The Fair Credit Reporting Act (FCRA) is a U.S. federal law regulating consumer credit information collection, dissemination, and use by consumer reporting agencies. Understanding the FCRA is vital for organizations directly utilizing consumer credit information and individuals who want to exercise their rights over their personal credit information.
Monitor your organization’s attack surface and stay FCRA compliant with UpGuard BreachSight >
What is the Fair Credit Reporting Act?
Passed in 1970, the FCRA is a consumer protection law that promotes the accuracy and ensures the privacy of information in consumer credit reports while protecting consumer rights in credit reporting.
Information about consumers is continuously collected by various entities, including the three major consumer credit bureaus: Experian, TransUnion, and Equifax. Other financial organizations, including banks and credit unions, may collect and use your consumer information.
Credit information is crucial because it can directly impact a consumer’s creditworthiness, which is evaluated when applying for credit cards, car loans, mortgages, etc. Credit card issuers, insurance companies, and mortgage lenders often review a consumer’s credit to assess their creditworthiness, meaning how likely they are to repay lines of credit or loans. Your credit history can also affect loan availability, credit card APRs, potential employment, housing rentals, and insurance offers.
In 2003, the Fair and Accurate Credit Transactions Act (FACTA) added provisions to the FCRA that improved the accuracy of consumers’ credit information, along with measures to prevent and mitigate identity theft. Included is a section that allows consumers to place fraud alerts in their credit files.
The FCRA helps ensure your credit information is accurate and kept private, extending rights to consumers over their credit information and personal data.
Consumer Rights
A significant component of the FCRA is consumer rights over their credit information. Your rights as a consumer include:
- Right to Access Your Credit Report: Every American consumer is entitled to one free credit report yearly from each central credit reporting agency (Experian, TransUnion, and Equifax) or another popular resource, annualcreditreport.com.
- Right to Know Your Credit Score: Consumers can request their credit score. There may be a fee associated with this request
- Right to Privacy: The FCRA restricts who can see a consumer’s credit report, including personal data and account information.
- Right to Opt-Out of Prescreened Offers: Consumers have the right to opt out of prescreened offers of credit or insurance offers. Unless a consumer gives permission, companies cannot send them recommendations based on information in their credit report.
- Right to Be Informed: Consumers must be notified if their credit report information was used against them. This can include being denied credit cards, insurance, employment, etc.
- Right to Be Notified of Adverse Action: If any adverse action is taken due to a consumer report (denial of credit, insurance, or employment), the entity taking action must inform the consumer and provide contact details of the credit reporting agency that produced the report they used.
- Right to Dispute Inaccurate Information: Consumers can dispute information they believe is incorrect in their credit reports. The consumer reporting agency must investigate the dispute within a specific timeframe, typically 30 days.
- Protection from Old Information: A credit report cannot include outdated negative credit information. The cutoff is usually data older than seven years or older than ten years for bankruptcies.
- Right to Request a Security Freeze: Consumers can request a security freeze on their credit report, which prevents credit, loans, and services from being approved in their name without their consent. This is typically used if the consumer is a victim of identity theft.
- Right to Seek Damages: If a consumer reporting agency or information provider violates the FCRA, the affected consumer can take legal action in state or federal court and seek damages.
Obligations of Credit Reporting Agencies
The other major components of the FCRA involve organizations that handle consumer credit information, including credit reporting agencies (CRAs). These organizations collect, maintain, and disseminate credit information about individuals. CRAs play a significant role in the financial landscape because they provide information to lenders and other entities that help them assess a consumer’s creditworthiness.
The FCRA requires CRAs to follow strict protocols when handling consumer data, including the following.
- Maintain reasonable procedures that ensure the maximum possible accuracy of the information contained within a consumer's report.
- Provide a consumer with information about them in their files and take active steps to verify the information is accurate.
- If a consumer dispute leads to negative information being removed, it cannot be reinserted without first notifying the consumer via writing within five days.
- If negative information is removed due to a consumer's dispute, it may not be reinserted without notifying the consumer in writing within five days.
- Remove negative credit information after seven years (bankruptcies require ten years).
Duties of Furnishers of Information
Along with CRAs, Furnishers of Information is another party included in the FCRA. These are typically creditors, lenders, and other financial institutions that provide information to CRAs. The FCRA outlines Furnishers of Information's obligations, including the following.
- Provide accurate and complete information to any credit reporting agencies.
- Investigate diligently any consumer disputes received from credit reporting agencies.
- Within 30 days of a dispute, correct, delete, or verify the information.
- Inform consumers about negative news in the process of or already placed on a consumer's credit report within one month.
Special Provisions
One of the leading special provisions included in the FCRA revolves around using credit files during employee background checks and for employment purposes. If an employer is using consumer reports to screen job applicants or employees, they must follow this specific procedure:
- Obtain your written consent
- Communicate how they want to use your credit report
- Only use your credit information for the permissible purposes outlined
- Provide a copy of your credit report should the employer decide not to hire or fire you
- Allow you to dispute the information within your credit report before making a final adverse decision.
Who Must Comply with the Fair Credit Reporting Act?
Due to the widespread use of credit information, many organizations must comply with the FCRA. Major businesses include companies that primarily deal with consumer credit information, like CRAs and lenders. But some organizations use credit information on a small scale, like employers, marketing agencies, and collection agencies, who must also follow FCRA guidelines. Outlined below are organizations that must comply with the FCRA.
- Consumer Reporting Agencies (CRAs): Includes the major credit bureaus (Equifax, Experian, and TransUnion) and specialty agencies that sell information about medical, check writing, and rental history records.
- Furnishers of Information: Creditors, lenders, and other financial institutions that provide information to CRAs
- Users of Consumer Reports: Any business or individual that utilizes a credit report to decide an individual’s eligibility for credit, insurance, employment, or rental housing
- Employers: Companies who use credit reports to screen applicants for employment or evaluate existing employees for promotion, reassignment, or retention
- Resellers of Credit Information: Entities that obtain consumer information from CRAs and then resell that information to other parties
- Debt Buyers or Collection Agencies: A company or individual that collects debts owed to others, or purchases an electronic file of information about the portfolio of debts
- Marketing Companies: Any marketing business that uses consumer reports to identify consumers for “prescreened” credit offers
Penalties for Non-Compliance
Because of the sensitive nature of consumer credit information and its impact on an individual’s ability to secure loans, housing, and employment, there are strict penalties for non-compliance with the FCRA.
Federal agencies, like the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), are authorized to impose penalties for FCRA violations. If there is a pattern of non-compliance within an organization, penalties can range from thousands to potentially millions of dollars. Specific states also have regulations that work with the FCRA and may include additional penalties for non-compliance.
Non-compliant organizations have civil liability to consumers, including payment of actual damages, statutory damages, punitive damages, and attorney fees and court costs. These amounts can add up to hundreds of thousands of dollars. Additionally, consumers can come together to file class action lawsuits against organizations for FCRA violations, resulting in hefty fines if many consumers are affected.
When an entity knowingly and willingly collects information from a CRA under false pretenses, it is considered a federal crime. These violations can result in fines and imprisonment.
Why is the Fair Credit Reporting Act Important?
The FCRA is vital to both consumers and organizations who use credit information. Financial information, especially consumer credit information, is widely used, so having regulation guidelines help protect how that info is obtained, used, and maintained.
Leverage for Consumers
The FCRA gives consumers control over their credit data, allowing them to leverage and review this vital personal information. The FCRA provides primary access to credit reports for consumers with one free report per year while also safeguarding against identity theft and fraud.
Additionally, consumers can dispute any inaccuracies preventing them from obtaining loans, employment, or credit. Finally, the FCRA allows consumers to seek compensation for any damages they face due to non-compliance with the FCRA. Overall, this regulation puts power and control over personal credit information back into the hands of the consumers.
Evolution of the Modern Digital Age
Since its introduction in the 1970s, the financial ecosystem across the U.S. has evolved rapidly. One significant component was the shift from physical to digital data, which introduced new challenges. During this transition, the FCRA has continued to play a crucial role in maintaining consumer privacy and data security. As personal finance information is regarded as confidential, it is imperative to ensure its confidentiality and security.
The same standards the FCRA originally introduced have been adapted to modern digital data practices, raising the need for more robust cybersecurity measures for financial organizations.
The Fair Credit Reporting Act and Cybersecurity
While not a cybersecurity regulation, the FCRA does outline rules for the protection and security of personal information, which means there are cybersecurity practices that help organizations stay compliant with the FCRA.
Protection of Consumer Information
A major regulation in the FCRA is that CRAs and organizations that furnish information to them must ensure that the data they handle is accurate and private.
Since that data is often stored digitally, these organizations should implement cybersecurity measures to protect that data against authorized access, data breaches, or data theft. Some examples of cybersecurity measures that organizations can utilize are:
- Organizing and Classifying Data
- Enabling Data Encryption
- Performing Data Protection Impact Assessments (DPIA)
- Use Data Masking or Data Obfuscation
- Enabling Multi-Factor Authentication (MFA)
- Regularly Backing up Data
- Implementing Stronger Network Security
Data Disposal Requirements
Any organization that must comply with the FCRA must adopt appropriate measures to dispose of consumer information. Before the digital data age, secure shredding could quickly dispose of protected information. Although secure shredding is still used for physical data, digital data requires specific cybersecurity methods to ensure data cannot be reconstructed. Simply deleting data from a computer or a network may not destroy it, and cybercriminals may be able to retrieve it.
Common ways to destroy digital data include overwriting a storage device, degaussing (passing an electromagnet over a storage device to scramble the information rendering it unreadable), and, as previously mentioned, physical destruction.
Data Breaches
If an organization covered by FCRA experiences a data breach that compromises consumers' personal information, it must disclose that data breach. All U.S. States and the District of Columbia have existing legislation that requires notification of security breaches that involve personal information.
In March 2017, Equifax, one of the largest credit reporting agencies in the United States, experienced a major data breach that exposed the personally identifying data of over 147 million people—more than 40% of the U.S. population. Compromised data included names, addresses, dates of birth, social security numbers, and driver’s licenses.
The overwhelming size of the breach and the methods hackers used (exposing a vulnerability in a consumer complaint portal that was widely known but never patched) left a massive stain on Equifax and resulted in $1.4 billion spent on cleanup costs. A class action lawsuit filed by affected consumers tacked on an additional $1.38 billion in consumer claims.
Vendor Management
Just like any other business, organizations that use consumer credit information often work with third-party vendors who may process or handle consumer data. This introduces various third-party risks that can adversely affect the primary organization.
To ensure third parties also comply with FCRA standards, organizations should implement a Third-Party Risk Management program that evaluates, identifies, and remediates any cyber risks that may be present within a third party.
Complementary Cybersecurity Regulations
The FCRA works in tandem with other regulations that have explicit cybersecurity components. For example, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure customer records, and information is kept secure and confidential. Any company offering consumers financial products or services (i.e., loans, financial, investment advice) must explain their information-sharing practices and safeguard sensitive data.
Adhering to these cybersecurity regulations not only keeps organizations compliant with them but also with the FCRA.
How UpGuard Can Help You Stay FCRA Compliant
If your organization handles consumer credit information and you want to bolster your cybersecurity posture to help you stay compliant with the privacy and security components of the FCRA, UpGuard is here to help.
BreachSight is an all-in-one platform allowing your organization to manage your external attack surface confidently. Protect your organization’s reputation by understanding the risks impacting your external security posture, and rest assured your assets are regularly monitored and protected. BreachSight Features include data leak detection, continuous monitoring, attack surface reduction, shared security profiles, insight reports, and more.
