Issued by FDIC
Sec. 615. Requirements on users of consumer reports
(a) Duties of users taking adverse actions on the basis of information contained in consumer reports. If any person takes any adverse action with respect to any consumer that is based in whole or in part on any information contained in a consumer report, the person shall
(1) provide oral, written, or electronic notice of the adverse action to the consumer;
(2) provide to the consumer written or electronic disclosure
(A) of a numerical credit score as defined in section 609(f)(2)(A) used by such per- son in taking any adverse action based in whole or in part on any information in a consumer report; and
(B) of the information set forth in subparagraphs (B) through (E) of section 609(f)(1);
Note: paragraph (2) above inserted by § 1100F of the Dodd-Frank Act, effective 7/21/2011.
(3) provide to the consumer orally, in writing, or electronically
(A) the name, address, and telephone number of the consumer reporting agency (including a toll-free telephone number established by the agency if the agency compiles and maintains files on consumers on a nationwide basis) that furnished the report to the person; and
(B) a statement that the consumer reporting agency did not make the decision to take the adverse action and is unable to provide the consumer the specific reasons why the adverse action was taken; and
(4) provide to the consumer an oral, written, or electronic notice of the consumer's right
(A) to obtain, under section 612 [§ 1681j], a free copy of a consumer report on the consumer from the consumer reporting agency referred to in paragraph (3), which notice shall include an indication of the 60-day period under that section for obtaining such a copy; and
(B) to dispute, under section 611 [§ 1681i], with a consumer reporting agency the accuracy or completeness of any information in a consumer report furnished by the agency.
(b) Adverse Action Based on Information Obtained from Third Parties Other than Consumer Reporting Agencies
(1) In general. Whenever credit for personal, family, or household purposes involving a consumer is denied or the charge for such credit is increased either wholly or partly because of information obtained from a person other than a consumer reporting agency bearing upon the consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living, the user of such information shall, within a reasonable period of time, upon the consumer's written request for the reasons for such adverse action received within sixty days after learning of such adverse action, disclose the nature of the information to the consumer. The user of such information shall clearly and accurately disclose to the consumer his right to make such written request at the time such adverse action is communicated to the consumer.
(2) Duties of Person Taking Certain Actions Based on Information Provided by Affiliate
(A) Duties, generally. If a person takes an action described in subparagraph (B) with respect to a consumer, based in whole or in part on information described in subparagraph (c), the person shall
(i) notify the consumer of the action, including a statement that the consumer may obtain the information in accordance with clause (ii); and
(ii) upon a written request from the consumer received within 60 days after transmittal of the notice required by clause (i), disclose to the consumer the nature of the information upon which the action is based by not later than 30 days after receipt of the request.
(B) Action described. An action referred to in subparagraph (A) is an adverse action described in section 603(k)(1)(A) [§ 1681a], taken in connection with a transaction initiated by the consumer, or any adverse action described in clause (i) or (ii) of section 603(k)(1)(B) [§ 1681a].
(C) Information described. Information referred to in subparagraph (A)
(i) except as provided in clause (ii), is information that
(I) is furnished to the person taking the action by a person related by common ownership or affiliated by common corporate control to the person taking the action; and
(II) bears on the credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of the consumer; and
(ii) does not include
(I) information solely as to transactions or experiences between the con- sumer and the person furnishing the information; or
(II) information in a consumer report.
(c) Reasonable procedures to assure compliance. No person shall be held liable for any violation of this section if he shows by a preponderance of the evidence that at the time of the alleged violation he maintained reasonable procedures to assure compliance with the provisions of this section.
(d) Duties of Users Making Written Credit or Insurance Solicitations on the Basis of Information Contained in Consumer Files
(1) In general. Any person who uses a consumer report on any consumer in connection with any credit or insurance transaction that is not initiated by the consumer, that is provided to that person under section 604(c)(1)(B) [§ 1681b], shall provide with each written solicitation made to the consumer regarding the transaction a clear and conspicuous statement that
(A) information contained in the consumer's consumer report was used in connection with the transaction;
(B) the consumer received the offer of credit or insurance because the consumer satisfied the criteria for credit worthiness or insurability under which the consumer was selected for the offer;
(C) if applicable, the credit or insurance may not be extended if, after the consumer responds to the offer, the consumer does not meet the criteria used to select the consumer for the offer or any applicable criteria bearing on credit worthiness or insurability or does not furnish any required collateral;
(D) the consumer has a right to prohibit information contained in the consumer's file with any consumer reporting agency from being used in connection with any credit or insurance transaction that is not initiated by the consumer; and
(E) the consumer may exercise the right referred to in subparagraph (D) by notifying a notification system established under section 604(e) [§ 1681b].
(2) Disclosure of address and telephone number; format. A statement under paragraph (1) shall –
(A) include the address and toll-free telephone number of the appropriate notification system established under section 604(e); and
(B) be presented in such format and in such type size and manner as to be simple and easy to understand, as established by the Bureau, by rule, in consultation with the Federal Trade Commission, Federal banking agencies and the National Credit Union Administration.
Note: See also 16 CFR Part 642; 16 CFR Part 698, App. A
(3) Maintaining criteria on file. A person who makes an offer of credit or insurance to a consumer under a credit or insurance transaction described in paragraph (1) shall maintain on file the criteria used to select the consumer to receive the offer, all criteria bearing on credit worthiness or insurability, as applicable, that are the basis for determining whether or not to extend credit or insurance pursuant to the offer, and any requirement for the furnishing of collateral as a condition of the extension of credit or insurance, until the expiration of the 3-year period beginning on the date on which the offer is made to the consumer.
(4) Authority of federal agencies regarding unfair or deceptive acts or practices not affected. This section is not intended to affect the authority of any Federal or State agency to enforce a prohibition against unfair or deceptive acts or practices, including the making of false or misleading statements in connection with a credit or insurance transaction that is not initiated by the consumer.
(e) Red Flag Guidelines and Regulations Required
See also 16 CFR Part 681
(1) Guidelines. The Federal banking agencies, the National Credit Union Administration, the Federal Trade Commission, the Commodity Futures Trading Commission, and the Securities and Exchange Commission shall jointly, with respect to the entities that are subject to their respective enforcement authority under section 621 –
(A) establish and maintain guidelines for use by each financial institution and each creditor regarding identity theft with respect to account holders at, or customers of, such entities, and update such guidelines as often as necessary;
(B) prescribe regulations requiring each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines established pursuant to subparagraph (A), to identify possible risks to account holders or customers or to the safety and soundness of the institution or customers; and
(C) prescribe regulations applicable to card issuers to ensure that, if a card issuer receives notification of a change of address for an existing account, and within a short period of time (during at least the first 30 days after such notification is received) receives a request for an additional or replacement card for the same account, the card issuer may not issue the additional or replacement card, un less the card issuer, in accordance with reasonable policies and procedures –
(i) notifies the cardholder of the request at the former address of the cardholder and provides to the cardholder a means of promptly reporting incorrect address changes;
(ii) notifies the cardholder of the request by such other means of communication as the cardholder and the card issuer previously agreed to; or
(iii) uses other means of assessing the validity of the change of address, in accordance with reasonable policies and procedures established by the card issuer in accordance with the regulations prescribed under subparagraph (B).
(A) In general. In developing the guidelines required by paragraph (1)(A), the agencies described in paragraph (1) shall identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft.
(B) Inactive accounts. In developing the guidelines required by paragraph (1)(A), the agencies described in paragraph (1) shall consider including reasonable guidelines providing that when a transaction occurs with respect to a credit or deposit account that has been inactive for more than 2 years, the creditor or financial institution shall follow reasonable policies and procedures that provide for notice to be given to a consumer in a manner reasonably designed to reduce the likelihood of identity theft with respect to such account.
(3) Consistency with verification requirements. Guidelines established pursuant to paragraph (1) shall not be inconsistent with the policies and procedures required under section 5318(l) of title 31, United States Code [Note: Reference to CIP requirements].
(4) Definitions. As used in this subsection, the term “creditor” –
(A) means a creditor, as defined in section 702 of the Equal Credit Opportunity Act (15 U.S.C. 1691a), that regularly and in the ordinary course of business
(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
(ii) furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; or
(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;
(B) does not include a creditor described in subparagraph (A)(iii) that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person; and
(C) includes any other type of creditor, as defined in that section 702, as the agency described in paragraph (1) having authority over that creditor may determine appropriate by rule promulgated by that agency, based on a determination that such creditor offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.
Note: Paragraph (4) above added effective 12/10/2010 by § 2(a) of the Red Flag Program Clarification Act of 2010 (Pub. L. 111-319)
(f) Prohibition on Sale or Transfer of Debt Caused by Identity Theft
(1) In general. No person shall sell, transfer for consideration, or place for collection a debt that such person has been notified under section 605B has resulted from identity theft.
(2) Applicability. The prohibitions of this subsection shall apply to all persons collecting a debt described in paragraph (1) after the date of a notification under paragraph (1).
(3) Rule of construction. Nothing in this subsection shall be construed to prohibit –
(A) the repurchase of a debt in any case in which the assignee of the debt requires such repurchase because the debt has resulted from identity theft;
(B) the securitization of a debt or the pledging of a portfolio of debt as collateral in connection with a borrowing; or
(C) the transfer of debt as a result of a merger, acquisition, purchase and assumption transaction, or transfer of substantially all of the assets of an entity.
(g) Debt collector communications concerning identity theft. If a person acting as a debt collector (as that term is defined in title VIII) on behalf of a third party that is a creditor or other user of a consumer report is notified that any information relating to a debt that the person is attempting to collect may be fraudulent or may be the result of identity theft, that person shall –
(1) notify the third party that the information may be fraudulent or may be the result of identity theft; and
(2) upon request of the consumer to whom the debt purportedly relates, provide to the consumer all information to which the consumer would otherwise be entitled if the consumer were not a victim of identity theft, but wished to dispute the debt under provisions of law applicable to that person.
(h) Duties of Users in Certain Credit Transactions
(1) In general. Subject to rules prescribed as provided in paragraph (6), if any person uses a consumer report in connection with an application for, or a grant, extension, or other provision of, credit on material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person, based in whole or in part on a consumer report, the person shall provide an oral, written, or electronic notice to the consumer in the form and manner required by regulations prescribed in accordance with this subsection.
(2) Timing. The notice required under paragraph (1) may be provided at the time of an application for, or a grant, extension, or other provision of, credit or the time of communication of an approval of an application for, or grant, extension, or other provision of, credit, except as provided in the regulations prescribed under paragraph (6).
(3) Exceptions. No notice shall be required from a person under this subsection if –
(A) the consumer applied for specific material terms and was granted those terms, unless those terms were initially specified by the person after the transaction was initiated by the consumer and after the person obtained a consumer report; or
(B) the person has provided or will provide a notice to the consumer under subsection (a) in connection with the transaction.
(4) Other notice not sufficient. A person that is required to provide a notice under subsection (a) cannot meet that requirement by providing a notice under this subsection.
(5) Content and delivery of notice. A notice under this subsection shall, at a minimum –
(A) include a statement informing the consumer that the terms offered to the consumer are set based on information from a consumer report;
(B) identify the consumer reporting agency furnishing the report;
(C) include a statement informing the consumer that the consumer may obtain a copy of a consumer report from that consumer reporting agency without charge;
(D) include the contact information specified by that consumer reporting agency for obtaining such consumer reports (including a toll-free telephone number established by the agency in the case of a consumer reporting agency described in section 603(p)); and
(E) include a statement informing the consumer of –
(i) a numerical credit score as defined in section 609(f)(2)(A), used by such person in making the credit decision described in paragraph (1) based in whole or in part on any information in a consumer report; and
(ii) the information set forth in subparagraphs (B) through (E) of section 609(f)(1).
Note: Subparagraph (E) added by § 1100F of the Dodd-Frank Act, effective 7/21/2011.
See also 16 CFR Part 610
(A) Rules required. The Bureau shall prescribe rules to carry out this subsection.
(B) Content. Rules required by subparagraph (A) shall address, but are not limited to –
(i) the form, content, time, and manner of delivery of any notice under this subsection;
(ii) clarification of the meaning of terms used in this subsection, including what credit terms are material, and when credit terms are materially less favorable;
(iii) exceptions to the notice requirement under this subsection for classes of persons or transactions regarding which the agencies determine that notice would not significantly benefit consumers;
(iv) a model notice that may be used to comply with this subsection; and
(v) the timing of the notice required under paragraph (1), including the circumstances under which the notice must be provided after the terms offered to the consumer were set based on information from a consumer report.
(7) Compliance. A person shall not be liable for failure to perform the duties required by this section if, at the time of the failure, the person maintained reasonable policies and procedures to comply with this section.
(B) Administrative enforcement. This section shall be enforced exclusively under section 621 by the Federal agencies and officials identified in that section.