FCRA/FACT Act: Exam Procedures Are Out (5 Action Steps)
The agencies have published new examination procedures for FCRA and the FACT Act. Although this revision of examination procedures was triggered by the FACT Act and the changes that law made to FCRA, the procedures provide a good review of the longer standing FCRA requirements. With all the attention currently being focused on the FACT Act, it is easy to pay too little attention to the FCRA as a whole.
The new examination procedures are risk based. References to risk management are now so frequent that it is easy to think the risk is already taken care of. But stay alert. The new FCRA exam procedures discuss risk management and the agencies' expectations. The exam procedures provide some specific examples of how the examiners approach risk. These examples should help you develop and manage your compliance program.
As these procedures demonstrate, there is no way to assess and manage risk without attention to regulatory requirements. These procedures show the impact of technical requirements in the assessment or designation of risk to specific functions.
There are six modules, organized around a combination of regulatory concepts and functions performed within the institution. The modules begin with obtaining consumer reports, cover obtaining and sharing information, disclosures to consumers, and identity theft compliance. Modules will be selected for use during examinations based on the institution's activities.
One of the collateral benefits of examination procedures is the resource material they provide for you as well as for examiners. For example, the procedures contain the critical FCRA definitions, making them a useful quick reference when you need to remind yourself what a consumer is or to check a similar definition. They also have a quick, concise description of prescreened consumer reports. Some of these can be lifted and used for your training programs.
The role of FCRA in restricting or allowing access to consumer reports is well established; however, problems persist. This topic comprises the first module, one that will probably be used in all institutions. The primary focus of these procedures is to ensure that consumer reports are obtained and used only for permissible purposes.
Risk in this module is associated with obtaining and using consumer reports. The use of electronic transmissions to obtain reports and send information raises the risk level. In addition, because of electronic uses, the information security program and procedures should be considered in this part of the examination.
Affiliate Information Sharing
Module 2 deals with obtaining information and sharing information with affiliates. This module will only be used when the institution has an affiliate. The risk identified in this module is that the nature of business conducted by financial institutions means that the institution has a significant amount of information about its customers. Sharing that information in ways that do not fully comply with the FCRA could make the institution a credit reporting agency, subject to many more parts of the FCRA.
Information sharing is an area where the GLBA and the FCRA are interwoven in a tortuous path. One goal of this module is to evaluate the ways in which institutions protect or share customer information. The module discussion points out that a practice that may seem permissible under the GLBA, such as sharing a credit score for joint marketing purposes, may be prohibited by the FCRA if it is considered a consumer report.
The reverse may also be true. Sharing may be permitted by the FCRA but prohibited by the GLBA. The joint user rule permits financial institutions to share information if they are jointly involved in the decision to approve the consumer's request for credit or credit-related services, such as PMI. However, sharing non-public, personal information would be limited or prohibited by GLBA.
This module also includes treatment of medical information. Procedures are not yet included but will be developed and published soon.
The module on disclosures includes examination for prescreening programs and consumer disclosures, truncation of account numbers, disclosure of credit scores, adverse action notices, debt collection notices from institutions that act as third party debt collectors, and risk based pricing notices. In short, the long laundry list of paper-based, easily-identified notice requirements is in Module 3. Pay close attention to this one to avoid common violations, both new and old.
Work by the agencies on guidelines for the accuracy and integrity of information is still underway. The examination guidance will be revised and republished when that work is complete. Investigation and resolution of customer complaints will be included in that section. Expect to see standards for and examples of what the agencies will consider to be appropriate levels of investigation.
Included in this module is the reporting of account activity including voluntary closures, disputes and delinquent accounts. The way in which such activity is reported has a significant impact on the consumer's credit history and credit score. When published, these standards will be important.
The information furnishing module will also include examination for compliance with the notices required for the reporting of negative information.
Identity Theft Protections
This module focuses on two requirements. First is the requirement to properly identify a consumer when an identity theft alert or active duty alert is in the consumer's report. Second, the module covers the requirement to provide information to the consumer about any fraudulent transactions under the alert.
The actual procedures reflect the agencies' emphasis on risk-based performance. For each element, the examiner should first determine the institution's activity. The first question is, of course, whether the institution undertakes the activity. In some cases, the answer will be no and the module will be dropped from the examination.
The next step is to review policies and procedures. Under the risk-based approach, everything flows from the examiner's assessment of the policies and procedures. Strong, clear instructions to staff lower the level of supervisory concern, while weak, unclear instructions will trigger additional work by the examiner. The examiner is instructed to review these documents to determine whether they are inclusive and give adequate guidance.
In some cases, more specific instructions are included in the procedures. For example, when reviewing compliance with permissible uses of consumer reports, examiners are instructed to obtain a billing statement showing the consumer reports obtained and to compare this list to the institution's records. Using this comparison, the examiner should evaluate whether the institution complies with the permissible purpose rules.
Examiners are instructed to obtain and review certain documents. These are selected to provide the examiner with an understanding of how FCRA requirements may apply to the institution and what processes, products, systems, or procedures the examiner should review.
Documents for review include organization charts, process flowcharts, policies and procedures, and loan documentation. They will also look for any methods the institution uses for documentation such as checklists and system documentation.
Examiners will also review compliance audit materials and work papers to evaluate whether the scope was appropriate, the audit performed was accurate, and steps have been taken to correct any findings.
Finally, examiners will review training materials to be sure that the training is appropriate and comprehensive. Here, expect examiners to look for training that is pertinent to the specific sections of FCRA that are triggered by activities or products within your institution.
No matter how examiners plan to use these exam procedures in your next exam, you should use them to review your compliance program, risk assessment, and the adequacy of your policies and procedures.
- Review the FCRA examination procedures and determine which modules apply to your institution.
- Read the discussion material carefully. This lays the groundwork for what the examiner considers as requirements.
- While reading the discussion material, identify parts to lift and use in your compliance manual and training materials.
- Review your policies and procedures with respect to each topic covered by these modules. Compare the content and instructions with the regulatory expectations and fix any gaps.
- Schedule FCRA training before the examiners are scheduled to arrive.
Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 15, 12/05
First published on 12/01/2005