As published in ABA Risk and Compliance, July/August 2024
Financial institutions (FIs) maintain a substantial amount of consumer information that they collect directly from consumers as part of account inquiries or applications or that they obtain from third-party sources in the normal course of conducting the business of banking. Regulation P, which implements portions of the Gramm-Leach-Bliley Act concerning the privacy of consumer financial information, imposes specific requirements regarding the disclosure and sharing of consumers’ nonpublic personal information (NPPI). The Fair Credit Reporting Act (FCRA) as well as the Fair and Accurate Credit Transactions Act and their implementing Regulation V also include information sharing requirements that sometimes intersect with Regulation P.
There are many reasons an FI may need to share a consumer’s financial information with a third party while conducting its business. Such reasons may include making credit decisions, processing deposit account transactions, and offering products or services through third-party service providers or joint marketing agreements, among others.
Consumer information shared by an FI may constitute a consumer report under certain situations, which could cause the FI to become a consumer reporting agency (CRA). As the FCRA contains many substantive compliance requirements for CRAs with which the FI may have difficulty complying, it is generally in the best interest of an FI to avoid becoming a CRA.
The FCRA includes several exceptions that enable FIs to share consumer information that would otherwise be deemed a consumer report without becoming a CRA. Detailed below is information about how FIs can share consumer information consistent with FCRA’s exceptions (thus avoiding becoming a CRA) while also complying with Regulation P. Tips for effective FCRA compliance management are also provided.
Important Definitions
Before diving into the FCRA information sharing requirements and exceptions, it is important to understand the definition of a consumer report and a CRA. In summary, the FCRA defines a consumer report as any communication by a CRA of information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used for establishing a consumer’s eligibility for credit, insurance, employment, or any other permissible purpose as established in Section 604 of the FCRA.
Under the FCRA definition, a report is not a consumer report in the following circumstances (not an all-inclusive list):
- The report contains only information as to the reporting institution’s experience with a specific consumer. Such reports can be made to any third party; however, unless the sharing falls under a Regulation P exception, Regulation P may restrict sharing these reports with non-affiliated third parties until the consumer has been given the opportunity to opt out and has not opted out (Regulation P, §1016.10).
- A report that contains information other than the FI’s experience is shared among affiliates. The consumer must be given notice that the information may be shared and the opportunity to opt out of sharing information among affiliates. Information can only be shared if the consumer does not opt out (FCRA Section 603(d)(2)(A)(iii)). While the opt-out is required by the FCRA, it can be incorporated within the Regulation P privacy notice.
- A consumer report is shared in accordance with the Federal Trade Commission’s Joint User Rule. The Joint User Rule allows entities to share consumer reports if they are jointly involved in a decision on a consumer’s application for a product or service provided both entities have a permissible purpose to obtain a consumer report for the transaction. (For more information on permissible purpose see Permissible Purpose and Use of Prescreened Solicitations in the May-June 2024 issue.) An example of sharing under the Joint User Rule is an application for a mortgage loan that will require private mortgage insurance. Both the lender and the mortgage insurer are involved in the credit decision. However, Regulation P may limit such sharing with non-affiliates as discussed above in item 1.
A CRA is any person or entity that regularly assembles or evaluates consumer information in order to furnish consumer reports to third parties. As this is a very broad definition, knowing the exceptions to avoid becoming a CRA is generally in the best interest of an FI lest it become subject to the many significant regulatory requirements on CRAs, such as:
- Maintaining reasonable procedures to:
  - Assure maximum accuracy of reports on consumers.
  - Upon a consumer’s request, accurately disclose to the consumer all information in a consumer’s file, the source of the information, the identity of each entity to which the consumer’s report was provided (time limits apply), a record of inquiries not initiated by the consumer, and other information set forth in FCRA Section 609. As recently as January 2024, the CFPB issued an advisory opinion to address obligations CRAs have under Section 609 and stated, “Section 609(a)’s file disclosure requirements are central to the statute’s accuracy, fairness, and privacy purposes.” This clearly remains a CFPB focus.
  - Investigate disputed information, even if that information was obtained from another entity.
  - Provide free annual reports upon request.
- Including in consumer reports:
  - A disclosure when a credit score is provided as part of the consumer report and the score was adversely affected by the number of inquiries, even if that credit score was obtained from another entity.
  - The fact that the consumer voluntarily closed an account if information about that account is included in the report.
  - The fact that the consumer disputed an account if information about that account is included in the report.
  - Notice of address discrepancy.
  - Active duty and fraud alerts.
  - Blocking information resulting from identity theft and human trafficking.
- Retaining trained personnel to explain all credit report information provided to a consumer who has requested a copy of their report.
The above is not an exhaustive list, but one can quickly discern that complying with the regulatory requirements imposed upon CRAs would likely require more resources than most FIs have available.
Protection of Medical Information
Now that we have an overview of how an FI’s information sharing can in some circumstances be construed as providing consumer reports as a CRA, we will explore the exceptions that allow using and sharing medical information without becoming a CRA. Like everything in the compliance world, definitions are important, so we first need to define “medical information.” Medical information is any information or data relating to a consumer’s past, present, or future physical, mental, or behavioral health or condition and includes the provision of health care or payment for health care (FCRA Section 603(i)). The source of the information is not limited to information contained in a consumer report; it also includes health-related information about the consumer received directly from the consumer or from anyone else.
Although FIs are generally prohibited from obtaining and using medical information as part of a credit decision (FCRA Section 604(g)), Regulation V §1022.30(c)(1) established that the FI has not violated this prohibition if the medical information was provided unsolicited. In addition, Regulation V §1022.30 sets forth certain exceptions to the Section 604(g) prohibition on creditors obtaining and using medical information:
- Financial Information Exception:
  - A creditor may obtain and use a consumer’s medical information to determine the consumer’s eligibility for credit if it is the type of financial information routinely used to determine credit eligibility, such as debts, expenses, benefits, and use of loan proceeds, among others.
  - The creditor must consider the medical information no less favorably than comparable information that is not medical in nature. As an example, if the consumer has a medical debt listed in the consumer report, the FI must consider it no less favorably than any other type of debt such as an auto loan, credit card, etc. However, the FI may treat the medical debt more favorably, for example, by not considering delinquent medical debt in the credit decision.
  - The creditor cannot consider the consumer’s health, condition, or prognosis as part of the credit decision.
- Other Specific Exceptions—The consumer’s medical information may be considered in the credit decision to comply with local, state, or federal laws, to the extent necessary for fraud prevention or detection, or to determine:
  - Whether the use of a power of attorney or legal representative triggered by a medical condition or event is necessary or appropriate.
  - If the consumer qualifies for a special credit program designed to meet the needs of consumers with a medical condition if the consumer has requested the determination.
  - The medical purpose of the loan if the credit is for financing medical products or services.
  - The consumer’s eligibility for credit to accommodate the consumer’s health-related circumstances if requested by the consumer and documented by the FI.
  - The consumer’s eligibility for a forbearance program, debt cancellation contract, or credit insurance product triggered by a medical condition.
Despite the exceptions noted for using medical information, FIs should use caution when considering the sharing of medical information as some circumstances could cause the FI to become a CRA. Medical information contained in a consumer report cannot be shared with any other entity except as necessary to carry out the purpose for which the information was initially provided (Regulation V §1022.31(b)). While some non-medical information may be shared with affiliates, generally, medical information may not be shared with affiliates; this includes individualized or aggregated lists that are based on payment transactions for medical products or services. There are limited exceptions to these prohibitions, however.
Under Regulation V §1022.32(c), medical information is not considered a consumer report if it is shared with affiliates and meets one of the exceptions listed below. Because an FI is not considered to be sharing a consumer report under these circumstances, it does not create heightened risk of being considered a CRA. The exceptions are for medical information that is shared with affiliates:
- In connection with the business of insurance or annuities.
- For any purpose permitted by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act (HIPAA).
- To service, process, or maintain a product, service, or account authorized by the consumer (or for any other purpose described in Section 1179 of HIPAA or Section 502(e) of the Gramm-Leach-Bliley Act).
- In connection with a credit decision consistent with the Financial Information Exception or Other Specific Exceptions as outlined above for obtaining and using medical information.
In September 2023, the CFPB announced that it is considering a proposed rulemaking to amend FCRA in several significant respects that would affect FIs’ sharing, use, and furnishing of information, including the use of medical information. Proposals under consideration include prohibiting CRAs from including medical information in consumer reports and prohibiting creditors from using medical information in the credit decision. As of the publication of this article, no proposed rule has been issued.
Affiliate Marketing Opt-Out
Now that we have reviewed general information sharing and using and sharing medical information, we will turn our attention to the last part of FCRA information sharing—affiliate marketing and opt-out—covered by FCRA Section 624 and Subpart C of Regulation V. Section 624 gives the consumer the right to restrict the FI from using eligibility information obtained from an affiliate to make solicitations if the FI does not have a pre-existing business relationship with the consumer. Eligibility information is specific to the consumer and includes the affiliate’s direct experience information as well as the types of information found in consumer reports (i.e., information that would otherwise be considered a consumer report if it were not excluded from the definition under FCRA Section 603(d)(2)(A)). “Pre-existing business relationship” is also a defined term that includes specific time periods that depend on the type of relationship. Refer to Regulation V §1022.20(b)(4) for the time periods.
Before the FI can market its products and services to consumers with whom it does not have a pre-existing business relationship using eligibility information provided by the affiliate, the affiliate must provide a notice that the FI may make marketing solicitations using the eligibility information and include a reasonable opportunity and method for the consumer to opt out of such sharing. The FI can make the solicitations only after it has provided a reasonable opportunity and the consumer has not opted out. (Regulation V §1022.24(b) provides examples of reasonable opportunities.) The notice and opt-out requirements do not apply if the FI makes a solicitation to a consumer with whom it has a pre-existing business relationship, even if it is using eligibility information from an affiliate (Regulation V §1022.21(c)(1)). Alternatively, the FI can use what is known as “constructive sharing” to market its products to the affiliate’s customers by providing its marketing criteria to the affiliate, after which the affiliate uses the criteria to send the marketing materials to its own customers (Regulation V §1022.21(b)(4)).
A consumer may opt out of affiliate information sharing at any time, and the opt-out period must be at least five years unless the consumer revokes the opt-out in writing earlier. If the FI allows the opt-out period to expire, a renewal notice must be provided to the consumer, and no solicitations can be made to the consumer unless the consumer does not renew the opt-out after being given a reasonable opportunity to do so. Appendix C of Regulation V includes model forms that provide safe-harbor contents for initial and renewal opt-out notices. Alternatively, the FI can incorporate the opt-out within the Regulation P privacy notice, but in so doing, the opt-out cannot expire.
Considerations for Examination Management
Examiners will review FCRA risk as part of the FI’s compliance examinations. FI management should be proactive in maintaining documentation that describes how FCRA risk has been mitigated with regard to obtaining, using, and sharing information so examiners are not left to make assumptions and apply further scrutiny in the examination process.
The first step in demonstrating a strong FCRA compliance management system is to implement effective policies and detailed procedures. An effective FCRA policy might include the following elements:
- Statement of purpose, scope, and policy statement to describe the activities in which the FI engages that are covered by the FCRA and state the commitment to compliance and how the FI intends to achieve it.
- Policy ownership, roles, and responsibilities in the FI’s approach to FCRA compliance.
- FCRA training requirements that align with the FI’s overarching training program.
- Record retention requirements as prescribed in the FCRA when applicable.
- Version control that maintains the policy’s implementation date and brief history of revisions.
- Board or committee approval.
Because there are information sharing elements in both Regulation P and the FCRA, it may be preferable to cover obtaining and sharing information in a combined information sharing and privacy policy with a cross reference in the FCRA-specific policy.
In addition to the policy, procedures that provide the details for complying with the policy may be helpful. The goal of any procedure document should be that employees can follow the steps outlined, including any system access and entry, to complete their job responsibilities effectively with little additional guidance. As indicated earlier, procedures should address requirements for obtaining and sharing information within the exceptions that allow the FI to avoid becoming a CRA. Other considerations for inclusion in the policies and procedures include:
- Identification of a centralized team that is well-trained to respond to information requests for specific consumer information.
- A well-defined credit policy that covers the use of medical information in credit underwriting.
- As applicable, a well-defined marketing policy that covers the use and sharing of information for marketing purposes among affiliates and among non-affiliated third parties with which the FI engages in joint marketing activities.
As part of the overarching training program, training records should be maintained and should include descriptions of content, employee rosters, and completion status. Such records should be maintained for any training required and completed since the prior examination.
FCRA compliance monitoring and testing activities completed since at least the prior examination should also be maintained. For each activity, document the date and scope of the review, summary of findings, corrective action plans, and any follow-up conducted. Examples of testing for compliance with the FCRA provisions covering obtaining and sharing consumer information include:
- Periodic review of the privacy notice, particularly when information sharing policies change, to confirm that opt-out provisions align with policies.
- Loan file testing to validate that medical information is not used in credit underwriting outside of the exceptions.
- Testing to assure that opt-out requests are honored in a timely manner and for the duration of the opt-out period. If the FI allows opt-out requests to expire, testing should also include validation that renewal notices are provided and no solicitations are made until consumers have had a reasonable opportunity to opt out.
- Testing to validate that the information for a consumer who has opted out is actually being excluded when information is shared with affiliates.
Any source documentation reviewed as part of testing may also be helpful. If testing schedules are based on a risk assessment, that should also be presented for examiner review.
Regulators consider consumer complaints a significant indication of risk, and an effective complaint management program is a regulatory expectation. Identify FCRA-related complaints, particularly those alleging unauthorized information sharing and marketing solicitations, and summarize their resolution to be included as part of the information provided to the examination team.
Conclusion
Despite the FCRA having become effective over fifty years ago in 1971, it continues to be a highly scrutinized area during compliance examinations. With so many priorities on the compliance team’s plate, taking the time now to review your FI’s program for complying with the provisions of the FCRA covering obtaining and sharing consumer information before the next compliance examination and implementing the suggestions set forth in this article will take you one step closer to a satisfactory examination outcome.