Now, more than ever, consumer report information impacts the everyday life of consumers in a meaningful way. Not only are consumer reports used by creditors, but also employers, insurers, landlords, and more.
It should come as no surprise that the Fair Credit Reporting Act (FCRA) includes the potential for hefty liability, both from the actual, statutory, and punitive damages that consumers may recover through private rights of action, and from administrative enforcement actions initiated by federal and state agencies.
The FCRA governs actions of consumer reporting agencies (CRAs); users of consumer reports; and the parties that furnish information to the CRAs. This article focuses on when your entity will have a permissible purpose to obtain and use consumer report information.
A comprehensive FCRA Policy should be tailored to your entity and reflect how it will actually obtain, use, and share consumer reports, in enough detail to match the complexity of your operations. If your entity also furnishes account information to CRAs, you will also have to develop additional procedures and safeguards to ensure that your entity can furnish complete and accurate information about consumers and can complete a timely investigation to resolve credit reporting disputes with consumers.
FCRA Policy – Getting Started
As outlined below, your entity’s FCRA Policy should include any and all duties, restrictions, and notice requirements that may result from what is required by the FCRA and the user agreement with the CRA. The very first step will be to isolate the permissible purpose(s) and reasons your entity will obtain and use consumer report information, so that you can confirm that each use is permitted and covered by the disclosures and processes your entity puts in place for compliance with the FCRA. Your compliance program’s foundation must be based on a careful review of your entity’s business practices and policies, to ensure your entity will have a permissible purpose for any use of the consumer report information.
Permissible Purpose
Your FCRA Policy should describe the specific reasons your entity will obtain and use consumer report information. Under the FCRA, a person may not use or obtain a consumer report for any purpose, except one expressly authorized by the FCRA that the user has certified to the CRA (a “permissible purpose”). The FCRA includes several different “permissible purposes.” For example, a user may have a “permissible purpose” to obtain and use consumer report information:
- in accordance with a consumer’s written instructions;
- for employment purposes;
- for underwriting insurance;
- in connection with the extension of credit to, or the review or collection of an account of, the consumer;
- for a legitimate business purpose in connection with a transaction initiated by a consumer; and
- for making prescreened firm offers of credit or insurance.
Each “permissible purpose” has a specific meaning and conditions that should be reviewed carefully. Once you are familiar with the permissible purposes, your FCRA Policy should indicate the specific reasons why your entity will obtain and use consumer report information and which permissible purpose applies in different contexts. The details in the Policy should also match the contractual certifications your entity provided in its user agreement with the CRA. This may seem straightforward, but, in today’s digital age, it rarely is.
Addressing Limits
Your FCRA Policy should not only confirm which permissible purpose applies in different contexts, but also address any limits connected with each permissible purpose. For example:
Written Instructions. If your entity obtains consumer report information based on a consumer’s written instructions, specificity is key. A user may obtain and use the consumer report information only to the extent allowed by the consumer’s written instructions. Your entity’s FCRA Policy should address how your entity will ensure that consumer reports are used only in accordance with the consumer’s instructions (for example, through training, monitoring, and access and use restrictions). You should review whether the words used in the consumer’s written instructions match your entity’s current business practices, particularly if those practices change and evolve over time. The written instructions have to be clear, easy to understand, and authorize your entity to obtain and use consumer report information in a manner that is consistent with the FCRA, your entity’s user agreement with the CRA, and current business practices.
Specific Use Case. Your FCRA Policy should describe tailored safeguards that will ensure the consumer report information is used only for specific permissible purposes (for example, to underwrite credit applications, review or collect credit, for employment purposes, etc.). If your entity may obtain consumer report information for a specific use case that is not clearly covered by a permissible purpose described by the FCRA, you may want to consider whether your entity should include that use in the written instructions that consumers are asked to sign before your entity obtains their consumer report information.
Firm Offers of Credit. Under certain conditions, your entity may be allowed to obtain limited consumer report information from CRAs in the form of a prescreened list and use it for marketing to consumers who have not otherwise requested credit. Before your entity requests a prescreened list, it must establish – in advance – the specific criteria your entity will apply when it evaluates consumers who respond to your entity’s “firm offer” of credit. The prescreened list your entity obtains will not identify every consumer who may be eligible for credit under your entity’s criteria. The prescreened list from the CRA will exclude consumers who have “opted-out” of prescreened offers through the CRAs, which is a right your entity and others must disclose in any “firm offer” they make to consumers. The CRAs will also exclude consumers who are not yet 21 and consumers who are ineligible based on the credit criteria your entity provides to the CRA. Once your entity receives a prescreened list, it must then make a “firm offer” of credit to each person included on the list. Not every person who accepts your entity’s “firm offer” of credit, as defined by the FCRA, will necessarily qualify for credit. In certain cases, your entity may reject consumers from the prescreened list based on recent changes in their consumer report information or based on criteria that your entity established before making the offer, even if the consumer was unaware of that criteria. Because this is a narrow exception to the general rules that are often based on consumer-initiated activities, this exception contains a number of strict and specific requirements. If your entity intends to make prescreened “firm offers” to consumers, your entity’s FCRA Policy should carefully outline the steps that it will take to ensure that your entity can comply with all of the relevant notice requirements and restrictions on use of the information.
As discussed above, your entity’s FCRA Policy should be tailored to its specific business activities and permissible purposes. We recommend that all appropriate personnel at your entity review your FCRA Policy on a regular basis and, in particular, before your entity makes any change in its business practices that relates to when your entity obtains and uses consumer report information.
