One is a statute (FCRA), one is a regulation that implements parts of the the statute.
Here is my explanation that I use:
Congress substantively amended FCRA with the passage of the Fair and Accurate Credit Transactions Act of 2003 (FACTA or FACT Act). The FACT Act created many new responsibilities for consumer reporting agencies and users of consumer reports.
Historically, rulemaking authority for the FCRA was divided among the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Federal Trade Commission (FTC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), [and the Office of Thrift Supervision (OTS).
The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) amended provisions of the FCRA. In addition, the Dodd-Frank Act transferred rulemaking authority for most provisions of the FCRA to the Bureau of Consumer Financial Protection (Bureau), effective July 21, 2011.
The Dodd-Frank Act did not transfer to the CFPB the authority to promulgate: rules on the disposal of consumer information; rules on identity theft red flags and corresponding interagency guidelines on identity theft detection, prevention, and mitigation; and rules on the duties of card issuers regarding changes of address. These existing provisions are not included in the CFPB’s Regulation V.
Specific requirements of the FCRA, including requirements regarding Identity Theft, have been included in the CFPB’s Regulation V.
The requirements of the FCRA regarding proper disposal of customer information must be included in a bank’s Information Security Program, as required by the safety and soundness standards of the Bank’s primary regulator (OCC, FDIC, FRB). Information on Disposal of Records remains in the Federal Reserve’s Regulation V and the corresponding requirements for national banks regulated by the OCC and for FDIC regulated banks. This authority was not transferred to the CFPB because it is a safety and soundness standard, regulated by the banks’ prudential regulators.