FCRA Examination Procedures

Examination Objectives

  • To determine the financial institution’s compliance with the Fair Credit Reporting Act (FCRA).
  • To assess the quality of the financial institution’s compliance risk management system to ensure compliance with the FCRA, as amended by the Fair and Accurate Credit Transaction Act of 2003 (FACT Act).
  • To determine the reliance you can place on the financial institution’s internal controls and procedures for monitoring the institution’s compliance with the FCRA.
  • To direct corrective action when you identify violations of law, or when the institution’s policies or internal controls are deficient.

Initial Examination Procedures

The initial examination procedures are designed to acquaint examiners with the operations and processes of the institution being examined. They focus on the institution’s systems, controls, policies, and procedures, including audits and previous examination findings.

The applicability of the various sections of the FCRA and the implementing regulations1 depends on an institution’s unique operations. The functional examination requirements for an institution’s FCRA responsibilities are presented topically in modules 1 through 5.

Initially, examiners should:

  1. Through discussions with management and review of available information, determine if the institution’s internal controls are adequate to ensure compliance in the FCRA area under review. Consider the following:

    a. Organization charts

    b. Process flowcharts

    c. Policies and procedures

    d. Loan documentation

    e. Checklists

    f. Computer program documentation (for example, records illustrating the fields and types of data reported to consumer reporting agencies; automated records tracking customer opt-outs for FCRA affiliate information sharing; etc.).

  2. Review any compliance audit material, including workpapers and reports, to determine whether:

    a. The scope of the audit addresses all provisions as applicable

    b. Corrective actions were taken to follow up on previously identified deficiencies

    c. The testing includes samples covering all product types and decision centers

    d. The work performed is accurate

    e. Significant deficiencies and their causes are included in reports to management and/or to the board of directors, and

    f. The frequency of review is appropriate.

  3. Review the financial institution’s training materials to determine whether:

    a. Appropriate training is provided to individuals responsible for FCRA compliance and operational procedures.

    b. The training is comprehensive and covers the various aspects of the FCRA that apply to the individual financial institution’s operations.

  4. Through discussions with management, determine which portions of the examination modules will apply.

  5. Complete appropriate examination modules; document and form conclusions regarding the quality of the financial institution’s compliance management systems and compliance with FCRA.

Module 1: Obtaining Consumer Reports

Permissible Purposes of Consumer Reports (15 USC 1681b) and Investigative Consumer Reports (15 USC 1681d)

  1. Determine whether the financial institution obtains consumer reports.

  2. Determine whether the institution obtains prescreened consumer reports and/or reports for employment purposes. If so, complete the appropriate sections of Module 3.

  3. Determine whether the financial institution procures or causes an investigative consumer report to be prepared. If so, ensure that the appropriate disclosure is given to the consumer within the required time period. In addition, ensure that the financial institution certified compliance with the disclosure requirements to the consumer reporting agency.

  4. Ensure that the institution obtains consumer reports only for permissible purposes. Confirm that the institution certifies to the consumer reporting agency the purposes for which it will obtain reports. (The certification is usually contained in a financial institution’s contract with the consumer reporting agency.)

  5. If procedural weaknesses are noted or other risks requiring further investigation are noted, such as the receipt of several consumer complaints were received, review a sample of consumer reports obtained from a consumer reporting agency and determine whether the financial institution had permissible purposes to obtain the reports. For example,

  • Obtain a copy of a billing statement or other list of consumer reports obtained by the financial institution from the consumer reporting agency for a period of time.
  • Compare this list, or a sample from this list to the institution’s records to ensure that there is a permissible purpose for the report(s) obtained. This could include any permissible purpose, such as the consumer applied for credit, insurance, or employment, etc. The financial institution may also obtain a report in connection with the review of an existing account.

Module 2: Obtaining Information and Sharing Among Affiliates

Consumer Report and Information Sharing (15 USC 1681a(d))

  1. Review the financial institution’s policies, procedures, and practices concerning the sharing of consumer information with third parties, including both affiliated and nonaffiliated third parties. Determine the type of information shared and with whom the information is shared. (This portion of the examination process may overlap with a review of the institution’s compliance with the Privacy of Consumer Financial Information Regulations that implement the Gramm-Leach-Bliley Act.)

  2. Determine whether the financial institution’s information sharing practices fall within the exceptions to the definition of a consumer report. If they do not, the institution could be considered a consumer reporting agency and subject to the FCRA requirements for consumer reporting agencies.

  3. If the financial institution shares information other than transaction and experience information with affiliates subject to opt-out provisions, determine whether the institution’s GLBA privacy notice contains information regarding how to opt out, as required by the Privacy of Consumer Financial Information regulations.

  4. If procedural weaknesses or other risks requiring further investigation are noted, obtain a sample of opt-out rights exercised by consumers and determine if the financial institution honored the opt-out requests by not sharing “other information” about the consumers with the institution’s affiliates subsequent to receiving a consumer’s opt-out direction.

Protection of Medical Information (12 CFR 222.30, Subpart D)

  1. Review the financial institution’s policies, procedures, and practices concerning the collection and use of consumer medical information in connection with any determination of the consumer’s eligibility, or continued eligibility for credit.

  2. If the financial institution’s policies, procedures, and practices allow for obtaining and using consumer medical information in the context of a credit transaction, determine whether there are adequate controls in place to ensure that the information is only used subject to the financial information exception in the rules, or under a specific exception within the rules.

  3. If procedural weaknesses or other risks requiring further investigation are noted, obtain samples of credit transactions to determine whether the use of medical information pertaining to a consumer was done strictly under the financial information exception or the specific exceptions under the regulation.

  4. Determine whether the financial institution has adequate policies and procedures in place to limit the redisclosure of consumer medical information that was received from a consumer reporting agency or an affiliate.

  5. Determine whether the financial institution shares medical information about a consumer with affiliates. If it does, determine whether the sharing occurred in accordance with an exception in the rules that enables the financial institution to share the information without becoming a consumer reporting agency.

Affiliate Marketing Opt Out (12 CFR 222.20)

  1. Determine whether the financial institution receives consumer eligibility information from an affiliate. Stop here if it does not because Subpart C of 12 CFR 222 does not apply.

  2. Determine whether the financial institution uses consumer eligibility information received from an affiliate to make a solicitation for marketing purposes that is subject to the notice and opt-out requirements. If it does not, stop here.

  3. Evaluate the institution’s policies, procedures, practices and internal controls to ensure that, where applicable, the consumer is provided with an appropriate notice, a reasonable opportunity, and a reasonable and simple method to opt out of the institution’s using eligibility information to make solicitations for marketing purposes to the consumer, and that the institution is honoring the consumer’s opt-outs.

  4. If compliance risk management weaknesses or other risks requiring further investigation are noted, obtain and review a sample of notices to ensure technical compliance and a sample of opt-out requests from consumers to determine if the institution is honoring the opt-out requests.

    a. Determine whether the opt-out notices are clear, conspicuous, and concise and contain the required information, including the name of the affiliate(s) providing the notice, a general description of the types of eligibility information that may be used to make solicitations to the consumer, and the duration of the opt out (12 CFR 222.23(a)).

    b. Review opt-out notices that are coordinated and consolidated with any other notice or disclosure that is required under other provisions of law for compliance with the affiliate marketing regulation (12 CFR 222.23(b)).

    c. Determine whether the opt-out notices and renewal notices provide the consumer a reasonable opportunity to opt out and a reasonable and simple method to opt out (12 CFR 222.24 and .25).

    d. Determine whether the opt-out notice and renewal notice are provided (by mail, delivery or electronically) so that a consumer can reasonably be expected to receive that actual notice (12 CFR 222.26).

    e. Determine whether, after an opt-out period expires, a financial institution provides a consumer a renewal notice prior to making solicitations based on eligibility information received from an affiliate (12 CFR 222.27).

Module 3: Disclosures to Consumers and Miscellaneous Requirements

Use of Consumer Reports for Employment Purposes (15 USC 1681b(b)(2))

  1. Determine if the financial institution obtains consumer reports on current or prospective employees.

  2. Assess the financial institution’s policies and procedures to determine if appropriate disclosures are provided to current and prospective employees when a financial institution obtains consumer reports for employment purposes, including situations where the financial institution takes adverse actions based on consumer report information.

  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of the disclosures to determine if they are accurate and in compliance with the technical FCRA requirements.

Prescreened Consumer Reports and Opt-Out Notice (15 USC 1681b(c) and 15 USC 1681m(d))(and Parts 642 and 698 of Federal Trade Commission Regulations)

  1. Determine whether the financial institution obtained and used prescreened consumer reports in connection with offers of credit and/or insurance.

  2. Evaluate the institution’s policies and procedures to determine if a list of the criteria used for prescreened offers, including all post-application criteria, is maintained in the institution’s files and the criteria are applied consistently when consumers respond to the offers.

  3. Determine if written solicitations contain the required disclosures of the consumers’ right to opt-out of prescreened solicitations and comply with all requirements applicable at the time of the offer.

  4. If procedural weaknesses or other risks requiring further investigation are noted, obtain and review a sample of approved and denied responses to the offers to ensure that criteria were appropriately followed.

Truncation of Credit and Debit Card Account Numbers (15 USC 1681c(g))

  1. Determine whether the financial institution’s policies and procedures ensure that electronically generated receipts from automated teller machines (ATM) and point-of-sale (POS) terminals or other machines do not contain more than the last five digits of the card number and do not contain the expiration dates.

  2. For ATMs and POS terminals or other machines put into operation before January 1, 2005, determine if the institution brought the terminals into compliance or started a plan to ensure that these terminals comply by the mandatory compliance date of December 4, 2006.

  3. If procedural weaknesses or other risks requiring further investigation are noted, review samples of actual receipts to ensure compliance.

Disclosure of Credit Scores by Certain Mortgage Lenders (15 USC 1681g(g))

  1. Determine if the financial institution uses credit scores in connection with applications for closed-end or open-end loans secured by one- to four-family residential real property.

  2. Evaluate the institution’s policies and procedures to determine whether accurate disclosures are provided to applicants as soon as is reasonably practicable after using credit scores.

  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of disclosures given to home loan applicants to determine technical compliance with the requirements.

Adverse Action Disclosures (15 USC 1681m(a) and (b))

  1. Determine whether the institution’s policies and procedures adequately ensure that the financial institution provides the appropriate disclosures when it takes adverse action against consumers based on information received from consumer reporting agencies, other third parties, and/or affiliates.

  2. Review the financial institution’s policies and procedures for responding to requests for information in response to these adverse action notices.

  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of adverse action notices to determine if they are accurate and in technical compliance.

Debt Collector Communications Concerning Identity Theft (15 USC 1681m(g))

  1. Determine whether the financial institution collects debts for third parties.

  2. Determine whether the financial institution has policies and procedures to ensure that the third parties are notified if the financial institution obtains any information that may indicate that the debt in question is the result of fraud or identity theft.

  3. Determine if the institution has effective policies and procedures for providing information to consumers to whom the fraudulent debts relate.

  4. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of instances where consumers have alleged identity theft and requested information related to transactions to determine if all of the appropriate information was provided to the consumer.

Risk-Based Pricing Notice2 (12 CFR 222.70)

  1. Determine whether the financial institution uses consumer report information in consumer credit decisions.
    If yes, determine whether the institution uses such information to provide credit on terms that are “materially less favorable” than the most favorable material terms available to a substantial proportion of its consumers. Relevant factors in determining the significance of differences in the cost of credit include the type of credit product, the term of the credit extension, and the extent of the difference.

    If “yes,” the financial institution is subject to the risk-based pricing regulations.

  2. Determine whether the financial institution provides a risk-based pricing notice to a consumer (12 CFR 222.72(a)). If it does, proceed to step 3. If the institution does not provide a risk-based pricing notice, proceed to step 22 to determine whether an exception applies (12 CFR 222.74).

  3. Determine the method the financial institution uses to identify consumers who must receive a risk-based pricing notice and whether the method complies with the regulation (12 CFR 222.72(b)).

    a. For institutions that use the direct comparison method (12 CFR 222.72(b)), determine whether the institution directly compares the material terms offered to each consumer and the material terms offer to the other consumers for a specific type of credit product.

    b. For institutions that use the credit score proxy method (12 CFR 222.72(b)(1)):

    i. determine whether the institution calculates the cutoff score by considering the credit scores of all, or a representative sample, of consumers who have received credit for a specific type of credit product;

    ii. determine whether the institution recalculates the cutoff score no less than every two years;

    iii. for new entrants into the credit business, for new products subject to risk-based pricing, or for acquired credit portfolios, determine whether the institution recalculates the cutoff scores within time periods specified in the regulation;

    iv. for institutions using more than one credit score to set material terms, determine whether the institution establishes a cutoff score according to the methods specified in the regulation; and

    v. if no credit score is available for a consumer, determine whether the institution provides the consumer a risk-based pricing notice.

    c. For institutions that use the tiered pricing method (12 CFR 222.72(b)(2)):

    i. when four or fewer pricing tiers are used, determine if the institution sends risk-based pricing notices to consumers who do not qualify for the top, best-priced tier; or

    ii. when five or more pricing tiers are used, determine if the institution provides risk-based pricing notices to consumers who do not qualify for the two top, best-priced tiers and any other tier that, combined with the top two tiers, equal no less than the top 30 percent and no more than the top 40 percent of the total number of tiers.

    d. For credit card issuers:

    i. Determine whether the card issuer uses the credit score proxy method or the tiered pricing method to identify consumers to whom it must provide a risk-based pricing notice.

    ii. If the institution does not use the credit score proxy method or the tiered pricing method, determine whether the card issuer uses the following method as permitted by 12 CFR 222.72(c) to identify consumers to whom it must provide a risk-based pricing notice:

    a) A consumer applies for a credit card either in connection with an application program, such as a direct-mail offer or a take-one application, or in response to a solicitation under 12 CFR 226.5a, and more than a single possible purchase annual percentage rate may apply under the program or solicitation; and 

b) Based in whole or in part on a consumer report, the credit card issuer provides a credit card to the consumer with a purchase APR that is greater than the lowest purchase APR available in connection with the application or solicitation.

    iii. Determine whether the card issuer provides a risk-based pricing notice to each consumer that is provided a credit card with a purchase APR greater than the lowest purchase APR available under the program or solicitation.

  4. Determine whether the risk based pricing notice contains (12 CFR 222.73(a)(1)):

    a. a statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history;

    b. a statement that the terms offered, such as the APR, have been set based on information from a consumer report;

    c. statement that the terms offered may be less favorable than the terms offered to consumers with better credit histories;

    d. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

    e. the identity of each consumer reporting agency that furnished a consumer report used in the credit decision;

    f. a statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;

    g. a statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies; and

    h. a statement directing consumers to the websites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.2

    Proceed to step #10.

  5. If the institution does not provide a risk-based pricing notice, determine if one of the following situations that qualify for a regulatory exception applies (12 CFR 222.74(a)-(f)):

    a. when a consumer applies for specific terms of credit, and receives them, unless those terms were specified by the creditor using a consumer report after the consumer applied for the credit and after the creditor obtained the consumer report;

    b. when a creditor provides a notice of adverse action;

    c. when a creditor makes a firm offer of credit in a prescreened solicitation;

    d. when an institution generally provides a credit score disclosure to each consumer that requests a loan that is or will be secured by residential real property;

    e. when an institution generally provides a credit score disclosure to each consumer that requests a loan that is not or will not be secured by residential real property;

    f. when an institution, which otherwise provides credit score disclosures to consumers that request loans, provides a disclosure for when no credit score is available.

  6. For institutions that choose to provide a credit score disclosure to consumers that request a loan that is or will be secured by residential real property, determine whether the Section 222.74(d) notice generally is provided to each consumer that requests such an extension of credit and that each notice contains:

    a. A statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;

    b. A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history;

    c. A statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;

    d. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

    e. A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;

    f. Contact information for the centralized source from which consumers may obtain their free annual consumer reports;

    g. A statement directing consumers to the websites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports;

    h. The information required to be disclosed to the consumer in Section 609(g) of the FCRA, and as described in Module 3 of these examination procedures, under “Disclosure of Credit Scores by Certain Mortgage Lenders (FCRA), Section 609(g)”; and

    i. The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score. The distribution should:

    i. Use the same scale as that of the credit score provided to the consumer, and

    ii. Be presented:

    a) in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar, 

b) by other clear and readily understandable graphical means, or 

c) in a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers.

    The presentation may use a graph or statement obtained from the entity providing the credit score if it meets these requirements.

  7. For institutions that choose to provide a credit score disclosure to consumers that request a loan that is not or will not be secured by residential real property, determine whether the Section 222.74(e) notice generally is provided to each consumer that requests such an extension of credit and that each notice contains:

    a. A statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;

    b. A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history;

    c. A statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;

    d. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

    e. A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;

    f. Contact information for the centralized source from which consumers may obtain their free annual consumer reports;

    g. A statement directing consumers to the websites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports;

    h. The current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the consumer reporting agency for a purpose related to the extension of credit;

    i. The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score. The distribution should:

    i. Use the same scale as that of the credit score provided to the consumer, and

    ii. Be presented:

    a)  in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar, 

b) by other clear and readily understandable graphical means, or 

c) in a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. The presentation may use a graph or statement obtained from the entity providing the credit score if it meets these requirements;

    j. The range of possible credit scores under the model used to generate the credit score;

    k. The date on which the credit score was created; and

    l. The name of the consumer reporting agency or other person that provided the credit score.

  8. For institutions that otherwise provide credit score disclosures to consumers that request loans, determine whether the Section 222.74(f) notice is provided to the applicable consumers in situations where no credit score is available for the consumer, as required by 222.74(f). Determine whether each notice contains:

    a. A statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history;

    b. A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time in response to changes in the consumer’s credit history;

    c. A statement that credit scores are important because consumers with higher credit scores generally obtain more favorable credit terms;

    d. A statement that not having a credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;

    e. A statement that a credit score about the consumer was not available from a consumer reporting agency, which must be identified by name, generally due to insufficient information regarding the consumer’s credit history;

    f. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the consumer report;

    g. A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free consumer report from each of the nationwide consumer reporting agencies once during any 12-month period;

    h. The contact information for the centralized source from which consumers may obtain their free annual consumer reports; and

    i. A statement directing consumers to the websites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports.

  9. For institutions that provide credit score exception notices and that obtain multiple credit scores in setting material terms of credit, determine whether the score(s) is disclosed in a manner consistent with the regulation (12 CFR 222.74(d)(4) and .74 (e)(4)):

    a. If an institution only relies upon one of those credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer (for example, by using the low, middle, high, or most recent score), determine whether the notice includes that credit score and the other information required by Section 222.74(d).

    b. If an institution relies upon multiple credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer (for example, by computing the average of all the credit scores obtained), determine whether the notice includes one of those credit scores and the other information required by Section 222.74(d).

  10. Regardless of whether the institution provides risk-based pricing notices or credit score exception notices, if the institution increases the consumer’s APR as the result of a review of a consumer’s account, determine whether the financial institution provided the consumer with an account review risk-based pricing notice (12 CFR 222.72(d)) if an adverse action notice was not already provided.

  11. Determine whether the account review risk-based pricing notice contains (12 CFR 222.73(a)(2)):

    a. a statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history;

    b. a statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;

    c. the identity of each consumer reporting agency that furnished a consumer report used in the credit decision;

    d. a statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;

    e. a statement that informs the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and provides contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;

    f. a statement that directs consumers to the websites of the Federal Reserve Board and Federal Trade Commission to obtain more information about consumer reports;

    g. a statement that the financial institution has conducted a review of the account using information from a consumer report; and

    h. a statement that, as a result of the review, the APR on the account has been increased based on information from a consumer report.

  12. For all notices, determine whether the notices are clear and conspicuous and comply with the specific format requirements for the notices (12 CFR 222.73(b), .74(d)(2), .74(e)(2), and .74(f)(3)).

  13. For all notices, determine whether the notices are provided within the required time frames (12 CFR 222.73(c), .74(d)(3), .74(e)(3), and .74(f)(4)):

    Risk-based pricing notices and account review risk-based pricing notices

  • For closed-end credit, the notice generally must be provided to the consumer after the decision to approve a credit request is communicated to the consumer, but before consummation of the transaction.
  • For open-end credit, the notice generally must be provided after the decision to grant credit is communicated to the consumer, but before the first transaction under the plan has been made.

  • For account reviews, the notice generally must be provided at the time that the decision to increase the APR is communicated to the consumer or no later than five days after the effective date of the change in the APR.

    Credit score disclosures for loans secured by residential real property

  • The credit score disclosure for loans secured by residential real property must be provided to the consumer at the same time as the disclosure required by Section 609(g) of the FCRA is provided to the consumer. The 609(g) notice must be provided as soon as reasonably practicable after the credit score has been obtained. In any event, the credit score disclosure for loans secured by residential real property must be provided at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan.

    Credit score disclosures for loans not secured by residential real property

  • The notice generally must be provided to the consumer as soon as reasonably practicable after the credit score has been obtained, but in any event at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan.

    Credit score exception notices when no credit score is available

  • The notice generally must be provided to the consumer as soon as reasonably practicable after the institution has requested the credit score, but in any event not later than consummation of a transaction in the case of closed-end credit or when the first transaction is made under an open-end credit plan.

    All notices, except credit score disclosures for loans secured by residential real property

  • For automobile lending transactions made through an auto dealer that is unaffiliated with the institution, the institution may provide a notice in the time periods described above. Alternatively, the institution may arrange to have the auto dealer provide a notice to the consumer on its behalf within these time periods and maintain reasonable policies and procedures to verify that the auto dealer provides the notice to the consumer within the applicable time periods. If the institution arranges to have the auto dealer provide a credit score disclosure for loans not secured by residential real property, the institution complies if the consumer receives a notice containing a credit score obtained by the dealer with these time periods, even if a different credit score is obtained and used by the institution.

  • For instant credit that is granted under an open-end credit plan to a consumer in person or by telephone, the notice may be provided at the earlier of:
    • The time of the first mailing to the consumer after the decision is made to approve the credit, such as in a mailing containing the account agreement or a credit card; or
    • Within 30 days after the decision to approve the credit.

  1. For all notices, determine whether the financial institution follows the rules of construction pertaining to the number of notices provided to the consumer(s) (12 CFR 222.75). In a transaction involving two or more consumers, a financial institution must provide a risk-based notice to each consumer. If the consumers have the same address, a financial institution may satisfy the requirements by providing a single risk-based pricing notice addressed to both consumers. For credit score disclosure exception notices, whether the consumers have the same address or not, the financial institution must provide a separate notice to each consumer.

  2. For all notices, determine whether the financial institution uses the model forms in Appendix H of the regulation. If yes, determine that it does not modify the model form so extensively as to affect the substance, clarity, comprehensibility, or meaningful sequence of the forms (Appendix H).

Module 4: Duties of Users of Consumer Reports and Furnishers of Consumer Report Information

Duties of Users of Credit Reports Regarding Address Discrepancies (12 CFR 222.82)

  1. Determine whether a user of consumer reports has policies and procedures to recognize notices of address discrepancy that it receives from a nationwide consumer reporting agency (NCRA)3 in connection with consumer reports.

  2. Determine whether a user that receives notices of address discrepancy has policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested (12 CFR 222.82(c)).

    See examples of reasonable policies and procedures “to form a reasonable belief” in 12 CFR 222.82(c)(2).

  3. Determine whether a user that receives notices of address discrepancy has policies and procedures to furnish to the NCRA an address for the consumer that the user has reasonably confirmed is accurate, if the user does the following:

    a. Forms a reasonable belief that the report relates to the consumer;

    b. Establishes a continuing relationship with the consumer; and

    c. Regularly, and in the ordinary course of business, furnishes information to the NCRA (12 CFR 222.82(d)(1)).
    See examples of reasonable confirmation methods in 12 CFR 222.82(d)(2).

  4. Determine whether the user’s policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to an NCRA during the reporting period when it establishes a relationship with the consumer (12 CFR 222.82(d)(3)).

  5. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of consumer reports requested by the user from an NCRA that included notices of address discrepancy and determine:

    a. How the user established a reasonable belief that the consumer reports related to the consumers whose reports were requested; and

    b. If a consumer relationship was established:

    i. Whether the institution furnished a consumer’s address that it reasonably confirmed to the NCRA from which it received the notice of address discrepancy; and

    ii. Whether it furnished the address in the reporting period during which it established the relationship.

  6. On the basis of examination procedures completed, form a conclusion about the ability of user’s policies and procedures to meet regulatory requirements for the proper handling of address discrepancies reported by an NCRA.

Furnishers of Information – General (12 CFR 222.40)

  1. Determine whether the financial institution furnishes consumer information to a consumer reporting agency about an account or other relationship with a consumer. If so, the institution is subject to 12 CFR 222.40

  2. Determine whether the financial institution has established and implemented reasonable policies and procedures regarding the accuracy and integrity of information furnished to a consumer reporting agency (12 CFR 222.42(a)).

  3. Determine whether the institution considered the Interagency Guidelines in Appendix E of the regulation when developing its policies and procedures, and incorporated the guidelines as appropriate (12 CFR 222.42(b)).

  4. Determine whether the institution reviews its policies and procedures periodically and updates them as necessary to ensure their effectiveness (12 CFR 222.42(c)).

  5. If procedural weaknesses are noted or other risks requiring further investigation are noted, such as a high number of consumer complaints regarding the accuracy of their consumer report information from the financial institution, select a sample of reported items and the corresponding loan or collection file to determine that the financial institution:

    a. Did not report information that it knew, or had reasonable cause to believe, was inaccurate. Section 623(a)(1)(A) [15 USC 1681s-2(a)(1)(A)];

    b. Did not report information to a consumer reporting agency if it was notified by the consumer that the information was inaccurate and the information was, in fact, inaccurate. Section 623(a)(1)(B) [15 USC 1681s-2(a)(1)(B)];

    c. Provided the consumer reporting agency with corrections or additional information to make the information complete and accurate, and thereafter did not send the consumer reporting agency the inaccurate or incomplete information in situations where the incomplete or inaccurate information was provided. Section 623(a)(2) [15 USC 1681s-2(a)(2)];

    d. Furnished a notice to a consumer reporting agency of a dispute in situations where a consumer disputed the completeness or accuracy of any information the institution furnished, and the institution continued furnishing the information to a consumer reporting agency. Section 623(a)(3) [15 USC 1681s-2(a)(3)];

    e. Notified the consumer reporting agency of a voluntary account-closing by the consumer, and did so as part of the information regularly furnished for the period in which the account was closed. Section 623(a)(4) [15 USC 1681s-2(a)(4)]; and

    f. Notified the consumer reporting agency of the month and year of commencement of a delinquency that immediately preceded the action. The notification to the consumer reporting agency must be made within 90 days of furnishing information about a delinquent account that was being placed for collection, charged-off, or subjected to any similar action. Section 623(a)(5) [15 USC 1681s-2(a)(5)].

  6. If weakness within the financial institution’s procedures for investigating errors are revealed, review a sample of notices of disputes received from a consumer reporting agency and determine whether the institution did the following:

    a. Conducted an investigation with respect to the disputed information (Section 623(b)(1)(A) [15 USC 1681s-2(b)(1)(A)].

    b. Reviewed all relevant information provided by the consumer reporting agency (Section 623(b)(1)(B) [15 USC 1681s-2(b)(1)(B)].

    c. Reported the results of the investigation to the consumer reporting agency (Section 623(b)(1)(C)) [15 USC 1681s-2(b)(1)(C)].

    d. Reported the results of the investigation to all other nationwide consumer reporting agencies to which the information was furnished if the investigation found that the reported information was inaccurate or incomplete (Section 623(b)(1)(D) [15 USC 1681s-2(b)(1)(D)].

    e. Modified, deleted, or blocked the reporting of information that could not be verified.

  7. Determine whether the institution conducts reasonable investigations of direct disputes from consumers, including a review of all relevant information provided by the consumer (12 CFR 222.43(e)(1) and (2)).

    a. Determine whether the institution completes the investigation and reports the results to the consumer within the required time frame (12 CFR 22243(e)(3)).

    b. Determine whether the institution notifies and provides corrected information to the consumer reporting agencies when the results of its investigation finds that inaccurate information was furnished to the consumer reporting agencies (12 CFR 222.43(e)(4)).

    c. When the institution finds that a dispute is frivolous or irrelevant, determine whether the institution:

    i. notifies the consumer within five days after finding the dispute frivolous or irrelevant (12 CFR 222.43(f)(2)), and

    ii. includes in the consumer notification the reasons for the findings and the information necessary to investigate the disputed information (12 CFR 222.43(f)(3)).

Prevention of Re-Pollution of Consumer Reports (15 USC 1681s-2(a)(6))

  1. If the financial institution provides information to a consumer reporting agency, review the institution’s policies and procedures for ensuring that items of information blocked because of an alleged identity theft are not re-reported to the consumer reporting agency.

  2. If weaknesses are noted within the financial institution’s policies and procedures, review a sample of notices from a consumer reporting agency of allegedly fraudulent information due to identity theft furnished by the financial institution, to determine whether the institution does not re-report the item to a consumer reporting agency.

  3. If procedural weaknesses or other risks requiring further investigation are noted, verify that the financial institution has not sold or transferred a debt that resulted from an alleged identity theft.

Negative Information Notice (15 USC 1681s-2(a)(7))

  1. If the financial institution provides negative information to a nationwide consumer reporting agency, verify that the institution’s policies and procedures ensure the the appropriate notices are provided to consumers.

  2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of notices provided to consumers to determine compliance with the technical content and timing requirements.

Module 5: Consumer Alerts and Identity Theft Protections

Fraud and Active Duty Alerts (15 USC 1681c-1(h))

  1. Determine whether the financial institution has effective policies and procedures in place to verify the identity of consumers in situations in which consumer reports include fraud and/or active duty military alerts.

  2. Determine if the financial institution has effective policies and procedures in place to contact consumers in situations where consumer reports include extended alerts.

  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of transactions in which consumer reports including these types of alerts were obtained. Verify that the financial institution complied with the identity verification and/or consumer contact requirements.

Information Available to Victims (15 USC 1681g(e))

  1. Review the financial institution’s policies, procedures, and/or practices to determine whether identities and claims of fraudulent transactions are verified and whether information is properly disclosed to victims of identity theft and/or appropriately authorized law enforcement agents.

  2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of these types of requests to determine whether the financial institution properly verified the requestor’s identity prior to disclosing the information.

Next section

  1. The Federal Reserve’s implementing regulation is cited in these procedures. However, if examiners cite violations by an entity, examiners should cite violations of the applicable regulation in effect with respect to that entity. 

  2. These exam procedures do not include final amendments to Regulation V implementing Dodd Frank Act amendments to risk-based pricing rules that require disclosure of credit scores and information relating to credit scores in risk-based pricing notices. CFPB is working with prudential regulators to update exam procedures to reflect these rules, which have taken effect, in a uniform manner as appropriate. 

  3. These procedures will be further modified in the future to reflect, as appropriate, the transfer of certain authorities from the Federal Reserve Board to the CFPB on July 21, 2011 effected by the Dodd-Frank Act. 

  4. A NCRA compiles and maintains files on consumers on a nationwide basis. As of the effective date of the rule (January 1, 2008) there were three such consumer reporting agencies: Experian, Equifax, and TransUnion. Section 603(p) of FCRA (15 USC 1681a).