Skip to main content
United States flag An official website of the United States government
Show

Fair Credit Reporting Act (Regulation V)

Overview

The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681, et seq., became effective on April 25, 1971. The FCRA is part of a group of laws contained in the Federal Consumer Credit Protection Act, 15 U.S.C. § 1601 et seq. Congress amended FCRA with the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).[1] The FACT Act created new responsibilities for consumer reporting agencies and users of consumer reports. It contains consumer disclosure requirements and provisions on identity theft. In addition, it gives consumers the right to free annual consumer reports and improved access to consumer report information to help increase the accuracy of data in the consumer reporting system.

In 2010, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), which granted rulemaking authority under FCRA (except for § 1681m(e) (red flag guidelines and regulation) and § 1681w (disposal of records)) to the Consumer Financial Protection Bureau (CFPB). The Dodd-Frank Act also amended FCRA to require disclosure of a credit score and related information when a credit score is used in taking an adverse action or in risk-based pricing.[2]

On December 21, 2011, CFPB restated FCRA regulations, named Regulation V (12 CFR Part 1022).

FCRA contains responsibilities for consumer reporting agencies and for persons that operate in any of the following capacities:

  • Procurers and users of information (for example, as credit grantors, purchasers of dealer paper, or when opening deposit accounts);
  • Furnishers and transmitters of information (by reporting information to consumer reporting agencies, other third parties, or to affiliates);
  • Marketers of credit or insurance products; and
  • Employers.

FCRA can be found here. Regulation V can be found here.

Part 717 of NCUA’s Regulations (Fair Credit Reporting) can be found here.


Associated Risks

Compliance risk can occur when the credit union fails to implement the necessary controls to comply with FCRA, 12 CFR Part 1022, and 12 CFR Part 717.

Reputation risk can occur when members of the credit union learn of its failure to comply with FCRA, 12 CFR Part 1022, and 12 CFR Part 717.

Examination Objectives

  • To determine the credit union’s compliance with the FCRA and implementing regulations.
  • To assess the quality of the credit union’s compliance risk management system to ensure compliance with FCRA, as amended.
  • To determine the reliance that can be placed on the credit union’s internal controls and procedures for monitoring compliance with FCRA.
  • To direct corrective action when violations of law are identified, or when the credit union’s policies or internal controls are deficient.

Examination Procedures [3][4]

Initial Examination Procedures

The initial examination procedures focus on the credit union’s systems, controls, policies, and procedures, including audits and previous examination findings.

The applicability of the various sections of the FCRA and the implementing regulations depends on a credit union’s operations. The functional examination requirements are presented topically in modules 1 through 5.

Initially, examiners should:

  1. Through discussions with management and review of available information, determine if the credit union’s internal controls are adequate to ensure compliance in the FCRA area under review.  Consider:
    1. Organization charts;
    2. Process flowcharts;
    3. Policies and procedures;
    4. Loan documentation;
    5. Checklists;
    6. Computer program documentation (for example, records illustrating the fields and types of data reported to consumer reporting agencies; automated records tracking customer opt-outs for FCRA affiliate information sharing; etc.).
  2. Review any compliance audit material, including workpapers and reports, to determine whether:
    1. The scope of the audit addresses all provisions as applicable;
    2. Corrective actions were taken to follow up on previously identified deficiencies;
    3. The testing includes samples covering all product types and decision centers;
    4. The work performed is accurate;
    5. Significant deficiencies and their causes are included in reports to management and/or to the board of directors; and
    6. The frequency of review is appropriate.
  3. Review the credit union’s training materials to determine whether:
    1. Appropriate training is provided to individuals responsible for FCRA compliance and operational procedures; and
    2. The training is comprehensive and covers the various aspects of the FCRA that apply to the individual credit union’s operations.
  4. Through discussions with management, determine which portions of the examination modules will apply.
  5. Complete appropriate examination modules; document and form conclusions regarding the quality of the credit union’s compliance management systems and compliance with FCRA.

Module 1 – Obtaining Consumer Reports

Permissible Purposes of Consumer Reports and Investigative Consumer Reports  (§ 1681b and  § 1681d)

  1. Determine whether the credit union obtains consumer reports.
  2. Determine whether the credit union obtains prescreened consumer reports and/or reports for employment purposes. If so, complete the appropriate sections of Module 3.
  3. Determine whether the credit union procures or causes an investigative consumer report to be prepared. If so, ensure that the appropriate disclosure is given to the consumer within the required time period.  In addition, ensure that the credit union certified compliance with the disclosure requirements to the consumer reporting agency.
  4. Ensure that the credit union obtains consumer reports only for permissible purposes.  Confirm that the credit union certifies to the consumer reporting agency the purposes for which it will obtain reports. (The certification is usually contained in a credit union’s contract with the consumer reporting agency.)
  5. If procedural weaknesses or other risks requiring further investigation are noted, such as the receipt of several consumer complaints, review a sample of consumer reports obtained and determine whether the credit union had permissible purposes to obtain them.  For example,
    1. Obtain a copy of a billing statement or other list of consumer reports obtained by the credit union for a period of time; and
    2. Compare this list, or a sample from this list to the credit union’s records to ensure that there is a permissible purpose for the report(s) obtained. A permissible purpose may include review of an existing account.

Module 2 – Obtaining Information and Sharing Among Affiliates

Consumer Report and Information Sharing (§ 1681a(d))

  1. Review the credit union’s policies, procedures, and practices concerning the sharing of consumer information with third parties, including both affiliated and nonaffiliated third parties. Determine the type of information shared and with whom the information is shared. (This portion of the examination process may overlap with a review of the credit union’s compliance with the Privacy of Consumer Financial Information Regulations that implement the Gramm-Leach-Bliley Act (GLBA)).
  2. Determine whether the credit union’s information sharing practices fall within the exceptions to the definition of a consumer report. If they do not, the credit union could be considered a consumer reporting agency and subject to the FCRA requirements for consumer reporting agencies.
  3. If the credit union shares information other than transaction and experience information with affiliates subject to opt-out provisions, determine whether its GLBA privacy notice contains information about how to opt out, as required by the Privacy of Consumer Financial Information regulation.
  4. If procedural weaknesses or other risks requiring further investigation are noted, obtain a sample of opt-out rights exercised by consumers and determine if the credit union honored the opt-out requests by not sharing “other information” with its affiliates subsequent to receiving opt-out directions.

Protection of Medical Information (§ 1681b(g); § 1022, Subpart D)

  1. Review the credit union’s policies, procedures, and practices concerning the collection and use of consumer medical information in connection with any determination of eligibility, or continued eligibility for credit.
  2. If the credit union’s policies, procedures, and practices allow for obtaining and using consumer medical information in a credit transaction, determine whether there are adequate controls in place to ensure that the information is only used subject to the financial information exception in the rules, or under a specific exception within the rules.
  3. If procedural weaknesses or other risks requiring further investigation are noted, obtain samples of credit transactions to determine whether the use of medical information pertaining to a consumer was done strictly under the financial information exception or the specific exceptions under the regulation.
  4. Determine whether the credit union has adequate policies and procedures in place to limit the redisclosure of consumer medical information that was received from a consumer reporting agency or an affiliate.
  5. Determine whether the credit union shares medical information about a consumer with affiliates. If it does, determine whether the sharing occurred in accordance with an exception in the rules that enables the credit union to share the information without becoming a consumer reporting agency.

Affiliate Marketing Opt Out (§ 1681s-3; § 1022 Subpart C)

  1. Determine whether the credit union receives consumer eligibility information from an affiliate. Stop here if it does not because Subpart C of § 1022 does not apply.
  2. Determine whether the credit union uses consumer eligibility information received from an affiliate to make a solicitation for marketing purposes that is subject to the notice and opt-out requirements.  If it does not, stop here.
  3. Evaluate the credit union’s policies, procedures, practices and internal controls to ensure that, where applicable, the consumer is provided with an appropriate notice, a reasonable opportunity, and a reasonable and simple method to opt out of solicitations for marketing purposes, and that the credit union is honoring opt-outs.
  4. If compliance risk management weaknesses or other risks requiring further investigation are noted, obtain and review a sample of notices to ensure technical compliance and a sample of opt-out requests to determine if the credit union is honoring the requests.
    1. Determine whether the opt-out notices are clear, conspicuous, and concise, and contain the required information, including the name of the affiliate(s) providing the notice, a general description of the types of eligibility information that may be used to make solicitations to the consumer, and the duration of the opt out (§  1022.23(a)).
    2. Review opt-out notices that are coordinated and consolidated with any other notice or disclosure that is required under other provisions of law for compliance with the affiliate marketing regulation (§ 1022.23(b)).
    3. Determine whether the opt-out notices and renewal notices provide the consumer a reasonable opportunity to opt out and a reasonable and simple method to opt out (§ 1022.24 and § 1022.25).
    4. Determine whether the opt-out notice and renewal notice are provided (by mail, delivery or electronically) so that a consumer can reasonably be expected to receive that actual notice (§ 1022.26).
    5. Determine whether, after an opt-out period expires, an credit union provides a consumer a renewal notice prior to making solicitations based on eligibility information received from an affiliate (§ 1022.27).

Module 3 – Disclosures to Consumers and Miscellaneous Requirements

Use of Consumer Reports for Employment Purposes (§ 1681b(b))

  1. Determine if the credit union obtains consumer reports on current or prospective employees.
  2. Assess the credit union’s policies and procedures to determine if appropriate consumer disclosures are provided when consumer reports are obtained for employment purposes, including situations where the credit union takes adverse actions based on consumer report information.
  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of the consumer disclosures to determine if they are accurate and in compliance with the technical FCRA requirements.

Prescreened Consumer Reports and Opt-Out Notice (§ 1681b(c) and § 1681m(d); § 1022.54)

  1. Determine whether the credit union obtained and used prescreened consumer reports in connection with offers of credit and/or insurance.
  2. Evaluate the credit union’s policies and procedures to determine if a list of the criteria used for prescreened offers, including all post-application criteria, is maintained in the credit union’s files and the criteria are consistently applied when consumers respond to the offers.
  3. Determine if written solicitations contain the required disclosure of the right to opt-out of prescreened solicitations and comply with all requirements applicable at the time of the offer.
  4. Determine if the credit union maintains on file the criteria used to select consumers to receive the offer, all criteria bearing on credit worthiness or insurability, as applicable, that are the basis for determining whether or not to extend credit or insurance under each offer, and any requirement for the furnishing of collateral as a condition of the extension of credit or insurance, for three years beginning on the date on which the offer is made to the consumer.
  5. If procedural weaknesses or other risks requiring further investigation are noted, obtain and review a sample of approved and denied responses to the offers to ensure that criteria were appropriately followed.

Truncation of Credit and Debit Card Account Numbers (§ 1681c(g))

  1. Determine whether the credit union’s policies and procedures ensure that electronically generated receipts from automated teller machines and point-of-sale terminals or other machines do not contain more than the last five digits of the card number and do not contain card expiration dates.
  2. If procedural weaknesses or other risks requiring further investigation are noted, review samples of receipts.

Disclosure of Credit Scores by Certain Mortgage Lenders (§ 1681g(g))

  1. Determine if the credit union uses credit scores in connection with applications for closed-end or open-end loans secured by one- to four-family residential real property.
  2. Evaluate the credit union’s policies and procedures to determine whether accurate disclosures are provided to applicants as soon as is reasonably practicable after using credit scores.
  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of disclosures given to home loan applicants to determine technical compliance with the requirements.

Adverse Action Disclosures (§ 1681m(a) and (b))

  1. Determine whether the policies and procedures adequately ensure that the creditor or other person provides the appropriate disclosures, including the consumer’s credit score, as appropriate, when it takes adverse action against consumers based in whole or in part on information contained in a consumer report or specified information received from third parties, including affiliates.
  2. Review the policies and procedures of the creditor or other person for responding to requests for information in response to these adverse action notices.
  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of adverse action notices to determine if they are accurate and in technical compliance.

Debt Collector Communications Concerning Identity Theft (§ 1681m(g))

  1. Determine whether the credit union collects debts for third parties.
  2. Determine whether the credit union has policies and procedures to ensure that the third parties are notified if the credit union obtains any information that may indicate that the debt in question is the result of fraud or identity theft.
  3. Determine if the credit union has effective policies and procedures for providing information to consumers to whom fraudulent debts relate.
  4. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of instances where consumers have alleged identity theft and requested information related to transactions to determine if all of the appropriate information was provided to the consumer.

Risk-Based Pricing Notice (§ 1681m(h); § 1022, Subpart H)

  1. Determine whether the creditor (or other person) uses consumer report information in consumer credit decisions.
    1. If yes, determine whether the creditor uses such information to provide credit on terms that are “materially less favorable” than the most favorable material terms available to a substantial proportion of its consumers.  Relevant factors in determining the significance of differences in the cost of credit include the type of credit product, the term of the credit extension, and the extent of the difference.
      1. If “yes,” the creditor is subject to the risk-based pricing regulations.
  2. Determine the method the creditor uses to identify consumers who must receive a risk-based pricing notice and whether the method complies with the regulation (§ 1022.72(b)).
    1. For creditors that use the direct comparison method (§ 1022.72(b)), determine whether the creditor directly compares the material terms offered to each consumer and the material terms offer to other consumers for a specific type of credit product.
    2. For creditors that use the credit score proxy method (§ 1022.72(b)(1)):
      1. Determine whether the creditor calculates the cutoff score by considering the credit scores of all, or a representative sample, of consumers who have received credit for a specific type of credit product;
      2. Determine whether the creditor recalculates the cutoff score no less than every two years;
      3. For new entrants into the credit business, for new products subject to risk-based pricing, or for acquired credit portfolios, determine whether the creditor recalculates the cutoff scores within time periods specified in the regulation;
      4. For creditors using more than one credit score to set material terms, determine whether the creditor establishes a cutoff score according to the methods specified in the regulation; and
      5. If no credit score is available for a consumer, determine whether the creditor provides the consumer a risk-based pricing notice.
    3. For creditors that use the tiered pricing method (§ 1022.72(b)(2)):
      1. When four or fewer pricing tiers are used, determine if the creditor sends risk-based pricing notices to consumers who do not qualify for the top, best-priced tier; or
      2. When five or more pricing tiers are used, determine if the creditor provides risk-based pricing notices to consumers who do not qualify for the two top, best-priced tiers and any other tier that, combined with the top two tiers, equal no less than the top 30 percent and no more than the top 40 percent of the total number of tiers.
    4. For credit card issuers:
      1. Determine whether the card issuer uses the direct comparison method, the credit score proxy method, or the tiered pricing method to identify consumers to whom it must provide a risk-based pricing notice.
      2. If the creditor does not use the direct comparison method, the credit score proxy method, or the tiered pricing method, determine whether the card issuer uses the following method as permitted by § 1022.72(c) to identify consumers to whom it must provide a risk-based pricing notice:
        1. A consumer applies for a credit card either in connection with an application program, such as a direct-mail offer or a take-one application, or in response to a solicitation under § 1026.60, and more than a single possible purchase annual percentage rate (APR) may apply under the program or solicitation; and
        2. Based in whole or in part on a consumer report, the credit card issuer provides a credit card to the consumer with a purchase APR that is greater than the lowest purchase APR available in connection with the application or solicitation.
      3. Determine whether the card issuer provides a risk-based pricing notice to each consumer that is provided a credit card with a purchase APR greater than the lowest purchase APR available under the program or solicitation.
  3. Determine whether the creditor provides a risk-based pricing notice to a consumer (§ 1022.72(a)). For creditors that provide the notice, proceed to step #4. If the creditor does not provide a risk-based pricing notice, proceed to step #5 to determine whether an exception applies (§ 1022.74).
  4. Determine whether the risk based pricing notice contains (§ 1022.73(a)(1)):
    1. A statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history;
    2. A statement that the terms offered, such as the APR, have been set based on information from a consumer report;
    3. A statement that the terms offered may be less favorable than the terms offered to consumers with better credit histories;
    4. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
    5. The identity of each consumer reporting agency that furnished a consumer report used in the credit decision;
    6. A statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;
    7. A statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;
    8. A statement directing consumers to the website of CFPB to obtain more information about consumer reports; and
    9. If a credit score of the consumer to whom a person grants, extends, or otherwise provides credit is used in setting the material terms of credit:
      1. A statement that a credit score is a number that takes into account information in a consumer report, that the consumer’s credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer’s credit history;
      2. The credit score used by the person in making the credit decision;
      3. The range of possible credit scores under the model used to generate the credit score;
      4. All of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five;
      5. The date on which the credit score was created; and
      6. The name of the consumer reporting agency or other person that provided the credit score.
  5. If the creditor does not provide a risk-based pricing notice, determine if one of the following situations that qualify for a regulatory exception applies (§ 1022.74(a)-(f)):
    1. A consumer applies for specific terms of credit, and receives them, unless those terms were specified by the creditor using a consumer report after the consumer applied for the credit and after the creditor obtained the consumer report;
    2. A creditor provides a notice of adverse action;
    3. A creditor makes a firm offer of credit in a prescreened solicitation (even if the person makes other firm offers of credit to other consumers on more favorable material terms);
    4. A creditor generally provides a credit score disclosure to each consumer that requests a loan that is or will be secured by residential real property (if so, proceed to step #6);
    5. A creditor generally provides a credit score disclosure to each consumer that requests a loan that is not or will not be secured by residential real property (if so, proceed to step #7); or
    6. A creditor, which otherwise provides credit score disclosures to consumers that request loans, provides a disclosure for when no credit score is available (if so, proceed to step #8).
  6. For creditors that choose to provide a credit score disclosure to consumers that request a loan that is or will be secured by residential real property, determine whether the § 1022.74(d) notice generally is provided to each consumer that requests such an extension of credit and that each notice contains:
    1. A statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;
    2. A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history;
    3. A statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;
    4. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
    5. A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;
    6. Contact information for the centralized source from which consumers may obtain their free annual consumer reports;
    7. A statement directing consumers to the website of CFPB to obtain more information about consumer reports;
    8. The information required to be disclosed to the consumer in § 1681g(g) of the FCRA, and as described in Module 3 of these examination procedures, under Disclosure of Credit Scores by Certain Mortgage Lenders (FCRA), § 1681g(g); and
    9. The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score. The distribution must:
      1. Use the same scale as that of the credit score provided to the consumer; and
      2. Be presented:
        1. In the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar;
        2. By other clear and readily understandable graphical means; or
        3. In a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers.
        4. Note:  The presentation may use a graph or statement obtained from the creditor providing the credit score if it meets these requirements.
  7. For creditors that choose to provide a credit score disclosure to consumers that request a loan that is not or will not be secured by residential real property, determine whether the § 1022.74(e) notice generally is provided to each consumer that requests such an extension of credit and that each notice contains:
    1. A statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;
    2. A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history;
    3. A statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;
    4. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
    5. A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;
    6. Contact information for the centralized source from which consumers may obtain their free annual consumer reports;
    7. A statement directing consumers to the website of CFPB to obtain more information about consumer reports;
    8. The current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the consumer reporting agency for a purpose related to the extension of credit;
    9. The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score. The distribution must:
      1. Use the same scale as that of the credit score provided to the consumer; and
      2. Be presented:
        1. In the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar;
        2. By other clear and readily understandable graphical means; or
        3. In a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers.  The presentation may use a graph or statement obtained from the creditor providing the credit score if it meets these requirements;
    10.  The range of possible credit scores under the model used to generate the credit score;
    11. The date on which the credit score was created; and
    12. The name of the consumer reporting agency or other person that provided the credit score.
  8. For creditors that otherwise provide credit score disclosures to consumers that request loans, determine whether the § 1022.74(f) notice is provided to the applicable consumers in situations where no credit score is available for the consumer, as required by § 1022.74(f).  Determine whether each notice contains:
    1. A statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history;
    2. A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time in response to changes in the consumer’s credit history;
    3. A statement that credit scores are important because consumers with higher credit scores generally obtain more favorable credit terms;
    4. A statement that not having a credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;
    5. A statement that a credit score about the consumer was not available from a consumer reporting agency, which must be identified by name, generally due to insufficient information regarding the consumer’s credit history;
    6. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the consumer report;
    7. A statement that federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free consumer report from each of the nationwide consumer reporting agencies once during any 12-month period;
    8. The contact information for the centralized source from which consumers may obtain their free annual consumer reports; and
    9. A statement directing consumers to the website of CFPB to obtain more information about consumer reports.
  9. For creditors that provide credit score exception notices and that obtain multiple credit scores in setting material terms of credit, determine whether the score(s) is disclosed in a manner consistent with the regulation (§ 1022.74(d)(4) and § 1022.74(e)(4)):
    1. If a creditor only relies upon one of those credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer (for example, by using the low, middle, high, or most recent score), determine whether the notice includes that credit score and the other information required by § 1022.74(d).
    2. If a creditor relies upon multiple credit scores in setting the material terms of credit granted, extended, or otherwise provided to a consumer (for example, by computing the average of all the credit scores obtained), determine whether the notice includes one of those credit scores and the other information required by § 1022.74(d).
  10. Regardless of whether the creditor provides risk-based pricing notices or credit score disclosure exception notices, if the creditor increases the consumer’s APR as the result of a review of a consumer’s account, determine whether the creditor provided the consumer with an account review risk-based pricing notice (§ 1022.72(d)) if an adverse action notice was not already provided.
  11. Determine whether the account review risk-based pricing notice contains (§ 1022.73(a)(2)):
    1. A statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history;
    2. A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
    3. The identity of each consumer reporting agency that furnished a consumer report used in the credit decision;
    4. A statement that federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;
    5. A statement that informs the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and provides contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;
    6. A statement that directs consumers to the website of CFPB to obtain more information about consumer reports;
    7. A statement that the creditor has conducted a review of the account using information from a consumer report;
    8. A statement that, as a result of the review, the APR on the account has been increased based on information from a consumer report; and
    9. If a credit score of the consumer whose extension of credit is under review is used in increasing the APR:
      1. A statement that a credit score is a number that takes into account information in a consumer report, that the consumer’s credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer’s credit history;
      2. The credit score used by the person in making the credit decision;
      3. The range of possible credit scores under the model used to generate the credit score;
      4. All of the key factors that adversely affected the credit score, which shall not exceed four key factors, except that if one of the key factors is the number of enquiries made with respect to the consumer report, the number of key factors shall not exceed five;
      5. The date on which the credit score was created; and
      6. The name of the consumer reporting agency or other person that provided the credit score.
  12. For all notices, determine whether the notices are clear and conspicuous and comply with the specific format requirements for the notices (§ 1022.73(b), § 1022.74(d)(2), § 1022.74(e)(2), and § 1022.74(f)(3)).
  13. For all notices, determine whether the notices are provided within the required time frames (§ 1022.73(c), § 1022.74(d)(3), § 1022.74(e)(3), and § 1022.74(f)(4)), as set out as follows:
    1. Risk-based pricing notices and account review risk-based pricing notices
      1. For closed-end credit, the notice generally must be provided to the consumer after the decision to approve a credit request is communicated to the consumer, but before consummation of the transaction.
      2. For open-end credit, the notice generally must be provided after the decision to grant credit is communicated to the consumer, but before the first transaction under the plan has been made.
      3. For account reviews, the notice generally must be provided at the time that the decision to increase the APR is communicated to the consumer or no later than five days after the effective date of the change in the APR.
    2. Credit score disclosures for loans secured by residential real property
      1. The credit score disclosure for loans secured by residential real property must be provided to the consumer at the same time as the disclosure required by § 1681g(g) of the FCRA is provided to the consumer. The § 1681g(g) notice must be provided as soon as reasonably practicable after the credit score has been obtained. In any event, the credit score disclosure for loans secured by residential real property must be provided at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan.
    3. Credit score disclosures for loans not secured by residential real property
      1. The notice generally must be provided to the consumer as soon as reasonably practicable after the credit score has been obtained, but in any event at or before consummation in the case of closed-end credit or before the first transaction is made under an open-end credit plan.
    4. Credit score exception notices when no credit score is available
      1. The notice generally must be provided to the consumer as soon as reasonably practicable after the creditor has requested the credit score, but in any event not later than consummation of a transaction in the case of closed-end credit or when the first transaction is made under an open-end credit plan.
    5. Application to certain automobile lending transactions
      1. For automobile lending transactions made through an auto dealer that is unaffiliated with the creditor, the creditor may provide a notice in the time periods described above.  Alternatively, the creditor may arrange to have the auto dealer provide a notice to the consumer on its behalf within these time periods and maintain reasonable policies and procedures to verify that the auto dealer provides the notice to the consumer within the applicable time periods.  If the creditor arranges to have the auto dealer provide a credit score disclosure for loans not secured by residential real property, the creditor complies if the consumer receives a notice containing a credit score obtained by the auto dealer with these time periods, even if a different credit score is obtained and used by the creditor.
      2. For credit that is granted under an open-end credit plan to a consumer in person or by telephone for contemporaneous purchase of goods or services, the notice may be provided at the earlier of:
        1. The time of the first mailing to the consumer after the decision is made to approve the credit, such as in a mailing containing the account agreement or a credit card; or
        2. Within 30 days after the decision to approve the credit.
  14. For all notices, determine whether the creditor follows the rules of construction pertaining to the number of notices provided to the consumer(s) (§ 1022.75).  In a transaction involving two or more consumers, a creditor must provide a risk-based notice to each consumer.  If the consumers have the same address, and the notice does not include a credit score(s), a person may satisfy the requirements by providing a single notice addressed to both consumers.  However, if a notice includes a credit score(s), the person must provide a separate notice to each consumer whether the consumers have the same address or not.  Each separate notice that includes a credit score(s) must contain only the credit score(s) of the consumer to whom the notice is provided, and not the credit score(s) of the other consumer.  Similarly, for credit score disclosure exception notices, whether the consumers have the same address or not, the creditor must provide a separate notice to each consumer and each separate notice that includes a credit score(s) must contain only the credit score(s) of the consumer to whom the notices is provided.
  15. For all notices, determine whether the creditor uses the model forms in Appendix H of the regulation.  If yes, determine that it does not modify the model form so extensively as to affect the substance, clarity, comprehensibility, or meaningful sequence of the forms.

Module 4 – Duties of Users of Consumer Reports and Furnishers of Consumer Report Information

Duties of Users of Credit Reports Regarding Address Discrepancies (§ 1681c(h); § 1022.82)

  1. Determine whether a user of consumer reports has policies and procedures to recognize notices of address discrepancy that it receives from a nationwide consumer reporting agency (NCRA)[5] in connection with consumer reports.
  2. Determine whether a user that receives notices of address discrepancy has policies and procedures to form a reasonable belief that the consumer report relates to the consumer whose report was requested (§ 1022.82(c)).
    1. See examples of reasonable policies and procedures “to form a reasonable belief” in § 1022.82(c)(2).
  3. Determine whether a user that receives notices of address discrepancy has policies and procedures to furnish to the NCRA an address for the consumer that the user has reasonably confirmed is accurate, if the user does the following:
    1. Forms a reasonable belief that the report relates to the consumer;
    2. Establishes a continuing relationship with the consumer; and
    3. Regularly, and in the ordinary course of business, furnishes information to the NCRA (§ 1022.82(d)(1)).
    4. See examples of reasonable confirmation methods in § 1022.82(d)(2).
  4. Determine whether the user’s policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to an NCRA during the reporting period when it establishes a relationship with the consumer (§ 1022.82(d)(3)).
  5. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of consumer reports requested by the user from an NCRA that included notices of address discrepancy and determine:
    1. How the user established a reasonable belief that the consumer reports related to the consumers whose reports were requested; and
    2. If a consumer relationship was established:
      1. Whether the user furnished a consumer’s address that it reasonably confirmed to the NCRA from which it received the notice of address discrepancy; and
      2. Whether it furnished the address in the reporting period during which it established the relationship.
  6. On the basis of examination procedures completed, form a conclusion about the ability of user’s policies and procedures to meet regulatory requirements for the proper handling of address discrepancies reported by an NCRA.

Furnishers of Information to Consumer Reporting Agencies:  General (§ 1681s-2; § 1022, Subpart E

  1. Determine whether the credit union furnishes consumer information to a consumer reporting agency about an account or other relationship with a consumer.  If so, the credit union is subject to § 1022.40, § 1022.41, § 1022.42, and § 1022.43.
  2. Determine whether the credit union has established and implemented reasonable policies and procedures regarding the accuracy and integrity of information furnished to a consumer reporting agency (§ 1022.42(a)).
  3. Determine whether the credit union considered the Interagency Guidelines in Appendix E of the regulation when developing its policies and procedures, and incorporated the guidelines as appropriate (§ 1022.42(b)).
  4. Determine whether the credit union reviews its policies and procedures periodically and updates them as necessary to ensure their effectiveness (§ 1022.42(c)).
  5. If procedural weaknesses are noted or other risks requiring further investigation are noted, such as a high number of consumer complaints regarding the accuracy of their consumer report information from the credit union, select a sample of reported items and the corresponding loan or collection file to determine that the credit union:
    1. Did not report information that it knew, or had reasonable cause to believe, was inaccurate. (§ 1681s-2(a)(1)(A));
    2. Did not report information to a consumer reporting agency if it was notified by the consumer that the information was inaccurate and the information was, in fact, inaccurate. (§ 1681s-2(a)(1)(B));
    3. Provided the consumer reporting agency with corrections or additional information to make information complete and accurate, and thereafter did not send the consumer reporting agency any information that remained incomplete or inaccurate. (§ 1681s-2(a)(2));
    4. Furnished a notice to a consumer reporting agency of a dispute in situations where a consumer disputed the completeness or accuracy of any information the credit union furnished, and the credit union continued furnishing the information to a consumer reporting agency. (§ 1681s-2(a)(3));
    5. Notified the consumer reporting agency of a voluntary account-closing by the consumer, and did so as part of the information regularly furnished for the period in which the account was closed. (§ 1681s-2(a)(4)); and
    6. Notified the consumer reporting agency of the month and year of commencement of a delinquency that immediately preceded the action.  The notification to the consumer reporting agency must be made within 90 days of furnishing information about a delinquent account that was being placed for collection, charged-off, or subjected to any similar action.  (§ 1681s-2(a)(5)).
  6. If weaknesses within the credit union’s procedures for investigating errors are revealed, review a sample of notices of disputes received from a consumer reporting agency and determine whether the credit union did the following:
    1. Conducted an investigation with respect to the disputed information (§ 1681s-2(b)(1)(A));
    2. Reviewed all relevant information provided by the consumer reporting agency (§ 1681s-2(b)(1)(B));
    3. Reported the results of the investigation to the consumer reporting agency (§ 1681s-2(b)(1)(C));
    4. Reported the results of the investigation to all other nationwide consumer reporting agencies to which the information was furnished if the investigation found that the reported information was inaccurate or incomplete (§ 1681s-2(b)(1)(D)); and
    5. Modified, deleted, or blocked the reporting of information that could not be verified.
  7. Determine whether the credit union conducts reasonable investigations of direct disputes from consumers, including a review of all relevant information provided by the consumer (§ 1022.43(e)(1) and (2)).
    1. Determine whether the credit union completes the investigation and reports the results to the consumer within the required time frame (§ 1022.43(e)(3)).
    2. Determine whether the credit union notifies and provides corrected information to the consumer reporting agencies when the results of its investigation finds that inaccurate information was furnished to the consumer reporting agencies (§ 1022.43(e)(4)).
    3. When the credit union finds that a dispute is frivolous or irrelevant, determine whether the credit union:
      1. Notifies the consumer within five days after finding the dispute frivolous or irrelevant (§ 1022.43(f)(2)); and
      2. Includes in the consumer notification the reasons for the findings and the information necessary to investigate the disputed information (§ 1022.43(f)(3)).

Prevention of Re-Pollution of Consumer Reports (§ 1681s-2(a)(6))

  1. If the credit union provides information to a consumer reporting agency, review the credit union’s policies and procedures for ensuring that items of information blocked because of an alleged identity theft are not re-reported to the consumer reporting agency.
  2. If weaknesses are noted within the credit union’s policies and procedures, review a sample of notices from a consumer reporting agency of allegedly fraudulent information due to identity theft furnished by the credit union, to determine whether the credit union does not re-report the item to a consumer reporting agency.
  3. If procedural weaknesses or other risks requiring further investigation are noted, verify that the credit union has not sold or transferred a debt that resulted from an alleged identity theft.

Negative Information Notice (§ 1681s-2(a)(7))

  1. If the credit union provides negative information to a nationwide consumer reporting agency, verify that the credit union’s policies and procedures ensure that the appropriate notices are provided to consumers.
  2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of notices provided to consumers to determine compliance with the technical content and timing requirements.

Module 5 – Consumer Alerts and Identity Theft Protections

Fraud and Active Duty Alerts (§ 1681c-1(h))

  1. Determine whether the credit union has effective policies and procedures in place to verify the identity of consumers in situations in which consumer reports include fraud and/or active duty military alerts.
  2. Determine if the credit union has effective policies and procedures in place to contact consumers in situations where consumer reports include extended alerts.
  3. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of transactions in which consumer reports including these types of alerts were obtained.  Verify that the credit union complied with the identity verification and/or consumer contact requirements.

Information Available to Victims (§ 1681g(e))

  1. Review the credit union’s policies, procedures, and/or practices to determine whether identities and claims of fraudulent transactions are verified and whether information is properly disclosed to victims of identity theft and/or appropriately authorized law enforcement agents.
  2. If procedural weaknesses or other risks requiring further investigation are noted, review a sample of these types of requests to determine whether the credit union properly verified the requestor’s identity prior to disclosing the information.

Duties Regarding the Detection, Prevention, and Mitigation of Identity Theft (§ 1681m(e); § 717.90)

  1. Verify that the federal credit union periodically [6] identifies covered accounts it offers or maintains.[7] Verify that the federal credit union:
    1. Included accounts for personal, family, and household purposes that permit multiple payments or transactions; and
    2. Conducted a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft, taking into consideration the methods used to open and access accounts, and the institution’s previous experiences with identity theft. (§ 717.90(c))
  2. Review examination findings in other areas (e.g., Bank Secrecy Act, Customer Identification Program, and Customer Information Security Program) to determine whether deficiencies exist that adversely affect the federal credit union’s ability to comply with the Identity Theft Red Flags Rules (red flag rules).
  3. Review any reports, such as audit reports and annual reports prepared by staff for the board of directors [8] (or an appropriate committee thereof or a designated senior management employee) on compliance with the red flag rules, including reports that address:
    1. The effectiveness of the federal credit union’s Identity Theft Prevention Program (program);
    2. Significant incidents of identity theft and management’s response;
    3. Oversight of service providers that perform activities related to covered accounts; and
    4. Recommendations for material changes to the program.
  4. Determine whether management adequately addressed any deficiencies. (§ 717.90(f) and Appendix J)
  5. Verify that the federal credit union has developed and implemented a comprehensive written program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account. The program must be appropriate to the size and complexity of the federal credit union and the nature and scope of its activities. (§ 717.90(d)(1))
  6. Verify that the federal credit union considered the Guidelines in Appendix J to the regulation (Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation) in the formulation of its program, and included those that are appropriate. (§ 717.90(f))
  7. Determine whether the program has reasonable policies, procedures, and controls to effectively identify and detect relevant red flags and to respond appropriately to prevent and mitigate identity theft. (§ 717.90(d)(2)(i)-(iii))  Federal credit unions may but are not required to use the illustrative examples of red flags in Supplement A to the Guidelines to identify relevant red flags. Appendix J, § II, § III, and § IV
  8. Determine whether the federal credit union uses technology to detect red flags.  If it does, discuss with management the methods by which the federal credit union confirms that the technology is working effectively.
  9. Determine whether the program (including the red flags determined to be relevant) is updated periodically to reflect changes in the risks to customers and the safety and soundness of the federal credit union from identity theft. (§ 717.90(d)(2)(iv))
  10. Verify that (i) the board of directors (or an appropriate committee thereof) initially approved the program; and (ii) the board (or an appropriate committee thereof or a designated senior management employee) is involved in the oversight, development, implementation, and administration of the program. (§ 717.90(e)(1) and (2))
  11. Verify that the federal credit union trains appropriate staff to implement and administer the program effectively. (§ 717.90(e)(3))
  12. Determine whether the federal credit union exercises appropriate and effective oversight of service providers that perform activities related to covered accounts. (§ 717.90(e)(4))
  13. On the basis of examination procedures completed, form a conclusion about whether the federal credit union has developed and implemented an effective, comprehensive, written program designed to detect, prevent, and mitigate identity theft.

Duties of Card Issuers Regarding Changes of Address (§ 1681m(e); § 717.91)

  1. Verify that the card issuer has policies and procedures in place to assess the validity of a change of address if:
    1. It receives notification of a change of address for a consumer’s debit or credit card account; and
    2. Within a short period of time afterwards (during at least the first 30 days after it receives  such notification), the card issuer receives a request for an additional or replacement card for the same account. (§ 717.91(c))
  2. Determine whether the policies and procedures prevent the card issuer from issuing additional or replacement cards until it:
    1. Notifies the cardholder at the cardholder’s former address or by any other means previously agreed to and provides the cardholder a reasonable means to promptly report an incorrect address (§ 717.91(c)(1)(i)-(ii)); or
    2. Uses other reasonable means of evaluating the validity of the address change. (§ 717.91(c)(2))
    3. Note:  In the alternative, a card issuer may validate a change-of-address request when it is received, using the above methods, prior to receiving any request for an additional or replacement card. (§ 717.91(d))
  3. Determine whether any written or electronic notice sent to cardholders for purposes of validating a change of address request is clear and conspicuous and is provided separately from any regular correspondence with the cardholder. (§ 717.91(e))
  4. If procedural weaknesses or other risks requiring further information are noted, obtain a sample of notifications from cardholders of changes of address and requests for additional or replacement cards to determine whether the card issuer complied with the regulatory requirement to evaluate the validity of the notice of address change before issuing additional or replacement cards.
  5. On the basis of examination procedures completed, form a conclusion about whether a card issuer’s policies and procedures effectively meet regulatory requirements for evaluating the validity of change-of-address requests received in connection with credit or debit card accounts.

Disposal of Consumer Information (§ 1681w; § 717.83)

  1. Determine whether the federal credit union or other entity, or any vendor acting on its behalf, has identified the “consumer information” that it maintains or possesses.  As defined in the FCRA, consumer information means any record about an individual, in paper, electronic, or other form, that is a consumer report or is based on a consumer report that the credit union or other entity maintains for a business. “Consumer information” also includes a compilation of such information such as a loan origination or loan servicing system that contains credit scores or other information derived from consumer reports on applicants or current or past borrowers.  It does not include records that do not identify an individual. (§ 717.83(d))
  2. Determine whether the federal credit union or other entity has instituted procedures to properly dispose of any consumer information that it maintains or otherwise possesses in a way that is consistent with the NCUA’s Guidelines for Safeguarding Member Information, in § 748, Appendix A, by, for example:
    1. Burning, pulverizing, or shredding papers that contain consumer information, or destroying or erasing electronic media containing consumer information; or
    2. Destroying or erasing electronic media containing consumer information. (§ 717.83(b)).
  3. Determine whether the federal credit union or other entity periodically conducts internal audits of the effectiveness of its consumer information disposal program.

FAIR CREDIT REPORTING ACT (FCRA) (REGULATION V)
CHECKLIST

Module 1 – Obtaining Consumer Reports

Permissible Purpose

Permissible Purpose
Item Description YES NO N/A
1 If the credit union obtains or uses consumer reports, does it do so only for permissible purposes such as in connection with an application for credit or to review an existing account? (§ 1681b(a))      
2 If the credit union obtains consumer reports from a consumer reporting agency, does it certify to the consumer reporting agency the purposes for which it will obtain reports? (The certification is usually contained in a credit union’s contract with the consumer reporting agency.) (§ 1681e(a))      
3 Does the credit union obtain prescreened consumer reports and/or reports for employment purposes? If so, complete the appropriate sections of Module 3.      
4 If the credit union obtains investigative consumer reports, does it disclose that it will do so not less than three days after the report was first requested and disclose the consumer’s right to request additional information? (§ 1681d(a))      
5 If the credit union obtains investigative consumer reports, does it disclose the nature and scope of the information requested to the consumer on request, as required? (§ 1681d(b))      

Module 2 – Obtaining Information and Sharing Among Affiliates

Consumer Report and Information Sharing

Consumer Report and Information Sharing
Item Description YES NO N/A
6 If the credit union shares information other than transaction and experience information with affiliates subject to opt-out provisions, does it include information regarding how to opt out in its Gramm-Leach-Bliley Act privacy notice or otherwise? (§ 1681a(d))      
7 If the credit union shares information other than transaction and experience information with non-affiliates, does it do so only when the nonaffiliated credit union’s participation is needed to complete the transaction? (§ 1681b(a))      

Protection of Medical Information

Protection of Medical Information
Item Description YES NO N/A
8 If the credit union’s policies, procedures, and practices allow for obtaining and using consumer medical information in the context of a credit transaction, are there adequate controls in place to ensure that the information is only used subject to the financial information exception or another exception in the rules? (§ 1681b(g))      
9 Does the credit union have adequate policies and procedures in place to limit the re-disclosure of consumer medical information that was received from a consumer reporting agency or an affiliate? (§ 1681b(g))      
10 If the credit union shares medical information about a consumer with affiliates, does the sharing occur in accordance with an exception in the rules that enables the credit union to share the information without becoming a consumer reporting agency? (§ 1681b(g))      

Affiliate Marketing Opt-Out

Affiliate Marketing Opt-Out
Item Description YES NO N/A
11 If the credit union uses consumer eligibility information received from an affiliate to make a solicitation for marketing purposes that is subject to the notice and opt-out requirements, do its policies, procedures, practices and internal controls ensure that, where applicable, the consumer is provided with an appropriate notice, a reasonable opportunity, and a reasonable and simple method to opt out of the credit union’s using eligibility information to make solicitations for marketing purposes to the consumer? (§ 1681s-3; § 1022.23)      
12 If the credit union provides affiliate-marketing opt-out notices, is it honoring opt-outs? (§ 1681s-3; § 1022.23)      
13 If the credit union provides affiliate-marketing opt-out notices, are the opt-out notices clear, conspicuous, and concise and do they contain the required information, including the name of the affiliate(s) providing the notice, a general description of the types of eligibility information that may be used to make solicitations to the consumer, and the duration of the opt out? (§ 1022.23(a))      
14 If the credit union provides affiliate-marketing opt-out notices, are they clear, conspicuous, and concise and contain the required information, including the name of the affiliate(s) providing the notice, a general description of the types of eligibility information that may be used to make solicitations to the consumer, and the duration of the opt out? (§ 1022.23(a)).      
15 Do opt-out notices that are coordinated and consolidated with any other notice or disclosure required under other provisions of law (e.g., GLBA) comply with the affiliate marketing regulation? (§ 1022.23(b))      
16 Do opt-out notices and renewal notices provide the consumer a reasonable opportunity to opt out and a reasonable and simple method to opt out? (§ 1022.24 and § 1022.25).      
17 17. Are the opt-out notice and renewal notice provided (by mail, delivery or electronically) so that a consumer can reasonably be expected to actually receive them? (§ 1022.26)      
18 After an opt-out period expires, does the credit union provide a consumer a renewal notice before making solicitations based on eligibility information received from an affiliate? (§ 1022.27)      

Module 3 – Disclosures to Consumers and Miscellaneous Requirements

Use of Consumer Reports for Employment Purposes

Use of Consumer Reports for Employment Purposes
Item Description YES NO N/A
19 If the credit union obtains consumer reports on current or prospective employees, does it make appropriate disclosures in advance? (§ 1681b(b))      
20 If the credit union obtains consumer reports on current or prospective employees, does it obtain the consumer’s consent before obtaining the report? (§ 1681b(b))      
21 If the credit union obtains consumer reports on current or prospective employees, does it provide a copy of the report and a summary of the consumer’s rights before taking action against the consumer? (§ 1681b(b))      

Prescreened Consumer Reports and Opt-Out Notice

Prescreened Consumer Reports and Opt-Out Notice
Item Description YES NO N/A
22 If the credit union obtains and uses prescreened consumer reports in connection with offers of credit and/or insurance, do the credit union’s policies and procedures indicate that a list of the criteria used for prescreened offers, including all post-application criteria, is maintained in the credit union’s files and the criteria are applied consistently when consumers respond to the offers? (§ 1681b(c))      
23 If the credit union obtains and uses prescreened consumer reports in connection with offers of credit and/or insurance, do written solicitations contain the required disclosures of the right to opt-out of prescreened solicitations and comply with all requirements applicable at the time of the offer? (§ 1681m(d))      
24 If the credit union obtains and uses prescreened consumer reports in connection with offers of credit and/or insurance, does the credit union maintain the criteria used for the product (including the criteria used to generate the prescreened report and any other criteria such as collateral requirements) on file for a period of three years, beginning on the date that the credit union made the offer to the consumer? (§ 1681m(d))      

Truncation of Credit and Debit Card Account Numbers

Truncation of Credit and Debit Card Account Numbers
Item Description YES NO N/A
25 Do the credit union’s policies and procedures ensure that electronically generated receipts from ATMs and point-of-sale terminals or other machines do not contain more than the last five digits of the card number and do not contain the expiration dates? (§ 1681c(g))      

Disclosure of Credit Scores by Certain Mortgage Lenders

Disclosure of Credit Scores by Certain Mortgage Lenders
Item Description YES NO N/A
26 If the credit union uses credit scores in connection with applications for closed-end or open-end loans secured by one- to four-family residential real property, do the credit union’s policies and procedures ensure that accurate disclosures are provided to applicants as soon as is reasonably practicable after using credit scores? (§ 1681g(g))      

Adverse Action Disclosures

Adverse Action Disclosures
Item Description YES NO N/A
27 Do the policies and procedures adequately ensure that the creditor or other person provides the appropriate disclosures, including the consumer’s credit score as appropriate, when it takes adverse action against consumers based in whole or in part on information contained in a consumer report? (§ 1681m(a))      
28 Do the policies and procedures adequately ensure that the creditor or other person provides the appropriate disclosures when it takes adverse action against consumers based in whole or in part on specified information received from third parties, including affiliates? (§ 1681m(b))      

Debt Collector Communications Concerning Identity Theft

Debt Collector Communications Concerning Identity Theft
Item Description YES NO N/A
29 If the credit union collects debts for third parties, does it have policies and procedures to ensure that the third parties are notified if the credit union obtains any information that may indicate that the debt in question is the result of fraud or identity theft? (§ 1681m(g))      
30 If the credit union collects debts for third parties, does it have effective policies and procedures for providing information to consumers to whom the fraudulent debts relate? (§ 1681m(g))      

Risk-Based Pricing Notice

Risk-Based Pricing Notice
Item Description YES NO N/A
31 If the creditor (or other person) uses consumer report information to provide credit on terms that are “materially less favorable” than the most favorable material terms available to a substantial proportion of its consumers and does not qualify for an exception, does it correctly use one of the methods provided by the regulation to identify consumers who must receive a risk-based pricing notice? (Acceptable methods generally include the direct comparison method, the credit score proxy method, and the tiered pricing method.) (§ 1681m(h))      
32 If the creditor provides risk-based pricing notices, do the notices contain all required information, including the credit score, key factors, the identity of each consumer reporting agency that furnished a consumer report used in the credit decision, and other disclosures? (§ 1681m(h))      
33 When the creditor does not provide a risk-based pricing notice, does one of the situations that qualify for a regulatory exception apply—(i) consumer is granted the specific terms applied for; (ii) creditor provides a notice of adverse action; (iii) creditor makes a firm offer of credit in a prescreened solicitation (even if the creditor makes other firm offers of credit to other consumers on more favorable material terms); (iv) (“exception notice”) creditor generally provides a credit score disclosure to each consumer that requests a loan that is or will be secured by residential real property or that is not or will not be secured by residential real property and provides a disclosure for when no credit score is available? (§ 1022.74)      
34 If the creditor provides an exception notice rather than a risk-based pricing notice, does the notice contain all required information, including the credit score, key factors, and other disclosures? (§ 1022.74)      
35 If the creditor increases the consumer’s APR as the result of review of a consumer’s account, does it provide the consumer with an account review risk-based pricing notice if an adverse action notice was not already provided? (§ 1022.72(d))      
36 If the creditor provided an account review risk-based pricing notice, did it contain all required information? (§ 1022.72(d))      
37 Were all required risk-based pricing and exception notices clear and conspicuous and comply with the specific format requirements for the notices? (§ 1022.73, § 1022.74)      
38 Were all required risk-based pricing and exception notices provided within specified time frames? (§ 1022.73, § 1022.74)      

Module 4 – Duties of Users of Consumer Reports and Furnishers of Consumer Report Information

Duties of Users of Credit Reports Regarding Address Discrepancies

Duties of Users of Credit Reports Regarding Address Discrepancies
Item Description YES NO N/A
39 If the credit union uses consumer reports, does it have policies and procedures to (i) recognize notices of address discrepancy that it receives from a nationwide consumer reporting agency (NCRA) and (ii) to form a reasonable belief that the consumer report relates to the consumer whose report was requested? (§ 1022.82(c))      
40 Does the credit union have policies and procedures, when it receives notices of address discrepancy, to furnish to the NCRA an address for the consumer that the user has reasonably confirmed is accurate? (This applies when the credit union (i) forms a reasonable belief that the report relates to the consumer; (ii) establishes a continuing relationship with the consumer; and (iii) regularly, and in the ordinary course of business, furnishes information to the NCRA.) (§ 1022.82(d)(1))      
41 Do the credit unions’ policies and procedures require it to furnish the confirmed address as part of the information it regularly furnishes to an NCRA during the reporting period when it establishes a relationship with the consumer? (§ 1022.82(d)(3))      

Furnishers of Information to Consumer Reporting Agencies: General

Furnishers of Information to Consumer Reporting Agencies: General
Item Description YES NO N/A
42 If the credit union furnishes consumer information to a consumer reporting agency about an account or other relationship with a consumer, has it established and implemented reasonable policies and procedures regarding the accuracy and integrity of information furnished to a consumer reporting agency? (§ 1022.42(a))      
43 If the credit union has established policies and procedures regarding the accuracy and integrity of information furnished to a consumer reporting agency, did it consider the Interagency Guidelines in Appendix E of the regulation when developing its policies and procedures, and incorporated the guidelines as appropriate? (§ 1022.42(b))      
44 Does the credit union review its policies and procedures periodically and update them as necessary to ensure their effectiveness? (§ 1022.42(c))      
45

Does the credit union comply with specific requirements of the FCRA to:

  • Avoid reporting information that it knows, or has reasonable cause to believe, is inaccurate, or if it provides an address for the consumer to notify it of inaccuracies, to avoid reporting information if it has been notified by the consumer that the information is inaccurate and the information is, in fact, inaccurate?
  • Provide the consumer reporting agency with corrections or additional information to make information complete and accurate, and thereafter does not send the consumer reporting agency any information that remains incomplete or inaccurate?
  • Furnish a notice to a consumer reporting agency of a dispute in situations where a consumer disputes the completeness or accuracy of any information the credit union furnished, and the credit union continues furnishing the information to a consumer reporting agency?
  • Notify the consumer reporting agency of a voluntary account-closing by the consumer, and do so as part of the information regularly furnished for the period in which the account was closed?
  • Notify the consumer reporting agency of the month and year of commencement of a delinquency that immediately preceded the action? The notification to the consumer reporting agency must be made within 90 days of furnishing information about a delinquent account that is being placed for collection, charged-off, or subjected to any similar action. (§ 1681s-2(a))
     
46

Does the credit union comply with specific requirements of FCRA to:

  • Conduct an investigation with respect to information the consumer disputes with a consumer reporting agency?
  • Review all relevant information provided by the consumer reporting agency?
  • Report the results of the investigation to the consumer reporting agency?
  • Report the results of the investigation to all other nationwide consumer reporting agencies to which the information was furnished if the investigation finds the reported information was inaccurate or incomplete?
  • Modify, delete, or block the reporting of information that cannot be verified? (§ 1681s-2(b))
     
47

Does the credit union conduct reasonable investigations of direct disputes from consumers, including:

  • Review of all relevant information provided by the consumer?
  • Complete the investigation and reporting the results to the consumer within the required time frame?
  • Notify and provide corrected information to the consumer reporting agencies when its investigation finds that inaccurate information was furnished to the consumer reporting agencies?
  • Notify the consumer within five days after finding the dispute frivolous or irrelevant, and including in the consumer notification the reasons for the findings and the information necessary to investigate the disputed information? (§ 1022.43(e), (f))
     

Prevention of Re-Pollution of Consumer Reports

Prevention of Re-Pollution of Consumer Reports
Item Description YES NO N/A
48 If the credit union provides information to a consumer reporting agency, do the credit union’s policies and procedures ensure that items of information blocked because of an alleged identity theft are not re-reported to the consumer reporting agency? (§ 1681s-2(a)(6))      

Negative Information Notice

Negative Information Notice
Item Description YES NO N/A
49 If the credit union provides negative information to a nationwide consumer reporting agency, do its policies and procedures ensure that the appropriate notices are provided to consumers? (§ 1681s-2(a)(7))      

Module 5 – Consumer Alerts and Identity Theft Protections

Fraud and Active Duty Alerts

Fraud and Active Duty Alerts
Item Description YES NO N/A
50 Does the credit union has effective policies and procedures in place to verify the identity of consumers in situations in which consumer reports include fraud and/or active duty military alerts, and to contact consumers in situations where consumer reports include extended alerts? (§ 1681c-1)      

Information Available to Victims

Information Available to Victims
Item Description YES NO N/A
51 Does the credit union properly verify identities and claims of fraudulent transactions and properly disclose information to victims of identity theft and/or appropriately authorized law enforcement agents? (§ 1681g(e))      

Duties Regarding the Detection, Prevention, and Mitigation of Identity Theft

Duties Regarding the Detection, Prevention, and Mitigation of Identity Theft
Item Description YES NO N/A
52 Does the federal credit union periodically identify covered accounts it offers or maintains, by including accounts for personal, family, and household purposes that permit multiple payments or transactions; and conducting a risk assessment to identify any other accounts that pose a reasonably foreseeable risk of identity theft? (§ 1681m(e); § 717.90)      
53 If the federal credit union has identified covered accounts, has it developed and implemented a comprehensive written program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account? (§ 1681m(e); § 717.90)      

Duties of Card Issuers Regarding Changes of Address

Duties of Card Issuers Regarding Changes of Address
Item Description YES NO N/A
54 If the credit union is a card issuer, does it have policies and procedures in place to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account; and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), receives a request for an additional or replacement card for the same account? (§ 1681m(e); § 717.91(c))      
55 If the credit union is a card issuer, do its policies and procedures prevent it from issuing additional or replacement cards until it notifies the cardholder at the cardholder’s former address or by any other means previously agreed to and provides the cardholder a reasonable means to promptly report an incorrect address or uses other reasonable means of evaluating the validity of the address change? Or does the card issuer validate a change-of-address request when it is received, using the above methods, prior to receiving any request for an additional or replacement card? (§ 1681m(e); § 717.91)      
56 If the credit union is a card issuer, is any written or electronic notice sent to cardholders for purposes of validating a change of address request clear and conspicuous and provided separately from any regular correspondence with the cardholder? (§ 1681m(e); § 717.91(e))      

Disposal of Consumer Information

Item Description YES NO N/A
57 Has the federal credit union or other credit union, or any vendor acting on its behalf, identified the “consumer information” (consumer reports and individually-identifiable information derived from consumer reports) that it maintains or possesses? (§ 1681w; § 717.83(d))      
58 Has the federal credit union or other credit union instituted procedures to properly dispose of any consumer information that it maintains or otherwise possesses, e.g., by burning, pulverizing, or shredding papers that contain consumer information; or destroying or erasing electronic media containing consumer information? (§ 1681w; § 717.83(a), (b))      

 


Footnotes

[1] Pub. L. No. 108-159, 117 Stat. 1952.

[2] Section 1029 of the Dodd-Frank Act generally excludes from this transfer of authority, subject to certain exceptions, any rulemaking authority over a motor vehicle dealer that is predominantly engage in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both.

[3] These reflect FFIEC-approved procedures.

[4] These procedures do not currently contain a module on the requirements for consumer reporting agencies.

[5] A NCRA compiles and maintains files on consumers on a nationwide basis.

[6] The risk assessment and identification of covered accounts is not required to be done on an annual basis. This should be done periodically, as needed.
[7] A “covered account” includes: (i) an account primarily for personal, family, or household purposes, such as a credit card account, mortgage loan, auto loan, checking or savings account that permits multiple payments or transactions, and (ii) any other account that the credit union offers or maintains for which there is a reasonably foreseeable risk to customers or the safety and soundness of the institution from identity theft. 12 CFR 717.90(b)(3).
[8] The term “board of directors” includes, for a creditor that does not have a board of directors, a designated employee at the level of senior management.
 

Footnotes

Last modified on