the fcra it s not just for credit bureaus l.
Skip this Video
Loading SlideShow in 5 Seconds..
The FCRA: It’s Not Just For Credit Bureaus PowerPoint Presentation
Download Presentation
The FCRA: It’s Not Just For Credit Bureaus

Loading in 2 Seconds...

play fullscreen
1 / 67

The FCRA: It’s Not Just For Credit Bureaus - PowerPoint PPT Presentation

  • Uploaded on

The FCRA: It’s Not Just For Credit Bureaus. Privacy Academy 2008 Orlando, Florida. Rebecca E. KUEHN Assistant Director Federal Trade Commission. Jennifer R. Rossi consumer financial services Litigator Robinson & Cole LLP. Overview.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'The FCRA: It’s Not Just For Credit Bureaus' - tavi

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the fcra it s not just for credit bureaus
The FCRA:It’s Not Just For Credit Bureaus

Privacy Academy 2008

Orlando, Florida


Regardless of how you describe your business, it’s likely you use and access consumer reports.

The FCRA and FACT Act cover a wide range of activities related to accessing, collecting and using consumer information.

We will discuss what business practices are regulated by these statutes and recent FTC rules concerning identity theft.

The overall goal of this presentation is heightened appreciation for the effects of noncompliance.

We will end with a question andanswer session.

  • The remarks in this presentation do not necessarily reflect the views of the Federal Trade Commission or of any Commissioner, nor are they intended to be legal advice.
  • Anyone with specific questions about a matter should consult legal counsel.
broad scope of fcra
Broad Scope of FCRA

An adventure in definitions

federal trade commission
Federal Trade Commission
  • Nation’s only general jurisdiction consumer protection agency
  • Enforcement through federal district court and administrative litigation
the fcra
  • Passed in 1970; significant amendments in 1996 and 2003
  • “[T]o insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy”
fcra guiding principles
FCRA Guiding Principles
  • Privacy
    • Limited access to consumer reports
    • Same limits on government access, withcertain exceptions
  • Accuracy
    • Responsibilities of consumer reporting agenciesand information furnishers
    • Consumer dispute process
  • Fairness
    • Adverse action notices
    • Obsolete information deleted
who is covered by fcra
Who Is Covered by FCRA
  • Consumer Reporting Agencies
  • Furnishers – information sources
  • Users of consumer reports
  • And more (merchants using debit/credit cards; “financial institutions” and “creditors”)
fcra enforcement
FCRA Enforcement
  • Civil enforcement by many agencies:
    • FTC and federal banking agencies
    • State attorneys general
    • Consumers: private right of action in some cases
  • Criminal enforcement: federal or state prosecutors (e.g., information obtained under false pretenses, unauthorized disclosure by credit bureau employees)
consumer report defined
Consumer Report Defined
  • “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for -- (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 604.”
definition dissected
Definition Dissected
  • Two basic elements:
    • Information in report has a “bearing on” one or more specified consumer characteristics (e.g., credit standing)
    • Report is “used or expected to be used (by the user) ... for the purpose of ... establishing the consumer’s eligibility (for purposes allowed bythe FCRA)...”
some important points
Some Important Points
  • Has to be about a consumer – if doesn’t identify specific consumer, not a consumer report
    • Ex. Flagging a specific internet transaction as potentially fraudulent based on comparison to aggregate data about internet transactions (e.g., time-of-day activity, geographic location, amount of the transaction, etc.), without reference to an individual consumer, is not a consumer report
includes summaries and evaluations of reports
Includes Summaries and Evaluations of Reports
  • Includes numerical or other evaluation of file data by a CRA, such as a credit score that bears on a consumer’s creditworthiness
  • Includes a list of the names of people meeting certain characteristics – such as a list of creditworthy individuals, or individuals on whom CRAs have derogatory information
examples of consumer reports
Examples of Consumer Reports
  • Credit report
  • Rental history
  • Check writing history/“bad check” lists
  • Employment history
  • Medical history
  • Insurance claims history
consumer reporting agency defined
Consumer Reporting Agency Defined
  • “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports”
mutually dependent definitions
Mutually Dependent Definitions
  • Consumer report = report provided by consumer reporting agency
  • Consumer reporting agency = an entity that provides consumer reports
some important points19
Some Important Points
  • Entities that work together for a common purpose without monetary compensation may form a CRA
    • Exchange or data pool
  • Entities that repackage and/or resell consumer report information may be CRAs
the non traditional cra
The non-traditional cra

Evolution of the information industry: A case study

case study
Case Study
  • In the Matter of Ingenix, Inc.
  • In the Matter of Milliman, Inc.
  • Consent Decisions and Orders issued February 12, 2008
where industry was
Where Industry Was
  • Life insurance companies used service providers to get medical records
  • Service providers requested records from health care providers, put in envelope, and mailed to insurer
record retrieval companies are not cras
Record Retrieval Companies Are Not CRAs
  • An entity that performs only mechanical tasks in connection with transmitting consumer information is not a CRA because it does not assemble or evaluate information. A business that delivers records, without knowing their content or retaining any information from them, is not acting as a CRA even if the recipient uses the records to evaluate the consumer’s eligibility for insurance or another permissible purpose.
ingenix and milliman
Ingenix and Milliman
  • Provide reports on prescription drugpurchase histories of insurance policy applicants, to insurance companies for underwriting decisions
  • Obtain prescription drug histories from Pharmacy Benefit Managers and create prescription medical profiles
why cra assemble or evaluate
Why CRA – “Assemble” or “Evaluate”
  • “Assembled” -- Compiled informationinto single report
  • “Evaluated” -- Analyzed information toreport potential medical conditions thatmay be present
administrative enforcement action
Administrative Enforcement Action
  • Complaints charged Ingenix and Milliman with violating FCRA by failing to provide Notice to Users
  • Notice to Users describes FCRA responsibilities and obligations of recipients of reports, including notifying consumers if adverse action is taken, based in whole or in part, on information contained in the consumer report
consent order
Consent Order
  • 5 year record keeping obligation
  • 20 year injunction to comply with CRA duties:
    • Notice to Users
    • Only furnish reports to those with permissible purpose
    • Reasonable procedures to assure maximum possible accuracy of information
    • Reasonable procedures to handle consumer disputes
    • Conduct reasonable reinvestigations
    • Comply with the Disposal Rule
b ackground screening reports
Background screening reports

Special Reports: Special Rules

background reports are consumer reports
Background Reports Are Consumer Reports
  • The definition of a “consumer report” includes more than just consumer credit information
  • Criminal background checks, educational background checks, and license checks are consumer reports because involve the individual consumer's “character, general reputation, personal characteristics, or mode of living”
background screening companies are cras
Background Screening Companies Are CRAs
  • Company that provides oral/written reports to employers about the prior work experience of applicants
  • Company that regularly researches criminal records of job applicants and reports them to its clients
special rules in employment
Special Rules in Employment
  • Written notice and authorization before getting report
  • Pre-adverse action disclosure – copy of report and Summary of Rights
  • Adverse Action Notice
  • Using Consumer Reports: What Employers Need to Know
red flag rules
Red-flag rules

What they are and what they’re not.

what they are
What They Are
  • “Red Flag” means:
    • a pattern, practice, or specific activity that indicates the possible existence of identity theft
red flag guidelines and rules
“Red Flag Guidelines and Rules”
  • Where do they come from?
    • Fair and Accurate Credit Transactions (“FACT”)Act of 2003
    • Amended FCRA
    • Passed in response to concerns about misuse of personal information of consumers, including identity theft
    • Instructed FTC and agencies to establish guidelines and rules
red flag guidelines
Red Flag Guidelines
  • 15 U.S.C. § 1681m(e)(1)(A): “The federal banking agencies, the National Credit Union Administration, and the [Federal Trade] Commission shall jointly . . .
    • establish and maintain guidelines . . . regarding identity theft with respect to account holders at, or customers of, such entities, and update such guidelines as often as necessary . . . .”
joint rulemaking
Joint Rulemaking
  • Final rules published November 9, 2007. (Press Release)
  • Effective on January 1, 2008
  • Full compliance required by November 1, 2008
identity theft prevention programs
Identity Theft Prevention Programs
  • The rules require “financial institutions” and “creditors” with “covered accounts” to implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
    • The opening of a covered account or
    • The existence of a covered account
creditors with covered accounts
“Creditors” with “Covered Accounts”
  • “Anyone who arranges for the extension, renewal or continuation of credit or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.”
creditors with covered accounts39
“Creditors” with “Covered Accounts”
  • A consumer account that “involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account and
  • “Any other account that the financial institutionor creditor offers or maintains for which there isa reasonably foreseeable risk to customers or tothe safety and soundness of the financialinstitution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”
the guidelines
The Guidelines
  • Intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the Red Flag Rules
  • Topics include
    • The Identity Theft Program
    • Identifying Relevant Red Flags
    • Detecting Red Flags
    • Preventing and Mitigating Identity Theft
    • Updating the Program
    • Methods for Administering the Program
    • Other Applicable Legal Requirements
guideline highlights
Guideline Highlights
  • Identifying Red Flags
    • Categories of Red Flags
      • Alerts, notifications, or other warnings from consumer reporting agencies or service providers, such as fraud detection services
      • The presentation of suspicious documents
      • The presentation of suspicious personal identifying information, such as a suspicious address change
      • The unusual use of, or other suspicious activity related to, a covered account
      • Notice from customers, victims of identity theft, law enforcement or others regarding possible identity theft
    • Appendix to Rule has 26 examples for the foregoing categories.
guideline highlights cont d
Guideline Highlights (cont’d)
  • Procedures to detect Red Flags
    • Verify identity
    • Authenticate customers
    • Monitor transactions
    • Verify validity of address changes
guideline highlights cont d43
Guideline Highlights (cont’d)
  • Appropriate Responses to Red Flags
    • Monitor accounts
    • Contact customer
    • Change passwords
    • Close and reopen account
    • Refuse to open account
    • Do not collect on or sell account
    • Notify law enforcement
    • No response
guideline highlights cont d44
Guideline Highlights (cont’d)
  • Administering the Program
    • Oversight involves
    • Assigning specific responsibility
    • Reviewing reports
    • Approving material changes to Program
what they re not
What They’re Not
  • Red Flags compliance v. data security
  • Definition of “financial institution” is not same under Red Flags and Gramm Leach Bliley Act
  • Compliance with HIPAA does not equal compliance with Red Flags
ftc activity
FTC Activity
  • June 2008 “FTC Business Alert”
  • FTC set-up email for questions:
identity theft prevention
Identity theft prevention

Are you a financial institution or creditor?

mandatory compliance
Mandatory Compliance
  • By November 1, 2008 for:
    • “Financial Institutions”
    • “Creditors” that hold any consumer account or other account for which there is a reasonably foreseeable risk of identity theft
are you a financial institution
Are you a “Financial Institution”?
  • A “financial institution” is:
    • A State or National bank
    • A State or Federal savings and loan association
    • A mutual savings bank
    • A State or Federal credit union
    • “Any other person that, directly or indirectly, holds a transaction account belonging to a consumer”

15 U.S.C. § 1681a(t) (emphasis added)

transaction account
Transaction Account
  • “The term ‘transaction account’ means a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.”

12 USCS § 461(b)(1)(C) (also known as section 19(b) of the Federal Reserve Act)

  • FCRA says,
    • “[t]he term[]…’creditor’ ha[s] the same meaning[] as in section 702 of the Equal Credit Opportunity Act.”

See 15 U.S.C. § 1681a(r)(5)

are you a creditor
Are you a “Creditor”?

A “creditor” is:

  • Any person who regularly extends, renews or continues credit
  • Any person who regularly arranges for the extension, renewal, or continuation of credit
  • Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit

15 U.S.C. §1691a(e) (also known as the Equal Credit Opportunity Act, Definitions)

step 1 risk assessment
Step 1: Risk Assessment
  • Do you offer or maintain “covered accounts”?
  • How do you open “covered accounts”?
  • How do you provide access to your accounts?
  • What experiences do you have withidentity theft?
step 2 develop program to
Step 2: Develop Program to
  • Identify red flags and incorporateinto Program
  • Detect red flags included in Program
  • Respond to red flags when detected
  • Periodically update program to address changing risks
step 3 administer program by
Step 3: Administer Program by
  • Obtaining approval of initial Program from Board or appropriate Board committee
  • Ensuring adequate oversight
  • Training appropriate staff
  • Overseeing service provider agreements
message from the federal trade commission
Message from the Federal Trade Commission
  • “By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure.”

(FTC Chairman, Deborah Platt Majoras, March 27, 2008)

  • Using its authority under Section 5 of the FTC Act (which prohibits unfair or deceptive practices), the Commission has brought a number of cases to enforce promises in privacy statements, including promises about the security of consumers’ personal information. The Commission has also used its unfairness authority to challenge information practices that cause substantial consumer injury.

Privacy Initiatives

l itigation trends
Litigation trends

Traps for the Unwary

private right of action
Private Right of Action?
  • Dissention over whether FACT Act eliminated private rights of action for all violations of § 1681m. See Perry v. First Nat. Bank, 459 F.3d 816, 820 (7th Cir. 2006).
  • No question Congress declined to provide private right of action for violations of the red flag requirements and guidelines set forth in § 1681m(e). See id. at 821; White v. E-Loan, Inc., 409 F. Supp. 2d 1183, 1185-86 (N.D. Cal. 2006).
  • 15 U.S.C. § 1681s-2(c)(3) provides that 15 U.S.C. §§ 1681n and 1681o – which establish rights of action for willful and negligent violations of the FCRA respectively – “do not apply to any violation of…subsection (e) of section 1681m of this title.”
the beverly litigation
The Beverly Litigation
  • FACTS:
    • Named Plaintiff applied to Wal-Mart
    • Application denied due to criminal record:
      • He was shown as a felon when he had been convicted of a misdemeanor
      • Others in the class were shown as felons based on records of other people with the same name but different birth dates, SSNs
    • Inaccuracies blamed on ChoicePoint’s internal controls
beverly v choicepoint inc
Beverly v. ChoicePoint, Inc.
    • Two option for CRA that reports public record information for employment purposes:
      • Notify the consumer “at the time such public report information is reported”
      • Maintain “strict procedures designed to insure that [the] information . . . is complete and up to date”
    • ChoicePoint gave notice, but not until after it had sent the reports to Wal-Mart
    • No court decision yet
beverly v wal mart stores inc
Beverly v. Wal-Mart Stores, Inc.
    • Wal-Mart did not give sufficient time to dispute the erroneous information
      • 9/1/05: ChoicePoint, on Wal-Mart’s behalf, sent notice to Beverly of contemplated adverse action
        • This included a copy of Beverly’s criminal history report, as required by the FCRA
      • 9/6/05: ChoicePoint, on Wal-Mart’s behalf, sent notice to Beverly of adverse action
      • Due to Labor Day, both letters arrived on 9/7
the beverly litigation62
The Beverly Litigation
  • IRONY:
    • Beverly called ChoicePoint on 9/7 to dispute
    • ChoicePoint sent Wal-Mart a corrected report
    • Wal-Mart hired Beverly
beverly v wal mart stores inc63
Beverly v. Wal-Mart Stores, Inc.
  • COURT DECISION: Court Opinion
    • Under the FCRA, an employer must give the consumer “a reasonable period to respond” to the initial notice and consumer report
      • Wal-Mart delegated this duty to ChoicePoint
      • ChoicePoint did not take into account postal delays that would be caused by the holiday weekend
      • Ultimately, Wal-Mart is responsible for that mistake
    • Motion for summary judgment denied
beverly v wal mart stores inc64
Beverly v. Wal-Mart Stores, Inc.
    • FCRA imposes technical obligations on CRAs and employers
      • Employer can delegate its duties but remains responsible
    • Courts interpret FCRA in light of its purpose
      • Consumers must be able to dispute inaccuracies before the report is used against them
    • FCRA can be a trap for well-meaning and sophisticated employers
q uestion answer session
Question & answer session

Did we cover all of your questions, and/or generate new ones?

for more information
For More Information

Rebecca E. Kuehn

Assistant Director

Division of Privacy and Identity Protection

Federal Trade Commission

600 Pennsylvania Ave., N.W., NJ-3158

Washington, D.C.  20580


Jennifer R. Rossi

Business Litigator

Consumer Financial Services Team Leader

Robinson & Cole LLP

280 Trumbull Street

Hartford, CT 06103-3597


Fair Credit Reporting Act

FTC Fair Credit Reporting Act Page

FTC Business Alert: New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft

thank you
Thank you

Any additional questions please ask.