
Fair Credit Reporting Act: Policy check in – permissible purpose

by Aaron Kouhoupt
July 20, 2021

It should come as no surprise that the Fair Credit Reporting Act (FCRA) includes the potential for hefty liability, both from the actual, statutory and punitive damages that consumers may recover through private rights of action, and from administrative enforcement actions initiated by federal and state agencies. 

The FCRA governs actions of consumer reporting agencies (CRAs), users of consumer reports and the parties that furnish information to the CRAs. This article focuses on when your company will have a permissible purpose to obtain and use consumer report information. 

A comprehensive FCRA policy should be tailored to your company and reflect how it will actually obtain, use and share consumer reports in enough detail to match the complexity of your operations. If your company also furnishes account information to CRAs, you will also have to develop additional procedures and safeguards to ensure that your company can furnish complete and accurate information about consumers and can complete a timely investigation to resolve credit reporting disputes with consumers. 

FCRA policy – getting started 

As outlined below, your company’s FCRA policy should include any and all duties, restrictions and notice requirements that may result from what is required by the FCRA and the user agreement with the CRA. The very first step will be to isolate the permissible purpose(s) and reasons your company will obtain and use consumer report information, so that you can confirm that each use is permitted and covered by the disclosures and processes your company puts in place for compliance with the FCRA. Your compliance program’s foundation must be based on a careful review of your company’s business practices and policies, to ensure your company will have a permissible purpose for any use of the consumer report information. 

Permissible Purpose 

Your FCRA policy should describe the specific reasons your company will obtain and use consumer report information. Under the FCRA, a person may not use or obtain a consumer report for any purpose, except one expressly authorized by the FCRA that the user has certified to the CRA, also known as a “permissible purpose.” The FCRA includes several different permissible purposes. For example, a user may have a permissible purpose to obtain and use consumer report information:

  • In accordance with a consumer’s written instructions; 
  • For employment purposes; 
  • For underwriting insurance; 
  • In connection with the extension of credit to, or the review or collection of an account of, the consumer; 
  • For a legitimate business purpose in connection with a transaction initiated by a consumer; and 
  • For making prescreened firm offers of credit or insurance. 

Each permissible purpose has a specific meaning and conditions that should be reviewed carefully. Once you are familiar with the permissible purposes, your FCRA policy should indicate the specific reasons why your company will obtain and use consumer report information and which permissible purpose applies in different contexts. The details in the policy should also match the contractual certifications your company provided in its user agreement with the CRA. This may seem straightforward, but, in today’s digital age, it rarely is. 

Addressing Limits 

Your FCRA policy should not only confirm which permissible purpose applies in different contexts, but also address any limits connected with each permissible purpose. For example: 

Written Instructions. If your company obtains consumer report information based on a consumer’s written instructions, specificity is key. A user may obtain and use the consumer report information only to the extent allowed by the consumer’s written instructions. Your company’s FCRA policy should address how your company will ensure that consumer reports are used only in accordance with the consumer’s instructions — for example, through training, monitoring, and access and use restrictions. You should review whether the words used in the consumer’s written instructions match your company’s current business practices, particularly if those practices change and evolve over time. The written instructions have to be clear, easy to understand, and authorize your company to obtain and use consumer report information in a manner that is consistent with the FCRA, your company’s user agreement with the CRA, and current business practices. 

Specific Use Case. Your FCRA policy should describe tailored safeguards that will ensure the consumer report information is used only for specific permissible purposes. Some examples include underwriting credit applications, reviewing or collecting credit, employment purposes, etc. If your company may obtain consumer report information for a specific use case that is not clearly covered by a permissible purpose described by the FCRA, you may want to consider whether your company should include that use in the written instructions that consumers are asked to sign before your company obtains their consumer report information.

Firm Offers of Credit. Under certain conditions, your company may be allowed to obtain limited consumer report information from CRAs in the form of a prescreened list and use it for marketing to consumers who have not otherwise requested credit. Before your company requests a prescreened list, it must establish in advance the specific criteria your company will apply when it evaluates consumers who respond to your company’s firm offer of credit. The prescreened list your company obtains will not identify every consumer who may be eligible for credit under your company’s criteria.  

The prescreened list from the CRA will exclude consumers who have opted out of prescreened offers through the CRAs, which is a right your company and others must disclose in any firm offer they make to consumers. The CRAs will also exclude consumers who are not yet 21, and consumers who are ineligible based on the credit criteria your company provides to the CRA. Once your company receives a prescreened list, it must then make a firm offer of credit to each person included on the list.

Not every person who accepts your company’s firm offer of credit, as defined by the FCRA, will necessarily qualify for credit. In certain cases, your company may reject consumers from the prescreened list based on recent changes in their consumer report information or based on criteria that your company established before making the offer, even if the consumer was unaware of those criteria. Because this is a narrow exception to the general rules that are often based on consumer-initiated activities, this exception contains a number of strict and specific requirements. If your company intends to make prescreened firm offers to consumers, your company’s FCRA policy should carefully outline the steps that it will take to ensure that your company can comply with all of the relevant notice requirements and restrictions on use of the information.

Your company’s FCRA policy should be tailored to its specific business activities and permissible purposes. We recommend that all appropriate personnel at your company review your FCRA policy on a regular basis and, in particular, before your company makes any change in its business practices that relates to when your company obtains and uses consumer report information. 

Aaron Kouhoupt is Of Counsel in McGlinchey’s Cleveland office. He has more than 15 years’ experience as both in-house and outside counsel to banks and financial institutions of various sizes and formats, including most recently as Associate General Counsel at a peer-to-peer lending and alternative investing company. 
