The Fair Credit Reporting Act (FCRA), became law in 1970 to promote accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies (CRAs).  CRAs assemble reports on individuals for businesses, including credit card companies, banks, employers, landlords, and others.

15 USC section 1681e(b) claims typically demand that the CRAs , having published inaccurate credit reports without following reasonable procedures to assure the accuracy of the information, remove said information.

15 USC section 1681i (a) of the FCRA is another part of the Statute used to sue Equifax, Experian, and Trans Union. Under this FCRA provision, a credit reporting agency must conduct a reasonable investigation of disputed credit accounts and must notify the furnisher of the consumer’s dispute so that the furnisher may conduct their own independent investigation.

CRAs use an automated system that simply notifies the creditor or “furnisher” of the type of dispute by category.  Once a reply is received by the furnisher, the CRA merely repeats or “parrots” the furnisher response without conducting their own independent investigation.  In some cases, punitive damages have been awarded for this conduct because of the failure to conduct their own independent investigation.

Amendments to the FCRA include the Consumer Credit Reporting Reform Act of 1996, mostly affects credit reports obtained for employment purposes and contains a number of improvements to the FCRA. It also included provisions that allow affiliate sharing of credit reports, “prescreening” of credit reports (unsolicited offers of credit made to certain consumers), and limited preemption of stronger state laws on credit.

Another change was made by the “Fair and Accurate Credit Transactions Act of 2003″ (FACTA). The Act preempts some state privacy protections, but includes a number of improvements to credit reporting law, including free credit reports annually.

Consumer credit reports contain information on financial accounts, and include credit card balances and mortgage information. Credit reports are used for evaluating eligibility for credit, insurance, employment, and tenancy; the ability to pay child support; professional licensing (for instance, to become an attorney); or for any purpose that a consumer approves.

A consumer credit report will contain basic identifying information (name, address, previous address, Social Security Number, marital status, employment information, and number of children) along with: Financial information: Estimated income, employment, bank accounts, value of car and home, Public records information: Such as arrests, bankruptcies, and tax liens, Trade lines: Credit accounts and their status. This will also include the data subject’s payment habits on credit accounts, Collection Items: Whether the data subject has unpaid or disputed bills. Current Employment and employment history, Requests for the credit report: The number of requests for the data subject’s report and the identity of the requestors, Narrative information: A statement by the data subject or by the furnisher regarding disputed items on the credit report, Health information.

Transaction and experience (records of purchases of goods and services) information is not reported. Additionally, corporations may share credit report information among affiliates as long as notice and opt-out is provided to the consumer.

CRAs can also prepare “investigative consumer reports,” (ICRs) dossiers on consumers that include information on character, reputation, personal characteristics, and mode of living. ICRs are compiled from personal interviews with persons who know the consumer. Since ICRs include especially sensitive information, the FCRA affords greater protections for them. For instance, within three days of requesting an ICR, the requestor must inform the consumer that an ICR is being compiled. The consumer also can request a statement explaining the nature and scope of the investigation underlying the ICR.

The FCRA limits the use of the credit report to: Applications for credit, insurance, and rentals for personal, family or household purposes, Employment, which includes hiring, promotion, reassignment or retention. A CRA may not release a credit report for employment decisions without consent, Court orders, including grand jury subpoenas, “Legitimate” business needs in transactions initiated by the consumer for personal, family, or household purposes, Account review. Periodically, banks and other companies review credit files to determine whether they wish to retain the individual as a customer, Licensing (professional), Child support payment determinations, Law enforcement access: Government agencies with authority to investigate terrorism and counterintelligence have secret access to credit reports.

• See http://www.federalreserve.gov/boarddocs/supmanual/cch/200611/fcra.pdf

Specific prior consent is required before consumer reports with medical information can be released.

Target marketing is not a permissible use of credit reports.

Inaccurate Information: The Right to Correct

Individuals may dispute information that appears in a credit report, whether it is accurate, verified or aged. CRAs are required to investigate each dispute and provide a report back to the consumer. If the CRA cannot resolve the dispute, the individual can add a statement to the credit report. Inaccurate or unverifiable information must be removed within 30 days of notice of the dispute. When creating the credit report the FCRA requires there to be a reasonable procedures to assure maximum possible accuracy.  However, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) — amendments to the FCRA — requires that investigation be “reasonable”.

When individuals also dispute inaccurate information with the furnisher that furnisher cannot report the information to a CRA without also including a notice of the dispute. They are also required to block that information from being re-reported to CRAs.

The FCRA limits the length of time some information can appear in a consumer report. For instance, bankruptcies must be removed from the report after 10 years. Civil suits, civil judgments, paid tax liens, accounts placed for collection, and records of arrest can only appear for 7 years. Records of criminal convictions can remain on the report indefinitely.

Consumers may now directly dispute fraudulent transactions with the furnisher. The furnisher must investigate the disputed transactions and inform the consumer of the results.

Consumers must be the party to initiate the dispute, not “credit repair” agencies from disputing the transactions. The FCRA now requires that a CRA not report information that it “knows or has reasonable cause to believe is inaccurate. When a CRA determines that transaction information is fraudulent, it must notify the furnisher that the information has been modified or deleted.

When a furnisher reports negative information, it must notify the consumer within thirty days using a thirty word maximum notice to be designed by the Federal Reserve Board. Unfortunately, it appears that furnishers will be able to avoid meaningful notices because they can insert the notice with the standard contract documentation.

Accountability

Individuals can sue a CRAs, users of credit reports, and furnishers in federal or state court. They may obtain attorney’s fees, court costs, and punitive damages. The FTC can enforce provisions of the act. Criminal penalties can be brought against those who knowingly and willfully obtain a consumer report under false pretenses.

The “qualified immunity provision” limits the situations in which a consumer can pursue legal action against a CRA. For the certain types of disclosures — disclosures to consumers, condition and form of disclosure to consumers, requirements on users, and disclosure by user after taking adverse action against a consumer — a consumer may only bring suit if the CRA acted with “malice or willful intent to injure.” The Fair and Accurate Credit Transactions Act of 2003 (FACTA) amendments to the FCRA expanded the enumerated list of types of disclosure for which CRA liability is limited in this way. These new types of disclosures, which if violated are limited by the qualified immunity, include, among others: the requirement that agencies withhold the last five SSN digits when requested by a consumer; allowing identity theft victims to obtain business transaction information from businesses that have done business with the thief; and requiring mortgage lenders to disclose credit scores to loan applicants.

Furthermore, FACTA incorporated the new furnisher responsibilities into the qualified immunity provisions. These include, for example, requiring financial institutions to notify customers that they are furnishing negative information to CRAs about that customer — into the qualified immunity provision. Other liability provisions were also limited by FACTA with respect to other new responsibilities established by the amendments. One such limitation prevents consumers from forcing a CRA to issue red flag guidelines and regulations.

The ability of states to pursue legal action against a CRA was also limited by the FACTA amendments. Even for major violations — failure to provide accurate information, failure to comply with guidelines to protect accuracy and integrity of consumer information, etc. — states must first obtain an injunction against the CRA. Only then may it seek damages for violations of the FCRA.

Identity Theft

The FACTA added significant identity theft provisions to the FCRA, but most of these provisions are remedial and will not prevent identity theft.

These include the ability to issue one-call fraud alerts, extended fraud alerts and active military duty alerts. Additionally, new responsibilities are placed on users of credit reports (e.g. a lending company). These include red-flag guidelines, providing identity theft victims with business transaction information, and protecting certain consumer information.

All fraud alerts are now “one-call.” If an agency receives a request for a fraud alert, it must notify the other CRAs also. The fraud alert is also communicated to users requesting the consumer’s credit report. Additionally, the CRA must notify the consumer of her right to a free credit report which the FACTA requires to be delivered within three days of request. “Initial fraud alerts” last for ninety days.

A fraud alert indicates that a consumer does not authorize new credit, an additional card on an existing account, or increases in the credit limit of an existing account. A consumer may provide a telephone contact number in which case a credit user must verify the consumer’s identity over the phone on that number. An exception to that rule allows a credit user to “take reasonable steps” instead of calling the consumer for an “initial fraud alert” or an “active military duty alert.”

If the consumer has filed a report with a law enforcement agency, she may request an “extended fraud alert” that lasts for seven years. CRAs must also exclude the consumer from prescreening lists for five years. Finally, it must notify the consumer of her right to two free credit reports within twelve months of the fraud alert request. Deployed military personnel can request an “active military duty alert” that remains active for twelve months.

The FACTA requires the FTC, the National Credit Union Administration, and other certain banking agencies to jointly issue regulations requiring creditors to establish “reasonable policies and procedures” for implementing “red flag” guidelines regarding identity theft. Additionally, businesses who have dealt with an identity thief must, under certain circumstances, provide information about those transactions to the identity theft victim. However, the rule is weakened by several provisions, the absence of a consumer’s enforcement action, and preemption of state law.

FCRA also now limit data disclosures that can lead to identity theft. Merchants will be required, over time, to truncate credit and debit numbers on electronically printed receipts. Consumers will also have the right to request that a CRA withhold their last five SSN digits on credit reports.

Inadequate CRA security also can contribute to identity theft. In November 2002, a prosecution was brought against a group of suspects who allegedly orchestrated the theft of 30,000 individuals’ identities. The suspects used terminals that are commonly present in auto dealerships and apartment finding companies to gain access to thousands of credit reports. The reports were then used to open new lines of credit in others’ names.

The FACTA also provides new rights for those that have suffered identity theft. CRAs and credit furnishers must help identity theft victims recover and restore their credit history. If a consumer can show a CRA that identity theft data is included in their report, the CRA must block that information within four days and notify the furnisher of the report of the fraudulent data. The consumer must establish proof of identity, a copy of an identity theft report, the fraudulent information, and a statement that the information is unrelated to any transaction of the consumer.

Furnishers of credit information also have new responsibilities under FACTA. Upon notification of fraudulent data by either a CRA or the consumer herself, the furnisher must not re-send the fraudulent data. Also, for such fraudulent information, the furnisher may not sell the debt, transfer the debt, or place it for collection. A debt collector who is notified by the consumer that the debt may be fraudulent or may have resulted from identity theft is obligated to notify creditors of the fraudulent debt. Finally, a nationwide CRA that receives an identity theft complaint must — as with identity theft “fraud alerts” — notify the other CRAs.

The statute of limitations for bringing an action for a violation of the FCRA is two years from the date of discovery of the violation by the consumer, although the action must be brought within five years of the date of the actual violation.

Consumer Credit Reports Are Inaccurate

Individuals often obtain redress against CRAs by suing for failure to correct inaccurate information or incomplete information. CRAs have immunity from defamation lawsuits based on information in the reports.

The US Public Interest Research Group (US PIRG) showed that 29% of credit reports contained serious inaccuracies (false judgments, false delinquency notices) that could result in denial of credit. PIRG found that 70% of reports had some type of error. Further, 20% of reports were missing creditworthiness information that would have assisted a consumer in obtaining credit.