Background and Summary of Regulation V

6-3210

BACKGROUND

The Fair Credit Reporting Act (FCRA) (15 USC 1681-1681u) sets standards for the collection, communication, and use of information related to a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. For many years, to avoid the obligations that the FCRA imposed on consumer reporting agencies (for example, the requirement to furnish consumer reports only for permissible purposes, maintain high standards for ensuring the accuracy of information in consumer reports, and resolve customer disputes), many institutions avoided giving affiliated companies any information that could constitute consumer reports.
In 1996, the Consumer Credit Reporting Reform Act amended the FCRA extensively, excluding from the definition of consumer report specific types of information sharing with affiliates and assuring institutions that engaging in these specific types of information sharing would not expose them to the obligations of consumer reporting agencies. In particular, the 1996 amendments excluded from the definition of consumer report the sharing of “other” information among affiliates, so long as the consumer had been given notice and an opportunity to opt out and had not opted out. The term other information refers to information that is covered by the FCRA and that is not a report containing information solely about transactions or experiences between the consumer and the person making the report.
The Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (Pub. L. 108-159, 117 Stat. 1952) amended the FCRA to help consumers combat identity theft, to increase the accuracy of consumer reports, and to give consumers greater control over the type and amount of marketing solicitations they receive.

6-3212

AFFILIATE MARKETING

Subpart C of Regulation V implements the affiliate marketing provisions in section 624 of the FCRA (added by section 214 of the FACT Act), which generally prohibit a person from using information received from an affiliate to make a marketing solicitation to a consumer unless the consumer is given notice and a reasonable opportunity and a reasonable and simple method to opt out of such solicitations. Institutions are permitted to share two types of consumer information with their affiliates without incurring the obligations of consumer reporting agencies:
  1. information about transactions or experiences between the consumer and the person making the communication
  2. “other” information (that is, information covered by the FCRA but not transaction or experience information), so long as the institution has notified the consumer that the other information may be communicated, the institution has given the consumer an opportunity to opt out (that is, to direct that the information not be communicated), and the consumer has not opted out
The regulation explains how to comply with the requirements concerning sharing of information with affiliates, addressing such matters as the content and delivery of the notice to consumers that “other” information may be communicated (the opt-out notice).

6-3213

MEDICAL INFORMATION

Subpart D of Regulation V, effective April 1, 2006, implements section 411 of the FACT Act, which generally limits creditors’ ability to obtain or use medical information in connection with determinations about credit eligibility, consumer reporting agencies’ ability to disclose medical information, and institutions’ ability to share medical information among affiliates.

Obtaining or Using Medical Information to Determine Credit Eligibility

The regulation creates exceptions to the general statutory prohibition against creditors’ obtaining or using medical information pertaining to a consumer in connection with any determination of the consumer’s eligibility, or continued eligibility, for credit. It sets out those purposes determined to be necessary and appropriate, permitting creditors to obtain and use medical information that is typically considered in credit underwriting. Creditors are not prohibited from obtaining or using medical information for purposes that are not connected with credit-eligibility determinations.

Sharing Medical Information with Affiliates

The sharing of medically related information with affiliates is restricted if that information meets the definition of consumer report in section 603(d)(1) of the FCRA. The standard exclusions from the definition contained in section 603(d)(2)—such as sharing transaction or experience information among affiliates or sharing other information among affiliates after notice and an opportunity to opt out—do not apply if medically related information is disclosed to an affiliate. Medically related information includes medical information as well as an individualized list or description based on payment transactions for medical products or services, and an aggregate list of identified consumers based on payment transactions for medical products or services.
Several exceptions allow institutions to share medically related information with affiliates in accordance with the standard exclusions that apply to the sharing of information that is not medically related. The federal agencies have the authority to create additional exceptions by regulation or order.

Redisclosure of Medical Information

Under section 604(g)(4) of the FCRA, any person that receives medical information from an affiliate pursuant to an exception in section 604(g)(3) or from a consumer reporting agency under section 604(g)(1) must not disclose that information to any other person, except as necessary to carry out the purpose for which the information was initially disclosed, or as otherwise permitted by statute, regulation, or order.

6-3218

ADDRESS DISCREPANCIES AND DISPOSAL OF RECORDS

Subpart I, which implements section 315 of the FACT Act, provides guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy. Subpart I also implements section 216 of the FACT Act, which requires each financial institution to develop and maintain, as part of its information security program, appropriate controls to ensure that it disposes of “consumer information” derived from a consumer report in accordance with the requirements laid out in the Interagency Guidelines Establishing Information Security Standards. The term consumer information means “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the [institution] for a business purpose.” The term also includes a compilation of such records. It does not, however, include “any record that does not identify an individual.”
A financial institution must implement measures to properly dispose of consumer information that identifies a consumer, such as the consumer’s name and the credit score derived from a consumer report. However, this requirement does not apply to aggregate information, such as the mean credit score that is derived from a group of consumer reports, or blind data, such as a series of credit scores that do not identify the subjects of the consumer reports from which those scores are derived. A financial institution that maintains information derived from a consumer report for a business purpose, including a consumer report originally obtained in connection with a “business transaction that is initiated by the consumer,” is subject to the proper-disposal requirement.

6-3219

IDENTITY THEFT RED FLAGS

Subpart J implements section 114 of the FACT Act, which requires that financial institutions and creditors have an identity theft prevention program to address accounts most prone to identity theft. Only those financial institutions and creditors that offer or maintain “covered accounts” must develop and implement a written program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which identity theft poses a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor. Financial institutions and creditors must periodically determine whether they offer or maintain a “covered account.”
An identity theft prevention program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. It must also be tailored to the entity’s size, its complexity, and the nature of its operations and must contain “reasonable policies and procedures” to—
  • identify relevant red flags for covered accounts and incorporate those red flags into the program,
  • detect those red flags,
  • respond appropriately to any red flags that are detected to prevent and mitigate identity theft, and
  • ensure that the program is updated periodically to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
A specific red flag addressed by subpart J is a notification of a change of address followed, within 30 days, by a request for an additional or replacement card. Credit and debit card issuers are required to have reasonable policies and procedures to assess the validity of such change-of-address requests.

6-3220

MODEL NOTICES

Appendix B provides model notices that a financial institution may use to comply with the requirement to provide a customer with a clear and conspicuous written notice if it (1) extends credit and regularly and in the ordinary course of business furnishes information to a nationwide consumer reporting agency and (2) furnishes negative information to such an agency regarding credit extended to a customer. The Board’s model notices may be used by all financial institutions, as defined by section 217 of the FACT Act.
Appendix C provides model forms that may, but are not required to, be used to facilitate compliance with the affiliate marketing notice requirements. The requirement for clear and conspicuous notices would be satisfied by the appropriate use of one of the model forms. Institutions may also design their own notices, using a number of methods to make them clear and conspicuous (for example, using bullet lists and clear and concise sentences, paragraphs, and sections and avoiding multiple negatives, legal and highly technical business terminology, and imprecise explanations that are readily subject to different interpretations). Institutions are not required to use any particular methods. The particular facts and circumstances will determine whether a disclosure is clear and conspicuous.