[co-author: Corben Green - Law Clerk]

On September 12, 2018, the Bureau of Consumer Financial Protection (“CFPB”) announced an interim final rule (“Rule”) to be effective September 21, 2018, that will update two model disclosure forms used when conducting background checks pursuant to the federal Fair Credit Reporting Act (“FCRA”).

The changes to the model forms are in response to recent amendments made to the FCRA by the Economic Growth, Regulatory Relief, and Consumer Protection Act (“Act”). The Act increases consumer protections by requiring consumer reporting agencies to provide consumers free national security freezes[1] and to help protect persons from identity theft-based fraud.

The new security freeze feature is intended to protect consumers from having loans, credit, and services approved in their name without their authorization. Toward this end, the Act mandates that, when the FCRA requires a current or prospective employee to receive the Summary of Consumer Rights, the individual must also receive a notice regarding the right to a security freeze. Additionally, the Act extends the minimum period during which consumer reporting agencies have to include initial fraud alerts in consumers’ files, from 90 days to one year.

Specifically, the Rule amends the form titled “A Summary of Your Rights Under the Fair Credit Act,”[2] which employers must provide to current or prospective employees when obtaining background checks through a third-party consumer reporting agency. The revised form includes information regarding security freezes and the extended initial fraud alert period required by the Act. As a reminder, employers must provide this form, along with the disclosure statement and authorization, when the background check is first requested, and again if the employer intends to take adverse action against the current or prospective employee based upon the results of a background check.

The other form amended by the Rule is titled “Remedying the Effects of Identity Theft.” This form is sent by a consumer reporting agency after a consumer notifies the agency that he or she believes that he or she has been the victim of fraud or identity theft and has been amended to reference the minimum one-year fraud alert.

Entities using the prior versions of the forms, which were last updated in 2012, may continue to use those forms if an attachment is provided with the updated language. For the form titled “A Summary of Your Rights Under the Fair Credit Act,” the following information should appear on the attachment:

The following FCRA right applies with respect to nationwide consumer reporting agencies:

CONSUMERS HAVE THE RIGHT TO OBTAIN A SECURITY FREEZE

You have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.

As an alternative to a security freeze, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer's credit file. Upon seeing a fraud alert display on a consumer's credit file, a business is required to take steps to verify the consumer's identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years.

A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.

The CFPB announced these changes without a period of notice before the new requirements will take effect. That is because the CFPB is not required to provide a period of notice (or the opportunity to comment) where, as here, the agency, based on good cause, finds that notice and public comment are impracticable, unnecessary, or contrary to the public interest. However, the CFPB has invited comment on the proposed amendments for potential use when the agency considers future amendments. Comments must be received on or before November 13, 2018. 

What Employers Should Do Now

• Modify background check forms to either (i) use the new “A Summary of Your Rights Under the Fair Credit Act” form or (ii) add the supplemental page with information regarding security freezes and the extended initial fraud alert period.
• Ensure that the new form or a supplemental page is put into use no later than September 21, 2018.
• Consider submitting comments to the CFPB regarding the Rule.

ENDNOTES

[1] The Act defines the term “security freeze” as a restriction that prohibits a consumer reporting agency from disclosing the contents of a consumer report that is subject to such security freeze to any person requesting the consumer report.

[2] The revised Summary of Consumer Identity Theft Rights is available in English and Spanish.

[View source.]