The Fair Credit Reporting Act governs how consumer report information is collected, shared, and used. It is implemented by Regulation V and reaches three kinds of players: consumer reporting agencies that compile reports, furnishers that supply data to them, and the users who obtain reports to make decisions. Its core rules are that a consumer report may be obtained only for a permissible purpose, that the information must be accurate and that consumers can dispute it, and that a user who takes adverse action based on a report must tell the consumer. Identity-theft and disposal duties round it out.
The Fair Credit Reporting Act is the law that turns the credit-reporting system into a regulated one. Almost any company that pulls a credit report, reports payment data, or uses a background check touches it, often without realizing the role it occupies under the statute. This guide covers who is covered, permissible purpose, the accuracy and dispute duties, adverse action, and where FCRA programs fall short.
Who is covered
| Role | What it is |
|---|---|
| Consumer reporting agency (CRA) | An entity that assembles or evaluates consumer credit information to furnish consumer reports to third parties, such as the nationwide credit bureaus and many specialty agencies. |
| Furnisher | An entity that provides information about consumers to a CRA, such as a lender reporting payment history. |
| User | An entity that obtains and uses a consumer report to make a decision, such as a creditor, employer, or landlord. |
A single company is often more than one of these at once. A lender that pulls reports to underwrite is a user, and if it reports repayment data it is also a furnisher. The duties attach to the role, so a company has to know which roles it occupies.
Permissible purpose
A consumer report may be obtained only for a purpose the FCRA permits, such as a credit transaction the consumer initiated, employment with the consumer's authorization, account review, or another listed purpose. Pulling a report without a permissible purpose is a violation in itself, regardless of what the report shows. The permissible-purpose rule is the gate, and it is the most common place FCRA programs fail.
Accuracy and disputes
The FCRA imposes accuracy and dispute duties on both CRAs and furnishers. A CRA must follow reasonable procedures to assure maximum possible accuracy and must investigate consumer disputes. A furnisher must not report information it knows or has reasonable cause to believe is inaccurate, must correct and update, and must investigate disputes referred to it by a CRA. The dispute process is a defined-timeline obligation, and a furnisher that ignores it carries direct liability.
Adverse action
A user that takes adverse action based in whole or in part on a consumer report must provide an adverse action notice that identifies the CRA that supplied the report, states that the CRA did not make the decision, and tells the consumer of the right to a free copy of the report and to dispute its accuracy. In credit, this duty overlaps with the adverse action notice required under Regulation B, and the two are usually satisfied together.
Identity theft and disposal
The FCRA also carries identity-theft protections, including fraud alerts and the duties associated with red-flags identity-theft prevention programs for covered entities, and a disposal rule requiring reasonable measures to dispose of consumer report information so it cannot be reconstructed.
Where it goes wrong
- No permissible purpose. Reports are pulled for a purpose the statute does not allow, or the permissible purpose is never documented.
- Furnisher disputes ignored. A company that reports data treats disputes as the bureau's problem, missing its own direct investigation duty.
- Incomplete adverse action. The adverse action notice omits the CRA identification or the consumer's rights, or is not sent at all.
FCRA compliance follows the role a company occupies in the credit-reporting system, and most companies occupy more than one. For the structure that manages it, see the Compliance Management System guide; for the related credit-decision fairness rules, see the fair lending guide.
Primary sources
- Fair Credit Reporting Act (15 U.S.C. 1681) and Regulation V (12 CFR 1022): The statute governing the accuracy, use, and disclosure of consumer report information, and its implementing regulation.
- CFPB Supervision and Examination Manual, Compliance Management Review: The CFPB's framework for a Compliance Management System: board and management oversight plus a compliance program of policies and procedures, training, monitoring and audit, and consumer complaint response.