This article summarizes the revised examination procedures for the Fair Credit Reporting Act (FCRA) that the Federal Financial Institutions Examination Council (FFIEC) Task Force on Consumer Compliance approved on November 14, 2005. Among other things, the revised procedures address provisions of the FCRA that were substantially amended by the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).1 The revised examination procedures replace the interim guidance for reviewing compliance, which was effective December 1, 2004. This article will help financial institutions prepare for their next compliance examination by understanding the revised procedures examiners will be utilizing to verify compliance with the FCRA.
Background and Summary of FCRA and FACT Act
The FCRA imposes significant responsibilities on business entities that qualify as consumer reporting agencies and lesser responsibilities on those that do not. A consumer reporting agency is defined as any person who regularly engages in the practice of assembling or evaluating consumer credit information for the purpose of selling consumer reports to third parties. Financial institutions are generally not considered consumer reporting agencies; however, if they engage in certain types of information sharing practices, they can be deemed a consumer reporting agency.
In addition to the requirements for financial institutions acting as consumer reporting agencies, FCRA requirements apply to financial institutions that engage in the following activities:
Structure and Overview of Examination Procedures
The revised FCRA examination procedures are organized as a series of six modules. This structure allows examiners to risk-focus the FCRA review according to a financial institution’s operations. Specifically, if a module is not applicable to a financial institution’s operations, it is excluded from the examination scope. General information about each module’s requirements is given below. The actual examination procedures for each of the modules are contained in Appendix A to the examination procedures, discussed later in this article.
Module 1: Obtaining Consumer Reports. Consumer reporting agencies retain a significant amount of financial information about consumers. This information is invaluable when assessing a consumer’s creditworthiness for financial products and services, such as loans, deposit accounts, insurance, leases, and more. The FCRA regulates creditors’ ability to access this information to ensure that they use it for permissible purposes. It requires any prospective “user” of a consumer report (such as a lender, insurer, landlord, or employer) to have a legal purpose to obtain it.
Given the prevalence of electronically available information and the growth of identity theft, financial institutions must manage the risks associated with obtaining and using consumer reports. Module 1 verifies that financial institutions are employing procedures, controls, and other safeguards to ensure that consumer reports are obtained and used only for permissible purposes. Once the information is acquired, an institution’s information security program governs the procedures to access, store, and destroy it. However, the procedures to obtain a consumer report must be in compliance with the FCRA.
Module 2: Obtaining Information and Sharing Among Affiliates. The FCRA contains many substantive compliance requirements for consumer reporting agencies to ensure the accuracy and integrity of the consumer reporting system. Banks, credit unions, and thrifts have a significant amount of consumer information that could constitute a consumer report, and, thus, communicating this information could qualify the institution as a consumer reporting agency. However, the FCRA contains several exceptions that allow a financial institution to communicate this type of information, within strict guidelines, without being designated a consumer reporting agency.
Instead of containing strict information sharing prohibitions, the FCRA creates a business disincentive. If an institution shares consumer report information outside of the exceptions, it is considered a consumer reporting agency, and, therefore, it is subject to the significant compliance requirements under the FCRA. Consequently, most financial institutions structure their information sharing practices within the exceptions to avoid being designated a consumer reporting agency.
This examination module covers various information sharing practices within these exceptions. If examiners determine that a financial institution’s information sharing practices fall outside of these exceptions, it can be considered a consumer reporting agency, and examiners will have to complete the examination procedures specified in Module 6.2
Module 3: Disclosures to Consumers and Miscellaneous Requirements. The FCRA requires financial institutions to provide consumers with notices and information under a variety of circumstances. This module examines compliance in these areas.
Module 4: Financial Institutions as Furnishers of Information. The FCRA imposes many responsibilities on financial institutions that furnish information to consumer reporting agencies. These requirements generally involve ensuring the accuracy of the data that are placed in the consumer reporting system. Financial institutions that do not furnish any information to consumer reporting agencies will not be examined under this module.
Module 5: Consumer Alerts and Identity Theft Protections. The FCRA contains several provisions for both consumer reporting agencies and users of consumer reports that are designed to help combat identity theft. This module applies to financial institutions that are not consumer reporting agencies, but that are users of consumer reports.
To combat identity theft, the FCRA imposes two primary requirements. First, a user of a consumer report that contains a fraud or active duty alert must take steps to verify the identity of the individual to whom the consumer report relates. Second, a financial institution must disclose certain information when consumers allege they are victims of identity theft.
Module 6: Requirements for Consumer Reporting Agencies. The FFIEC will add the procedures for Module 6 at a later date. Examiners will not review compliance with the consumer reporting agency requirements until the new procedures are developed.
Appendix A—FCRA Examination Procedures
The FCRA examination objectives are as follows:
Initial Procedures. The initial procedures are designed to acquaint examiners with the operations and processes of the institution under examination. They focus on an institution’s systems, controls, policies, and procedures, including audits and previous examination findings. The extent to which the FCRA and its implementing regulations apply depends on an institution’s unique operations.
The FCRA contains many different requirements that a financial institution must follow, even if it is not a consumer reporting agency. Subsequent to the passage of the FACT Act, some of the individual compliance responsibilities are set forth directly in the statute, while others are within joint interagency regulations. Still others are included in regulations set by some of the regulatory agencies. The modules present examination responsibilities by subject matter versus the regulatory or statutory construction.
Examination Process. Examiners will follow the steps outlined below to determine which modules apply to each financial institution and which modules will be completed as part of their examination scope.
1. Determine whether the institution’s internal controls are adequate to ensure compliance in the area under review through discussions with management and review of available information. The following data will be reviewed: organization charts, flowcharts, policies and procedures, loan documentation, checklists, and computer program documentation (e.g., records illustrating the fields and types of data reported to consumer reporting agencies, automated records tracking customer opt outs for FCRA affiliate information sharing, etc.).
2. Review any compliance audit material, including work papers and reports, to determine whether:
|a.||The scope of the audit addresses all provisions as applicable.|
|b.||Corrective actions were taken to follow up on previously identified deficiencies.|
|c.||The testing includes samples covering all product types and decision centers.|
|d.||The work performed is accurate.|
|e.||Significant deficiencies and their causes are included in reports to management and/or to the board of directors.|
|f.||The frequency of review is appropriate.|
3. Review the financial institution’s training materials to determine whether:
a. Appropriate training is provided to individuals responsible for FCRA compliance and operational procedures. b. The training is comprehensive and covers the various aspects of the FCRA that apply to the individual financial institution’s operations.
4. Determine which portions of the six examination modules will apply.
5. Complete appropriate examination modules and document and form conclusions regarding the quality of the financial institution’s compliance management systems and compliance with the FCRA.
Future Modifications to the Examination Procedures. Some provisions of the FACT Act require the regulators to enact implementing regulations before the requirements and their corresponding examination procedures apply. The revised examination procedures contain three sections that will be amended after the implementing regulations are enacted. Those sections are §604(g) – Protection of Medical Information, §624 – Affiliate Sharing, and §615(h) – Risk-Based Pricing Notice.
As previously noted, Module 4 contains examination procedures for institutions that furnish information to consumer reporting agencies. The FFIEC will have to update this module after an interagency group issues guidance required by Section 312 of the FACT Act to enhance the accuracy of furnishing such information. In the interim, Module 4 will be used in examining financial institutions subject to the FCRA requirements for furnishers of information to consumer reporting agencies.
Appendix B—Statutory and Regulatory Matrix
As previously noted, financial institutions are subject to a number of different requirements under the FCRA. Appendix B of the revised procedures contains a matrix that displays the different compliance obligations required of financial institutions under the FCRA and the citations to the statutes and implementing regulations from which these obligations derive. This matrix is sorted by federal regulator.
Examiners began utilizing the new FCRA examination procedures during the last quarter of 2005. Financial institutions should review their compliance management programs to ensure that their FCRA policies and procedures reflect the revised provisions of the act. The Federal Trade Commission (FTC) recently republished a booklet which contains the FCRA to reflect changes by the FACT Act. Instructions for ordering the booklet are available on the FTC’s website at www.ftc.gov/bcp/conline/pubs/bulkordr.htm.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.