Final rules will determine the effective date. In response to a request by ABA and other trade associations, on November 24, 2004, the banking agencies and the Federal Trade Commission wrote that institutions do not have to comply with those FACTA provisions which must be implemented by rulemaking until after adoption of final rules. Those provisions include those related to: risk-based pricing notices; affiliate marketing; medical information sharing; red flag guidelines and regulations; notice of opt out from prescreened solicitations; disposal of consumer report information; accuracy and integrity guidelines and regulations; ability of consumer to dispute information with furnisher); and reconciling addresses.
The FACTA requires mortgage lenders to provide credit scores along with other information to mortgage loan applicants. The credit score and other information must be provided when a credit score is used for an application for a consumer loan that is secured by one to four units of residential property; this requirement includes purchase money residential loans, mortgage refinances, home equity loans, and loans secured by vacation homes (the provision does not apply if the loan is used for a business purpose). In addition, the credit score and other information must be provided for all applicants for whom a credit score is used, not just those denied. The Act requires that the score be provided if the lender used a score of a consumer who "initiated or sought" a covered mortgage; consequently, co-applicants would also be included. While this issue remains unclear, this analyst recommends that guarantors should also be provided with the credit score if a score was 'used,' given that if the credit had a permissible purpose to retrieve the credit score in the first place, the guarantor is likely entitled to receive it as well. Furthermore, although automated underwriting systems are excluded from the definition of credit score, Section 609(g)(1)(B) of the Act stipulates that mortgage lenders using automated underwriting systems, "may satisfy the obligation to provide a credit score" by disclosing a credit score and associated key factors supplied by a consumer reporting agency; however, if a proprietary credit scoring system is used, the lender has a choice and may supply either its own score or a score provided by a consumer reporting agency.
Information required with credit score
Unfortunately, the Act is nebulous in this area; under existing guidance, though, mortgage lenders that use a credit score should likely provide, together with the statutory notice, any information contained in the credit score report listed in Section 609(f), including specifically: (1) the credit score; (2) the range of possible credit scores for that model; (3) up to four key adverse factors, plus number of inquiries, if adverse factor; (4) the date the credit score was created; and (5) the name of the credit score maker. Under 609(g)(1)(D), covered credit score users must provide a copy of a statutory notice that explains credit scores. In addition, Section 609(g)(1)(a) requires covered credit score users to provide the five items listed above that are "obtained from a consumer reporting agency." In most cases, this information (except for the range, and the number of inquiries), is contained in the credit score report; in some instances, though, credit score users "obtained" the ranges from the credit score maker, so this information should likely be included as well. It should be pointed out, though, that the foregoing two provisions are incongruent with Section 609(g)(1)(E) that stipulates, "This subsection shall not require any person to... ii) disclose any information other than a credit score or key factors..." A strictly literal interpretation of this stipulation would mean that the credit score user would not have to even provide the statutory notice. Further complicating this subsection is 609(g)(1)(F) that provides that covered credit score users need only provide a "copy of the information that was received from the consumer reporting agency," suggesting that information not contained in the credit score report need not be disclosed to the applicant. There clearly appears to be a congressional intent to require credit score users only to provide information provided in the credit score report; therefore, a "give what you get" approach is most likely appropriate. Some score makers will provide "compliant" notices, frequently for a price; otherwise, covered credit score users can provide information themselves. Finally, the disclosures are only required if the institution "uses" the credit score; however, leaders that do not use credit scores they receive should consider obtaining reports that omit scores or, in the alternative, providing the disclosures anyway. Otherwise, they may be vulnerable to challenges questioning why they obtain credit scores if they do not use them.
Credit score users and applicant signature requirements
There is no requirement to obtain the applicants' signature; appropriate procedures should provide sufficient proof of compliance.
Notice about negative information
Section 623(a)(7) requires creditors to notify their customers if negative information may or will be reported by them to a nationwide consumer reporting agency; however, the Act does not specifically direct any agency to promulgate regulations but only requires the Federal Reserve Board to adopt model disclosures. Those disclosures are available on the Federal Reserve Board's website (www.federalreserve.gov) or the June 15 Federal Register. Institutions had to begin complying by December 1, 2004. This provision also likely applies if the institution furnishes information about charged-off deposit accounts; however, this requirement would only be applicable in those cases where the information is being provided to one of the "nationwide" consumer reporting agencies noted above (e.g., Transunion, Equifax, or Experian and excludes ChexSystems).
Timing of notices
Notices must be provided prior to, or no later than, 30 days after furnishing the negative information; they may be included on or with other documents, such as a periodic statement or late payment notice and they may also be included with welcome packages, provided they are not in the Regulation Z. initial disclosures.
Provision of notice to co-applicants and guarantors
Co-applicants and guarantors must be provided notice if the lender is furnishing negative information about them; the notice may be delivered to the address as the mortgage agreement provides.
Provision of notice to all existing customers concerning negative information
The bank may choose to deliver the notice to all customers, new and existing, but complies so long as the customer receives it no later than 30 days after the creditor has actually reported negative information. For this purpose, the Federal Reserve Board provided two models: one suitable if the notice is sent in advance of reporting negative information and a second one if it is sent afterwards. Although model disclosures are not stipulated, the bank is deemed in compliance when they are used.
There are three types of alerts: (1) initial alerts, (2) active duty alerts, and (3) extended alerts. The initial alert and active duty alerts last 90 days and are inserted in the file upon the request of a consumer who has provided appropriate proof of identification. Initial alerts are intended to assist consumers who have, for example, lost their wallet and fear becoming victimized or have experienced less intrusive identity theft. Active duty alerts last 12 months and can be filed by active duty military consumers to prevent identity theft while they are on active duty. Extended alerts last seven years. Consumers may be required to provide an identity theft report along with proof of identification. These alerts are intended for those instances when identity thieves have really taken over the financial lives of the victim
Responsibilities of users of credit reports
If a user pulls a credit report that contains an initial or active duty alert, the user must have reasonable policies and procedures to "form a reasonable belief that the user knows the identity of the person making the request" for credit. The user has two choices: the user may (1) contact the consumer at the telephone number, if provided; or (2) "take reasonable steps to verify the consumer's identity" and confirm that the application is not a result of identity theft. This could include, for example, using the policies adopted to comply with Section 326 of the Patriot Act related to customer identification procedures. If the report contains an extended alert, the user may not grant credit unless it contacts the consumer "in person" or by telephone or other reasonable contact method.
Provision of information to consumers claiming to be victims of identity theft
The FACTA requires that banks and creditors provide to people claiming to be a victim of identity theft information related to accounts opened by the identity thief. Institutions must provide to identity theft victims and law enforcement "application and business transaction records in the control of the business entity... evidencing any transaction alleged to be a result of identity theft." The legislative history clarifies that institutions are not required to provide records that are not "readily available" or "not easily retrieved." Therefore, banks should provide copies of the applications, but are not required to provide merchant credit card and debit…