It should come as no surprise that the Fair Credit Reporting Act (FCRA) includes the potential for hefty liability, both from the actual, statutory and punitive damages that consumers may recover through private rights of action, and from administrative enforcement actions initiated by federal and state agencies.
The FCRA governs actions of consumer reporting agencies (CRAs), users of consumer reports and the parties that furnish information to the CRAs. This article focuses on when your company will have a permissible purpose to obtain and use consumer report information.
A comprehensive FCRA policy should be tailored to your company and reflect how it will actually obtain, use and share consumer reports in enough detail to match the complexity of your operations. If your company also furnishes account information to CRAs, you will also have to develop additional procedures and safeguards to ensure that your company can furnish complete and accurate information about consumers and can complete a timely investigation to resolve credit reporting disputes with consumers.
FCRA policy – getting started
As outlined below, your company’s FCRA policy should include any and all duties, restrictions and notice requirements that may result from what is required by the FCRA and the user agreement with the CRA. The very first step will be to isolate the permissible purpose(s) and reasons your company will obtain and use consumer report information, so that you can confirm that each use is permitted and covered by the disclosures and processes your company puts in place for compliance with the FCRA. Your compliance program’s foundation must be based on a careful review of your company’s business practices and policies, to ensure your company will have a permissible purpose for any use of the consumer report information.
Your FCRA policy should describe the specific reasons your company will obtain and use consumer report information. Under the FCRA, a person may not use or obtain a consumer report for any purpose, except one expressly authorized by the FCRA that the user has certified to the CRA, what is also known as a “permissible purpose.” The FCRA includes several different permissible purposes. For example, a user may have a permissible purpose to obtain and use consumer report information:
- In accordance with a consumer’s written instructions;
- For employment purposes;
- For underwriting insurance;
- In connection with the extension of credit to, or the review or collection of an account of, the consumer;
- For a legitimate business purpose in connection with a transaction initiated by a consumer; and
- For making prescreened firm offers of credit or insurance.
Each permissible purpose has a specific meaning and conditions that should be reviewed carefully. Once you are familiar with the permissible purposes, your FCRA policy should indicate the specific reasons why your company will obtain and use consumer report information and which permissible purpose applies in different contexts. The details in the policy should also match the contractual certifications your company provided in its user agreement with the CRA. This may seem straightforward, but, in today’s digital age, it rarely is.
Your FCRA policy should not only confirm which permissible purpose applies in different contexts, but also address any limits connected with each permissible purpose. For example:
Written Instructions. If your company obtains consumer report information based on a consumer’s written instructions, specificity is key. A user may obtain and use the consumer report information only to the extent allowed by the consumer’s written instructions. Your company’s FCRA policy should address how your company will ensure that consumer reports are used only in accordance with the consumer’s instructions — for example, through training, monitoring, and access and use restrictions. You should review whether the words used in the consumer’s written instructions match your company’s current business practices, particularly if those practices change and evolve over time. The written instructions have to be clear, easy to understand, and authorize your company to obtain and use consumer report information in a manner that is consistent with the FCRA, your company’s user agreement with the CRA, and current business practices.
Specific Use Case. Your FCRA policy should describe tailored safeguards that will ensure the consumer report information is used only for specific permissible purposes. Some examples include underwriting credit applications, reviewing or collect credit, employment purposes, etc. If your company may obtain consumer report information for a specific use case that is not clearly covered by a permissible purpose described by the FCRA, you may want to consider whether your company should include that use in the written instructions that consumers are asked to sign before your company obtains their consumer report information.
Firm Offers of Credit. Under certain conditions, your company may be allowed to obtain limited consumer report information from CRAs in the form of a prescreened list and use it for marketing to consumers who have not otherwise requested credit. Before your company requests a prescreened list, it must establish in advance the specific criteria your company will apply when it evaluates consumers who respond to your company’s firm offer of credit. The prescreened list your company obtains will not identify every consumer who may be eligible for credit under your company’s criteria.
The prescreened list from the CRA will exclude consumers who have opted-out of prescreened offers through the CRAs, which is a right your company and others must disclose in any firm offer they make to consumers. The CRAs will also exclude consumers who are not yet 21, and consumers who are ineligible based on the credit criteria your company provides to the CRA. Once your company receives a prescreened list, it must then make a firm offer of credit to each person included on the list.
Not every person who accepts your company’s firm offer of credit, as defined by the FCRA, will necessarily qualify for credit. In certain cases, your company may reject consumers from the prescreened list based on recent changes in their consumer report information or based on criteria that your company established before making the offer, even if the consumer was unaware of that criteria. Because this is a narrow exception to the general rules that are often based on consumer-initiated activities, this exception contains a number of strict and specific requirements. If your company intends to make prescreened firm offers to consumers, your company’s FCRA policy should carefully outline the steps that it will take to ensure that your company can comply with all of the relevant notice requirements and restrictions on use of the information.
Your company’s FCRA policy should be tailored to its specific business activities and permissible purposes. We recommend that all appropriate personnel at your company review your FCRA policy on a regular basis and, in particular, before your company makes any change in its business practices that relates to when your company obtains and uses consumer report information.
Aaron Kouhoupt is Of Counsel in McGlinchey’s Cleveland office. He has more than 15 years’ experience as both in-house and outside counsel to banks and financial institutions of various sizes and formats, including most recently as Associate General Counsel at a peer-to-peer lending and alternative investing company.
Auto Finance Summit, the premier industry event, returns October 27-29 in Las Vegas. The Summit continues to bring together the best and brightest in the industry year after year for unparalleled networking and professional education. To learn more about the 2021 event and register, visit www.AutoFinanceSummit.com.