action notice also is required in employment situations if credit information (other than transactions and experience data) obtained from an affiliate is used to deny employment. Section 615(b)(2).

The procedures for investigative consumer reports and employee misconduct investigations are set forth below.

B. Employment in the Trucking Industry

Special rules apply for truck drivers where the only interaction between the consumer and the potential employer is by mail, telephone, or computer. In this case, the consumer may provide consent orally or electronically, and an adverse action may be made orally, in writing, or electronically. The consumer may obtain a copy of any report relied upon by the trucking company by contacting the company.

IV. OBLIGATIONS WHEN INVESTIGATIVE CONSUMER REPORTS ARE USED

Investigative consumer reports are a special type of consumer report in which information about a consumer's character, general reputation, personal characteristics, and mode of living is obtained through personal interviews by an entity or person that is a consumer reporting agency. Consumers who are the subjects of such reports are given special rights under the FCRA. If a user intends to obtain an investigative consumer report, Section 606 requires the following:

The user must disclose to the consumer that an investigative consumer report may be obtained. This must be done in a written disclosure that is mailed, or otherwise delivered, to the consumer at some time before or not later than three days after the date on which the report was first requested. The disclosure must include a statement informing the consumer of his or her right to request additional disclosures of the nature and scope of the investigation as described below, and the summary of consumer rights required by Section 609 of the FCRA. (The summary of consumer rights will be provided by the CRA that conducts the investigation.)

The user must certify to the CRA that the disclosures set forth above have been made and that the user will make the disclosure described below.

Upon the written request of a consumer made within a reasonable period of time after the disclosures required above, the user must make a complete disclosure of the nature and scope of the investigation. This must be made in a written statement that is mailed, or otherwise delivered, to the consumer no later than five days after the date on which the request was received from the consumer or the report was first requested, whichever is later in time.

V. SPECIAL PROCEDURES FOR EMPLOYEE INVESTIGATIONS

Section 603(x) provides special procedures for investigations of suspected misconduct by an employee or for compliance with Federal, state or local laws and regulations or the rules of a self-regulatory organization, and compliance with written policies of the employer. These investigations are not treated as consumer reports so long as the employer or its agent complies with the procedures set forth in Section 603(x), and a summary describing the nature and scope of the inquiry is made to the employee if an adverse action is taken based on the investigation.


VI. OBLIGATIONS OF USERS OF MEDICAL INFORMATION

Section 604(g) limits the use of medical information obtained from consumer reporting agencies (other than payment information that appears in a coded form that does not identify the medical provider). If the information is to be used for an insurance transaction, the consumer must give consent to the user of the report or the information must be coded. If the report is to be used for employment purposes – or in connection with a credit transaction (except as provided in regulations issued by the banking and credit union regulators) – the consumer must provide specific written consent and the medical information must be relevant. Any user who receives medical information shall not disclose the information to any other person (except where necessary to carry out the purpose for which the information was disclosed, or as permitted by statute, regulation, or order).

VII. OBLIGATIONS OF USERS OF "PRESCREENED" LISTS

The FCRA permits creditors and insurers to obtain limited consumer report information for use in connection with unsolicited offers of credit or insurance under certain circumstances. Sections 603(l), 604(c), 604(e), and 615(d). This practice is known as "prescreening" and typically involves obtaining from a CRA a list of consumers who meet certain pre-established criteria. If any person intends to use prescreened lists, that person must (1) before the offer is made, establish the criteria that will be relied upon to make the offer and to grant credit or insurance, and (2) maintain such criteria on file for a three-year period beginning on the date on which the offer is made to each consumer. In addition, any user must provide with each written solicitation a clear and conspicuous statement that:

Information contained in a consumer's CRA file was used in connection with the transaction.

The consumer received the offer because he or she satisfied the criteria for credit worthiness or insurability used to screen for the offer.

Credit or insurance may not be extended if, after the consumer responds, it is determined that the consumer does not meet the criteria used for screening or any applicable criteria bearing on credit worthiness or insurability, or the consumer does not furnish required collateral.

The consumer may prohibit the use of information in his or her file in connection with future prescreened offers of credit or insurance by contacting the notification system established by the CRA that provided the report. The statement must include the address and toll-free telephone number of the appropriate notification system.

In addition, once the Consumer Financial Protection Bureau by rule has established the format, type size, and manner of the disclosure required by Section 615(d), users must be in compliance with the rule. The CFPB's regulations will be at www.consumerfinance.gov/learnmore.


FCRA AND PERMISSIBLE PURPOSE

The FCRA regulates the furnishing and collection of consumer credit information and access to credit reports and imposes certain disclosure requirements. Some FCRA provisions have implementing regulations, while others do not. Although the FCRA is generally limited to consumer credit transactions, it also applies in some instances to commercial credit transactions involving a consumer.

Permissible purpose to obtain consumer report. Creditors must have a permissible purpose to obtain a consumer’s credit report, regardless of the purpose of the transaction. In some cases, when credit is extended to a business, the creditor will include the business’s principal on the credit instrument as a guarantor or co-obligor and obtain the consumer’s credit report. The question arises whether a creditor has a permissible purpose in this circumstance.

What is a “permissible purpose”?

A creditor always has a permissible purpose to obtain a credit report if the consumer authorizes it in writing. If a creditor is unsure if it has a permissible purpose for a business purpose loan for which the consumer is a guarantor or co-obligor, it has been an acceptable practice for the creditor to include an authorization to access the consumer’s credit report in the credit application or in a separate document. (See information in FCRA “Key Provisions” section)

Adverse action notice. The FCRA requires that if a person accesses a consumer report and takes adverse action based, in whole or in part, on information in the report, the consumer must be given an adverse action notice.

The FCRA may so apply when a creditor pulls a credit report on a consumer who is or could be liable for a commercial loan (for example, the consumer is the principal of a business and the creditor wants the consumer to be a guarantor or co-applicant on the loan) and takes adverse action based on the report. If the consumer is acting as a guarantor, a surety, or in a like capacity on the commercial loan, an adverse action notice is not required because the FCRA definition of adverse action is based on ECOA’s definition of adverse action, and ECOA’s definition does not apply to guarantors. However, if a consumer is a co-applicant for a commercial loan and adverse action is taken, based in whole or in part on information in the consumer’s report, and the creditor is unsure if an FCRA adverse action notice is required, an adverse action notice may be provided.


ADVERSE ACTION NOTICE REQUIREMENTS UNDER THE ECOA AND THE FCRA

Two federal laws — the Equal Credit Opportunity Act (ECOA), as implemented by Regulation B, and the Fair Credit Reporting Act (FCRA) — reflect Congress’s determination that consumers and businesses applying for credit should receive notice of the reasons a creditor took adverse action on the application or on an existing credit account.1 Notice is also required under the FCRA for adverse actions taken with respect to insurance transactions, employment decisions, and in certain other circumstances.

The two laws serve different purposes. Adverse action notices under the ECOA and Regulation B are designed to help consumers and businesses by providing transparency to the credit underwriting process and protecting against potential credit discrimination by requiring creditors to explain the reasons adverse action was taken. The FCRA’s requirements for adverse action notices apply only to consumer transactions and are designed to alert consumers that negative information was the basis for the adverse action. Under the FCRA, the consumer has 60 days from the date of the notice to obtain more details about the negative information so that if it is erroneous, the consumer can correct it. To reduce the compliance burden, a creditor can use a single, combined notice to comply with the adverse action requirements of both laws, and model forms have been published in connection with Regulation B.

To ensure compliance, it is important to understand how the requirements of Regulation B and the FCRA relate to and differ from one another. In this article, we review the adverse action requirements of both Regulation B and the FCRA, explain recent disclosure requirements under the FCRA mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), and discuss common adverse action violations.

WHAT IS ADVERSE ACTION?

Regulation B defines adverse action as:

A refusal to grant credit in substantially the amount or on substantially the terms requested in an application unless the creditor makes a counteroffer (to grant credit in a different amount or on other terms), and the applicant uses or expressly accepts the credit offered;

A termination of an account or an unfavorable change in the terms of an account that does not affect all or substantially all of a class of the creditor’s accounts; or

A refusal to increase the amount of credit available to an applicant who has made an application for an increase.

To provide greater clarity about the definition, Regulation B also specifically delineates what is not adverse action:


A change in the terms of an account expressly agreed to by an applicant;

Any action or forbearance relating to an account taken in connection with inactivity, default, or delinquency as to that account;

A refusal or failure to authorize an account transaction at point of sale or loan except when the refusal is a termination or an unfavorable change in the terms of an account that does not affect all or substantially all of a class of the creditor’s accounts or when the refusal is a denial of an application for an increase in the amount of credit available under the account;

A refusal to extend credit because applicable law prohibits the creditor from extending the credit requested; or

A refusal to extend credit because the creditor does not offer the type of credit or credit plan requested.3

The FCRA, by contrast, defines adverse action more broadly to include:

Adverse action as defined in section 701(d)(6) of ECOA;

A denial or cancellation of, an increase in any charge for, or a reduction or other adverse or unfavorable change in the terms of coverage or amount of, any insurance, existing or applied for, in connection with the underwriting of insurance;

A denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee;

A denial or cancellation of, an increase in any charge for, or any adverse or unfavorable change in the terms of a government license or benefit; or

An action on an application or transaction initiated by a consumer, or in connection with account review that is adverse to the consumer’s interests.

Thus, the FCRA definition not only specifically includes the ECOA definition but also covers certain noncredit, consumer-initiated transactions and applications, including consumer applications for insurance, employment, a rental, and a government license or benefit. Note, however, that the FCRA only applies to consumer transactions, so adverse action notices are not required under the FCRA for business transactions.


WHEN ADVERSE ACTION NOTICES ARE REQUIRED

TABLE 1

Regulation B (Consumer and Business)

A creditor must provide a notice if it has:

Taken adverse action on a completed credit application;

Taken adverse action on an incomplete credit application;

Taken adverse action on an existing credit account; or

Made a counteroffer to an application for credit and the applicant does not accept the counteroffer.

Notice is not required if:

The transaction does not involve credit;

A credit applicant accepts a counteroffer;

A credit applicant expressly withdraws an application; or

The creditor approves a credit application and both parties expect that the applicant will inquire about its status, but the applicant does not inquire within 30 days after application (the approved application is treated as withdrawn)

FCRA (Consumer)

For a covered transaction, a person must provide notice if:

Adverse action was taken based in whole or in part on information in a consumer report;

Consumer credit is denied or a charge for credit increased based on information obtained from third parties other than consumer reporting agencies bearing upon the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; or

Adverse action was taken based on information furnished by a corporate affiliate of the person taking the action


When Is Notice Required?

Generally, Regulation B notice requirements are triggered when adverse action is taken on a credit application or an existing credit account, and FCRA notice requirements are triggered when adverse action is taken based on information provided in one of the three circumstances listed in Table 1 in the FCRA column.

Because of different coverage rules, an adverse action notice may be required under one law but not the other. For example, an employer must comply with the FCRA notice requirements when denying an employment application based on information in a consumer report5; however, the disclosures under Regulation B are not triggered because the application does not involve credit.

Who Must Receive Notice?

Regulation B and the FCRA differ on who must receive the adverse action notice. Regulation B defines an applicant more broadly than the FCRA, incorporating businesses as well as individuals. Table 2 shows the two requirements.

TABLE 2

Regulation B (Consumer and Business)

Any applicant, including individuals applying for credit, businesses of all sizes, and any person liable or who will become liable for the debt such as a coapplicant. Guarantors are not “applicants” under Regulation B’s definition of applicant

FCRA (Consumer)

Any consumer defined as an individual, including coapplicants

The requirements are different for multiple applicants. According to Regulation B, if multiple applicants submit an application, notice need only be given to the primary applicant if the primary applicant is readily apparent. In the case of multiple applicants under the FCRA, the statute has been interpreted to require notice to all consumers against whom adverse action is taken if the action taken was based on information in a consumer report. If the applicants’ credit scores were used in taking adverse action, each individual should receive a separate adverse action notice with the credit score and related disclosures associated with his or her individual consumer report; however, an applicant should not receive credit score information about a coapplicant. Regulation B does not prohibit delivery of an adverse action notice to each applicant. If applicable, financial institutions can provide a combined notice of adverse action to all consumer applicants to comply with multiple-applicant requirements under the FCRA, provided a credit score is not required for the adverse action notice because a score was not relied upon in taking adverse action.

What Are the Notice Timing Requirements?

As shown in Table 3, Regulation B includes detailed timing requirements for adverse action notices, while the FCRA does not include such requirements. Typically, financial institutions include the disclosures required under both Regulation B and the FCRA in one adverse action notice when both notices are required. For these combined notices, Regulation B’s timing requirements apply.

For businesses with gross annual revenues of $1 million or less, Regulation B requires notice be provided according to the same timing requirements applicable to consumers as described in Table 3. For businesses with gross annual revenues greater than $1 million, Regulation B requires only that a creditor provide notice within a reasonable time.

TABLE 3

Regulation B (Consumer and Business)

A creditor must notify the applicant of adverse action within:*

30 days after receiving a complete credit application

30 days after receiving an incomplete credit application

30 days after taking action on an existing credit account

90 days after making a counteroffer to an application for credit if the applicant does not accept the counteroffer

FCRA (Consumer)

The FCRA does not have specific timing requirements for adverse action notices.


COMMON VIOLATIONS ON ADVERSE ACTION & REQUIRED DISCLOSURES

Common Regulation B adverse action notification and timing errors relate to handling incomplete applications. Creditors may fail to identify an application as incomplete and, as such, fail to meet notice content and timing requirements. A creditor has two options after receiving an incomplete application: it can (1) take action on the application and notify the applicant according to Regulation B’s standard notice requirements or (2) refrain from taking action and notify the applicant that the application is incomplete.11 If the creditor provides a notice of incompleteness, the notice must (1) be in writing, (2) detail the information needed to complete the application, (3) provide a reasonable deadline, and (4) state that the application will not be reviewed if the information is not received. Regardless of which notice is provided, the notice must be provided within 30 days.

What Disclosures Are Required?

Both Regulation B and the FCRA include particular content and format requirements for adverse action notices. Regulation B requires the notice be in writing except for business applicants, who may receive oral notice of adverse action.14 The FCRA, on the other hand, states that adverse action notices may be provided orally, in writing, or in electronic format.15 Although Regulation B does not specifically provide for electronic delivery, a combined adverse action notice that incorporates both Regulation B and the FCRA requirements may be provided electronically if the consent requirements of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §7001 et seq., are complied with.

Appendix C of Regulation B contains model adverse action notices that include the disclosures required under both Regulation B and the FCRA. Although not mandatory, proper use of the model notice forms satisfies the adverse action disclosure requirements of the FCRA and the ECOA. Table 4 includes current adverse action disclosure requirements for Regulation B and the FCRA.

Similar to the timing requirements, the contents of the disclosures under Regulation B may vary based on the type of applicant or account holder. For businesses with gross annual revenues of $1 million or less, the notice must include the same information described in Table 4, except the disclosure of the applicant’s right to receive the statement of reasons can be given at application. For businesses with gross annual revenues greater than $1 million, a creditor is only required to provide a statement of reasons for adverse action and the ECOA antidiscrimination statement if the applicant makes a written request for the information within 60 days of notification.

TABLE 4

Regulation B (Consumer and Business)

Notice provided shall include the following disclosures:

The creditor’s name and address

An ECOA antidiscrimination notice substantially similar to the one in 12 C.F.R. §1002.9(b)(1)

The name and address of the creditor’s primary regulator

A statement of action taken by the creditor

Either a statement of the specific reasons for the action taken or a disclosure of the applicant’s right to a statement of specific reasons and the name, address, and telephone number of the person or office from which this information can be obtained

FCRA (Consumer)

Section 615(a) notice (adverse action based on information in a consumer report) must include the following disclosures:

Notice that adverse action was taken based on information obtained from a consumer reporting agency

The consumer’s right to:

o Obtain a free copy of his or her consumer report from the consumer reporting agency providing the information if requested within 60 days

o Dispute the accuracy or completeness of any information in a consumer report furnished by the consumer reporting agency

The name, address, and telephone number of the consumer reporting agency that furnished the report to the person

A statement that the consumer reporting agency did not make the credit decision and is unable to provide to the consumer the specific reasons why the adverse action was taken

Credit score disclosures if the credit score was a factor in taking adverse action

Section 615(b)(1) notice (consumer credit denied or a charge for credit increased based on information obtained from third parties other than consumer reporting agencies) must include the following disclosures:

The consumer’s right to request the information that was relied on in taking adverse action within 60 days of receipt of the adverse action notice; the information must be provided to the consumer within a reasonable period of time

Section 615(b)(2) notice (taking adverse action based on information obtained from an affiliate) must include the following disclosures:

Notice that adverse action was taken based on information from an affiliate and the consumer’s right to obtain the information by sending a written request within 60 days after receipt of the adverse action notice; the information must be provided within 30 days after receiving the request

Common content violations. Regulation B adverse action errors involving content typically relate to the statement of specific reasons for the action taken. The regulation requires the statement to be specific and indicate the principal reason(s) for taking adverse action. Creditors should disclose up to four principal reasons; disclosure of more than four reasons is unlikely to be helpful to the applicant. Violations often involve inaccurate, ambiguous, or confusing statements of the principal reasons.

When are additional FCRA credit score disclosures required?

Section 1100F of the Dodd-Frank Act amended the FCRA to include additional disclosure requirements when adverse action is taken because of the consumer’s credit score. Specifically, the FCRA requires a person to make the following disclosures in writing or electronically as part of the adverse action notice in addition to those identified in Table 4:

The consumer’s numerical credit score used by the person in taking adverse action;

The range of possible credit scores;

All the key factors that adversely affected the credit score;

The date on which the credit score was created; and

The name of the person or entity providing the credit score or the information upon which score was created.

But if the credit score did not play a role in the decision to take adverse action, these disclosures are not required. One question that frequently arises is whether credit score disclosures are required for adverse action on a credit application where the creditor already provided a credit score disclosure because the creditor uses the credit score exception method of complying with the FCRA risk-based pricing (RBP) rules. Under this compliance option, the creditor provides RBP notices with credit scores to all applicants. A creditor taking adverse action in this circumstance must still include the credit score disclosure in the adverse action notice because the credit score exception notice is provided at a different time in the application process and serves a different purpose than the adverse action notice.

Credit score disclosures cannot be combined with any other disclosures required under the FCRA, although they can be combined with the adverse action notice disclosures required by Regulation B. Finally, the credit score disclosures cannot be provided on a separate form; they must be included on the adverse action form.

Key factors. A person relying on a credit score in taking adverse action is required by section 615(a) of the FCRA to disclose the key factors adversely affecting the consumer’s credit score. Because credit scores are typically purchased from a consumer reporting agency, that agency is in the best position to identify the factors that adversely affected the score. The final rule therefore permits disclosure of the reasons identified by the agency to satisfy the key factors requirement.

Providing applicants with a list of key factors affecting their credit score does not relieve the creditor of its duty to also disclose, under Regulation B, the reasons for taking adverse action. In some instances, the key factors affecting a credit score will be the same as the reasons for taking adverse action under Regulation B. But in other cases, they may be unrelated. For example, a creditor may deny a loan application because of factors unrelated to a credit score, such as an applicant’s income, employment, or residence. In addition, a person cannot provide an applicant with a general reference to the key factors that affected a credit score as a reason for taking adverse action under Regulation B.

Multiple credit scores. In certain cases, a person may receive multiple credit scores from consumer reporting agencies. If the person only uses one credit score in making the decision, that particular score and related information for that specific credit score must be disclosed. If the person uses multiple credit scores in making the credit decision, only one of the scores is required to be disclosed; however, the FCRA does not prohibit creditors from disclosing multiple credit scores to the consumer.

Common violations related to credit score disclosures. Violations involving the FCRA’s requirement to include credit score information in adverse action notices typically involve failing to recognize when the requirement applies. The disclosure requirements are triggered when a credit score is used by a person in taking adverse action. Some violations have occurred when persons interpreted the term “use” too narrowly to include only situations when adverse action is solely or primarily based on the credit score. Similarly, other violations have involved persons incorrectly providing additional credit score disclosures only in cases when a minimum credit score was established. To avoid these violations, a person must provide the additional credit score disclosures whenever a credit score is used in the decision to take adverse action.

BOTTOM LINE

Compliance with the requirements of both Regulation B and the FCRA involving adverse action decisions is important to provide applicants and account holders timely and relevant information. To ensure compliance with the rules, banks should implement appropriate policies and procedures. In addition, banks should ensure that updates for automated disclosure systems are received, tested, and correctly implemented. A strong training program, both for current regulations and any recent changes, will help ensure compliance. Controls that banks may consider include a secondary review of all adverse action notices and a consistent process, even in excess of regulatory requirements, such as delivering a combined adverse action notice to all consumer applicants.

FURNISHERS OBLIGATIONS UNDER THE FCRA AND ECOA

Consumer reports and credit scores have become an indispensable tool for creditors, not only when evaluating credit applications and setting credit terms and conditions but also during account review for existing accounts. Because the information that furnishers provide to consumer reporting agencies (CRAs) can have significant consequences for consumers, Congress created consumer protections for furnished information. The two primary laws are the Fair Credit Reporting Act (FCRA), as implemented by Regulation V, 12 C.F.R. Part 1022, and the Equal Credit Opportunity Act (ECOA), as implemented by Regulation B, 12 C.F.R. Part 1002. This article reviews furnishers' compliance obligations under the ECOA and the FCRA.

EQUAL CREDIT OPPORTUNITY ACT/REGULATION B

Section 1002.10 of Regulation B imposes three obligations on creditors furnishing consumer credit information to the CRAs. First, a furnisher must designate accounts to reflect both spouses' participation in the following circumstances: for new accounts when the spouse is an authorized user or is liable on the account (except as a guarantor, surety, endorser, or similar party); and for existing accounts when one of the spouses makes a written request to reflect both spouses' participation on the account. In the latter situation, the furnisher must make the designation within 90 days after receiving the written request.

Second, when an account is designated to reflect the participation of both spouses, the information must be furnished to the CRAs in a way that enables the CRAs to provide access to the information in the name of each spouse.

Finally, when a creditor receives an inquiry about an account that reflects the participation of both spouses, the creditor must furnish the information in the name of the spouse for whom the request is made. For example, if the inquiry concerns an account on which a husband and wife both participate, and the inquiry specifically is about the wife, the creditor must provide the information in the wife's name.

The Official Staff Commentary to §1002.10 clarifies that these requirements only apply to consumer credit and only apply to furnishers if they choose to furnish information to the CRAs because furnishing such information is not required. Further, in furnishing information to the CRAs, furnishers are not required to distinguish between an account on which a spouse is a contractually liable party and one on which a spouse is an authorized user.

Violations of these provisions subject furnishers to civil liability for actual and punitive damages, but if a furnisher fails to comply with §1002.10 because of an inadvertent error, there is no violation. Upon discovering the error, the furnisher must correct it as soon as possible. Under ECOA, violations may, in some circumstances, be referred to the Department of Justice or the Department of Housing and Urban Development.

FAIR CREDIT REPORTING ACT/REGULATION V

A 1996 amendment to the FCRA created compliance obligations for furnishers under §623 of the FCRA. According to a report of the Senate Committee on Banking, Housing and Urban Affairs, “[t]he driving force behind the changes was the significant amount of inaccurate information that was being reported by consumer reporting agencies and the difficulties that consumers faced getting such errors corrected. In fact, during the period leading up to the amendments, the FTC [Federal Trade Commission] consistently indicated that it received more complaints about consumer report errors than any other item.” Section 623, among other things, generally provides that a furnisher must not furnish inaccurate consumer information to a CRA, and that furnishers must investigate a consumer's dispute of the completeness or accuracy of information after the furnisher receives notice from a CRA.

Duty to Provide Accurate Information: FCRA §623(a)

Inaccurate Information. Section 623(a) prohibits furnishers from reporting information to a CRA if the furnisher “knows or has reasonable cause to believe that the information is inaccurate.” The statute defines “reasonable cause to believe that the information is inaccurate” to mean “specific knowledge, other than solely allegations by the consumer, that would cause a reasonable person to have substantial doubts about the accuracy of the information.”

Duty to Correct and Update Information. A furnisher that regularly furnishes information to CRAs is also required to notify a CRA if it has determined that previously furnished information is not complete or accurate and to correct that information. For example, if a bank reports to a checking account verification service that a consumer's account was closed with an outstanding negative balance, and the consumer subsequently paid off that balance, the bank would have a duty to report that the balance had been paid off.

Duty to Provide Notice of Dispute. When a consumer disputes the completeness or accuracy of furnished information, the furnisher must note the dispute to the CRAs when furnishing the information.

Duty to Provide Notice of Closed Accounts. Furnishers that regularly furnish information to CRAs must notify the CRAs when a consumer voluntarily closes a credit account. This information must be included in information regularly furnished for the period in which the account is closed. The legislative history indicates that this requirement is designed to complement the requirement in §605 of the FCRA that CRAs must indicate in a consumer report when a consumer voluntarily closes an account and to “ensure that an account closed by a consumer does not lead to the incorrect assumption by credit grantors reviewing the consumer's consumer report that the account was closed because the consumer failed to meet its terms. Such an assumption could result in the denial of credit to a consumer.”

Duty to Provide Notice of Delinquency of Accounts. When an account is placed for collection, is charged to profit or loss, or a similar action is taken, and that delinquency is furnished to a CRA, the furnisher must notify the CRA of the date of delinquency on the account no later than 90 days after furnishing the information. This date is the month and year the account first becomes delinquent, not when the creditor places the account for collections, charges the account to profit or loss, or takes a similar action. For example, if an account became delinquent in January 2015 but the creditor waited until April 2015 to sell it to a collection agency, the “date of delinquency” is January 2015.

Identity Theft. Furnishers are required to maintain reasonable procedures to respond to notifications from the CRAs under §605B relating to information resulting from identity theft in order to prevent the refurnishing of this information. In addition, when a consumer submits an identity theft report to a furnisher indicating that furnished information resulted from identity theft, the furnisher may not report the information to the CRAs unless the furnisher subsequently knows or is informed by the consumer that the information is correct.

Negative Information. If a financial institution that extends credit and regularly furnishes information to a nationwide CRA furnishes negative information to the CRAs about a consumer credit extension, it must provide a clear and conspicuous written notice to the consumer indicating that it furnished negative information to the CRAs. The notice must be provided to the consumer no later than 30 days after furnishing the negative information. After providing the notice, the financial institution is not required to send the consumer additional notices if it furnishes additional negative information to the CRAs about the same transaction, credit extension, account, or consumer. Two model forms (“Furnishing Negative Information”) are available in Appendix B of Regulation V. Appropriate use of one of the two model notices in Regulation V provides a safe harbor for complying with the notice requirement in §623(a)(7). See Appendix B of Regulation V.

Furnishers' Investigation of Disputes Filed with CRAs: §623(b)

In addition to establishing accuracy requirements, the FCRA requires furnishers to investigate consumer disputes filed with the CRAs about information the furnishers provided. Note that this requirement under §623(b) applies only to disputes that consumers file with the CRAs, which the CRAs forward to the furnisher. Congress amended the FCRA in 2003 with the Fair and Accurate Credit Transactions Act (FACT Act), which established a furnisher's obligation to investigate disputes that consumers file directly with the furnisher. Those direct dispute requirements, which became effective July 1, 2010, are discussed later in this section.

Investigation Procedures. Under §623(b)(1), when a furnisher receives notice from a CRA that a consumer disputes the completeness or accuracy of information the furnisher provided to the CRA, it must investigate the disputed information, review all relevant information provided by the CRA, and report the results of its investigation to the CRA. If the furnisher determines that the information it provided was incomplete or inaccurate, it must notify all nationwide CRAs to which the information was furnished of its findings. Finally, if the furnisher determines that the disputed information is inaccurate or incomplete or cannot be verified, the furnisher must promptly modify or delete the information or permanently block the reporting of that information. The furnisher generally has 30 days from the date the consumer filed the dispute with the CRA to complete its investigation and make appropriate notifications, but the investigation period may be extended an additional 15 days in some circumstances.

Additional Furnishers' Duties Under the FACT Act

Section 312 of the FACT Act expands furnishers' affirmative duties concerning the accuracy and integrity of the information they furnish, contains a provision that allows consumers to file disputes directly with the furnishers, and specifies the procedures furnishers must follow in responding to direct disputes. In July 2009, the federal banking agencies and the Federal Trade Commission (FTC) issued a final rule implementing §312's requirements, which became effective July 1, 2010. Because the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) transferred rulemaking authority for most sections of the FCRA to the Consumer Financial Protection Bureau (CFPB), the §312 regulations are now under the jurisdiction of the CFPB, which republished them as CFPB regulations. See 12 C.F.R., Part 1022, Subpart E.

Accuracy and Integrity Requirements: §1022.42. Section 1022.42 requires furnishers to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the consumer information furnished to CRAs. “Accuracy” means that the information provided to a CRA by a furnisher correctly:

identifies the appropriate consumer;

reflects the account's terms and liability; and

reflects the consumer's performance with respect to the account.

“Integrity” means the information provided to a CRA by a furnisher:

is substantiated by the furnisher's records at the time it is furnished;

is in a form designed to minimize the likelihood that the information may be incorrectly reflected in a consumer report; and

includes information in the furnisher's possession that the CFPB has determined would likely be materially misleading in evaluating a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, if absent.

For open-end credit products, the credit limit (if any) is the one item of information the agencies have determined would likely be materially misleading if omitted.

The final rule includes guidelines for designing and implementing policies and procedures to comply with the accuracy and integrity requirements in Appendix E of Regulation V (“Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies”). Under §1022.42(b), furnishers must consider the guidelines in developing policies and procedures and incorporate them as appropriate in light of the nature, size, complexity, and scope of the furnisher's activities.

Direct Disputes Rule: §1022.43. The dispute provision in §623(b) discussed above only requires furnishers to investigate a consumer dispute that is filed with a CRA, which, in turn, would forward the dispute to the furnisher to investigate. When Congress passed the FACT Act in 2003, it allowed consumers to also file disputes directly with the furnisher.

Under the regulations implementing this provision, when a consumer files a direct dispute, a furnisher is required to investigate if the dispute relates to any of the following issues: (1) the consumer's liability for a credit account or other debt with the furnisher; (2) the terms of a credit account or other debt with the furnisher; (3) the consumer's performance or other conduct concerning an account or other relationship with the furnisher; or (4) any other information contained in a consumer report for an account or other relationship with the furnisher that bears on the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

The direct dispute rule does not apply if the dispute relates to the consumer's identifying information, the identity of past or present employers, or inquiries or requests for a consumer report. It also does not apply to disputes relating to information that is derived from public records, provided to a CRA by another furnisher, or related to fraud alerts or active duty alerts.

A furnisher is required to investigate the dispute only if the consumer submitted the dispute notice to one of the following addresses: (1) an address the furnisher provided and is listed on the consumer report; (2) an address the furnisher clearly and conspicuously identified for submitting direct disputes; or (3) if no address is specified, any business address of the furnisher. The dispute notice must contain sufficient information to identify the account in dispute, the specific information being disputed, an explanation of the basis for the dispute, and all supporting documentation reasonably required by the furnisher to substantiate the basis of the dispute.

After receiving the dispute notice, the furnisher must determine whether to initiate an investigation or dismiss the dispute as frivolous or irrelevant. A dispute is frivolous or irrelevant if the dispute notice (1) does not contain sufficient information to investigate the dispute; (2) raises a dispute about information exempted from the rule; or (3) raises a dispute that is substantially the same as a dispute previously submitted by the consumer and resolved in accordance with the regulations. If the dispute is found to be frivolous or irrelevant, the furnisher has five business days to mail the consumer a notice of determination. The notice of determination must include the reasons for the determination and any information required to investigate the disputed information.

If the furnisher does not find the dispute frivolous or irrelevant, the furnisher must review all relevant information provided by the consumer in the dispute notice and conduct a reasonable investigation. The furnisher has 30 days from receipt of the dispute notice (with the possibility for a 15-day extension under certain circumstances) to complete the investigation and report the results to the consumer. If the furnisher finds that the information reported was inaccurate, the furnisher must promptly notify each CRA to which it provided the inaccurate information of the determination and provide the changes necessary to make the information accurate.

CONCLUSION

Financial institutions that furnish information to the CRAs must have adequate policies and procedures in place to ensure that they are complying with these requirements, including procedures to periodically test systems to verify compliance.

CFPB POSTS “SUMMARY OF RIGHTS” UNDER FCRA

The CFPB has “Tools and Resources” for Consumers; one of the topics includes Credit Reporting/identity theft; it’s at this link: http://www.consumerfinance.gov/learnmore/

Here are some of the questions and answers about credit reports:

QUESTION: I got my free credit reports, but they do not include my credit scores. Can I get my credit score for free too?

CFPB ANSWER: It depends. Free credit reports provided by the nationwide credit reporting agencies do not include credit scores. These agencies charge a fee for providing this information. You can purchase your score directly from the credit reporting agencies and scoring companies. However, it’s important to check your credit report to make sure the information is accurate because your credit score is based on the information in your credit report. It’s also important to note that the score you purchase may not be the same as the one lenders use to decide whether to give credit.

Your credit card company may share a credit score with you for free. Some companies include credit scores on your monthly statements. Note: Creditors (including card issuers) generally have to disclose your credit score (and related information) if they use the score and:

deny your application,

increase the cost of your credit, or

offer you a higher rate than other consumers get from that creditor.

Mortgage lenders also have to disclose your score when they check your score to approve a mortgage loan. There are other third parties that claim to offer “free” credit scores. However, you should consider the following:

You may need to enroll in a program with a fee or purchase a product to get this “free” credit score. That means it is not really free.

Sometimes there is a period of time during which you can cancel without paying a fee. These programs are not free unless you remember to cancel within the allowed period of time.

See the next pages for the “SUMMARY OF RIGHTS”

WHO IS JULIE MILLER?

This headline appeared in the news on January 21, 2014:

Equifax Hit with $1.62M in Punitive Damages for Failing to Fix Credit Report

A federal judge assessed $1.62 million in punitive damages against the Equifax credit bureau for merging a woman’s credit file with someone else with a bad record, and then ignoring her complaints for two years until she finally sued.

US District Judge Anna Brown in Oregon actually reduced a jury’s punitive damage award from $18.4 million, but preserved the $180,000 compensatory damage award – so the total recovery is $1.8 million. The jury awarded the original amount in July 2013 because the credit agency stonewalled the consumer, Julie Miller of Marion County.

“Equifax engaged in reprehensible conduct that caused real harm to Miller,” the judge wrote. “Equifax should be punished financially for that wrongful conduct. The amount of the punitive-damages award…should be enough to deter Equifax…from repeating this type of conduct in the future.”

In reality, Equifax has $1 billion in annual revenue and the damage award is a fraction of one percent of that. The case is Miller v. Equifax Information Services, LLC, Case No. 3:11-CV-01231-BR.

Botched credit records

Equifax merged Miller’s credit file with a different person who had the same name and a similar Social Security number, but who lived in a different state and who had a bad credit record, unlike Miller’s credit record.

Evidence at trial showed that Equifax had other mixed-file cases where juries found that the company violated the Fair Credit Reporting Act. Frighteningly, the court said that two million to four million Americans have inaccurate information in their credit reports because of mixed files.

Miller repeatedly wrote, telephoned and faxed Equifax over two years, but it never investigated the information, never made a correction and never gave Miller the entire contents of her credit file. Equifax gave out the damaging incorrect information to businesses that did not have a legitimate purpose to get her credit report.

“For two years she was frustrated, overwhelmed, angry, depressed, humiliated, fearful about misuse of her identity, and concerned for her damaged reputation,” the judge wrote. Equifax’s own representative testified at the trial that it was company policy to investigate and correct files only after a lawsuit is filed.

Miller spent more than $250,000 in legal fees to pursue her case, which was reported in the New York Times. In the end, the judge said punitive damages could be no more than 9 times the amount of compensatory damages, citing a 2011 Alabama federal case.

CHAPTER 2

CRITICAL IDENTITY THEFT ISSUES

RULES FOR IDENTITY THEFT RED FLAGS

The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) became effective December 4, 2003. It was passed, in part, to combat identity theft. Section 315 addresses address discrepancies, and its mandatory compliance date was November 1, 2008. Here are the requirements:

Identity Theft Prevention Program

Financial institutions and creditors that offer or maintain covered accounts — which are defined in §222.90(b)(3) of the regulations as all consumer accounts that involve or are designed to permit multiple payments or transactions, and any other accounts (including business purpose accounts) for which there is a reasonable risk of identity theft — must develop and implement a written identity theft prevention program to combat identity theft with respect to new and existing covered accounts. The program must be tailored to the entity's size, its complexity, and the nature of its operations. Each program must satisfy the following requirements:

1. Identify relevant patterns, practices, and specific forms of activity that are red flags signaling possible identity theft and incorporate those red flags into the program;

2. Detect red flags that have been incorporated into the program;

3. Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and

4. Ensure that the program is updated periodically to reflect changes in risks from identity theft.

Board Approval and Oversight of the Identity Theft Prevention Program

The regulations also enumerate specific steps that financial institutions and creditors must undertake to administer their programs, including: (1) obtaining approval of the initial written program by the board of directors or a board committee; (2) ensuring oversight to develop, implement, and administer the program; (3) providing adequate training to staff; and (4) providing appropriate oversight of service provider arrangements. Guidelines are included in Appendix J of the regulations to assist financial institutions and creditors in developing and implementing a program that meets the specific requirements of the final rules.

Address Discrepancy Rules for Issuers of Credit and Debit Cards

Additionally, credit and debit card issuers must develop policies and procedures to verify a request for a change of address that is followed closely (within 30 days or a longer period established in a creditor's or a financial institution's procedures) by a request for an additional or replacement card. A card issuer cannot issue the additional or replacement card until it has verified the validity of the change of address request in accordance with the financial institution's policies and procedures. If a change of address request has been verified before a request for an additional or replacement card is received, it is not necessary to verify the address a second time before issuing the card.
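The card-issuer rule above expressed as a pre-issuance check, as an added example that is not part of the original handout. The record types, field names, action labels and sample events are constructed for illustration; only the 30-day floor and the hold-until-verified behavior come from the text.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Floor taken from the rule text; an institution's procedures may set a longer period.
MIN_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class AddressChange:            # hypothetical record shape
    account_id: str
    requested_at: datetime
    verified_at: Optional[datetime] = None   # set once the issuer validated the change


@dataclass(frozen=True)
class CardRequest:              # hypothetical record shape
    account_id: str
    requested_at: datetime


@dataclass(frozen=True)
class Decision:
    action: str                              # "ISSUE" or "HOLD_VERIFY_ADDRESS"
    pending: Tuple[AddressChange, ...]       # unverified changes blocking issuance


def decide(request: CardRequest, changes: List[AddressChange],
           as_of: datetime, window: timedelta = MIN_WINDOW) -> Decision:
    """Hold an additional/replacement card while a preceding address change
    inside the window is still unverified at time `as_of`."""
    if window < MIN_WINDOW:
        raise ValueError("window may be longer than 30 days, never shorter")
    pending = []
    for change in changes:
        if change.account_id != request.account_id:
            continue
        gap = request.requested_at - change.requested_at
        # Only a change that PRECEDES the card request, within the window, counts.
        if gap < timedelta(0) or gap > window:
            continue
        verified = change.verified_at is not None and change.verified_at <= as_of
        if not verified:
            pending.append(change)
    if pending:
        return Decision("HOLD_VERIFY_ADDRESS", tuple(pending))
    # A change already verified is not verified a second time.
    return Decision("ISSUE", ())


# Constructed sample events (not real accounts).
CHANGES = [
    AddressChange("A", datetime(2016, 1, 2)),                                     # unverified
    AddressChange("B", datetime(2016, 1, 2), verified_at=datetime(2016, 1, 5)),   # verified early
    AddressChange("C", datetime(2016, 1, 2)),                                     # unverified, old
    AddressChange("D", datetime(2016, 2, 1)),                                     # filed after card request
]
REQUESTS = {
    "A": CardRequest("A", datetime(2016, 1, 20)),
    "B": CardRequest("B", datetime(2016, 1, 20)),
    "C": CardRequest("C", datetime(2016, 3, 15)),   # 73 days after the change
    "D": CardRequest("D", datetime(2016, 1, 20)),
}


def run_samples() -> dict:
    """Evaluate every sample request at the moment it arrives, plus two variants."""
    out = {k: decide(r, CHANGES, as_of=r.requested_at).action for k, r in REQUESTS.items()}
    # Same request C under procedures that extend the window to 90 days.
    out["C_90d"] = decide(REQUESTS["C"], CHANGES, as_of=REQUESTS["C"].requested_at,
                          window=timedelta(days=90)).action
    # Account A re-evaluated after the address change is verified on Jan 22.
    fixed = [replace(c, verified_at=datetime(2016, 1, 22)) if c.account_id == "A" else c
             for c in CHANGES]
    out["A_after_verify"] = decide(REQUESTS["A"], fixed, as_of=datetime(2016, 1, 23)).action
    return out


if __name__ == "__main__":
    for label, action in run_samples().items():
        print(label, action)
```

The `as_of` argument lets the same function serve both the initial decision and the release of a held card once verification is recorded.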

Address Discrepancy Rules for Users of Consumer Reports

The address discrepancy rules apply to the user of a consumer report that receives notice from a nationwide consumer reporting agency that the address the user included in its request for a report and the address in the nationwide consumer reporting agency's files are substantially different. The rules impose two requirements to establish policies and procedures for responding to address discrepancy notices: one that applies to all users, and another that applies only to users in certain circumstances.

All users must establish reasonable policies and procedures to form a reasonable belief that the consumer whose report the user requested is the same consumer to whom the agency's report pertains. Section 222.82(c)(2) provides examples of acceptable procedures to accomplish this. A user must also develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from which it received the notice of address discrepancy when: 1) the user can form a reasonable belief that the person in the consumer report and the consumer about whom it requested the report are the same person; 2) the user establishes a continuing relationship with the consumer; and 3) the user regularly, in the course of business, furnishes information to the consumer reporting agency that alerted the user to the address discrepancy. Section 222.82(d)(2) provides examples of acceptable ways of verifying a consumer's address.

SUPPLEMENT A TO APPENDIX J EXAMPLES FOR RED FLAGS

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.

2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.

3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.

4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries;

b. An unusual number of recently established credit relationships;

c. A material change in the use of credit, especially with respect to recently established credit relationships; or

d. An account that was closed for cause or identified for abuse of account privileges by a bank or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.

6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.

7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.

8. Other information on the identification is not consistent with readily accessible information that is on file with the bank or creditor, such as a signature card or a recent check.

9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the bank or creditor. For example:

a. The address does not match any address in the consumer report; or

b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.

12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the bank or creditor. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or

b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the bank or creditor. For example:

a. The address on an application is fictitious, a mail drop, or prison; or

b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.

15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.

16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.

17. Personal identifying information provided is not consistent with personal identifying information that is on file with the bank or creditor.

18. For banks and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.

20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or

b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;

c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or

e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).

23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.

24. The bank or creditor is notified that the customer is not receiving paper account statements.

25. The bank or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Bank or Creditor

26. The bank or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

FCRA REQUIRED TRAINING – RED FLAGS

REQUIRED ANNUAL TRAINING – Check with YOUR Regulator or POLICY

Required by law, regulation, or policy:

1. Annual Red Flags for Identity Theft

2. Bank Protection Act (Physical Security)

3. Privacy Act and Information Security

4. Dispute procedures for accuracy of Credit Report Information

Required by policy, corrective action, or regulatory “expectation”:

Fair Lending

Bank Secrecy Act

Recent exam or audit findings most commonly include:

o HMDA reporting problems

o Flood Issues

o New regulations & disclosures

o UDAP/UDAAP – Abusive Practices

It’s important to follow the rules and guidance given by your bank’s primary regulator. Here’s a chart of the web address and name of the potential regulators for banks.

Web Address                Regulator
www.consumerfinance.gov    Consumer Financial Protection Bureau*
www.federalreserve.gov     Federal Reserve Board
www.fdic.gov               Federal Deposit Insurance Corporation
www.occ.treas.gov          Office of the Comptroller of the Currency
www.ncua.gov               National Credit Union Administration

*The CFPB is the direct regulator for banks with assets of $10 billion or greater. If the CFPB is not the primary regulator for your bank or credit union it can still be helpful to review the CFPB website for information, particularly the Implementation Page for major regulatory changes and resources.

TEN STEPS TO MITIGATE IDENTITY THEFT RISKS

This is a vendor’s check list for FACTA compliance that can be used as a template for your program

IDENTITY THEFT AND FACTA PROVISIONS

This information is from the Privacy Rights Clearinghouse and is a helpful summary of key issues. https://www.privacyrights.org/fs/fs6a-facta.htm

Truncation of numbers

Credit card receipts that include full account numbers and expiration dates are a gold mine for identity thieves. FACTA says credit and debit card receipts may not include more than the last five digits of the card number. Nor may the card's expiration date be printed on the cardholder's receipt. However, this does not apply to receipts for which the sole means of recording a credit or debit card number is by handwriting or by an imprint or copy of the card.

Another FACTA section allows consumers who request a copy of their file to also request that the first 5 digits of their Social Security number (or similar identification number) not be included in the file.

Change of Address with Request for Replacement Cards

A common practice among identity thieves is to notify a credit or debit card issuer of a change of address. Soon after the change of address notice, the thief asks the card issuer for replacement cards. Before a new or replacement card can be issued, card issuers must take steps to assess the validity of a change of address. This applies at least within the first 30 days after an address change notification. Extra steps are required whether the change of address notice comes directly from the consumer or from the Postal Service.

An address change notice combined with a request for new or replacement cards means the card issuer must verify the address by contacting the cardholder. Card issuers are also free to adopt alternate procedures for verifying an address.

The rule applies to debit and credit cards issued by a financial institution as well as payroll cards and recipients of a home equity loan if the cardholder is able to access the loan with a debit or credit card. Stored value or prepaid cards such as gift cards are not subject to this rule. Because an identity thief’s use of a business card may affect an individual’s personal credit rating, the rules equally cover cards issued for personal, household, family or business purposes.
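The 30-day check described above, sketched as an added example that is not part of the original handout. The event kinds, product labels and account numbers are assumptions invented for the illustration, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# From the text: extra steps apply "at least within the first 30 days" after
# an address change notice. An issuer may choose a longer window.
ADDRESS_CHANGE_WINDOW = timedelta(days=30)

# From the text: stored value or prepaid cards such as gift cards are not
# subject to the rule. The label strings themselves are assumptions.
EXEMPT_PRODUCTS = {"prepaid", "gift"}


@dataclass(frozen=True)
class Event:
    when: datetime
    account: str
    kind: str                  # "address_change", "address_verified", "card_request"
    product: str = "credit"    # credit, debit, payroll, heloc_card, prepaid, gift
    source: str = "consumer"   # who sent the address change: "consumer" or "usps"


def review_card_requests(events, window=ADDRESS_CHANGE_WINDOW):
    """Decide each card request as ISSUE or HOLD.

    Returns a list of (account, request_date, decision, reason) tuples in
    chronological order. A request is held when the account has an address
    change that has not been verified and that falls inside the window.
    """
    pending = {}      # account -> most recent unverified address change
    decisions = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "address_change":
            # A newer change replaces any earlier one and needs its own check.
            pending[ev.account] = ev
        elif ev.kind == "address_verified":
            # Cardholder contacted (or an alternate procedure completed).
            pending.pop(ev.account, None)
        elif ev.kind == "card_request":
            change = pending.get(ev.account)
            if ev.product in EXEMPT_PRODUCTS:
                decision, reason = "ISSUE", "product not subject to the rule"
            elif change is None:
                decision, reason = "ISSUE", "no unverified address change"
            elif ev.when - change.when > window:
                decision, reason = "ISSUE", "address change is outside the window"
            else:
                age = (ev.when - change.when).days
                decision = "HOLD"
                reason = (f"address changed {age} day(s) earlier via "
                          f"{change.source}; verify with cardholder first")
            decisions.append(
                (ev.account, ev.when.date().isoformat(), decision, reason))
    return decisions


def day(text):
    """Parse a YYYY-MM-DD date used in the constructed sample below."""
    return datetime.strptime(text, "%Y-%m-%d")


# Constructed sample events (not real accounts).
SAMPLE_EVENTS = [
    Event(day("2016-03-01"), "ACCT-1001", "address_change"),
    Event(day("2016-03-05"), "ACCT-1001", "card_request"),
    Event(day("2016-03-06"), "ACCT-1001", "address_verified"),
    Event(day("2016-03-07"), "ACCT-1001", "card_request"),
    Event(day("2016-03-01"), "ACCT-1002", "address_change", source="usps"),
    Event(day("2016-03-03"), "ACCT-1002", "address_verified"),
    Event(day("2016-03-10"), "ACCT-1002", "card_request", product="debit"),
    Event(day("2016-01-10"), "ACCT-1003", "address_change"),
    Event(day("2016-03-15"), "ACCT-1003", "card_request"),
    Event(day("2016-03-01"), "ACCT-1004", "address_change"),
    Event(day("2016-03-02"), "ACCT-1004", "card_request", product="gift"),
    Event(day("2016-03-12"), "ACCT-1005", "card_request"),
]

if __name__ == "__main__":
    for row in review_card_requests(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

Only the first ACCT-1001 request is held; the same account's second request is issued because the address was verified in between.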

Address Discrepancy in Credit Report

A consumer’s attempt to open a new credit account or increase an existing line of credit almost certainly results in the use of a consumer report. Rental and employment applications may also trigger the request for a credit report. Credit bureaus must notify the creditor, landlord, employer or other requester if the address supplied by the consumer “substantially differs” from the address included in the bureau’s files.

As part of the “red flags” rules, credit report users that receive an address discrepancy notice from a credit bureau must take additional steps to verify the identity of the person applying to open an account or rent a property. Financial institutions required to adopt Customer Identification Programs (CIP) by the USA PATRIOT Act, Pub.L. 107-56, are instructed to follow the CIP standards for verifying identity for purposes of this FACTA section.

Once a financial institution verifies a customer’s identity, the results may be reported back to the credit bureau. However, this additional step is required only if (1) a relationship is established with the consumer and (2) the financial institution regularly reports to the credit bureau.

Disposal of Consumer Reports

The practice known as "dumpster diving" provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Now, under FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal.

The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports. The FTC lists the following as among those that must comply with the rule:

Lenders

Disputing Inaccurate Information

Consumer reports combine data voluntarily submitted to one or more of the national bureaus by companies that have had business dealings with the consumer. The FCRA defines such companies as "furnishers" of information. When creditors and others access a consumer's report, data is generally accepted as unquestionably true.

By its very name, the Fair and Accurate Credit Transactions Act places new emphasis on accuracy of information in consumer reports. Two FACTA sections aim to improve the accuracy and integrity of information as well as give consumers a new right to dispute data included in reports directly with the company that furnished it. These sections are:

Accuracy guidelines for financial institutions and creditors that furnish information to credit bureaus. (FACTA §312(a), FCRA §623(e)(1)).

Ability of consumers to dispute information with companies that report to credit bureaus. (FACTA §312(c), FCRA §623(a)(8)).

On July 1, 2009, the federal banking agencies and the FTC adopted final rules to carry out the FACTA section that allows consumers to directly dispute inaccurate information with the creditor that furnished it to a consumer reporting agency (CRA). At the same time, the agencies published guidelines that financial companies should follow to ensure the accuracy and integrity of information they furnish to a CRA. Upon notice from a consumer that inaccurate information has been furnished to a CRA, the creditor must conduct a “reasonable” investigation and issue its findings within 30 days, with one 15-day extension allowed. This is the same amount of time credit bureaus have to investigate and respond to a consumer dispute.

Only certain kinds of disputes require an investigation. Disputes which require an investigation include those that relate to:

Consumer’s liability, for example, when the consumer has been the victim of identity theft or fraud.

Terms of the credit account such as the principal balance, scheduled payments or credit limits on open-end accounts.

Performance on the account, such as the date of payments or the date an account was opened or closed.

Any other information that bears on the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

Companies that furnish information to a credit bureau are not required under the rules to investigate disputes that relate to:

Identifying information such as name, date of birth, Social Security number, telephone numbers or addresses.

Past or present employers.

Inquiries listed on the consumer’s credit report.

Information derived from public records such as bankruptcies, liens and other legal matters.

Information related to fraud alerts.

Information provided to a credit bureau by another creditor.

Disputes the creditor believes were prepared by a credit repair organization.

Disputes must be submitted to the proper address, that is, one the creditor includes in a consumer report, an address specified as a dispute address, or any business address if no specific dispute address is designated.

To be investigated, a dispute must include:

Information sufficient to identify the disputed account such as account number, and the consumer’s name, address and telephone number.

Supporting documentation such as the consumer report that contains disputed information, a police report, a fraud or identity theft affidavit or a court order.

Companies may decline to investigate a dispute they find to be “frivolous” or “irrelevant.” Disputes fall into this category if the company determines the consumer did not provide enough information or the dispute is substantially the same as one submitted previously.

The FACTA dispute rules can be found at: www.ftc.gov/opa/2009/07/facta.shtm.

On September 4, 2013, the Consumer Financial Protection Bureau (CFPB) put furnishers on notice that they are responsible for investigating consumer disputes forwarded by the consumer reporting companies. Furnishers are also responsible for reviewing all relevant information provided with the disputes, including documents submitted by consumers.  CFPB Bulletin 2013-09.

Medical Information and Consumer Reports

If you're like most people, privacy of your medical information is a top priority. A major concern is that medical information may be used against you when you apply for a job or refinance your mortgage. Even when medical information is protected in one area, it may still be disclosed through other means.

A good example of this is the credit report. A collection action noted on a credit report that names a medical facility as creditor could inadvertently reveal an underlying medical condition. This is a significant threat since the Federal Reserve Board found in a 2003 study that over half the collections reported on credit reports are for medical debt. See An Overview of Consumer Data and Credit Reporting, www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf.

Under FACTA, consumer reporting agencies may not report the name, address, and telephone number of any medical creditor unless the information is provided in codes that do not identify or infer the provider of care or the individual's medical condition. This does not apply to insurance companies selling other than property and casualty insurance. (FCRA §605(a)(6))

Another section of FACTA says a creditor may not obtain or use medical information to make credit decisions. (FCRA §604(g)(2)) But there are exceptions, and federal banking agencies were directed to issue regulations to cover uses of medical information to protect "legitimate operational, transactional, risk, consumer, and other needs." (FCRA §604(g)(5)(A))

The banking agencies have adopted final regulations on medical information and credit. The rule prohibits a creditor from obtaining and using medical information to decide a consumer's credit eligibility. Still, creditors can obtain and use financial information if related to medical debts, expenses, and income.

One example is a debt for medical bills. You may owe money to a hospital and perhaps you worked out a plan to pay the debt over time. If you apply for a car loan, the bank can check to see if your payments on the hospital bill are up-to-date. If you are late on a payment or two, the bank may consider this in deciding whether to give you the loan. The bank cannot, however, ask about your medical condition or the reason for your hospital stay. In other words, the late payments to the hospital cannot carry any more weight than a late payment on a credit card. It is your history of paying debts only that is allowed. Your health status should not factor into a creditor's decision about whether to give you a loan.

FCRA POLICY - FOUR STEP PROCESS TO COMPLY

The Red Flags Rule tells you how to develop, implement, and administer an identity theft prevention program. A program must include four basic elements that create a framework to deal with the threat of identity theft.

A program must include reasonable policies and procedures to identify the red flags of identity theft that may occur in your day-to-day operations. Red Flags are suspicious patterns or practices, or specific activities that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that doesn’t look genuine is a “red flag” for your business.

A program must be designed to detect the red flags you’ve identified. If you have identified fake IDs as a red flag, for example, you must have procedures to detect possible fake, forged, or altered identification.

A program must spell out appropriate actions you’ll take when you detect red flags.

A program must detail how you’ll keep it current to reflect new threats.

Just getting something down on paper won’t reduce the risk of identity theft. That’s why the Red Flags Rule has requirements on how to incorporate your program into the daily operations of your business. Fortunately, the Rule also gives you the flexibility to design a program appropriate for your company — its size and potential risks of identity theft. While some businesses and organizations may need a comprehensive program to address a high risk of identity theft, a streamlined program may be appropriate for businesses facing a low risk.

Securing the data you collect and maintain about customers is important in reducing identity theft. The Red Flags Rule seeks to prevent identity theft, too, by ensuring that your business or organization is on the lookout for the signs that a crook is using someone else’s information, typically to get products or services from you without paying for them. That’s why it’s important to use a one-two punch in the battle against identity theft: implement data security practices that make it harder for crooks to get access to the personal information they use to open or access accounts, and pay attention to the red flags that suggest that fraud may be afoot.

WHO MUST COMPLY WITH THE RED FLAGS RULE: A TWO-PART ANALYSIS

The Red Flags Rule defines a “financial institution” as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or a person that, directly or indirectly, holds a transaction account belonging to a consumer.

While many financial institutions are under the jurisdiction of the federal bank regulatory agencies or other federal agencies, state-chartered credit unions are one category of financial institution under the FTC’s jurisdiction.

Creditor

The Red Flags Rule defines “creditor” based on conduct. To determine if your business is a creditor under the Red Flags Rule, ask these questions:

Does my business or organization regularly:

defer payment for goods and services or bill customers?

grant or arrange credit?

participate in the decision to extend, renew, or set the terms of credit?

If you answer:

No to all, the Rule does not apply.

Yes to one or more, ask:

Does my business or organization regularly and in the ordinary course of business:

get or use consumer reports in connection with a credit transaction?

give information to credit reporting companies in connection with a credit transaction?

advance funds to — or for — someone who must repay them, either with funds or pledged property (excluding incidental expenses in connection with the services you provide to them)?

If you answer:

No to all, the Rule does not apply.

Yes to one or more, you are a creditor covered by the Rule.

Covered Accounts

If you conclude that your business or organization is a financial institution or a creditor covered by the Rule, you must determine if you have any “covered accounts,” as the Red Flags Rule defines that term. You’ll need to look at existing accounts and new ones.

Two categories of accounts are covered:

A consumer account for your customers for personal, family, or household purposes that involves or allows multiple payments or transactions. Examples are credit card accounts, mortgage loans, automobile loans, checking accounts, and savings accounts.

“Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Examples include small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft. Unlike consumer accounts designed to allow multiple payments or transactions — always considered “covered accounts” under the Rule — other types of accounts are “covered” only if the risk of identity theft is reasonably foreseeable.

In determining if accounts are covered under the second category, consider how they’re opened and accessed. For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely — say, through the Internet or the telephone. Your risk analysis must consider any actual incidents of identity theft involving accounts like these.

HOW TO COMPLY: A FOUR-STEP PROCESS

Many companies already have plans and policies to combat identity theft and related fraud. If that’s the case for your business, you’re already on your way to full compliance.

1. Identify Relevant Red Flags

What are “red flags”? They’re the potential patterns, practices, or specific activities indicating the possibility of identity theft. Consider:

Risk Factors. Different types of accounts pose different kinds of risk. For example, red flags for deposit accounts may differ from red flags for credit accounts, and those for consumer accounts may differ from those for business accounts. When you are identifying key red flags, think about the types of accounts you offer or maintain; the ways you open covered accounts; how you provide access to those accounts; and what you know about identity theft in your business.

Sources of Red Flags. Consider other sources of information, including the experience of other members of your industry. Technology and criminal techniques change constantly, so it’s important to keep up-to-date on new threats.

Categories of Common Red Flags. Supplement A to the Red Flags Rule lists specific categories of warning signs to consider including in your program. The examples here are one way to think about relevant red flags in the context of your own business.

Alerts, Notifications, and Warnings from a Credit Reporting Company. Changes in a credit report or a consumer’s credit activity might signal identity theft:

a fraud or active duty alert on a credit report

a notice of credit freeze in response to a request for a credit report

a notice of address discrepancy provided by a credit reporting company

a credit report indicating a pattern inconsistent with the person’s history, for example, an increase in the volume of inquiries or the use of credit, especially on new accounts; an unusual number of recently established credit relationships; or an account that was closed because of an abuse of account privileges

Suspicious Documents. Documents can offer hints of identity theft:

identification looks altered or forged

the person presenting the identification doesn’t look like the photo or match the physical description

information on the identification differs from what the person with identification is telling you or doesn’t match a signature card or recent check

an application looks like it’s been altered, forged, or torn up and reassembled

Personal Identifying Information. Personal identifying information can indicate identity theft:

inconsistencies with what you know — for example, an address that doesn’t match the credit report or the use of a Social Security number that’s listed on the Social Security Administration Death Master File

inconsistencies in the information a customer has submitted to you

an address, phone number, or other personal information already used on an account you know to be fraudulent

a bogus address, an address for a mail drop or prison, a phone number that’s invalid, or one that’s associated with a pager or answering service

a Social Security number used by someone else opening an account

an address or telephone number used by several people opening accounts

a person who omits required information on an application and doesn’t respond to notices that the application is incomplete

a person who can’t provide authenticating information beyond what’s generally available from a wallet or credit report — for example, someone who can’t answer a challenge question

Account Activity. How the account is being used can be a tip-off to identity theft:

shortly after you’re notified of a change of address, you’re asked for new or additional credit cards, or to add users to the account

a new account used in ways associated with fraud — for example, the customer doesn’t make the first payment, or makes only an initial payment; or most of the available credit is used for cash advances or for jewelry, electronics, or other merchandise easily convertible to cash

an account used outside of established patterns — for example, nonpayment when there’s no history of missed payments, a big increase in the use of available credit, or a major change in buying or spending patterns or electronic fund transfers

an account that is inactive is used again

mail sent to the customer that is returned repeatedly as undeliverable although transactions continue to be conducted on the account

information that the customer isn’t receiving an account statement by mail or email

information about unauthorized charges on the account

Notice from Other Sources. A customer, a victim of identity theft, a law enforcement authority, or someone else may be trying to tell you that an account has been opened or used fraudulently.

2. Detect Red Flags

Sometimes, using identity verification and authentication methods can help you detect red flags. Consider whether your procedures should differ if an identity verification or authentication is taking place in person, by telephone, mail, or online.

New accounts. When verifying the identity of the person who is opening a new account, reasonable procedures may include getting a name, address, and identification number and, for in-person verification, checking a current government-issued identification card, like a driver’s license or passport. Depending on the circumstances, you may want to compare that to information you can find out from other sources, like a credit reporting company or data broker, or the Social Security Number Death Master File. Asking questions based on information from other sources can be a helpful way to verify someone’s identity.

Existing accounts. To detect red flags for existing accounts, your program may include reasonable procedures to confirm the identity of the person you’re dealing with, to monitor transactions, and to verify the validity of change-of-address requests. For online authentication, consider the Federal Financial Institutions Examination Council’s guidance on authentication as a starting point. It explores the application of multi-factor authentication techniques in high-risk environments, including using passwords, PINs, smart cards, tokens, and biometric identification. Certain types of personal information — like a Social Security number, date of birth, mother’s maiden name, or mailing address — are not reliable authenticators because they’re so easily accessible.

You may be using programs to monitor transactions, identify behavior that indicates the possibility of fraud and identity theft, or validate changes of address. If so, incorporate these tools into your program.

3. Prevent And Mitigate Identity Theft

When you spot a red flag, be prepared to respond appropriately. Your response will depend on the degree of risk posed. It may need to accommodate other legal obligations, like laws about providing and terminating service. The Guidelines in the Red Flags Rule offer examples of some appropriate responses, including:

monitoring a covered account for evidence of identity theft

contacting the customer

changing passwords, security codes, or other ways to access a covered account

closing an existing account

reopening an account with a new account number

not opening a new account

not trying to collect on an account or not selling an account to a debt collector

notifying law enforcement

determining that no response is warranted under the particular circumstances

The facts of a particular case may warrant using one of these options, several of them, or another response altogether. Consider whether any aggravating factors raise the risk of identity theft. For example, a recent breach that resulted in unauthorized access to a customer’s account records would call for a stepped-up response because the risk of identity theft rises, too.

4. Update The Program

The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics, and requires periodic updates to your program. Factor in your own experience with identity theft; changes in how identity thieves operate; new methods to detect, prevent, and mitigate identity theft; changes in the accounts you offer; and changes in your business, like mergers, acquisitions, alliances, joint ventures, and arrangements with service providers.

Administering Your Program

Your Board of Directors — or an appropriate committee of the Board — must approve your initial plan. If you don’t have a board, someone in senior management must approve it. The Board may oversee, develop, implement, and administer the program — or it may designate a senior employee to do the job. Responsibilities include assigning specific responsibility for the program’s implementation, reviewing staff reports about compliance with the Rule, and approving important changes to your program.


The Rule requires that you train relevant staff only as “necessary.” Staff who have taken fraud prevention training may not need to be re-trained. Remember that employees at many levels of your organization can play a key role in identity theft deterrence and detection.

In administering your program, monitor the activities of your service providers. If they’re conducting activities covered by the Rule — for example, opening or managing accounts, billing customers, providing customer service, or collecting debts — they must apply the same standards you would if you were performing the tasks yourself. One way to make sure your service providers are taking reasonable steps is to add a provision to your contracts that they have procedures in place to detect red flags and either report them to you or respond appropriately to prevent or mitigate the crime. Other ways to monitor your service providers include giving them a copy of your program, reviewing the red flag policies, or requiring periodic reports about red flags they have detected and their response.

It’s likely that service providers offer the same services to a number of client companies. As a result, the Guidelines are flexible about service providers using their own programs as long as they meet the requirements of the Rule.

The person responsible for your program should report at least annually to your Board of Directors or a designated senior manager. The report should evaluate:

how effective your program has been in addressing the risk of identity theft;
how you’re monitoring the practices of your service providers;
significant incidents of identity theft and your response; and
recommendations for major changes to the program.


CHAPTER 3

EXAM PROCEDURES AND GUIDANCE


FCRA EXAM PROCEDURES

Agency Link

FDIC https://www.fdic.gov/regulations/compliance/manual/8/VIII-6.1.pdf

Compliance Exam Manual, Under VIII, Privacy and Consumer information, VIII-6.1, updated September 2015, 43 pages

Examination Objectives:

OCC http://www.occ.treas.gov/news-issuances/bulletins/2008/bulletin-2008-28.html

The procedures are outlined in six “modules”

FEDERAL RESERVE http://www.federalreserve.gov/boarddocs/supmanual/cch/200611/fcra.pdf

CFPB http://files.consumerfinance.gov/f/201210_cfpb_supervision-and-examination-manual-v2.pdf


CONSUMER PERSPECTIVE AND RECENT SETTLEMENT

This information represents a “consumer perspective” on consumers’ rights with the credit reporting industry.

What Is a Credit Report?

A credit report is a compilation of information about you that lenders and others review to assess your financial behavior and creditworthiness. Credit reports contain a variety of information, including your loans, payment history (both on-time and late payments), personal information and, if applicable, tax liens, judgments and bankruptcies.

Credit reports influence many aspects of your life. Lenders, prospective employers, landlords and others use credit reports to make important decisions like whether to give you a loan, hire you or rent an apartment to you. (Learn more about credit reports and the three big credit reporting agencies.)

How Will the Settlement Agreement Change Credit Reporting?

On March 9, 2015, New York Attorney General Eric T. Schneiderman announced that he had signed a Settlement Agreement (the “Settlement Agreement”) with the three major credit reporting agencies (CRAs) – TransUnion, Equifax, and Experian (the “CRAs”).

The CRAs maintain information on approximately 20 million consumers. In a 2012 Federal Trade Commission study, 26% of study participants identified at least one potentially material error in their credit reports. However, errors are often difficult to correct due to the CRAs’ current highly automated dispute resolution process.

Although not required by the Fair Credit Reporting Act, the voluntary changes agreed to by the CRAs in the Settlement Agreement will go a long way towards reducing errors, improving accuracy, and making it easier for consumers to dispute and correct errors.

Below are some of the specifics.

180-Day Waiting Period Before Reporting Medical Debt

Beginning in September 2016, CRAs will no longer report medical debt unless the medical debt is delinquent by at least 180 days. This waiting period will allow time for processing of insurance claims so that credit reports show the true amount due on a medical debt account and not amounts that the consumer actually doesn't owe. In addition, CRAs must remove medical debt if a creditor, collection agency or debt buyer reports it as paid in full, or if an insurance company is paying the debt.

Traffic Tickets and Government Fines Will Not Appear in Credit Reports

Cities and counties often refer traffic tickets and government fines to collection agencies, or sell them to debt buyers. Currently, collection agencies and debt buyers report these tickets and fines as “debt” to the CRAs. Beginning in September 2016, CRAs will no longer report debt that “did not arise from any contract or agreement to pay,” such as traffic tickets and government fines.


Enhanced Dispute Resolution Procedures

The CRAs will make numerous changes that will enhance the dispute resolution process, ultimately resulting in more accurate credit reports.

Initiating a dispute. No later than September 2015, the CRAs will eliminate certain conditions for accepting disputes. They will no longer require consumers to obtain a current credit report or provide an identification number associated with a credit report in order to initiate a dispute.

Improving notifications to consumers on reinvestigation results. Effective June 2018, if you submit a dispute you will receive more information about dispute investigations, including the action taken by the CRA, contact information for any furnisher involved in responding to the dispute, a description of the role played by the furnisher in the reinvestigation process, the results of the dispute, and if applicable, the specific modification or deletion of information on your credit file. You will also receive a summary of post-dispute options if you are not satisfied with the dispute results.

Additional free annual credit report to consumers following dispute investigations. Currently, the Fair Credit Reporting Act allows you to get one free credit report annually from each of the three CRAs. Beginning in September 2016, if you dispute something on your report and as a result, your report is changed, you can get one additional free credit report within 12 months of the change.

Getting Your Free Credit Report From Experian, Equifax, or TransUnion

You are entitled to one free credit report every 12 months, upon your request, from each of the three major credit reporting agencies. If you are married, you and your spouse can each obtain a free credit report from all three credit reporting agencies each year. Your reports will list all joint accounts (those you opened in both names). No combined report is created for married couples.

You can obtain your free reports:

online at www.AnnualCreditReport.com
by calling 877-322-8228, or
by mail at Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

You will have to provide certain information to prove your identity, such as your Social Security number and, say, the amount of your monthly mortgage payment.

You might want to order all three of your free credit reports at the same time so that you can compare them and spot discrepancies. Or, you can stagger your requests -- ordering one report every four months, for example -- so that you can check more frequently for suspicious activity (like identity theft) or errors.

If you dispute an error after getting your free report, and the CRA updates your report, you can get another free report within the one-year period. (This feature was added by the CRAs in their new National Consumer Assistance Plan.)


Escalated dispute handling for mixed files, fraud, and identity theft. Beginning in September 2015, the CRAs must have a process for escalating certain disputes. Disputes related to mixed files, fraud and identity theft will qualify for escalated handling. “Mixed files” are a common source of errors in credit reports – these are files that contain data about two different individuals with similar names or other overlapping personal information. The escalated dispute handling process will only apply to disputes that consumers submit directly to the CRAs – in other words, it will not apply to disputes from credit repair firms (which you should avoid anyway). In addition, the escalated dispute handling process will not apply to “frivolous or irrelevant” disputes.

Review of supporting dispute documentation. Beginning in September 2015, the CRAs will ensure that when a consumer submits supporting documentation with a dispute, the person who reviews those documents will have the discretion to decide whether to make the change requested by the consumer. This requirement will not apply to documentation submitted by credit repair firms, or to frivolous or irrelevant disputes.

Consumer Education and Internal Changes to Improve Credit Report Accuracy

The CRAs agreed to numerous other changes in the Settlement Agreement. The CRAs will promote AnnualCreditReport.com, and improve educational content to help consumers understand how to read credit reports. They will provide information and instructions on their websites for consumers who have disputes that may qualify for escalated handling. Behind the scenes, they will work together to correct errors and share best practices, and expand capabilities to match new credit data with the file of the appropriate consumer.

The Settlement Agreement represents a major win for consumers - the changes the CRAs will make in the coming years have the potential to improve accuracy and fairness in millions of consumer credit reports.


FTC ADVICE TO CONSUMERS – DISPUTING ERRORS ON CREDIT REPORTS

This is the link to their advice: http://www.consumer.ftc.gov/articles/0151-disputing-errors-credit-reports

Your credit report contains information about where you live, how you pay your bills, and whether you’ve been sued or arrested, or have filed for bankruptcy. Credit reporting companies sell the information in your report to creditors, insurers, employers, and other businesses that use it to evaluate your applications for credit, insurance, employment, or renting a home. The federal Fair Credit Reporting Act (FCRA) promotes the accuracy and privacy of information in the files of the nation’s credit reporting companies.

Some financial advisors and consumer advocates suggest that you review your credit report periodically. Why?

Because the information it contains affects whether you can get a loan — and how much you will have to pay to borrow money.

To make sure the information is accurate, complete, and up-to-date before you apply for a loan for a major purchase like a house or car, buy insurance, or apply for a job.

To help guard against identity theft. That’s when someone uses your personal information — like your name, your Social Security number, or your credit card number — to commit fraud. Identity thieves may use your information to open a new credit card account in your name. Then, when they don’t pay the bills, the delinquent account is reported on your credit report. Inaccurate information like that could affect your ability to get credit, insurance, or even a job.

How to Order Your Free Report

An amendment to the FCRA requires each of the nationwide credit reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months.

The three nationwide credit reporting companies have set up one website, toll-free telephone number, and mailing address through which you can order your free annual report. To order, visit annualcreditreport.com, call 1-877-322-8228, or complete the Annual Credit Report Request Form and mail it to:

Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281

Do not contact the three nationwide credit reporting companies individually.

You may order your reports from each of the three nationwide credit reporting companies at the same time, or you can order from only one or two. The FCRA allows you to order one free copy from each of the nationwide credit reporting companies every 12 months.


You need to provide your name, address, Social Security number, and date of birth. If you have moved in the last two years, you may have to provide your previous address. To maintain the security of your file, each nationwide credit reporting company may ask you for some information that only you would know, like the amount of your monthly mortgage payment. Each company may ask you for different information because the information each has in your file may come from different sources.

Other situations where you might be eligible for a free report

You’re also entitled to a free report if a company takes adverse action against you, such as denying your application for credit, insurance, or employment, based on information in your report. You must ask for your report within 60 days of receiving notice of the action. The notice will give you the name, address, and phone number of the credit reporting company.

You’re also entitled to one free report a year if you’re unemployed and plan to look for a job within 60 days; if you’re on welfare; or if your report is inaccurate because of fraud, including identity theft.

Otherwise, a credit reporting company may charge you a reasonable amount for another copy of your report within a 12-month period. To buy a copy of your report, contact the three credit report companies:

Experian: 1-888-397-3742, www.experian.com

TransUnion: 1-800-916-8800, www.transunion.com

Equifax: 1-800-685-1111, www.equifax.com

Correcting Errors

Under the FCRA, both the credit reporting company and the information provider (that is, the person, company, or organization that provides information about you to a credit reporting company) are responsible for correcting inaccurate or incomplete information in your report. To take advantage of all your rights under this law, contact the credit reporting company and the information provider.

Step One

Tell the credit reporting company, in writing, what information you think is inaccurate. Use our sample dispute letter. (See Appendix) Include copies (NOT originals) of documents that support your position. In addition to providing your complete name and address, your letter should clearly identify each item in your report you dispute, state the facts and explain why you dispute the information, and request that it be removed or corrected. You may want to enclose a copy of your report with the items in question circled. Send your letter by certified mail, “return receipt requested,” so you can document what the credit reporting company received. Keep copies of your dispute letter and enclosures.

Credit reporting companies must investigate the items in question — usually within 30 days — unless they consider your dispute frivolous. They also must forward all the relevant data you provide about the inaccuracy to the organization that provided the information. After the information provider receives notice of a dispute from the credit reporting company, it must investigate, review the relevant information, and report the results back to the credit reporting company. If the information provider finds the disputed information is inaccurate, it must notify all three nationwide credit reporting companies so they can correct the information in your file.


When the investigation is complete, the credit reporting company must give you the results in writing and a free copy of your report if the dispute results in a change. This free report does not count as your annual free report. If an item is changed or deleted, the credit reporting company cannot put the disputed information back in your file unless the information provider verifies that it is accurate and complete. The credit reporting company also must send you written notice that includes the name, address, and phone number of the information provider.

If you ask, the credit reporting company must send notices of any corrections to anyone who received your report in the past six months. You can have a corrected copy of your report sent to anyone who received a copy during the past two years for employment purposes.

If an investigation doesn’t resolve your dispute with the credit reporting company, you can ask that a statement of the dispute be included in your file and in future reports. You also can ask the credit reporting company to provide your statement to anyone who received a copy of your report in the recent past. You can expect to pay a fee for this service.

Step Two

Tell the information provider (that is, the person, company, or organization that provides information about you to a credit reporting company), in writing, that you dispute an item in your credit report. Use this sample dispute letter. Include copies (NOT originals) of documents that support your position. If the provider listed an address on your credit report, send your letter to that address. If no address is listed, contact the provider and ask for the correct address to send your letter. If the information provider does not give you an address, you can send your letter to any business address for that provider.

If the provider continues to report the item you disputed to a credit reporting company, it must let the credit reporting company know about your dispute. And if you are correct — that is, if the information you dispute is found to be inaccurate or incomplete — the information provider must tell the credit reporting company to update or delete the item.

About Your File

Your credit file may not reflect all your credit accounts. Although most national department store and all-purpose bank credit card accounts will be included in your file, not all creditors supply information to credit reporting companies: some local retailers, credit unions, travel, entertainment, and gasoline card companies are among the creditors that don’t.

When negative information in your report is accurate, only the passage of time can assure its removal. A credit reporting company can report most accurate negative information for seven years and bankruptcy information for 10 years. Information about an unpaid judgment against you can be reported for seven years or until the statute of limitations runs out, whichever is longer. There is no time limit on reporting: information about criminal convictions; information reported in response to your application for a job that pays more than $75,000 a year; and information reported because you’ve applied for more than $150,000 worth of credit or life insurance. There is a standard method for calculating the seven-year reporting period. Generally, the period runs from the date that the event took place.

For more information, see How Credit Scores Affect the Price of Credit and Insurance.


FCRA, IDENTITY THEFT RED FLAGS, AND THE PRIVACY ACT

There are three specific areas of required training for the Fair Credit Reporting Act and the Privacy Act.

1. The Identity Theft Red Flags are found in Subpart J of the Fair Credit Reporting Act.

2. There are additional rules for training staff, “as necessary, to implement the program and provide oversight for employee standards of conduct with regard to privacy”. (See 12 CFR 334.90(e))

3. There are training requirements for employees who participate in activities related to the furnishing of information about consumers to consumer reporting agencies to implement the privacy policies and procedures.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (“GLBA”), requires financial institutions to maintain procedures that protect consumers’ personal financial information. There are three principal parts to the privacy requirements: 1) Financial Privacy Rule; 2) Safeguards Rule; and, 3) Pretexting Provisions.

The Financial Privacy Rule, also referred to as Regulation P, governs the collection and disclosure of customers’ personal financial information. The Safeguards Rule requires the financial institution to design, implement and maintain safeguards to protect customer information.

COLLECTION OF CUSTOMER INFORMATION

Customer information is gathered from many different sources such as deposit accounts, loans, and other transactions with the financial institution.

When a customer opens a deposit account, we collect information about the customer such as their name, address, tax identification number, telephone numbers, date of birth, mother’s maiden name, driver’s license number, credit report information (such as ChexSystems) and their signature.

When a customer requests a loan, in addition to the information we would collect for a deposit account, we collect additional information related to employment, income, assets, existing liabilities, dependents, financial history and any other relevant information.

During the course of handling a deposit account or a loan, the bank collects transaction information about a customer such as balances, payee information, overdrafts and non-sufficient funds, payment history, address changes and changes in credit or financial standing. With the advent of the Internet we collect information from customers when they send us e-mail correspondence.

The bank’s Privacy Policy describes in detail how the bank manages customer information and under what circumstances such information may be released to third parties. This policy is disclosed to bank customers at the time a new account is established or upon request. The bank also re-discloses its Privacy Policy on an annual basis. NEW – there is an option to provide the annual statement on the bank’s website.


PRIVACY PROCEDURES

Protecting Customer Information

Financial institutions must take various steps to safeguard customer or customer information and reduce losses from identity theft. These include:

1) procedures to verify the identity of individuals applying for financial products
2) procedures to prevent fraud activities related to customer information
3) maintaining a customer information security program.

1. Verification Procedures

New Accounts: Verification procedures for new accounts will include, as appropriate, independent confirmation of the customer’s identity. This may be done by:

Independently verifying the telephone number
Independently verifying the employer phone number
Calling the customer to confirm the customer has opened an account
Verifying driver’s license and pulling credit bureau

2. Fraud Prevention

Address changes: To prevent fraudulent address changes, we will verify customer information first. As appropriate we may send a confirmation of the address change to both the new and old address. We also circulate fraud bulletins received from various sources. (*NOTE: NEW FACT ACT “RED FLAGS” PROCEDURES BECAME EFFECTIVE 11/1/2008)

3. Information Security

Pretext Calling: Employees will use the pretext training guidelines provided by their bank. Employees can request a call back number to verify the authenticity of the request and then compare that number to our records. Any suspicion of pretext calling and/or concern about security risks will be reported immediately to the Security Officer.

4. Reporting Suspected Identity Theft and Pretext Calling

SAR reporting: Any bank will report all known or suspected criminal violations on a SAR.

5. Consumer Education

Assisting Customers who are victims of Identity Theft: The FTC wrote a consumer education pamphlet called “ID Theft: When Bad Things Happen to Your Good Name”. It is found on the FTC website and should be provided as requested or to anyone who actually becomes an identity theft victim. All employees are required to read this information. A helpful website is: www.consumer.gov/idtheft. Customers can also be referred to the FTC website from the “Security” section of your website if the link is made available.


FCRA RULES AND PERMISSIBLE PURPOSE

The Fair and Accurate Credit Transactions (FACT) Act contains provisions that are designed to enhance the accuracy of credit reports. These provisions require the Federal financial institution regulators and the Federal Trade Commission (FTC) to establish and maintain guidelines for use by those who furnish information to credit bureaus that address the accuracy and integrity of the information. These provisions also require the regulators to issue rules to require furnishers to develop policies and procedures to ensure the accuracy and integrity of information provided to credit bureaus, and to consider the guidelines, as appropriate.

The regulators must also issue rules identifying the circumstances in which a furnisher, based on a direct request from a consumer, must investigate disputes about the accuracy of information in a credit report.

The regulators have issued a final rule that implements these FACT Act provisions.

Compliance with the final rule became effective on July 1, 2010.

Follow your institution’s dispute procedures

NOTE: The CFPB has begun to examine the “Big 3” Credit Reporting Agencies. BE CAREFUL TO MONITOR CREDIT REPORTS. Are they all being pulled for a “permissible purpose” under section 604 of the FCRA? Are they being pulled when a financial institution:

(A) intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or

(E) intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or

(F) otherwise has a legitimate business need for the information (ii) to review an account to determine whether the consumer continues to meet the terms of the account.

Warning from an Equifax representative: A bank may receive a letter from Equifax that references a credit report and your bank must supply the application that shows it was authorized for permissible purposes. Big issue is if an employee accesses a credit report (even their own) without authorization, it is a violation of FCRA and Equifax immediately terminates service. There is no chance for appeal. Examples of permissible purposes – skip tracing, review of loans, investigating fraud or possible identity theft. Examples of non-credible/permissible purposes – pulling a credit report for your own personal reason.

This representative recommended keeping both approved and denied applications for 6 years on file because FCRA allows for action 5+ years after the infraction or 2 years after the discovery of the infraction


CHAPTER 4

FCRA COMPLIANCE ISSUES


CFPB RELEASE COMPLAINT REPORT AUGUST 2015

The CFPB has issued its August 2015 complaint report, the second in its new series of monthly complaint reports. When it announced the launch of the new reports last month, the CFPB stated that each report would spotlight a particular product and geographic location. The August 2015 report spotlights credit reporting complaints and complaints from consumers in the Los Angeles, California metro area.

Findings regarding complaints generally include the following:

As of August 1, 2015, the CFPB has handled approximately 677,200 complaints, including 26,700 complaints in July 2015.  Credit reporting complaints showed the greatest month-over-month increase, with the number of such complaints submitted by consumers in July 2015 up 56 percent from the number submitted in June 2015.  Mortgage complaints showed the greatest month-over-month decrease, with the number of complaints submitted by consumers in July 2015 down 4 percent from the number submitted in June 2015.

For July 2015, debt collection was the most-complained-about financial product or service, representing about 31 percent of complaints submitted (approximately 8,224 of the 26,704 complaints handled in July).  The second and third most-complained-about products were, respectively, credit reporting and mortgages.

Consumer loan complaints, which include pawn, title, and installment loans, increased 61 percent from the same time last year, up from a monthly average of 718 complaints from May to July 2014 to a monthly average of 1,154 complaints from May to July 2015.  This was the greatest percentage increase by product.  Bank account or services complaints showed the greatest percentage decrease (4 percent) by product over the same time period, decreasing from a monthly average of 1,976 complaints to 1,895 complaints.

Hawaii, Maine, Georgia, and North Carolina experienced the greatest average monthly complaint volume increases from the same time last year (May to July 2014 as compared with May to July 2015), with Hawaii up 37 percent, Maine up 36 percent, and both Georgia and North Carolina up 33 percent. South Dakota, New Mexico, and Alaska experienced the greatest complaint volume decrease from the same time last year, with South Dakota down 31 percent, New Mexico down 16 percent, and Arkansas down 11 percent.

SPECIFIC FUNCTIONAL UNITS OF THE CFPB

Research Unit

They will analyze trends in the provision of consumer financial products and review access to “fair and affordable credit for traditional underserved communities” and review consumer awareness of the cost of credit; they will report on consumer behavior with various products.

Community Affairs Unit

They will focus on educating consumers about consumer financial products and ensuring broad access to financial products.

Office of Fair Lending and Equal Opportunity

They will enforce federal laws relating to fair lending, which the Act defines as “fair, equitable, and nondiscriminatory access to credit for consumers.”

Complaints Unit

They will maintain a website and toll-free number to centralize collection and monitoring of consumer complaints regarding consumer financial products and services, and will route complaints to other federal and state agencies where appropriate.

The Office of Service Member Affairs

They will focus on issues to “empower service members and their families to make better financial choices” and monitor complaints received by the CFPB or other federal agencies. Regional offices will be established near military installations as needed.

The Office of Financial Education

They will develop programs to improve consumers’ financial literacy and familiarity with consumer financial products.

The Office of Protection for Older Americans

They will develop financial literacy programs for protection from unfair, deceptive and abusive practices on current and future financial choices. Dodd-Frank designates “older Americans” as those 62 and older; they are referred to as “seniors.”

CFPB STUDY ON CREDIT REPORTS

The CFPB released a report on May 5, 2015 that documents the results of a research project undertaken by the CFPB’s Office of Research to better understand the demographic characteristics of consumers without traditional credit reports or credit scores. The Report concludes that the current credit reporting system is precluding certain populations from accessing credit and taking advantage of other economic opportunities. Although the CFPB does not use the term “disparate impact”, the fair lending implications of the Report should be carefully considered by both the providers and users of credit reports and credit scores.

This is a link: http://www.consumerfinance.gov/newsroom/cfpb-report-finds-26-million-consumers-are-credit-invisible/

The CFPB press release highlighted four of the findings from the Report:

26 million consumers (11% of U.S. adults) are “credit invisible” (i.e., they do not have a credit file with any of the three nationwide credit reporting agencies: Equifax, Experian, and TransUnion).

19 million consumers (8% of U.S. adults) have “unscored” credit records (i.e., they have insufficient credit history to generate a credit score).

Consumers in low-income neighborhoods are more likely to be credit invisible or to have an unscored record.

Black and Hispanic consumers are more likely to have limited credit records.

Although the Report does not include any recommendations for the industry on how to address the Report’s findings, during a press call hosted by the CFPB prior to the release of the report, Kenneth Brevoort of the CFPB’s Office of Research noted that the CFPB will be working on the development of potential fixes to the problem either through regulatory actions or encouraging industry initiatives. 

The Report notes that several industry participants have already developed scoring products that are aimed specifically at these populations. As demonstrated in congressional testimony last year by Stuart Pratt, President and CEO of the Consumer Data Industry Association (CDIA), the trade association for the consumer reporting industry, “CDIA’s members are at the forefront of this movement and it is private investment which is expanding the data sets available for lenders to use as they reach new communities of consumers. These data ensure expanded fairness and access.”

If the CFPB is suggesting that there need to be additional sources of alternative credit reports and credit scores, these new products and services must be developed carefully to ensure the reliability of any predictions; otherwise, the potential harm could be felt across all relevant stakeholders, from businesses that make decisions with inaccurate information to consumers that are impacted by those decisions.

In prepared remarks, CFPB Director Richard Cordray acknowledged that, “Without credit reporting and credit scoring, it would be harder for financial service providers to assess and manage credit risk, and the supply of credit would be more expensive, more erratic, and more constrained.” Industry experts hope that the CFPB will be wary of any actions that could disrupt the U.S. credit reporting system, which the Report observes is currently serving 189 million American consumers.

FDIC FAIR LENDING ISSUES WITH CREDIT REPORT FEES

While this is “old” news, this May 2010 article is still relevant.

In March, some New England area banks received notice from the Federal Deposit Insurance Corporation (FDIC) New York Division of Supervision and Consumer Protection that a recent examination found potential Fair Lending violations of the Equal Credit Opportunity Act (ECOA) pertaining to the fees and processes imposed upon consumers for the credit reports related to their mortgage loans.

The credit reporting practices in question have been found to violate ECOA Section 202.4(a) of Regulation B, which prohibits a creditor from discriminating against an applicant in any aspect of the credit transaction on the basis of marital status. Further, Section 202.2(m) of Regulation B defines a credit transaction broadly to include “every aspect of an applicant’s dealings with a creditor regarding an application for credit or an existing extension of credit (including, but not limited to, information requirements; investigation procedures; standards of creditworthiness; terms of credit; furnishing of credit information; revocation; alteration or termination of credit; and collection procedures).” The preliminary findings continue with citations from Section 202.6(b)(8) of Regulation B, which requires that “a creditor shall evaluate married and unmarried applicants by the same standards; and in evaluating joint applicants, a creditor shall not treat applicants differently based on the existence, absence or likelihood of a marital relationship between the parties.”

So, why are these credit reporting practices setting off so many alarms?

From the fee structure perspective, the issue is the difference in the price of credit reports: some banks have negotiated pricing with their credit reporting agencies that gives a price reduction to co-applicants with traditional “joint” credit files (typically a husband and wife), which is not available to non-traditional co-applicants who are unmarried. This discounted credit report fee in one case created a $32 difference when the fees were passed along to the consumer as a settlement services charge at closing. That fee difference discriminates against the unmarried co-applicants based on marital status and is a violation of the ECOA sections cited above.

From a processes perspective, FDIC examiners also found discriminatory issues in how unmarried co-applicants were handled. At one of the banks, the FDIC noted a violation due to the requirement that unmarried co-applicants complete separate applications, while married co-applicants completed a single application. This requirement violates the “same standards” regardless of marital status provisions of the above sections.

Correcting the pricing issue for ECOA compliance is fairly simple: make sure that whatever the price of a “joint” credit report is, the cost of two individual credit reports equals that same amount. Correcting the application processes issue is more complex. The National Credit Reporting Agency Inc. (NCRA) has discovered that some loan origination systems (LOS) have requirements that split unmarried co-applicants into two separate applications for processing. This varies from system to system, and can even vary depending on the current address status of the co-applicants. On some systems, if the co-applicants are currently residing at the same address, they can be entered on a single application. However, this is more of a problem when the co-applicants are residing at different locations at the time of the loan application. Some LOS do not have the ability to enter different addresses for co-applicants on a single application, regardless of marital status. This can also be problematic with the transfer of that data from the workflow of the LOS, to the mortgage credit reporting agency, to the national credit repositories and back with the credit report. Of course, with several different systems involved, this is not as simple a fix as just making sure married couples no longer receive a few dollars’ discount on their credit report versus unmarried co-applicants.

Mortgage originators should take notice of this action and review their credit report fee structures for this issue, as well as their application processes. While the spirit of the law has not been violated (no one is being denied credit based on marital status), the law is clear and the FDIC seems intent on pushing it to the letter with regard to equal treatment for “any” aspect of the loan transaction, since they have referred some banks to the U.S. Department of Justice for a “Significant Violation” of the ECOA.

TOP TEN ISSUES AND SUGGESTIONS FOR FCRA COMPLIANCE

TOP TEN ISSUES

1. Have internal controls been established to monitor credit reports? Can the bank prove that credit reports are only pulled for a permissible purpose? Is there an audit program to compare the list of credit reports that have been pulled against all applications, renewals, collection activity, and employment inquiries? Are credit reports being properly disposed of or protected from computer intrusion?

2. Does the bank make an annual report to the Board that outlines the effectiveness of the Identity Theft/Red Flags program? Have new threats been identified? Has additional training been required? Have updates been made to the program?

3. Are consumer disputes concerning the accuracy of credit reports being handled within the guidelines of resolving the dispute and responding within 30 days? Has appropriate training been done for new employees? Is there any audit module that reviews these disputes?

4. Is the information being reported to the credit reporting agencies accurate? Is there any audit module to monitor this function?

5. Are address changes being verified in connection with requests for replacement debit or credit cards?

6. If there is an address discrepancy, is it being resolved when a credit report is pulled?

7. If there is an identity theft alert on the credit report or an active duty alert, are appropriate procedures for verification being followed?

8. Are the restrictions against the consideration of medical information being followed?

9. Are the appropriate adverse action/FCRA notices being completed? Are they correct?

10. Are the required risk-based credit score notices or credit score disclosure notices being provided?

Suggestions for FCRA compliance

1. Monitor your primary regulator’s exam procedures and guidance for any “hot spots” that relate to credit reports, identity theft, and similar concerns.

2. Review policies and procedures that relate to FCRA.

3. Update audit programs as needed.

4. Provide training to new hires and training for any corrective action cited in audits or exams.

APPENDIX A – SAMPLE DISCLOSURES

FTC SAMPLE LETTER FOR DISPUTING CREDIT REPORT ERRORS

This is the link to the FTC SAMPLE LETTER: http://www.consumer.ftc.gov/articles/0485-sample-letter-disputing-errors-your-credit-report-information-providers

[Your Name]
[Your Address]
[Your City, State, Zip Code]
[Date]

Complaint Department
[Company Name]
[Street Address]
[City, State, Zip Code]

I am writing to dispute the following information that your company provided to [give the name of the credit reporting company whose report has incorrect information]. I have circled the items I dispute on the attached copy of the credit report I received.

This item [identify item(s) disputed by type of item, such as credit account, judgment, etc., and your account number or another method for the information provider to locate your account] is [inaccurate or incomplete] because [describe what is inaccurate or incomplete and why]. I am requesting that [name of company] have the item(s) removed [or request another specific change] to correct the information.

Enclosed are copies of [use this sentence if applicable and describe any enclosed documents, such as payment records and court documents] supporting my position. Please reinvestigate this [these] matter[s] and contact the national credit reporting companies to which you provided this information to have them [delete or correct] the disputed item[s] as soon as possible.

Sincerely,

Your name

Enclosures: [List what you are enclosing.]

REGULATION B – NOTICE OF ACTION TAKEN AND STATEMENT OF REASONS

NOTE: There are multiple sample notices of adverse action for credit scoring, counter-offers, incomplete applications, business credit. This is a general notice.

FORM C-1—SAMPLE NOTICE OF ACTION TAKEN AND STATEMENT OF REASONS

Statement of Credit Denial, Termination or Change

Date: ___________________
Applicant’s Name: ___________________
Applicant’s Address: ___________________
Description of Account, Transaction, or Requested Credit: ___________________
Description of Action Taken: ___________________

Part I – PRINCIPAL REASON(S) FOR CREDIT DENIAL, TERMINATION, OR OTHER ACTION TAKEN CONCERNING CREDIT. This section must be completed in all instances.

___________________ Credit application incomplete
___________________ Insufficient number of credit references provided
___________________ Unacceptable type of credit references provided
___________________ Unable to verify credit references
___________________ Temporary or irregular employment
___________________ Unable to verify employment
___________________ Length of employment
___________________ Income insufficient for amount of credit requested
___________________ Excessive obligations in relation to income
___________________ Unable to verify income
___________________ Length of residence
___________________ Temporary residence
___________________ Unable to verify residence
___________________ No credit file
___________________ Limited credit experience
___________________ Poor credit performance with us
___________________ Delinquent past or present credit obligations with others
___________________ Collection action or judgment
___________________ Garnishment or attachment
___________________ Foreclosure or repossession
___________________ Bankruptcy
___________________ Number of recent inquiries on credit bureau report
___________________ Value or type of collateral not sufficient
___________________ Other, specify: ___________________

Part II — DISCLOSURE OF USE OF INFORMATION OBTAINED FROM AN OUTSIDE SOURCE. This section should be completed if the credit decision was based in whole or in part on information that has been obtained from an outside source.

___________________ Our credit decision was based in whole or in part on information obtained in a report from the consumer reporting agency listed below. You have a right under the Fair Credit Reporting Act to know the information contained in your credit file at the consumer reporting agency. The reporting agency played no part in our decision and is unable to supply specific reasons why we have denied credit to you. You also have a right to a free copy of your report from the reporting agency, if you request it no later than 60 days after you receive this notice. In addition, if you find that any information contained in the report you receive is inaccurate or incomplete, you have the right to dispute the matter with the reporting agency.

Name: ___________________
Address: ___________________
[Toll-free] Telephone number: ___________________

Our credit decision was based in whole or in part on information obtained from an affiliate or from an outside source other than a consumer reporting agency. Under the Fair Credit Reporting Act, you have the right to make a written request, no later than 60 days after you receive this notice, for disclosure of the nature of this information.

If you have any questions regarding this notice, you should contact:
Creditor’s name: ___________________
Creditor’s address: ___________________
Creditor’s telephone number: ___________________

NOTICE

The federal Equal Credit Opportunity Act prohibits creditors from discriminating against credit applicants on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to enter into a binding contract); because all or part of the applicant’s income derives from any public assistance program; or because the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The federal agency that administers compliance with this law concerning this creditor is (name and address as specified by the appropriate agency listed in appendix A).

MODEL FORM C-3 FOR CREDIT SCORE DISCLOSURE ON DENIALS

NOTICE TO THE HOME LOAN APPLICANT AND CREDIT SCORE DISCLOSURE

In connection with your application for a home loan, the lender must disclose to you the score that a consumer reporting agency distributed to users and the lender used in connection with your home loan, and the key factors affecting your credit scores.

The credit score is a computer generated summary calculated at the time of the request and based on information that a consumer reporting agency or lender has on file. The scores are based on data about your credit history and payment patterns. Credit scores are important because they are used to assist the lender in determining whether you will obtain a loan. They may also be used to determine what interest rate you may be offered on the mortgage. Credit scores can change over time, depending on your conduct, how your credit history and payment patterns change, and how credit scoring technologies change.

Because the score is based on information in your credit history, it is very important that you review the credit-related information that is being furnished to make sure it is accurate. Credit records may vary from one company to another.

If you have questions about your credit score or the credit information that is furnished to you, contact the consumer reporting agency at the address and telephone number provided with this notice, or contact the lender, if the lender developed or generated the credit score. The consumer-reporting agency plays no part in the decision to take any action on the loan application and is unable to provide you with specific reasons for the decision on a loan application.

If you have questions concerning the terms of the loan, contact the lender.

The following company provided the credit score used in making a decision for your loan request. The company that provided the credit score also provided the credit file that your score is based upon.

Experian
701 Experian Parkway
PO Box 2002
Allen, TX 75013-0036
Toll Free 888-397-3742

Credit Score Disclosure

Your application for a loan secured by your home was recently received. In connection with your loan request, the loan officer obtained a consumer credit report and credit score on all borrowers associated with your loan request.

This credit score may be different than other scores you have obtained in the past for any of the following reasons:

1. Credit scores represent a snapshot in time. As the information in your credit report changes, those changes will affect your score.

2. The models used for calculating credit scores may be different with each credit reporting agency or the lender may use an independently developed model.

3. The information in the credit report may be different because not all financial institutions report their credit experiences to the same credit reporting agencies; some institutions do not report their credit experiences at all.

The model used to calculate your credit score is provided by the credit reporting agency; scores range from the mid 300s to the mid 800s. Scores with higher numerical value are considered to reflect better credit performance.

The credit score and credit report used in connection with your home loan application were provided by:

Experian
701 Experian Parkway
PO Box 2002
Allen, TX 75013-0036
Toll Free 888-397-3742

Name of Applicant:
The credit report used in conjunction with your loan request was obtained on:
The credit score is:

The following factors adversely affected your credit score:

1. 01 Current balances on accounts 26 Number of revolving accounts
2. 01 Current balances on accounts 26 Number of revolving accounts
3. 01 Current balances on accounts 26 Number of revolving accounts
4. 01 Current balances on accounts 26 Number of revolving accounts
5. 08 Number of recent inquiries

FTC RESOURCES FOR IDENTITY THEFT

There are excellent resources at this link: https://www.identitytheft.gov/
