As published in ABA Risk and Compliance, March/April 2024
There are many reasons why a bank may need to obtain a consumer report from a consumer reporting agency (CRA), including evaluating a loan applicant’s credit history or credit score, evaluating a depositor’s request for a new account, or investigating the background of an applicant for employment. To access information from a CRA, the bank must have a permissible purpose, and in some cases, the bank must have written authorization from the consumer to obtain a consumer report.
This column will outline the rules a bank must follow for obtaining and using consumer reports according to the Fair Credit Reporting Act (FCRA) and provide tips for effective FCRA compliance management.
Before diving into permissible purpose and use of consumer reports, we should first understand what a consumer report is. In summary, the FCRA defines a consumer report as any communication of information by a CRA that is used for establishing a consumer’s eligibility for credit, insurance, employment, or any other permissible purpose as established in Section 604 of the FCRA. Under the FCRA definition, a report is not a consumer report if it contains only information as to the reporting institution’s experience with a specific consumer. While not within the scope of this article, banks should understand what constitutes a consumer report with respect to information they may be providing about their customers to third parties. In some circumstances, providing such information may cause the bank to be considered a CRA, which has its own set of FCRA requirements with which the bank must comply.
In this article, we will focus on the use of consumer reports for establishing credit, opening deposit accounts, and screening employment candidates as these are the common purposes for which your institution may obtain a consumer report.
Consumer Reports for Credit and Deposit Transactions
In the context of lending, you may have heard other references to a consumer report such as a credit report, a credit bureau report, or maybe even just a “bureau” (as in, “I need to pull a bureau for this loan application.”). Regardless of what your financial institution calls it, a consumer report can be obtained (in other words, there is a permissible purpose) if it is intended to be used in connection with a credit transaction. The credit transaction also includes post-consummation activities such as account review to determine ongoing qualification or collection of a delinquent account. The caveat here is that the credit transaction must involve the consumer for whom the consumer report is obtained (FCRA Section 604(a)(3)(A)). In the case of business purpose credit, a consumer report may only be obtained on those who will be personally liable for the credit such as a sole proprietor or guarantor. Consumer reports on principals, officers, board members, or others who are part of the business but not liable for the credit are not authorized as a permissible purpose as part of a credit transaction. Consumer reports on those who are not a party to the loan may only be obtained upon their written consent (FCRA Section 604(a)(2)).
Many financial institutions also obtain consumer reports in connection with opening deposit accounts through entities such as ChexSystems or other similar specialty CRAs. The institution has a permissible purpose for obtaining these reports because the FCRA affords permissible purpose for a “legitimate business need” in connection with a business transaction initiated by the consumer (such as a request to open a deposit account) or to review an account to determine whether the consumer continues to meet the terms of the account (FCRA Section 604(a)(3)(F)).
While written authorization from the consumer is not required for establishing permissible purpose in a credit transaction or in opening a new deposit account, it is a good practice to properly document that there is a legitimate business need. An effective way this can be accomplished is by requiring signed applications for all credit transactions and signed signature cards for all deposit accounts for which a consumer report is contemplated.
When someone in your institution “pulls a bureau,” the information is retrieved from one or more CRAs. The CRAs store a substantial amount of personal information about consumers, so to avoid access to that information for illegitimate or exploitative purposes, the FCRA includes requirements the CRAs must follow before they provide a consumer report in response to a request. These requirements include certification from the institution that it has a permissible purpose to obtain the report. This certification is typically included as part of the contract between the institution and the CRA, and therefore it is generally not something with which individual staff members need to be concerned. Where staff do need to be concerned is in understanding and following internal controls to assist in compliance with the permissible purpose requirement. Such controls may include:
- Policies and procedures that outline the institution’s requirements and expectations for obtaining consumer reports;
- Limitations on who within the institution has authorization and access to obtain consumer reports;
- Limitations on who within the institution has access to information contained in consumer reports after they have been obtained, in furtherance of the institution’s policies on safeguarding customer information;
- Training employees so they understand their responsibilities with regard to FCRA compliance and permissible purpose;
- Periodic reviews of billing statements from the CRAs to confirm that consumer reports appearing on the billing statements were authorized; and
- Monitoring complaints related to permissible purpose such as a consumer’s allegation that a credit inquiry was not authorized.
A compliance pitfall that can be avoided by following these internal controls relates to a loan originator who “prequalifies” a potential applicant before the application has been completed. To illustrate, suppose a consumer calls the bank to inquire about a loan, and during the conversation, the loan originator acquires enough information from the consumer to obtain a consumer report. In reviewing the report, the originator determines that the consumer’s credit score is less than the minimum score to qualify for the loan program being discussed. The originator informs the consumer that he will not qualify and terminates the discussion. In this scenario, several compliance exceptions are noted. There was no permissible purpose for obtaining the consumer report as an application had not been completed. Beyond the FCRA exception, the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B were also violated as the originator discouraged the consumer from completing the application and failed to provide proper notice of adverse action, including FCRA and Regulation B disclosure requirements. By implementing policies and procedures that establish the point at which a consumer report may be obtained, aligning system specifications and limitations with those policies and procedures, and training the originator, the risk of this scenario occurring is mitigated.
Consumer Reports for Employment Purposes
In contrast to the foregoing, in which written authorization is not required to establish permissible purpose, we will now turn our attention to consumer reports for employment purposes, which include evaluating a candidate for employment or evaluating an employee for a promotion, reassignment, or retention. Not only is written authorization from the consumer required, but a disclosure must also be provided to the consumer in writing before the consumer report is obtained. The disclosure must state that a consumer report may be obtained for employment purposes, and the disclosure may not be combined with any other information except that the consumer’s written authorization may be evidenced on it (FCRA Section 604(b)(2)(A)).
There are additional disclosure requirements if the institution makes an adverse employment decision because of information contained in the consumer report. Prior to taking the adverse action, the institution must provide to the consumer a copy of the report on which the decision was based along with a written description of the consumer’s rights to obtain and dispute information in the report. In addition, at the time the institution takes adverse action, a notice of adverse action that complies with Section 615 of the FCRA (credit score and CRA information) must be provided to the consumer.
To mitigate compliance risk in using consumer reports for employment purposes, effective policies and procedures should address not only the requirements described but also expectations for assessing credit history in the context of employment purposes to ensure consistent treatment among candidates. If your institution outsources this part of the hiring process, service providers should be monitored as part of the risk management of third-party relationships, including confirmation that all disclosure requirements are being met.
Considerations for Examination Management
Examiners will review FCRA risk as part of the institution’s compliance examinations. Bank management should be proactive in maintaining documentation that describes how FCRA risk has been mitigated with regard to permissible purpose and use of consumer reports so examiners are not left to make assumptions and apply further scrutiny in the examination process.
The first step in demonstrating a strong FCRA compliance management system (CMS) is to implement effective policies and detailed procedures. The FCRA policy should include the following elements at a minimum:
- Statement of purpose, scope, and policy statement to describe the activities in which the institution engages that are covered by the FCRA and state the commitment to compliance and how the institution intends to achieve it.
- Policy ownership, roles, and responsibilities in the institution’s approach to FCRA compliance.
- FCRA training requirements that align with the institution’s overarching training program.
- Record retention requirements as prescribed in the FCRA when applicable.
- Version control that maintains the policy’s implementation date and brief history of revisions.
- Board or committee approval.
In addition to the policy, procedures should be written that provide the details for complying with the policy. The goal of any procedure document should be that employees can follow the steps outlined, including any system access and entry, to complete their job responsibilities effectively with little additional guidance. As indicated earlier, procedures should address requirements for establishing permissible purpose, limitations on access to consumer reports, use and consistent evaluation of consumer reports, and accurate and timely disclosures when required.
As part of the overarching training program, training records should be maintained and should include descriptions of content, employee rosters, and completion status. Such records should be maintained for any training required and completed since the prior examination.
Records of FCRA compliance monitoring and testing activities completed since the prior examination should also be maintained. For each activity, be sure to document the date and scope of the review, summary of findings, corrective action plans, and any follow-up conducted. Any source documentation reviewed as part of testing, such as CRA billing statements and evidence of the sampling completed to determine permissible purpose for items on the statements, may also be helpful. If testing schedules are based on a risk assessment, that should also be presented for examiner review.
Regulators consider consumer complaints a significant indication of risk, and an effective complaint management program is a regulatory expectation. Identify FCRA-related complaints, particularly those alleging unauthorized credit inquiries, and summarize their resolution to be included as part of the information provided to the examination team.
In addition to the elements of the FCRA CMS, copies of contracts with each of the CRAs should be accessible for review by the examination team.
Conclusion
Despite the FCRA having become effective over fifty years ago in 1971, it continues to be a highly scrutinized area during compliance examinations. With so many priorities on the compliance team’s plate these days, taking the time now to review your bank’s program for complying with the permissible purpose and use provisions of the FCRA before the next compliance examination and implementing the suggestions set forth in this article will take you one step closer to a satisfactory examination outcome.