Consumer Protection / Financial Services

FCRA

Fair Credit Reporting Act of 1971 (15 USC 1681 et seq., 12 CFR Part 1022)

Legally Required Featured Framework

Federal law regulating consumer credit reporting agencies, protecting accuracy and privacy of consumer credit information, and ensuring fair treatment in credit decisions

Executive Summary

The Fair Credit Reporting Act (FCRA) regulates collection, dissemination, and use of consumer credit information. Applies to Consumer Reporting Agencies (CRAs including Equifax, Experian, TransUnion), users of consumer reports (creditors, employers, landlords), and furnishers of information (banks, creditors). Key consumer rights: free annual credit report from each nationwide CRA, right to dispute inaccurate information (30-day investigation), fraud alerts (1-7 years), security freezes, identity theft protections. Requirements for users: have permissible purpose before obtaining report, provide adverse action notices with credit score and factors, honor opt-outs. Requirements for furnishers: establish reasonable written policies per 12 CFR 1022.42, not furnish known inaccurate information, investigate disputes. FACTA amendments (2003): Red Flags Rule for identity theft prevention, Disposal Rule for secure information destruction, free annual credit reports. Enforcement by CFPB, FTC, State AGs. Notable cases: Equifax data breach settlement ($700M), TransUnion tenant screening ($15M), Equifax credit reporting errors ($15M). Private right of action: willful violations $100-$1,000 statutory + punitive damages; negligent violations actual damages only.

Comprehensive Documentation

Fair Credit Reporting Act (FCRA)

Overview

Primary Regulators: Consumer Financial Protection Bureau (CFPB), Federal Trade Commission (FTC)
Legislation: 15 USC 1681 et seq. (FCRA of 1971)
Implementing Regulations: 12 CFR Part 1022 (Regulation V)
Enacted: April 25, 1971
Major Amendments: Fair and Accurate Credit Transactions Act (FACTA) - December 4, 2003

Key Purposes

  1. Promote Accuracy: Ensure maximum possible accuracy of consumer credit information

  2. Protect Privacy: Limit access to consumer credit information to permissible purposes

  3. Consumer Rights: Give consumers rights to access, dispute, and correct their credit information

  4. Fair Treatment: Ensure fair treatment in credit, employment, insurance, and housing decisions

  5. Identity Theft Prevention: Protect consumers from identity theft through fraud alerts, security freezes, and Red Flags Rule


Legislative Authority

Primary Statute: 15 USC 1681 et seq.

Congressional Findings (15 USC Sec. 1681):

  • Banking system is dependent upon fair and accurate credit reporting

  • Inaccurate credit reports directly impair efficiency of banking system

  • Need to ensure consumer reporting agencies exercise responsibilities with fairness, impartiality, and respect for consumer privacy


Key Statutory Provisions:
  • 15 USC Sec. 1681a: Definitions (consumer report, CRA, adverse action)

  • 15 USC Sec. 1681b: Permissible purposes for consumer reports

  • 15 USC Sec. 1681c: Time limitations on reporting adverse information (7-10 years)

  • 15 USC Sec. 1681c-1: Fraud alerts (initial 1 year, extended 7 years)

  • 15 USC Sec. 1681c-2: Security freezes and identity theft protections

  • 15 USC Sec. 1681e: CRA duties regarding maximum possible accuracy

  • 15 USC Sec. 1681i: Consumer dispute procedures (30-day investigation)

  • 15 USC Sec. 1681j: Free annual credit reports

  • 15 USC Sec. 1681m: Adverse action notice requirements

  • 15 USC Sec. 1681n: Willful noncompliance civil liability ($100-$1,000 statutory + punitive)

  • 15 USC Sec. 1681o: Negligent noncompliance civil liability (actual damages)

  • 15 USC Sec. 1681s: Administrative enforcement authority (FTC, CFPB, banking agencies)

  • 15 USC Sec. 1681s-2: Furnisher responsibilities (accuracy, dispute investigation)


CFPB Implementing Regulations: 12 CFR Part 1022

Regulation V - Fair Credit Reporting

  • 12 CFR Sec. 1022.42: Furnisher written policies and procedures (accuracy and integrity)

  • 12 CFR Sec. 1022 Subpart D: Medical information restrictions

  • 12 CFR Sec. 1022 Subpart H: Duties of users regarding address discrepancies

  • 12 CFR Sec. 1022 Appendix E: Interagency Guidelines on furnisher policies


FACTA Amendments: Public Law 108-159

Fair and Accurate Credit Transactions Act of 2003:

  • Section 114: Red Flags Rule (identity theft prevention programs)

  • Section 216: Disposal Rule (secure destruction of consumer information)

  • Section 211: Free annual credit reports from major CRAs

  • Fraud Alerts: Initial (1 year minimum) and Extended (7 years)

  • Security Freezes: Consumer right to freeze credit files

  • Identity Theft Blocking: CRAs must block fraudulent information within 4 business days


FTC Implementing Rules

16 CFR Part 681 - Identity Theft Red Flags Rule:

  • Financial institutions and creditors must develop identity theft prevention programs

  • Must detect, prevent, and mitigate identity theft

  • Program must include: detection methods, prevention/mitigation responses, periodic updates, service provider oversight


16 CFR Part 682 - Disposal Rule:
  • Requires proper disposal of consumer information

  • "Reasonable measures to protect against unauthorized access"

  • Applies to burning, pulverizing, shredding papers; destroying/erasing electronic media


Covered Entities

Consumer Reporting Agencies (CRAs)

Nationwide Consumer Reporting Agencies:

  1. Equifax, Inc.

  2. Experian Information Solutions, Inc.

  3. TransUnion LLC


Specialty Consumer Reporting Agencies (~400 total):
  • Employment screening companies

  • Tenant screening companies

  • Medical specialty report companies

  • Check verification companies

  • Low-income and subprime reporting companies


Users of Consumer Reports

  • Creditors and lenders (banks, credit card companies, mortgage lenders)

  • Insurance companies (underwriting)

  • Employers (employment screening with consumer consent)

  • Landlords and property managers (tenant screening)

  • Government agencies (licensing, benefits determination)


Furnishers of Information

  • Banks and credit unions

  • Credit card companies

  • Mortgage servicers

  • Auto lenders

  • Collection agencies

  • Any creditor reporting to CRAs


Permissible Purposes (15 USC Sec. 1681b)

Consumer reporting agencies may furnish reports ONLY for:

Legal Process


  • Court orders with jurisdiction

  • Federal grand jury subpoenas


Consumer Authorization


  • Written instructions from the consumer


Business Purposes


  • Credit transactions involving the consumer or account review

  • Employment purposes (with disclosure and written consent)

  • Insurance underwriting involving the consumer

  • Government benefits requiring financial responsibility assessment

  • Legitimate business need for consumer-initiated transactions


Other Permissible Purposes


  • Child support enforcement

  • FDIC/NCUA conservatorship actions

  • Potential investor/servicer credit risk assessment


Employment-Specific Requirements:
  • Employers MUST provide clear disclosure before obtaining reports

  • MUST obtain written authorization

  • MUST supply copy of report before adverse action


Consumer Rights

Free Annual Credit Reports (15 USC Sec. 1681j)

Federal Requirement:

  • One free credit report every 12 months from each nationwide CRA

  • Obtained through: AnnualCreditReport.com or (877) 322-8228

  • ONLY authorized website for free annual federal disclosures


Additional Free Reports:
  • Within 3 business days of requesting fraud alert

  • Two free reports during 12 months following extended fraud alert

  • After adverse action based on credit report (60-day window)

  • Unemployment and seeking employment

  • Recipient of public assistance

  • Victim of identity theft


Right to Dispute Inaccurate Information (15 USC Sec. 1681i)

Consumer Rights:

  • Dispute any incomplete or inaccurate information

  • Free dispute process


CRA Investigation Requirements:
  • 30-day investigation period (may extend 15 days if consumer provides new information)

  • Must review all consumer-submitted information

  • Notify information furnisher within 5 business days of dispute

  • Must delete or modify inaccurate/unverifiable information promptly

  • Provide written notice within 5 business days after completing investigation


Fraud Alerts (15 USC Sec. 1681c-1)

Initial Fraud Alert:

  • Duration: Not less than 1 year

  • Trigger: Good faith suspicion of identity theft/fraud

  • Benefits: Free credit report within 3 business days


Extended Fraud Alert:
  • Duration: 7 years

  • Requirements: Submit identity theft report

  • Benefits: 2 free credit reports during 12 months; 5-year exclusion from prescreened offers


Active Duty Alert:
  • Duration: Not less than 12 months

  • Eligibility: Active duty military members

  • Benefits: 2-year exclusion from prescreened offers


Security Freeze / Credit Freeze (15 USC Sec. 1681c-2)

Federal Rights:

  • Prohibits CRA from releasing consumer report without express authorization

  • Free placement, lifting, and removal of freezes (as of September 2018)

  • Must be processed within specific timeframes


Massachusetts-Specific (201 CMR 16.00):
  • Placement timing: 3 business days maximum

  • Temporary lift: 3 business days

  • Permanent removal: 3 business days

  • PIN requirements: Cannot contain Social Security numbers

  • Written confirmation: Within 5 business days of placement


Identity Theft Protections (15 USC Sec. 1681c-2)

Blocking Information:

  • CRAs must block identity theft-related information within 4 business days

  • Consumer must provide: proof of identity, identity theft report, identification of fraudulent data


Adverse Action Requirements (15 USC Sec. 1681m)

When taking adverse action based on consumer reports, users must provide:

Required Disclosures


  1. Oral, written, or electronic notice of adverse action

  2. Credit score information: numerical score, range of possible scores, factors that adversely affected score

  3. CRA contact information: name, address, phone number

  4. Clarification that CRA did not make the adverse decision

  5. Consumer rights information: right to free credit report, right to dispute accuracy


Timing


  • Notice must be provided when adverse action is communicated or shortly thereafter


Key Factors Disclosure


  • Must not exceed four factors


Accuracy and Dispute Procedures

Time Limitations on Reporting (15 USC Sec. 1681c)

Agencies Cannot Report:

  • Bankruptcy older than 10 years

  • Civil suits, judgments, arrests older than 7 years

  • Delinquent accounts older than 7 years

  • Tax liens older than 7 years

  • Other adverse information older than 7 years


Furnisher Responsibilities (15 USC Sec. 1681s-2)

Accuracy Requirements:

  • Must not report information known or reasonably believed to be inaccurate

  • Must promptly correct and update incomplete/inaccurate information

  • Cannot continue furnishing data determined to be flawed


Dispute Investigation Duties:
  • Conduct investigations when notified by CRAs

  • Review all relevant consumer-provided documentation

  • Complete investigations within CRA's required timeframe

  • Modify, delete, or block reporting of inaccurate/unverifiable information


Furnisher Written Policies (12 CFR Sec. 1022.42):
  • Each furnisher must establish and implement reasonable written policies and procedures

  • Policies must address accuracy and integrity

  • Must review and update policies periodically

  • Must be appropriate to nature, size, complexity of activities


FACTA Provisions

Red Flags Rule (16 CFR Part 681)

Requirements:
Financial institutions and creditors must develop and implement written Program to detect, prevent, and mitigate identity theft.

Program Components:

  1. Detection: Identify red flags, obtain identifying information, authenticate customers

  2. Prevention and Mitigation: Respond appropriately to detected red flags

  3. Service Provider Oversight: Ensure service providers follow reasonable policies/procedures

  4. Periodic Updates: Update program to reflect changes in risks


Red Flag Definition:
Pattern, practice, or specific activity indicating possible identity theft.

Covered Accounts:

  • Accounts primarily for personal, family, or household purposes

  • Accounts with foreseeable risk of identity theft


Disposal Rule (16 CFR Part 682)

Requirements:
Any person maintaining or possessing consumer information for business purpose must properly dispose.

Disposal Standard:
"Reasonable measures to protect against unauthorized access during disposal"

Examples:

  • Paper: Burning, pulverizing, or shredding

  • Electronic: Destruction or erasure so information cannot be read or reconstructed

  • Third-Party: Contract with record destruction business after due diligence


Enforcement and Penalties

Administrative Enforcement Authority (15 USC Sec. 1681s)

Consumer Financial Protection Bureau (CFPB):

  • Primary regulatory and interpretive role (effective July 21, 2011)

  • Rule-making authority under Dodd-Frank

  • Enforcement authority over "covered persons"


Federal Trade Commission (FTC):
  • Historical enforcement authority

  • Treats FCRA violations as unfair/deceptive practices

  • Subject to CFPB authority for covered persons


State Attorneys General:
  • Can bring civil actions for FCRA violations affecting state residents

  • Concurrent with FTC/CFPB (both can enforce)

  • Can seek injunctions, civil penalties, restitution


Civil Penalties (Government Enforcement)

FTC/CFPB Civil Penalties:

  • Not more than $2,500 per violation

  • For knowing violations constituting pattern or practice


Private Right of Action

Willful Noncompliance (15 USC Sec. 1681n):

  • Actual damages OR Statutory damages ($100-$1,000)

  • PLUS Punitive damages at court's discretion

  • PLUS Attorney fees and costs


Negligent Noncompliance (15 USC Sec. 1681o):
  • Actual damages

  • Attorney fees and costs

  • No punitive damages or statutory minimums


Notable Enforcement Actions

Equifax:

  1. 2017 Data Breach Settlement (2019) - Up to $700 million

- CFPB: Up to $425M consumer relief + $100M civil penalty
- FTC/States: $175M to 48 states/DC/Puerto Rico
- Affected: 147 million consumers

  1. 2025 Credit Reporting Errors - $15 million civil penalty

- Improper investigations of credit reporting errors
- Failure to ensure maximum accuracy

TransUnion:

  1. Tenant Screening Violations (2023) - $15 million

- $11M consumer compensation + $4M civil penalty
- Largest amount ever recovered in FTC tenant screening matter

Massachusetts-Specific Requirements

Massachusetts Fair Credit Reporting Act (MGL Ch. 93, Sec.Sec. 50-68)

Key Provisions:

  • Consumers can obtain free copy within 60 days of credit denial

  • CRAs must investigate claims within 30 business days

  • Negative information more than 7 years old generally cannot be included

  • State law works alongside federal FCRA (not preempted for fraud, computer crimes)


Massachusetts Security Freeze Law (201 CMR 16.00)

Processing Requirements:

  • 3 business day maximum for placement, temporary lift, or permanent removal

  • Fee structure (though federal law now mandates free freezes)

  • PIN/password requirements (no SSN sequences)

  • Written confirmation within 5 business days


Massachusetts Data Protection (201 CMR 17.00)

Standards for Protection of Personal Information:

  • Minimum standards for persons who own/license personal information

  • Safeguarding requirements for paper and electronic records

  • Comprehensive written information security program (WISP) required

  • Complements FCRA requirements


Massachusetts AG Enforcement

2015 Multistate Settlement - $6 million across 31 states

  • Parties: Equifax, Experian, TransUnion

  • Issues: Credit report errors, data furnisher problems


Settlement Provisions:
  • Cannot add fines/tickets to credit reports (generally)

  • Cannot place medical debt until 180 days after reporting

  • Must maintain list of problem data furnishers

  • Enhanced escalated process for complex disputes


Compliance Framework

For Consumer Reporting Agencies

  1. Furnish reports only for permissible purposes (15 USC Sec. 1681b)

  2. Maintain reasonable procedures ensuring maximum accuracy (15 USC Sec. 1681e)

  3. Investigate disputes within 30 days (15 USC Sec. 1681i)

  4. Provide free annual disclosures (15 USC Sec. 1681j)

  5. Process fraud alerts and security freezes (15 USC Sec. 1681c-1, Sec. 1681c-2)

  6. Block identity theft information within 4 business days

  7. Implement Red Flags Rule program (16 CFR 681)

  8. Properly dispose of consumer information (16 CFR 682)


For Users of Consumer Reports

  1. Have permissible purpose before obtaining report (15 USC Sec. 1681b)

  2. Provide adverse action notices with required disclosures (15 USC Sec. 1681m)

  3. Obtain employment report consent and provide pre-adverse action notice

  4. Certify permissible purpose to CRA


For Furnishers of Information

  1. Establish and implement reasonable written policies/procedures (12 CFR Sec. 1022.42)

  2. Not furnish information known to be inaccurate (15 USC Sec. 1681s-2)

  3. Investigate disputes referred by CRAs

  4. Update/correct inaccurate information promptly

  5. Notify CRAs when accounts voluntarily closed

  6. Provide notice before furnishing negative information


Massachusetts-Specific Compliance

  1. Comply with 201 CMR 16.00 security freeze requirements (3 business days)

  2. Implement 201 CMR 17.00 data protection standards

  3. Respond to Massachusetts AG inquiries

  4. Honor enhanced consumer rights under MGL Ch. 93, Sec.Sec. 50-68


Official Sources

  • 15 USC 1681 et seq.: https://uscode.house.gov/view.xhtml?path=/prelim@title15/chapter41/subchapter3

  • 12 CFR Part 1022: https://www.ecfr.gov/current/title-12/chapter-X/part-1022

  • FACTA: https://www.govinfo.gov/content/pkg/PLAW-108publ159/html/PLAW-108publ159.htm

  • 16 CFR Part 681: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-F/part-681

  • 16 CFR Part 682: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-F/part-682

  • FTC FCRA Resources: https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act

  • CFPB Compliance: https://www.consumerfinance.gov/compliance/compliance-resources/other-applicable-requirements/fair-credit-reporting-act/

  • 201 CMR 16.00: https://www.mass.gov/regulations/201-CMR-1600-placing-lifting-and-removing-security-freezes

  • 201 CMR 17.00: https://www.mass.gov/regulations/201-CMR-1700-standards-for-the-protection-of-personal-information-of-residents-of-the-commonwealth

  • MA Credit Resources: https://www.mass.gov/info-details/massachusetts-law-about-credit-banking-and-interest-rates

Applicable Industries

Financial Services (Banks, Credit Unions, Lenders)Credit Card CompaniesMortgage ServicersAuto LendersCollection AgenciesInsurance CompaniesEmployers (using credit reports for hiring)Landlords and Property ManagersConsumer Reporting AgenciesTenant Screening CompaniesEmployment Screening CompaniesAny Business Using or Furnishing Consumer Credit Information

Company Size

All persons subject to FTC jurisdiction (users, furnishers, CRAs) regardless of company size

Effective Date

4/25/1971

Penalties for Non-Compliance

Civil: Up to $2,500 per violation (government); Willful violations: $100-$1,000 statutory + punitive damages + attorney fees (private); Negligent violations: actual damages + attorney fees (private); Notable: Equifax breach ($700M), TransUnion tenant screening ($15M), Equifax credit errors ($15M)

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.

Applicable Massachusetts Industries

Financial Services (Banks, Credit Unions, Lenders)
Credit Card Companies
Mortgage Servicers
Auto Lenders
Collection Agencies
Insurance Companies
Employers (using credit reports for hiring)
Landlords and Property Managers
Consumer Reporting Agencies
Tenant Screening Companies
Employment Screening Companies
Any Business Using or Furnishing Consumer Credit Information
View MA Compliance OverviewBrowse by Industry

Official Resources

Primary Source

https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act

Additional Official Sources

Enforcement Agency

Consumer Financial Protection Bureau (CFPB); Federal Trade Commission (FTC); State Attorneys General; Banking Regulatory Agencies (OCC, Federal Reserve, FDIC, NCUA)