FCRA, Reg V, and Reg FF

The Fair Credit Reporting Act, FCRA, at fifteen U-S-C sixteen eighty-one, and Regulation V at twelve C-F-R part ten twenty-two, govern how consumer reports, what people loosely call credit reports, may be obtained, used, and shared, and they impose accuracy and dispute obligations on those who furnish data. The Fair and Accurate Credit Transactions Act, the FACT Act, layered on identity-theft protections, including the Red Flags Rule and risk-based pricing notices. FCRA touches lending, employment screening, and account decisions, so its reach is broad.

The exam tests permissible purpose, the adverse-action and risk-based-pricing notices, furnisher duties, and the identity-theft pieces. Let's walk the core obligations a bank must meet.

The first rule of FCRA is permissible purpose. A bank may obtain a consumer report only when it has a permissible purpose listed in the statute, for example, in connection with a credit transaction the consumer initiated, for account review, for collection of an account, for employment purposes with the consumer's written consent, or for insurance underwriting. Pulling a report without a permissible purpose violates FCRA and can carry penalties.

On the exam, watch for a scenario where someone accesses a report out of curiosity or for a purpose not on the list, that's a violation regardless of intent. The principle is simple: no permissible purpose, no pull.

When a bank takes adverse action based even in part on a consumer report, FCRA requires a notice. It must identify the consumer reporting agency used, state that the agency didn't make the decision, and tell the consumer they can get a free copy of the report and dispute its accuracy; it generally must include the credit score used. This FCRA notice is frequently combined with the ECOA adverse-action notice from Reg B.

Separately, FCRA's risk-based pricing rule requires notifying consumers who get credit on less favorable terms than others, based on their report, often satisfied by giving a credit-score disclosure to all applicants. The exam tests when each notice is required and what it must contain.

Banks aren't just users of reports; they're furnishers, they send account data to the credit bureaus. As furnishers, they must provide accurate information and have policies to ensure accuracy. When a consumer disputes information through a credit bureau, the bureau forwards the dispute, and the furnisher must investigate, review the relevant information, and report back, correcting or deleting anything found inaccurate, generally within about thirty days.

In some cases consumers may dispute directly with the furnisher. The exam may test the furnisher's duty to investigate a dispute and the accuracy obligation. This furnisher role connects to UDAAP, inaccurate furnishing that harms a consumer can become an unfair practice, so treat data quality as a compliance priority.

The FACT Act added strong identity-theft tools. The Red Flags Rule requires covered institutions to develop a written identity-theft prevention program that identifies relevant red flags, like mismatched information or suspicious documents, and details how the bank will detect, respond to, and update its defenses. FACT Act provisions also let consumers place fraud alerts on their files, require truncation of card numbers on receipts, give consumers access to free annual reports, and govern address-discrepancy handling.

The outline references the identity-theft rules, sometimes associated with Reg FF. The exam may ask what a Red Flags program must include or what a fraud alert does. Connect these protections to the bank's broader fraud and B-S-A defenses.

One detail candidates often miss is the address-discrepancy rule: when a credit bureau sends a notice that the address a consumer gave substantially differs from the address on file, the user must have policies to form a reasonable belief that it knows the true identity of the consumer. Likewise, when a debit or credit card issuer receives a change-of-address request closely followed by a request for a replacement card, that pattern itself is a red flag warranting extra verification. These small rules exist because identity thieves exploit exactly those seams, and the exam likes testing whether you recognize them.

Recap of fair credit reporting. FCRA and Regulation V, at twelve C-F-R ten twenty-two, govern consumer reports. You need a permissible purpose to pull one.

Adverse action based on a report triggers a notice naming the bureau and offering a free report, and risk-based pricing has its own notice. As a furnisher, the bank must report accurately and investigate disputes. And the FACT Act's Red Flags Rule requires a written identity-theft prevention program.

Go test yourself, then we cover Fair Housing, debt collection, and servicemember protections.