Heads down, keep your eyes on your own paper, and no discussing with your neighbor. Question 1—In one word or less, are you breaking the law?

Complying with Federal consumer financial laws is hard. Put simply, there are a lot of them. After all, the CFPB filled up 924 pages with laws, rules and regulations.  As we explained last week, even the best compliance companies miss the mark sometimes.

In our experience, the Fair Credit Reporting Act (FCRA) is the most challenging law for consumer finance companies.  The reason is that the FCRA is comprised of scores of separate rules, requirements, provisions and regulations. Each one is a potential violation of law for a company.  To put it in perspective, the CFPB Supervision and Examination Manual spends 18 pages on Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), 10 pages on the Fair Debt Collection Practices Act (FDCPA), 42 pages on the Gramm-Leach-Bliley Act (GLBA) Privacy Rule, and 86 pages on the FCRA.

Most consumer finance companies (hopefully) know about the “big rules”, namely the Red Flags Rule, the Risk-Based Pricing Rule, the Adverse Action Rule, and the Furnisher and Direct Dispute Rules.  However, many companies do not know about other important FCRA Rules.  In today’s post, we review several of the lesser known provisions of the FCRA. So, sharpen your pencils, and let’s begin.

  1. Negative Information Notice. Section 623(a)(7) of the FCRA requires financial institutions to provide consumers with a notice either before, or within 30 days after, furnishing negative information to a consumer reporting agency.  The negative information notice may be included on disclosures, bills or default notices and may be sent to all customers. The regulations include model language.
  2. Affiliate Marketing Opt-Out. Section 624 of the FCRA gives a consumer the right to prohibit a company that does not have a pre-existing business relationship from using information obtained from an affiliate for marketing purposes. Before an entity may market to its affiliate’s customers, the affiliate must give an opt-out notice. Some companies include the opt-out on GLBA privacy forms.
  3. Re-Pollution. Section 623(a)(6) of the FCRA requires companies that furnish information to consumer reporting agencies to have policies and procedures to keep from re-reporting (or “re-polluting”) information that is allegedly the result of identity theft.  To fully comply with the law, companies need to have written policies in place.
  4. Fraud and Active Duty Alerts. Under Section 605A(h) of the FCRA, a financial institution must have reasonable policies and procedures to verify the identity of a consumer who has a fraud or active duty alert on his or her consumer report.
  5. Information to Identity Theft Victims. Section 609(e) of the FCRA states that upon the request of a victim of identity theft, a financial institution must provide copies of the application and other business records. Before releasing any records, the company must take steps to verify the identity of the person making the request.

In one word or less, did you pass the pop quiz? Or, are you breaking the law?