
Fixing the Credit Reporting System


TO: Interested Parties
FROM: Margot Saunders, National Consumer Law Center, 202-986-6060
Ed Mierzwinski, US Public Interest Research Group, 202-546-9707
Gail Hillebrand, Consumers Union, 415-431-6747
Travis Plunkett, Consumer Federation of America, 202-387-6121
RE: Consumer Group Analysis of House FCRA Legislation, H.R. 2622
This memo provides a section-by-section analysis of H.R. 2622, which was reported out of the House Financial Services Committee on July 25th. Although the bill takes some steps to prevent identity theft, improve accuracy and protect medical privacy, it fails to offer meaningful solutions to the most important problems that were identified in Senate and House hearings, especially given that the quid pro quo for these measures is permanent and perhaps expanded preemption of state laws. The bill also reduces existing consumer rights in several ways.
Summary of Provisions of H.R. 2622 on Priority Consumer Issues
All of the provisions mentioned here are explained in detail below, along with recommended changes.
1. Identity theft. The bill takes some useful steps to help consumers once they become ID theft victims but is vague, weak or redundant in preventing the practice before it occurs. For example, two preventative practices required by the bill – fraud alerts and blocking of fraudulent trade lines – are already in widespread use, and in the case of blocking, being done in a much shorter time period than the 30 days permitted by the bill. The section on blocking is also marred by the broad authority it gives to CRAs to deny the block and by sweeping exceptions for resellers and specialized CRAs. Of great concern is that the placement in Section 605 of identity theft provisions may expand the current preemption language of the FCRA and preempt numerous stronger existing and future state identity theft laws that are responding to this fast-growing and changing crime.
2. Accuracy and completeness of reports. Overall, the bill requires extremely weak measures, given the extent of the problems that have been documented in Committee hearings. Furnishers are not required to report complete information and CRAs are not required to maintain it. The duty of furnishers to report accurate information is slightly increased – a modest but positive step. However, this requirement is made unenforceable (by private action) through its placement in the statute. Consumers are allowed to request one free credit report per year, but only from national bureaus. They cannot receive their credit score at no charge, however. For that they must pay a “reasonable fee”, which will inhibit access to this important information by low and moderate-income consumers. Moreover, consumers who request their free report may not know that key information is being withheld if the credit score is missing. The bill does require the FTC to study credit report accuracy and completeness of information on an ongoing basis – a positive step. However, the provision contains no requirements to ensure that the research is adequate or that the FTC can easily get access to the necessary data from the CRAs, despite the fact that a GAO study on credit reporting accuracy found that lack of data significantly hindered reaching reliable findings.
3. Affiliate sharing and privacy. One of the major failures of the bill is that it does not address the growing gap in FCRA protection posed by increasing use of affiliate-shared information for credit granting outside of the protections of the FCRA. Moreover, if the temporary preemption of state restrictions on affiliate sharing is extended, financial institutions will attempt to defeat or overturn state laws regulating affiliate sharing that are explicitly allowed under Gramm-Leach-Bliley, such as legislation passed this week by the California Legislature. H.R. 2622 does prevent affiliate sharing of medical information – a very positive step – although the requirement needs to be tightened up to cover the sharing of all medical information. Another positive step worth preserving is the bill’s requirement that name and address information about medical furnishers be encoded to prevent disclosure of information that might reveal a consumer’s health condition.
4. Pre-screening and privacy. Under current law, a telephone opt-out of pre-approved credit card solicitations is only good for two years. A consumer must go through the additional burden of receiving, signing, stamping and returning a “signed notice of election” to obtain a permanent opt-out. Instead of simplifying the overly complex opt-out system, Section 507 merely requires the Federal Reserve Board to conduct a study of pre-screening practices. Worse, virtually all of the Congressional “questions” describing the study presuppose industry benefits, rather than consumer costs.
5. Dispute resolution. One of the most important recommendations heard by the Committee to improve the dispute resolution process — the FTC’s proposal requiring that offers of credit at less-than-favorable terms be considered an adverse action under the statute — is not in the bill. The bill does require “reasonable” reinvestigations, but this standard is presently required by four circuit courts and already has the force of law. In addition, this provision (Section 303) may be construed to mean that furnisher reinvestigations do not have to be reasonable. The bill’s provision allowing consumers to initiate a reinvestigation by contacting a furnisher is an important step, but the requirement is likely to be unenforceable through private action because of its placement in the FCRA.
6. Private enforcement. Nothing in the bill improves the extremely limited rights that consumers presently have to enforce the law. At the very least, the bill should allow consumers to seek injunctive relief (see Medicare Modernization Act proposal at the end of memo.)
7. State preemption. Preemption is permanent in each of the prior categories. The bill also appears to expand preemption to cover identity theft laws (section 204) and possibly other existing laws, such as those related to check truncation (section 203). In the areas of affiliate sharing and identity theft, where Congress has not provided anything close to a comprehensive scheme, the case for preemption is particularly weak. A CRS memo to Rep. Barbara Lee (attached) confirms our concern that the so-called 7 existing preemptions are expanded by H.R. 2622 and would significantly impair existing state identity theft protections.
Reductions in Current Rights
— Employee credit reporting rights in the workplace are drastically reduced;
— Rights to free credit reports for the unemployed and the very poor, and when adverse action occurs, are cut back; and
— CRAs will no longer be required to provide the phone numbers of furnishers of information, unless those phone numbers are provided to them.
Additional Issues Not Addressed by H.R. 2622
These issues include, but are not limited to, the following:
— Use of credit scores for insurance purposes. Renewal of insurance or price should not be based on unrelated credit transactions.
— The sale or assigning of debt to a debt collector where the consumer is a victim of identity theft with respect to that debt. This practice should be banned or regulated so consumers are not victimized twice.
— Notification of consumers anytime computerized data is improperly accessed through a breach of security. At a minimum, consumers should be notified if their personal, credit or other financial information has been improperly obtained via a security breach.
— No protections for consumers against increases in interest rates in credit cards because of credit scores, and similar problems.
— No right to freeze access to the credit file, an important right that two states have already chosen to give to their victims of identity theft to stop additional harm from an ongoing string of crimes.
— Too many other important issues, such as the impact of credit scores on the affordability of financial services and the possible disparate impact of scoring, are relegated to studies rather than action.
Sec. 101. Uniform national consumer protection standards made permanent.

This section permanently extends all existing preemptions of state law and may expand these preempted areas. The attached memo by Consumers Union’s Gail Hillebrand describes a list of already-enacted California identity theft laws that will or may be preempted because the structure of H.R. 2622 incorporates most amendments into the already-preempted sections of the FCRA (e.g., see Section 201 (b)(3) (page 10, line 10) of Medicare Modernization Act print). Some specific references are also made below. In addition, as the Consumers Union memo notes, California and Texas have enacted additional provisions known as the “security freeze right” – allowing consumers to block access to their entire credit report – which are not addressed in any way by federal law. Would these be preempted?
Instead of permanent preemption, this preemption should be limited in time to four to six years at most to force Congress to revisit these issues on a regular basis. In addition, as detailed in Ed Mierzwinski’s coalition testimony before the committee on July 31st, the affiliate sharing provision should be clarified and narrowed, with a specific statement that nothing in the Act prevents states from restricting financial institutions from sharing information with their affiliates or companies under common control. This is especially important because it is expected that California Governor Gray Davis will sign compromise financial privacy legislation authored by State Senator Jackie Speier providing consumers with an opt-out for most affiliate shared transactions, as well as an opt-in for most third-party transactions.
Sec. 201. Investigating changes of address and inactive accounts.

This section requires Federal banking agencies and the National Credit Union Administration to promulgate regulations to require credit and debit card issuers to use proper procedures when issuing replacement cards, in order to avoid “red flag” patterns of identity theft. This section, along with Section 206, has apparently been written to parallel certain new account provisions of the Patriot Act. Consumer groups haven’t analyzed the relationship of these provisions to the Patriot Act new account guidelines in detail yet.
Section 201, as well as several other sections, provides the banking agencies with the authority to pass regulations relating to the various aspects of the law, but does not provide the FTC with similar rulemaking authority.
The FTC should have rulemaking authority. We propose the following language:
Regulatory Authority
(New Section – § 1681a-1)
(1) Rulemaking
(a) The Commission shall prescribe regulations as may be necessary or proper to effectuate the purposes of this subchapter, to prevent circumvention or evasion thereof, or to facilitate compliance therewith.
(b) Such regulations shall be prescribed in accordance with applicable requirements of title 5 and shall be issued in final form not later than 6 months after January 1, 2004.

Paragraph (b)(3) (Page 10, line 10): This language appears to add a permanent new preemption to prohibit states from enacting laws protecting against identity theft.
Sec. 202. Fraud alerts.
The primary purpose of this provision is to require fraud alerts (which are already general industry practice) to be placed on consumer credit reports. The failure to comply would constitute a violation of the FCRA. The provision provides for additional free reports for fraud victims and additional requirements to protect active duty military personnel.
This section is an exemplar of a number of the provisions of H.R. 2622 designed to establish different regulations for different CRAs, which would make the act confusing and difficult to enforce. The provision includes troubling exceptions for reseller and specialized credit bureaus. Several other provisions of the proposed bill (such as the free report section) refer to 603(p), which in addition to describing CRAs that are national in scope, also uses a narrower definition of consumer report than the general definition (See FCRA 603(d)(1)). The references to 603(p) may exclude check clearing and insurance credit bureaus, as well as all non-national credit bureaus.
Subparagraph (i)(2)(C) (Page 13, line 6): This section provides identity theft victims with two free credit reports per year. It is unclear under this provision whether this is in addition to the reports required to be provided to all consumers under Section 609.
It should be clarified that these reports would be provided in addition to those that otherwise are provided pursuant to the rewritten Section 612, which allows one free report each year, albeit from national repositories only.
Paragraph (i)(3) (Page 13, line 10): This language provides for an “active duty” alert to be placed on the credit file of a person on active duty in the military. While we understand the intent of this amendment is to protect military personnel, it is important to consider the possible effect of this provision on the additional rights provided to active duty military personnel by the Soldiers and Sailors Relief Act. Congress is currently rewriting this 1940 law (See H.R. 100). Congress should carefully review whether this proposed amendment will work without unintended consequences. Any final FCRA amendment should make clear that any active duty alert is intended only to prevent further identity theft and could not be used as a negative factor in credit scoring or credit granting or for any other purpose by a report user.
The protections provided by this new section could be undermined by a lack of enforceability. For example, in paragraph (5) (page 14, line 21), users are prohibited from establishing new credit for consumers who have placed a fraud alert on their file, without following the procedures in subparagraph 9. Yet the procedures in paragraph 9 (page 16, line 7) only require a user who is providing a new account to a consumer after a fraud alert to use “reasonable policies and procedures to form a reasonable belief that the user knows the identity of the person for whom the new plan is established . . . by such other reasonable means agreed to.”
This language is too vague to adequately protect consumers. It could allow creditors to extract consumer consent for any subsequent offer of credit, even if a fraud alert is placed on the account, through a statement in the small print of a contract, including, for example, the voluminous contract — virtually a contract of adhesion — that consumers agree to when they obtain their cards. More importantly, this language could be construed as a safe harbor for creditors – so long as they comply with these very weak standards they might be protected from claims from consumers regarding their extensions of credit to a thief. This provision could undermine any protections provided to consumers by the preceding paragraphs of the whole section.
Sec. 203. Truncation of credit card and debit card account numbers.
This provision requires existing credit and debit card issuers to truncate account numbers within three years of enactment.
By including such a long implementation period, this section will have the effect of delaying the implementation of recently enacted state truncation laws. For example, California law requires compliance by January 1, 2004. We are checking, but we believe that the existing state laws may also have narrower exceptions than H.R. 2622, for example, regarding its exception for manual receipt machines. It appears that the clear intent of this provision is to trump those stronger state laws. (See Consumers Union memo.)
Sec. 204. Summary of rights of identity theft victims.
This provision requires CRAs to provide additional disclosures of rights for identity theft.
Although these disclosures are marginally helpful, the section appears to preempt additional state actions and disclosures.
Sec. 205. Blocking of information resulting from identity theft.
The intent of this provision is to give consumers the right to block fraudulent trade lines on their credit reports. It includes a sweeping rebuttal presumption right for the CRA to deny the block, and broad exceptions for resellers and specialized credit bureaus.
This provision also appears to preempt other blocking laws, especially those that are stronger. For example, California code requires that a CRA promptly block upon receipt of a police report, while H.R. 2622 allows the CRA 30 days.
Subparagraph (j)(1)(B) (Page 21, line 13). This section establishes the rules for blocking of information resulting from identity theft.
Ideally, this section should also require police departments to accept police reports of identity theft. Although this provision’s requirement that blocking is conditioned on obtaining a police report tracks existing state law provisions, we note that several states have also gone substantially further than federal law to make it easier to obtain a police report, which H.R. 2622 does not do. Congress should make it easier to obtain police reports. It should also be made very clear that this provision allows states to enact stronger provisions.
Subparagraph (j)(1)(D) (Page 21, line 17). In order to place a block, the consumer is required to confirm “that the information is not information relating to any transaction by the consumer.”
This standard may be unreasonably high. How does a consumer prove a negative?
The provision should be deleted or rewritten so that the CRA is required to accept the word of the consumer, without imposing any additional standards of proof. The CRA already has sweeping, overly broad authority to rescind a block for consumer misrepresentation (Section 205, page 22, beginning line 5).
Subparagraph (j)(3)(A)(ii) (Page 22, line 14). In this section, a CRA is permitted to refuse to block information flowing from an identity theft “on the basis of a misrepresentation of fact by the consumer relevant to the request to block.”
This exception is too broad. CRAs could refuse to place a block because a consumer misstated a date or an amount, or some other minor mistake of fact that has nothing to do with the facts surrounding the identity theft.
The section should at least require that the misrepresentation of fact be material to the determination of whether there was a theft of identity.
Subparagraph (j)(3)(A)(iii) (Page 22, line 19). Another reason the CRA could refuse the block is because the consumer “should have known that the consumer obtained possession of goods,….”
This is far too broad.
The “should have known” standard should be deleted.
Subparagraph (j)(3)(C) (Page 23, line 9). This provision appears to be intended to protect consumers who make honest mistakes from retribution by CRAs but could have unintended consequences. Its intent should be carefully reviewed and clarified or it should be deleted.
Subparagraph (j)(4)(A) (Page 23, line 19). Check verification companies are excluded from blocking requirements.
This exclusion – along with all other exclusions and safe harbors for various resellers and specialized credit bureaus throughout the bill — is completely unwarranted. If a consumer has checks stolen and bounces checks as a result — but then clears up the mess — the consumer’s ability to write checks and have them approved by check verification companies should also be protected. Consumers who have had their checks stolen are just as much victims of identity theft as anyone else.
The exception for check verification companies, other specialized credit bureaus and resellers from the blocking requirements should be deleted.
Subparagraph (j)(4)(A)(ii) (Page 24, line 1). Deposit account information service companies are excluded from blocking requirements.
Just as consumers are being shut out from the conventional credit market due to identity theft, they are being excluded from mainstream bank accounts due to overdraft on their bank accounts made by someone who has stolen their method of access to that account (check, ATM card, passbook). These consumers should be able to establish a clean slate to obtain deposit accounts after a theft, just as other victims of identity theft can.
The exception for deposit account information companies from the blocking requirement should be deleted.
Subparagraph (j)(4)(B)(III) (Page 24, line 23). Resellers here are also exempted from the blocking requirements.
All the information we have obtained from the National Credit Reporting Association (NCRA), which represents small non-automated resellers, suggests that NCRA supports our view that resellers should be subject to the same rules as other CRAs. In addition, in this subparagraph resellers are required to tell consumers that they can report the identity theft to the FTC. The language allows them to inform the consumer “by any means.” Such an important notification should be required through the most dependable means: in writing.
Resellers should be required to inform the consumer of the right to report the theft to the Commission in writing.
Subparagraph (j)(4)(B)(III)(ii) (Page 25, line 3). Here, resellers that maintain files on consumers are allowed to meet special, weaker requirements for blocking identity theft data.
There is no good reason that these CRAs (resellers) should be treated any differently than other CRAs.
The special rules for resellers with files in this subparagraph should be deleted.
Sec. 206. Establishment of procedures for depository institutions to identify possible instances of identity theft.

Paragraph (k) (Page 26, line 18). Here the banking regulatory agencies are writing “red flag” guidelines in consultation with the Federal Trade Commission. See comment above on Section 201 regarding the Patriot Act.
It should be explicit that the FTC writes guidelines for all users who are not depository institutions.
Sec. 207. Study on the use of technology to combat identity theft.
Paragraph (b) (Page 28, line 14). This mandates a study of the use of biometrics to reduce identity theft. The Secretary of the Treasury is explicitly required to consult a wide range of government agencies and industry representatives, but not consumers.
Consumer and privacy advocates should be explicitly listed as necessary to consult with in the study.
Sec. 301. Coordination of consumer complaint investigations.
This provision requires development of a coordinated identity theft reinvestigation system by the three national repositories. The 1996 amendments required coordination of credit report error reinvestigations through establishment of an automated joint reinvestigation system (FCRA 611 (5)(D)).
As detailed testimony presented in the Senate and House has shown, this 1996 reinvestigation system hasn’t worked. If Congress is going to impose new requirements for coordination between the CRAs, Congress should ensure that adequate oversight and enforcement authority is provided for this new duty.
Sec. 302. Notice of dispute through reseller.
This provision would require resellers to conduct reinvestigations through repositories and mandate that repositories conduct reinvestigations once notified by a reseller.
The FTC has expressed in testimony that when a reseller attempts to conduct a reinvestigation by contacting a furnisher on behalf of a consumer, “the reseller may meet resistance in getting the creditor who originally furnished the information to investigate the dispute, because the creditor has no relationship with the reseller. Yet, if the reseller sends the dispute to the relevant repository, that repository currently has no legal obligation to reinvestigate, because the dispute did not come directly from the consumer. The Commission supports an amendment that would require resellers to submit disputes to the originating repository and the source furnisher to investigate these disputes.”
We also understand that the commission may have a belief that resellers could somehow provide some consumers with an opportunity to “game” the reinvestigation system by assisting them in removing information more quickly than other consumers could get negative information removed. In our view, this is not gaming the system, if resellers do so legally. Rather than making it more difficult for consumers in need to turn to resellers for assistance, the goal of this legislation should be to improve the flawed reinvestigation system so that consumers who don’t receive the assistance of resellers are able to remove information as quickly as those who do. We also understand that the original version of this section was sought aggressively by the Credit Data Industry Association (CDIA), which represents the repositories and the large automated resellers. These large automated resellers, and the repositories, generally are at odds with the smaller resellers of the NCRA, which assist consumers in manual reinvestigations. The repositories and automated resellers generally look at consumer disputes and the associated phone calls and reinvestigations as burdensome and expensive, even though they are required by the FCRA.
The small resellers obtained a savings clause, the Carson amendment, in subparagraph (b)(3) (page 32, line 21). It makes clear that nothing in the provision prohibits a reseller from attempting to conduct reinvestigations. It was supported by consumer groups because we believe that the small manual resellers improve the accuracy of the credit reporting system.
Although this section establishes separate requirements for resellers to investigate disputes, which might be acceptable, it is unclear how this reinvestigation process dovetails with the rules for CRAs and furnishers. In general, the consumer groups believe that the CDIA’s plan to complicate the law by creating different duties for resellers and different exceptions for resellers and specialized bureaus should be rejected. Resellers should have the same duties as other CRAs, as currently required, which is reflected in the FTC consent decree with the large reseller First American Credco.
Section 303. Reasonable reinvestigation required.
This section inserts a “reasonable” reinvestigation standard for CRAs.
This standard is already imposed by four federal Circuit Courts of Appeal, so it adds nothing new to the law. Indeed, adding this requirement for CRAs, without also requiring reasonable reinvestigations for furnishers, may hurt consumers when the courts interpret the reinvestigation duties of furnishers, because of contrasting statutory standards for both (CRAs would be required to conduct reasonable reinvestigations, and furnishers would have no standards for their reinvestigations).
Also there is no mention of any requirement for completeness of information, which is very serious. Completeness is a standard referenced elsewhere in the FCRA (see, e.g. Sec. 611(a)) because information that is not complete is misleading. (See comments under Section 304.)
The CRAs should be required to conduct “reasonable reinvestigations to determine whether the disputed information is inaccurate or incomplete.”
Section 304. Duties of furnishers of information.
This section increases the standard of accuracy required of furnishers by changing the requirement from “knows or consciously avoids knowing” to “knows or has reasonable cause to believe,” which is the standard in Massachusetts law that was “grandfathered” into the 1996 amendments. (See FCRA 624 (b)(F)(i): “with respect to section 54A(a) of chapter 93 of the Massachusetts Annotated Laws (as in effect on the date of enactment of the Consumer Credit Reporting Reform Act of 1996)”).
While this standard is an improvement over the very weak requirement in current law, it still makes the analysis of whether the furnisher has complied with the standard dependent upon the furnisher’s frame of mind, and how does a corporation have a frame of mind? Much better criteria would be objective and could be evaluated equally by the furnisher or the regulator. In addition, the standard in Massachusetts law addresses both the “accuracy and completeness” of the information, but H.R. 2622 eliminates all references to completeness.
The fairer standard for furnishers’ accuracy is “knows or should know.” The standard should also require completeness, which would be defined in the definitions section of the bill as follows:
For purposes of this section, information provided by a person to a consumer reporting agency shall be considered complete if it includes all relevant details applicable only to the consumer, including but not limited to credit limit, current balance, date of last activity, and all data fields specified by the METRO 2 format, or other standard approved by the Federal Trade Commission, which are relevant to an evaluation of that information for purposes permitted under this act or that are used in the development of scoring systems that meet criteria under the Equal Credit Opportunity Act.

Subparagraph (1)(B) (Page 33, line 22). This subparagraph on reasonable procedures would insert the above furnisher requirement in the statute in subsection (a) of Sec. 623.
This presents very serious problems for private enforcement of the requirement by consumers. Some courts have held that there is no private enforcement of the requirements of subsection (a), and thus there is no standard for furnisher accuracy at all that can be enforced.
To make any accuracy requirement on furnishers meaningful, this new subparagraph (2) (B) should be elsewhere in Section 623 of the statute, such as in a new subsection (e), for example.
Subparagraph (2)(C) (Page 34, line 9). This establishes a definition for the furnisher’s standard for accuracy based on what the consumer must show to force the furnisher to act.
Here a furnisher is only required to act on inaccurate information if the knowledge is based on information other than “allegations” solely supplied by the consumer. So how is a consumer supposed to get a furnisher to act, if the furnisher is protected from acting when all of the information is supplied by the consumer? The standard appears to be the opposite of a current requirement on CRAs. Current Section 611 (a)(1)(B) requires CRAs to conduct a longer, more extensive reinvestigation when they obtain “relevant” information from the consumer.
Moreover, establishing a standard for furnisher “substantial doubt”, as this section does, is too high when applied to information that the furnisher should be able to verify with relative ease. The burden should be on the furnisher because the furnisher has the records.
A furnisher should be required to provide information to CRAs that is accurate and complete. At the most, a safe harbor for furnishers should be allowed only when the furnisher can demonstrate it could not have known the information is inaccurate or incomplete and the furnisher cannot verify the accuracy or the completeness of the information.
Subparagraph (3) (Page 34, line 20). This section grants consumers the right to dispute the accuracy of information directly with furnishers.
This establishes a good standard for furnishers to reinvestigate inaccurate information when requested to do so by the consumer. Requiring furnishers to reinvestigate their own information and ensure that it is accurate, after being notified by consumers that their information is incorrect, is essential to making the FCRA work the way it was intended to.
However, again, this requirement is not in the proper place in the statute. Worse, by imposing certain reinvestigation duties in Section 623(a), the private right of action granted by the current reinvestigation duties section, 623(b), would be undercut. In 1996, as part of the major set of compromises that were made, furnisher duties to ensure accuracy under 623(a) were subjected only to agency enforcement, but if a furnisher failed to comply with a reinvestigation, a consumer had a private right of action under Section 623(b). Even though it was clearly Congressional intent to grant this private right of action, this right was mired in a series of incorrect court decisions until the 9th Circuit cleared up the mess.(1) The enactment of HR 2622, with some dispute duties in Section 623(a), could only confuse matters again and reduce consumer rights. This duty should be placed in Section 623(b), which already deals with the obligations of furnishers upon notice of a dispute. It should be noted that the FTC specifically recommended that the consumer’s right to request a furnisher to reinvestigate disputed data must be in subsection (b), in order to create an affirmative duty on the furnisher.
Additionally, there also appears to be no requirement that the furnishers report the disputes to the appropriate CRAs. And the current language of the amendment does not cover incomplete information. To ensure accuracy, complete information must be required. There are many situations where furnishers supply technically accurate, but misleading and incomplete information, which causes considerable damage to consumers.
Also, there should be minimal substantive requirements for the investigation; at the least the investigation should be “reasonable”. This would mirror the requirement for reinvestigations by CRAs to be conducted in a “reasonable” manner, long required by the courts, and now to be codified in section 611(a)(1)(A).
Finally, once furnishers provide correct and complete information to the CRAs, they should be required to delete the inaccurate or incomplete information from their own files, so that the mistake will not be repeated.
We recommend that this new subparagraph be made a subparagraph (3) in Section 623(b):
“(A) IN GENERAL. A consumer may dispute directly with a person the accuracy or completeness of information that:
(i) is contained in a consumer report on the consumer prepared by a consumer reporting agency described in section 603(p); and
(ii) was provided by the person to that consumer reporting agency in accordance with paragraph (1)(B).
(B) SUBMITTING A NOTICE OF DISPUTE. A consumer who seeks to dispute the accuracy or completeness of information directly with a person under subparagraph (A) shall provide a dispute notice to the address specified by the person for such notices that:
(i) identifies the specific information that is being disputed; and
(ii) explains the basis for the dispute.
(C) DUTY OF PERSON AFTER RECEIVING NOTICE OF DISPUTE. After receiving a notice of dispute from a consumer pursuant to subparagraph (B), the person that provided the information in dispute to a consumer reporting agency referred to in subparagraph (A) shall:
(i) conduct a reasonable investigation with respect to the disputed information;
(ii) review all relevant information provided by the consumer in or with the notice;
(iii) complete such person’s investigation of the dispute and report the results of the investigation to the consumer before the expiration of the period under section 611(a)(1) within which a consumer reporting agency would be required to complete its action if the consumer had elected to dispute the information under that section; and
(iv) if the investigation finds that the information reported was inaccurate or incomplete, promptly thereafter report correct information to each consumer reporting agency described in section 603(p) to which the person furnished the inaccurate or incomplete information and correct its own files.”

Sec. 305. Prompt investigation of disputed consumer information.
This section requires the Federal Reserve Board and the FTC to conduct a joint study regarding: (1) how and whether CRAs and data furnishers are complying with current procedures and time requirements for the investigation of the accuracy and completeness of credit reporting information, and (2) whether furnishers and CRAs are complying with current requirements regarding the correction or deletion of information that is incomplete or inaccurate.
There are several problems with this approach. First, requiring the study appears to be an effort to put off further legislative action on the well-documented problems presented in testimony in both Houses regarding the time-consuming and inadequate reinvestigation process, and the difficulties that many consumers face in removing data that is inaccurate or incomplete.
Secondly, the study would only examine the extent to which CRAs and furnishers are complying with the requirements of current law. This is important but not sufficient, because there are obvious inadequacies in present law.
The study should also examine the extent to which current statutory requirements are effective in achieving adequate reinvestigations and the correction or deletion of information that is incomplete or inaccurate. It should require the Federal Reserve Board and the FTC to make recommendations for legislative and regulatory action to improve the status quo, as they deem necessary.
Section 401. Reconciling Addresses.
This section requires the banking agencies to issue regulations requiring CRAs to notify consumers if the address the consumer provides upon requesting a credit report is substantially different from the address in the consumer’s file.
This section would wrongly preempt stronger state address change requirements. In addition, the qualifier “substantially differs” would allow the CRAs to continue to use database matching software that contributes to errors in credit reports by accepting partial address, Social Security Number or name matches.
Section 402. Prevention of repollution of consumer reports.
This section forbids data furnishers from submitting credit information to a CRA if the furnisher has been notified by a consumer that the information is the result of identity theft.
Although the provision at first glance appears to address a furnisher accuracy requirement that should be placed in 623(a), the section establishes a furnisher duty, after notification by a consumer, so again this provision should more appropriately be placed in 623(b).
Section 403: Notice By Users With Respect To Fraudulent Information
Under this section, debt collectors who report information to CRAs are required to provide CRAs with updated information when the consumer indicates that there may have been identity theft involved.
Debt collectors should also be required to update their own records, and keep them accurate. Also, some of the wording must be clarified to make sure that the consumer can see the information in his/her report, which was caused by identity theft. In the past, consumers have been refused access to information in their own reports because they say they are not the consumer to whom the information relates.
We recommend that this section be changed as follows:
Section 615 of the Fair Credit Reporting Act (15 U.S.C. 1681m) is amended by adding at the end the following new subsection:
“(e) NOTICE OF FRAUDULENT INFORMATION RELATING TO IDENTITY THEFT. If an agent acting as a debt collector (as defined in title VIII) of a person who furnishes information to any consumer reporting agency uses information contained in a consumer report on any consumer and learns that any such information so used is the result of identity theft or otherwise is fraudulent, the agent shall:
(1) if such information:
(A) originated from either the debt collector or the person for whom the debt collector is acting as agent, correct its own records and/or notify the person of the fraudulent information, as is appropriate; or
(B) originated from a person other than the debt collector or the person for whom the debt collector is acting as agent, notify the consumer reporting agency that provided the consumer report of the fraudulent information, either directly or through the person for whom the debt collector is acting as agent; and
(2) upon the request of the consumer, provide the consumer with all information which the consumer would be entitled to receive relating to the consumer, including the information which was the result of identity theft.”

In addition, as we point out in the introduction to this memo, a more important provision, prohibiting the sale of a debt related to an identity theft, is ignored by the bill: The sale or assigning of debt to a debt collector where the consumer is a victim of identity theft with respect to that debt. This practice should be banned or regulated so consumers are not victimized twice.
Section 404. Disclosure to consumers of contact information for users and furnishers of information in consumer reports.
Current law requires that the CRA provide the telephone number of the furnisher upon request of the consumer. This provision would delete the requirement in Section 609(a)(B)(ii) of FCRA and insert a requirement in 609(a)(2) that a CRA provide the phone number only if it is supplied to the CRA.
The current requirement should not be weakened. If a consumer is disputing information with a CRA, time is often of the essence. CRAs and furnishers should be working together to resolve any disputes quickly, and that includes providing consumers with phone numbers. If CRAs contend that furnishers are not providing telephone contact information to CRAs, furnishers should be required to.
This section should be deleted. If necessary, CRAs should seek a requirement that furnishers be required to provide CRAs with phone numbers that will allow consumers to reach knowledgeable real people who can address consumers’ issues about disputed information.
Section 405. FTC study of the accuracy of consumer reports.
This section requires the FTC to submit to Congress ongoing, biennial reports on the accuracy and completeness of information contained in credit reports for eight years, followed by a final report.
It is a very good idea to have the FTC study the accuracy and completeness of credit reports on an ongoing basis, but only if the FTC is provided with some general requirements to ensure that the research they conduct is adequate. For example, the FTC will not get a representative or thorough view of report accuracy and completeness if it only relies on information from complaints submitted by consumers to the agency. The FTC should be required to examine credit report data directly. If necessary, CRAs should be required to provide the FTC with any data that is requested, as long as consumer privacy is protected. Moreover, measuring the overall accuracy and completeness of all credit reporting data is not meaningful. Some information is much more important than other types of information in the credit granting process. The FTC should be required to measure the impact of inaccurate and incomplete information on the ability of consumers to receive credit, and at the most favorable terms for which they qualify. As credit scores are increasingly used to determine the availability and terms of credit that is granted, this means that the FTC should specifically examine score accuracy. This section should also require the FTC to make legislative recommendations, if they deem it necessary. The Consumer Federation of America will be providing more detailed suggestions on how the accuracy and completeness of credit reporting information can be adequately examined.
Section 501. Free reports annually.
This section establishes a consumer’s right to request one free credit report a year from “nationwide” CRAs.
Expanding the availability of free credit reports is good, so long as it is in addition to the requirements for a free report upon adverse action, to unemployed persons, and to persons on public assistance. However, the language appears to have several problems:
First, it deletes the current general requirement that indigent or unemployed persons or persons who suspect they are victims of fraud can obtain free credit reports from any credit bureau.
Second, it says that only national repositories must provide free reports annually. Other credit bureaus would apparently be the only ones still required to provide free reports to the indigent, the unemployed or victims of fraud, but not to any consumer on request.
Consumers are adversely affected by inaccurate and incomplete information from large and small credit reporting agencies. Consumers should not be limited to free reports from only the three national reporting agencies.
We recommend that this section be amended to clarify that the annual right to a free credit report is in addition to the free reports provided under current law. The requirement should be applied to all credit reporting agencies.
Section 502. Disclosure of credit scores.
This section adopts California’s credit scoring disclosure law nationally. It requires credit bureaus to provide consumers with a generic credit score generated on the fly (but not to retain and provide the score provided to users for their credit decisions). It also requires certain mortgage lenders to provide scores. And finally, it requires a detailed explanation of the scoring system and the key factors resulting in a consumer’s score. As part of this disclosure, consumers must be informed if the number of credit enquiries they make is used as a negative factor in determining the credit score. Although the Department of the Treasury and the bill’s principal author both stated their original intent to provide scores for free with reports, the section allows bureaus to charge for scores, undercutting the already-undercut free credit report provision.
CRAs should be required to provide free scores upon request annually. In addition, there should be a flat prohibition against enquiries having a bad effect on credit scores, instead of just a disclosure to consumers if enquiries adversely affect their score. HUD may be helpful in establishing the basis for this prohibition as the whole idea of the GMPA – the packaged mortgage option – is worthless if a consumer cannot shop for the mortgage by having a mortgage originator actually evaluate the consumer’s credit. Consumers should not be penalized for seeking out credit on the best available terms.
Subparagraph (f)(1)(E)(iii) (Page 54, line 13). This subsection specifically does not require a user to provide a credit score after a loan is closed, yet users are not prohibited from obtaining and looking at credit scores to make credit decisions based on the scores, even after the loan is closed (such as to change the interest rates, to change the credit limit, or even to call the loan in default).
Users are also permitted to look at credit scores throughout a lending relationship. Yet under this subparagraph iv (Page 54, line 16), consumers would not have the right to obtain more than one score per transaction. Again, if users are looking at multiple credit scores, consumers should be able to access them as well.
Subparagraphs iii and iv should be deleted. If users are permitted to look at the scores after loan consummation, and multiple times during the loan process, consumers should also be given the same right.
Subparagraph (f)(1)(F)(ii) (Page 55, line 3). This appears to limit liability for the contents of information passed along to the consumer by the user. The problem is that this limitation of liability could be construed to limit existing liability of a CRA to consumers.
Subparagraph (F)(ii) should be deleted or rewritten to read “No person has liability under this section for the content of that information or for the omission of any information within the report of the credit score provided by the consumer reporting agency.”
Subparagraph (f)(1)(G)(2)(B) (Page 55, line 21). Similarly, any existing liability that lenders otherwise have under the FCRA should not be reduced by this section, as it would appear to do.
Subparagraph (B) should be deleted or rewritten to clarify that this limitation on liability only affects credit scores, and not the underlying information provided to the CRAs that was used to determine the credit scores.
In addition, the provision should be amended to make it clear that lenders can share scores with consumers who are shopping for credit. Current credit scoring company and CRA practice, even under the California statute, is to only allow lenders to share scores at the end of the lending process.
Section 503. Simpler and easier method for consumers to use notification system.
In 1996, Congress codified certain FFIEC rules that had broadened the FTC’s previous interpretation that CRAs could sell creditors lists of “pre-screened” consumers who met certain criteria (either positive or negative). Those lists could be generated from credit reports. (Congress also added “insurance purposes” to the FTC’s ruling that reports could be pre-screened for credit purposes.) Pre-screened lists are the source of the five billion “pre-approved” credit card solicitations mailed each year. In effect, the codification placed in statute a new “permissible purpose,” the right to peruse credit reports before a consumer had even applied for credit. In addition, the Congress even defined a new term “firm offer of credit,” which meant the opposite: a firm offer of credit was an offer that could be cancelled after a “post-screen,” or second look at the credit report.
In return, Congress granted consumers a new right: the right to opt-out of pre-screened offers. It also required the national CRAs to give consumers a “one-stop” opt-out, or joint notification system, so that one opt-out would apply to all CRAs. The provision requires that the right to opt-out be prominently disclosed on all pre-approved solicitations.
The opt-out right has instead been intentionally obfuscated by the CRAs and creditors. Many disclosures use the dense statutory term “your right not to receive offers not initiated by you” to explain your right. For more details, see Ed Mierzwinski’s House testimony of June 4th, where a copy of a notice is included.
This section ignores the major problem with the opt-out right: it is only good for two years if you opt-out by telephone. It also ignores the current un-enforced provision that disclosures be prominent. It revises the prominence requirement with new requirements that the opt-out right be made more clearly and in a “simple and easy to understand format.”
The provision is meaningless. Current law has not been enforced.
Section 504. Requirement to disclose communications to a consumer reporting agency.
This section requires that financial institutions inform a consumer that negative credit information has been inserted on the consumer’s credit report within thirty days of providing this information to a CRA. However, if additional negative information is submitted to a CRA regarding the same transaction, account or consumer, the financial institution – or any affiliate – is not required to notify the consumer.
The exception to this requirement is far too broad. For example, it would allow a bank that has notified a consumer regarding a delinquent credit card account, to not alert the same consumer if negative information is submitted regarding a mortgage loan with that bank or any of the bank’s affiliates, even if the problem with the mortgage loan occurs years later. This undermines the goal of this provision: to spur a consumer to check information that is being submitted regarding a particular account.
A more effective way of notifying consumers that negative information has been placed on their credit report would be to track Colorado’s law, which requires that credit bureaus provide an annual notice of rights to consumers. The notice is sent to all consumers who have received one negative item or eight enquiries generally on their reports.
Section 505. Study of effects of credit scores and credit-based insurance scores on availability and affordability of financial products.
This section requires the FTC and the Department of Housing and Urban Development to conduct a study of: (1) the effect of credit scores and insurance scores on the availability and affordability of financial products and services; (2) the degree to which credit scores are related to financial risk and actual losses, and are accurate predictors of risk or loss, and (3) the extent to which the use of credit scores results in disparate impact by geography, income, race, etc.
A one-time study falls far short of the kind of ongoing oversight of credit scoring systems that is necessary. Credit scoring systems are not static or universal; they change on a regular basis and are different for different financial services providers. Federal regulators should be looking into the “black box” of credit scoring formulas on a regular basis to isolate and evaluate all significant factors that are used in order to determine their accuracy and fairness.
The FTC, HUD and federal banking regulators should be given explicit statutory authority to review all facets of credit scoring systems as needed, and to produce a series of reports to Congress, as is required in the bill for credit report accuracy. Moreover, the FTC and HUD should be given rulemaking authority to require creditors and credit score developers to provide necessary credit scoring data and to alter their credit scoring systems as necessary.
Section 506. GAO study on disparate impact of credit system.
The GAO would be required to evaluate whether the entire credit system has a discriminatory or disparate impact regarding the availability or terms of credit.
A study on disparate impact and credit scoring is a good idea, but, as with the study above, federal regulators should be provided with the requisite jurisdiction and rulemaking authority to do ongoing oversight on this important topic if they determine that such a step is necessary. The study should also examine the potential disparate impact of the credit system on those who are disabled.
Section 507. Analysis of further restrictions on offers of credit or insurance.
This section requires the Federal Reserve Board to study the costs and benefits of the current system for consumers to avoid unsolicited written offers of credit and insurance.
As stated above, under current law, a telephone opt-out of pre-approved credit card solicitations is only good for two years. A consumer must go through the additional burden of receiving and signing and stamping and returning a “signed notice of election” to obtain a permanent opt-out. Instead of simplifying the overly complex opt-out system, this section merely requires the FRB to conduct a study of pre-screening practices. Worse, virtually all of the Congressional “questions” presuppose industry benefits, rather than consumer costs.
Section 508. Study on the need and the means for improving financial literacy among consumers.
The Comptroller General would be required to study consumer knowledge and behavior regarding credit reporting, credit scores and the dispute resolution process. This would include how often consumers view their credit reports, why they obtain credit reports, and what they know about positive and negative factors that impact their credit scores.
Although this provision states that it is requiring a study of financial literacy regarding credit reports, credit scores and the dispute resolution process, none of the specific items that the Comptroller General is required to study involve credit scores or the extremely important dispute resolution process.
Paragraph b of this section should be amended to require study of consumer knowledge and experience regarding credit scores and the dispute resolution process, as follows:
(a) STUDY REQUIRED. The Comptroller General shall conduct a study to assess the extent of consumers’ knowledge and awareness of credit reports, credit scores, and the dispute resolution process, and on methods for improving financial literacy among consumers.
(b) FACTORS TO BE INCLUDED. The study required under subsection (a) shall include the following issues:
(1) The number of consumers who view their credit reports and credit scores.
(2) Under what conditions and for what purposes do consumers primarily obtain a copy of their consumer report and credit score (such as for the purpose of ensuring the completeness and accuracy of the contents, to protect against fraud, in response to an adverse action based on the report, or in response to suspected identity theft) and approximately what percentage of the total number of consumers who obtain a copy of their consumer report and credit score do so for each such primary purpose.
(3) The extent of consumers’ knowledge of the data collection process.
(4) The extent to which consumers know how to get a copy of a consumer report and credit score.
(5) The extent to which consumers know and understand the factors that positively or negatively impact credit scores.
(6) The extent to which consumers have used, know about and understand the process for resolving disputes under this act.

Section 509. Disclosure of increase in APR under certain circumstances.
This provision requires federal banking agencies and the National Credit Union Administration to adopt regulations as necessary requiring clear and conspicuous disclosure of interest rate increases caused by a decline in a consumer’s credit score or problems the consumer may have with another creditor.
This disclosure clearly permits the increase of interest rates on open-end credit based on the consumer’s credit score or credit report, rather than on a payment problem the consumer may have had with his or her creditor. This may override some state laws, which clearly allow consumers to complete a loan based on the contractual agreement in the loan. Secondly, there may be good Unfair and Deceptive Acts and Practices claims that can be brought against a lender that conducts this type of unfair credit analysis. Yet this disclosure appears to justify the activity, and thus provide a safe harbor for it.
If no meaningful prohibition is added regarding score-based rate increases on existing credit agreements, this disclosure does more harm than good, and should be deleted.
Sec. 601. Certain employee investigation communications excluded from definition of consumer report.
This provision would exclude employer investigations of sexual harassment or other workplace violations from FCRA’s requirement that employees be notified of third party investigations of misconduct and be given a copy of their credit report if an adverse action is taken.
This section (the old Sessions Bill) is justified by arguments that FCRA’s requirements will hinder employers’ third-party investigations into employee misconduct. We understand that there is a need for a limited exemption in certain circumstances from the full application of the FCRA to investigatory reports for employment purposes. This broad approach, however, would eliminate important protections for innocent employees who need them.
The privacy protections in the FCRA were applied to the employment arena deliberately and appropriately after findings of serious abuses of employees, such as are detailed in NCLC’s testimony (and the AFL-CIO appendix) before the House Financial Services Committee in 2000. In fact, a great deal of the impetus for the FCRA was not errors in credit reports, but abuses in investigative reports, including reports relating to employment.
The investigated employee may be the wrongdoer or the victim. Broad-scale exceptions to this important law should not be carved out based solely on the assumption that every investigated employee is guilty. If not guilty, the employee may be more than just mistakenly accused. The accusation against the employee may be malicious and vindictive, because the employee might be a woman in a male environment, a union organizer, a minority person, or simply disliked by someone. Any introduction of increased secrecy in employers’ third-party investigations must be balanced by an understanding that the secrecy can foster injustice as well as help ferret out misconduct.
In 2000, after the House Financial Services Committee first held a hearing on the Sessions bill, representatives of consumer groups (National Consumer Law Center and U.S. PIRG), labor (AFL-CIO), civil rights groups (Lawyers Committee for Civil Rights), and the administration (FTC) met with an assortment of industry groups (including the U.S. Chamber of Commerce, employers’ representatives, as well as third-party investigators). Our joint goal was to produce an alternative proposal to the Sessions bill which would address the legitimate problems articulated by employers using third parties to investigate employee misconduct, while continuing to protect employees from overreaching investigations breaching privacy and basic rights of employees. After numerous meetings, an alternative proposal had been agreed to in principle by all parties, with a number of specific terms still to be worked through.
Set forth below is a proposal representing a middle-of-the-road approach between the various options not resolved in August 2000.
New Proposal – July 18, 2003
(Issues that were controversial are underlined)

Additions to Section 603. Definitions
(q) A “workplace misconduct report” is an investigative consumer report prepared by a consumer reporting agency for employment purposes, in which
(1) the report results from an investigation that was initiated as a result of alleged or suspected workplace misconduct on the part of a consumer who is not an applicant for new employment to determine whether to impose adverse action against that consumer;
(2) the alleged or suspected workplace misconduct constitutes or could lead to a violation of federal, state or local civil or criminal statute, regulation, rule of any self-regulatory organization, or breaches of business ethics or confidential business information implemented by the person requesting the report; and
(3) the alleged or suspected workplace misconduct is related to the consumer’s employment.
provided, however, that a “workplace misconduct report” does not include a report which includes or relies upon:
(4) specific factual information obtained directly from a consumer’s credit report; or
(5) information about a consumer’s non-workplace behavior not related to alleged or suspected workplace misconduct described in this subsection.
New Section 626: Workplace Misconduct Reports
(a) A person who requests a workplace misconduct report from a consumer reporting agency, and a consumer reporting agency that prepares a workplace misconduct report, shall comply with the provisions of this Section and shall have no obligation to comply with Sections 604 through 615 of the Act.
(b) Regardless of whether the person takes adverse action against a consumer on the basis of a workplace misconduct report, such reports are subject to the following requirements:
(1) The person requesting the report must provide notice to a consumer who is the subject of a workplace misconduct report. Provided, however, that no notice shall be provided if a criminal or civil law enforcement or regulatory agency or self-regulatory organization requests in writing that the person not do so for a specified period of time, not to exceed 180 days, to permit the agency or organization to conduct an investigation. This period may be extended at the agency or organization’s written request for additional specified periods of time not to exceed 180 days each.
Notice is defined as follows:
(A) Within ten business days of the adverse action or completion of the investigation, whichever is earlier, the person must either (i) provide notice to the consumer or (ii) refer the investigation to a criminal or civil law enforcement or regulatory agency or self-regulatory organi