It is therefore not surprising that the Fair Credit Reporting Act (FCRA) carries the potential for heavy liability, both actual, statutory and punitive damages that consumers can recover through private rights of action, and administrative enforcement actions initiated by federal authorities and state agencies.
The FCRA governs the actions of Consumer Information Agencies (CRAs), users of consumer reports, and parties that provide information to CRAs. This article focuses on when your business will have an authorized purpose for obtaining and using information from consumer reports.
A comprehensive FCRA policy should be tailored to your business and reflect how it will obtain, use, and share consumer reports in sufficient detail to match the complexity of your operations. If your business also provides account information to rating agencies, you will also need to develop additional procedures and safeguards to ensure that your business can provide complete and accurate consumer information and can conduct a timely investigation to resolve credit disputes with consumers.
FCRA policy – getting started
As noted below, your company’s FCRA policy should include all obligations, restrictions, and notification requirements that may arise from what is required by the FCRA and the user agreement with the CRA. The very first step will be to isolate the permitted purpose (s) and the reasons why your business will obtain and use the information from the consumer reports, so that you can confirm that each use is permitted and covered by the disclosures and processes put in place. up by your business for compliance. with the FCRA. The foundation of your compliance program should be based on a careful examination of your company’s business practices and policies, to ensure that your business will have an authorized purpose for any use of consumer report information.
Your FCRA policy should describe the specific reasons why your business will obtain and use the information from consumer reports. Under the FCRA, a person cannot use or obtain a consumption report for any purpose other than that expressly authorized by the FCRA which the user has certified to the CRA, which is also known as “authorized end”. The FCRA has several different authorized purposes. For example, a user might have an authorized purpose for obtaining and using consumer report information:
- In accordance with the written instructions of the consumer;
- For employment purposes;
- For the subscription of insurance;
- In connection with the granting of credit to, or the examination or collection of a consumer’s account;
- For legitimate business purposes in connection with a consumer initiated transaction; and
- To make pre-selected firm offers of credit or insurance.
Each authorized goal has a specific meaning and conditions that must be carefully considered. Once you have familiarized yourself with the permitted goals, your FCRA policy should outline the specific reasons why your business will obtain and use information from consumer reports and which permitted purpose applies in different contexts. The details of the policy should also match the contractual certifications provided by your company in its user agreement with the CRA. It may sound simple, but in today’s digital age, it is rarely the case.
Your FCRA policy should not only confirm which permitted goal applies in different contexts, but also address any limitations associated with each permitted goal. For example:
Written instructions. If your business obtains consumer reporting information based on a consumer’s written instructions, specificity is key. A user may obtain and use the information from the consumer report only to the extent permitted by the written instructions of the consumer. Your company’s FCRA policy should outline how your company will ensure that consumer reports are used only as directed by the consumer, for example through training, monitoring and access restrictions and use. You should check if the words used in the written instructions of the consumer correspond to the current business practices of your company, especially if these practices change and evolve over time. Written instructions should be clear, easy to understand, and authorize your business to obtain and use consumer reporting information in a manner consistent with the FCRA, your business user agreement with the CRA, and to current business practices.
Specific use case. Your FCRA policy should outline suitable safeguards that will ensure that the information in the consumption report is used only for specific authorized purposes. Some examples include underwriting credit applications, reviewing or collecting credit, employment termination, etc. If your business can obtain consumption report information for a specific use case that is not clearly covered by an authorized purpose described by the FCRA, you may consider your business to include that use in the written instructions that the consumers are encouraged to sign before your business obtains their consumer report information.
Firm credit offers. Under certain conditions, your business may be permitted to obtain limited information on consumer reports from rating agencies in the form of a pre-selected list and use it for marketing purposes to consumers who have not requested a rating. credit otherwise. Before your business applies for a shortlist, it must establish in advance the specific criteria that your business will apply when assessing consumers who meet your business’s firm offer to credit. The shortlist that your business obtains will not identify all consumers who might be eligible for credit under your business criteria.
The CRA shortlist will exclude consumers who have opted out of shortlisted offers through CRAs, which is a right that your business and others must disclose in any binding offer they make to consumers. CRAs will also exclude consumers who are under 21 and consumers who are not eligible based on the credit criteria your business provides to the CRA. Once your business receives a pre-selected list, it must then make a firm offer of credit to each person on the list.
Not all people who accept your company’s firm credit offer, as defined by the FCRA, will necessarily be eligible for credit. In some cases, your business may reject consumers from the shortlist based on recent changes in their consumer report information or based on criteria your business established prior to making the offer, even though the consumer was not aware of these criteria. Because this is a narrow exception to the general rules which are often based on activities initiated by consumers, this exception contains a number of strict and specific requirements. If your business intends to make prescreened firm offers to consumers, your company’s FCRA policy should carefully outline the steps it will take to ensure that your business can comply with all notification requirements and relevant restrictions on the use of information.
Your company’s FCRA policy should be tailored to its specific business activities and authorized objectives. We recommend that all appropriate personnel in your business review your FCRA policy on a regular basis and, in particular, before your business changes its business practices regarding when your business obtains and uses consumer reporting information.
Aaron Kouhouptis advising inMcGlincheythe Cleveland office. He has over 15 years of experience as internal and external legal advisor to banks and financial institutions of various sizes and formats, including most recently as an associate legal advisor in a peer-to-peer lending company and alternative investment.