Are credit agencies exempt from signing a confidentiality agreement with fi's (to keep customer information confidential) with respect to the FCRA?

They are not exempt under GLBA, if that is what you are looking for. They are an allowable exception to *your* bank's privacy disclosure, as the customer authorizes you to pull the credit report and agrees at closing to you reporting their performance. However, as far as vendor confidentiality agreements, information security agreements and notification of security breaches, they are not covered under FCRA.

If the question is do you need a confidentiality agreement/security agreement with a consumer reporting agency, this is how it was explained to me:

When you report the information to the credit bureau, the information now belongs to the credit bureau. It is no longer "your" information that you need to safeguard.

The distinction made is that when you use a third party data processor, the processor is handling YOUR data which you still need to protect.

But when you report information to a credit bureau, it now becomes THEIR data, and they are held to a security standard of their own under FCRA.