December 18, 2003
FAIR CREDIT REPORTING ACT
By: Sandra Norman-Eady, Chief Attorney
You wanted to know the areas of state law pre-empted by a recent amendment to the federal Fair Credit Reporting Act (FCRA).
On December 4, 2003, President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which makes permanent the FCRA's preemption provisions that were set to expire on January 1, 2004. These provisions cover: (1) the information that may be included in consumer reports, (2) the responsibilities of people who furnish information to consumer reporting agencies, (3) the duties of people to provide adverse action notices to consumers in connection with the use of consumer reports, (4) the procedures a consumer reporting agency must use if a consumer disputes the accuracy of information, (5) prescreening activities involving the use of consumer reports for credit or insurance transactions not initiated by consumers, (6) the exchange of information among affiliated institutions, and (7) the form or content of the summary of rights a consumer reporting agency (CRA) must provide to a consumer when it provides the consumer with information in the consumer's credit file. FACTA broadens the FCRA's provision on consumers' access to credit reports, enhances the accuracy of these reports, limits the use and sharing of medical information, and establishes a Financial Literacy and Education Commission.
FACTA prohibits states from imposing requirements or prohibitions on the areas of law covered by the preemption that are inconsistent with the act. FACTA eliminates a provision of the FCRA that allowed states to enact laws that afforded consumers greater protection than the federal law.
FACTA extends the FCRA's areas of preemption to include fraud or identity theft alerts, the blocking of information resulting from identity theft, the truncation of credit card and debit card account numbers, the truncation of Social Security numbers, prohibitions against the sale or transfer of debt caused by identity theft, notice by debt collectors of fraudulent information, coordination of identity theft complaint investigations and prevention of repollution (secondary disclosure of consumer reports that contain information resulting from identity theft) reports.
The preemption does not, however, apply to state laws that are outside of the areas covered by the act or the resulting federal agency regulations, such as state laws governing the sale or use of social security numbers, alerts for data base hackings, or increased criminal penalties for identity theft perpetrators.
Also, a new provision in the act states specifically that nothing in the FCRA is intended to preempt state laws regulating the use of credit-based insurance scores or disclosure of their use. Apparently, this provision would allow states to issue rules permitting the use of credit reports in setting insurance rates and would allow the states to determine the contents of any notice.
FACTA requires the Board of Governors of the Federal Reserve System and the Federal Trade Commission (FTC) to establish joint regulations, setting an effective date for each of the act's provisions. These dates must be as early as possible, but no later than 10 months after the regulations are issued in final form. The regulations must be presented in final form within two months of the act's enactment.
The remainder of this report is a brief section-by-section summary of FACTA.
FAIR AND ACCURATE CREDIT TRANSACTION ACT OF 2003
Identity Theft Prevention (§§ 112-115)
Fraud or Identity Theft Alerts. The act requires CRAs, upon a consumer's (1) good faith allegation of identity theft or fraud, and (2) request, to include a fraud alert in the consumer's file for at least 90 days (one-call fraud alert). It requires the agencies to inform the consumer that he may request a free copy of his file.
The act requires CRAs, upon the request of a consumer who files an identity theft report and proof of identity, to include a fraud report in the consumer's file for seven years (unless the consumer requests its removal). The agencies must exclude the consumer, for the first five years, from any list provided to a third party that offers consumers unsolicited credit or insurance. It requires the agencies to inform the consumer that he may request two free copies of the fraud alert file.
The act requires CRAs, upon an active duty military consumer's request, to include an active duty alert in the consumer's file for at least 12 months (unless the consumer requests its removal), and exclude the consumer, for two years, from any list provided to a third party that offers consumers unsolicited credit or insurance.
The act requires CRAs that receive fraud or active duty alerts to (1) refer them to other CRAs and (2) establish compliance procedures. Agencies that receive alerts from other agencies must follow the same disclosure procedures.
The act requires CRAs that assemble and merge consumer information for a third party that does not use it to create new reports (resellers) to include fraud alerts in their reports.
Lastly, the act requires consumer reports containing initial and extended fraud alerts to notify prospective users to verify the consumer's identity before extending any additional credit in his name. Prospective users are prohibited from extending credit until the verification is completed.
Truncation of Credit and Debit Card Numbers. The act mandates that electronic receipts of credit or debit card sales contain no more than the last five digits of the card number or its expiration date. The mandate applies beginning December 2004 to electronic receipt machines in use on or after January 1, 2005 and December 2006 to such machines first used before January 1, 2005.
Procedure for Identifying Possible Identity Theft. The act directs federal banking agencies, the National Credit Union Administration (NCUA), and the FTC to establish guidelines and prescribe regulations: (1) identifying possible identity theft risks to account holders or to the safety and soundness of an institution or customers; and (2) prohibiting card issuers from issuing additional or replacement cards within 30 days after receiving a change of address notice unless certain steps are taken to verify such change of address. The guidelines must be consistent with those established by the Treasury secretary for verifying information.
Truncation of Social Security Numbers. The act requires CRAs to exclude the first five digits of the consumer's Social Security number from disclosure upon his request. The agencies must have appropriate proof of the requestor's identity.
Protection and Restoration of Identity Theft Victims' Credit History (§§ 151-157)
Identity Theft Victims' Rights. The act directs the FTC, in consultation with the federal banking agencies and NCUA, to prescribe the form and content of a summary of consumer rights on the procedures for remedying the effects of fraud or identity theft involving credit, electronic funds transfers, or accounts or transactions at or with a financial institution. It prescribes procedural guidelines under which a business entity must provide a copy of the business records of alleged identity theft to the victim and to any law enforcement agency or officer specified by the victim or investigating the identity theft.
Lastly, it requires the FTC to implement a public education campaign on identity theft by December 2005.
Blocking Identity Theft Information. The act requires CRAs to block the reporting of information that a consumer alleges resulted from identity theft. It cites circumstances under which such agencies may decline to block, or may rescind any block of information. It prescribes special rules governing resellers or verification companies that are notified of information in a consumer's file resulting from identity theft. Blocked information must be made available to federal, state, and local law enforcement agencies.
Reporting Identity Theft and Fraud. The act requires CRAs to develop a procedure for referring the existence of a block, consumers' allegations of identity theft, and requests for fraud alerts to other similar reporting agencies. It also requires the agencies to annually report a summary of consumer identity theft and fraud alert complaints to the FTC. It directs the FTC, in consultation with the federal banking agencies and NCUA, to develop a form and procedure for consumers to report identity theft.
Preventing Consumer Reports Repollution. The act requires people who furnish information to CRAs to have procedures for preventing the reporting of blocked information. It prohibits debt collectors from selling, transferring, or trying to collect a debt that resulted from identity theft. It also requires debt collectors for creditors or other users of consumer reports to (1) notify these third parties when the debt results from identity theft and (2) give the consumer information that is available to him to dispute a debt.
Statute of Limitations. The act extends the civil statute of limitations for FCRA violations from two to five years after the date on which the violation occurs (but not later than two years after the violation is discovered).
Technology as Identity Theft Combatant. The act requires the Treasury Secretary, in consultation with other entities, such as state and local government agencies, state prosecutors, and law enforcement, to conduct a six-month study on how biometrics and other technologies may be used to reduce the incidence and costs of identity theft.
Improving the Use of and Consumer Access to Credit Information (§§ 211-217)
Free Consumer Reports. Upon request, the act requires CRAs and specialty CRAs to furnish one free credit report to consumers during any 12-month period. The duty applies to regular CRAs only if the request is made using the centralized system the act establishes. Specialty CRAs are those that maintain files on medical records or payments, residential or tenant history, check writing history, employment history, or insurance claims. The act also requires, upon consumer request, free disclosures in connection with fraud alerts.
The act requires the FTC to issue regulations, within six months after the act's passage, that streamline the process for consumers to request consumer reports.
The act directs the FTC to prepare a model summary of consumer rights for: (1) obtaining and disputing information in consumer reports, and (2) obtaining credit scores. It requires CRAs to include with their disclosures, the summary, a toll-free number, a list of enforcement agencies, and a statement that accurate derogatory information will not be removed from consumer reports.
Disclosure of Credit Scores. The act requires CRAs that maintain credit scores on file, upon request from a consumer, to provide the (1) consumer's current credit score, (2) the range of possible scores, (3) all of the key factors that adversely affected the score, (4) the date the score was created, and (5) the name of the person or entity that provided the score. A “credit score” is a numerical value derived from a statistical tool or modeling system used by lenders to predict the likelihood of certain credit behavior.
It requires mortgage lenders who use credit scores to give consumers a copy of the information CRAs are required to provide. The disclosure requirements do not limit, annul, affect, or supersede state laws regulating insurers' use of credit-based insurance scores.
Opt-Out of Credit and Insurance Marketing. By law, a consumer may elect to have his name and address excluded from CRAs' prescreened lists of consumers who will receive unsolicited credit or insurance information. The act extends, from two years to five years, the effective period during which consumers may opt to have their information excluded.
The act requires a study and a report to be submitted to Congress within a year on the current mechanism for opting out of prescreen lists, the extent to which consumers use these mechanisms, the benefits of receiving written offers of credit or insurance, the adverse effects of receiving these offers, and the effect restricting these offers will have on consumers.
Affiliate Sharing. The act requires affiliates who exchange consumer information for market solicitation purposes to: (1) alert consumers to such practice; and (2) allow the consumer to prohibit for at least five years (renewable in five-year intervals) all solicitation for marketing purposes. It authorizes such affiliates to allow the consumer to choose from different options to prohibit solicitations, including the types of entities and information covered and solicitation methods.
It directs federal banking agencies, the NCUA, and the FTC to: (1) promulgate regulations limiting affiliate sharing of consumer information for solicitation purposes; and (2) study and report to Congress on consumer information sharing by users of consumer reports, including financial institution affiliates.
Credit Scores Effect on Availability and Affordability of Financial Products. The act requires the FTC to study and report to Congress on: (1) the effects of the use of credit scores and credit-based insurance scores on the availability and affordability of financial products and services; (2) the correlation between the factors considered by credit score systems and the quantifiable risks and actual losses businesses experience; (3) the extent to which the use of credit scoring models, credit scores, and credit-based insurance scores benefit or negatively affect people based on geography, income, ethnicity, race, color, religion, national origin, age, sex, marital status, or creed; and (4) the extent to which credit scoring systems are used by businesses, the factors considered by such systems, and the effects of those variables not considered.
Disposal of Consumer Record and Information. The act directs the FTC to issue final regulations requiring proper disposal of consumer information or any compilation of it that is derived from consumer reports for a business purpose.
Disclosure of Negative Consumer Information. The act requires financial institutions that extend credit and regularly furnish information to CRAs to give consumers written notice of any negative information the institutions furnish. The notice must be provided no later than 30 days after the information is furnished. The notice may be included with other materials provided to consumers, but must be clear and conspicuous.
Enhancing Reports' Accuracy (§§ 311-319)
Duties of Consumer Report Users. The act requires anyone who uses a consumer credit report to grant, extend, or otherwise provide credit to give the consumer notice of such use. The notice must (1) inform consumers that credit terms are based on information from the consumer report, (2) identify the CRAs that furnished the report, (3) inform consumers that they may get a free copy of their credit report from the CRAs, and (4) tell consumers how to contact the appropriate CRAs.
Accuracy and Integrity of Reports to CRAs. The act directs the federal banking agencies, NCUA, and FTC to coordinate guidelines and regulations governing the accuracy and completeness of information provided by furnishers of consumer information to CRAs. It requires the
furnishers to consult with one another to ensure consistency in the regulations. The regulations must include dispute resolution procedures that afford consumers the opportunity to notify furnishers of inaccurate information and require furnishers to conduct an investigation.
When developing guidelines, the act requires the agencies to (1) identify practices that compromise accuracy and integrity, (2) review the methods used to furnish information to CRAs, (3) determine whether furnishers maintain and enforce policies to ensure the accuracy and integrity of information, and (4) examine the policies and processes that furnishers employ to conduct reinvestigations and correct inaccurate information.
The act revises limitations on liability and enforcement in connection with willful and negligent noncompliance by furnishers of consumer information to CRAs.
Procedure Where Accuracy Disputed. The act requires the FTC to compile all consumer complaints, except those discovered during an investigation, alleging inaccurate or incomplete information in consumer credit reports and to send each complaint to the appropriate CRAs. These CRAs must review the complaints to assure that all legal obligations are met, regularly report their determinations to the FTC, and maintain disposition records for a reasonable period of time. The act requires CRAs to promptly delete or modify information found to be incorrect upon reinvestigation. The CRAs must provide furnishers of the information with notice of their findings. The furnishers must delete or modify, as appropriate, incorrect information.
The FTC must annually report to Congress information learned under this section and study CRAs' compliance with procedures on handling accuracy disputes.
Reconciling Addresses. The act requires CRAs to notify consumer report users whenever the consumer address contained in a report differs substantially from that provided by the user when it requested the report. It directs federal banking agencies, the NCUA, and the FTC to promulgate procedural guidelines that consumer report users should employ to reconcile a consumer's address with the CRAs by furnishing such address to the agencies as part of their regularly furnished information.
Notice of Dispute Through Resellers. The act requires CRAs to reinvestigate consumer disputes forwarded to them by resellers of consumer reports. If a reseller receives notice from a consumer of a dispute concerning the integrity or accuracy of information in a consumer report, the reseller must, within five days, determine the integrity or accuracy of the information and correct any errors.
Reasonable Reinvestigation Requirement. The act requires CRAs that prepared a consumer report with information disputed by the consumer to conduct a reasonable investigation (free of charge) to determine whether the disputed information is inaccurate.
Studies of Fair Credit Reporting Issues. The act requires the FTC to study and report to Congress ways to improve the operation of the FCRA, in particular: (1) the efficacy of increasing the number of points of identifying information a CRA must match to ensure that a consumer is the correct individual to whom a credit report relates before releasing the report to a user; (2) mandatory notification of consumers when negative information has been added to their credit reports; (3) the effects of requiring that a consumer experiencing an adverse action receive a copy of the same credit report on which the creditor relied in taking the adverse action; (4) any common financial transactions not generally reported to CRAs that would provide useful information in determining creditworthiness; and (5) any actions that might be taken within a voluntary reporting system to encourage the reporting of those types of transactions not generally reported.
The act also requires the commission to study the accuracy and completeness of information contained in consumer reports prepared or maintained by CRAs and methods for improving the accuracy and completeness of such information.
Using and Sharing Medical Information in the Financial System (§§ 411 and 412)
With one exception, the act requires specific affirmative consumer consent (opt-in) regarding the use and sharing of medical information by CRAs for employment or insurance purposes. The information may be so used and shared if it contains codes that do not identify, or provide information sufficient to infer, the specific provider or the nature of the medical service, products, or devices.
The act prohibits lenders from using medical information to determine a consumer's eligibility for credit, unless the information is obtained pursuant to a regulation or order of a federal banking agency, the NCUA, the FTC, or an applicable state insurance authority. It directs federal banking agencies and the NCUA to prescribe regulations limiting the use of such medical information.
The act prohibits affiliates from sharing consumer reports of medical information among themselves, unless the information is provided in connection with the issuance of annuities or insurance in compliance with the act or Health Insurance Portability and Accountability Act (HIPAA).
Lastly, the act requires information furnishers whose primary business is providing medical services, products, or devices to notify any CRA to which they furnish consumer information that they are medical information furnishers, for purposes of compliance with medical information coding requirements.
Financial Literacy and Education (§§ 511-518)
The act establishes the Financial Literacy and Education Commission to: (1) improve federal financial literacy and education programs, grants, and materials; (2) establish a website and a toll-free telephone number for the public; (3) develop and disseminate public education materials; (4) coordinate and promote financial literacy and education at the state and local level; (5) develop a national strategy promoting basic financial literacy and education among all Americans; and (6) report its activities to Congress.
It directs the comptroller general to give Congress a report on the commission's effectiveness in promoting financial literacy and education.
Protecting Employee Misconduct Investigations (§ 611)
The act excludes certain communications for employee investigations from the definition of “consumer report.” “Consumer report” does not include communications to an employer in connection with the investigation of employee misconduct or compliance with the law, the rules of a self-regulatory organization, or the employer's pre-existing written policies that are not made to investigate a consumer's credit worthiness and only disclosed as specified by law. However, employers are required to give employees a summary of the nature and substance of any communication that forms the basis for any adverse action.