United States: Fair Credit Reporting Act Amendments: A Summary and Analysis

On December 4, 2003, President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (the "Amendments"), which adopts the financial service industry’s long-sought permanent preemption relating to critical provisions of the Fair Credit Reporting Act (the "FCRA").

This memorandum is intended to provide our financial service clients and friends with an initial summary of the principal changes made to the FCRA as a result of the adoption of the Amendments, as well as indicating operational concerns to be addressed as the federal agencies responsible for implementing the modifications made to the FCRA engage in an extensive rule-making process.¹

For ease of discussion, the analysis will be divided into the following sections: (a) a general overview; (b) credit reporting requirements; (c) credit theft and verification requirements; (d) preemption concerns; (e) rulemaking and effective dates; (e) miscellaneous provisions; and (f) conclusions and recommendations.²

General Information

The Amendments were the result of a two-year effort by banks and other industry members to prevent the Balkanization of the national credit reporting system by state legislatures. Specifically, because the preemption against state attempts to legislate in many areas addressed in the FCRA was scheduled to sunset on December 31, 2003, the threat of state and municipal laws being adopted made passage of the Amendments essential to avoid chaos in the retail credit market.

In return for federal preemption, however, the financial services industry was forced to consent to political compromises that expanded consumer protections, including the imposition of new obligations on both users of credit reports (herein, "Creditors") as well as credit reporting agencies ("CRAs"). To view the Amendments as merely preempting state law, therefore, ignores the impact that the Amendments ultimately will have on the lending operations of Creditors— particularly in regard to reporting, verifying and utilizing consumer credit data as part of the loan underwriting and loan administration functions.

In that regard, we offer the following observations: First, the Amendments adopt the views of consumer advocates that the credit reporting system should be modified (or more fairly balanced) by imposing on Creditors and CRAs new, substantive and procedural obligations to report and verify credit data in an accurate manner. These legislative goals were achieved by characterizing many perceived defects in the credit reporting system as "identity theft" concerns—thereby insuring congressional willingness to address and modify the FCRA to deal with these problems.

The Amendments reflect a blurring of the distinctions between privacy, credit data, identity theft and security concerns—and this point of reference might become the new central focus from which public policy issues regarding consumer data access, ownership and control will be debated in the future. Although from a policy perspective the blurring of such distinctions may be useful or expedient, the tendency of Creditors not to overlap compliance statutes and requirements becomes a challenge with regard to their day-to-day operations.³

Second, from the viewpoint of consumer advocates, the use of state legislatures as laboratories for devising and implementing solutions to difficult public policy issues has been vindicated—in particular, the Amendments adopted on a wholesale basis creative measures crafted by the California legislature in the past several years that expanded and refined the credit reporting process, including identity theft, credit scoring and credit reporting practices. This incorporation of state law credit reporting approaches into federal law may presage other state law consumer initiatives that must be addressed by lenders on a state-by-state basis until workable, uniform patterns emerge that are adopted as national standards.

Finally, in what many industry commentators believe is a significant victory, the Amendments authorize for the first time several of the federal agencies, including the Federal Trade Commission (the "FTC"), the Federal Reserve Board (the "FRB") and the other federal banking agencies to issue regulations defining and implementing the FCRA and the Amendments.⁴ While the risk of regulatory overkill is always present whenever a regulatory entity is authorized to define and interpret a statute through the issuance of regulations, the ability of the Federal Agencies to resolve interpretive issues and ambiguities inherent in the FCRA should benefit Creditors that operate best under bright-line rules governing compliance.⁵

The Credit Reporting Process ⁶

Title II of the Amendments adopts numerous refinements to the national credit reporting process in order to ensure the continued accuracy of consumer credit data. The most significant of these refinements is the adoption of a long-sought goal of consumer groups whereby consumers will now be able to "opt-out" of the transfer of credit data to affiliated companies for marketing purposes. Other refinements impose new obligations on CRAs and Creditors in regard to the use and disclosure of credit reports and credit scores when determining the availability and allocation of credit to consumers.

The following are several of the principal changes made by the Amendments with regard to the credit reporting process.

Affiliate Opt-Out. One of the battlegrounds in both the FCRA and the privacy area has been the issue of whether consumers should be permitted to exercise a right to "opt-out" of the transfer of their personal information to a company affiliated with the company with which the consumer maintains a business relationship. Although anecdotal evidence indicates that most consumers who were afforded the option to opt-out from affiliate data-sharing chose not to do so, the resolution of this issue took on near-religious significance for both consumer advocates and certain banking interests.

Section 214 of the Amendments resolves this debate by requiring that, on a go-forward basis, prior to utilizing consumer data obtained from an affiliate for marketing purposes, a consumer must be provided with a notice of his/her right to opt-out of affiliate data-sharing for five-year periods—renewable for additional five-year periods following the receipt of a new opt-out notice from the Creditor.

Rather than micro-manage the requirements of this provision—which was originally envisioned by the House and Senate bills—in a compromise the Federal Agencies are authorized to issue regulations to implement and define this important requirement. For example, while the provision does not prohibit sharing of experience information among affiliates, the use of experience information as the basis for a marketing solicitation is subject to the opt-out requirement. Similarly, several exceptions that are available—such as pre-existing business relationships—will have to be clarified by regulatory action.

It should be noted that an important exception adopted by the Conference Committee makes the limitation on data-sharing among affiliates purely prospective in nature. In other words, if prior to the effective date of the provision an affiliated group of companies merges or otherwise shares or provides access to all of its consumer data for some or all of its affiliates, those affiliated companies may continue to market to the joint database without providing the consumer a right to opt-out from the marketing effort.

Finally, as noted above, the affiliate-sharing provision is more properly a privacy issue and—but for a legislative anomaly—would have been a constituent part of the privacy provisions of the Gramm-Leach-Bliley Act (the "GLB Act"). The Amendments, however, appear to allow the Federal Agencies the flexibility to permit a Creditor to incorporate the disclosure requirements of Section 214 into the existing privacy disclosures required by the GLB Act.

Coordination of CRAs and Use of Centralized Facilities. With regard to the general credit reporting process, the Amendments create a scheme—similar to the national no-call telemarketing system recently passed by Congress—whereby consumers will be able to utilize a centralized access point for requesting free credit reports and to report inaccuracies in the same.⁷ (With regard to a credit score, a consumer will be able to obtain his/her credit score, but will be required to pay a reasonable fee—except in the case of mortgage applications—if the credit score is requested.) The Amendments shorten statutory timeframes for investigation of alleged erroneous data in a consumer’s credit file in the instances in which a credit report is provided to a consumer through the use of a centralized facility.

Expanded Obligations of Creditors. The FCRA obligations of Creditors who use consumer reports will become more complicated. We believe that the net effect of the new provisions will be to significantly increase the internal compliance responsibilities of Creditors when reporting data to CRAs, including insuring the accuracy of the data reported. In addition, the Amendments impose substantive lending restrictions that will require consideration by all Creditors, regardless of charter or license form.

First, the Amendments authorize the Federal Agencies to issue regulations requiring Creditors to adopt internal policies and procedures to verify the accuracy of data reported to CRAs. Moreover, the duty of care when reporting credit experiences to CRAs as set forth in Section 623 of the FCRA has now been strengthened, which may have the effect of increasing the liability of Creditors that avoid determining the accuracy of credit data reported to a CRA.

Second, the Amendments impose a direct obligation on a Creditor to investigate and correct alleged inaccurate credit data previously reported to CRAs—whereas formally no such duty existed. This modification was strongly advocated by the consumer lobby, which pointed out that the current structure of the FCRA did not impose any penalty on a provider of credit information to respond to inquiries from a CRA concerning erroneous data.⁸

Finally, the Amendments require that the first time a creditor makes an adverse credit report to a CRA, it must provide a notice to the consumer indicating that adverse information will be reported. Following the receipt of that notice, no further notice must be provided and the provider of consumer data may submit any additional adverse credit experience data as appropriate.⁹

Credit Scores. The Amendments address in detail refinements in the credit-scoring component of the credit reporting system.

First, the FTC is authorized to issue a model summary of the rights of the consumer to obtain copies of consumer reports, including credit scores. That right will be linked to the centralized reporting facility discussed above.

Second, consumers, on a national basis, will be entitled to obtain their credit score, along with an explanation of the credit score from a CRA.

It is important to note that special rules regarding credit scores will apply to residential mortgage lenders. In that regard, mortgage lenders originating closed-end or open-end, one- to four-family residential units must provide a credit score or proprietary credit score used by the mortgage lender. However, the Amendments incorporate virtually verbatim limitations contained in the California credit scoring statute—which specifically excludes from the definition of a credit score a "mortgage score" that is created by an underwriting engine, such as the electronic underwriting systems developed by Fannie Mae or Freddie Mac. In the instance in which a mortgage score is used to determine eligibility for a home loan, in the place of the mortgage score the Creditor will be required to provide a credit score obtained from a CRA, as well as an explanatory disclosure.

Finally, the Amendments impose another significant substantive lending/disclosure requirement in that a notice will be required to be given to consumers should the consumer’s credit extended by a Creditor result in a higher cost of credit than the optimal (i.e., lowest rate loan program) typically provided by that Creditor because of risk-based pricing. This notice must state that the credit report of the consumer has resulted—or may result—in a higher cost of credit, and should encourage the consumer to make appropriate inquiries to either the Creditor or the CRA regarding the credit report and the accuracy of the data it contains.

Thankfully, this provision was significantly modified during the Conference Committee negotiations, and now appears to constitute merely a notice requirement that discloses the impact that risk-based pricing may have on a consumer’s entitlement to credit—whereas earlier versions of the provision were complicated, transaction-specific. In that regard, we understand that the Federal Agencies may permit the required disclosure to be provided as part of the application process and as a "standard" disclosure.

The Amendments establish national procedures whereby consumers may protect their credit by requesting that CRAs flag credit files to identify instances of fraud or identity theft.¹⁰ Upon the receipt of such a request, a CRA must take several actions. First, the CRA must include the fraud or identity theft alert in the consumer’s credit file, and place a warning concerning the existence of the alert whenever a credit report or a credit score is requested by a Creditor. There are two time periods during which a fraud alert must remain in a credit file: (a) an initial period of 90 days following the receipt of the fraud alert; and (b) upon the request of the consumer, of up to seven years.¹¹

The centralized facility concept, discussed above, is also utilized in the context of fraud alerts. Following the receipt of a fraud alert, each CRA will also be obligated to notify other CRAs concerning the existence of the fraud alert. In addition, the CRA must disclose to the consumer his/her entitlement to receive two free credit reports during the ¹² months following the receipt of the fraud alert to enable the consumer to verify whether or not his or her credit has been impacted by identity theft.

It is important to note that—from the Creditor’s perspective—the initiation of a fraud alert creates a substantive limitation on a Creditor that will impact both loan underwriting and loan administration. Upon the receipt of a credit report that includes a fraud alert, a creditor will be prohibited from extending new credit to a consumer until the Creditor reasonably confirms that the person requesting the credit is not an imposter.12 In the situation in which the consumer alleges that identity theft has actually occurred, the Creditor will also be prohibited from selling, transferring or collecting on the debt obligation—unless and until the Creditor can determine that the debt was not caused by identity theft.¹³

The Amendments also establish procedures by which consumers may identify erroneous data in their credit reports arising from instances of identity theft. In such situations, a CRA receiving a notice from a consumer must "block" within four days a credit report containing alleged erroneous information and must notify the provider of the data that the erroneous data is the result of identity theft. Following the notification of the "block," the Creditor that reported the erroneous information must also take steps to avoid so-called "repollution" of the consumer’s credit file by re-reporting the erroneous credit data—unless the provider of the data determines that the credit data information is not the result of identity theft.

Finally, it is noteworthy that not only do the Amendments address the obligations of CRAs and Creditors to act responsibly following the receipt of a fraud alert, but the FCRA has also been amended to impose procedures whereby victims of identity theft may have their credit repaired. For example, following the receipt of a fraud alert, a Creditor will now be obligated to provide, without charge, information relating to the credit transaction that constituted the alleged identity theft unless it can determine "with a high degree of confidence" that the alleged identity theft did not occur. This provision—which is effective 180 days after the effective date of the Amendments, discussed below—will require Creditors to adopt policies and procedures to comply with demands from consumers for internal information regarding transactions involving alleged identity theft.

The Amendments establish two forms of federal preemption, which must be considered by Creditors and CRAs. First, as noted above, the preemption contained in Section 624 that was expiring at the end of 2003— which prohibited states from adopting laws concerning credit reporting—has been made permanent. In addition, specific new prohibitions have been added in regard to credit reporting provision added to the FCRA, including: (i) truncation of credit and debit cards and Social Security numbers; (ii) identity theft; (iii) blocking of disputed information; (iv) providing annual copies of credit reports; and (v) procedures to investigate and resolve consumer complaints. The effect of this permanent preemption arguably prevents states and local governmental units from adopting statutes or ordinances that supplement or expand upon the FCRA’s provisions.

Second, a limited preemption has been adopted for identity theft issues addressed by the Amendments, whereby a state is prohibited from adopting additional limitations that are contradictory to the approach incorporated into the FCRA.

When determining the scope of the preemption intended by the Amendments, we note that the tension between the ability of state legislatures and the national credit system adopted by the Amendments will probably require regulatory interpretation by the Federal Agencies and possibly litigation over the next several years in order to be resolved. For example, while Creditors will argue that the permanent preemption constitutes so-called "field" preemption and forecloses legislative interference by state entities, local officials may take the position that some degree of additional statutory tinkering is permissible. In any event, it is hoped that the comprehensive approach to identity theft adopted by the Amendments will be given sufficient time by local governmental entities to be implemented and evaluated before further local measures are considered.

In addition, we note that the rule-making process contemplated by the Amendments may significantly impact the degree and effectiveness of the federal preemption. In that regard, for the first time the Federal Agencies will be authorized to issue regulations regarding the implementation of the FCRA. Inherent in this regulatory authority appears to be the ability of the Federal Agencies to define the extent of preemption as now contained in the FCRA, and in particular, the ability of Creditors to comply with the same without running afoul of comparable state laws.

This ability to address critical preemption issues makes the rule-making process contemplated by the Amendments of particular importance to Creditors. Accordingly, we strongly recommend that our clients participate in the upcoming rule-making process, either directly through the submission of comments to the Federal Agencies or through participating trade associations.

Although the Amendments are interspersed with provisions that confirm that the legislation was written by a committee, the following are several of the more significant stand-alone provisions:

Truncation. The Amendments adopt changes to Section 605 of the FCRA to require that, within a three-year period, receipts for credit cards and debit cards must have the card identification numbers truncated rather than printed in full on the receipt. Timeframes are specified for the effective date of these modifications based upon the date that the card-receipt machines are put into use.

In addition, the Amendments provide that a consumer will be authorized to notify a CRA and to have the consumer’s Social Security number truncated in the credit file.

Medical Data. The current prohibition in Section 604 of the FCRA against the reporting of medical data has been expanded by imposing new procedural and notice requirements prior to permitting the inclusion of medical data in a consumer report. Among other things, in relation to applications for insurance and employment, an affirmative authorization must be obtained from the consumer prior to obtaining the medical data.¹⁴

Disposal of Consumer Data. The Amendments contain a loosely worded requirement that addresses the obligation of a Creditor to properly dispose of consumer data when the Creditor no longer requires the same. Although the provision could be read as requiring that credit data must be destroyed following the completion of the credit relationship, we have been informed that the intention of the provision is to merely require that prudent safeguards must be adopted by Creditors should a determination ever be made to dispose of consumer credit data in possession of a Creditor.

Regulation and Effective Dates

As noted above, the Amendments are somewhat skewed in their internal approach to authorizing the Federal Agencies to issue regulations, as well as the effective date for the various provisions of the regulations—due in no small part to the fact that the Amendments were the subject of protracted negotiations by various interest groups. Section 3 of the Amendments requires the FRB and the FTC to issue joint regulations "establishing the effective dates for each of the provisions of the [Amendments]."

As of the date of this memorandum, the FRB and the FTC announced their intention to issue two regulations to determine the effective dates for various provisions of the Amendments that do not contain specific effective dates. For provisions that are self-effectuating, the proposed regulation would set March 31, 2004 as the effective date for those provisions. For all other provisions that will require rulemaking, including public notice and comment, the draft regulations propose December 1, 2004 as the effective date—thereby providing Creditors and CRAs appropriate time to implement required policies and procedures.

In addition to the foregoing, the methodology set forth in Section 3 for determining effective dates has created the untended consequence whereby the current preemptions set forth in Section 624 of the FCRA could sunset without the new permanent preemption becoming effective. In that regard, the FRB and the FTC have announced their intention to issue an interim regulation whereby Section 711 of the Amendments and related provisions—which establish the permanent preemption for specified credit reporting issues pursuant to Amendments—will become effective December 31, 2003.

We strongly urge clients to closely monitor this rulemaking process. Among other things, from a historical perspective, joint agency rulemakings are virtually never finalized within statutory timeframes. More importantly from a Creditor’s perspective, the timeframe needed to implement final regulations may require a period well beyond the proposed December 1, 2004 effective date. Similarly, provisions that will become effective on March 31, 2004 will also require the development of policies and procedures to ensure compliance, as well as other provisions of the Amendments that contain specific effective dates and impose affirmative requirements.¹⁵

We trust that this article is useful in identifying many of the significant procedural and substantive changes made by the Amendments. In that regard, please note that this memorandum is intended to be a summary, and many of the obligations discussed herein may require additional review and analysis.

This article is presented for informational purposes only and is not intended to constitute legal advice.