FCRA—a sleeping regulation awakes

The Fair Credit Reporting Act, enacted in 1970, has not been a compliance problem for the 45 years of its existence—that is, the first 45.

What FCRA is about

This law—FCRA for short—governs the collection and distribution of consumer credit history by private companies, referred to as “credit reporting agencies.” One of the primary purposes of the law is to ensure that these credit reporting agencies report accurate information and that consumers have a method to dispute the information reported.

FCRA also has a few requirements for “users,” that is, those who purchase the reports as well as reporters of consumer credit information, like financial institutions, retailers, utility companies, and credit card companies.

For example, if a consumer is denied credit based in part or in whole on a credit report, the report user must provide an adverse action notice stating that fact and providing contact information on the agency whose report was used. In addition, if a consumer disputes information, the furnisher of the information is required to investigate and correct the disputed items, if they are wrong.

Congress did not authorize issuing regulations to implement FCRA, and for the entire history of the law, there have been few regulatory enforcement actions related to its requirements.

This is about to change.

CFPB takes the wheel

Congress gave the Consumer Financial Protection Bureau jurisdiction over FCRA in the Dodd-Frank Act in 2010. CFPB has conducted research into the accuracy of consumer credit information reported by financial institutions and how consumer disputes are handled by the credit reporting agencies.

CFPB has indicated its concern with inaccurate credit reports and the damage they can do to the ability of consumers to get high quality, reasonably priced credit products. In fact, the bureau has published stories on its website of how inaccurate reports harm consumers.

In 2014 CFPB issued an enforcement action against a furnisher of consumer credit information, finding that the company did not have procedures to ensure the accuracy of the reports. The lack of compliance was found to be a violation of UDAAP (“Unfair, Deceptive, or Abusive Acts or Practices) as well as a violation of FCRA.

In 2013 the Federal Trade Commission found that 25% of consumers indicate that some data on their credit reports is incorrect. CFPB found that the process for resolving disputed accounts was not comprehensive enough and that consumers were unable to provide complete information on the disputed item.

Other issues that concern CFPB include the fact that there are incidences where adverse credit information stays on the consumer’s report beyond the statutory time period, and that information on bankruptcies and charged-off loans are timely and appropriately updated.

In December 2014, CFPB required the credit reporting agencies to send monthly reports of the number of disputed credit reports and which credit furnishers had the most disputes, both in total and in comparison with their peers. This information is presumably a proxy for incorrect credit information.

Where banks come in

Financial institutions have long reported credit history automatically, from one system (i.e., the bank’s loan system) to another (i.e., credit agencies’ data bases). While this is generally how the process works, in reality, many financial institutions contract with third-party servicers and debt collectors to report consumer credit information to the credit bureaus.

Since this process is automated, with little to no human intervention, many have believed that the accuracy was assured and there was little need to test the data for errors.

Now, with the intense scrutiny that consumer credit reporting is drawing financial institutions should consider doing the following:

1. Strengthen your FCRA compliance management program.

This includes reviewing the compliance program and overall FCRA governance for completeness. Institutions must make sure that policies and procedures are up to date; that FCRA risk assessments are rigorous; and that key risk indicators (KRIs) and management reporting are robust.

The management program, in this context, also includes the controls for managing any third parties and vendors that report consumer credit on behalf of the bank.

2. Conduct an assessment of the current state of FCRA operations.

“FCRA operations” includes all processes from the uploading of consumer credit history from the lender’s actual files to the transmission of information to the credit reporting agencies. These are likely to comprise more than one system-to-system transfers.

In many cases there may be multiple systems of record for different types of consumer loans. This is especially true if outside servicers are vendors who are used to service or collect loans.

Pay special attention to any department in the bank or any vendor that is dealing with delinquent accounts. These are especially important to CFPB.

The procedures to report credit information must include controls for information accuracy. The accuracy of the data should be tested periodically with samples that are large enough to gain an understanding of the overall data quality.

3. Review your procedures for resolving credit disputes.

The days of spending little to no time to push back a credit reporting dispute are over. Every institution should treat a dispute as a serious complaint and undertake to review the record from scratch.

4. Remediate all known issues.

If you know that accounts have been reported incorrectly, be proactive and remediate them. This means that the account history should be compared to the credit report and any needed updates made. Doing this in a proactive manner, rather than a reactive one will save a lot of time and money in the long run.

5. Pay particular attention to debt sales and debt collectors.

If the financial institution has sold debt in the past or uses third party debit collectors, scrutinize how credit accounts are reported by these entities.

The bank will be liable for any consumer harm that it could have prevented by being more diligent with its data.

CFPB’s running FCRA now

The necessity for taking these precaution are a testament to the new teeth in FCRA enforcement. Institutions and the credit reporters cannot point their fingers at each other and assume that problems are the fault of another party. Now everyone is on the hook to make sure that credit data reported on consumers are correct.