Strategies for Banks to Avoid Common Fair Credit Reporting Act Violations
Consumer Affairs Update - September 2016
Published October 12, 2016 | September 2016 issue
The Fair Credit Reporting Act (FCRA) and Regulation V cover the rights of consumers related to their credit reports, including the obligations of credit reporting agencies (CRA) and the businesses that provide information to them. Examiners commonly identify violations related to these rules, given the number of technical requirements and the multiple business lines often covered by the requirements. In this article, we will summarize some of the most common violations we find. We then list steps that banks can take in advance to avoid such violations.
Common violations include the following:
- Written Policies and Procedures1 —Banks that provide customer credit information to CRAs must have written policies and procedures in place regarding the accuracy and integrity of that information. The regulation contains guidelines for what these policies and procedures should contain. Examiners often note that banks have accuracy and integrity policies, but they are often informal and not written. In addition, banks sometimes assume that other written policies, such as those related to identity theft red flags, cover the accuracy and integrity requirements, which is not usually the case.
- Risk-Based Pricing—Exception Notices2 —Some banks use consumer reports to provide certain consumers with materially less favorable terms (e.g., higher rates or fees) than other consumers. When banks risk-base price in this manner, Regulation V requires that the consumer receive a risk-based pricing notice or a risk-based pricing exception notice (also known as a credit score notice). The exception notice is more common and contains a number of disclosures, including information about how banks use credit reports, score distributions, information about how the consumer’s score compares to others, and information about the consumer’s legal rights. Examiners commonly find errors related to these notices, such as missing content, failing to give a copy to each applicant, failing to provide the Notice to Home Loan Applicant on home equity lines of credit, and failing to provide a notice to consumers with no credit score.
- Adverse Action Notices3 —A bank must provide an adverse action notice to the consumer when taking adverse action that is based on any information in a consumer report.4 The notice must contain information such as the name of the CRA that provided the report, the consumer’s right to receive a free report and dispute information, and credit score information, as applicable. The FCRA definition of “consumer report” is broad enough to cover more than just credit bureau reports. Examiners sometimes find that banks do not provide the required adverse action notice when the bank denies opening a deposit account because of information included in a consumer report (e.g., ChexSystems).
- Credit Reports for Employment Purposes5 —Disclosure Format —A bank must give a written notice to the applicant informing the individual that a credit report will be obtained in order to receive authorization to pull a credit report as part of an employment application. The notice must be on a document that consists solely of the disclosure. Examiners commonly see the disclosure combined with other disclosures or documents, including as part of the actual employment application form.
What you can do
A few straightforward steps can help limit the potential for FCRA and/or Regulation V violations. First, compliance staff should familiarize themselves with the Federal Reserve’s Consumer Compliance Handbook, which contains detailed summaries and examination procedures for most FCRA and Regulation V requirements.6 The handbook has different modules that can be used to help focus compliance reviews or audits. Compliance staff can also use the procedures to learn about regulatory requirements and evaluate internal procedures for possible compliance weaknesses in this area.
Second, identify all of the business lines that use consumer reports and confirm how they use the reports. For example, employees who pull consumer reports when opening deposit accounts or hiring staff should be familiar with the FCRA adverse action requirements. These business lines should have processes for ensuring that the bank complies with these requirements when appropriate. The bank’s internal and/or external audit should periodically verify compliance with these requirements. Likewise, consumer lenders who originate loans secured by one-to-four family residential real estate (e.g., home equity lines of credit) should ensure that they understand how to generate compliant risk-based pricing exception notices for both consumer loans and dwelling-secured loans.
Finally, periodically check the content of risk-based pricing exception notices and adverse action forms, even if you are using forms from a vendor, such as a CRA. In addition, make sure all of the default settings are correct in your automated disclosure systems and review the disclosure content after any software updates. Many times, violations related to missing content occur because disclosure templates or default settings are incorrect.
1 Regulation V section 1022.42
2 Regulation V section 1022.74
3 FCRA section 615(a)
4 Regulation B—Equal Credit Opportunity Act has additional requirements that apply when a bank takes adverse action on a loan application.
5 FCRA section 604(b)
6 Consumer Compliance Handbook, http://www.federalreserve.gov/boarddocs/supmanual/supervision_cch.htm