FCRA Rears Its Head

Just when you thought you could concentrate on privacy and forget about everything else (except RESPA), the Federal Trade Commission staff issued two interpretations of the Fair Credit Reporting Act that could turn your compliance procedures - and your commercial lenders - upside down.

Adverse Action Notices
The first interpretation, issued on July 14, 2000 and signed by Christopher Keller, deals with when adverse action notices are required by FCRA and whether this differs in any way from the ECOA requirements. Some clever person thought to ask about the number of adverse action notices required when there is more than one applicant and information from each credit report was used to deny the application.

The problem is this. ECOA requires that you give an adverse action notice whenever you deny an application. However, in the spirit of reducing regulatory burden, Regulation B admits that when two or more people apply jointly for credit, there is a high likelihood that they will share with each other the information in the adverse action notice. So Regulation B permits you to send only one notice to multiple applicants, identifying and sending the notice to the principle applicant, if possible. FCRA is not so forgiving. FCRA requires you to send a notice to the consumer whose report was used or relied upon when taking adverse action. In the second opinion, Attorney Keller explains that "if an application is denied even in part, based on information in a co-applicant's consumer report" the lender must give the co-applicant an adverse action notice that provides the FCRA disclosures. The co-applicant must receive his or her own adverse action notice.

The result is that in some cases, you will need to send a full adverse action notice to the primary applicant and an FCRA notice to one or more co-applicants whenever the co-applicant's credit report was part (or all) of the reason(s) for denial.

For example, suppose A and B jointly request credit, and A appears to be the principal applicant. The application is denied because A and B jointly lack the income to qualify for the credit. You can send an adverse action notice to A.

However, if a credit report played a part in the decision, it gets complicated. Suppose that together A and B lack the necessary income but that there are problems reported on B's credit report. Now we have two reasons for denial: insufficient income and B's credit problems. You can deal with this by sending a single notice to B giving both reasons and providing the FCRA notice.

Now for the tough one. Suppose the reason for denial is insufficient income and problems reported in both A's and B's credit history. At this point, there is no way to send only one notice and comply with the FTC's interpretation. At least one of the applicant's must receive a notice with the ECOA notices and reasons for denial. But both applicants must receive the FCRA notice. Both applicants are consumers whose reports were used to evaluate their credit qualifications.

One of the goals of the FCRA notice is to enable the consumer to identify incorrect information in their consumer report and take steps to have that information corrected. In order to do this - to even find out that there is a problem in their report - they need the FCRA notice.

This FTC's reasoning does not apply to guarantors, because guarantors are excluded from the definition of applicant.

Already one of the leading violations of Regulation B and FCRA, adverse action notifications are an Achilles heel in any compliance program. Things just got worse. http://www.ftc.gov/os/statutes/fcra/stinneford.htm

Tatelbaum
The second interpretation was issued on July 26, 2000, and signed by David Medine, Associate Director of the Division of Financial Practices. [The "Tatelbaum" opinion] The gist of the interpretation is that consumer reports (usually referred to as credit reports) are compiled for use relating to the consumer. The information is not compiled for non-consumer purposes such as a business purpose loan. The FCRA limits permissible purposes - the circumstances under which you may obtain a report - to consumer uses.

[Editor's Note: The information which appears below regarding the Tatelbaum opinion and Action Steps relating to it were written shortly after the opinion came out. For an important update on developments relating to the Tatelbaum opinion which occurred after this article was originally written, and information about "Tatelbaum II", check out these discussions from Bankers' Threads:

Tatelbaum discussion
Good News re Pulling Credit Reports

The result is that commercial lenders may not routinely request and use consumer credit reports to evaluate the credit of the borrowers or guarantors on loan applications for business purposes.

What the Act Says
The reasoning in the interpretation is based on the language used in FCRA itself. The opinion is further bolstered by a series of court cases. At the core of the interpretation is the language of the act which limits the permissible purposes for obtaining consumer reports to consumer-related purposes.

The interpretation draws a distinction between "consumer reports" that are compiled for consumer purposes - such as those often referred to as "credit reports" - and reports compiled for business purposes. An example of a business purpose report would be the information compiled by Dunn and Bradstreet.

The FCRA defines "consumer report" and uses this term throughout the act. A consumer report, according to FTC staff, is "a report on the personal credit and other history of the individual." This information is "collected in whole or in part for the purpose of (assisting evaluation of) the consumer's eligibility for credit." The purpose for compiling the information is primarily consumer, and the use to which it should be put is primarily for consumer purposes.

The status of this report as a consumer report is not changed, even if the use for which it is protected is a business purpose rather than a consumer purpose. FTC staff reasons that the information compiled by a consumer reporting agency does not change its status or lose any protections of FCRA merely because it is being put to a business purpose use.

Permissible purpose
There is a very important gatekeeper in the FCRA. Consumer reports are not readily available to the general public upon request. They are protected and their use is limited. Before you obtain a credit report on a consumer, you must have a permissible purpose. Without a permissible purpose, you may not have the report.

The act provides a laundry list of permissible purposes, including the obtaining of the report with the permission of the consumer.

The permissible purposes for obtaining a consumer report under FCRA are limited to situations initiated by the consumer. FTC concludes that the FCRA does not provide any support for a lender "to obtain a consumer report in connection with a credit application for any commercial purpose."

The 1996 amendments to the FCRA have bolstered this position by making a key change to the language of ?604(a)(3)(F)(i). The old language provided a permissible purpose to transactions "involving the consumer." The new language restricts use of reports to transactions "initiated by the consumer." When the loan is a business purpose loan, it is the business, not the consumer, who initiated the transaction.

This opinion wipes out the debate about when and how to send adverse action notices to individuals whose personal credit report contained information used to deny the application for business credit. The business lender does not have access to the consumer report on the individual based on the application. What is permitted is obtaining the consumer report with the permission of each individual consumer involved in the business credit application. Commercial lenders should now make obtaining this permission a routine part of their documentation when they receive requests for credit. www.ftc.gov/os/statutes/fcra/tatelbaum.htm

ACTION STEPS

Notify your commercial lenders about this interpretation immediately.
Implement a procedure to obtain (and maintain in the file) credit report permissions on all existing commercial loan files. Give your commercial lenders a form to use to obtain the permission of each primary applicant and guarantor to obtain copies of their personal credit report.
While you are on the topic, audit your FCRA compliance by comparing requests for consumer reports with the uses for consumer reports. Make sure that all requests were legal and legitimate.
Audit your adverse action files. Compare the information in the consumer reports used with the content and address of the adverse action notices. Find out whether and how often you failed to notify a co-borrower of credit bureau information problems.
Establish procedures for FCRA adverse action notices going forward.