Study Guide: Certified Information Privacy Professional (CIPP): US - Fair Credit Reporting Act, FCRA, Consumer Reports, Adverse Action, Red Flags Rule
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-fair-credit-reporting-act-fcra-consumer-reports-adverse-action-red-flags-rule

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

What This Is

The Fair Credit Reporting Act (FCRA) is the U.S. federal law that governs how consumer reporting agencies (CRAs) collect, use, and share “consumer reports” (credit, employment, insurance, and other background-check information). It also sets strict rules for adverse-action notices (when a decision is made against a consumer based on a report) and the Red Flags Rule (a safeguard-requirement for organizations that handle “covered credit-card or loan information”).

Real-world example: A national retailer screens job applicants using a third-party background-check vendor. When an applicant is denied because of a poor credit score, the retailer must send an adverse-action notice that explains the decision, the source of the report, and the consumer’s rights to dispute the information. Failure to do so can trigger FCRA penalties and state-law damages.


Key Terms & Provisions

  • Consumer Report: Any written, electronic, or oral communication containing information about a consumer’s creditworthiness, character, or other personal data, prepared by a CRA. (FCRA § 601)
  • Consumer Reporting Agency (CRA): An entity that assembles or evaluates consumer reports for the purpose of furnishing them to third parties. (FCRA § 603)
  • Permissible Purpose: A legally allowed reason for a user (e.g., employer, insurer) to obtain a consumer report, such as employment, credit, or insurance underwriting. (FCRA § 604)
  • Adverse Action: Any denial, termination, or unfavorable change in terms (e.g., loan denial, job offer withdrawal) based on information in a consumer report. (FCRA § 615)
  • Adverse-Action Notice: The written disclosure a user must provide to a consumer after an adverse action, including the CRA’s name, contact info, and the consumer’s right to a free copy of the report and dispute errors. (FCRA § 615(a)(1)–(2))
  • Pre-Adverse-Action Disclosure: A copy of the consumer report (or a summary) and a notice of the consumer’s right to dispute the information, sent at least 5 business days before the adverse action is taken. (FCRA § 615(a)(1)–(2))
  • Red Flags Rule: A regulation (31 C.F.R. §§ 1004.1–1004.13) requiring “covered entities” and “service providers” to develop a written Identity Theft Prevention Program that identifies, detects, and mitigates “red flags” of identity theft.
  • Covered Entity (Red Flags Rule): Any person or business that regularly engages in the business of extending, renewing, or servicing credit, or that maintains consumer-report information. (31 C.F.R. § 1004.2)
  • Covered Credit-Card/Loan Information: Any data that can be used, alone or with other information, to identify a consumer and access their credit or loan accounts (e.g., account numbers, expiration dates, security codes). (Red Flags Rule definition)
  • Dispute Process: The consumer’s right to challenge inaccurate or incomplete information in a consumer report; the CRA must investigate within 30 days and correct any errors. (FCRA § 611)
  • Statute of Limitations for FCRA Actions: Generally 2 years from the date of the violation, or 5 years for willful violations. (28 U.S.C. § 1654)

Step-by-Step Process Flow (Handling an Adverse Action)

  1. Confirm Permissible Purpose – Verify that the request for the consumer report falls under an allowed purpose (e.g., employment, credit, insurance).
  2. Obtain the Report – Request the consumer report from a CRA (Equifax, Experian, TransUnion, or a specialty agency).
  3. Pre-Adverse-Action Review – If the report will lead to a denial or other adverse action, send the consumer a pre-adverse-action disclosure (copy of the report or summary + notice of dispute rights) 5 business days before the decision.
  4. Make the Decision – After the 5-day window, decide whether to proceed with the adverse action.
  5. Send the Adverse-Action Notice – Provide the consumer with the required notice (CRA name, contact info, statement of rights, and how to obtain a free copy of the report).
  6. Document & Retain – Keep copies of all disclosures, notices, and any consumer disputes for at least 2 years (or 5 years for willful violations).

Common Mistakes

  • Mistake: Sending only an email “you were denied” without the required pre-adverse-action disclosure.
    Correction: Provide the full pre-adverse-action packet (report copy or summary + dispute rights) at least 5 business days before the denial.

  • Mistake: Assuming a “soft” credit check (e.g., for a background-screen) does not require an adverse-action notice.
    Correction: Any decision that is adverse (denial, less favorable terms, or termination) triggers the notice requirements, regardless of whether the check was “soft” or “hard.”

  • Mistake: Treating the Red Flags Rule as optional or only applicable to banks.
    Correction: Any entity that maintains covered credit-card or loan information—such as a retail store offering store-card financing—must implement an Identity Theft Prevention Program.

  • Mistake: Believing that a consumer’s dispute automatically removes the information from the report.
    Correction: The CRA must investigate and correct only if the information is found to be inaccurate; otherwise the data may remain.

  • Mistake: Ignoring the 30-day “re-investigation” window after a consumer disputes a report.
    Correction: Track disputes carefully; the CRA must complete the reinvestigation within 30 days (or 45 days if the consumer provides additional information).


CIPP Exam Insights

  1. Adverse-Action Timing: The exam loves to ask about the 5-business-day pre-adverse-action disclosure rule—remember it applies before the adverse decision, not after.
  2. Red Flags Rule Scope: Expect a question distinguishing “covered entities” (those that extend credit or maintain credit-card/loan info) from “non-covered” businesses (e.g., a pure e-commerce retailer that never offers credit).
  3. Permissible Purpose vs. Consent: FCRA does not require consumer consent for a credit check; it requires a permissible purpose. This is a frequent trap when comparing to GDPR’s consent requirement.
  4. Statute of Limitations: The exam may test the 2-year vs 5-year limitation—2 years for ordinary violations, 5 years for willful violations.

Quick Check Questions

  1. Scenario: A landlord runs a credit check on a prospective tenant and decides not to rent to them because of a low credit score. What must the landlord provide to the applicant?
    Answer: A pre-adverse-action disclosure (copy of the report or summary + dispute rights) at least 5 business days before the denial, followed by an adverse-action notice after the decision.

  2. Scenario: A retailer offers a store-card and stores customers’ card numbers, expiration dates, and CVVs. Is the retailer subject to the Red Flags Rule?
    Answer: Yes—because it maintains covered credit-card information, it must develop an Identity Theft Prevention Program.

  3. Scenario: An employer receives a consumer report showing a conviction that is later proven inaccurate. The employee disputes the record. What is the CRA’s obligation?
    Answer: The CRA must investigate the dispute within 30 days and correct the report if the information is found to be inaccurate.


Last-Minute Cram Sheet (10 One-Liners)

  1. FCRA § 604 – Only “permissible purposes” (employment, credit, insurance, etc.) allow a consumer report to be obtained.
  2. 5-Business-Day Rule – Pre-adverse-action disclosure must be sent 5 business days before the adverse decision.
  3. Adverse-Action Notice – Must include CRA name, contact info, and the consumer’s right to a free report and dispute.
  4. 30-Day Dispute Rule – CRA must investigate a consumer dispute within 30 days (45 days if additional info is provided).
  5. Red Flags Rule – Applies to any “covered entity” that maintains covered credit-card or loan information.
  6. Identity Theft Prevention Program – Must be written, periodically reviewed, and tailored to the organization’s size and risk.
  7. Statute of Limitations – 2 years for ordinary FCRA violations; 5 years for willful violations.
  8. Penalty Ceiling – Up to $1,000 per negligent violation and $10,000 per willful violation (per consumer, per incident).
  9. FCRA § 611 – Consumers have a right to a free copy of their report if they dispute it, and the CRA must correct any inaccuracies.
  10. “Soft” vs. “Hard” Check – Both can trigger adverse-action notice requirements; the distinction only affects the consumer’s credit score, not the notice obligations.