Fair Credit Reporting Act - Iowa Bankers Association

Articles

FAQs

Accuracy and Integrity Reporting Rules

Credit Score Exception Notices

Disputes

FCRA Adverse Action Notices (AAN)

ID Theft Prevention Program (IDTPP)

Notice of Negative Reports

Notice to Home Loan Applicant & Credit Score Disclosure

Permissible Purpose

Risk-Based Pricing Rules & Disclosures

ACCURACY AND INTEGRITY – REPORTING RULES

Question: We received a request from a mortgage loan customer to remove the reporting of a 30-day past due mortgage payment from their credit file. The customer is not disputing the accuracy of the reporting but is now indicating they were 30 days past due because they were off work for 14 days due to COVID quarantine. As a bit of background, when the customer became more than 15 days past due, the loan officer attempted to call the customer multiple times and left messages but the customer did not respond. Finally, the customer responded to an email from the loan officer but at that point, was already 30-days past due and made their missed payment shortly thereafter at 35 days past due. Are we required by the CARES Act to remove the past due payment because the customer is indicating the delinquency was the result of COVID? If we are not required to remove the past due payment, may we remove it as an accommodation to our customer?

Answer: No. You are not required by the CARES Act to remove the reporting of the past due payment. The CARES Act , § 4201 states that, with certain exceptions, “if a furnisher makes an accommodation with respect to one or more payments on a credit obligation or account of a consumer, and the consumer makes the payments or is not required to make one or more payments pursuant to the accommodation, the furnisher shall — (I) report the credit obligation or account as current; or (II) if the credit obligation or account was delinquent before the accommodation — (aa) maintain the delinquent status during the period in which the accommodation is in effect; and (bb) if the consumer brings the credit obligation or account current during the period described in item (aa), report the credit obligation or account as current”. In your situation, the customer did NOT contact the bank and request a payment accommodation or deferment; in fact, they didn’t respond to your inquiries related to being late until AFTER the payment was past due and reported as such. The CARES Act puts some degree of responsibility on the consumer to communicate with the creditor in regard to the financial hardships caused by COVID.

The bank should not remove negative credit reporting it knows to be accurate. Furnishers are prohibited by Section 623 of the FCRA to provide information to credit reporting agencies that it knows to be inaccurate. They are further required to report when reported information is being disputed by the consumer. In this case, the bank is not reporting inaccurate information. The consumer is not asking you to correct inaccurate reporting; rather they are doing just the opposite — they are asking you to report inaccurate information which is prohibited by Section 623. Also, because the customer is not disputing the payment was late, the bank is not obligated to report the late payment as “disputed” to the credit reporting agency. (May 2021)

Question: At times we receive requests from our borrowers to defer or postpone making one or more periodic loan payments (e.g. due to medical issues, job changes, or even temporary government shutdowns). Do we have any Fair Credit Reporting obligations when this occurs?

Answer: Yes, under the Fair Credit Reporting Act, banks that submit data to a nationwide credit reporting agency are required to ensure the data is accurate. These types of deferrals are referred to as forbearance. Forbearance is defined as a period of time during repayment in which a borrower is permitted to temporarily postpone making regular monthly payments. The debt is not forgiven, but regular payments are suspended until a later time. A forbearance may be granted by the creditor for a number of reasons including, but not limited to, when a borrower is experiencing temporary financial difficulty. The consumer may make reduced payments, interest-only payments or no payments at all during this period. Therefore, the borrower should not be reported to a credit reporting agency as being past due if a forbearance or deferral agreement is in place permitting the borrower temporarily postpone payments. (February 2019)

Question: If the bank elects to grant a request for “forbearance”, how does the bank report that agreement to the credit reporting agencies?

Answer: The Metro II format rules require changes to various reporting fields such as Term Duration if the term is extended; Frequency of Payments (if no payment is due use report code D for deferred); Scheduled Monthly Payment Amount reflecting reduced payments or $0 if no payment is due; a Special Comment Code of CP indicating the account is in forbearance and a K4 Special Payment Indicator of 02 with a date for Deferred Payment Start Date if no payment is due. The credit report should reflect the loan’s correct Account Status ensuring the report doesn’t reflect the loan as delinquent during the forbearance period and the correct Payment History Profile of D is used, indicating no payments were due, if applicable. It is important to note if the consumer was delinquent going into the forbearance period and no payments are required during forbearance, the Account Status Code and Date of First Delinquency must be reviewed when the forbearance period ends. For more details, refer to the Credit Reporting Resource Guide, FAQ number 45. (February 2019)

Question: We are currently reviewing our FACT Act Section 312 policy and procedures related to accuracy and integrity of information furnished to consumer reporting agencies. Currently, our policy doesn’t include the reports we submit to ChexSystems regarding deposit accounts that have been charged-off due to overdraft activity. Is the information we furnish to ChexSystems’ covered by FACT Act Section 312 and should we address this reporting in our policy and procedures?

Answer: FACT Act Section 312 provisions related to accuracy and integrity of information apply only when reporting to a “consumer reporting agency” as defined under section 603(f) of the Fair Credit Reporting Act:

(f) The term “consumer reporting agency” means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

And “consumer report” as defined in the same section of the Fair Credit Reporting Act includes:

(d) Consumer Report
(1) In general. The term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for
(A) credit or insurance to be used primarily for personal, family, or household purposes;
(B) employment purposes; or
(C) any other purpose authorized under section 604 [§ 1681b].
Section 604 describes “permissible purposes” of consumer reports and includes:
(F) otherwise has a legitimate business need for the information
(i) in connection with a business transaction that is initiated by the consumer; or
(ii) to review an account to determine whether the consumer continues to meet the terms of the account.

Because ChexSystems compiles and furnishes to third parties consumer information related to the consumer’s “character, personal characteristics, or mode of living,” it likely falls under the definition of a “consumer reporting agency.”

CREDIT SCORE EXCEPTION NOTICES

Question: When we obtain a credit report for our mortgage loans, we get a “tri-merge report”, which includes information and scores from all three credit bureaus. If we deny the loan, which credit score(s) do we disclose on the FCRA portion of the Adverse Action Notice?

Answer: Per the following excerpt from Consumer Compliance Outlook, published by the Federal Reserve Bank, the answer depends on which score(s) the creditor uses in the credit decision:

Multiple credit scores. In certain cases, a person may receive multiple credit scores from consumer reporting agencies. If the person only uses one credit score in making the decision, that particular score and related information for that specific credit score must be disclosed. If the person uses multiple credit scores in making the credit decision, only one of the scores is required to be disclosed; however, the FCRA does not prohibit creditors from disclosing multiple credit scores to the consumer.

This excerpt is found here in the 2013 article on Adverse Action Notices. (January 2019)

Question: If we decide to provide the credit score exception notice instead of the risk-based pricing notice, must we provide the credit disclosure to ALL consumer loan applicants or only to those who apply for products for which we price-based on credit risk? For example, we risk-base price auto loans as our rate grid takes into consideration the model year, down payment and borrowers’ credit score. However, we have one set rate for our consumer overdraft lines of credit. All applicants who qualify receive the same rate.

Answer: The preamble to the final rule indicates the creditor must provide an exception notice to every consumer requesting an extension of credit for a product for which the creditor uses risk-based pricing. So, if there is no risk-based pricing associated with your ODP LOC, the credit score disclosure is not triggered.

Question: We use the risk-based pricing credit score exception notice. Is this notice required for only consumer borrowers or should agricultural and commercial customers also receive the notice?

Answer: The risk-based pricing credit score exception notice is triggered by offers/extensions of credit made to consumers for a consumer purpose credits only.

Question: We use the risk-based pricing credit score exception notice. Is this notice required for loans made to consumers for the purpose of purchasing a lot if the loan will only be secured by the lot?

Answer: If the loan is consumer purpose, the application is covered by the rules if the bank risk-base prices loans. The lender must provide the credit score exception notice but will not have to provide the
Notice to Home Loan Applicant notice since the loan will not be secured by a dwelling.

Question: If we have more than one applicant for a transaction, can one credit score exception notice or risk-based pricing notice with credit score information be provided or does each applicant need their own?

Answer: In a transaction involving two or more consumers (joint applicants) who are granted credit, a creditor must provide a separate notice to each consumer to satisfy the requirements. Whether the consumers have the same address or not, the creditor person must provide a separate notice to each consumer. Each separate notice must contain only the credit score(s) of the consumer to whom the notice is provided, and not the credit score(s) of the other consumer.

For example, two consumers jointly apply for credit. The two consumers reside at the same address. The creditor obtains credit scores on each of the two consumer applicants. The creditor grants credit to the consumers. The creditor must provide credit score disclosure notices to each consumer to satisfy its obligations under FCRA § 615(h). Even though the two consumers reside at the same address, the creditor must provide a separate credit score disclosure notice to each of the consumers. Each notice must contain only the credit score of the consumer to whom the notice is provided.

Question: What information is to be included on the credit score exception notice?

Answer: The credit score exception notice must include the following elements:

A statement that a consumer report (or credit report) is a record of the consumer’s credit history and includes information about whether the consumer pays his or her obligations on time and how much the consumer owes to creditors;
A statement that a credit score is a number that takes into account information in a consumer report and that a credit score can change over time to reflect changes in the consumer’s credit history;
A statement that the consumer’s credit score can affect whether the consumer can obtain credit and what the cost of that credit will be;
The current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the consumer reporting agency for a purpose related to the extension of credit;
The range of possible credit scores under the model used to generate the credit score;
The distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score using the same scale as that of the credit score that is provided to the consumer, presented in the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar, or by other clear and readily understandable graphical means, or a clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers. Use of a graph or statement obtained from the person providing the credit score that meets the requirements of this paragraph (e)(1)(ii)(F) is deemed to comply with this requirement;
The date on which the credit score was created;
The name of the consumer reporting agency or other person that provided the credit score;
A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
A statement that Federal law gives the consumer the right to obtain copies of his or her consumer reports directly from the consumer reporting agencies, including a free report from each of the nationwide consumer reporting agencies once during any 12-month period;
Contact information for the centralized source from which consumers may obtain their free annual consumer reports; and
A statement directing consumers to the Web site of the Bureau to obtain more information about consumer reports.

Question: Must the credit score disclosure contain both the bar graph and narrative (as shown in the model form) detailing how the consumer’s credit score compares with other consumer credit scores?

Answer: No. The regulatory requirement is to provide the consumer with the distribution of credit scores among consumers who are scored under the same scoring model that is used to generate the consumer’s credit score, presented:

In the form of a bar graph containing a minimum of six bars that illustrates the percentage of consumers with credit scores within the range of scores reflected in each bar, or
By other clear and readily understandable graphical means, or
A clear and readily understandable statement informing the consumer how his or her credit score compares to the scores of other consumers.

The creditor may choose to use any one of these three options.

Question: How do we handle the credit score disclosure if we pull a tri-merge report containing three credit scores?

Answer: When a creditor obtains two or more credit scores from consumer reporting agencies and uses one of those credit scores in setting the material terms of credit extended – for example, by using the low, middle, high or most recent score – the notice must include that credit score and the other information required by rule. When a creditor obtains two or more credit scores from consumer reporting agencies and uses multiple credit scores in setting the material terms of credit extended – for example, by computing the average of all the credit scores obtained – the notice must include one of those credit scores and the other information required by the final rule.

Question: When must the credit score exception notice be provided to the consumer?

Answer: The timing requirements vary slightly, depending on whether the loan is secured by one-to-four units of residential real property.

For non-mortgage loans, the credit score exception notice must be provided “as soon as reasonably practicable” after the credit score has been obtained (e.g., within three business days), but, in any event, at or before closing for closed-end credit and before the first transaction for open-end credit.
For mortgage loans, the notice must be provided at the same time the separate Section 609(g) FCRA credit score notice is required, but in any event at or before closing for closed-end and before the first transaction for open-end credit.

The preamble to the final rule notes that for purposes of providing credit score exception notices to a consumer as soon as reasonably practicable after a credit score is obtained, what is a “reasonably practicable time period” may vary depending upon the circumstances of the transaction and the type of credit. For example, while it may be reasonably practicable to provide a notice to a consumer in several days in the mortgage lending context, what is reasonably practicable in other forms of credit may be a shorter or longer time period.

Disputes

Question: We have a customer who has continued to dispute a transaction on their credit report that we have investigated in the past and determined the trade line is reporting accurately. We have communicated this to the customer multiple times and he continues to dispute the item so we provided him with a “frivolous notice” as permitted by Regulation V. Since we have sent him the frivolous notice, he has sent yet another letter disputing the same trade line. How should we handle this latest dispute letter? Do we need to send another frivolous notice within five days or can we just ignore this dispute letter?

Answer: Unfortunately, you can’t just disregard the dispute without first taking a look at the information provided by the consumer. Regulation V does permit you to treat the claim as frivolous, but only after you have completed your review of the claim and determined it is indeed the same dispute as before and that the consumer has not provided new information to support his/her claim. After making this determination, you still have to notify the consumer of this fact. Regulation V makes no exemption from the notice requirement for consumers who have previously been notified their claim is frivolous.

1022.43(f) Frivolous or irrelevant disputes.

(1) A furnisher is not required to investigate a direct dispute if the furnisher has reasonably determined that the dispute is frivolous or irrelevant. A dispute qualifies as frivolous or irrelevant if:

(i) The consumer did not provide sufficient information to investigate the disputed information as required by paragraph (d) of this section;

(ii) The direct dispute is substantially the same as a dispute previously submitted by or on behalf of the consumer, either directly to the furnisher or through a consumer reporting agency, with respect to which the furnisher has already satisfied the applicable requirements of the Act or this section; provided, however, that a direct dispute is not substantially the same as a dispute previously submitted if the dispute includes information listed in paragraph (d) of this section that had not previously been provided to the furnisher; or

(iii) The furnisher is not required to investigate the direct dispute because one or more of the exceptions listed in paragraph (b) of this section applies.

(2) Notice of determination. Upon making a determination that a dispute is frivolous or irrelevant, the furnisher must notify the consumer of the determination not later than five business days after making the determination, by mail or, if authorized by the consumer for that purpose, by any other means available to the furnisher.

(3) Contents of notice of determination that a dispute is frivolous or irrelevant. A notice of determination that a dispute is frivolous or irrelevant must include the reasons for such determination and identify any information required to investigate the disputed information, which notice may consist of a standardized form describing the general nature of such information

FCRA ADVERSE ACTION NOTICES (AAN)

Question: At the time we receive an application to open a deposit account for a customer, we obtain a ChexSystems report. If the bank denies the account application due to negative information on the ChexSystems report, we provide the FCRA adverse action notice to the account applicant to alert them to the fact their application was denied due to derogatory information in the ChexSystems report. If the account is opened and handled according to account terms for 90 days, the account owner is eligible for overdraft protection. If the account owner requests overdraft protection, we obtain a new ChexSystems report.

We recently had a situation in which the ChexSystems report was fine at the time of account opening, but when we obtained a new report 90 days later, it contained derogatory information. The report was negative enough the bank decided to close the account due to information in the report. We sent notice to the borrower the account had been closed but did not provide an FCRA adverse action notice. Should we also have provided the FCRA adverse action notice?

Answer: Yes, a FCRA adverse action notice should have been provided. Section 615(a) of the FCRA makes it clear that anytime any adverse decision is based in whole or in part on a consumer report, a FCRA adverse action notice is required. This includes a decision to close an account based on information that ChexSystems provided after account opening. (June 2021)

Question: I have a joint application where one person qualifies and the other doesn’t. Based on this scenario, how should we complete the bottom portion of the Adverse Action Notice (AAN) – the Fair Credit Reporting Act (FCRA) portion of the notice?

Answer: There are three parts to the FCRA AAN which are required to be delivered to each consumer whose credit history is part of the reason for denial. When there is more than one applicant, a creditor must notify each consumer whose credit report was, in whole or part, the reason for denial. So in your situation each consumer whose credit report led to your denial decision should receive an AAN that includes:

The notice language: Our credit decision was based in whole or in part on information obtained in a report from the consumer reporting agency listed below. You have a right under the Fair Credit Reporting Act to know the information contained in your credit file at the consumer reporting agency. The reporting agency played no part in our decision and is unable to supply specific reasons why we have denied credit to you. You also have a right to a free copy of your report from the reporting agency, if you request it no later than 60 days after you receive this notice. In addition, if you find that any information contained in the report you receive is inaccurate or incomplete, you have the right to dispute the matter with the reporting agency.
Name:
Address:
[Toll-free] Telephone number:
If the creditor obtains a consumer credit score for the denied applicant, then the following credit score information must be disclosed to the denied customer since their credit history was part of the reason for the denial:
Credit score & date credit score was created
Range of possible scores
Key factors impacting the credit score (limited to 4 plus “number of inquiries”)
Entity name & contact information for provider of the credit score
Lastly, if the denial was due in part to information from an affiliate or third party bearing on the applicant’s creditworthiness, applicants must be made aware of their right to provide a written request for information regarding the nature of the information.

The IBA has a Completion Guide for Combined Reg. B/FCRA Adverse Action Notice and an Adverse Action Notice Review Form available for reference when completing the Regulation B and FCRA AAN information. Both are available on the IBA’s Bankers Compliance Resource page.

Question: We obtain tri-merge credit reports for mortgage loan applications. We order our reports from a third party vendor, not one of the three national credit reporting agencies (Equifax, TransUnion or Experian). If we deny the application due to information or a credit score on the tri-merge report, who do we list as the credit reporting agency on the AAN?

Section 615(a)(3) of the Fair Credit Reporting Act (FCRA) requires any person taking adverse action with respect to any consumer that is based, in whole or in part, on any information contained in a consumer report to provide the consumer with an oral, written, or electronic notice of the name, address, and telephone number of the “consumer reporting agency” (CRA) that furnished the report. The FCRA then defines a CRA as: “…any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.

The FCRA also defines another important term – “reseller” – which is applicable to your question since you obtain your tri-merge reports from a third party vendor instead of directly from one of the national CRAs: “A reseller is a consumer reporting agency that (1) assembles and merges information contained in the database of another consumer reporting agency or multiple consumer reporting agencies concerning any consumer for purposes of furnishing such information to any third party, to the extent of such activities; and (2) does not maintain a database of the assembled or merged information from which new consumer reports are produced.”

So, a vendor meets the definition “reseller” (and as such is considered a “consumer reporting agency”) if that vendor assembles and merges information from other CRAs, and furnishes that information to third parties but does not maintain a database of that merged information. This process is known in the credit reporting industry as “merge and purge”. If your vendor is a reseller per the FCRA’s definition, the reseller is considered a “consumer reporting agency” and would be listed on the AAN as the CRA that provided the credit report.

But if your vendor merely passes on the credit report obtained from one or more of the national CRAs without first merging the data and deleting duplicative information, it does not meet the definition of reseller and would not listed as the CRA on the AAN. In this case, you would list the CRA providing the credit report to your vendor on the AAN. So for example, if the vendor merely passed through the three credit reports from the three national CRAs and the lender denied the application due to information contained in the reports, the AAN should detail all three national CRAs.

The key takeaway here is the importance of understanding your vendor relationship with the CRAs and the tasks it performs – passing through the credit reports or “merging and purging” the reports before delivery to you. When in doubt, ask you vendor directly if it is a “reseller” under the FCRA. (January 2021)

We understand the FCRA AAN must include information about the consumer’s credit score if the consumer report contained a credit score, and that score led to our decision to take adverse action on the application/account. If we obtain a tri-merge credit report, which credit score should be disclosed on the AAN if we require all three scores to be above a certain threshold? That is, we consider all three credit scores in our decision.
A 2013 Consumer Compliance Outlook article, “Adverse Action Notice Requirements under the ECOA and the FCRA” addressed this very topic. It stated:

Multiple credit scores.²⁸ In certain cases, a person may receive multiple credit scores from consumer reporting agencies. If the person only uses one credit score in making the decision, that particular score and related information for that specific credit score must be disclosed. If the person uses multiple credit scores in making the credit decision, only one of the scores is required to be disclosed; however, the FCRA does not prohibit creditors from disclosing multiple credit scores to the consumer.

²⁸ 76 Fed. Reg. at 41,597

So, even if you consider all three scores, the rule only requires you disclose a single credit score on the AAN. (Note however, the institution could provide all three credit scores and not violate the rule.) If the institution elects to disclose only one of the scores, it should have policies and procedures in place to determine which score it will report when all three are considered. For example, the procedures could state only the lowest score will be disclosed on the AAN.

The same Outlook article warned violations in regard to the credit score disclosure on the AAN most often occur when creditors fail to recognize the disclosure has been triggered. Specifically, some violations have occurred because institutions interpret the term “using the credit score in taking adverse action” too narrowly to include only situations where credit score was the sole or primary reason for the adverse action, rather than a component of the decision. To avoid these violations, ensure procedures require provision of the credit score disclosures whenever a credit score is used, whether as the primary reason or just one of several reasons, for the adverse credit decision.

Question: Does the credit score disclosure for FCRA adverse action purposes have to be provided when adverse action is related to a factor other than the borrower’s credit report and credit score, e.g., due to collateral value or length of employment?

Answer: No. Who receives AANs under the FCRA has not changed. If an application was denied due to something other than information related to the borrower’s credit worthiness, the FCRA AAN requirements are not triggered, including the requirement to provide the credit score information.

Question: If the FCRA AAN and credit score disclosure is triggered by credit worthiness, would it have to be provided to a consumer who withdrew an application?

Answer: The FCRA AAN and credit score disclosures are only triggered when the creditor takes adverse action based upon the applicant’s credit report and credit score. When an applicant withdraws an application, the creditor has not taken adverse action, so the AAN and accompanying credit score information disclosures are NOT triggered. However, if the creditor normally provides the risk-based pricing credit score exception notice and extended an offer of credit to the consumer OR the application was consumer purpose and secured by a 1-4 units of residential real property, the credit score notices required by 609(g) and 615(h) still apply.

Question: Does the credit score disclosure for the FCRA AAN have to be provided when a score is pulled for a reason other than credit, e.g., for purposes related to checking account opening, employment, or insurance?

Answer: The FCRA provisions related to providing the AAN are written in broad language, indicating if a financial institution “takes any adverse action with respect to any consumer that is based in whole or in part on any information contained in a consumer report” (FCRA §615(a)) the consumer should be provided the AAN. Thus, the FCRA’s AAN requirements are not limited to credit transactions. The FCRA is limited, however, to actions involving “consumers,” including actions related to checking account applications, employment applications and applications by consumers for business purpose loans (e.g., an application by a consumer/sole proprietor for a small business start-up loan). Applications made by business entities would not be covered by the rules, except when a consumer will be personally liable on the loan as a co-borrower and a credit report with a credit score is obtained.

Question: We provide the risk-based pricing credit score exception notice to all borrowers to whom we offer credit. Given this, do we need to worry about the FCRA AAN provisions that require us to provide credit score information on the AAN?

Answer: The credit score exception notice provided under the RBP rules does not satisfy the FCRA AAN credit score disclosure requirements if your denial was based, in whole or part, on the applicant’s credit score. In some cases, applicants may be provided the credit score exception notice and then later be denied credit. If the denial is due in whole or part to the applicant’s credit report and credit score, the applicant must also receive the combined Reg. B and FCRA AAN which also contains their credit score information. The timing rules for the two disclosure requirements are distinctly different:

The RBP credit score exception notice must be provided “as soon as reasonably practicable” after obtaining a consumer’s credit score.
The FCRA AAN credit score disclosure may be provided up to 30 days after receiving a final application.

Creditors must be able to evidence compliance with both notice requirements.

Question: How would you recommend dealer applications be handled? If we deny an application within three days do we need to send the credit score disclosure again as part of the AAN when it has been recently provided via the risk-based pricing credit score exception notice?

Answer: Assuming you are referring to auto dealers, if you deny the application, the risk-based pricing credit score exception notice does not have to be provided as no credit offer was made or extended.
However, keep in mind while the risk-based pricing rules do not apply to denied applications, the 615(h) FCRA AAN credit score disclosure must be provided to each consumer whose credit score was used in whole or in part in denying the request for credit.

Question: What information must be included regarding the credit score on the FCRA AAN?

If the adverse action is taken against the consumer, in whole or part, due to their credit score, the following additional information must be provided on the FCRA AAN:

the current credit score of the consumer or the most recent credit score of the consumer that was previously calculated by the credit reporting agency for a purpose related to the extension of credit;
the range of possible credit scores under the model used;
all of the key factors that adversely affected the credit score of the consumer in the model used, the total number of which shall not exceed 4, subject to paragraph (9);
the date on which the credit score was created; and
the name of the person or entity that provided the credit score or credit file upon which the credit score was created.

Question: How many “key factors” affecting the credit score must the creditor disclose?

Answer: It depends. The FCRA indicates the creditor should disclose four key factors negatively impacting the consumer’s credit score. However, if “number of inquiries” was a factor, but not one of the top four key factors, then the creditor is to disclose five key factors – the top four key factors plus “number of inquiries.” Creditors should rely on the information provided by the credit score provider to determine the key factors impacting the borrower’s credit score.

Question: For purposes of disclosing the reasons for adverse action, may the creditor refer to the “credit score’s key factors” if those are the same reasons for the adverse action?

Answer: No. The Reg. B AAN should separately list the reasons for the adverse action and the key factors of the credit score, even if they are repetitive.

Question: If we take adverse action based on the credit report, but the consumer does not have enough credit history to generate a credit score, how do we complete credit score section of the FCRA AAN?

Answer: If you deny the consumer’s request due to their credit report or lack of credit history, you would check the FCRA box indicating your adverse action was based in whole or part, on the borrower’s credit report but you would not complete any of the credit score information when the report contained no score.

Question: Is the creditor permitted to add an addendum to the FCRA AAN that provides the credit score information on a separate document?

Answer: No. The preamble to final rule indicated providing a form with credit score information separately from the AAN is not consistent with the requirements of the Dodd Frank Act. Reg. B’s model notices have been updated to incorporate the new notice requirements accordingly.

Question: In light of the FCRA’s rules for providing information related to a consumer’s credit score on AANs when information contained in a consumer credit report is used to take any adverse action against a consumer, must a creditor provide both the Reg. B reasons for taking adverse action as well as the key factors adversely affecting the credit score? They often are the same.

Answer: Yes. Reg. B and the FCRA are two distinct, separate rules with similar but differing requirements. Lenders must still provide the Reg. B reasons for adverse action (or a statement the consumer is entitled to such reasons via written statement) and in addition, under the FCRA provide the consumer’s credit score and key factors adversely affecting the credit score. In some situations the reasons for denial and adverse factors affecting the credit score may be the same or very similar.

Question: It is my understanding we have to disclose the number of inquiries when providing the credit score information on the AAN. Does this apply in all instances – deposit account turndowns, loan denials, employment denials, etc.?

Answer: If the number of inquiries is listed as a factor that negatively affected the credit score, then you must disclose as one of the key factors, “the number of inquiries,” but not the actual numeric number of inquiries. See the preamble discussion to the final rules:

Key factors….Section 1100F of the Dodd-Frank Act expressly requires disclosure of the top four (or five) key factors that adversely affected the credit score, whether or not the effect was substantial. A person taking adverse action must provide the consumer the information set forth in subparagraphs (B) through (E) of section 609(f)(1) of the FCRA. Section 609(f)(1)(C) of the FCRA requires disclosure of all of the key factors that adversely affected the credit score in the model used, up to four, subject to section 609(f)(9) of the FCRA, which states that if the key factors that adversely affected the credit score include the number of inquiries made with respect to the consumer report, the ‘‘number of inquiries’’ must be disclosed as a key factor.

ID THEFT PREVENTION PROGRAM (IDTPP)

Question: We already have many of the required elements of an IDTPP in place through our CIP and other BSA/AML programs. Can we just refer to these programs in lieu of creating another?

Answer: I agree you should always avoid duplicating what you already have in place. In fact, the final rule even addressed this stating, “The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity’s fraud prevention program.”

The Red Flags and the BSA/AML requirements overlap in a number of areas; for example, verifying and documenting a customer’s identity, monitoring for unusual activity, and providing staff training. Unfortunately, the regulations are separate bodies of law and both require written programs, so you do need to develop two separate written programs. But at the functional level, certain elements/procedures will be the same in both programs allowing you to combine activities (“kill two birds with one stone”) and save resources.

These areas of your BSA/AML program will most likely also be a part of your IDTPP:

Risk Assessment. Both BSA/AML and Red Flag programs require risk assessments for accounts, access methods and the institution as a whole. Many of the risks involved are common and you should be able to use the same process/methodology to identify and prioritize risks for both programs.
Customer Identification Program. Your CIP program provides a process that can be used to detect and address many of the Red Flags identified in the Supplement to Appendix J of the final rule. Address verification should already be included under the CIP as well.
Monitoring. Your process for monitoring account activity for AML purposes should provide the ability to detect most Red Flags as well. Talk with your vendors or IT department regarding the possibility of automating monitoring for both requirements; for example, include monitoring accounts with recent address changes followed by card replacement orders.
Training. Training is always crucial and a challenge. Some Red Flags can only be detected through human observation – for example, suspicious identification documents provided at account opening. Since the AML program require training on many of the same issues, such as recognizing suspicious activity, integrating training requirements for both programs should be considered.

Your institution should also be able to rely heavily on existing programs and procedures related to Gramm-Leach-Bliley’s (GLBA) information security rules, multi-factor authentication and response programs when implementing the identity theft provisions of the FACT Act.

Question: Do we need to include all 26 Red Flags in our IDTPP? It seems some of them do not apply to our institution and the manner in which we open accounts and allow access to accounts.

Answer: Not necessarily. The final rules require institutions to have reasonable policies and procedures to respond appropriately to any Red Flag that is detected in order to prevent and mitigate identity theft. An institution that elects to not include certain Red Flags in its IDTPP should have a reasonable basis for concluding that particular Red Flag does not present an ID theft risk to the institution. The basis for an institution’s conclusions should be documented in its risk assessment.

Question: I am really confused by the provision in the IDTPP on service providers. Who is covered and what is expected? My initial thoughts were entities such as our core processor and the company that hosts our Internet banking web site would be covered, but we recently received a memo from our core processor that indicated they don’t interact with our customer (or someone posing as our customer) and don’t monitor activities of accounts, so therefore nothing to include as part of the agreement and don’t monitor activities on accounts, so therefore conduct no activity covered under the agreement that would identify potential identity theft activities. Are they covered or not?”

Answer: The definition of service provider is quite broad: “a person that provides a service directly to the financial institution or creditor.” It does include those entities you describe but could also include providers such as mortgage brokers and automobile dealers who initiate the “account” origination process and handle sensitive customer information.

The first question discussed programs the bank already has in place that may be able to be used under their IDTPP as well. The subject of service provider oversight is a prime example. The GLBA information security guidelines require banks to have contractual agreements in place with service providers who have access to nonpublic personal information to safeguard customer information, use that information only for its intended purpose and to notify the institution if there is a security breach affecting the nonpublic personal information. The institution’s current GLBA contractual provisions with your vendors may cover your IDTPP requirements.

If the institution outsources account opening activities to a service provider (e.g. mortgage loan broker or automobile dealer), it must ensure the activity of the service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. Service providers are not required to comply with your specific ID theft prevention program, but they do need to have procedures in place to detect Red Flags of identity theft and respond appropriately.

Under the rules, the financial institution is ultimately responsible for ensuring the activities of its service providers are conducted in compliance with the Red Flag regulations. The regulation states an institution could address this requirement with its providers by having a contractual provision requiring the service provider to have policies and procedures in place to detect relevant Red Flags. I stress “relevant” because all the Red Flags may not apply to all service providers. For example, the Red Flags related to unusual use or suspicious activity related to a covered account would not apply to a service provider whose sole function is to generate applications for the bank. A mortgage broker’s procedures for example, would be more focused on the Red Flags related to alerts from credit reporting agencies, suspicious documents and suspicious personal identifying information revealed in the application process.

Question: How do we decide if the address on the credit report is different enough than the one provided by the consumer to trigger the Red Flag address discrepancy rules?

Answer: The address discrepancy rules are triggered when the institution receives a “notice of address discrepancy” from the credit reporting agency (CRA). It is the CRA, not the institution that determines whether there is an “address discrepancy.” The institution’s responsibility is to respond to the notice by forming a reasonable belief that the credit report relates to the person about whom it was requested and to furnish a confirmed address to the CRA if an account relationship is established and the institution routinely furnishes information to the CRA.

Question: We currently use credit reports for all new deposit account applications, but we do not report or furnish information to the CRA on deposit accounts. Are we still required to furnish address confirmation when we receive a notice of an address discrepancy related to a deposit account application since we don’t report deposit account information as part of our “ordinary course of business”?

Answer: If you only report information related to loan accounts to the CRA, you are only required to verify address discrepancies related to credit reports obtained for loan accounts. You do not have to confirm deposit account address discrepancies since it is not your practice to report (or upload) on deposit accounts.

Question: I have been reading information that indicates an institution’s IDTPP should include an automated anti-phishing program. Is that required by the regulation?

Answer: No, it is not specifically required by the IDTPP final rule. The preamble to final rule indicates a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft in determining an appropriate response to the Red Flags it detects. It goes on to state in the section IV on “Prevention and Mitigation”: “The Program’s policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer’s account records held by the financial institution, creditor or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent web site.”

An anti-phishing program may be warranted if the bank has significant risk of a phishing attack – for example, has a transactional web site that allows for opening accounts online, transferring funds to third parties online or has been the subject of previous phishing schemes. Institutions that just allow for transferring funds between accounts internally but don’t allow for online account opening or transferring funds to third parties online, may not be able to justify an automated anti-phishing program.

Question: Are we required to file a SAR if we encounter a Red Flag? Should SAR reporting be detailed in our response in our IDTPP?

Answer: Identify theft is an event (or category) listed on the SAR form triggering a SAR report. If you suspect identity theft and the incident meets the mandatory reporting thresholds ($5,000 if suspect is known to you and $25,000 if suspect is unknown), then you must file a SAR. Given the mandatory filing requirements under the BSA, it seems appropriate to include filing a SAR in your IDTPP response to an identity theft.

Keep in mind however, guidance from FinCEN on this topic indicates you should NOT file a SAR on the victim of an identity theft scheme.

Question: Can our board of directors simply review our IDTPP or do they need to formally “approve” it? Could our Compliance Audit Committee approve the IDTPP instead of the Board?

Answer: The statute and regulation both specifically state the Board must approve the initial program. However, the preamble to the final rule states, “The final rule continues to require approval of the written Program by the board of directors or an appropriate committee of the board.” So if the board formally appoints the Compliance Audit Committee the authority to approve and oversee the program, the institution would be in compliance. The Audit Committee, however should still report its approval of the IDTPP to the board.

Question: The Red Flag regulation requires that we update our IDTPP as necessary to reflect changing risks, emerging Red Flags and new products and services offered by the institution. Since our initial program has to be approved by the board, does each update or change made to the program also have to approved by the board or an appropriate committee?

Answer: No. Again, the preamble to final rule addressed this in discussing board approval of the program and clarified while the initial program requires board approval, updates do not have to be board-approved: “…to ensure that this requirement (for board approval) does not hamper the ability of a financial institution to update its Program in a timely manner, the final rules provide that the board or an appropriate committee must approve only the initial Program. Thereafter, at the discretion of the covered entity, the board, a committee or senior management may update the Program.”

NOTICE OF NEGATIVE REPORTS

Question: Do you have the model language the Federal Reserve has developed for the FACT Act notice to consumers when an institution may or will be reporting negative information regarding that consumer to a credit-reporting agency?

Answer: The FACT Act provides that if any financial institution (1) extends credit and regularly and in the ordinary course of business furnishes information to a nationwide consumer reporting agency; and (2) furnishes negative information to such an agency regarding credit extended to a customer, the institution must provide a clear and conspicuous notice about furnishing negative information, in writing, to the customer. Negative information means information concerning a customer’s delinquencies, late payments, insolvency, or any form of default.

The final rule provided for two model notices. Although use of the model notices is not required, a financial institution will be deemed to be in compliance with the notice requirement if it properly uses the model notices.

Model Notice B-1 can be used if the institution provides the notice PRIOR to furnishing negative information to a nationwide credit-reporting agency. Model Notice B-1 reads: We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.

Whereas, Model Notice B-2 could be used if the institution provides the notice AFTER furnishing negative information to a nationwide credit reporting agency. Model Notice B-2 reads: We have told a credit bureau about late payments, missed payments, or other defaults on your account. This information may be reflected in your credit report. This notice must be sent within 30 days of making the negative report to the credit-reporting agency.

Borrowers need only receive one notice per loan account and the notice may be included with other mailings (such as past due notices, with the delivery of coupon books, etc.) as long as the notice is clear and conspicuous to the borrower. The notice cannot, however, be combined with the early Truth-in-Lending disclosures.

Question: The FACT Act requires we send a notice to borrowers either prior to or within 30 days of making a negative report to a credit reporting agency. Can we send one notice to joint borrowers?

Answer: The notice should be provided to each consumer that you report negative information about, including co-signors and guarantors, if applicable. While the final regulation does not specifically address this, the regulators we have consulted with indicate if the consumers reside at the same address, one notice addressed to all will serve as adequate notice. If, on the other hand, the consumers do not live at the same address, then a notice should be sent to each at their respective residences. Also keep in mind the notice must be sent to each consumer on each account. Meaning that if you provided the notice to a customer on a delinquent auto loan and then their home equity loan later becomes delinquent and you report that delinquency to the credit reporting agency, you must provide the consumer with another notice for the delinquent home equity loan account.

NOTICE TO HOME LOAN APPLICANT & CREDIT SCORE DISCLOSURES

Question: When is the Credit Score Disclosure and Notice to Home Loan Applicant (NHLA) triggered?

Answer: Section FCRA §609(g) states:

(g) Disclosure of Credit Scores by Certain Mortgage Lenders

(1) In general. Any person who makes or arranges loans and who uses a consumer credit score, as defined in subsection (f), in connection with an application initiated or sought by a consumer for a closed end loan or the establishment of an open end loan for a consumer purpose that is secured by 1 to 4 units of residential real property (hereafter in this subsection referred to as the “lender”) shall provide the following to the consumer as soon as reasonably practicable:

(A) Information Required under Subsection (f)
i. In general. A copy of the information identified in subsection (f) that was obtained from a consumer reporting agency or was developed and used by the user of the information.
ii. Notice under subparagraph (D). [The Notice to Home Loan Applicant]

Therefore, the 609(g) disclosure and accompanying Notice to Home Loan Applicant (NHLA) are triggered by an application for consumer credit secured by 1-4 units of residential real property, whether the application is approved or denied. This was the original provision in the FCRA requiring the disclosure of credit score information to the consumer. Specifically, the notice is triggered if the creditor uses a consumer credit score in connection with an application for a consumer purpose loan (closed-end loan or open-end) that will be secured by 1 to 4 units of residential real property.

Question: When is the NHLA notice to be provided?

Answer: The FCRA indicates the notice should be provided to the consumer as soon as reasonably practicable. Most creditors provide the credit score disclosure and notice to home loan applicant disclosure along with the early disclosures required by RESPA and Reg. Z for dwelling secured loans.

Question: For the NHLA to apply, does the residential real property securing the loan have to be the borrower’s principal dwelling?

Answer: No. The application must be made by a consumer for a consumer purpose, but the 1-4 units residential real property could be the borrower’s principal residence, a second home or an investment property.

Question: Would an application for a lot loan require the credit score and NHLA?

Answer: If the loan is to be secured only by the bare lot (no dwelling), the application would NOT be covered by the requirement, regardless of the loan purpose.

Question: Is the NHLA disclosure required for rental property or a commercial mortgage loan if the loan is done in the consumer’s name?

Answer: No. See section 609(g) of the Fair Credit Reporting Act:

. . .in connection with an application initiated or sought by a consumer for a closed end loan or the establishment of an open end loan for a consumer purpose that is secured by 1 to 4 units of residential real property . . .

To trigger the NHLA disclosure, the loan must be:

Closed-end credit,
Secured by a 1-4 family dwelling,
Made to a consumer,
For a consumer (personal, family or house hold) purpose

Question: Must we provide the NHLA notice if we deny the application?

Answer: Yes. The FCRA § 609(g) notice requirement is triggered by the “application” for credit; not the creditor’s action on that application.

PERMISSIBLE PURPOSE

Question: We had a customer apply for a mortgage loan. As part of our underwriting process we obtained a tri-merge credit bureau report for each applicant. Within a couple hours of our credit report pull, our applicant was contacted by another lender with a sales pitch for a mortgage loan. The other lender told our customer they saw that they had applied for a mortgage loan at our bank. Of course, our customer contacted us immediately wanting to know why we shared their information with another lender. When we contacted our credit bureau provider to understand how another lender would know so quickly we had pulled a credit report on our customer, we learned the other lender subscribed to the bureau to receive “trigger leads.” I know about pre-screened offers of credit but I had never heard of a trigger lead. Can you tell me more?

Answer: A “trigger lead” is a marketing product that is sold by the three major credit bureaus — Experian, TransUnion and Equifax — to lenders who are looking for customers with certain specifications like loan types, ZIP codes or FICO scores. After a consumer applies for a loan, the lender will typically pull their credit report, signaling to the major credit bureaus the consumer is shopping for credit. The CRA then sells this information to product subscribers who often reach out to consumers via phone call or email within hours of the credit pull to provide their rate and product information to the consumer.

Triggers leads are legal under the Fair Credit Reporting Act and can even benefit consumers who are truly shopping for credit products. But trigger leads can be frustrating for consumers who do not want to be solicited and think their lender has shared their information with another lender without their permission. There are ways that a consumer can prevent ending up on a trigger list:

Register at www.optoutprescreen.com. This will opt a consumer out of unwanted prescreened solicitations and trigger leads for five years and it costs nothing. It does usually take one to two weeks for it to take effect.
Sign up at the Do Not Call Registry, www.donotcall.gov. This is also free and should take effect within 24 hours, however a borrower may have already ended up on a trigger lead list prior to registering so could still receive calls for up to 31 days. Being on the DNC list does not mean all calls will stop.

Lenders can help limit trigger lead contacts by not including the consumer’s phone number or email address on the credit pull.

Question: We are evaluating the ACH exposure limit for a brand new LLC with no financial statements. Do we have a permissible purpose to obtain a credit report on the members of that LLC even if we are not asking them to sign a personal guarantee?

Answer: If the bank does not intend to make the principals of the LLC personally sign or guarantee the credit extension, it would NOT have a right to pull a consumer credit report because the bank would not be “extending” credit to the consumer, just the LLC. The LLC is a separate legal entity apart from the consumer. See this excerpt from the Federal Trade Commission’s publication “40 Years of the Experience with the FCRA” found online at: https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf:

COMMERCIAL TRANSACTIONS – REPORTS ON PRINCIPALS OF A BUSINESS ENTITY
A lender has a permissible purpose to obtain a consumer report on a consumer in connection with a business credit transaction when the consumer is or will be personally liable on the loan as a co-signer or guarantor, because such a transaction involves the “extension of credit to … the consumer” by virtue of the individual’s liability. A lender would not have a permissible purpose to obtain a consumer report on a consumer who will not be personally liable for repayment of the credit (even an individual proprietor, shareholder, director, or officer of a corporation), because this section does not include the extension of credit to commercial entities. If a consumer has executed a promissory note reflecting an obligation to make capital contributions to a limited partnership, and that individual defaults, the creditor has a permissible purpose for obtaining the consumer report of the individual.

Question: We have several closed-end consumer loans we are in process of reviewing. Do we have a “permissible purpose” to obtain a credit report as part of our account review?

Answer: At first look, when reading the Fair Credit Reporting Act at section 604(a)(3)(F)(ii), it appears you do have a permissible purpose:

(F) otherwise has a legitimate business need for the information
…(ii) to review an account to determine whether the consumer continues to meet the terms of the account.

However, a Federal Trade Commission (FTC) informal staff opinion letter issued April 29, 1999, (https://www.ftc.gov/os/statutes/fcra/gowen.shtm) defined “reviewing” as determining whether to change the terms of an existing account relationship. The opinion further states,

“The terms of a closed-end credit transaction are predetermined and generally may not be changed unilaterally by the creditor unless the contract expressly provides for such action (e.g., in the event of default). Therefore, the creditor is unlikely to have a reason to consider “whether to retain or modify current account terms” and, thus, would not have any routine need to procure consumer reports to “review” its accounts.”

The FTC’s staff report of interpretations, “Forty Years of Experience with the Fair Credit Reporting Act” (https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf) also provides the following:

In order for a creditor to have a permissible purpose to obtain a consumer report to review an account, it must have an existing credit account with the consumer and must use the consumer report solely to consider taking action with respect to the account (e.g., modifying the terms of an open end account). A creditor has a permissible purpose to obtain a consumer report on one of its customers for the purpose of review of the account, even where the customer has sought to discharge his/her debt in bankruptcy. A creditor who is deciding whether to participate in a debt management plan which would involve the cooperation of all of the consumer’s creditors has a permissible “review” purpose under this section.

Therefore, for closed-end consumer credit, avoid obtaining consumer reports after loan closing on a routine or annual basis. If there are circumstances that would warrant a review of the consumer’s credit, for example if the consumer has requested a change in terms (modification or refinance) or the loan is in default and collection activities are likely, a permissible “review of the account” exists and a new credit report may be obtained.

RISK BASED PRICING RULES & DISCLOSURES

Question: Our bank does not “risk-base” price consumer loans. We have a standard rate sheet. All approved loan applicants receive the stated interest rates quoted on the rate sheet. The rate sheet interest rates vary based only on loan-to-value and, for auto loans, the model year. If our interest rates vary from the rate sheet, typically it is to meet a competitor’s bid or due to an extremely low or high loan-to-value. Given this, are we covered by the risk-based pricing rules?

Answer: No. Creditors that do not use risk-based pricing strategies based on the borrower’s credit history are not covered by the risk-based pricing rules or notice requirements. We recommend that if you do not employ risk-based pricing strategies, the bank adopt a policy statement to that effect, either as part of their FCRA/FACT Act policy or loan policy.

Question: Are loans we originate and sell to secondary market investors subject to the risk-based pricing rules? If so, do the adjustments made by the investors on the interest rate pricing constitute risk-based pricing?

Answer: Yes, secondary market mortgage loans made to a consumer are covered. Loan level price adjustments assigned by desktop underwriting systems and Fannie Mae or Freddie Mac investors definitely fall under the umbrella of risk-based pricing.

Question: We pull credit reports when we receive new applications for consumer credit, but our credit reports do not contain credit scores. Do the rules apply to us?

Answer: Yes. The rules are triggered when a creditor both:

Uses a consumer report (not just a credit score) in connection with an application for, or a grant, extension or other provision of, credit to that consumer that is primarily for personal, family or household purposes; and
Based in whole or in part on the consumer report, extends credit to that consumer on material terms that are materially less favorable than the most favorable material terms available to a substantial proportion of consumers from or through that creditor.

Question: Currently, the credit reports we order do not contain credit scores on them. Do the Risk-Based Pricing rules now require we order reports that include credit scores?

Answer: No. The requirement to include credit score information on the risk-based pricing notice is triggered when a credit score “is used” in connection with setting loan terms or taking adverse action against a consumer. If a credit score is not used, the requirements are not triggered.

Question: What if the borrower has no credit score due to limited credit history?

Answer: If a credit score is unavailable, the institution does not have to provide the credit score information on the risk-based pricing notice.

Question: Our credit reports include a credit score, but we do not use the score to establish the loan terms. Do we have to provide the additional credit score information?

Answer: No. The notice need only be provided if a credit score was used in setting the material terms of credit. However, you may find yourself hard-pressed to convince an examiner why you pulled a report with a credit score if the score is not used for purposes of setting the loan terms.

Question: We use the credit score as one factor in setting loan terms, along with the down payment amount and borrower’s debt to income ratio. Do we need to provide the credit score information on our risk-based pricing notice when the credit score is only part of the determinant in setting the loan terms?

Answer: Yes, even if the credit score was not a significant factor in setting the material terms of credit but was a factor, the creditor must provide the credit score notice.

Question: We pull tri-merge credit reports that contain three credit scores. Which score should we use for the risk-based pricing notice?

Answer: If the creditor obtains two or more credit scores and uses one of them, say, the middle score, it should disclose that score. If it obtains two or more credit scores and uses multiple credit scores in setting the material terms of credit, e.g., by computing the average of all the credit scores, it must include any one of these scores. The notice may, at the creditor’s option, disclose all the credit scores used.

Question: We often “reuse” a consumer report for subsequent loan requests by the same consumer. Our current loan policy only requires that we obtain a new credit report annually. Is coverage triggered if we “reuse” a consumer report?

Answer: We believe so. Neither the final rule, nor preamble, specifically address reuse of a consumer report and the notice requirements. Rather, as shown above, it appears that the notice is required for each application for credit that results in an extension of credit where information from the credit report was used to set the loan terms. The rule does not make an exception for when a notice was previously provided on a consumer report obtained in connection with an earlier credit request.

Question: We purchase dealer paper from a local car dealership. Are we responsible for providing the risk-based pricing notice or should the dealer provide the notice?

Answer: The rules of construction for the final rule indicate the person to whom a credit obligation is initially payable must provide the risk-based pricing notice or satisfy the requirements for and provide the notice required under one of the exceptions – even if that person immediately assigns the credit agreement to a third party and is not the source of funding for the credit.

The commentary to final rule provides the following examples:

A consumer obtains credit to finance the purchase of an automobile. If the auto dealer is the person to whom the loan obligation is initially payable, such as where the auto dealer is the original creditor under a retail installment sales contract, the auto dealer must provide the risk-based pricing notice to the consumer (or satisfy the requirements for and provide the notice required under one of the exceptions), even if the auto dealer immediately assigns the loan to a bank or finance company. The bank or finance company, which is an assignee, has no duty to provide a risk-based pricing notice to the consumer.
A consumer obtains credit to finance the purchase of an automobile. If a bank or finance company is the person to whom the loan obligation is initially payable, the bank or finance company must provide the risk-based pricing notice to the consumer (or satisfy the requirements for and provide the notice required under one of the exceptions) based on the terms offered by that bank or finance company only. The auto dealer has no duty to provide a risk-based pricing notice to the consumer. However, the bank or finance company may comply with this rule if the auto dealer has agreed to provide notices to consumers before consummation pursuant to an arrangement with the bank or finance company, as permitted under § 640.4(c).

Question: Do the risk-based pricing rules apply to a co-signor?

Answer: The final risk-based pricing rule indicates the rule is applicable to consumers who are “granted, extended or otherwise provided” credit. The regulation goes on then to provide examples of providing the required notices when there are “multiple consumers.”

1022.75(c) – (2) Credit score disclosure notices. In a transaction involving two or more consumers who are granted, extended, or otherwise provided credit, a person must provide a separate notice to each consumer to satisfy the exceptions in §1022.74(d), (e), or (f)…
(3) Examples. (ii) Two consumers jointly apply for credit with a creditor. The two consumers reside at the same address. The creditor obtains credit scores on each of the two consumer applicants. The creditor grants credit to the consumers. The creditor provides credit score disclosure notices to satisfy its obligations under this subpart. Even though the two consumers reside at the same address, the creditor must provide a separate credit score disclosure notice to each of the consumers. Each notice must contain only the credit score of the consumer to whom the notice is provided.

The examples indicate the notice should be provided to each consumer who “jointly applies” for credit. Given this, if the co-signor was also a joint applicant (applied contemporaneously with the primary applicant) and a credit report was used in the decision to grant credit, the co-signor should also receive the credit score disclosure. However, if the co-signor was not a joint applicant, but was required by the creditor as a condition of the credit extension, the notice would not be required.

Question: Can we contract with our credit reporting agency to send the risk-based pricing notices to borrowers on our behalf?

Answer: Yes, if you can ensure the delivery timing requirements will be met. Keep in mind the notice needs to be provided “as soon as reasonably practicable” but in any event before consummation for closed-end credit and prior to the first transaction on open-end credit. Your vendor may not be able to meet this requirement if the customer applies and the loan is closed the same day; e.g., a car loan.

A better option may be to have your credit report vendor supply the notice directly to the creditor for delivery. Many vendors are providing the notice at the end of the credit report. The creditor could then hand-deliver the notice just prior to closing if necessary. The creditor would also then have the ability to retain a copy of the notice for future use if it reuses credit reports for future credit requests.

Question: When must the risk-based pricing notice be provided to the consumer?

Answer: In the case of a closed-end credit request, the notice must be provided before consummation of the transaction, but not earlier than the time the decision to approve an application is communicated to the consumer. In the case of an open-end credit plan, the notice must be provided before the first transaction is made under the plan, but not earlier than the time the decision to approve an application is communicated to the consumer. And finally, in the case of a review of credit that has been extended to the consumer, the notice is to be provided at the time the decision to increase the annual percentage rate based on a consumer report is communicated to the consumer by the person required to provide the rate increase notice, or if no notice of the increase in the annual percentage rate is provided to the consumer prior to the effective date of the change in the annual percentage rate (to the extent permitted by law), no later than five days after the effective date of the change in the annual percentage rate.

Question: What information is to be included on the RBP notice?

Answer: The following information must be included on the RBP notice:

A statement that a consumer report (or credit report) includes information about the consumer’s credit history and the type of information included in that history;
A statement that the terms offered, such as the annual percentage rate, have been set based on information from a consumer report;
A statement that the terms offered may be less favorable than the terms offered to consumers with better credit histories;
A statement that the consumer is encouraged to verify the accuracy of the information contained in the consumer report and has the right to dispute any inaccurate information in the report;
The identity of each consumer reporting agency that furnished a consumer report used in the credit decision;
A statement that Federal law gives the consumer the right to obtain a copy of a consumer report from the consumer reporting agency or agencies identified in the notice without charge for 60 days after receipt of the notice;
A statement informing the consumer how to obtain a consumer report from the consumer reporting agency or agencies identified in the notice and providing contact information (including a toll-free telephone number, where applicable) specified by the consumer reporting agency or agencies;
A statement directing consumers to the Web site of the Bureau to obtain more information about consumer reports;

In addition, The Dodd Frank Act (DFA), section 1100F, requires credit score information be added to the risk-based pricing notice if a creditor used a credit score (in whole or part) to set the terms of credit offered to a consumer and provides the consumer with the risk-based pricing notice. After Aug. 15, 2011, if a credit score is used, in whole or part, in setting the material terms of the credit offered, the risk-based pricing notice must also include:

A statement that a credit score is a number that takes into account information in a consumer report, that the consumer’s credit score was used to set the terms of credit offered, and that a credit score can change over time to reflect changes in the consumer’s credit history;
The credit score used in making the credit decision;
The range of possible credit scores under the model used to generate the credit score;
All of the key factors that adversely affected the credit score, which shall not exceed four factors, except that if one of the key factors is the number of inquiries made with respect to the consumer report, the number of key factors shall not exceed five;
The date on which the credit score was created; and
The name of the consumer reporting agency or other person that provided the credit score.

The model notices can be found in Appendix H to Part 1022 at: https://www.ecfr.gov/cgi-bin/text-idx?SID=1a14b6431d389246bcb33fde1ab67fdb&mc=true&node=ap12.8.1022.0000_0nbspnbspnbsp.h&rgn=div9

Tools

Completion Guide for Combine Reg. B/FCRA Adverse Action Notice

Credit Report Dispute Resolution Form

Credit Score Disclosure Guide

HR: Background Check Disclosure and Authorization Form

ID Theft Victim Handout

Identity Theft Complaint Packet

Trigger Lead Consumer Notification