The OCC Unleashed
FCRA: The OCC Unleashed
It's back - the authority to examine for FCRA compliance. OCC has wasted no time getting procedures developed and out the door. The procedures include a detailed discussion of the Act's requirements. This material should be useful in preparing for training and any briefings on the FCRA.
Of most interest, however, are the examination procedures themselves. The examination goals are to determine compliance with FCRA but also to assess the quality of the institution's compliance management policies and procedures. The OCC examiners will be determining "the reliance that can be placed on the financial institution's internal controls and procedures."
Charts and flow charts play a big role in kicking off the examination. Examiners love charts: they tell a quick and concise story of what happens, how, and where. Charts also make useful management tools. Use them for your own purposes.
In addition to the standard requests for policies and procedures, examiners will ask for organization charts, process flowcharts and checklists. FCRA permeates the entire institution, including lending and deposit activities. These tools are a great way to manage as well as to tell your story to the examiner.
As with other compliance evaluations, the examiners will use your audit material. They will review your audits for their effectiveness in identifying problems. Then, of course, they'll look at what steps the institution took to remedy any deficiencies that were identified in the audit.
You could hardly expect them to pass this issue by. How your institution uses and reports customer information will be closely evaluated. First on the list is the reporting of information to credit bureaus. The primary compliance issue here is accuracy. Creditors have an obligation to report accurate information and to correct errors when these are identified by affected consumers.
Correcting misinformation is a two-way street. What the creditor reports must be accurate. And if the consumer challenges what the creditor has already reported, the creditor must research and correct as appropriate.
When the examiners come in, they will be looking for your procedures to ensure accuracy of information reporting. Be ready to tell them how information is reported, who handles quality control, how you make any corrections to information reported, and how you handle disputes from consumers. The most important thing to show is responsiveness to customer concerns and requests.
FCRA is one of the laws that specifically requires creditors to investigate consumer allegations of error. Consumer complaint investigations are important in all aspects of your compliance program, however, they are particularly important when specifically required by law. As with billing errors and electronic transfers, the reporting of accurate information is something over which the bank has total control and the consumer has virtually none. So the law places clear responsibilities on banks to report accurate information and to investigate the information's accuracy when the consumer alleges an error.
An investigation must be much more than a cursory look at the situation. The creditor should carefully consider the consumer's version of what information is accurate and inaccurate. Then the creditor should look at its own information recording and reporting process before evaluating whether something actually did go wrong. The examiners will review the quality and extent of the bank's evaluation. Make sure your efforts measure up.
Adverse Action Notices
A lot has been said on the notification requirements of FCRA. The fact remains that this is the easiest practice to check. Errors in notifications are therefore one of the commonly reported violations. There are two primary concerns with respect to FCRA notices.
First, make sure you are using the correct language in your notices. The disclosure requirements changed with the recent overhaul of FCRA and your current disclosure should be several sentences longer than the disclosures several years ago. For example, your notice should now specifically state that the credit bureau cannot answer questions about the credit decision.
Second, get the notices right. Send them when information was used to deny the application, and don't send them when the denial was unrelated to information in the credit report.
Third Party Information
There are different notification requirements that are triggered when the creditor uses information from a third party that is not a credit bureau. The most common error here is to fail to make the statement and disclosure that information from a third party was used in making the decision to deny the application. This statement becomes important when the creditor has relied on information from another creditor, a landlord, an employer, or the like. This is another paper-trail violation that examiners will be checking.
Sharing Customer Information
Figuring out what to do with customer information and what not to do is a bit like learning to drive a manual transmission. Engaging the clutch is an art. Done well, no-one notices, but miss it and the car bucks all over the place. Banks will be highly visible if any customer feels their information has been mis-used , but if banks do this right, no-one will notice. So the compliance goal is to have nothing going on that anyone notices.
Although the amended FCRA allows certain prescreening practices for purposes of customer solicitations, the current emphasis on customer privacy means that any institution engaging in prescreening can expect to be examined carefully for compliance.
Essential questions will include whether the customer received an offer of credit under conditions that meet FCRA requirements. You can also expect examiners to review how the institution handled responses, and what subsequent verification steps were taken.
Don't forget that FCRA applies to any use of credit reports involving employment. Employment decisions are a permissible use for credit reports. However, there are restrictions. You need the consumer's permission to obtain the report.
Your examiner will be checking employment postings for review. They will be looking for the disclosure, authorization, and adverse action notices. Examiners will also be checking for any use of credit bureau reports in the investigation and termination of any employee. Because you need the employee's permission to pull a report, examiners will also be looking for that.
Financial institutions should maintain an on-going authorization from all employees to obtain a copy of their credit report. It simply isn't practical to go and get permission from an employee you have reason to suspect of dipping into the till, and you can't get the report without the authorization.
- Design flow charts for FCRA processes in your institution.
- Prepare a directory of authorized credit report users.
- Review the rules on information sharing and on reporting credit information to credit bureaus. Make sure everyone knows their job.
- Review all adverse action forms that your institution uses. Identify any that are not current and get rid of them. We don't recommend burning books, but burning non-compliant forms can be a lot of fun.
- Review all presolicitation practices being used in your institution. Check them for compliance with FCRA requirements. Also make sure that essential documentation is being maintained.
- Review your institution's practices relating to credit reports for employment purposes. Be sure that you have current authorizations from all employees.
Copyright © 2000 Compliance Action. Originally appeared in Compliance Action, Vol. 5, No. 1, 2/00
First published on 02/01/2000