Consumer Compliance

FCRA Compliance: The Fair Credit Reporting Act and Regulation V

The short version

The Fair Credit Reporting Act governs how consumer report information is collected, shared, and used. It is implemented by Regulation V and reaches three kinds of players: consumer reporting agencies that compile reports, furnishers that supply data to them, and the users who obtain reports to make decisions. Its core rules are that a consumer report may be obtained only for a permissible purpose, that the information must be accurate and that consumers can dispute it, and that a user who takes adverse action based on a report must tell the consumer. Identity-theft and disposal duties round it out.

The Fair Credit Reporting Act is the law that turns the credit-reporting system into a regulated one. Almost any company that pulls a credit report, reports payment data, or uses a background check touches it, often without realizing the role it occupies under the statute. This guide covers who is covered, permissible purpose, the accuracy and dispute duties, adverse action, and where FCRA programs fall short.

Who is covered

RoleWhat it is
Consumer reporting agency (CRA)An entity that assembles or evaluates consumer credit information to furnish consumer reports to third parties, such as the nationwide credit bureaus and many specialty agencies.
FurnisherAn entity that provides information about consumers to a CRA, such as a lender reporting payment history.
UserAn entity that obtains and uses a consumer report to make a decision, such as a creditor, employer, or landlord.

A single company is often more than one of these at once. A lender that pulls reports to underwrite is a user, and if it reports repayment data it is also a furnisher. The duties attach to the role, so a company has to know which roles it occupies.

Permissible purpose

A consumer report may be obtained only for a purpose the FCRA permits, such as a credit transaction the consumer initiated, employment with the consumer's authorization, account review, or another listed purpose. Pulling a report without a permissible purpose is a violation in itself, regardless of what the report shows. The permissible-purpose rule is the gate, and it is the most common place FCRA programs fail.

Accuracy and disputes

The FCRA imposes accuracy and dispute duties on both CRAs and furnishers. A CRA must follow reasonable procedures to assure maximum possible accuracy and must investigate consumer disputes. A furnisher must not report information it knows or has reasonable cause to believe is inaccurate, must correct and update, and must investigate disputes referred to it by a CRA. The dispute process is a defined-timeline obligation, and a furnisher that ignores it carries direct liability.

Adverse action

A user that takes adverse action based in whole or in part on a consumer report must provide an adverse action notice that identifies the CRA that supplied the report, states that the CRA did not make the decision, and tells the consumer of the right to a free copy of the report and to dispute its accuracy. In credit, this duty overlaps with the adverse action notice required under Regulation B, and the two are usually satisfied together.

Identity theft and disposal

The FCRA also carries identity-theft protections, including fraud alerts and the duties associated with red-flags identity-theft prevention programs for covered entities, and a disposal rule requiring reasonable measures to dispose of consumer report information so it cannot be reconstructed.

Where it goes wrong

FCRA compliance follows the role a company occupies in the credit-reporting system, and most companies occupy more than one. For the structure that manages it, see the Compliance Management System guide; for the related credit-decision fairness rules, see the fair lending guide.

Primary sources

Common questions

Who must comply with the FCRA?
Three kinds of players: consumer reporting agencies that compile and furnish consumer reports, furnishers that supply consumer information to those agencies, and users that obtain and use reports to make decisions. A single company is often more than one at once, and the duties attach to the role.
What is a permissible purpose under the FCRA?
A consumer report may be obtained only for a purpose the FCRA permits, such as a credit transaction the consumer initiated, employment with the consumer's written authorization, account review, or another listed purpose. Obtaining a report without a permissible purpose is itself a violation, regardless of the report's contents.
What are a furnisher's duties under the FCRA?
A furnisher must not report information it knows or has reasonable cause to believe is inaccurate, must correct and update information, and must investigate disputes referred to it by a consumer reporting agency within the required timeline. A furnisher that ignores a dispute carries direct liability.
When is an FCRA adverse action notice required?
When a user takes adverse action based in whole or in part on a consumer report. The notice identifies the agency that supplied the report, states that the agency did not make the decision, and tells the consumer of the right to a free copy and to dispute the report. In credit it usually overlaps with the Regulation B adverse action notice.
From the team behind this guide

FCRA compliance mapped to your roles

Compliance Command Center identifies which FCRA roles a company occupies, builds the permissible-purpose, dispute, and adverse-action controls each role requires, and documents the evidence. Practitioners build it, with a human reviewing every deliverable, so the program holds up to an examiner or a dispute.

See Compliance Command Center Talk to a Practitioner