Fact Sheet 6a:
Facts on FACTA, the Fair and Accurate Credit Transactions Act




Copyright © 2004 - 2014
Privacy Rights Clearinghouse
Posted August 2004
Revised April 2014

  1. Introduction
  2. Help for Identity Theft Victims
    1. Free Credit Reports
    2. Fraud Alerts and Active Duty Alerts
    3. Truncation: Credit Cards, Debit Cards, Social Security Numbers
    4. Information Available to Victims
    5. Collection Agencies
    6. Red Flags
      1. Red Flags
      2. Change of Address with Request for Replacement Cards
      3. Address Discrepancy in Credit Report
    7. Disposal of Consumer Reports
  3. Notice of Consumer Rights
  4. Credit Scores
  5. Disputing Inaccurate Information
  6. Negative Information in a Consumer Report
  7. Medical Information and Consumer Reports
  8. Nationwide Specialty Consumer Reporting Agencies
  9. Workplace Investigations
  10. Information Sharing Among Affiliates – Opt-Out for Marketing
  11. Risk-Based Pricing
  12. Learn More about FACTA's Rulemaking Process
  13. References

 1. Introduction

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA. (Pub. L. 108-159, 111 Stat. 1952)

This is all good news for consumers. However, consumers came out on the losing end when Congress virtually barred states from adopting stronger laws. The Notes section at the end of this guide has more information about Congressional pre-emption of state laws.

Throughout this guide we use the terms "law" and "regulations" or "rules" when referring to new consumer rights under FACTA. For consumers trying to understand the process, this can be confusing. To simplify, a bill introduced in Congress becomes law after it is approved by both the House of Representatives and the Senate and then signed by the President.

The law often directs the appropriate federal agency or agencies to adopt regulations, or rules, that expand upon the provisions included in the law. In most cases, federal agencies publish proposed regulations seeking public comment. Industry representatives, private citizens, other government agencies, consumer organizations, and anyone else with an interest can submit written comments to the agency. After the comment period is completed and the agency has analyzed all the comments, it then issues the final rules. Properly adopted rules have the same effect as a law passed by Congress.

Some sections of FACTA were effective December 1, 2004. Other sections directed federal agencies to solicit public comment and then adopt final regulations. In addition to the Federal Trade Commission (www.ftc.gov), the federal financial agencies have jurisdiction and are involved in writing regulations to implement FACTA.

 2. Help for Identity Theft Victims

The crime of identity theft has continued at epidemic proportions. Several widely reported surveys on the number of identity theft victims were released as Congress went into final hearings on FCRA amendments. A shocking report released by the Federal Trade Commission (FTC) in September 2003 estimated that approximately 10 million people were victims of identity theft in 2002 alone. More recently, a February 2014 report by Javelin Strategy and Research estimated that 13.1 million persons were victims of identity fraud in 2013. This represents the second-highest total since Javelin began conducting its annual study in 2004. http://money.cnn.com/2014/02/06/pf/identity-fraud/

In response to the findings about identity theft, Congress adopted a number of provisions aimed at prevention and help for victims. The FTC has also published a revised guide for identity theft victims which includes FACTA provisions. Take Charge: Fighting Back Against Identity Theft can be found at www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.

 A. Free Credit Reports

Consumer advocates have long encouraged individuals to monitor their credit reports as a way to detect identity theft. The standard advice was to request a copy of your credit report once a year from each of the three national credit bureaus: Experian, TransUnion, and Equifax. Before FACTA, consumers usually had to pay up to $9.50 to get a copy of their reports from each of these credit bureaus.

Congress recognized the benefits of self-monitoring. It adopted a rule that allows you a free copy of your credit report annually from each of the "big three." (Read more about the rulemaking on this provision.)

Should I contact each credit bureau for my free report?

No. The only way to get your free reports is through a centralized source, a combined effort by the three national bureaus. Free reports are available through a dedicated web site, www.annualcreditreport.com. You may order by telephone at (877) 322-8228 or by mail. For a copy of the mail-in form, go to http://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf

What is the best way to order my free reports?

We recommend you order free reports by telephone or mail. A World Privacy Forum report released in July 2005 exposed hundreds of imposter web sites. To read the full report and tips for ordering free reports, see http://www.worldprivacyforum.org/2005/07/report-call-dont-click-update-still-be-smart-about-ordering-federally-mandated-free-credit-reports/

The FTC filed suit against one imposter site and sent warning letters to many others. Some bogus sites lure you in with "free" offers, but just want to sell you products like credit monitoring services. Others are outright frauds that aim to steal your personal information. To read more about fake sites, see www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt130.shtm

If you still prefer to order your free reports online, make sure you link to the only official web site. The safest way to do this is through the FTC's web site which includes more information on annual reports. www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt156.shtm. Never visit a site you find through a search for terms like "free credit reports," "free credit scores," or "free credit checks."

Am I still entitled to a free credit report if I am unemployed?

Yes, and for other reasons as well. You can still get a free copy of your credit report if you certify to the credit reporting agency that:

  • You are unemployed and intend to apply for employment in the 60-day period beginning on the date you make the certification.
  • Or you receive public welfare assistance.
  • Or you believe your file contains inaccurate information due to fraud.

FACTA also gives you rights to a free credit report if you are a victim of identity theft. For more on this, see Section 2B below on fraud and active duty alerts.

In addition to free credit reports, FACTA gives you the right to one free report annually from a consumer reporting agency that compiles reports on employment, medical records, check writing, insurance, and housing rental history. For more on what FACTA calls "nationwide specialty consumer reporting agencies," see Section 8 below and PRC Fact Sheet 6b, The 'Other' Consumer Reports: What You Should Know About Specialty Reports, www.privacyrights.org/fs/fs6b-SpecReports.htm.

I live in one of the states that passed a law prior to FACTA giving residents free reports. Can I order an additional free credit report under my state's law?

Yes. The seven states that have laws on the books giving their residents a free credit report annually are: Colorado, Georgia (two per year), Maine, Maryland, Massachusetts, New Jersey, and Vermont. If you live in one of these states, you can obtain a free report from each bureau annually under federal law and an additional free report under your state's law. For information on obtaining these additional reports, read http://money.msn.com/credit-rating/get-extra-credit-reports-for-free.aspx.

 B. Fraud Alerts and Active Duty Alerts

If you are the victim of identity theft, FACTA gives you the right to contact a credit reporting agency to flag your account. To place a fraud alert, you must provide proof of your identity to the credit bureau. The fraud alert is initially effective for 90 days, but may be extended at your request for seven years when you provide a police report to the credit bureaus that indicates you are a victim of identity theft.

FACTA creates a new kind of alert, an active duty alert, that allows active duty military personnel to place a notation on their credit report as a way to alert potential creditors to possible fraud. While on duty outside the country, military members are particularly vulnerable to identity theft and lack the means to monitor credit activity. An active duty alert is maintained in the file for at least 12 months.

If a fraud alert or active duty alert is placed on your credit report, any business that is asked to extend credit to you must contact you at a telephone number you provide or take other "reasonable steps" to see that the credit application was not made by an identity thief.

FACTA gives you the right to a free copy of your credit report when you place a fraud alert. With the extended alert (seven years), you are entitled to two free copies of your report during the 12-month period after you place the alert.

FACTA provisions also allow you to "block" certain items on your credit report that resulted from identity theft. Like the fraud alert, "blocking" was already an option for consumers in some states. With FACTA, Congress has made "blocking" the national standard.

 C. Truncation: Credit Cards, Debit Cards, Social Security Numbers

Credit card receipts that include full account numbers and expiration dates are a gold mine for identity thieves. FACTA says credit and debit card receipts may not include more than the last five digits of the card number. Nor may the card's expiration date be printed on the cardholder's receipt. However, this does not apply to receipts for which the sole means of recording a credit or debit card number is by handwriting or by an imprint or copy of the card.

Another FACTA section allows consumers who request a copy of their file to also request that the first 5 digits of their Social Security number (or similar identification number) not be included in the file.

D. Information Available to Victims

For victims, obtaining copies of the imposter's account application and transactions is an important step toward regaining financial health. A business that provides credit or products and services to someone who fraudulently uses your identity must give you copies of documents such as applications for credit or transaction records. The business must also provide copies of documents to any federal, state, or local law enforcement agency you specify.

To obtain account documentation, you must supply proof of your identity. The business may also ask you to provide a police report and an identity theft affidavit. For a copy of the FTC's fraud affidavit, see www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf. You must also:

  • Make your request in writing. 
  • Mail the request to the business at an address it specifies. 
  • If the business asks, include relevant information about dates and account numbers.

Are there reasons a business would not have to give me this information?

Yes, there are some exceptions. A business does not have to provide this information if:

  • There is not a "high degree of confidence" in your true identity. 
  • The request contains a misrepresentation of fact. 
  • The information is Internet navigational data or similar information about a person's visit to a web site or online service.

Can I sue a business for not turning information over to me?

The business can be sued only by a government agency. And the business cannot be held civilly liable if it makes a “good faith” effort to comply.

E. Collection Agencies

A call from a collection agency is often the first sign of trouble for an identity theft victim. Under FACTA, if you are contacted by a collection agency about a debt that resulted from the theft of your identity, the collector must so inform the creditor. You are entitled to receive all information about this debt -- such as applications, account statements, late notices from the creditor -- that you would be entitled to see if the debt were actually yours. In addition, FACTA says that a creditor, once notified that the debt is the work of an identity thief, cannot sell the debt or place it for collection.

For more on collection agencies, see the PRC guide Debt Collection Practices: When Hardball Tactics Go Too Far, www.privacyrights.org/fs/fs27-debtcoll.htm. The FTC's guide for identity theft victims also includes information on how to deal with collection agencies. Read Take Charge: Fighting Back Against Identity Theft, www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.

F. Red Flags

Consumer advocates have long pointed out that consumers can only go so far in protecting against identity theft, and that much of the problem lies with lax procedures of credit issuers and other companies that use information from credit reports. A climate of easy credit has made some creditors far too willing to accept a change of address, a request for a replacement credit card, or reactivation of a dormant account.

In adopting FACTA, Congress recognized that consumers are helpless to prevent identity theft if businesses ignore the events that signal a potential fraud. Thus, FACTA incorporates several provisions that require financial institutions, creditors, and other businesses that rely on consumer reports to detect and resolve fraud by identity theft.

The so-called “red flags” and related sections of FACTA include:

  • Red Flag Guidelines and requirements for credit and debit card issuers to assess the validity of a change of address request. (FACTA §114, FCRA §615(e)).
  • Procedures to reconcile different consumer addresses. (FACTA §315, FCRA §605(h)(2)).

The Red Flags Rule was originally set to become effective on November 1, 2008, but the effective date was postponed several times until finally becoming effective on January 1, 2011. http://www.frostbrowntodd.com/resources-1279.html

The FTC has published a how-to business guide, entitled Fighting Fraud with the Red Flags Rule, www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml. The FTC has also established a dedicated e-mail address to answer questions about the new red flags requirements. Questions may be sent to the agency at RedFlags@ftc.gov. The FTC, joined by the federal banking agencies, provided further business guidance by issuing answers to frequently asked questions about the Red Flags Rule. www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm

A major source of confusion centers on who must comply with the Red Flags Rule, which applies to “financial institutions” and “creditors.” Clearly, banks and credit unions are “financial institutions” and must comply. The term “creditor” under the Rule, however, goes far beyond credit card companies or dealers who arrange a car loan.

Under the Red Flags Rule, a “creditor” is anyone who provides products or services for later payment. Utility and telecommunications companies are “creditors” as are many small businesses that provide day-to-day services and bill later. For a business that faces a low risk of identity theft the FTC offers a do-it-yourself prevention guide. The guide allows businesses to assess their own risk by answering the following four questions:

  • Do you know your clients personally?
  • Do you usually provide your services at your customer's home?
  • Have you ever experienced an incident of identity theft?
  • Are you in a business where identity theft is uncommon?

The FTC’s guide for businesses at low risk for identity theft can be found at: www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf

A bill (S3987) to limit the scope of the Red Flags Rule became law when signed by President Obama on December 18, 2010. Known as the Red Flags Clarification Act of 2010 (RFCA), the law defines “creditor” as a business that:

  • Obtains or uses consumer reports, directly or indirectly in connection with a credit transaction;
  • Furnishes information to a consumer reporting agency, or
  • Advances funds based on an obligation to repay the funds or repayable from specific property.

The law does not, however, include a creditor that advances funds for expenses incidental to a service. Congress left the FTC to decide, through rulemaking, other types of creditors whose accounts could be subject to a “reasonably foreseeable risk of identity theft.”

To read the full text of the RFCA, go to: www.gpo.gov/fdsys/pkg/BILLS-111s3987enr/pdf/BILLS-111s3987enr.pdf

Unlike earlier bills introduced by Congress to limit the FTC’s Red Flags Rule, the RFCA does not identify specific kinds of business (e.g. healthcare providers and attorneys) that do not have to comply.

Even though most healthcare providers will not have to adopt a Red Flags Program, medical identity theft remains a reality and a serious problem for consumers who fall victim to this crime. To address the continuing risk of medical identity theft, the FTC has published the following guidance for healthcare providers about how to detect and combat medical identity theft.

The FTC’s guidance for consumers related to medical identity theft can be found here: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt10.shtm

The U.S. Court of Appeals for the District of Columbia Circuit has found that the FTC cannot regulate lawyers under the Red Flags Rule. Read more about this case at http://www.americanbar.org/publications/governmental_affairs_periodicals/washingtonletter/2011/march/redflagsvictory.html

On April 19, 2013, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) issued final rules establishing Red Flags guidelines. (78 FR 23637) The Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111-203, added the CFTC and SEC to the list of other federal agencies directed by the FACT Act to adopt and enforce Red Flags Rules.

1. Red Flags

Businesses that use consumer reports, under the new rules, must adopt a plan to detect, prevent and mitigate identity theft. The plan must be approved by the company’s board of directors or senior management. The rules identify certain signals of actual or attempted identity theft, but each company is left to establish plans based upon a risk assessment of its own operations. Signals identified by the agencies as warranting increased alert include:

  • Consumer's notation on a credit report such as a fraud alert, active duty alert, or credit freeze.
  • Unusual patterns in the consumer's use of credit, such as a recent increase in inquiries or new credit accounts, changes in the use of credit, or accounts closed.
  • Suspicious documents that appear to be altered, forged or reassembled, or documents that include information that is inconsistent with the person applying for credit.
  • Suspicious Social Security number (SSN), for example an SSN that has not been issued or is listed on the Social Security Administration's Death Master File. Another example would be one in which the SSN range does not match the date of birth or is the same SSN as provided by other persons opening an account.
  • Suspicious address or phone number as follows: (a) the address or phone number is known to have been furnished on fraudulent applications; (b) the address either does not exist or is that of a mail drop or prison; (c) the phone number is invalid or associated with a pager or answering service; or (d) the address or phone number is the same or similar to information submitted by other persons opening accounts.
  • Use of an account that has been inactive for a "reasonably lengthy period of time."
  • Mail sent to the account holder is returned while transactions continue.
  • Notice from the account holder or law enforcement that identity theft has occurred.

2. Change of Address with Request for Replacement Cards

A common practice among identity thieves is to notify a credit or debit card issuer of a change of address. Soon after the change of address notice, the thief asks the card issuer for replacement cards.

Now, before a new or replacement card can be issued, card issuers must take steps to assess the validity of a change of address. This applies at least within the first 30 days after an address change notification. Extra steps are required whether the change of address notice comes directly from the consumer or from the Postal Service.

An address change notice combined with a request for new or replacement cards means the card issuer must verify the address by contacting the cardholder. Card issuers are also free to adopt alternate procedures for verifying an address.

The rule applies to debit and credit cards issued by a financial institution as well as payroll cards and recipients of a home equity loan if the cardholder is able to access the loan with a debit or credit card. Stored value or prepaid cards such as gift cards are not subject to this rule. Because an identity thief’s use of a business card may affect an individual’s personal credit rating, the rules equally cover cards issued for personal, household, family or business purposes.

3. Address Discrepancy in Credit Report

A consumer’s attempt to open a new credit account or increase an existing line of credit almost certainly results in the use of a consumer report. Rental and employment applications may also trigger the request for a credit report. Under rules in place since December 1, 2004, credit bureaus must notify the creditor, landlord, employer or other requester if the address supplied by the consumer “substantially differs” from the address included in the bureau’s files.

As part of the “red flags” rules, credit report users that receive an address discrepancy notice from a credit bureau must take additional steps to verify the identity of the person applying to open an account or rent a property. Financial institutions required to adopt Customer Identification Programs (CIP) by the USA PATRIOT Act, Pub.L. 107-56, are instructed to follow the CIP standards for verifying identity for purposes of this FACTA section.

Others (such as employers and landlords) that are not subject to the CIP rules are encouraged to adopt similar practices. For more on CIPs required by the USA PATRIOT ACT, see PRC Fact Sheet 31, www.privacyrights.org/fs/fs31-CIP.htm

Once a financial institution verifies a customer’s identity, the results may be reported back to the credit bureau. However, this additional step is required only if (1) a relationship is established with the consumer and (2) the financial institution regularly reports to the credit bureau.

G. Disposal of Consumer Reports

The practice known as "dumpster diving" provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Now, under FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal.

The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports. The FTC lists the following as among those that must comply with the rule:

  • Lenders
  • Insurers
  • Employers
  • Landlords
  • Government agencies
  • Mortgage brokers
  • Automobile dealers
  • Attorneys and private investigators
  • Debt collectors
  • Individuals who obtain a credit report on prospective nannies, contractors, or tenants
  • Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the rule.

To read the FTC's full business alert about the disposal rule, see http://business.ftc.gov/documents/alt152-disposing-consumer-report-information-new-rule-tells-how. (Read more about the rulemaking process for this provision.)

3. Notice of Consumer Rights

Under FACTA, credit reporting agencies have an obligation to give identity theft victims a notice of their rights. This includes, among other things, notice of: (1) the right to file a fraud alert, (2) the right to block information in a report that resulted from fraud, and (3) the right to obtain copies of documents used to commit fraud.

This notice of rights is in addition to a general notice of rights already required by earlier FCRA amendments. The FTC has issued final regulations and a sample copy of the identity theft rights. Under the FTC's rule consumers who report fraud to a consumer reporting agency will receive the special victims' notice of rights. The FTC's final rule also includes notices that explain the obligations of companies that furnish information on consumers as well as those that use consumer reports. (Read more about the rulemaking process for this provision.)

4. Credit Scores

It has become increasingly common for lenders to make decisions based upon a "score." Until recently, consumers did not have access to their score or information about the factors that made up the score. Common sense says a series of late payments can lead to a bad credit rating. However, a score is determined by other factors as well, and to give you the chance to improve your score, you should know how the score is calculated.

Even if you do not have a history of late payments, your score may be lowered if your credit card balance is close to the limit or if you are just starting out with using credit. If you are looking for a car loan or thinking of refinancing your mortgage, it is a good idea to check your score before you apply for new credit.

What is a credit score?

FACTA defines a "credit score" as:

A numerical value or categorization derived from a statistical tool or modeling system used by a person who makes or arranges a loan to predict the likelihood of certain credit behaviors, including default (and the numerical value or the categorization derived from such analysis may also be referred to as a "risk predictor" or "risk score"). (FCRA §609(f)(2))

The definition does not include a mortgage score. FACTA provides separate requirements for scores generated for home loans and mortgage lenders. (FCRA §609(g)) In addition, the score consumers are entitled to see under FACTA is an "educational" score intended to inform consumers about how scoring works. This is not the FICO score that lenders are likely to view.

For more on credit scores, see PRC Fact Sheet 6c, Your Credit Score: How It All Adds Up, www.privacyrights.org/fs/fs6c-CreditScores.htm.

See also the FTC publication, www.ftc.gov/bcp/edu/pubs/consumer/credit/cre24.shtm. Visit the web site for Fair Isaac, the company that originated the credit scoring model, www.myfico.com. For information on credit scores used by insurers, see the PRC publication, CLUE and You: How Insurers Size You Up, www.privacyrights.org/fs/fs26-CLUE.htm. (Read more about the rulemaking process for this provision.)

5. Disputing Inaccurate Information

Consumer reports combine data voluntarily submitted to one or more of the national bureaus by companies that have had business dealings with the consumer. The FCRA defines such companies as "furnishers" of information. When creditors and others access a consumer's report, data is generally accepted as unquestionably true.

By its very name, the Fair and Accurate Credit Transactions Act places new emphasis on accuracy of information in consumer reports. Two FACTA sections aim to improve the accuracy and integrity of information as well as give consumers a new right to dispute data included in reports directly with the company that furnished it. These sections are:

  • Accuracy guidelines for financial institutions and creditors that furnish information to credit bureaus. (FACTA §312(a), FCRA §623(e)(1)).
  • Ability of consumers to dispute information with companies that report to credit bureaus. (FACTA §312(c), FCRA §623(a)(8)).

On July 1, 2009, the federal banking agencies and the FTC adopted final rules to carry out the FACTA section that allows consumers to directly dispute inaccurate information with the creditor that furnished it to a consumer reporting agency (CRA). At the same time, the agencies published guidelines that financial companies should follow to ensure the accuracy and integrity of information they furnish to a CRA. The rules and accuracy guidelines took effect July 1, 2010.

Upon notice from a consumer that inaccurate information has been furnished to a CRA, the creditor must conduct a “reasonable” investigation and issue its findings within 30 days, with one 15-day extension allowed. This is the same amount of time credit bureaus have to investigate and respond to a consumer dispute.

Only certain kinds of disputes require an investigation. Disputes which require an investigation include those that relate to:

  • Consumer’s liability, for example, when the consumer has been the victim of identity theft or fraud.
  • Terms of the credit account such as the principal balance, scheduled payments or credit limits on open-end accounts.
  • Performance on the account, such as the date of payments or the date an account was opened or closed.
  • Any other information that bears on the consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.

Companies that furnish information to a credit bureau are not required under the rules to investigate disputes that relate to:

  • Identifying information such as name, date of birth, Social Security number, telephone numbers or addresses.
  • Past or present employers.
  • Inquiries listed on the consumer’s credit report.
  • Information derived from public records such as bankruptcies, liens and other legal matters.
  • Information related to fraud alerts.
  • Information provided to a credit bureau by another creditor.
  • Disputes the creditor believes were prepared by a credit repair organization.

Disputes must be submitted to the proper address, that is, one the creditor includes in a consumer report, an address specified as a dispute address, or any business address if no specific dispute address is designated.

To be investigated, a dispute must include:

  • Information sufficient to identify the disputed account such as account number, and the consumer’s name, address and telephone number.
  • Supporting documentation such as the consumer report that contains disputed information, a police report, a fraud or identity theft affidavit or a court order.

Companies may decline to investigate a dispute they find to be “frivolous” or “irrelevant.” Disputes fall into this category if the company determines the consumer did not provide enough information or the dispute is substantially the same as one submitted previously.

The FACTA dispute rules can be found at: www.ftc.gov/opa/2009/07/facta.shtm.

On September 4, 2013, the Consumer Financial Protection Bureau (CFPB) put furnishers on notice that they are responsible for investigating consumer disputes forwarded by the consumer reporting companies. Furnishers are also responsible for reviewing all relevant information provided with the disputes, including documents submitted by consumers. (CFPB Bulletin 2013-09)

For disputes about errors with the credit bureaus, see the FTC publication, How to Dispute Credit Report Errors, www.ftc.gov/bcp/edu/pubs/consumer/credit/cre21.shtm and PRC Fact Sheet 6, How Private is My Credit Report.

6. Negative Information in a Consumer Report

The number one tip for detecting identity theft is to check your credit report regularly. Erroneous information about late payments and collection actions is what you don't want to see. But catching fraud early enables you to more quickly regain your financial health.

FACTA requires creditors to give you what might be called an "early warning" notice. This notice could alert you that something is amiss with an account. However, the notice is not a substitute for your own monitoring of credit reports, bank accounts, and credit card statements. And, you may have to look closely to even see this new notice.

A financial institution that extends credit must send you a notice before or no later than 30 days after negative information is furnished to a credit bureau. Negative information includes late payments, missed payments, partial payments, or any other form of default on the account.

Does this apply only to my accounts with a bank?

No. A "financial institution" has the same meaning as under the Gramm-Leach-Bliley Act. In addition to a bank, this can mean a merchant that extends credit to you or a collection agency that routinely reports information to a credit bureau. For more on non-bank entities that are considered "financial institutions," see the FTC publication, How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, www.ftc.gov/bcp/edu/pubs/business/idtheft/bus67.shtm.

Do I get a notice every time the account is delinquent?

It’s a one-time notice as long as the late payment or other negative information has to do with the same account. After the one-time notice, the financial institution can continue to report negative information about the same account. For example, if you are late on your credit card payment three months straight, you are only entitled to the notice either before or within 30 days after the first late payment is reported.

Will I receive a separate notice or registered letter?

You will almost certainly not receive a registered letter. FACTA requires the financial institution to give you this notice along with "any notice of default, any billing statement, or any other materials provided to [you]." The one place the notice cannot appear is in the Truth in Lending Act notice you get when you first open an account. The notice must be "clear and conspicuous," but need not be in bold or enlarged type.

The Federal Reserve Board (www.federalreserve.gov) was directed by Congress to write sample notices for financial institutions. The Board has finalized the regulation, at www.federalreserve.gov/BoardDocs/Press/bcreg/2004/200406082/default.htm. The sample notices adopted by the Federal Reserve Board are short and to the point:

Notice before negative information is reported:
We may report information about your account to credit bureaus. Late payments, missed payments, or other defaults on your account may be reflected in your credit report.

Notice after negative information is reported:
We have told a credit bureau about a late payment, missed payment or other default on your account. This information may be reflected in your credit report.

Will the notice let me know when I'm a victim of identity theft?

Not always. When an imposter opens up a new credit account in your name, the thief usually establishes an address different from yours. The address might be a post office box or a vacant apartment used as a mail-pickup by the thief. When the imposter fails to pay on the credit card account, which is usually the case, the creditor will send the warning notice to the address associated with the account. And that is not your address. So you will be in the dark about the impending negative notice to your credit report.

The negative information will be recorded in your credit report, however. That is why we emphasize the importance of ordering your credit report at least once a year. If you are a victim of identity theft, you will learn of it on your credit report.

As you learned in Section 2A above, FACTA gives consumers the ability to obtain one free credit report per year from each of the three credit bureaus. The major reason the law requires credit bureaus to provide free annual credit reports is so you can check for evidence of identity theft. We strongly encourage you to take advantage of this provision of FACTA.

In short, you should not be lulled into a false sense of security just because a creditor must send you a notice before posting negative information to your credit report. Identity thieves operate in various ways. They might attempt to take over your existing accounts. And they might open up new accounts unbeknownst to you. Your best defense against fraud is always to review your credit reports as well as your monthly credit card and bank account statements.

7. Medical Information and Consumer Reports

If you're like most people, privacy of your medical information is a top priority. A major concern is that medical information may be used against you when you apply for a job or refinance your mortgage. Even when medical information is protected in one area, it may still be disclosed through other means.

A good example of this is the credit report. A collection action noted on a credit report that names a medical facility as creditor could inadvertently reveal an underlying medical condition. This is a significant threat since the Federal Reserve Board found in a 2003 study that over half the collections reported on credit reports are for medical debt. See An Overview of Consumer Data and Credit Reporting, www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf.

Under FACTA, consumer reporting agencies may not report the name, address, and telephone number of any medical creditor unless the information is provided in codes that do not identify or infer the provider of care or the individual's medical condition. This does not apply to insurance companies selling other than property and casualty insurance. (FCRA §605(a)(6))

Another section of FACTA says a creditor may not obtain or use medical information to make credit decisions. (FCRA §604(g)(2)) But there are exceptions, and federal banking agencies were directed to issue regulations to cover uses of medical information to protect "legitimate operational, transactional, risk, consumer, and other needs." (FCRA §604(g)(5)(A))

The banking agencies have adopted final regulations on medical information and credit. The rule prohibits a creditor from obtaining and using medical information to decide a consumer's credit eligibility. Still, creditors can obtain and use financial information if related to medical debts, expenses, and income.

One example is a debt for medical bills. You may owe money to a hospital and perhaps you worked out a plan to pay the debt over time. If you apply for a car loan, the bank can check to see if your payments on the hospital bill are up-to-date. If you are late on a payment or two, the bank may consider this in deciding whether to give you the loan. The bank cannot, however, ask about your medical condition or the reason for your hospital stay. In other words, the late payments to the hospital cannot carry any more weight than a late payment on a credit card. It is your history of paying debts only that is allowed. Your health status should not factor into a creditor's decision about whether to give you a loan. To read the final rules on medical information and credit, go to www.federalreserve.gov/boarddocs/press/bcreg/2005/20051117/default.htm

Is my consent needed to disclose medical information to an employer?

Yes. Even before FACTA, your consent was required to disclose medical information to an employer or for credit or insurance. Now under FACTA your consent to use medical data for employment and credit purposes must be specific and in writing. Further, the consent request must use "clear and conspicuous language" about how the information will be used. FACTA also requires that the medical information requested for employment or credit purposes be "relevant." (FCRA §605(a)(6)) The same standard does not apply to insurance.

8. Nationwide Specialty Consumer Reporting Agencies

Consumer reports are generally thought to mean "credit" reports issued by one of the three national credit bureaus: Experian, TransUnion, or Equifax. However, consumer reports may also be issued for purposes other than credit applications. The FCRA also covers reports for insurance, employment, check writing, and housing rental history. Such reports are quite common and a number of companies now specialize in providing reports for these specific purposes.

FACTA defines companies that issue non-credit reports as a "nationwide specialty consumer reporting agency" when reports relate to:

  • Medical records or payments. 
  • Residential or tenant history. 
  • Check writing history. 
  • Employment history. 
  • Insurance claims.

Consumers may request a free report annually from any of the specialty agencies.

The FTC has declined to publish a list of companies that meet the definition of "nationwide specialty consumer reporting agencies." For some specialties such as employment and rental history, there are many companies that meet the definition of consumer reporting agency and that follow the FCRA. Other specialties are dominated by one or two companies. 

To read more about "specialty" reports, see PRC Fact Sheet 6b, The 'Other' Consumer Reports: What You Should Know about 'Specialty' Reports at www.privacyrights.org/fs/fs6b-SpecReports.htm.

9. Workplace Investigations

FACTA sets a new standard for what the law calls "employee misconduct investigations."

What is an "employee misconduct investigation"?

This is an investigation conducted by a third party your employer may hire if the employer suspects you of:

  • Misconduct relating to your employment. 
  • A violation of federal, state, or local laws or regulations. 
  • A violation of any preexisting written policies of the employer.
  • Noncompliance with the rules of a self-regulatory organization that, for example, oversees the securities and commodity futures industry.

Why was this change made to the FCRA?

This section was adopted to make it clear that employers do not have to get permission to conduct a misconduct investigation. Prior to this, FTC staff issued an opinion letter, the so-called Vail Letter, that said the disclosure and consent requirement of FCRA applies even when an employee is suspected of misconduct and the employer hires an outside investigator. (www.ftc.gov/os/statutes/fcra/vail.htm) Employers objected to this interpretation of the law because they felt that obtaining consent would tip off the employee to an investigation. (Note: California law already includes an exception for workplace misconduct investigations. www.privacyrights.org/fs/fs16a-califbck.htm.)

If my employer suspects me of misconduct, what does this mean for me?

It means your employer does not have to give you notice and get your permission to conduct a misconduct investigation. Like other inquiries covered by the FCRA, this only applies if the employer hires an outside party to conduct the investigation.

It also means you will not receive a notice of your rights as others who are subject to a standard employment background check normally would. If at the end of the investigation the employer decides to take some action against you, you will receive the "adverse action" notice only after the action has been taken. You will receive only a summary of the investigation report, but not the more detailed report that may include sources.

Who will see the investigation report?

The report may be communicated to:

  • The employer or its agent.
  • Any federal or state officer, agency or department, or any officer, agency or department of a unit of general local government.
  • Any self-regulatory organization with regulatory authority over the activities of the employer or the employee.
  • A government agency, in accordance with an existing FCRA section that allows a consumer reporting agency to disclose personal identifying information to a government agency. 
  • Others, as otherwise required by law.

Can I dispute the findings?

Not under the FCRA dispute procedure. That is because this new section on workplace misconduct investigations was established by removing this type of investigation from the definition of "consumer report." Thus, the usual protections that apply to a consumer report conducted for employment purposes do not apply to workplace misconduct investigations. If you find yourself in this position, you will probably want to seek the advice of an employment law attorney.

10. Information Sharing Among Affiliates – Opt-Out for Marketing

FACTA gives consumers an opportunity to stop a corporation's affiliates from sharing customer data for marketing purposes. This opt-out is in addition to the existing opt-out choices for information shared with third-party non-affiliates and an existing opt-out under the FCRA.

For more on the existing opt-outs, see PRC Fact Sheet 24, Protecting Financial Privacy in the New Millennium: The Burden Is on You, www.privacyrights.org/fs/fs24-finpriv.htm, and Fact Sheet 24a, Financial Privacy: How to Read Your Opt-Out Notices, www.privacyrights.org/fs/fs24a-optout.htm.

On October 23, 2007, the FTC approved regulations that provide consumers with an opportunity to “opt out” before a person or company uses information provided by an affiliated company to market its products and services to the consumer. The final rule generally prohibits using certain information received from an affiliate to make a solicitation to a consumer about the person’s products or services, unless the consumer is given notice and a reasonable opportunity and a reasonable and simple method to opt out of the making of such solicitations, and the consumer does not opt out.

The final rule applies to information obtained from the consumer’s transactions or account relationship with an affiliate, the consumer’s application, and credit reports and other third-party sources. Unlike the FCRA's opt out for creditworthiness data, which applies indefinitely, the FACTA marketing opt out is effective for at least five years. At the end of five years, consumers must be provided with a notice and opportunity to renew the opt out.

Substantially similar rules were issued separately by the banking regulatory agencies. Read the FTC's regulations at: www.ftc.gov/os/fedreg/2007/october/071030affiliatemarketingrule_final.pdf

An explanation titled "Making Sense of the New Affiliate Marketing Rule" can be read at http://www.mmmlaw.com/media-room/publications/newsletter/making-sense-of-the-new-affiliate-marketing-rule1.

Existing provisions of the FCRA allow affiliates to share information about your "experience and transactions." But that section of the FCRA enables you to stop affiliates from sharing information about your "credit-worthiness," also sometimes called "application information." FACTA does not change these procedures, but adds a new opt-out choice to stop information sharing among affiliates when the purpose is for marketing. You now have the ability to prevent the affiliate receiving your information from soliciting you for its products and services.

11. Risk-Based Pricing

The amount you pay in interest can vary greatly. If you have a poor credit history, you will usually have to pay a higher rate than people with a good history of repayments. Like everyone else, you probably receive direct mail or other solicitations quoting exceptionally low interest rates. But, if you apply for the loan or credit card, the interest rate may end up being several points higher than originally quoted.

A section of FACTA (FCRA §615(h)) says you must receive a notice if you are offered credit on terms that are "materially" less favorable than the terms others received from the creditor. In short, this covers the situation where you apply for a loan and, although you get the loan, you have to pay a higher interest rate than most people because of something in your credit history. If this happens, you are entitled to notice plus a free copy of your credit report. Like many other provisions included in FACTA, the risk-based pricing notices aim to give consumers the tools to identify and an opportunity to correct inaccuracies in their credit reports.

The FTC and the Federal Reserve Board (FRB) have set out the details of the risk-based pricing notices requirement in final rules adopted on December 22, 2009, with January 1, 2011, as the effective date. The risk-based pricing notice requirement does not override the notice that consumer reporting agencies are required to give to "users" of consumer reports. www.ftc.gov/os/2004/07/040709fcraappxh.pdf Creditors, insurers, and others that use consumer reports must still give consumers an “adverse action” notice if the consumer is denied credit. The risk-based pricing notice, however, is only necessary when the consumer is granted credit but at terms less favorable than what others receive from the creditor.

In today’s tough economy, many people have fallen behind on current payments. Based on an existing creditor’s right to review consumer reports, interest rates may be adjusted upward if the consumer falls short in any account. In this case, the consumer should receive a risk-based notice along with the offer of a free credit report.

As an alternative, the rule allows creditors to give consumers their credit scores free along with an explanation of the score.  Free credit reports are available once every 12 months through the FTC’s website: www.ftc.gov/freereports. However, in most cases, consumers must pay for credit scores.

To read the final risk-based pricing rules as well as sample notices, go to: www.ftc.gov/opa/2009/12/rbpricing.shtm

12. Learn More about FACTA's Rulemaking Process

Free credit reports. To review public comments submitted to the FTC from consumer advocates, industry representatives, and others in response to the free credit report rule, see: www.ftc.gov/os/comments/factafcr/index.shtm. For the final free credit report rule published by the FTC on June 24, 2004, see www.ftc.gov/opa/2004/06/freeannual.shtm.

Fraud alerts. The FTC's proposed regulations to implement the fraud alert sections of FACTA were published on April 21, 2004. www.ftc.gov/opa/2004/04/factafrn0421.shtm. To see comments submitted in response to this proposal, go to www.ftc.gov/os/comments/factaidt/index.shtm. The PRC joined Consumers Union and other consumer organizations in commenting on this proposal. www.ftc.gov/os/comments/factaidt/EREG-000002.htm. To see the final rule, go to www.ftc.gov/opa/2004/10/facataidtheft.shtm

Red flags and security practices. FACTA requires the FTC and the federal banking agencies to adopt regulations that establish guidelines to detect identity theft. On July 16, 2006, the agencies issued a proposal to establish red flag guidelines as well as guidelines for credit card issuers and other creditors confronted with a change of address followed by a request for new or replacement cards. The proposal can be found at www.ftc.gov/opa/2006/07/idtheftredflagjoint.shtm

To read comments submitted by the PRC and five other consumer organizations, go to www.privacyrights.org/ar/FTC-RedFlagComments-060918.htm. Final rules were issued on October 31, 2007. www.ftc.gov/opa/2007/10/redflag.shtm.

Disposal of consumer reports. The FTC's final disposal rule was effective June 2005. The banking agencies rule was effective July 2005.

Notice of consumer rights. To read the FTC's final rule and the content of required notices, go to www.ftc.gov/opa/2004/11/facta.shtm

Disputing inaccurate information. FACTA requires the federal banking agencies and the FTC to adopt rules about consumer disputes with companies that furnish information for reports. (FACTA §312(c), FCRA §623(a)(8)). On December 13, 2007, the FTC and the federal banking agencies issued a joint proposal. The proposal is found at: www.ftc.gov/os/fedreg/2007/december/071213factafurnisheraccuracy.pdf. To read public comments to this proposed rule, see www.ftc.gov/os/comments/factafurnishersnpr/index.shtm. Final dispute rules were issued on July 1, 2009, and effective July 1, 2010. To read the final rules, go to: www.ftc.gov/opa/2009/07/facta.shtm

Negative information in a consumer report. The Federal Reserve Board (www.federalreserve.gov) was directed by Congress to write sample notices for financial institutions when reporting negative information to consumers. The Board has finalized the regulation, at www.federalreserve.gov/BoardDocs/Press/bcreg/2004/200406082/default.htm.

Medical information and consumer reports. In May 2005 the PRC submitted comments about the proposed medical privacy rules. www.privacyrights.org/ar/FDIC-MedFI.htm. The agencies adopted final rules in November, 2005. www.federalreserve.gov/boarddocs/press/bcreg/2005/20051117/default.htm

Opting out of affiliate sharing. On June 10, 2004, the FTC and the federal banking agencies proposed regulations to create this new opt-out procedure. www.ftc.gov/opa/2004/06/factaaffiliate.shtm To read public comments received in response to the proposed rule, see www.ftc.gov/os/comments/affiliate_marketing/index.shtm. A final rule was issued on October 30, 2007. www.ftc.gov/os/fedreg/2007/october/071030affiliatemarketingrule_final.pdf

Risk-based pricing of credit. On May 8, 2008, the FTC and the Federal Reserve Board issued a proposed rule on risk-based pricing notices. To read the proposal, see www.ftc.gov/opa/2008/05/factfyi.shtm. The risk-based notice requirement also appears in a much earlier FTC proposal to amend the notice consumer reporting agencies are required to make to users of consumer reports. www.ftc.gov/os/2004/07/040709fcraappxh.pdf.

On December 22, 2009, the FTC and FRB issued final risk-based pricing rules, with an effective date of January 1, 2011. The final rules are available at: www.ftc.gov/opa/2009/12/rbpricing.shtm.

13. References

Federal Law

PRC Publications

Publications about Credit Reporting

Additional Resources


The Privacy Rights Clearinghouse developed this guide with  funding from the Rose Foundation Consumer Privacy Rights Fund.  

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.

