I am adding the provisions of the FACT Act to our existing FCRA policy. This is what I have so far. REPEAT: This is still in DRAFT Form. Use at your discretion. Any feedback offered is appreciated, but be gentle.
I also used elements from the policy example that was given at one of the BOL FACT Act webinars. Thank you BOL!
You are a WONDERFUL resource. Remember the formatting changes when posting here.
FAIR CREDIT REPORTING ACT/FAIR AND ACCURATE CREDIT TRANSACTION ACT POLICY
STATEMENT OF NEED AND DEFINITION
In general, the consumer reporting industry consists of credit bureaus, investigative reporting companies, and similar organizations whose business is to gather and report information about consumers for others to use in deciding whether to make mortgage loans, grant other types of credit, underwrite insurance, or employ the subject of those reports. “Consumer reporting agencies” (CRAs) are required to adopt reasonable procedures for providing accurate information to banks, other credit grantors, insurers, employers, and other legitimate users of that information in a manner that is fair and equitable to the consumer. Those who use reported credit information are required to disclose that fact, as well as certain other information to the consumer affected.
The Fair and Accurate Credit Transaction Act (the FACT Act) amended the Fair Credit Reporting Act (FCRA). The FCRA and FACT Act establish numerous requirements that provide protection for the victims of identity theft, provide more information to consumers about credit reports and credit scoring, limits sharing of information with affiliates, and protect consumer medical and other information.
The _________ and its Banks acknowledge their responsibility to fully comply with all applicable requirements of the FCRA and the FACT Act.
PURPOSE
These acts are designed to regulate the consumer reporting industry, but also places specific responsibilities on financial institutions that use credit information provided by others.
SPECIFIC GOALS
This policy has the specific goals:
• To define authority and responsibility for implementing the FCRA and FACT Act to ____; and
• To establish standards for responsibility, record retention, and enforcement for the FCRA and FACT Act policy.
POLICY ELEMENTS
___ avoids the activities that would allow them to be considered a consumer reporting agency. Even though ____ is not a consumer reporting agency there are still duties under both acts that ____ must comply with. ____ uses credit reports in a variety of ways including mortgage loan evaluation, credit extension, purchase of dealer paper, issuing credit cards, and employee hiring.
It is the policy of ____ to:
• Respond to fraud and active duty alerts;
• Properly dispose of consumer report information;
• Provide information to victims of identity theft;
• Properly handle notice of identity theft;
• Respond to any notification received from a Credit Reporting Agency (CRA) relating to information resulting from identity theft, to prevent refurnishing blocked information;
• Truncate the last 5-digits of a debit or credit card;
• Comply with the rules regarding sharing information with affiliates;
• Provide an oral, written, or electronic notice to those who receive less favorable terms;
• Comply with guidelines adopted by the Federal banking agencies, and the FTC for use when furnishing information to a CRA regarding the accuracy and integrity of the information relating to consumers that such entities furnish to CRAs;
• Provide the required notice and credit scores;
• Provide the required notice regarding negative information;
• Take appropriate action when the bank receives a notice of discrepancy in a consumer’s address;
• Comply with the “red flag” guidelines;
• Protect medical information in the financial system; and
• To establish standards for responsibility, record retention, and enforcement for the FCRA/FACT Act policy.
RESPONSIBILITIES
Responsibilities that arise under the act are triggered by the preparation, distribution and use of a “consumer report.” Any information, good or bad, written or oral, that bears on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living is a consumer report if it is used, expected to be used, or collected, in whole or in part, either for the purpose of considering the consumer’s eligibility for consumer credit, insurance, or employment, or for other purposes permitted by the act.
RESPONSIBILITIES OF A CONSUMER REPORTING AGENCY
Many of the FCRA and FACT Act requirements apply to “consumer reporting agencies”. A consumer reporting agency is any person who assembles or evaluates consumer credit information or other information for the purpose of preparing or furnishing “consumer reports”. The information involved need not be derogatory.
• If _____ reports information from its own files to another user of credit information it is not considered a consumer reporting agency as long as that information reflects only _____’s own experience. A bank that regularly reports information that reflects experience other than its own, however, will usually be considered a consumer reporting agency within the meaning of the act and will be subject to a broad array of statutory requirements. For example, if banker A called banker B and asked for his banking experience with Mr. Brown, the reporting by banker B of Mr. Brown’s payment record with him would not be a consumer report. However, if banker B informs banker A that Mr. Brown has been paying him properly but has been defaulting in his obligation to banker C, banker B is making a consumer report and must satisfy his statutory responsibilities. There are exceptions to this rule that provide the ability for affiliates to centralize and share customer information including consumer reports if certain compliance procedures are established and followed.
RESPONSIBILITIES OF A USER OF OTHER CONSUMER INFORMATION
The act along with this policy imposes disclosure requirements on the users of consumer information. These duties apply to all banks that obtain any credit information regarding a consumer from sources outside of the bank.
RESPONSIBILITIES OF ____ WHO REPORTS INFORMATION TO CREDIT REPORTING AGENCIES
Internal Controls –
Bank Management and the Bank Compliance Officers are responsible for developing, implementing and complying with appropriate controls to assure that the procedures are followed.
Officers Responsible for Compliance –
The _____ Compliance Department is responsible for assuring written policy is adopted for all Banks. Bank Management is responsible for assuring that appropriate procedures and internal controls are adopted for all departments of their independent Banks to assure compliance with both the FCRA and FACT Acts. Additionally, Bank Management is responsibility for developing, implementing and complying with those procedures.
Independent Testing –
The _____ Compliance Officer, or persons so designated, will conduct periodic reviews to monitor ____’s compliance with the FCRA and FACT Act, at all ____ locations. Results of the compliance review(s) will be reported to the Audit/Compliance Committee of ____ and to the Bank’s Board of Directors at their regular scheduled meetings.
RECORD RETENTION REQUIREMENTS
When processing a loan, the ____ loan officer should assemble a record of compliance with this policy.
Required Records –
Consumer credit reporting agencies (including banks that release information other than that resulting from their own experience) that disclose reports for employment, credit, or other purposes must keep records of the recipients of any consumer report that they furnish. The act also places disclosure responsibilities on ____ and on other users of reports from persons other than credit reporting agencies.
Retention Period –
The period of retention of a consumer report depends on the purpose for which the report was released. If released for employment purposes, the report must be retained for two years. If released for any other purpose, the report must be retained for six months. The law provides that a civil action can be brought against a credit reporting agency or user for a period of two years, so ____ will maintain evidence of compliance with disclosure requirements for at least two years. ____ will retain all information relative to a solicited offer that was made using a prescreened list until the expiration of three years beginning on the date that the offer was made to the consumer. If a material and willful misrepresentation is made in a required disclosure, the two-year period does not begin to run until the misrepresentation is discovered.